SlideShare una empresa de Scribd logo
1 de 21
Descargar para leer sin conexión
November 2005
                                                                                    www.truste.org




TRUSTe Security Guidelines 2.0




Summary
               Increasing criminal attacks on consumer and employee data have wrought
               a high price on individual privacy and trust. In accordance with TRUSTe’s
               broad mission to increase respect for personal identity and information,
               we are therefore pleased to issue these revised Data Security Guidelines
               for use as a resource by our licensees and other members of the public.
               Meaningful protection of consumer privacy depends on a foundation of
               responsible data security practices.

               This new version of the Guidelines provides additional information in three
               important areas of data security. First, more attention has been given to
               web application security. Additional guidelines for mobile devices have
               also been added. Finally, preparation for possible data breaches has been
               addressed in two new sections.

               Security standards are not “one size fits all.” Responsible, commercially
               reasonable standards vary, depending on such factors as a company’s size
               and complexity, industry category, sensitivity of data collected, number of
               customers served, and use of outside vendors. These Security Guidelines
               are divided into five categories of safeguards: Parts 1, 2, and 3 address
               overall administrative, technical, and physical safeguards. Parts 4 and 5 are
               substantially new sections and address incident response plans and breach
               notice processes, respectively. All recommended practices are presented in
               a checklist form so that companies can assess their own risk levels and
               adopt the practices most appropriate to their particular circumstances.
TRUSTe Security Guidelines 2.0
                                                                                                                  www.truste.org




Introduction
Security Enables Privacy                    No one on the Internet is immune              Finally, two sections relating to inci-
Protection                                  from security threats. In the race to         dent response in general, and specifi-
Meaningful protection of consumer           develop online services, web applica-         cally breach notices, have been
privacy depends on a foundation of          tions have often been developed and           added. Because of the many data
responsible data security practices.        deployed with minimal attention given         breaches recently, many states have
In accordance with TRUSTe’s broad           to security risks, resulting in a sur-        now enacted legislation requiring
mission to increase respect for per-        prising number of corporate sites that        companies to protect data and notify
sonal identity and information,             are vulnerable to hackers. The conse-         affected individuals. As companies
we are therefore pleased to issue           quences of a security breach are great:       contemplate these legal requirements,
Data Security Guidelines for use as a       loss of revenues, damage to credibility,      as well as a desire to maintain cus-
resource by our licensees and other         legal liability, and loss of customer         tomer trust even in the face of data
members of the public. We hope              trust.Web application security is a sig-      breaches, these Guidelines set forth
these Guidelines will help facilitate       nificant privacy and risk compliance           some recommended steps to help
internal discussion between privacy         concern and organizations should              companies be prepared in the event
and security groups, assist companies       identify and address web application          of a data breach.
as they initially draft their internal      security vulnerabilities as part of an
security policies, and be useful as a       overall web risk management program.          Using the Guidelines
checklist to confirm and perhaps dou-                                                      Security standards are not “one size
blecheck existing policies. These prac-     We have also supplemented recom-
                                                                                          fits all.” Responsible, commercially
tices are not intended as mandatory         mended safeguards as they relate to
                                                                                          reasonable standards vary, depending
procedures for TRUSTe licensees.            mobile devices, particularly those on
                                                                                          on such factors as a company’s size
                                            which sensitive information is stored.
                                                                                          and complexity, industry category,
This version of the Guidelines sup-         While this is not a new area of con-
                                                                                          sensitivity of data collected, number
plements our previously recommended         cern, mobile devices have surfaced as
                                                                                          of customers served, and use of out-
practices in the areas of web applica-      a point of vulnerability for many
                                                                                          side vendors.
tion security, mobile device security,      businesses, as evidenced by a number
and best practices related to data breach   of publicly-acknowledged breaches             The Security Guidelines are drafted
incident response, including potential      traceable to, for example, stolen lap-        in checklist form so that companies
public notification of any such breach.      tops containing sensitive information.        can assess their own risk levels and
                                            As technology develops, new meth-             adopt the corresponding appropriate
Web application security focuses on
                                            ods of transmitting, receiving and            level of recommended safeguard
the ways that sites might be vulnerable
                                            storing personal data via mobile devices      practices. Larger, more complex com-
to hackers. Web applications are used
                                            are created. This poses new problems          panies which handle data with the
to perform most major tasks or web-
                                            for privacy protection. The Guidelines        highest level of sensitivity will likely
site functions. They include forms that
                                            set forth some simple steps that can assist   find it appropriate to adopt all the
collect personal, classified, and confi-
                                            companies in determining how to               recommended practices, while a
dential information such as medical
                                            handle data security on mobile devices.       smaller company, collecting less
history, credit and bank account
                                                                                          sensitive information, may conclude
information and user feedback.




                                                                                                                                     1
TRUSTe Security Guidelines 2.0
                                                                                                          www.truste.org



that adopting only a subset of these        Following each of these three main        Guiding Principles
controls will still enable it to have       categories, the user will find different   We recognize that companies may
a security program appropriate to           types of safeguards, each followed by     achieve reasonable security through
the nature of the data it collects          a number of more detailed supporting      other measures, not included within
and handles.                                directives.                               the Guidelines. While the Guidelines
                                                                                      rely upon other learned information
These Security Guidelines are divided       For the user’s convenience, the
                                                                                      security standards such as ISO 17799
into five categories of safeguards: Parts    Guidelines are presented in checklist
                                                                                      and the Payment Card Industry (PCI)
1, 2, and 3 address overall administra-     form, with each recommended control
                                                                                      Guidelines, and are informed by reg-
tive, technical, and physical safeguards.   accompanied by checkboxes which the
                                                                                      ulatory requirements such as those
Parts 4 and 5 address incident response     user can fill in with his or her own
                                                                                      imposed by the Gramm Leach Bliley
plans and breach notice processes,          assessment of whether the practice is
                                                                                      Act and HIPAA, they are not intended
respectively. Administrative controls       appropriate and relevant to the user’s
                                                                                      as a comprehensive list of all leading
include, for example, drafting a written    particular company, as follows:
                                                                                      security measures. Rather, the
internal security policy, training
                                                                                      Guidelines are intended to provide
employees, conducting ongoing security        Should be required – A check in
                                                                                      a relatively non-technical, high level
risk assessments, and establishing proce-   this category means that you believe
                                                                                      overview of responsible security
dures in connection with external third     the practice or procedure should be
                                                                                      practices. For those users wishing a
parties (including vendors) with whom       implemented within your organization
                                                                                      more detailed or technological focus,
data is shared.Technical measures           to achieve reasonable data protection
                                                                                      the Guidelines also contain links to an
include controlling employee access to      levels.
                                                                                      array of information security websites
sensitive information on a need-to-
                                                                                      which some users will find helpful.
know basis, establishing good password        Should be optional – A check in
practices, ongoing monitoring to assess     this category means that you believe      We anticipate that the Guidelines will
threats and vulnerabilities, ensuring web   the practice or procedure will be         evolve over time to reflect emerging
application security, and establishing      useful, but may not be appropriate        technologies and business issues that
incident response procedures. Physical      within your organization to achieve       may impact the safety, security and
controls include practices such as mon-     reasonable data protection levels.        quality of sensitive or confidential
itoring legitimate access to data, estab-                                             information used by TRUSTe’s
lishing physical access controls, and         Not relevant – A check in this          licensees. Finally, we welcome
securing one’s data facilities. Finally,    category means that you believe the       suggestions and comments via email
incident planning and response controls     practice or procedure will not be         to policylegal@truste.org.
include creating a response team, creat-    useful within your organization for
ing a response plan, and formulating a      purposes of data protection.
breach notification policy.




                                                                                                                            2
TRUSTe Security Guidelines 2.0
                                                                                                           www.truste.org




Sources
Following are the main sources used to draft the attached Guidelines:

International Organization for Standardization (ISO) 17799. ISO-17799 is an International recognized
Information Security Management Standard first published in December 2000, derived from British
Standard 7799 Parts I and II.

Visa USA Cardholder Information Security Program (CISP). Established in June 2001, the program is
intended to protect Visa cardholder data to ensure that members, merchants, and service providers
maintain reasonably high information security standard. In addition to the CISP “digital dozen,”
we included new features from the PCI Data Security Guidelines.


Organisation for Economic Co-Operation and Development (OECD), Guidelines for the Security of
Information Systems. In addition, we reviewed various papers published by the Business and Industry
Advisory Committee (BIAC) to the OECD.




Acknowledgments
TRUSTe would like to acknowledge the many experts we consulted in revising these Guidelines.

Dr. Larry Ponemon of the Ponemon Institute was instrumental in developing these Guidelines.
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government.
www.ponemon.org

Watchfire provided input and guidance in developing the Web application security guidelines.
Watchfire is a provider of Online Risk Management software and services to monitor and report
online security, privacy, quality, accessibility, and compliance risks. For more information on Watchfire
and its web application security expertise please visit:
http://www.watchfire.com/securityzone/default.aspx

Joanne McNabb, Chief, California Office of Privacy Protection, provided guidance in connection with
the new incident response sections. The California Office of Privacy Protection assists individuals with
identity theft and other privacy-related concerns; provides consumer education and information on
privacy issues; coordinates with local, state and federal law enforcement on identity theft investiga-
tions; and recommends policies and practices that protect individual privacy rights.
www.privacy.ca.gov

TRUSTe would also like to recognize the contributions of Ernst & Young and ChoicePoint Inc.




                                                                                                                        3
TRUSTe Security Guidelines 2.0
                                                                                                                                 www.truste.org


Part 1: Administrative Controls




                                                                                                                                           E
                                                                                                                             E




                                                                                                                                  IO D B
                                                                                                                      UI D B




                                                                                                                                                         T
                                                                                                                                         L
                                                                                                                           D




                                                                                                                                                     N
                                                                                                                                       A
                                                                                                                        RE



                                                                                                                                    UL




                                                                                                                                                    VA
                                                                                                                                     N
                                                                                                                         L
 1.0   Establish a security committee.




                                                                                                                  RE OU




                                                                                                                                               RE T
                                                                                                                                  O




                                                                                                                                                 LE
                                                                                                                                                  O
                                                                                                                                 SH
                                                                                                                                      PT
                                                                                                                   SH

                                                                                                                    Q




                                                                                                                                                N
                                                                                                                                  O
       Ensure that the committee is composed of cross-functional members representing different parts
 1.1
       of the organization.

 1.2   Create a charter for the security committee.

       Designate an executive sponsor for security function. The sponsor should also serve as
 1.3
       a member of the cross-functional committee.




                                                                                                                                           E
                                                                                                                             E




                                                                                                                                  IO D B
                                                                                                                      UI D B




                                                                                                                                                         T
                                                                                                                                         L
       Establish a formal, written security policy and detailed standard




                                                                                                                           D




                                                                                                                                                     N
                                                                                                                                       A
                                                                                                                        RE



                                                                                                                                    UL




                                                                                                                                                    VA
                                                                                                                                     N
                                                                                                                         L
 2.0




                                                                                                                  RE OU




                                                                                                                                               RE T
                                                                                                                                  O
       operating procedures.




                                                                                                                                                 LE
                                                                                                                                                  O
                                                                                                                                 SH
                                                                                                                                      PT
                                                                                                                   SH

                                                                                                                    Q




                                                                                                                                                N
                                                                                                                                  O
       Ensure that the policy applies to the entire organization or that appropriate policies exist to cover
 2.1   the various operations in the organization, and that they are integrated with other enterprise policies.
       Ensure that appropriate policies also apply to your internal and external websites.


 2.2
       Align the policies with other compliance policies, especially those for privacy and secure
       vendor relationships. Before creating your policies, determine regulatory compliance needs as
       relevant to the data and customers.

 2.3   Ensure that versions of the security policy are coordinated and rigorous version control is exercised.

       Periodically review the security policy and standard operating procedures, revising them as
 2.4
       necessary based on changing business, technology and environmental conditions.

       Disseminate the security policy and detailed standard operating procedures to all relevant
 2.5   stakeholders within the organization. Consider developing an externalizable version of the policy
       and for outside stakeholders of the organization, including outside contractors agents.

 2.6   Provide appropriate information on how you secure information to users on your websites
       through a link on each page. Consider including this summary in your privacy statement.




                                                                                                                                                             4
TRUSTe Security Guidelines 2.0
                                                                                                                            www.truste.org


Part 1: Administrative Controls, cont.




                                                                                                                                      E
                                                                                                                        E




                                                                                                                             IO D B
                                                                                                                 UI D B




                                                                                                                                                    T
                                                                                                                                    L
                                                                                                                      D




                                                                                                                                                N
                                                                                                                                  A
 3.0   Conduct ongoing security risk assessments.




                                                                                                                   RE



                                                                                                                               UL




                                                                                                                                               VA
                                                                                                                                N
                                                                                                                    L
                                                                                                             RE OU




                                                                                                                                          RE T
                                                                                                                             O




                                                                                                                                            LE
                                                                                                                                             O
                                                                                                                            SH
                                                                                                                                 PT
                                                                                                              SH

                                                                                                               Q




                                                                                                                                           N
                                                                                                                             O
       Identify and prioritize security risk threats and vulnerabilities. Consider, at a minimum, risks in
 3.1   these areas: employee training and management; information systems; and prevention, detection
       and response to attacks or other systems failures.

 3.2   Prioritize resource allocation and spending based on prioritized risk areas.

       Periodically review risk assessments and revise them as necessary, especially in response
 3.3
       to business, technology and environmental changes.




                                                                                                                                      E
                                                                                                                        E




                                                                                                                             IO D B
                                                                                                                 UI D B




                                                                                                                                                    T
                                                                                                                                    L
                                                                                                                      D




                                                                                                                                                N
                                                                                                                                  A
                                                                                                                   RE



                                                                                                                               UL




                                                                                                                                               VA
                                                                                                                                N
                                                                                                                    L
 4.0   Require a system security plan for every major system and network.




                                                                                                             RE OU




                                                                                                                                          RE T
                                                                                                                             O




                                                                                                                                            LE
                                                                                                                                             O
                                                                                                                            SH
                                                                                                                                 PT
                                                                                                              SH

                                                                                                               Q




                                                                                                                                           N
                                                                                                                             O
 4.1   Conduct a periodic review of system security plans and revise them as necessary.

       Ensure that plans and policies for security include periodic review and control over endpoints
 4.2   such as desktop PC’s, laptops, PDA’s, and other devices which connect to sensitive networks or
       systems (including Bluetooth technology).

 4.3   Require system interconnection agreements.

 4.4   Require user system access agreements.

 4.5   Conduct periodic review of system interconnection agreements and revise them as necessary.




                                                                                                                                      E
                                                                                                                        E




                                                                                                                             IO D B
                                                                                                                 UI D B




                                                                                                                                                    T
                                                                                                                                    L
                                                                                                                      D




                                                                                                                                                N
                                                                                                                                  A
                                                                                                                   RE



                                                                                                                               UL




                                                                                                                                               VA
                                                                                                                                N
                                                                                                                    L




       Establish contingency plans, including maintenance of access controls.
                                                                                                             RE OU




 5.0

                                                                                                                                          RE T
                                                                                                                             O




                                                                                                                                            LE
                                                                                                                                             O
                                                                                                                            SH
                                                                                                                                 PT
                                                                                                              SH

                                                                                                               Q




                                                                                                                                           N
                                                                                                                             O




 5.1   Establish business continuity plan.

 5.2   Establish disaster recovery plan.

 5.3   Establish personnel emergency plan.

 5.4   Conduct periodic review and test of contingency plans and revise them as necessary.
                                                                                                                                      E
                                                                                                                        E




                                                                                                                             IO D B
                                                                                                                 UI D B




                                                                                                                                                    T
                                                                                                                                    L
                                                                                                                      D




                                                                                                                                                N
                                                                                                                                  A
                                                                                                                   RE



                                                                                                                               UL




                                                                                                                                               VA
                                                                                                                                N
                                                                                                                    L




       Integrate security throughout the system life cycle, including:
                                                                                                             RE OU




 6.0
                                                                                                                                          RE T
                                                                                                                             O




                                                                                                                                            LE
                                                                                                                                             O
                                                                                                                            SH
                                                                                                                                 PT
                                                                                                              SH

                                                                                                               Q




                                                                                                                                           N
                                                                                                                             O




       Requirements definitions.
 6.1

       Design/procurement procedures.
 6.2

       Testing and maintenance procedures.
 6.3



                                                                                                                                                        5
TRUSTe Security Guidelines 2.0
                                                                                                                              www.truste.org


Part 1: Administrative Controls, cont.




                                                                                                                                        E
                                                                                                                          E




                                                                                                                               IO D B
                                                                                                                   UI D B




                                                                                                                                                      T
                                                                                                                                      L
                                                                                                                        D




                                                                                                                                                  N
                                                                                                                                    A
                                                                                                                     RE



                                                                                                                                 UL




                                                                                                                                                 VA
                                                                                                                                  N
                                                                                                                      L
 7.0    Establish formal data backup processes.




                                                                                                               RE OU




                                                                                                                                            RE T
                                                                                                                               O




                                                                                                                                              LE
                                                                                                                                               O
                                                                                                                              SH
                                                                                                                                   PT
                                                                                                                SH

                                                                                                                 Q




                                                                                                                                             N
                                                                                                                               O
 7.1    Ensure that data backup includes the maintenance of current access controls.

 7.2    Conduct periodic review and test of data backup processes and revise them as necessary.




                                                                                                                                        E
                                                                                                                          E




                                                                                                                               IO D B
                                                                                                                   UI D B




                                                                                                                                                      T
                                                                                                                                      L
                                                                                                                        D




                                                                                                                                                  N
                                                                                                                                    A
                                                                                                                     RE



                                                                                                                                 UL




                                                                                                                                                 VA
                                                                                                                                  N
                                                                                                                      L
 8.0    Establish security auditing process.




                                                                                                               RE OU




                                                                                                                                            RE T
                                                                                                                               O




                                                                                                                                              LE
                                                                                                                                               O
                                                                                                                              SH
                                                                                                                                   PT
                                                                                                                SH

                                                                                                                 Q




                                                                                                                                             N
                                                                                                                               O
 8.1    Conduct periodic reviews of all security controls through internal or external audit. Include
        web applications, as well as host, network and user accounts as part of the audit.

 8.2    Conduct mock reviews to test the organization’s ability to respond to threats (including
        vulnerability to social engineering).




                                                                                                                                        E
                                                                                                                          E




                                                                                                                               IO D B
                                                                                                                   UI D B




                                                                                                                                                      T
                                                                                                                                      L
                                                                                                                        D




                                                                                                                                                  N
                                                                                                                                    A
                                                                                                                     RE



                                                                                                                                 UL




                                                                                                                                                 VA
                                                                                                                                  N
                                                                                                                      L
        Document all system and network configurations.




                                                                                                               RE OU
 9.0




                                                                                                                                            RE T
                                                                                                                               O




                                                                                                                                              LE
                                                                                                                                               O
                                                                                                                              SH
                                                                                                                                   PT
                                                                                                                SH

                                                                                                                 Q




                                                                                                                                             N
                                                                                                                               O
 9.1
        Establish a formal configuration/change control process (including vulnerability identification
        and patching), with pre-production testing.

 9.2    Document and classify all sensitive information (data inventory).

        Document formal and appropriate rules of behavior, acceptable use and confidentiality
 9.3
        agreements for all personnel with access to sensitive information.

        Document all appropriate separation of duties (e.g., system administrators and security
 9.4
        administrators should not be the same person).

 9.5    Document routine and emergency access termination procedures.

 9.6    Document a formal incident response capability.
                                                                                                                                        E
                                                                                                                          E




                                                                                                                               IO D B
                                                                                                                   UI D B




                                                                                                                                                      T
                                                                                                                                      L
                                                                                                                        D




                                                                                                                                                  N
                                                                                                                                    A
                                                                                                                     RE



                                                                                                                                 UL




                                                                                                                                                 VA
                                                                                                                                  N
                                                                                                                      L




 10.0   Establish employee awareness and training program.
                                                                                                               RE OU




                                                                                                                                            RE T
                                                                                                                               O




                                                                                                                                              LE
                                                                                                                                               O
                                                                                                                              SH
                                                                                                                                   PT
                                                                                                                SH

                                                                                                                 Q




                                                                                                                                             N
                                                                                                                               O




 10.1   Establish a certification and accreditation (C&A) process for employees with access to major systems.

 10.2   Require all employees to undergo basic initial and refresher security training. Track and document
        completion of training.

 10.3   Support continuing professional training and education for security specialists.




                                                                                                                                                          6
TRUSTe Security Guidelines 2.0
                                                                                                                            www.truste.org


Part 1: Administrative Controls, cont.




                                                                                                                                      E
                                                                                                                        E




                                                                                                                             IO D B
                                                                                                                 UI D B




                                                                                                                                                    T
                                                                                                                                    L
                                                                                                                      D




                                                                                                                                                N
                                                                                                                                  A
 11.0   Establish special procedures for outsourced IT or data management activities.




                                                                                                                   RE



                                                                                                                               UL




                                                                                                                                               VA
                                                                                                                                N
                                                                                                                    L
                                                                                                             RE OU




                                                                                                                                          RE T
                                                                                                                             O




                                                                                                                                            LE
                                                                                                                                             O
                                                                                                                            SH
                                                                                                                                 PT
                                                                                                              SH

                                                                                                               Q




                                                                                                                                           N
                                                                                                                             O
        Perform vendor due diligence before sharing sensitive or confidential information, including all
 11.1
        personally identifiable consumer or employee data.

 11.2   Perform a site audit of the vendor’s data center to determine adequacy of security infrastructure.

        Obtain certification from the vendor that they are in compliance with the customer’s privacy and
 11.3
        data protection obligations as required by law or stated policies.

 11.4   Impose contractual control over vendors’ data use and practices.

 11.5   Perform periodic or random audits of the outsourcing vendor.

        Whenever feasible, determine the adequacy and competence of the outsourced vendor’s key
 11.6
        personnel (especially those individuals who are responsible for handling or managing sensitive
        personal information).




                                                                                                                                                        7
TRUSTe Security Guidelines 2.0
                                                                                                                        www.truste.org


Part 2: Technical Security




                                                                                                                                  E
                                                                                                                    E




                                                                                                                         IO D B
                                                                                                             UI D B
       Control access to information that resides on data




                                                                                                                                                T
                                                                                                                                L
                                                                                                                  D




                                                                                                                                            N
                                                                                                                              A
                                                                                                               RE



                                                                                                                           UL




                                                                                                                                           VA
                                                                                                                            N
                                                                                                                L
 1.0




                                                                                                         RE OU
       storage devices such as servers, desktop PCs, laptops, and PDAs.




                                                                                                                                      RE T
                                                                                                                         O




                                                                                                                                        LE
                                                                                                                                         O
                                                                                                                        SH
                                                                                                                             PT
                                                                                                          SH

                                                                                                           Q




                                                                                                                                       N
                                                                                                                         O
 1.1   Use unique ID or username for all system users. Ensure that neither Social Security nor account
       numbers are used as an ID or username.

 1.2   Use authentication mechanisms, such as passwords, tokens, and/or biometrics.

       Require system administrators to use regular user accounts for work that does not need
 1.3
       enterprise-wide system or security administration privileges.

 1.4   Assign access privileges based on a need to know (the level of access should only relate to job
       function and be not based on organizational position or rank).

 1.5   Whenever feasible, utilize a two-factor authentication procedure before granting access to a
       user’s sensitive information.

 1.6   When possible, implement a method for online service requests concerning changes in
       usernames and passwords.

 1.7   Force appropriate session timeouts, such as 15 minutes or less, if idle.




                                                                                                                                  E
                                                                                                                    E




                                                                                                                         IO D B
                                                                                                             UI D B




                                                                                                                                                T
                                                                                                                                L
                                                                                                                  D




                                                                                                                                            N
                                                                                                                              A
                                                                                                               RE



                                                                                                                           UL




                                                                                                                                           VA
                                                                                                                            N
                                                                                                                L
                                                                                                         RE OU
 2.0   Establish password usage policy that encompasses the following rules:




                                                                                                                                      RE T
                                                                                                                         O




                                                                                                                                        LE
                                                                                                                                         O
                                                                                                                        SH
                                                                                                                             PT
                                                                                                          SH

                                                                                                           Q




                                                                                                                                       N
                                                                                                                         O
 2.1   Whenever feasible, use a minimum of six digit alpha-numeric format. Instruct users to create
       such passwords during a periodic password change process.


 2.2
       Prohibit passwords based on account number, username, real name, Social Security number, or
       publicly available personal details (birthdays, names of children or pets, etc.).

 2.3   Restrict password reuse.

       Establish a formal user authentication process for resetting passwords. When possible, make
 2.4   password change or reset option available from the login page. Allow users to update their
       password hints or questions.

       When sending a registration confirmation or other type of welcome email, provide only the
 2.5
       username within the email and implement a password reset feature on the web site.

 2.6   Username and passwords should not be sent together within the same email.

 2.7   Force password expiration.

 2.8   Establish lost/stolen laptop procedures, including password cancellation.




                                                                                                                                                    8
TRUSTe Security Guidelines 2.0
                                                                                                                               www.truste.org


Part 2: Technical Security, cont.




                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




                                                                                                                                                       T
                                                                                                                                       L
       Control access to information that can be displayed, printed, and/or down-




                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A
                                                                                                                      RE



                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L
 3.0




                                                                                                                RE OU




                                                                                                                                             RE T
                                                                                                                                O




                                                                                                                                               LE
       loaded to external storage devices, especially desktop PCs, laptops or PDAs.




                                                                                                                                                O
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                O
 3.1   Have operating controls that restrict downloads of sensitive information without proper identification.
       (See Appendix for sensitive data classifications.)

 3.2   Have screen savers and screen shields to minimize the display of sensitive data to unauthorized users.

 3.3   Have shutdown controls when computers are idle or inactive.

 3.4   Whenever feasible, only allow read-only access rights when using remote computers or wireless
       devices to enter the organization’s network or enterprise system.

       As much as possible, limit the use of personally identifiable information on laptops. Where such
 3.5
       use is essential, ensure that data is encrypted or, at a minimum, that such laptops are protected
       by something stronger than a password.

       Set up periodic disk clean-up reminders to help eliminate temporary backups and empty recycle/
 3.6   trash bin. Consider reflecting this practice in your company document retention/deletion plans.




                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




                                                                                                                                                       T
                                                                                                                                       L
                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A
       Monitor user accounts to identify and eliminate inactive users, specifically:




                                                                                                                      RE



                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L
 4.0




                                                                                                                RE OU




                                                                                                                                             RE T
                                                                                                                                O




                                                                                                                                               LE
                                                                                                                                                O
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                O
 4.1   Accounts that have been inactive for 60 days should be automatically terminated.

 4.2   Accounts of terminated employees and contractors should be shut down within 24 hours.

       Regularly cross-check user accounts against HR records to ensure that access by former
 4.3
       employees has been terminated.

                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




                                                                                                                                                       T
                                                                                                                                       L
                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A




       Ensure sufficient safeguards over the transmission and storage of
                                                                                                                      RE



                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L
                                                                                                                RE OU




 5.0
                                                                                                                                             RE T
                                                                                                                                O




                                                                                                                                               LE
                                                                                                                                                O




       data, including:
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                O




 5.1   Use reasonable encryption methods when transmitting or receiving sensitive information, especially
       when sent or received over the public Internet. Ensure that you employ at least 128-bit encryption.


 5.2
       Use wireless encryption protocol (WEP) when transmitting or receiving sensitive information
       from PDAs, Web phones, laptops, and emerging devices that use Bluetooth connection technologies.


 5.3
       Use reasonable encryption methods for storage, especially when maintaining sensitive information
       on servers, desktop PCs, and laptops.

       Use VPN software to authorize and encrypt traffic from authorized devices, and ensure that VPN
 5.4
       access has adequate controls and is monitored.

       Use configuration monitoring tools to flag storage devices that are removed from the network or
 5.5
       enterprise system.

       Restrict the downloading of sensitive personal information from central storage devices onto
 5.6
       personal computers or wireless storage devices.


                                                                                                                                                           9
TRUSTe Security Guidelines 2.0
                                                                                                                               www.truste.org


Part 2: Technical Security, cont.




                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




                                                                                                                                                       T
                                                                                                                                       L
                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A
        Configure all servers, desktop PCs, and laptops prior to use, including:




                                                                                                                      RE
 6.0




                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L
                                                                                                                RE OU




                                                                                                                                             RE T
                                                                                                                                O




                                                                                                                                               LE
                                                                                                                                                O
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                O
 6.1    Disable unused ports.

 6.2    Install/enable automatic screen locks to prevent access after a certain period of inactivity.

 6.3    Change all vendor-supplied default passwords.

        Ensure that wireless encryption protocol (WEP) is enabled prior to allowing wireless devices to
 6.4
        be connected to enterprise systems or networks.

 6.5    Treat all internal wireless connections as external connections.

 6.6    Routinely check for unauthorized external access capability, including wireless access points.

        Confirm that default software installations and configurations are appropriate for your security needs,
 6.7
        including as appropriate changing default passwords and appropriately adjusting security parameters.




                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




                                                                                                                                                       T
        Firewalls should be configured to provide maximum protection over




                                                                                                                                       L
                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A
                                                                                                                      RE



                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L
 7.0




                                                                                                                RE OU




                                                                                                                                             RE T
        information, balancing business needs with reasonable security.




                                                                                                                                O




                                                                                                                                               LE
                                                                                                                                                O
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                O
 7.1    Establish a formal process for approving and testing all external network connections.

 7.2    Establish a firewall at each Internet connection.

 7.3    Establish a firewall between any DMZ and Intranet connection.

        Utilize multi-layered firewall configurations to protect sensitive information.
 7.4
        (See Appendix for senitive data classification).

 7.5    Validate firewall configurations with vulnerability tools available from vendors.

 7.6    Conduct application level assessments to ensure application and database security.
                                                                                                                                         E
                                                                                                                           E




                                                                                                                                IO D B
                                                                                                                    UI D B




        Install and configure anti-spyware software to provide maximum protection
                                                                                                                                                       T
                                                                                                                                       L
                                                                                                                         D




                                                                                                                                                   N
                                                                                                                                     A
                                                                                                                      RE



                                                                                                                                  UL




                                                                                                                                                  VA
                                                                                                                                   N
                                                                                                                       L




  8.0
                                                                                                                RE OU




        of sensitive information on all servers, desktop PCs, and laptops.
                                                                                                                                             RE T
                                                                                                                                O




                                                                                                                                               LE
                                                                                                                                                O
                                                                                                                               SH
                                                                                                                                    PT
                                                                                                                 SH

                                                                                                                  Q




                                                                                                                                              N
                                                                                                                                    O




  8.1   Ensure automatic downloads and updates to enterprise system or network.

        Ensure automatic downloads and updates to desktop PCs, laptops and PDAs that are connected
  8.2   to the enterprise system or network.


  8.3
        Perform frequent scans of data storage using enabling technologies to detect, quarantine, and
        remove viruses, worms, and Trojans.

        Instruct employees not to download unknown attachments that could contain viruses, worms,
        spyware or keystroke loggers potentially giving unauthorized individuals access to the company’s
  8.4
        network. This applies to the user of any computer that has access to the organizational network,
        including the home computer of a telecommuting employee or a traveling employee logging in
        from a hotel or other public access point.

                                                                                                                                                       10
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0

Más contenido relacionado

La actualidad más candente

Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webSafeNet
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trendswardell henley
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldWTHS
 
Issue identification cloud computing
Issue identification cloud computingIssue identification cloud computing
Issue identification cloud computinggirish0984
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Tuan Phan
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenThuan Ng
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesRichard Cole
 
Enterprise Information Systems Security: A Case Study in the Banking Sector
Enterprise Information Systems Security: A Case Study in the Banking SectorEnterprise Information Systems Security: A Case Study in the Banking Sector
Enterprise Information Systems Security: A Case Study in the Banking SectorCONFENIS 2012
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security AwarenessDinesh O Bareja
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationIBM Danmark
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Unisys Corporation
 
Hiring Guide to the Information Security Profession
Hiring Guide to the Information Security ProfessionHiring Guide to the Information Security Profession
Hiring Guide to the Information Security Professionamiable_indian
 
Ramnish Singh Platform Security Briefing
Ramnish Singh Platform Security BriefingRamnish Singh Platform Security Briefing
Ramnish Singh Platform Security Briefingguestb099f64c
 

La actualidad más candente (20)

Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
Asset Security
Asset Security Asset Security
Asset Security
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trends
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile world
 
Issue identification cloud computing
Issue identification cloud computingIssue identification cloud computing
Issue identification cloud computing
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gap
 
Pdf7
Pdf7Pdf7
Pdf7
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyen
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas Companies
 
Enterprise Information Systems Security: A Case Study in the Banking Sector
Enterprise Information Systems Security: A Case Study in the Banking SectorEnterprise Information Systems Security: A Case Study in the Banking Sector
Enterprise Information Systems Security: A Case Study in the Banking Sector
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig information
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
 
Hiring Guide to the Information Security Profession
Hiring Guide to the Information Security ProfessionHiring Guide to the Information Security Profession
Hiring Guide to the Information Security Profession
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 
Ramnish Singh Platform Security Briefing
Ramnish Singh Platform Security BriefingRamnish Singh Platform Security Briefing
Ramnish Singh Platform Security Briefing
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 

Similar a TRUSTe Online Security Guidelines v2.0

Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile securityJAYANT RAJURKAR
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXWIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXIJNSA Journal
 
3 guiding priciples to improve data security
3 guiding priciples to improve data security3 guiding priciples to improve data security
3 guiding priciples to improve data securityKeith Braswell
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkIOSR Journals
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijensgeekmodeboy
 
Five cloud security tips
Five cloud security tipsFive cloud security tips
Five cloud security tipsServiceMesh
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-clouddrewz lin
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
Nt1330 Unit 2 Research Paper
Nt1330 Unit 2 Research PaperNt1330 Unit 2 Research Paper
Nt1330 Unit 2 Research PaperMarilyn Marie
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trustlmgangi
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 

Similar a TRUSTe Online Security Guidelines v2.0 (20)

Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcing
 
report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile security
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXWIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
 
3 guiding priciples to improve data security
3 guiding priciples to improve data security3 guiding priciples to improve data security
3 guiding priciples to improve data security
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
 
Five cloud security tips
Five cloud security tipsFive cloud security tips
Five cloud security tips
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-cloud
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Information security
Information securityInformation security
Information security
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Nt1330 Unit 2 Research Paper
Nt1330 Unit 2 Research PaperNt1330 Unit 2 Research Paper
Nt1330 Unit 2 Research Paper
 
Strategy for Holistic Security
Strategy for Holistic SecurityStrategy for Holistic Security
Strategy for Holistic Security
 
Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trust
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 

Más de TRUSTe

How to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareHow to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareTRUSTe
 
How to use privacy seals to improve privacy practices and increase sales
How to use privacy seals to improve privacy practices and increase salesHow to use privacy seals to improve privacy practices and increase sales
How to use privacy seals to improve privacy practices and increase salesTRUSTe
 
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer TrustTRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer TrustTRUSTe
 
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID Documents
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID DocumentsTNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID Documents
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID DocumentsTRUSTe
 
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email Complaints
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email ComplaintsTRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email Complaints
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email ComplaintsTRUSTe
 
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...TRUSTe
 
How to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareHow to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareTRUSTe
 
Boosting online conversions with the TRUSTe web privacy seal
Boosting online conversions with the TRUSTe web privacy sealBoosting online conversions with the TRUSTe web privacy seal
Boosting online conversions with the TRUSTe web privacy sealTRUSTe
 
Steps to prepare for TRUSTe EU certification
Steps to prepare for TRUSTe EU certificationSteps to prepare for TRUSTe EU certification
Steps to prepare for TRUSTe EU certificationTRUSTe
 

Más de TRUSTe (9)

How to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareHow to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer Care
 
How to use privacy seals to improve privacy practices and increase sales
How to use privacy seals to improve privacy practices and increase salesHow to use privacy seals to improve privacy practices and increase sales
How to use privacy seals to improve privacy practices and increase sales
 
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer TrustTRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
TRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
 
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID Documents
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID DocumentsTNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID Documents
TNS-TRUSTe Study: Consumer Attitudes about Biometrics in ID Documents
 
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email Complaints
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email ComplaintsTRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email Complaints
TRUSTe/Epsilon Whitepaper -- Best Practices that Minimize Email Complaints
 
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...
Trusted Download Program: A Year in the Trenches - How Trusted Downloads Make...
 
How to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer CareHow to Integrate Privacy into Your Customer Care
How to Integrate Privacy into Your Customer Care
 
Boosting online conversions with the TRUSTe web privacy seal
Boosting online conversions with the TRUSTe web privacy sealBoosting online conversions with the TRUSTe web privacy seal
Boosting online conversions with the TRUSTe web privacy seal
 
Steps to prepare for TRUSTe EU certification
Steps to prepare for TRUSTe EU certificationSteps to prepare for TRUSTe EU certification
Steps to prepare for TRUSTe EU certification
 

Último

COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 

Último (20)

COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 

TRUSTe Online Security Guidelines v2.0

  • 1. November 2005 www.truste.org TRUSTe Security Guidelines 2.0 Summary Increasing criminal attacks on consumer and employee data have wrought a high price on individual privacy and trust. In accordance with TRUSTe’s broad mission to increase respect for personal identity and information, we are therefore pleased to issue these revised Data Security Guidelines for use as a resource by our licensees and other members of the public. Meaningful protection of consumer privacy depends on a foundation of responsible data security practices. This new version of the Guidelines provides additional information in three important areas of data security. First, more attention has been given to web application security. Additional guidelines for mobile devices have also been added. Finally, preparation for possible data breaches has been addressed in two new sections. Security standards are not “one size fits all.” Responsible, commercially reasonable standards vary, depending on such factors as a company’s size and complexity, industry category, sensitivity of data collected, number of customers served, and use of outside vendors. These Security Guidelines are divided into five categories of safeguards: Parts 1, 2, and 3 address overall administrative, technical, and physical safeguards. Parts 4 and 5 are substantially new sections and address incident response plans and breach notice processes, respectively. All recommended practices are presented in a checklist form so that companies can assess their own risk levels and adopt the practices most appropriate to their particular circumstances.
  • 2. TRUSTe Security Guidelines 2.0 www.truste.org Introduction Security Enables Privacy No one on the Internet is immune Finally, two sections relating to inci- Protection from security threats. In the race to dent response in general, and specifi- Meaningful protection of consumer develop online services, web applica- cally breach notices, have been privacy depends on a foundation of tions have often been developed and added. Because of the many data responsible data security practices. deployed with minimal attention given breaches recently, many states have In accordance with TRUSTe’s broad to security risks, resulting in a sur- now enacted legislation requiring mission to increase respect for per- prising number of corporate sites that companies to protect data and notify sonal identity and information, are vulnerable to hackers. The conse- affected individuals. As companies we are therefore pleased to issue quences of a security breach are great: contemplate these legal requirements, Data Security Guidelines for use as a loss of revenues, damage to credibility, as well as a desire to maintain cus- resource by our licensees and other legal liability, and loss of customer tomer trust even in the face of data members of the public. We hope trust.Web application security is a sig- breaches, these Guidelines set forth these Guidelines will help facilitate nificant privacy and risk compliance some recommended steps to help internal discussion between privacy concern and organizations should companies be prepared in the event and security groups, assist companies identify and address web application of a data breach. as they initially draft their internal security vulnerabilities as part of an security policies, and be useful as a overall web risk management program. Using the Guidelines checklist to confirm and perhaps dou- Security standards are not “one size blecheck existing policies. These prac- We have also supplemented recom- fits all.” Responsible, commercially tices are not intended as mandatory mended safeguards as they relate to reasonable standards vary, depending procedures for TRUSTe licensees. mobile devices, particularly those on on such factors as a company’s size which sensitive information is stored. and complexity, industry category, This version of the Guidelines sup- While this is not a new area of con- sensitivity of data collected, number plements our previously recommended cern, mobile devices have surfaced as of customers served, and use of out- practices in the areas of web applica- a point of vulnerability for many side vendors. tion security, mobile device security, businesses, as evidenced by a number and best practices related to data breach of publicly-acknowledged breaches The Security Guidelines are drafted incident response, including potential traceable to, for example, stolen lap- in checklist form so that companies public notification of any such breach. tops containing sensitive information. can assess their own risk levels and As technology develops, new meth- adopt the corresponding appropriate Web application security focuses on ods of transmitting, receiving and level of recommended safeguard the ways that sites might be vulnerable storing personal data via mobile devices practices. Larger, more complex com- to hackers. Web applications are used are created. This poses new problems panies which handle data with the to perform most major tasks or web- for privacy protection. The Guidelines highest level of sensitivity will likely site functions. They include forms that set forth some simple steps that can assist find it appropriate to adopt all the collect personal, classified, and confi- companies in determining how to recommended practices, while a dential information such as medical handle data security on mobile devices. smaller company, collecting less history, credit and bank account sensitive information, may conclude information and user feedback. 1
  • 3. TRUSTe Security Guidelines 2.0 www.truste.org that adopting only a subset of these Following each of these three main Guiding Principles controls will still enable it to have categories, the user will find different We recognize that companies may a security program appropriate to types of safeguards, each followed by achieve reasonable security through the nature of the data it collects a number of more detailed supporting other measures, not included within and handles. directives. the Guidelines. While the Guidelines rely upon other learned information These Security Guidelines are divided For the user’s convenience, the security standards such as ISO 17799 into five categories of safeguards: Parts Guidelines are presented in checklist and the Payment Card Industry (PCI) 1, 2, and 3 address overall administra- form, with each recommended control Guidelines, and are informed by reg- tive, technical, and physical safeguards. accompanied by checkboxes which the ulatory requirements such as those Parts 4 and 5 address incident response user can fill in with his or her own imposed by the Gramm Leach Bliley plans and breach notice processes, assessment of whether the practice is Act and HIPAA, they are not intended respectively. Administrative controls appropriate and relevant to the user’s as a comprehensive list of all leading include, for example, drafting a written particular company, as follows: security measures. Rather, the internal security policy, training Guidelines are intended to provide employees, conducting ongoing security Should be required – A check in a relatively non-technical, high level risk assessments, and establishing proce- this category means that you believe overview of responsible security dures in connection with external third the practice or procedure should be practices. For those users wishing a parties (including vendors) with whom implemented within your organization more detailed or technological focus, data is shared.Technical measures to achieve reasonable data protection the Guidelines also contain links to an include controlling employee access to levels. array of information security websites sensitive information on a need-to- which some users will find helpful. know basis, establishing good password Should be optional – A check in practices, ongoing monitoring to assess this category means that you believe We anticipate that the Guidelines will threats and vulnerabilities, ensuring web the practice or procedure will be evolve over time to reflect emerging application security, and establishing useful, but may not be appropriate technologies and business issues that incident response procedures. Physical within your organization to achieve may impact the safety, security and controls include practices such as mon- reasonable data protection levels. quality of sensitive or confidential itoring legitimate access to data, estab- information used by TRUSTe’s lishing physical access controls, and Not relevant – A check in this licensees. Finally, we welcome securing one’s data facilities. Finally, category means that you believe the suggestions and comments via email incident planning and response controls practice or procedure will not be to policylegal@truste.org. include creating a response team, creat- useful within your organization for ing a response plan, and formulating a purposes of data protection. breach notification policy. 2
  • 4. TRUSTe Security Guidelines 2.0 www.truste.org Sources Following are the main sources used to draft the attached Guidelines: International Organization for Standardization (ISO) 17799. ISO-17799 is an International recognized Information Security Management Standard first published in December 2000, derived from British Standard 7799 Parts I and II. Visa USA Cardholder Information Security Program (CISP). Established in June 2001, the program is intended to protect Visa cardholder data to ensure that members, merchants, and service providers maintain reasonably high information security standard. In addition to the CISP “digital dozen,” we included new features from the PCI Data Security Guidelines. Organisation for Economic Co-Operation and Development (OECD), Guidelines for the Security of Information Systems. In addition, we reviewed various papers published by the Business and Industry Advisory Committee (BIAC) to the OECD. Acknowledgments TRUSTe would like to acknowledge the many experts we consulted in revising these Guidelines. Dr. Larry Ponemon of the Ponemon Institute was instrumental in developing these Guidelines. Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. www.ponemon.org Watchfire provided input and guidance in developing the Web application security guidelines. Watchfire is a provider of Online Risk Management software and services to monitor and report online security, privacy, quality, accessibility, and compliance risks. For more information on Watchfire and its web application security expertise please visit: http://www.watchfire.com/securityzone/default.aspx Joanne McNabb, Chief, California Office of Privacy Protection, provided guidance in connection with the new incident response sections. The California Office of Privacy Protection assists individuals with identity theft and other privacy-related concerns; provides consumer education and information on privacy issues; coordinates with local, state and federal law enforcement on identity theft investiga- tions; and recommends policies and practices that protect individual privacy rights. www.privacy.ca.gov TRUSTe would also like to recognize the contributions of Ernst & Young and ChoicePoint Inc. 3
  • 5. TRUSTe Security Guidelines 2.0 www.truste.org Part 1: Administrative Controls E E IO D B UI D B T L D N A RE UL VA N L 1.0 Establish a security committee. RE OU RE T O LE O SH PT SH Q N O Ensure that the committee is composed of cross-functional members representing different parts 1.1 of the organization. 1.2 Create a charter for the security committee. Designate an executive sponsor for security function. The sponsor should also serve as 1.3 a member of the cross-functional committee. E E IO D B UI D B T L Establish a formal, written security policy and detailed standard D N A RE UL VA N L 2.0 RE OU RE T O operating procedures. LE O SH PT SH Q N O Ensure that the policy applies to the entire organization or that appropriate policies exist to cover 2.1 the various operations in the organization, and that they are integrated with other enterprise policies. Ensure that appropriate policies also apply to your internal and external websites. 2.2 Align the policies with other compliance policies, especially those for privacy and secure vendor relationships. Before creating your policies, determine regulatory compliance needs as relevant to the data and customers. 2.3 Ensure that versions of the security policy are coordinated and rigorous version control is exercised. Periodically review the security policy and standard operating procedures, revising them as 2.4 necessary based on changing business, technology and environmental conditions. Disseminate the security policy and detailed standard operating procedures to all relevant 2.5 stakeholders within the organization. Consider developing an externalizable version of the policy and for outside stakeholders of the organization, including outside contractors agents. 2.6 Provide appropriate information on how you secure information to users on your websites through a link on each page. Consider including this summary in your privacy statement. 4
  • 6. TRUSTe Security Guidelines 2.0 www.truste.org Part 1: Administrative Controls, cont. E E IO D B UI D B T L D N A 3.0 Conduct ongoing security risk assessments. RE UL VA N L RE OU RE T O LE O SH PT SH Q N O Identify and prioritize security risk threats and vulnerabilities. Consider, at a minimum, risks in 3.1 these areas: employee training and management; information systems; and prevention, detection and response to attacks or other systems failures. 3.2 Prioritize resource allocation and spending based on prioritized risk areas. Periodically review risk assessments and revise them as necessary, especially in response 3.3 to business, technology and environmental changes. E E IO D B UI D B T L D N A RE UL VA N L 4.0 Require a system security plan for every major system and network. RE OU RE T O LE O SH PT SH Q N O 4.1 Conduct a periodic review of system security plans and revise them as necessary. Ensure that plans and policies for security include periodic review and control over endpoints 4.2 such as desktop PC’s, laptops, PDA’s, and other devices which connect to sensitive networks or systems (including Bluetooth technology). 4.3 Require system interconnection agreements. 4.4 Require user system access agreements. 4.5 Conduct periodic review of system interconnection agreements and revise them as necessary. E E IO D B UI D B T L D N A RE UL VA N L Establish contingency plans, including maintenance of access controls. RE OU 5.0 RE T O LE O SH PT SH Q N O 5.1 Establish business continuity plan. 5.2 Establish disaster recovery plan. 5.3 Establish personnel emergency plan. 5.4 Conduct periodic review and test of contingency plans and revise them as necessary. E E IO D B UI D B T L D N A RE UL VA N L Integrate security throughout the system life cycle, including: RE OU 6.0 RE T O LE O SH PT SH Q N O Requirements definitions. 6.1 Design/procurement procedures. 6.2 Testing and maintenance procedures. 6.3 5
  • 7. TRUSTe Security Guidelines 2.0 www.truste.org Part 1: Administrative Controls, cont. E E IO D B UI D B T L D N A RE UL VA N L 7.0 Establish formal data backup processes. RE OU RE T O LE O SH PT SH Q N O 7.1 Ensure that data backup includes the maintenance of current access controls. 7.2 Conduct periodic review and test of data backup processes and revise them as necessary. E E IO D B UI D B T L D N A RE UL VA N L 8.0 Establish security auditing process. RE OU RE T O LE O SH PT SH Q N O 8.1 Conduct periodic reviews of all security controls through internal or external audit. Include web applications, as well as host, network and user accounts as part of the audit. 8.2 Conduct mock reviews to test the organization’s ability to respond to threats (including vulnerability to social engineering). E E IO D B UI D B T L D N A RE UL VA N L Document all system and network configurations. RE OU 9.0 RE T O LE O SH PT SH Q N O 9.1 Establish a formal configuration/change control process (including vulnerability identification and patching), with pre-production testing. 9.2 Document and classify all sensitive information (data inventory). Document formal and appropriate rules of behavior, acceptable use and confidentiality 9.3 agreements for all personnel with access to sensitive information. Document all appropriate separation of duties (e.g., system administrators and security 9.4 administrators should not be the same person). 9.5 Document routine and emergency access termination procedures. 9.6 Document a formal incident response capability. E E IO D B UI D B T L D N A RE UL VA N L 10.0 Establish employee awareness and training program. RE OU RE T O LE O SH PT SH Q N O 10.1 Establish a certification and accreditation (C&A) process for employees with access to major systems. 10.2 Require all employees to undergo basic initial and refresher security training. Track and document completion of training. 10.3 Support continuing professional training and education for security specialists. 6
  • 8. TRUSTe Security Guidelines 2.0 www.truste.org Part 1: Administrative Controls, cont. E E IO D B UI D B T L D N A 11.0 Establish special procedures for outsourced IT or data management activities. RE UL VA N L RE OU RE T O LE O SH PT SH Q N O Perform vendor due diligence before sharing sensitive or confidential information, including all 11.1 personally identifiable consumer or employee data. 11.2 Perform a site audit of the vendor’s data center to determine adequacy of security infrastructure. Obtain certification from the vendor that they are in compliance with the customer’s privacy and 11.3 data protection obligations as required by law or stated policies. 11.4 Impose contractual control over vendors’ data use and practices. 11.5 Perform periodic or random audits of the outsourcing vendor. Whenever feasible, determine the adequacy and competence of the outsourced vendor’s key 11.6 personnel (especially those individuals who are responsible for handling or managing sensitive personal information). 7
  • 9. TRUSTe Security Guidelines 2.0 www.truste.org Part 2: Technical Security E E IO D B UI D B Control access to information that resides on data T L D N A RE UL VA N L 1.0 RE OU storage devices such as servers, desktop PCs, laptops, and PDAs. RE T O LE O SH PT SH Q N O 1.1 Use unique ID or username for all system users. Ensure that neither Social Security nor account numbers are used as an ID or username. 1.2 Use authentication mechanisms, such as passwords, tokens, and/or biometrics. Require system administrators to use regular user accounts for work that does not need 1.3 enterprise-wide system or security administration privileges. 1.4 Assign access privileges based on a need to know (the level of access should only relate to job function and be not based on organizational position or rank). 1.5 Whenever feasible, utilize a two-factor authentication procedure before granting access to a user’s sensitive information. 1.6 When possible, implement a method for online service requests concerning changes in usernames and passwords. 1.7 Force appropriate session timeouts, such as 15 minutes or less, if idle. E E IO D B UI D B T L D N A RE UL VA N L RE OU 2.0 Establish password usage policy that encompasses the following rules: RE T O LE O SH PT SH Q N O 2.1 Whenever feasible, use a minimum of six digit alpha-numeric format. Instruct users to create such passwords during a periodic password change process. 2.2 Prohibit passwords based on account number, username, real name, Social Security number, or publicly available personal details (birthdays, names of children or pets, etc.). 2.3 Restrict password reuse. Establish a formal user authentication process for resetting passwords. When possible, make 2.4 password change or reset option available from the login page. Allow users to update their password hints or questions. When sending a registration confirmation or other type of welcome email, provide only the 2.5 username within the email and implement a password reset feature on the web site. 2.6 Username and passwords should not be sent together within the same email. 2.7 Force password expiration. 2.8 Establish lost/stolen laptop procedures, including password cancellation. 8
  • 10. TRUSTe Security Guidelines 2.0 www.truste.org Part 2: Technical Security, cont. E E IO D B UI D B T L Control access to information that can be displayed, printed, and/or down- D N A RE UL VA N L 3.0 RE OU RE T O LE loaded to external storage devices, especially desktop PCs, laptops or PDAs. O SH PT SH Q N O 3.1 Have operating controls that restrict downloads of sensitive information without proper identification. (See Appendix for sensitive data classifications.) 3.2 Have screen savers and screen shields to minimize the display of sensitive data to unauthorized users. 3.3 Have shutdown controls when computers are idle or inactive. 3.4 Whenever feasible, only allow read-only access rights when using remote computers or wireless devices to enter the organization’s network or enterprise system. As much as possible, limit the use of personally identifiable information on laptops. Where such 3.5 use is essential, ensure that data is encrypted or, at a minimum, that such laptops are protected by something stronger than a password. Set up periodic disk clean-up reminders to help eliminate temporary backups and empty recycle/ 3.6 trash bin. Consider reflecting this practice in your company document retention/deletion plans. E E IO D B UI D B T L D N A Monitor user accounts to identify and eliminate inactive users, specifically: RE UL VA N L 4.0 RE OU RE T O LE O SH PT SH Q N O 4.1 Accounts that have been inactive for 60 days should be automatically terminated. 4.2 Accounts of terminated employees and contractors should be shut down within 24 hours. Regularly cross-check user accounts against HR records to ensure that access by former 4.3 employees has been terminated. E E IO D B UI D B T L D N A Ensure sufficient safeguards over the transmission and storage of RE UL VA N L RE OU 5.0 RE T O LE O data, including: SH PT SH Q N O 5.1 Use reasonable encryption methods when transmitting or receiving sensitive information, especially when sent or received over the public Internet. Ensure that you employ at least 128-bit encryption. 5.2 Use wireless encryption protocol (WEP) when transmitting or receiving sensitive information from PDAs, Web phones, laptops, and emerging devices that use Bluetooth connection technologies. 5.3 Use reasonable encryption methods for storage, especially when maintaining sensitive information on servers, desktop PCs, and laptops. Use VPN software to authorize and encrypt traffic from authorized devices, and ensure that VPN 5.4 access has adequate controls and is monitored. Use configuration monitoring tools to flag storage devices that are removed from the network or 5.5 enterprise system. Restrict the downloading of sensitive personal information from central storage devices onto 5.6 personal computers or wireless storage devices. 9
  • 11. TRUSTe Security Guidelines 2.0 www.truste.org Part 2: Technical Security, cont. E E IO D B UI D B T L D N A Configure all servers, desktop PCs, and laptops prior to use, including: RE 6.0 UL VA N L RE OU RE T O LE O SH PT SH Q N O 6.1 Disable unused ports. 6.2 Install/enable automatic screen locks to prevent access after a certain period of inactivity. 6.3 Change all vendor-supplied default passwords. Ensure that wireless encryption protocol (WEP) is enabled prior to allowing wireless devices to 6.4 be connected to enterprise systems or networks. 6.5 Treat all internal wireless connections as external connections. 6.6 Routinely check for unauthorized external access capability, including wireless access points. Confirm that default software installations and configurations are appropriate for your security needs, 6.7 including as appropriate changing default passwords and appropriately adjusting security parameters. E E IO D B UI D B T Firewalls should be configured to provide maximum protection over L D N A RE UL VA N L 7.0 RE OU RE T information, balancing business needs with reasonable security. O LE O SH PT SH Q N O 7.1 Establish a formal process for approving and testing all external network connections. 7.2 Establish a firewall at each Internet connection. 7.3 Establish a firewall between any DMZ and Intranet connection. Utilize multi-layered firewall configurations to protect sensitive information. 7.4 (See Appendix for senitive data classification). 7.5 Validate firewall configurations with vulnerability tools available from vendors. 7.6 Conduct application level assessments to ensure application and database security. E E IO D B UI D B Install and configure anti-spyware software to provide maximum protection T L D N A RE UL VA N L 8.0 RE OU of sensitive information on all servers, desktop PCs, and laptops. RE T O LE O SH PT SH Q N O 8.1 Ensure automatic downloads and updates to enterprise system or network. Ensure automatic downloads and updates to desktop PCs, laptops and PDAs that are connected 8.2 to the enterprise system or network. 8.3 Perform frequent scans of data storage using enabling technologies to detect, quarantine, and remove viruses, worms, and Trojans. Instruct employees not to download unknown attachments that could contain viruses, worms, spyware or keystroke loggers potentially giving unauthorized individuals access to the company’s 8.4 network. This applies to the user of any computer that has access to the organizational network, including the home computer of a telecommuting employee or a traveling employee logging in from a hotel or other public access point. 10