FOS Data Hosting Technical and Organizational Measures

Last Updated: April 15, 2024

FOS Data Hosting is responsible for the security measures set out in the Agreement and, in addition, will maintain and implement the following technical and organizational measures concerning the security of the Customer Configuration.

  1. Physical Security.

Reference – Physical Security – Control Description

A.1. Policy

FOS Data Hosting will maintain a formal physical and environmental security program for any FOS Data Hosting operated facilities used to perform the Services.

A.2. Access

Visitors to FOS Data Hosting facilities used to perform the Services will be required to check in with reception/security before being granted access to FOS Data Hosting facilities. The visitor log will be compiled and reviewed in the event of an incident. Visitors without a government-issued ID will be denied access to FOS Data Hosting facilities used to perform the Services. Visitor badges are used to identify visitors at FOS Data Hosting facilities.

A.3. Security

Controlled building access and secure access to specific areas of FOS Data Hosting operated facilities used to perform the Services will be enforced through the administration of proximity-based access cards and biometric hand scanners or other approved security authentication methods. FOS Data Hosting will use proximity cards at its facilities used to provide Services to secure access to buildings and sensitive areas appropriately. Physical access is disabled within the timeframe specified by a maintained access termination standard when physical access is no longer needed due to termination of employment or Services. To effectively manage physical security incidents, an incident response process has been instituted to respond to and document physical security incidents at FOS Data Hosting operated facilities used to perform the Services.

  2. System Security.
    • Access Controls.

Reference – Access Controls – Control Description

B.1.1. Access & Bastions

For Hosted Systems: FOS Data Hosting’s access to the Customer Hosted System and Customer VLANs will occur through dedicated bastion servers designed for this purpose, and FOS Data Hosting employees will authenticate with the bastion server using a dedicated user ID (including the assigned corporate SSO credential) and a two-factor authentication mechanism.

For Customer Configurations other than Hosted Systems: FOS Data Hosting’s access to the control panel permitting access to the Customer Configuration will require two-factor authentication, will be managed through FOS Data Hosting’s LDAP Active Directory group, and will be limited to support personnel and those ancillary services teams at FOS Data Hosting who require that access to provide or support the Services. Network security group rules are maintained on the Customer Configuration subnets to allow access over established RDP and SSH ports for remote administration. In addition, the Customer Configuration bastion subnet is locked down to only allow remote access from the FOS Data Hosting Support Bastions. FOS Data Hosting manages and leverages local server users, tied back to established corporate identities. Server authentication requests are directed to a known FOS Data Hosting ADFS endpoint for dual-factor authentication. As part of the user authentication flow, local user accounts are only enabled when an authenticated access request is granted and are constrained to the requested device. The FOS Data Hosting support team maintains a list of approved technicians who can execute the user access workflow.

B.1.2. Access Review

FOS Data Hosting will maintain a formal program to review access to the Customer Configuration by any FOS Data Hosting employee (“Access Review Program”). This does not include additional logging at the server, device, or instance level (which a customer can enable at their option or request assistance with as part of the Services). The Access Review Program is designed to ensure that no active IDs or accounts exist that are not linked to one or more FOS Data Hosting Personnel; that IDs or accounts for terminated FOS Data Hosting Personnel are deleted as appropriate; and that FOS Data Hosting is complying with its access provisioning process.

B.1.3. Remote Access

FOS Data Hosting personnel may use a Virtual Private Network (VPN) utilizing two-factor authentication (RSA token and password) to connect remotely to FOS Data Hosting networks. Once inside the FOS Data Hosting network, support staff members are required to go through a second level of authentication through the FOS Data Hosting Support Bastion/jump hosts/gateway servers to access Customer Configurations.

B.1.4. Password Policy

FOS Data Hosting will maintain a formal policy concerning the requirements for password and authentication regarding FOS Data Hosting’s access to Customer Configurations and the FOS Data Hosting Shared Infrastructure (“Password Policy”). The Password Policy will provide for a secure method of assigning and selecting passwords or require the use of unique identifier technologies (e.g., biometrics or token devices); require control of data security passwords to ensure that those passwords are kept in a location or format that does not compromise the security of the data they protect; require FOS Data Hosting to prevent or limit users from further access after a number of unsuccessful attempts to gain access; ensure that access to each user account relating to the FOS Data Hosting Shared Infrastructure meets: (a) the authentication requirements set out in the Agreement and (b) if and to the extent not otherwise set out in the Agreement, industry standards (two-factor authentication when accessing FOS Data Hosting Shared Infrastructure from the Internet); and ensure that all FOS Data Hosting managed computing devices will be configured to lock (i.e., prevent access to the computing device) after a period of inactivity (which period of inactivity will be no longer than 15 minutes or the applicable period set out in the Agreement), requiring users of the applicable computing device to enter their credentials to regain access to the computing device.

B.1.5. Encryption or Pseudonymization

Customer may employ encryption of data stored within the Customer Configuration by electing to purchase or use capabilities provided by FOS Data Hosting or otherwise obtained by Customer from nonparties.

    • Vulnerability Assessments.

Reference – Vulnerability Assessments – Control Description

B.2.1. Customer Testing

Subject to FOS Data Hosting’s written consent (for Hosted Systems) or agreement of any applicable Third-Party Cloud provider (for Third-Party Cloud infrastructure), Customer may perform network and application security scans that test the Customer Configuration for one or more of the following: (a) security vulnerabilities, (b) denial of service vulnerabilities, (c) system access, and (d) other intrusive activities including password cracking. Unless identified in the Service Order, the Services do not include support for those activities. If, as a result of those activities, Customer identifies any vulnerabilities on the FOS Data Hosting Shared Infrastructure, FOS Data Hosting will correct any discovered vulnerabilities on FOS Data Hosting Shared Infrastructure within a reasonable timeframe or as otherwise required by the Agreement.

B.2.2. Monitoring, AoC

FOS Data Hosting will perform ongoing monitoring and testing of the FOS Data Hosting Shared Infrastructure (to include vulnerability scanning, scheduled penetration testing, and maintenance) under applicable PCI standards and applicable FOS Data Hosting Policies and Standards (“Vulnerability Assessments”). FOS Data Hosting will make available its Attestation of Compliance to Customer on an annual basis.

    • System Defense.

Reference – System Defense – Control Description

B.3.1. General

FOS Data Hosting will: (a) use reasonable, current security measures (including IDS/IPS, virus and malware scanning, and cryptographic and key management processes) designed to protect the FOS Data Hosting Shared Infrastructure; (b) secure web servers used by FOS Data Hosting to provide the Services and the FOS Data Hosting customer portal to reduce the risk of infiltration, access penetration by, or exposure to, a nonparty by (i) protecting against intrusions, (ii) securing those servers, and (iii) protecting against intrusions of operating system software, in each case under the FOS Data Hosting Policies and Standards; (c) maintain patching practices for FOS Data Hosting Shared Infrastructure under the FOS Data Hosting Policies and Standards; and (d) maintain current firewalls around the FOS Data Hosting Shared Infrastructure and provide general maintenance and monitoring of those firewalls and active 24/7 monitoring of those firewalls to identify attempted unauthorized access to the FOS Data Hosting Shared Infrastructure.

B.3.2. DDoS Mitigation

FOS Data Hosting will use several tools to detect and trace network-wide anomalies, including denial-of-service (DoS) attacks and worms against the FOS Data Hosting Shared Infrastructure. Access control lists (ACLs) are used on Internet edge routers to mitigate distributed denial of service (DDoS) attacks against the FOS Data Hosting Shared Infrastructure. Through network-wide, router-based sampling, FOS Data Hosting will evaluate existing and potential threats by aggregating traffic from across the FOS Data Hosting Shared Infrastructure. To help maintain the integrity of the FOS Data Hosting Shared Infrastructure and prevent disruption to support operations, FOS Data Hosting will continuously monitor connectivity and performance for multiple bandwidth providers, including routers and switches. FOS Data Hosting will use fully redundant routing and switching equipment for its core networking infrastructure elements of the FOS Data Hosting Shared Infrastructure.

B.3.3. Separation

FOS Data Hosting will use logically separate networks (VLANs) for internal traffic, administering customer environments from specified networks within the FOS Data Hosting Shared Infrastructure.

B.3.4. Role-Based Access Controls

FOS Data Hosting will secure access to core networking infrastructure elements of the FOS Data Hosting Shared Infrastructure using the inherent access control functionality in TACACS+/ACS software (or equivalent). Administrator access to network devices supporting FOS Data Hosting Shared Infrastructure is limited to authorized FOS Data Hosting Personnel. New administrator access to network devices supporting FOS Data Hosting infrastructure is granted through a maintained new user creation process. Access is role-based, and deviations require managerial approval. TACACS+/ACS (or equivalent) access lists are reviewed periodically to verify that those users on the list still require access to network devices. Any discrepancies found are corrected.

B.3.5. Security Services

FOS Data Hosting will provide a firewall, IDS, and any other security devices in Customer’s dedicated Hosted System only if Customer purchases those devices and then under the applicable Product Terms for those devices.

B.3.6. FOS Data Hosting Support Bastion Security

FOS Data Hosting will maintain a formal program to ensure that the FOS Data Hosting Support Bastions used to access the Customer Configuration have malicious software protections in place, are maintained in good technical working order, are regularly scanned for vulnerabilities, and are patched with the latest applicable software updates.

B.3.7. Policy, Demarcation

FOS Data Hosting will maintain a formal program for securing access to the FOS Data Hosting Shared Infrastructure and ensure that all access points and boundaries to FOS Data Hosting’s network are clearly documented and that protections against unauthorized access are implemented.

  3. Incident Response.

Reference – Incident Response – Control Description

C.1. Notification

FOS Data Hosting will report to Customer, as soon as reasonably practicable, in writing and in accordance with law, any material breach of the Customer Configuration security that results in unauthorized access to Customer Data resulting in the destruction, loss, unauthorized disclosure, or alteration of Customer Data of which FOS Data Hosting becomes aware. On request, FOS Data Hosting will promptly provide to Customer all relevant information and documentation that FOS Data Hosting has available regarding the Customer Configuration for any security incident. FOS Data Hosting is not obligated to notify Customer of routine security alerts concerning the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) except as otherwise specifically set out in the Agreement. FOS Data Hosting will follow standard incident procedures defined in FOS Data Hosting’s Policies and Standards.

C.2. Policy

FOS Data Hosting responds to security incidents identified on the FOS Data Hosting Shared Infrastructure with a defined process to rate and remediate those incidents within reasonable timeframes depending on the severity of the incident, and maintains a documented process to report, evaluate, and respond to security incidents (“Management of Information Security Incidents Policy”).

  4. Personnel Controls.

Reference – Personnel Controls – Control Description

D.1. Screening

FOS Data Hosting will screen individuals with access to organizational information systems when the role or position of those individuals with FOS Data Hosting provides access to Customer Data and as otherwise required by the Agreement. FOS Data Hosting will conduct the appropriate level of background screening required by ISO/PCI DSS, as applicable to FOS Data Hosting. FOS Data Hosting will maintain documentation that validates that FOS Data Hosting has completed the appropriate level of screening requirements. FOS Data Hosting will maintain and follow a written procedure for how FOS Data Hosting will comply with the screening requirements, which will be available for review by Customer on request.

D.2. Removal

If an employee satisfies the screening requirements, but FOS Data Hosting later becomes aware of any information that would result in an employee failing any of the screening requirements, FOS Data Hosting will promptly suspend or remove the employee’s access to Customer Data and prohibit the employee from performing any Services for Customer involving access to Customer Data in accordance with any requirements under the Agreement.

D.3. Policy

FOS Data Hosting will maintain documented and monitored procedures that define appropriate IT security-related roles and responsibilities for FOS Data Hosting Personnel; ensure that FOS Data Hosting Personnel have access only to the systems they have a business need and authorization to use; prohibit the copying of Customer Data to any portable physical device of any kind for access of Sensitive Data outside of a FOS Data Hosting controlled access facility; identify an owner for critical systems and responsibilities for key tasks and assign those tasks to individuals capable of performing them as they relate to the FOS Data Hosting Shared Infrastructure; include security responsibilities and confidentiality provisions within FOS Data Hosting employees’ terms of employment; retain documentation of security awareness training, confirming the completion of this training for each member of FOS Data Hosting Personnel engaged in providing the Services requiring access to Customer Data; control the creation, change, and termination of FOS Data Hosting Personnel user accounts; and maintain a disciplinary process for policy violations.

D.4. Awareness

As part of implementing and providing ongoing support for information security policies, all FOS Data Hosting Personnel are required to participate in training and awareness sessions that reinforce the importance of security within FOS Data Hosting’s organization. FOS Data Hosting will maintain an ongoing security awareness program for employees to provide updated guidance and practice information on (a) securing data and assets and (b) threat reports. FOS Data Hosting will release regular notifications to employees focusing on prominent security issues.

D.5. Competence

FOS Data Hosting will maintain 24/7 staffing to support FOS Data Hosting Shared Infrastructure systems critical to FOS Data Hosting’s performance of the Services under the Agreement, including staffing support and data center operations teams with technicians certified in various areas of expertise.

D.6. Hiring

FOS Data Hosting will base hiring decisions on factors relevant to the performance of FOS Data Hosting’s obligations under its customer agreements, including evaluating educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior.

  5. Data Center Controls – FOS Data Hosting Shared Infrastructure.

Reference – Data Center Controls – Control Description

E.1. Environmental Controls

FOS Data Hosting Shared Infrastructure data center facilities are equipped with redundant HVAC units to maintain consistent temperature and humidity levels. FOS Data Hosting Shared Infrastructure HVAC systems are inspected regularly, and air filters are changed as needed. Redundant lines of communication exist within the FOS Data Hosting Shared Infrastructure to telecommunication providers, providing FOS Data Hosting customers with failover communication paths in the event of a data communications interruption. FOS Data Hosting Shared Infrastructure data centers are equipped with sensors to detect environmental hazards, including smoke detectors and floor water detectors. FOS Data Hosting Shared Infrastructure data centers are also equipped with raised flooring to protect hardware and communications equipment from water damage. FOS Data Hosting Shared Infrastructure data centers are equipped with fire detection and suppression systems and fire extinguishers. Fire detection systems, sprinkler systems, and chemical fire extinguishers in the FOS Data Hosting Shared Infrastructure are inspected annually. FOS Data Hosting Shared Infrastructure data center facilities are equipped with uninterruptible power supplies (UPS) to mitigate the risk of short-term utility power failures and fluctuations. The FOS Data Hosting Shared Infrastructure UPS power subsystem is at least N+1 redundant with instantaneous failover in the event of a primary UPS failure. The FOS Data Hosting Shared Infrastructure UPS systems are inspected or serviced or both at least annually. FOS Data Hosting Shared Infrastructure data center facilities are equipped with diesel generators to mitigate the risk of long-term utility power failures and fluctuations. FOS Data Hosting Shared Infrastructure generators are tested at least every 120 days internally and tested at least annually by a third-party contractor to maintain proper operability in the event of an emergency.

E.2. Physical Controls

FOS Data Hosting Personnel are on duty at FOS Data Hosting operated data center facilities 24 hours a day, seven days a week. FOS Data Hosting Personnel are required to display their identity badges at all times when onsite at FOS Data Hosting facilities. Two-factor authentication is used to gain access to the server room floors of FOS Data Hosting Shared Infrastructure. Electromechanical locks within FOS Data Hosting Shared Infrastructure are controlled by biometric authentication (e.g., biometric scanner) and keycard/badge. Only authorized personnel have access to FOS Data Hosting operated data center facilities. Closed-circuit video surveillance has been installed at entrance points on the interior and exterior of the buildings housing FOS Data Hosting operated data centers and is monitored by authorized personnel. The CCTV retention period is at least 90 days.

  6. Media Protection – Hosted Systems.

Reference – Media Protection – Control Description

F.1. Single-Pass

FOS Data Hosting will zero-fill (meaning to format the hard disk drive by filling available sectors with zeroes) any hard disk drive dedicated to Customer’s use as part of a Hosted System before re-using the hard disk drive in an FOS Data Hosting data center.

F.2. Physical Destruction

On Customer’s written request, FOS Data Hosting will destroy (by hole punch, degaussing, or other mechanisms) any media dedicated to Customer’s use as part of a Hosted System, and FOS Data Hosting will provide documentation or certification to Customer of that destruction. FOS Data Hosting may charge Customer a fee for those Services at its then-current rates as applicable.

F.3. Multi-Pass

Customer may designate the hard drives dedicated to Customer’s use as part of a Hosted System as requiring a three-pass wipe (on failure as possible, or on replacement or cancellation) on written notice to the FOS Data Hosting account manager. FOS Data Hosting will perform a three-pass wipe on that media on a failure, replacement, or cancellation event, and Customer will reimburse FOS Data Hosting at FOS Data Hosting’s then-current rates for those Services.

F.4. Geographic

F.5. Control

Except in the case of a consolidation of FOS Data Hosting data center facilities or as otherwise specifically stated in the Agreement, FOS Data Hosting will not relocate the Customer’s Hosted System from a FOS Data Hosting data center in one country to another without Customer’s express written permission. The parties acknowledge that off-site backup involves transporting encrypted media containing Customer Data to a third-party site.

  7. Risk Assessment Controls.

Reference – Risk Assessment Controls – Control Description

G.1. Policy

FOS Data Hosting will incorporate risk management throughout its business operations. FOS Data Hosting will conduct internal information security risk assessments regarding FOS Data Hosting Shared Infrastructure.

G.2. Oversight

FOS Data Hosting will manage identified risks to the FOS Data Hosting Shared Infrastructure on an ongoing basis through formal project management processes, provide an overall strategic plan, and operationalize that plan.

G.3. Review

FOS Data Hosting will assign managerial and supervisory personnel to be responsible for monitoring the quality of internal FOS Data Hosting Shared Infrastructure security control performance as a routine part of their job responsibilities. FOS Data Hosting’s management will review key reports to verify appropriate actions have been taken.

G.4. Assessments

FOS Data Hosting will undertake security risk assessments per the FOS Data Hosting Policies and Standards regarding FOS Data Hosting Shared Infrastructure and FOS Data Hosting corporate networks. The risk assessment includes: (a) identifying and assessing reasonably foreseeable internal and external threats and risks to the privacy, confidentiality, security, integrity, and availability of personal information; (b) assessing the likelihood of, and potential damage that can be caused by, identified threats and risks; (c) assessing the adequacy of and compliance with personnel training concerning FOS Data Hosting’s information security program; (d) assessing the adequacy of service provider arrangements; (e) adjusting and updating FOS Data Hosting’s information systems and information security program to limit and mitigate identified threats and risks and to address material changes in relevant technology, business practices, personal information practices, and sensitivity of personal information that FOS Data Hosting processes; and (f) assessing whether FOS Data Hosting’s information security program is operating in a manner reasonably calculated to prevent and mitigate information security incidents.

  8. Change & Configuration Management Controls.

Reference – Change & Configuration Management Controls – Control Description

H.1. Process

FOS Data Hosting will cooperate in good faith with Customer to create a run book or account management guidelines (“Run Book”), which will contain the controls applicable to system or network changes and detail the system or change management process as agreed on with Customer. FOS Data Hosting will provide Customer with a mechanism to apply patches to the Hosted System and apply patches at Customer’s request, as stipulated in the Run Book.

H.2. Run Book

FOS Data Hosting will make the Run Book and any attendant documentation available to Customer promptly on Customer’s request, will update the Run Book with any reasonable process management controls for the Customer Configuration requested by Customer, and will otherwise cooperate with Customer in good faith to review or implement those system/network change management processes for the Customer Configuration as Customer requests.

H.3. Windows

FOS Data Hosting will maintain change windows for implementing or completing system/network changes to the Customer Configuration that comply with any change window requirements in the Agreement.

H.4. Approval, History

Customer is required to approve material changes to be made by FOS Data Hosting to the Customer Configuration before the change is implemented, except in the cases of predefined proactive FOS Data Hosting Shared Infrastructure maintenance, urgent security patches and fixes, downtime events where Customer cannot be reached (or has provided prior approval for action), and emergency maintenance (in which case FOS Data Hosting will provide Customer with reasonable notice of that change activity). The ticket history associated with the FOS Data Hosting account will be available for review through the FOS Data Hosting customer portal, thus providing a history of changes to the Customer Configuration performed by the FOS Data Hosting support team.

  9. Business Continuity Planning.

Reference – Business Continuity Planning – Control Description

I.1. Policy

FOS Data Hosting maintains an Information Security Aspects of Business Continuity Policy that includes defined requirements for information security and continuity of information security management for FOS Data Hosting Shared Infrastructure during FOS Data Hosting business recovery events; a defined management structure to prepare for, mitigate, and respond to a FOS Data Hosting business recovery event involving FOS Data Hosting Shared Infrastructure using personnel with the necessary authority, experience, and competence; and regular verification, review, and testing of defined information security continuity controls related to the FOS Data Hosting Shared Infrastructure.

I.2. BCP

FOS Data Hosting maintains an internal business continuity plan designed to permit FOS Data Hosting to resume its business operations after an interruption (“Business Continuity Plan”). This Business Continuity Plan does not cover the Customer Configuration directly (it is no substitute for redundancy or data backup, and in no way guarantees the restoration of the Customer Configuration or any Customer Data in the event of a severe business interruption).


© 2026 FOS Data Hosting LLC. All Rights Reserved