
IT Security Policies

Measures and protocols we implement to protect ourselves from cyber threats

Last Modified: March 24, 2024

THIS IT SECURITY POLICY IS GOVERNED BY THE MASTER AGREEMENT (THE “MSA”). ALL CAPITALIZED TERMS UNDER THIS RESIDENT IT SECURITY POLICY SHALL BE DEEMED TO HAVE THE MEANING GIVEN TO SUCH TERMS UNDER THE MSA.

1. RIGHT TO SECURITY AUDIT

1.1 Access to Resident Premises

The Customer who has executed a Master Services Agreement with Resident is allowed to access Resident’s premises for security Audit purposes, the whole subject to: (i) Resident’s prior written consent (not to be unreasonably withheld); (ii) any reasonable security provisions of Resident in effect at the time of such access; and (iii) agreement on details of personnel, timelines, duration and scope of services being provided. Access can notably be denied based on conflict of roles and impact to Resident’s performance.

1.2 Security Audit

a) Customer has the right to conduct periodic audits of the physical security environment requirements.

b) Resident authorizes Customer to regularly inspect / audit the Resident Privacy and IT Security Policies processes and procedures implemented with regards to Resident Services, including, but not limited to, the following:

  1. Risk Management Process.

  2. Incident and Change Management Process.

  3. Security Tests (Vulnerability and Pentest).

  4. System Hardening Guidelines.

  5. BCP and DR and other Contingency services and Process.

c) Resident authorizes Customer, with no additional cost, to inspect the operational processes implemented for the Resident Services based on the scope, extent and on the Resident Agreements in Force and Effect.

d) Resident acknowledges that Customer reserves the right to require changes to Resident’s Privacy and IT Security Policies processes if they are found to be inadequate; such changes are mutually agreed upon, commercially reasonable and subject to a reasonable time frame in execution.

1.3 Inspection Reports

a) At the sole expense of the Customer, Resident acknowledges that Customer reserves the right to receive audit reports where independent auditors are used to audit Resident’s risk management arrangements for the Resident Services including security assessment reports such as penetration tests, vulnerability assessments, BCP/DR plans, test reports, etc.

b) Resident recommends that independent reviews and assessments are required by Customer to be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).

2. OPERATIONAL INFRASTRUCTURE

2.1 Physical Controls

a) Resident has put in place appropriate procedures to ensure that the responsibilities for the maintenance of a secure operating environment are properly allocated and discharged.

b) Resident has implemented physical and environmental controls to protect the service commensurate with the level of risk. Resident has addressed physical and environmental threats in the risk assessment.

c) The physical protection of the Resident Services’ equipment and the service work area as a minimum covers:

  1. Intruders.

  2. Safety of people in fire hazards, and other threats such as natural calamities (storms, cyclones, forest fires, etc.) and also man-made calamities (bomb threats, any accidental or intentional malicious activities).

d) Sites where Sensitive Data or processes are managed comply with recognized standards (such as ANSI/TIA942) for data centre premises management and security.

2.2 Logical Control

a) Resident ensures that IT equipment (at primary, backup and third-party locations) used in providing Resident Services to Customer logically separates Customer Business Data and Users Personal Data from that of Resident’s other customers.

b) Resident ensures that the Customer’s environment, at Resident’s designated premises, is at least logically compartmentalized, separating it from the rest of Resident’s environment to ensure no penetration is possible from other client environments or from Resident’s wider network.

2.3 Restriction of Network Access, Private Link

a) Resident only has the minimum access to Customer’s network in order to deliver the Resident Services. When there is a need for Resident to access some applications, access is, where possible, provided through a terminal services mechanism. Where not possible, shared systems are situated on a specific DMZ. Access rights at OS and application levels are also managed to restrict access to the minimum required to provide the Resident Services.

b) The transfer of data between Customer and Resident shall be secured end to end as a private link. When implemented through a virtual private network, the encryption level shall be sufficient to ensure the integrity of the connection and is established at the strongest current commercial level of encryption. Where possible, the VPN shall be established at the application level (e.g. SSL VPN) rather than the network level (e.g. IPSEC) in order to restrict the access and connectivity only to what is required. Where a network VPN is required, application encapsulation (e.g. via terminal services) shall be used and strict controls on compartmentalization are enforced (as above).

c) Transfer of data using a dedicated communication link is encrypted so as to avoid data leakage.

2.4 Application Architecture

For application development, the different components of the application (presentation, data processing, database, identification and authentication process, etc.) are distinct and, if possible, hosted on different physical or virtual servers so that the different components are situated in different zones of the network architecture.

2.5 Separation of Development Environments

Resident shall respect clear separation of production, development and integration environments.

2.6 Filtering Mechanism

a) Resident shall apply necessary filtering mechanisms to prevent unrestricted access from the Internet to websites' administration interfaces.

b) Resident assumes that Customer is defensive of its business network and sets a number of conditions on systems that are allowed to connect to it. Resident shall introduce controls to limit the incidence of:

  1. Unauthorized access to Customer’s systems.

  2. Interference with network components.

  3. Performance degradation across the network.

  4. Interference with network traffic.

  5. Multi-factor authentication is required for all remote user access.

c) Resident shall include the following conditions to all systems wishing to connect to Customer’s network:

  1. The gateway between Customer’s network and external systems is adequately secured.

  2. There are controls to prevent unauthorized access from connected systems to the organization’s network.

  3. There are adequate monitoring and controls to prevent external networks or systems from interfering with the operation of Customer’s network.

d) Resident shall implement the industry standard on access control and authorization through use of User IDs and Passwords (length, characters, attempts, re-authentication, duration and expiry, storage, disable, etc.).

e) Strong authentication will be used for critical business applications and for remote access activities.

f) User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

g) Policies and procedures are established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g. system interfaces, over public networks, and electronic messaging).

h) Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.

i) Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:

  1. Perimeter firewalls implemented and configured to restrict unauthorized traffic.

  2. Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).

  3. Logical and physical user access to wireless network devices restricted to authorized personnel.

  4. The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network.

j) An external accurate (externally agreed upon) time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and orbital storage and relay platforms (US GPS and EU Galileo Satellite Network) may mandate a reference clock that differs in synchronization from the organization’s domicile time reference; in this event the jurisdiction or platform is treated as an explicitly defined security domain.

k) Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

2.7 Storage and Media Controls

Resident shall ensure that its staff understands the sensitivity associated with all media within the service and puts in place appropriate procedures for its secure destruction in case of a fault, failure or life expiry.

2.8 Operational Infrastructure: Licensing

Resident shall demonstrate a responsible attitude to copyright as it affects the licensing and use of software including:

  1. Procedures for software and license management.

  2. Monitoring any use of unauthorized / unlicensed software.

  3. Investigation of such incidents and its mandatory reporting requirements to Customer.

2.9 Malicious Software

a) Resident shall put in place appropriate checking and elimination procedures to ensure that the service is not affected by viruses during development, maintenance and operation.

b) Resident guarantees the integrity of all introduced software and new software versions prior to their integration into the service environments.

c) Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

2.10 Secure Configurations

a) Resident security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements is reassessed at least annually or upon significant changes.

b) Any variations shall be documented and agreed upon by the Parties.

c) Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.

d) Policies and procedures shall be established and measures implemented to strictly limit access to Sensitive Data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g. desktop computers at the organization's facilities).

e) Network and infrastructure service level agreements (in-house or outsourced) clearly document security controls, capacity and service levels, and business or customer requirements.

f) Mobile code is authorized before its installation and use, and the configuration ensures that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code is prevented from executing.

2.11 Logging And Monitoring

a) Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

b) Access to, and use of, audit tools that interact with the organization’s information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

3. INFORMATION MANAGEMENT, SECURITY AND CONFIDENTIALITY

3.1 Information

a) Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

b) A complete inventory of critical assets is maintained with ownership defined and documented.

c) Policies and procedures shall be established for the acceptable use of information assets.

d) All information submitted by Customer to Resident, or otherwise in Resident’s possession or accessible by Resident, remains the property of Customer. Customer information is not:

  1. Used by Resident other than in connection with providing the Resident Services.

  2. Disclosed, sold, assigned, leased or otherwise provided to third parties by Resident.

  3. Commercially exploited by or on behalf of Resident.

  4. All assets owned by the organization are returned within a defined and documented time frame once the employment, contract or agreement is terminated.

e) Data, and objects containing data, are assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

f) Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

g) Security mechanisms shall be implemented to prevent data leakage.

h) Production data is not replicated or used in non-production environments.

i) Information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) is made available to authorized personnel to ensure the following:

  1. Configuring, installing, and operating the information system.

  2. Effectively using the system's security features.

j) Resident guarantees that the classification of the data specified by the Customer’s information owner (in terms of confidentiality, integrity and availability) is respected at all stages of Information processing, and is also consistent with the requirements of the MSA.

k) Resident guarantees that it (and any person employed or engaged by such party in connection with this project in the course of such employment or engagement) only uses proprietary information provided by Customer for the purposes for which it was provided or came into its possession.

3.2 Compliance

a) Resident shall comply with Information Security Management System (ISMS) as applicable.

b) Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned a legislative domain and jurisdiction to facilitate proper compliance points of contact.

c) Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. Resident's approach to meet known requirements, and adapt to new mandates shall be explicitly defined, documented, and kept up to date for each information system element. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.

d) Resident shall approve a formal information security policy (the “Information Security Policy”) document which is communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align with best practices, regulatory, federal/provincial and international laws where applicable. The Information Security Policy shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles.

e) Resident shall review the Information Security Policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy, and policies and procedures are established and made available for all personnel to adequately support their service operations roles.

f) Policies and procedures are established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.

3.3 Protecting Confidentiality, Integrity and Availability

a) Resident formally acknowledges its responsibility for protecting Confidential Information as per the terms and conditions of the Master Services Agreement and the requirements reflecting the organization's needs for the protection of data and operational details shall be identified, documented and reviewed at planned intervals.

b) Resident implements protection measures to ensure the confidentiality of Customer’s Confidential Information and of third party information entrusted to Customer, at rest and in transit within the service, which may include:

  1. Adequate file/record access controls.

  2. Encryption of sensitive files.

  3. Communications encryption.

  4. Secure key management.

  5. Policy on directory structures.

  6. Least privilege.

  7. Need to know authorities.

c) Resident takes all necessary precautions to ensure that Confidential Information is disclosed only to such of their employees, servants, agents, consultants, or subcontractors who have a need to know.

d) Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions are restricted and approved by management prior to access being granted.

e) User access policies and procedures are documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements.

f) Timely deprovisioning, revocation or modification of user access to the organization’s systems, information assets and data are implemented upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization.

g) All levels of user access are reviewed by management at planned intervals and documented. For access violations identified, remediation follows documented access control policies and procedures.

h) Third party agreements that directly or indirectly impact the organization's information assets or data include explicit coverage of all relevant security requirements. This includes agreements involving processing, accessing, communicating, hosting or managing the organization's information assets, or adding or terminating services or products to existing information assets. Agreement provisions include security (e.g., encryption, access controls, and leakage prevention) and integrity controls for data exchanged to prevent improper disclosure, alteration or destruction.

i) Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

3.4 Return or Destruction of Information

Upon Customer’s request at any time, Resident shall:

  1. Promptly return to Customer, in the format and on the media in use as of the date of the request, all or the portion requested of Customer Business Data; and/or

  2. Erase or destroy all or a portion of Customer Business Data in Resident's possession and destroy all media containing Customer Business Data that is not functioning properly. If Customer directs Resident to erase or destroy all or a portion of Customer Business Data, Resident promptly confirms to Customer in writing that such erasure or destruction has occurred. Archival tapes containing any Customer Business Data are used solely for back-up purposes and are returned or destroyed.

3.5 Policy and Scope

a) Resident shall have an information risk management policy that is demonstrable, and at minimum covers the following scope of areas:

  1. Information protection

  2. Awareness process

  3. Physical security

  4. Computer and Network Management

  5. Access controls

  6. System development and maintenance

  7. IS Recovery plans

  8. Compliance

b) Resident periodically carries out risk assessment covering all operations within the scope of Resident's contract with Customer, and also Resident periodically reviews Customer’s information risk management requirements for the Resident Services.

3.6 Roles and Responsibilities

a) As part of the Resident Service Level Agreement, the information risk management roles assigned to each Party and their associated responsibilities are clearly defined.

b) Resident shall nominate an information risk manager for Customer (the TAM - Technical Account Manager) who is responsible for the protection of Customer’s Confidential Information and any third party information entrusted to Customer.

c) Roles and responsibilities of contractors, employees and third party users are documented as they relate to information assets and security.

d) Policies, processes and procedures are implemented to enforce and assure proper segregation of duties. In those events where user-role conflict of interest constraint exists, technical controls are in place to mitigate any risks arising from unauthorized or unintentional modification or misuse of the organization's information assets.

e) Users are made aware of their responsibilities for:

  1. Maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements.

  2. Maintaining a safe and secure working environment.

  3. Leaving unattended equipment in a secure manner.

3.7 Risk Management

a) Resident shares the risk assessment findings and proposed remediation plans with Customer and notifies Customer of any delays in meeting the agreed dates for implementing specific information risk management controls and adheres to the agreed process for managing any slippage.

b) Resident shall have risk management procedures in place with regard to staff management:

  1. Liaising with Customer’s information risk manager.

  2. Monitoring the service for information risk management breaches.

  3. Investigating and reporting all information risk management breaches and results of all investigations within the bounds of the service provided.

c) Resident shall have risk management procedures in place with regard to staff management:

  1. Hiring, change of work, dismissal, resignation, redundancy, termination of contract, transfer, unavailability of the staff, removal of user access privileges.

  2. All members of Resident's and Sub-contractor's staff shall sign a confidentiality agreement in respect of Customer proprietary information and that of third party information entrusted to Customer.

d) Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties are subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.

e) Resident guarantees that the information risk management regime proposed to protect information is appropriate to the ambient risks.

f) Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.

g) Resident shall have a process for resolving disputes about information risk management issues.

h) Resident shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level.

i) Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

j) Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.

k) Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.

l) The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data are followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis are implemented prior to provisioning access.

3.8 Awareness

a) Resident shall ensure that its staff has an understanding of information risk management threats and concerns relating to the Resident Services and of relevant information risk management policies.

b) Resident staff assigned to the Resident Services shall receive training and regular updates on relevant information risk management policies and procedures of standard risk management classification scheme and appropriate procedures.

c) Sub-contractor staff assigned to the Resident Services shall be made aware of Resident's information risk management classification scheme and appropriate procedures.

d) Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

4. INCIDENT MANAGEMENT

4.1 Procedures for Managing Information Security Incidents

a) There shall be procedures established covering the investigation and reporting of all information security incidents immediately including the following but not limited to:

  1. The investigation

  2. Escalation

  3. Report format

  4. Disciplinary action

  5. Legal action

  6. Action taken to prevent the recurrence of the incident

  7. Feedback into the security management system

b) Resident shall have a process for ensuring that information security incidents are properly managed at no additional cost to Customer and within a timescale documented within the Service Level Agreement and for any formal forensic investigation.

c) Resident undertakes to communicate in full transparency with Customer on the investigation and subsequent action taken following information security incidents involving Customer.

d) Mechanisms shall be in place to monitor and quantify the types, volumes, and costs of information security incidents.

e) Resident shall notify Customer of any unauthorized possession, disclosure, use or knowledge, or attempt thereof, of Customer information of which it becomes aware, including any breach of security on a system, LAN or telecommunications network which contains, processes or transmits confidential information.

f) Resident shall ensure that service logs are regularly and effectively inspected for information security incidents.

g) Resident shall notify Customer of any changes to its environment that would significantly alter the level of security of the Resident Services.

h) Resident shall perform information risk monitoring and reporting and, as a minimum:

  1. Monitoring and reporting of security status.

  2. Information risk management incident reporting.

  3. Adheres to preset reporting structure and formats.

  4. Reporting frequencies are at least quarterly.

i) Resident shall immediately inform Customer’s contract manager or nominated contact, of any known or suspected compromises of Customer’s information assets or violations of the contract.

4.2 Follow-Up and Notification

a) Investigation of information security incidents discovered in audit trails shall be managed within the overall procedures established for the management and reporting of information security incidents.

b) In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures including chain of custody shall be in place for collection, retention, and presentation of evidence to support potential legal action subject to the relevant jurisdiction.

4.3 Emergency Response

a) Resident has in place an emergency response team, as per the SLA.

b) In the event of a major risk management breach Resident shall allocate appropriate resource to the emergency response team set up by Customer.

5. BUSINESS CONTINUITY

5.1 Plan and Procedures

a) Resident shall have a defined and documented method for determining the impact of any disruption to the organization which incorporates the following:

  1. Identify critical products and services.

  2. Identify all dependencies, including processes, applications, business partners and third party service Resident.

  3. Understand threats to critical products and services.

  4. Determine impacts resulting from planned or unplanned disruptions and how these vary over time.

  5. Establish the maximum tolerable period for disruption.

  6. Establish priorities for recovery.

  7. Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption.

  8. Estimate the resources required for resumption.

  9. Staff awareness of contingency.

  10. Safety plans.

b) Resident shall have a defined set of procedures for action in a contingency situation. Resident shall ensure that:

  1. Conditions for implementation are clearly set out and understood.

  2. Resident’s responsibilities are fully defined.

  3. All third party responsibilities are fully defined.

c) There shall be a detailed fallback and recovery plan within the migration plan to prevent loss or corruption of Customer information.

d) Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.

e) To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high-probability environmental risks and supplemented by redundant equipment located a reasonable distance away.

f) Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

g) Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception or damage and designed with redundancies, an alternative power source and alternative routing.

h) Resident shall supply reliable technology supported by alternative or duplicate facilities, as well as by a primary (onsite) and secondary (offsite) data backup strategy, to meet the service requirements in the Resident Agreement in Force and Effect, with sufficient capacity to cope with current and predicted workloads.

i) Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups shall be implemented at planned intervals.

5.2 Service Resilience

a) Resident shall have an annual test plan describing the number and types of tests to be conducted and the test objectives.

b) Resident endeavors to ensure that the approved business continuity plan is periodically tested by a third party for its adequacy and effectiveness.

5.3 Change and Evolution Procedures

a) Resident shall have a process for managing changes to the Resident Services (covering all components of service operational environments) which ensures that:

  1. A formal, controlled process shall be applied for all changes.

  2. An integration process shall be applied for all new components before they are rolled out.

  3. A rollback plan shall be defined and validated for each change.

  4. Functional changes shall be validated by information owners.

  5. Any changes to applications or operating systems that have an impact on the infrastructure shall be validated by the relevant Information Security manager.

  6. Applications shall be maintained considering the ongoing support of the infrastructure and the evolution of platforms by suppliers.

b) Resident shall notify Customer’s information risk manager of any changes that may have an effect on the information risk management environment of the Resident Services.

5.4 Testing

a) Resident shall have procedures in place to ensure the proper certification and acceptance of products after testing, which include at a minimum:

  1. Design authority acceptance

  2. Test certification

  3. Customer handover procedures

b) Resident endeavors to demonstrate that its testing regime is able to adequately manage test data.

c) Resident shall take every precaution so that Sensitive Data is never used for testing purposes. If the use of Sensitive Data is essential to the successful implementation of the Resident Services, Resident shall implement procedures to manage it appropriately.

d) All software provided for use with the Resident Services shall be adequately tested, including at a minimum:

  1. Functional testing.

  2. Integration testing.

  3. Security testing.

  4. Performance testing.

  5. Acceptance tests.

  6. Independent test authority.

  7. Independent testing.

  8. Regression testing of system software version compatibility.

  9. System environment testing including the operating and application software, network infrastructure, and operational process involved in service delivery.

5.5 Emergency Changes

Resident shall have a process for handling emergency changes, which includes integration of the changes into standard procedures.

6. PCI-DSS SECURITY

Resident shall have formally assessed and documented its compliance against PCI DSS requirements.

7. SOFTWARE AND APPLICATION DEVELOPMENT

7.1 Procedures

a) Resident shall have a defined and documented method for determining the impact of any disruption to the organization which incorporates the following:

b) Security policies shall explicitly state the security requirements and process to be adopted during software/application development, and shall be designed in accordance with industry-accepted security standards and comply with applicable regulatory and business requirements.

c) A security process is established, implemented and monitored.

d) Resident shall ensure its developers receive regular awareness sessions.

e) Resident shall have security processes to identify and address those applications that use User Personal Data.

7.2 Requirements Phase

a) Resident shall have a process to ascertain the security requirements from the business/application owner from the requirements and feasibility stages themselves, which at a minimum addresses:

  1. Awareness of the security and privacy contacts and advisors.

  2. A defined document on security and privacy bug bars, along with mandatory use of a bug tracking system.

  3. Identification of staff that have access to Sensitive Data.

  4. Administration of the users through access reviews and verification of identity.

  5. Application logging features enabled.

  6. Identification and communication on multifactor authentication and encryption as part of the solution if applicable.

7.3 Design, Development and Implementation Phase

a) Resident shall have documented design techniques, applied according to whether code is managed or unmanaged and covering least privilege, attack surface minimization and restriction through default settings, etc.; records shall be maintained of each individual granted access, the reason for access and the version of source code exposed.

b) Resident shall ensure that supplemental security criteria are identified for product-specific issues such as cross-site scripting, SQL injection attacks, etc., and that utility programs capable of overriding system, object, network, virtual machine and application controls are restricted.

c) Resident shall adopt and implement a threat modeling process as a systematic review of feature and product architecture to identify threats and mitigations.

d) Security shall be considered and addressed as part of input validation and exception handling.

e) Resident shall ensure that load balancing and load monitoring have been designed in to protect against destruction or denial of service and to ensure availability.

f) There shall be a defined process, together with the documentation and tools necessary, to ensure secure deployment and operation.

7.4 Verification, Testing and Release

a) At minimum, Resident shall consider and ensure the following:

  1. Vulnerability assessments conducted to ensure application security.

  2. Penetration testing to ensure security impacts from a hacker's perspective are covered.

  3. All response plans implemented and acted upon, along with re-evaluation of the attack surface.

  4. Conduct of both automated and manual code review to ensure code is bug-free.

  5. Review of the design and architecture in light of new threats.

  6. Data input and output integrity routines (i.e., reconciliation and edit checks).

b) Resident shall ensure that a final security review (separate from penetration tests) is conducted as part of the release process to ensure there are no known security vulnerabilities.