STAR Dealer Data Security Guidelines 2016


Transcription of STAR Dealer Data Security Guidelines 2016

STAR Dealer Data Security Guidelines 2016: Industry Best Practices and Recommendations for Automotive Retail Data Security

Contents

1. STAR Dealer Data Security Standards
   Overview
   Disclaimer
2. STAGE I
   Security Policies
   Data Collection, Retention and Use
   Security Incident Response Plan
   Access Control
   Password Management
   Physical Security Controls
   Email Security
   Network Security
   Security Awareness Training
   Compliance with Federal Legislation: Gramm-Leach-Bliley Act/Safeguards Rule, PCI DSS
   Additional Resources
3. STAGE II
   Antivirus
   Patch Management
   Disaster Recovery
   Unified Threat Management (UTM)/Firewall/Intrusion Detection System (IDS)
   Security Information and Event Management (SIEM)
   Wireless Detection Systems

1. STAR Dealer Data Security Guidelines

Overview

The purpose of this document is to assist automotive retailers with implementing practical and effective data security controls that support industry best practices. The goal of this document is to provide the industry minimum security controls that should be adopted.

These range from simple process reviews to robust security information monitoring solutions. The approaches are broken into two stages. The first stage comprises simple actions, such as policies and procedures, that may be implemented with little to no expense. The second stage involves more complex safeguards, such as managed security solutions and technologies.

Disclaimer

Any company name, application, website link, or technology reference mentioned in this document should not be considered an endorsement by the OEMs or by STAR unless that endorsement is expressly stated. This document provides a guideline for dealers to establish sound data security practices. It is important to note that network infrastructure, dealer data, and system security are the dealership's responsibility. Third-party organizations such as service providers and partners may provide guidance and recommendations. Some organizations may provide software, hardware, or proprietary network elements to help streamline network operations and secure data.

However, these applications, recommendations, or tools are not a substitute for network management.

2. STAGE I

Security Policies

Implementing, maintaining and adhering to a security policy is an important first step in achieving effective data security. A security policy is a formal plan that addresses how security will be implemented within an organization. The policy should describe the approaches taken to ensure the confidentiality, integrity and availability of sensitive data and resources, including the physical environment, network infrastructure, applications and data (both physical and digital). An effective security policy should be tailored to the needs of the organization and identify what threats the business faces and how the business will handle them. A security policy facilitates proactive data security management by enabling the business to anticipate its threats and prepare accordingly, as opposed to responding to an incident after it has occurred. A security policy typically consists of several individual policies.

For instance, the following policies are commonly found within an organization's security policy:

- Acceptable Use Policy: outlines the acceptable use of the business's physical and digital resources
- Audit Policy: describes the requirements for risk assessments and audits of the business's information and resources
- Extranet Policy: defines the requirements for third parties that access the business's network
- Password Policy: provides the specific requirements for creating secure passwords and keeping passwords private
- Wireless Standards Policy: describes which wireless devices may connect to the business's network and how to use these devices safely

Aside from the examples listed above, there are other security policies and procedures an organization should consider implementing in order to safeguard data. More information on such policies may be found throughout this document. Additionally, the SANS Institute is a great resource for developing and implementing such policies and publishes a variety of sample security policy templates.

Data Collection, Retention and Use

As part of the security policy, the organization should also develop standards governing appropriate data collection, retention and use.

These standards should consider what information is collected, how long it is kept, how it is stored, who may access it and how access is achieved. Understanding these items, along with how data enters, moves through and exits the business, is essential to assessing and mitigating security vulnerabilities. These policies should take the following into consideration:

- Only collect data for which there is a legitimate need
- Retain information only as long as there is a legitimate business need
- Do not use sensitive information when it is not necessary
- Dispose of data properly and securely

Security Incident Response Plan

Taking steps to protect data can go a long way toward preventing a security breach. Nevertheless, breaches may happen. To minimize the effects of a breach, the security policy should contain an incident response plan. Below are steps that may be taken to reduce the impact on the business, employees and customers in the event of a security incident:

- Have a plan in place to respond to security incidents.

- Designate a senior staff member to coordinate and implement the response plan.
- If a computer is compromised, disconnect it from the network immediately, but leave it powered on so that evidence is preserved for investigation.
- Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to sensitive data and information.
- Consider whom to notify in the event of an incident, both inside and outside the organization. The following parties may need to be informed: consumers, law enforcement, customers, credit bureaus and other businesses that may be affected by the breach. Additionally, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. It may be beneficial to seek legal guidance in these situations.

Access Control

Access control is a security technique that refers to the process of regulating who and what has access to resources, objects or data. Access control can be both physical and logical. Physical access control limits access to buildings, rooms and physical IT assets.

Logical access control limits connections to computer networks, files and data. Retailers should put controls in place to ensure that employees and users have access to data and company resources on a need-to-know basis, meaning access to these resources should be given only if there is a business need. A documented process should be developed that ensures:

(1) appropriate access is granted to users based on job role or business need;
(2) access is revoked or modified whenever an employee departs the company or changes positions, with user rights updated in a timely manner; and
(3) access is reviewed periodically on a documented cadence (quarterly, semiannually or annually). This review, which is not prompted by an employee exit or transition, determines whether the level of access presently granted corresponds to the person's position in the business and whether any rights should be modified.

Password Management

Employees have multiple user IDs and passwords used to access the tools that support their job roles.

Implementing a password management policy is a significant piece of data security and access control. Such a policy may include the following:

- Specify password requirements, such as minimum password length, initial assignment, restricted words and format, and password life cycle, and include guidelines on suitable system and user password selection. The following is an example of such a requirement: expire every 60 days; 8-character minimum using 3 of the following 4 classes: (1) uppercase, (2) lowercase, (3) numeric and (4) special characters.
- Change all vendor-supplied default passwords before any information system is put into operation.
- Promptly change any password that is, or is suspected of being, compromised, or that has been disclosed to vendors for maintenance or support.
- Refrain from divulging passwords unless absolutely necessary (e.g., helpdesk assistance).
- Protect stored passwords: discourage employees from writing down access information and keeping it in plain sight of passersby (e.g., a username and password written on a post-it note near the workspace).
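The sample requirement above (8-character minimum, 3 of 4 character classes, 60-day expiry) and the bullets on vendor defaults and restricted words can be turned into a single check that a dealership runs when provisioning or reviewing accounts. The block below is an added example and is not code from the STAR guideline; the vendor-default and restricted-word lists are constructed for illustration and would be populated from the dealership's own asset inventory.

```python
"""Validate candidate passwords against the composition rule quoted above.

Added example, not part of the STAR guideline. It encodes the guideline's
sample rule (8-character minimum, at least 3 of 4 character classes, 60-day
expiry) plus two checks the surrounding bullets ask for: rejecting
vendor-supplied defaults and restricted words. The word lists are constructed
for illustration; a dealership would populate them from its own inventory.
"""
from datetime import date

MIN_LENGTH = 8
MIN_CLASSES = 3          # of the 4 classes: upper, lower, digit, special
MAX_AGE_DAYS = 60

# Constructed examples of vendor defaults seen on network gear and DMS
# accounts; the real list comes from the dealership's asset inventory.
VENDOR_DEFAULTS = {"admin", "password", "cisco", "dealer123"}
# Constructed restricted words (dealership and product names), lowercase.
RESTRICTED_WORDS = ("star", "dealer")


def character_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():   # any other printable character is "special"
            classes.add("special")
    return classes


def check_password(pw: str) -> list:
    """Return the list of rules pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(pw)
    if len(found) < MIN_CLASSES:
        problems.append(f"uses {len(found)} of 4 character classes, need {MIN_CLASSES}")
    lowered = pw.lower()
    if lowered in VENDOR_DEFAULTS:
        problems.append("matches a vendor default password")
    for word in RESTRICTED_WORDS:
        if word in lowered:
            problems.append(f"contains restricted word '{word}'")
    return problems


def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """True once a password is MAX_AGE_DAYS old or older (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("admin", "Dealer#2016", "Summer2016", "Pa55word!"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that a predictable password such as Summer2016 satisfies the composition rule as written; a composition check of this kind is only useful alongside a deny list of common and previously breached passwords, which the dealership's password policy should also specify.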

- Passwords should be encrypted when transmitted electronically.

Physical Security Controls

- Server/equipment rooms should be locked, and employee access should be limited to those who have a legitimate business need. Mechanisms should be in place to know if and when someone accesses the room.
- Require that files containing sensitive data and information be kept in locked file cabinets at all times, other than when an employee is working on the file.
- Remind employees not to leave sensitive documents or information out on desks when away from their workstations.
- Require employees to put files away, log off computers, and lock file cabinets and office doors at the end of the day.
- Implement appropriate access controls for your building.
- Tell employees what to do and whom to notify if an unfamiliar person is seen on the premises.
- If offsite storage facilities are maintained, limit employee access to those with a legitimate business need. Mechanisms should be in place to know if and when someone accesses the site.

- If devices that collect sensitive information are used, such as PIN pads, secure the equipment to reduce the risk of it being tampered with. Such equipment should also be secured to reduce the risk of an attacker swapping it for a dummy device.

Email Security

- Outbound email security: identify and respond to malware, inappropriate emails, unauthorized content, and company-private information before it leaves the network.
- Inbound email security: apply filters to stop malware, phishing, or malicious emails before they enter the network.
- Encryption: TLS email encryption is recommended in order to make it more difficult for third parties to read email in transit. TLS protects a message only hop by hop between mail servers; it does not protect messages at rest.

Network Security

Encryption and Segmentation of Business and Guest Wi-Fi Networks:

- Payment card information, customer information, dealership traffic, and customer traffic should be segmented via network segmentation (such as VLANs or a layer 2 switch) or a separate network (such as a dedicated circuit for guests) to ensure no communication can take place between the networks.
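The segmentation requirement above is only as good as its verification, since a VLAN or guest circuit configured on the switch can still leak through a misplaced route or firewall rule. The block below is an added example, not code from the STAR guideline: run from a laptop on the guest Wi-Fi, it attempts TCP connections to an inventory of business hosts and treats any answer as a finding. The addresses and ports are constructed placeholders, not real dealership systems. A connection that is refused is still a leak, because the business host received the packet and replied; only attempts that time out or fail to route satisfy the requirement that no communication can take place between the networks.

```python
"""Empirical check that the guest network is segmented from business systems.

Added example, not part of the STAR guideline. Run it from a host joined to
the guest Wi-Fi. A TCP connect that is refused counts as a finding, because
the business host saw the packet and answered; only attempts that time out
or fail to route are treated as properly segmented.
"""
import socket

# Constructed inventory of business/PCI hosts for illustration; these are
# placeholder RFC 1918 addresses, not real systems.
BUSINESS_TARGETS = [
    ("10.10.1.10", 445),   # file server (assumed)
    ("10.10.1.20", 3389),  # DMS workstation, RDP (assumed)
    ("10.10.2.5", 443),    # payment application (assumed)
]


def tcp_probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # timeout, no route, host unreachable
        return "filtered"


def check_segmentation(targets, probe=tcp_probe):
    """Probe every target from the guest network.

    Returns (segmented, findings): findings lists each (host, port, result)
    that was reachable in any way; segmented is True only if it is empty.
    The probe callable is injectable so the logic can be exercised offline.
    """
    findings = []
    for host, port in targets:
        result = probe(host, port)
        if result != "filtered":
            findings.append((host, port, result))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    segmented, findings = check_segmentation(BUSINESS_TARGETS)
    for host, port, result in findings:
        print(f"LEAK: {host}:{port} reachable from guest network ({result})")
    print("segmentation OK" if segmented else f"{len(findings)} leak(s) found")
```

Run the probe from each guest network (and in the reverse direction from the business network toward the guest range) after any switch or firewall change; a probe that suddenly reports "refused" where it used to time out is an early sign that routing between the segments has been opened.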

