Privacy Policy

I. Introduction

Allure By K’s purpose is to protect client, employee, financial, protected third-party and other corporate information from unauthorized disclosure, modification or destruction throughout the information’s lifecycle.

To accomplish this, Allure By K has developed this set of IT Security Policies and Procedures in conjunction with a rigorous PCI DSS Compliance Assessment performed by a third-party Qualified Security Assessor. These policies offer direction to specific departments and staff members, and it is each individual’s responsibility to uphold those policies that directly relate to their position at Allure By K.

Violations of this policy or related standards may lead to disciplinary action, up to and including termination.
Brief Explanation of Payment Card Industry (PCI) Compliance

In September of 2006, the five biggest payment companies (VISA, American Express, Discover, JCB, and MasterCard) created the PCI Security Standards Council. Their mutual goal was to create a single process that would enable companies to secure credit card data across all brands.

Together, they devised the Payment Card Industry Data Security Standard (PCI DSS) Program. This program enables merchants and service providers to safely store and process credit card information, whether they are using manual or computerized credit card processing solutions. E-commerce websites and POS devices that process information over the Internet are subject to the most demanding PCI assessments due to the heightened risk of online data interception.

II. Scope of Policies and Procedures


These IT security compliance policies and procedures apply to all users of the computer systems and networks of Allure By K, including but not limited to all employees and associates of Allure By K and its wholly-owned subsidiaries.  They also apply to the activities of all Allure By K personnel using or affecting Allure By K's computer systems and networks.  In addition, these policies and procedures apply to the activities of all third-party consultants, contractors, vendors and temporary employees using Allure By K's computer systems and networks.

Any system component that is connected to the card-processing or data storage environment is in scope for PCI compliance. System components include servers, applications, employee PCs, and other network components.

Examples of everyday systems that are in scope for PCI compliance include:

  • Web servers and application servers that process credit card data.
  • Databases and PCs used to store credit card data.
  • Firewalls or network devices used to transport cardholder traffic.
  • Printers, fax machines, and other devices that may temporarily hold data.
  • Support systems, such as a syslog server or Active Directory, primarily used by system administrators.

The following policies and procedures are intentionally broad in scope. The standards are specific and are regularly updated to keep pace with changes in business needs, technology and the business environment. Standards include details such as business process flows, roles and responsibilities, technical specifics and contract requirements.

Requirement 1 - Firewall and Router Security Administration Policy

1.1 Policy Applicability

All Allure By K owned and operated routers and firewalls are in scope for this policy. Exemptions may only be authorized with written approval from Allure By K management or the approved Security Officer.

1.1.1 Firewall Configuration Changes

Firewalls are categorized as production systems because they support Allure By K information systems.

Any and all changes to the firewall must be approved in advance by the Information Security Department. The changes must be thoroughly tested (following production standards) as outlined in the Change Control Policy. Examples of changes include:

  • Upgrades or patches to the firewall system.
  • Modifications to any firewall software or system.
  • Additions, deletions, or modifications to the firewall rules.

1.1.2 – 1.1.6 Device Management Responsibilities

The team responsible for managing Allure By K firewalls and routers is made up of the Information Security Department.

Information Security Department Roles and Responsibilities:

  • Ensures that any changes to the firewall hardware, software, or security rules are authorized by the Information Security Department and follow appropriate change control policies.
  • Ensures that all router configuration files are synchronized and secure.
  • Uses the Permitted Network Services and Protocols form to document any firewall security rule changes.
  • Mitigates security events by coordinating a sufficient response plan with the Information Security Department.
  • Reviews and updates network diagrams after any changes are made. The diagrams must accurately describe firewalls, access control systems, anti-virus software, IDS/IPS, and any other connection to confidential or sensitive information.
  • Reports any discovered vulnerabilities or security events to the Information Security Department.
  • On a daily basis, monitors all logs that capture and report security events.
  • Provides the Networks Operation Center read-only access to logs related to security events and the performance of critical systems.
  • Keeps track of and monitors system alerts related to critical systems. These alerts might include system reboots, firewall daemon failures, etc.
  • In the event of a security system failure, alerts the appropriate department.
  • Assures Allure By K management that the security rules applying to firewalls are sufficient to protect assets from unauthorized access.
  • Assures Allure By K management that the security rules applying to firewalls are sufficient to prevent internal security threats from exiting the network.
  • Mitigates security risks by developing an appropriate response plan with the System Administrator.
  • At least every six months, performs a thorough review of each firewall rule set. The results must be recorded and must include the removal of any unnecessary access paths. Any changes proposed as a result of the review must go through the change control process before they are implemented.
  • Identifies internal or external threats by actively monitoring firewall security events.
  • Performs a thorough review of any proposed firewall and router security rule change, and ensures it complies with policy before sending the proposal through the change management process.
  • Ensures the proper documentation of all services allowed through the firewall.
  • For risky protocols, performs or approves a risk assessment and ensures the protocol has a specific business need.

1.2 – 1.3 Allowed Services and Connection Paths

The Allure By K firewall must block every path and service that is not specifically approved by this policy. Allure By K must maintain a “Permitted Network Services and Protocols” form, which outlines the list of currently approved paths and services.

All inbound Internet traffic must use a network segmented by a firewall. This segmented zone is known as the DMZ. This inbound traffic must be limited to only those ports deemed necessary for Allure By K business. With the exception of the DMZ, perimeter routers should never be configured to include a route to internal address space.

All firewall and router configuration files must be secured to prevent unauthorized tampering. In addition, the start-up configuration files must be synchronized with the secure settings of the running configuration files, so that weaker rules do not take effect if one of these devices restarts.

Network Address Translation (NAT) or Port Address Translation (PAT) must be used to hide internal IP addresses.

Perimeter devices must be equipped with anti-spoofing technologies. These devices will reject all traffic that includes:

  • A destination IP address matching RFC 1918 address space.
  • A source IP address matching RFC 1918 address space.
  • A source IP address matching any Allure By K-owned address space.
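The three anti-spoofing rules above, expressed as a checkable filter for packets arriving on the Internet-facing interface. This is an added Python example, not part of the policy; the owned address block 203.0.113.0/24 and the sample packets are constructed placeholders.

```python
import ipaddress

# RFC 1918 private address space named in the policy.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder for Allure By K-owned public address space (assumed; TEST-NET-3 as a stand-in).
OWNED_SPACE = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, nets):
    """True if the address string addr falls inside any network in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def perimeter_verdict(src, dst):
    """Apply the three anti-spoofing rules to one packet seen on the
    Internet-facing interface. Returns ("drop", reason) or ("pass", None).
    Malformed addresses are dropped rather than passed (fail closed)."""
    try:
        if _in_any(dst, RFC1918):
            return "drop", "destination in RFC 1918 space"
        if _in_any(src, RFC1918):
            return "drop", "source in RFC 1918 space"
        if _in_any(src, OWNED_SPACE):
            return "drop", "source claims Allure By K-owned space"
    except ValueError:
        return "drop", "unparseable address"
    return "pass", None


# Constructed sample packets (src, dst); 198.51.100.0/24 stands in for arbitrary Internet hosts.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),   # ordinary Internet client -> DMZ host
    ("10.1.2.3", "203.0.113.10"),       # private source arriving from the Internet
    ("203.0.113.5", "203.0.113.10"),    # source pretending to be an owned address
    ("198.51.100.7", "192.168.1.1"),    # destination is internal address space
    ("not-an-ip", "203.0.113.10"),      # malformed address
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return (src, dst, verdict, reason) for each packet in the sample."""
    return [(s, d, *perimeter_verdict(s, d)) for s, d in packets]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```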

Internal production systems with outbound traffic must also use the DMZ network. This type of traffic should also be limited to only required protocols and services.

Any Allure By K databases must be stored on an internal network that is segmented from the DMZ network. All inbound connections to internal production payment systems, and originating from Allure By K wireless networks, are forbidden.

Internet and wireless segmentation must employ a stateful packet inspection firewall. This will allow only established connections in or out of the network. For cardholder environment segmentation, VLANs with compliant ACLs may be used – so long as the VLAN switch is PCI compliant and hardened to deter switch exploits such as ARP cache floods. VLANs must be established according to the same requirements that apply to firewalls.

1.4 Personal Firewalls

Personal firewall software must be installed and activated on any Internet-connected mobile or employee-owned computer that also accesses the Allure By K network. This software must have a non-user-alterable configuration as deemed suitable by the Information Security Department.

Requirement 2 - System Configuration Policy

2.1 Policy Applicability

This policy applies to all Allure By K-operated servers and network devices, whether supervised by employees or third parties. All devices must have vendor-supplied defaults changed prior to deployment. Exemptions may only be authorized with written approval from the Information Security Department.

2.2 System Configuration Standards and Deployment

Allure By K configuration standards for all system components must be maintained in accordance with industry-accepted system hardening standards. Allure By K shall develop and maintain standards based on one or a combination of the following sources:

  • Center for Internet Security (CIS)
  • International Organization for Standardization (ISO)
  • SysAdmin Audit Network Security (SANS)
  • National Institute of Standards and Technology (NIST)

At the time of installation, a ‘System Configuration Record’ form must be completed for all deployed Allure By K systems. This record must be kept on file for the life of the system and must be updated in the event of a modification.

2.2.1 System Purpose

Allure By K computing systems should adhere to a ‘one primary function per server’ rule. For example, web servers, database servers and DNS servers should be operated from distinct and separate servers. Unless otherwise required by vendor documentation, no multi-purpose system may store, transmit, or process sensitive or confidential information.