Data Security and Protection: PwC Data Handling Policies, Study notes of Technology

Download Data Security and Protection: PwC Data Handling Policies and more Study notes Technology in PDF only on Docsity! Service Provider Information New IAs Controls Service Provider Information Security Controls Page 2 of 11 Table of Contents 1. Risk Assessment and Treatment 3 2. Management Direction for Information Security 3 3. Human Resource Security 4 4. User Access Management 4 5. Physical Access Management 5 6. Equipment Protection 5 7. Environmental Controls 6 8. Asset Management 6 9. Communication Security 6 10. Cryptographic Controls 7 11. Service Monitoring, Testing, and Vulnerability Prevention and Remediation 7 12. System Development, Acquisition, and Maintenance 8 13. Third-party Service Provider Management 9 14. Incident Management 9 15. Resilience 9 16. Audit and Compliance 10 17. Termination of Services 11 Service Provider Information Security Controls Page 5 of 11 processing PwC Data (a) within 24 hours upon termination of employment or termination of engagement, and (b) within one week, upon change of employment or engagement. 4.5 Logon Procedure. 4.5.1 Service Provider shall implement a secure logon procedure for user access to systems and applications processing PwC Data. To support this, Service Provider shall implement the following user authentication controls: (i) unique user account IDs; (ii) a password required for each user account; (iii) passwords that are echo-suppressed on screen or masked on print-outs; (iv) if set by the system administrator, random issued passwords that will be changed by the users upon initial use; (v) users setting their own passwords as part of a password management system; and (vi) confidential passwords encrypted upon transmission. 4.5.2 Service Provider shall implement a password policy that (i) prohibits the reuse of passwords for at least 10 previous versions; (ii) enforces password changes at least every 90 days; (iii) enforces account lock-out after five failed login attempts; (iv) requires a minimum of eight alphanumeric characters and includes a mix of upper and lowercase characters with at least one numeric and one special character.; and (iv) stores passwords using a one-way encryption mechanism. Service Provider shall prevent interactive logon for service accounts. If a password of at least 30 characters for service accounts is not possible, then Service Provider shall set passwords to the maximum length allowed by the system and shall cause passwords to be changed every 90 days through a password management procedure. For PwC end user authentication, Service Provider shall support either integration with PwC-approved authentication mechanisms (e.g., federation) or multi-factor authentication. Where technically feasible, Service Provider shall integrate the cloud environment with PwC’s Cloud Access Security Broker (CASB). 5. Physical Access Management 5.1 General. Service Provider shall restrict physical access to facilities where PwC Data is stored or processed to its authorized Personnel. Controls to the facilities shall include all of the following, unless prohibited by Applicable Law: (a) locks enabled by key pads or swipe card technology; (b) locked windows and doors for vacant facilities and for all facilities during non-operating hours; (c) installed, remotely-monitored alarm systems, monitored CCTV, or on-premise security guards monitoring and securing the facilities at all times; (d) photographic access credentials worn visibly, clearly designating each of Service Provider’s Personnel and visitors to the facilities; and (e) visitor escort at all times while in areas where PwC Data is stored or processed. Service Provider shall document and maintain quarterly reviews of physical access logs and access control lists. Where possible, Service Provider shall separate facilities storing PwC Data from the rest of Service Provider’s facility. 6. Equipment Protection 6.1 General. Service Provider shall store equipment storing or processing PwC Data within a dedicated, secure and isolated facility (e.g., data center, server room, etc.). Service Provider shall protect (a) power and telecommunications cabling carrying PwC Data or supporting information services from interruption, interference, or damage; and (b) information processing equipment and storage media containing PwC Data during physical transport. In furtherance of its obligations in this Section, Service Provider shall (i) use authorized couriers; (ii) maintain adequate insurance; and (iii) use appropriate secure packaging based on the relevant data classification. 6.2 Unattended Sessions. Service Provider shall protect unattended sessions and equipment by (a) automatically terminating or revalidating its system and application sessions after a maximum of (i) fifteen (15) minutes for systems and applications handling PwC’s Confidential Information, or (ii) sixty (60) minutes of inactivity for all other systems and applications; and (b) enforcing a clear desk and clear screen policy. 6.3 Preventing Unauthorized Access. In order to restrict unauthorized access to PwC Data, Service Provider shall (a) enable its printers to require authentication controls of its Personnel; (b) implement controls to protect equipment, information and assets located off-premises, including during remote access sessions, such as teleworking or remote administration; (c) publish, implement and enforce Service Provider Information Security Controls Page 6 of 11 policies governing teleworking, mobile device and removable media devices; (d) encrypt remote access communications to systems or applications containing PwC Data; (e) require a minimum of multi-factor authentication Virtual Private Networking (VPN) device access or equivalent; and (f) require restricted ports and protocols. 6.4 Personal Devices. To further protect the security of PwC Data, Service Provider’s policies shall prohibit Personnel from accessing or storing PwC Data on any personally owned and managed equipment. Service Provider shall control Bring Your Own Device (BYOD) models, such as mobile devices and tablets, and implement controls commensurate with those on corporate-owned devices. Service Provider shall make removable media devices, such as USB drives, memory sticks and Bluetooth storage devices (a) read-only, (b) encrypted and (c) restricted to temporary write access authorized through a formal risk review process. Service Provider shall generate and store separately metadata logs from the removable media devices. 6.5 Secure Destruction. Service Provider shall implement procedures to ensure that PwC Data is securely destroyed when no longer needed for the purposes authorized by PwC, or at the expiration or termination of the Agreement. For purposes herein, Service Provider shall (a) secure and confirm the erasure of PwC Data from its systems and servers, including any physical or electronic copies, prior to asset destruction and disposal; (b) maintain records of destruction of that PwC Data; and (c) require that any third parties engaged to process PwC Data securely dispose of the information when no longer needed for the Services. 7. Environmental Controls 7.1 General. Unless otherwise prohibited by Applicable Law, Service Provider shall implement, install and maintain the following environmental controls to protect Personnel and equipment used to process or store PwC Data: (a) fire suppression systems; (b) temperature and humidity controls within a data centre or server room environment; (c) arrangements with authorities for active response to civil unrest or natural disasters; and (d) backup power technology (e.g., uninterruptible power supply, diesel generator, separate grid connection, etc.). 7.2 Environmental Risk Assessment. Service Provider shall perform an environmental Risk Assessment before processing any PwC Data, which shall include an assessment of the threats of natural and man-made disasters. Service Provider shall implement appropriate physical protections for facilities storing PwC Data, taking into account the results of the environmental Risk Assessment, the availability of state-of-the-art technology, and the costs of implementing those measures. 8. Asset Management 8.1 Asset Register. Service Provider shall identify and register assets that store or process PwC Data in an asset register, and at a minimum, include version, license and ownership information of those assets. With respect to information assets, Service Provider shall (a) classify according to asset value, criticality, sensitivity, and the risks resulting from unauthorized disclosure of information; and (b) develop procedures for labelling and handling for each asset classification. 8.2 Asset Use. Service Provider shall document policies for the acceptable use and handling of assets that are agreed to by its Personnel. Service Provider shall ensure that assets are immediately returned by Personnel upon termination of employment or engagement, and Service Provider shall track and verify those returned assets. 8.3 System Hardening. Service Provider shall implement and document system hardening procedures and baseline configurations and shall not include unsupported software or hardware. 9. Communication Security 9.1 Network Security. Service Provider shall secure PwC Data in its network systems by implementing the following: (a) segregation of network systems containing PwC Data from network systems supporting internal or other activity; (b) segregation of PwC Data within a shared service environment, and (c) securing network segments from external entry points where PwC Data is accessible. Service Provider Information Security Controls Page 7 of 11 9.2 Network Perimeters. “Demilitarized Zone” means a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network (e.g., the Internet). An external network node can only access what is exposed in the Demilitarized Zone, while the rest of the network is firewalled. Service Provider shall implement hardened configured external network perimeters to prevent unauthorized traffic, including termination of the external network perimeters in a Demilitarized Zone. Additionally, Service Provider shall: (a) record Demilitarized Zone connections in event logs; (b) protect inbound and outbound points by firewalls and intrusion detection systems (IDS); (c) limit communications to systems strictly allowed; (d) if possible, use intrusion prevention systems (IPS); (e) limit ports and protocols to those with a specific business purpose; (f) use firewalls to separate web and application servers from corresponding database servers; (g) implement access controls on wireless networks commensurate with the security level of external VPN access points using strong encryption and strong authentication (e.g., WPA2); and (h) synchronize system clocks on network servers to a universal time source (e.g., UTC) or network time protocol (NTP). 9.3 Internet Rules. Service Provider shall restrict its Personnel to solely use authorized file sharing websites and tools for business purposes. Additionally, Service Provider shall implement internet filtering procedures to protect end user workstations from malicious websites and unauthorized file transfers outside the network, including blocking unauthorised file sharing websites and tools. Service Provider shall implement Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) when sending out emails on PwC’s behalf. 10. Cryptographic Controls 10.1 Encryption; Information Exchange and Transfer. Service Provider shall encrypt PwC Data (a) at rest; (b) in transit across networks, including transmission across untrusted networks, such as public networks; (c) when writing to removable media devices; and (d) in transit between the internet, the cloud environment and the PwC network. Service Provider shall obtain certificates from an authorized certification authority certifying encryption in transit. The encryption of PwC Data during internal transmission within the cloud environment shall occur between each application tier and between interfacing applications. Service Provider shall use platform and data-appropriate encryption (e.g., AES-256) in non-deprecated, open and validated formats and standard algorithms. 10.2 Key Management. PwC Member Firms shall supply and govern use of the cryptographic keys, which includes the creation, rotation and revocation of cryptographic keys. Service Provider shall segregate management duties from usage of cryptographic keys. Additionally, Service Provider shall generate and implement cryptographic key management procedures that include the following: (a) approved key lengths; (b) secure distribution, activation, storage, recovery, replacement and update of cryptographic keys; (c) immediate revocation or deactivation of cryptographic keys upon compromise or change in user employment responsibility; (d) recovery of cryptographic keys that are lost, corrupted or expired; (e) backup and archive of cryptographic keys and maintenance of cryptographic key history; (f) allocation of defined cryptographic key activation and deactivation dates; (g) restriction of cryptographic key access to Personnel; and (h) compliance with Applicable Law. 11. Service Monitoring, Testing, and Vulnerability Prevention and Remediation 11.1 Service Management. Service Provider shall define capacity requirements and monitor service availability. 11.2 Penetration Testing. Service Provider shall perform annual penetration testing for systems and applications that process PwC Data, including during significant system and application changes. Upon PwC’s request, Service Provider shall provide complete testing results, including (a) the scope and methodology utilized; (b) the number of critical, high, and medium severity findings; (c) the name of the third-party tester; and (d) the date of the third-party testing. Service Provider shall remediate any identified vulnerability that PwC defines as “critical” risk or “high” risk within ten (10) business days. Service Provider shall remediate “medium” risk and “low” risk vulnerabilities within forty-five (45) and ninety (90) calendar days, respectively. Service Provider Information Security Controls Page 10 of 11 Plan”). In its business continuity and disaster recovery plan, Service Provider shall include (a) availability requirements for PwC Member Firm services, specifying critical systems; (b) agreed upon recovery points (RPO) and recovery time objectives (RTO); (c) clearly defined roles and responsibilities; (d) provisions for a geographically separate site subject to physical and environmental controls; and (e) backup and restoration procedures that include sanitation, disposal, or destruction of data stored at the alternate site. 15.1.2 Implementing the BCDR Plan. A “Disaster” means any event that causes the unplanned interruption, inaccessibility, or unavailability of any or all of the Services for 30 minutes or longer. In the event of a Disaster, Service Provider shall (i) notify PwC within 1 hour of the Disaster, (ii) implement the BCDR Plan within 2 hours of the Disaster, and (iii) fully restore the Services within 12 hours of the Disaster. Service Provider shall provide PwC with no less resource allocation priority than Service Provider’s other customers. Service Provider may not charge any additional fees or expenses for implementation the BCDR Plan. 15.1.3 Root Cause Analysis. Following each Disaster after the Services have been fully restored, Service Provider shall conduct a root cause analysis and provide to PwC a comprehensive report that describes, at a minimum, (i) the cause or causes of the Disaster, (ii) efforts taken to mitigate the consequences and resolve the Disaster, and (iii) the remedial actions to be implemented by Service Provider in order to avoid future Disasters. 15.2 Backup Procedures and Media. Service Provider shall follow industry best practices to make regular, encrypted backups of database and repository files of PwC Data to a secured location separate from the primary data centre, on a timeframe mutually agreed to by the parties. Information backup procedures and media shall include (a) strong encryption technology; (b) integrity validation; (c) reconciliation with disaster recovery requirements; and (d) secure offsite storage supporting availability requirements. Service Provider shall restore any corrupted files using the most current backup available. PwC may access the backup records to review any record of system activity related to PwC Data without prior notice to the Service Provider. 16. Audit and Compliance 16.1 Compliance. Service Provider shall periodically review its systems and equipment storing, enabling access to, or otherwise processing PwC Data, compliance with Applicable Law and contractual obligations owed to PwC. Service Provider management shall annually review the technical and organisational controls implemented to protect PwC Data and comply with contractual obligations, and report results to Service Provider senior management. 16.2 PwC Assessment. Service Provider shall allow PwC to monitor and assess Service Provider’s adherence to contractual requirements under the Agreement, including information security controls. 16.2.1 Remote Assessment. Service Provider shall promptly review and complete any questionnaire identified by PwC that is provided in an online vendor management assessment tool (e.g., KY3P or similar tool). Service Provider shall make relevant documentation, reports and evidence available for review upon PwC’s request. 16.2.2 On-site Assessment. PwC (or its designee) may conduct an independent on-site assessment of Service Provider during normal business hours to verify compliance with this Agreement. The assessment shall occur (i) once per year upon reasonable advance notice; (ii) after a suspected or actual Data Breach; and (iii) if PwC undergoes an audit by a government agency. Such assessment includes (w) inspecting Service Provider’s processing facilities and equipment; (x) conducting face-to-face interviews with Service Provider Personnel; (y) running assessment software to test processing applications; and (z) auditing any information technology system involved in the Services. Before commencing any on-site assessment, the parties will agree on the scope, timing and duration of the assessment. In addition, upon written request of PwC, Service Provider shall produce documentation to prove performance of the applicable security controls. 16.3 Audit Reports. Service Provider shall maintain independent verification of the effectiveness of its technical and organizational security measures. Service Provider shall cause an independent third Service Provider Information Security Controls Page 11 of 11 party to conduct an audit and produce a SOC 2 Type 2 Report at least annually. Service Provider shall make available to PwC the current SOC 2 Type 2 Report, including the status of any exceptions identified within the SOC 2 Type 2 Report. Service Provider shall also comply with the controls in, and maintain, an ISO 27001 Certification, providing that certification and a copy of Service Provider’s Statement of Applicability (SOA) to PwC upon its request. 16.4 Remediation. Promptly following the completion of each of the audits, assessments, reports, or tests described in Sections 16.1 through 16.3, Service Provider shall prioritize remediation efforts according to the severity of the identified vulnerabilities, and take prompt action to address all identified “critical” or “high” vulnerabilities. Service Provider will remediate those “critical” risk or “high” risk vulnerabilities within 10 days of identification and will correct “medium” risk and “low” risk vulnerabilities within 45 and 90 days of identification, respectively. PwC may track and request updates on the timing for completion of Service Provider’s remediation efforts. If Service Provider fails to remedy any “critical” or “high” vulnerability as required, then PwC may terminate this Agreement (or the applicable Order) upon notice to Service Provider, without having any obligation or liability to Service Provider. 16.5 Disclosure. Without the need for confidentiality measures, PwC may share the results of any audit, report, or test under this Section 16 with any PwC Member Firm or any government regulator of any PwC Member Firm. Under appropriate confidentiality measures, PwC may share the results of any audit, report, or test under this Section 16 with actual or prospective clients of any PwC Member Firm. To the extent required, Service Provider shall cooperate in good faith with requests from any client or government regulator of any PwC Member Firm that wishes to further investigate Service Provider’s security audit attestations and results. 17. Termination of Services 17.1 General. Service Provider shall comply with a documented termination or conclusion of Service process. Non-disclosure and confidentiality responsibilities with respect to PwC Data shall remain in place following Agreement or Order termination or conclusion. Service Provider shall identify a primary point of contact to support the Service termination process and communicate that termination or conclusion to relevant Personnel and stakeholders. Additionally, Service Provider shall (a) revoke access to systems and applications storing, allowing access to, or processing PwC Data promptly upon completion or termination of the Agreement or Order; (b) return hardware, software, middleware, documents, data, information, and other assets owned or leased from the PwC Member Firm; (c) issue certificates confirming the return or destruction of all copies of PwC Data in Service Provider’s possession or control, including any information stored on backup media to the PwC Member Firm; and (d) obtain certification of destruction of PwC Data from third-party contractors.