Introduction and Scope
The Harte Hanks Supplier Security Policy represents the base security requirements associated with providing services to Harte Hanks that comply with a variety of privacy, information security and regulatory obligations. Whether imposed through the products and services Harte Hanks offers, or indirectly through contractual agreements of Harte Hanks Clients, the Supplier Security Policy represents the summary guidelines and requirements applicable to all:
- types of information, whether received or created,
- personnel, contractors, temporary employees and all other representatives,
- businesses and locations, and
- networks and systems.
Adherence to the Supplier Security Policy is a condition of providing services to Harte Hanks. Violations of this policy are subject to corrective actions as defined in the contractual agreement with Harte Hanks.
It is vitally important that each Supplier supporting Harte Hanks read and understand this document thoroughly and follow the policies and procedures herein.
SS 100-01: Physical Security Requirements
Facilities that house Harte Hanks information and infrastructure must be secured. Supplier must take precautions to protect these facilities and the information contained therein.
- Supplier must follow all applicable policies regarding physical access to facilities supporting Harte Hanks. (B.1.8)
- Physical Access Management
  - Supplier must follow a documented process for granting building access credentials, such as keys, access cards, and combinations, based upon justified business needs. (B.1.8)
  - Requests for privileges into controlled-access areas within the facility must be made in writing or through an approved electronic system. (B.1.8)
  - General facility access must be reviewed on an annual basis to confirm each individual's continued need for access. (B.1.33)
- Controlled-Access Doorways:
  - Personnel must not follow others through controlled-access doorways. Proper physical authentication must take place, such as through the use of a badge or key fob, for each person passing through the doorway. (B.1.8)
  - Visitors to Supplier facilities must be approved and escorted at all times by Supplier staff. (F.1.3)
  - Doors to secure offices, labs or facilities must be secured at all times. (F.1.2)
  - ID badges must be displayed and clearly visible at all times, including those provisioned to visitors (temporary personnel, contractors, agents and consultants). (F.1.3.4)
  - Visitors must sign in, or otherwise have their visit logged, and have their identity verified. (F.1.3.1, F.1.3.2)
- Secure Environment Data Centers and Computer Rooms
  - Provisioned access into controlled-access areas within the facility must be reviewed on a quarterly basis. (F.2.24.2)
  - Maintain environmental conditions in a manner sufficient for the safety of the staff, as well as the operation of all equipment. (F.1.2.18)
  - Personnel must secure doors or entryways immediately after passing between non-secure and secure environments. (F.1.2.8)
  - Only authorized individuals may enter secure areas; personnel must not permit individuals without authorization to gain access. (F.2.13)
SS 100-02: Personal Computers and Laptops
Computer workstations and laptops are provided to fulfill job functions. Personnel who have been given access to Supplier workstations and laptops are given this access on the condition that they adhere to workstation usage policies. Computer workstations and laptops are the property of Supplier and fall under all applicable policies. All personnel are required to follow these guidelines.
- All computer-related devices must be ordered in accordance with Supplier policies. (D.1)
- Equipment moves and changes must be carried out in accordance with Supplier policies. (B.1.10, F.2.18)
- Only authorized Supplier representatives may perform hardware and software installs, upgrades, moves and configuration. (G.20.11)
- No personnel shall share, or otherwise disclose, their password with other parties, including technology staff. Passwords which have been disclosed must be immediately changed or reset. (H.4.1.1, H.4.1.10)
- No personnel shall leave a device or asset logged in and the screen unlocked when left unattended. (H.4.1.7-9)
- Use of employee-owned personal computing devices to access the Harte Hanks Network is not permitted without prior approval. (G.20.10)
SS 100-03: Virus Protection
All Supplier computer devices have virus and malware protection software installed, when applicable. This software has been configured to identify and download any new signatures or database files and perform a system scan at least once a week. This is an automated process and must not be tampered with or disabled. This policy applies to all Supplier personnel and systems.
- All systems commonly affected by viruses must have active and current virus scanning software. (G.7)
- Personnel who believe that they have received a virus via any means must immediately contact Supplier help desk or technology support team. (J.220.127.116.11)
- Systems running an e-mail server that can receive mail from the Internet or from sources external to Supplier must scan messages and attachments prior to delivery. (G.12.11)
- Virus software must check for updates of current virus pattern or signature files on a daily basis. (G.7.1.2)
- If updates are available, they must be loaded automatically on a daily basis. (G.7.1.2)
- Audits of servers, desktops, workstations and laptops must be performed at least monthly to confirm that virus protection is enabled, operational and using up-to-date pattern or signature files. (C.1.2)
- Upon virus detection that is not automatically resolved by antivirus software the machine(s) must be removed from the network immediately and cleaned or reimaged before being placed back into service. (J.1.2.7)
SS 100-04: Passwords
Access to computer systems and networks may be controlled by password access, and such passwords secure Confidential Information. Any personnel that obtain a password or ID for a Harte Hanks, Client or Supplier resource must keep that password confidential. This policy applies to all Supplier personnel and systems.
- Passwords are not to be written down and displayed in public viewable locations. (H.4.1.2)
- Passwords are not to be disclosed to anyone, under any circumstances, except that a password established at the time a new account is created may be provided to the account holder, in which case it must be changed at the time of its first use. (H.4.1, H.4.10)
- Initial passwords are required to be changed upon first login. (G.14.17)
- Passwords must be changed every 90 days or sooner if prompted by the system or required by local rules and regulations. (G.14.15)
- All passwords must be a minimum of eight (8) characters in length and must contain both alpha and numeric characters. (G.14.13)
- Strong password guidelines: (Definition Strong Password)
  - Passwords must not be in the form of dictionary words, in English or any other language. (G.14.14)
  - Passwords must contain both upper and lower case letters and special characters whenever possible. (G.14.14)
  - Passwords must not be reused for at least twelve (12) change cycles. (G.14.16)
- Passwords must never be communicated in the same transmission as other information, such as User ID required for log-in. (H.4.4)
- Password associated with SPI processes must never be stored in conjunction with the encrypted or hashed SPI. (H.4.3)
- A minimum of three consecutive failed login attempts must result in the account being locked for at least 30 minutes. (G.18.17, G.14.22, G.15.20, G.16.22, G.17.20)
- Password reset requests performed by the help desk require multiple factors to identify the individual before the reset is performed. (H.4.7)
- Personnel initiated password changes require authentication prior to changing the password. (H.4.7, H.4.9)
- Passwords must not be visible on-screen while entry is taking place. (G.16.20, G.17.18, G.18.15)
- Passwords must not be visible in system logs or debug windows. (H.4.1.2)
- Where SNMP is used, the community strings must be defined as something other than public, private, system or other manufacturer defaults and must be different from the passwords used to log in interactively. (H.4.8)
- All system-level passwords, such as root, enable, Windows administration, application administration accounts and database administration, must meet the above requirements as well as the following:
  - The passwords must be changed on at least a quarterly basis. (G.14.15, G.15.12)
  - Default manufacturer passwords must be changed from the delivered default values prior to implementation. (H.4.8, G.9.1)
  - System-level passwords must be changed immediately when anyone with access to the account or password changes job function such that access is no longer required, or is terminated. (H.4.1.3)
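The rules above (minimum length, mixed character classes, no dictionary words, twelve-cycle reuse history, lockout after three failures for 30 minutes) are mechanical enough to enforce in code. The following is an added example written for this page, not Harte Hanks' or any Supplier's code. It assumes a small constructed word list as a stand-in for a real dictionary, keeps password history as salted PBKDF2 hashes, and takes time as epoch seconds so the lockout logic can be exercised without a clock.

```python
"""Password-policy checks modelled on the SS 100-04 rules (added example).

Assumptions not taken from the policy text: the word list is a constructed
stand-in for a real dictionary, history is stored as salted PBKDF2 hashes, and
time is passed in as epoch seconds.
"""
import hashlib
import os
import string

DICTIONARY = {"password", "welcome", "summer", "letmein", "company"}  # constructed stand-in
MIN_LENGTH = 8               # G.14.13
HISTORY_DEPTH = 12           # G.14.16: no reuse within twelve change cycles
MAX_FAILED_ATTEMPTS = 3      # G.14.22: lock after three consecutive failures
LOCKOUT_SECONDS = 30 * 60    # G.14.22: locked for at least 30 minutes
PBKDF2_ROUNDS = 50_000       # assumption; tune to the hashing budget


def check_password(candidate: str) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (G.14.13)")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits (G.14.13)")
    # Compare only the letters, so 'Password1!' is still caught as the word 'password'.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word (G.14.14)")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("mix upper and lower case (G.14.14)")
    if not any(c in string.punctuation for c in candidate):
        problems.append("add a special character (G.14.14)")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Holds the last HISTORY_DEPTH salted hashes so a reused password is refused."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []   # (salt, derived key)

    def was_used(self, password: str) -> bool:
        return any(_derive(password, salt) == key for salt, key in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _derive(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]   # keep only the last twelve


class LockoutTracker:
    """Locks an account for LOCKOUT_SECONDS after MAX_FAILED_ATTEMPTS consecutive failures."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset the counter
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Count one failed login; return True if the account is now locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Password1!", "Ab1!"):
        print(pw, "->", check_password(pw) or "ok")
```

The history check hashes the candidate against each stored salt rather than storing a reusable hash, so the history file itself is not a shortcut for guessing old passwords; the lockout counter is only cleared by a successful login or by the lockout window expiring.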
SS 200-01: Internet Access
Supplier may provide Internet access to those personnel who have a business need. Given the diverse nature of the material on the Internet, it is necessary to govern personnel access to the Internet. This policy applies to all Supplier personnel and systems.
- Personnel must not tamper with, attempt to change or disable any Internet access device or software in order to avoid or circumvent any filtering or proxy device. (G.9.6.1, G.9.6.2)
- No personnel shall knowingly download from the Internet any material that may be deemed racist, sexist, defamatory, obscene, pornographic or illegal. (G.9.12)
- Supplier must use tools to block access to inappropriate websites and identify inappropriate materials. (G.9.12)
SS 200-02: Information Security
Information that is maintained may include information regarding clients, client customers, third parties and Harte Hanks. These procedures must be followed to maintain the appropriate level of security for different types of information. In many instances information may be regulated by specific contracts requiring measures above and beyond these minimum guidelines. Personnel working with customer information must be made aware of any specific contractual agreements. This policy applies to all Supplier personnel and systems.
- Each Supplier must have a documented Information Security program in place within their organization.
- Recipient shall, upon request, provide a system architecture diagram, a data flow diagram demonstrating the flow of information through the Supplier environment, and descriptions of the technical and physical safeguards designed to protect Harte Hanks and/or Client information.
- Each Supplier must designate an employee to support Information Security program within their organization.
- Supplier must evaluate and adjust, at least on an annual basis, the Information Security program in light of the results of testing and monitoring efforts required by paragraph, material changes to operations or business arrangements or other circumstances known, or should have been reasonably known, to have a material impact to the Information Security Program.
- Supplier must notify Harte Hanks of any planned system configuration changes or other changes affecting the Information Security program. No such change, which could reasonably be expected to have a material adverse impact on the security and protection of Harte Hanks Data, may be implemented without the prior written consent of a Harte Hanks security representative.
- Suppliers accepting information from Harte Hanks must perform a risk assessment, at least annually, to determine the value and sensitivity of the information received and the level of protection afforded. Factors to be considered during the risk assessment include:
  - Type of information supported (Confidential, Personally Identifiable Information (PII) and Sensitive Personal Information (SPI)).
  - Legal obligations associated with the type of information supported.
  - Impact on the interests of the company and Harte Hanks, including competitiveness and business growth, in the event of loss or disclosure of the information.
  - Impact on the ability of the company or Harte Hanks to comply with laws and regulations, in the event of misuse, loss or disclosure of the information.
  - Impact on contractual obligations between the company and Harte Hanks, in the event of misuse, loss or disclosure of the information.
  - Impact on the integrity of and the public trust in the company and Harte Hanks, in the event of misuse, loss or disclosure of the information.
- At Harte Hanks request, Supplier shall meet with the Harte Hanks Information Security team to discuss information security issues in much greater detail at times reasonably requested by Harte Hanks and at mutually agreeable locations.
- Use information only for expressed business objectives, as identified in the relevant privacy policies, and in accordance with the implicit or explicit consent provided by individuals. (P.17)
- Information collection methods must ensure that the information is obtained fairly, without intimidation or deception, and lawfully to adhere to all relevant rules, legal statutes, or common law. (P.7, P.7.1, P.7.2)
- Provision access to information such that access is limited to only those individuals with a justified business need. (D.2.2.2)
- Disclose information only to those third parties who are contractually bound to protect information in a manner consistent with the applicable privacy policies, to limit the use of the information to the expressed purposes, and to act in accordance with the implicit or explicit consent provided by individuals, unless a law or regulation specifically allows or requires otherwise. (P.12, P.12.1, P.12.2)
- Retain information for no longer than necessary to fulfill the stated business objectives, unless a law, regulation, or contractual agreement specifically requires otherwise. (D.2.2.9)
- Dispose information securely after it is no longer required, in accordance with type of information being destroyed, and in such a manner that prevents loss, reconstitution of the information, misuse, or unauthorized access. (D.2.2.10)
- Information must be protected and secured during any electronic transmission or physical media transfer in accordance with the type of the information being transferred. (D.2.2.13)
- Employees, temporary employees and contractors must be educated and trained on the proper use of the computer security system and the importance of information security.
  - Security and privacy training must be provided upon hire and is required annually thereafter.
  - Training must include a testing component to demonstrate comprehension of the training provided.
- Supplier shall allow Harte Hanks and/or its Clients, as applicable, to inspect the physical system equipment, operational environment and data handling procedures with reasonable prior notice.
- The following requirements apply to storage of Confidential Information and PII:
  - Information stored on computers must be protected with password controls at the system level and network access level. (B.1.12)
  - Approved cryptographic protection is encouraged for PII and Confidential Information. (I.6.2)
  - Appropriate physical protection of the computer and storage media must be in place. (D.2.2.4, D.2.2.7)
  - Information stored on removable storage devices, e.g., floppy disks, ZIP disks, USB tokens/pens, must be encrypted using approved encryption techniques. (G.11.2)
  - Information stored on removable storage devices for the purposes of off-site retention must be stored in a secured storage facility, via contractual obligations, such that the appropriate security and environmental controls are implemented to effectively protect the privacy and security of the information. (Documentation: Offsite Storage Policy and Procedures)
Additional requirements for the treatment of Sensitive Personal Information (or SPI)
- Any loss or unauthorized disclosure of information must be promptly reported in accordance with the SS 200-04: Security Incident Response.
- SPI which has been encrypted, hashed or de-identified shall no longer be considered SPI, provided that: (Additional Questions)
  - the SPI cannot be readily decrypted, and (Additional Questions)
  - decryption keys are not stored along with the information. (Additional Questions)
- SPI may only be transferred between the parties deemed critical to the Services; described within the Agreements between the parties. (Additional Questions)
- Unprotected, unscheduled, or e-mail transmissions of SPI are expressly prohibited. (Additional Questions)
- SPI must not be transferred outside the country of origin, or the country from which it was collected, unless expressly granted by the Agreements between the parties. (Additional Questions)
- Cryptographic protection, as agreed to by the parties, MUST secure SPI at the file (or field) level prior to transmitting information from one location to another; regardless of the physical or electronic nature of the transmission. (Additional Questions)
- Electronic transmissions of SPI must also utilize protected transmission mechanisms as agreed to by the parties, and SPI must not reside on transfer servers for longer than four (4) hours after such a transfer. (Additional Questions)
- Physical transfers of SPI must utilize couriers with systems supporting tracking capabilities throughout the transfer process and require signature upon delivery. (G.12.8)
- Unsuccessful transfers of SPI must be immediately mitigated and resolved and shall constitute a Privacy and Security Incident as defined in SS 200-04: Security Incident Response. (Additional Questions)
- SPI may only be accessed by individuals, including employees, temporary employees and contractors, who have been: (Additional Questions)
  - Appropriately pre-screened, as permissible by law, in accordance with applicable pre-employment screening agreed to between the parties. (Additional Questions)
  - Adequately trained in relation to Privacy, Information Security and Ethical business requirements appropriate to the Services and types of SPI they support. (Additional Questions)
- Access to SPI must be monitored, logged and reviewed on a regular basis; however no less than on a quarterly basis. (Additional Questions)
- SPI may only be used in physical and electronic environments with controls designed to prevent unauthorized reproduction, duplication, transmission, disclosure or use. (Additional Questions)
- SPI must be protected at all times while at rest: (Additional Questions)
  - Via encryption, neutralization or hashing, as agreed to by the parties, while in electronic form. (Additional Questions)
  - In physically secured environments when in physical form. (Additional Questions)
- SPI must not be retained on portable devices (desktops, laptops, mobile phones, etc.) or any employee-owned device. (Additional Questions)
- SPI must be disposed of in a secure manner, commensurate with the media of such information, such that the SPI cannot be read, recovered or reconstituted, as specified in SS 400-03 Data Retention and Destruction; including but not limited to: burning, pulverizing or cross-shredding of physical and electronic media. (Additional Questions)
Additional requirements for PCI cardholder information:
- Annually, or after any significant changes to cardholder processing methods, a risk assessment will be conducted, which considers the following: (Additional Questions)
  - An assessment of threats and vulnerabilities against cardholder information. (Additional Questions)
  - An assessment of the effectiveness of security controls to address threats and vulnerabilities. (Additional Questions)
  - Implementation of new and more effective security controls to address new threats and vulnerabilities and to maintain compliance with PCI-DSS and other external requirements. (Additional Questions)
  - The use of vulnerability and penetration testing to identify threats and vulnerabilities and to confirm that these have been mitigated following implementation of new and enhanced security controls. (Additional Questions)
- Sensitive authentication information associated with cardholder processing (PIN, PIN Block, Magnetic Stripe, CVV2) must NOT be stored in databases, log files, trace files, or history files in any form, encrypted or otherwise. (Additional Questions)
- Whenever displayed, the Primary Account Number (credit card number) must be masked or truncated (only first six and last four characters can be displayed). (Additional Questions)
- Whenever stored, cardholder information (the Primary Account Number and, when stored with the Primary Account Number, the Name, Service Code and Expiration Date) must be encrypted using a strong encryption algorithm or hashed. (Additional Questions)
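The two display and storage rules above (mask the PAN to first six and last four; never let PIN, PIN block, track or CVV2 data reach a log, trace or history file) are the kind of thing a Supplier can check mechanically over its own log output. The following is an added example written for this page, not Harte Hanks' or any Supplier's code. The log lines are constructed; 4111111111111111 is a widely used test PAN, not a real card, and the field names (`pan=`, `cvv2=`) are an assumption about the log format.

```python
"""PAN masking and sensitive-authentication-data screening for log lines (added example).

The sample log lines are constructed; the field names are an assumption.
"""
import re

# 13 to 19 contiguous digits not adjacent to other digits; the Luhn check below
# filters out timestamps and batch ids that merely happen to be long numbers.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Sensitive authentication data keys that must never be stored, in any form.
SAD_RE = re.compile(
    r"\b(cvv2|cvv|cvc|pin_block|pin|track1|track2)\s*[=:]\s*([^\s,;]+)", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; True for a syntactically valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced by '*'."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid PANs and drop SAD values before a line is written to a log."""
    line = PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), line
    )
    return SAD_RE.sub(lambda m: f"{m.group(1)}=[REMOVED]", line)


def audit_log(lines: list[str]) -> list[tuple[int, str]]:
    """Findings (1-based line number, description) for stored SAD or unmasked PANs."""
    findings = []
    for n, line in enumerate(lines, 1):
        if SAD_RE.search(line):
            findings.append((n, "sensitive authentication data present"))
        if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
            findings.append((n, "unmasked PAN present"))
    return findings


# Constructed sample log lines: line 2 is the one that violates both rules.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z INFO auth ok order=7781 pan=411111******1111",
    "2024-03-01T10:00:02Z DEBUG gateway request pan=4111111111111111 cvv2=123 exp=1226",
    "2024-03-01T10:00:05Z INFO batch id=20240301 count=42",
]

if __name__ == "__main__":
    for n, why in audit_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
    print(scrub_log_line(SAMPLE_LOG[1]))
```

`scrub_log_line` is meant to sit in the logging path so the violation never reaches disk; `audit_log` is the monthly check over what did reach disk. The CVV2 value is removed outright rather than masked, because the rule is that it may not be stored in any form.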
SS 200-03: Access Management
Access to all systems with access to Confidential Information (which includes Human Resource, financial, company confidential, SPI, PII and Client data) must be restricted. Access to such systems must be reviewed on an annual basis by the system owner, and modified as necessary to ensure a proper segregation of duties and that rights are appropriate in relation to current job responsibilities. This policy applies to all systems with access to Confidential Information.
- Document who may access the system and its data, based on the defined confidentiality of the information, and under what circumstances access may be granted. Document the provisioning and de-provisioning process and define how: (H.1.1)
  - Access requests are created (H.2.4)
  - Access requests are routed for approval (H.2.4.1)
  - Access approvals are confirmed and access provisioned (H.2.4.1, H.2.4.2)
  - De-provisioning processes are initiated and completed (E.6.2)
  - Granted access is reviewed against approved access at regular intervals (H.2.6)
  - Existing rights are reviewed against present roles and employment status at regular intervals (H.2.7)
- All systems must have an assigned owner who has the responsibility of approving the assignment, modification, or revoking of access (H.2.4.1)
- All requests for access rights must be made in writing or approved electronic system. (H.2.4)
- Access rights must be controlled by way of unique user IDs and associated passwords. (H.2)
- Accounts that have not been accessed within 90 days must be disabled or removed. (H.2.2)
- Documentation of all actions relating to access rights administration must be maintained in a current and accurate manner. (H.2.4.2)
- On an annual basis, the system owner must conduct a complete review of assigned access rights. (H.2.6)
- Segmentation of duties must be maintained between the owner and the person(s) authorized to actually set up and revoke access rights. (G.20.1)
- Any generic IDs must have a documented justification for their creation and use. (H.3.4)
- Access to data that is restricted may only be granted in accordance with appropriate job functions and responsibilities and must not exceed the level required for job performance, as determined by the system owner. (H.1.2)
- Access rights to a system that contains SPI or Confidential Information must be suspended after a maximum of three unsuccessful attempts to provide the password. (G.15.20, G.14.22)
- Supplier is responsible for notifying Harte Hanks, in approved electronic form, of all terminations on the day of termination of employment for personnel that have access to Harte Hanks systems. (E.6, E.6.2.1)
- All access rights assigned to an individual must be revoked on the day of involuntary termination of employment or within one business day of voluntary termination or transfer. (E.6.2.1)
- Access rights must be revoked or reduced if the business need for such access no longer exists, based upon notification from the system owner. (E.6.3)
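Three of the items above (disable accounts unused for 90 days, revoke access on termination, justify every generic ID) can be checked in the periodic review by joining an account export against HR status. The following is an added example written for this page, not Harte Hanks' or any Supplier's code. The records are constructed and the field names are an assumption about what an IAM export would contain.

```python
"""Access-review findings modelled on SS 200-03 (added example, not the page's own code).

The account records are constructed; the field names are an assumption.
"""
from datetime import date

DORMANT_DAYS = 90   # H.2.2: disable or remove accounts not accessed within 90 days

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"id": "jdoe",       "enabled": True,  "last_login": "2024-01-15", "hr_status": "employed",   "generic": False, "justification": ""},
    {"id": "bsmith",     "enabled": True,  "last_login": "2024-05-20", "hr_status": "employed",   "generic": False, "justification": ""},
    {"id": "tlee",       "enabled": True,  "last_login": "2024-05-28", "hr_status": "terminated", "generic": False, "justification": ""},
    {"id": "svc_backup", "enabled": True,  "last_login": "2024-05-31", "hr_status": "n/a",        "generic": True,  "justification": ""},
    {"id": "svc_etl",    "enabled": True,  "last_login": "2024-05-31", "hr_status": "n/a",        "generic": True,  "justification": "CR-1042 nightly load"},
    {"id": "old_tmp",    "enabled": False, "last_login": "2023-11-02", "hr_status": "terminated", "generic": False, "justification": ""},
]


def review_accounts(accounts: list[dict], as_of: str) -> list[tuple[str, str]]:
    """Return (account id, finding) pairs for every enabled account needing action."""
    today = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # already disabled: nothing to do
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append((acct["id"], f"dormant for {idle} days; disable or remove (H.2.2)"))
        if acct["hr_status"] == "terminated":
            findings.append((acct["id"], "HR shows terminated but account still enabled (E.6.2.1)"))
        if acct["generic"] and not acct["justification"].strip():
            findings.append((acct["id"], "generic ID without documented justification (H.3.4)"))
    return findings


if __name__ == "__main__":
    for acct_id, why in review_accounts(ACCOUNTS, "2024-06-01"):
        print(f"{acct_id}: {why}")
```

Run against the constructed export as of 2024-06-01, the review flags jdoe (dormant), tlee (terminated but still enabled) and svc_backup (generic ID with no justification), and passes bsmith, svc_etl and the already-disabled old_tmp. The terminated-but-enabled check is the one worth running daily rather than annually, since the policy requires revocation on the day of termination.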
SS 200-04: Security Incident Response
In the event that any security incident or privacy violation occurs, Supplier must immediately (no later than 24 hours) report the incident to the Harte Hanks SIRT hotline at 1-866-611-SIRT (7478) and email firstname.lastname@example.org. This policy applies to any incident or situation which compromises, or has the potential to compromise, privacy or security.
- Supplier must not publicly discuss details associated with ongoing privacy or security investigations as such disclosures may impede law enforcement efforts. (J.1.2.9)
- Personnel must always be mindful of their obligations to maintain confidentiality and remember that only designated Harte Hanks personnel are authorized to represent Harte Hanks. (J.1.2.9)
- Personnel must protect and maintain the integrity of all evidence related to privacy and security incidents and keep in mind that all related information and devices are subject to inspection or audit if deemed necessary.(J.1.2.4)
- Supplier is required to report privacy and security incidents by contacting the SIRT hotline at 1-866-611-SIRT (7478) and emailing email@example.com (J.18.104.22.168)
- Reportable privacy and security incidents include, but are not limited to: (J.1.2.11)
  - Theft, fraud or physical intrusions (J.22.214.171.124, J.126.96.36.199)
  - Violations of privacy, security or business conduct policies (J.188.8.131.52)
  - Malicious activity or any misconduct resulting in a reduced ability to ensure the privacy or security of information (J.184.108.40.206)
  - Activities which are unfair, deceptive or unethical (J.220.127.116.11)
  - Unauthorized access to, or disclosure of, any confidential information (J.18.104.22.168)
  - Vulnerabilities or threats associated with the integrity or effectiveness of privacy or security controls (J.22.214.171.124)
  - Social engineering attacks including, but not limited to, phishing or vishing. (J.126.96.36.199)
  - Any unauthorized system access or probes which have occurred. (J.188.8.131.52)
  - Unauthorized computer activity including, but not limited to:
    - Improper password usage or password loss (J.1.3.8)
    - Denial of Service (J.1.3.2)
    - Inappropriate use of computing resources (J.1.3.4)
    - Viruses (J.1.3.4, J.1.3.6)
SS 200-05: Business Continuance Plan
The purpose of a Business Continuance Plan (BCP) is to ensure continued availability and acceptable service levels to Harte Hanks and Clients in the case of short term or long term incident resulting in a disruption of business. This policy applies to all Supplier personnel and systems.
- Supplier team must develop and maintain a BCP to be executed in the event of an incident resulting in disruption of business. (K.1)
- Supplemental BCP may be developed to address specific operational or Client needs. (K.1.2.3)
- Supplier must conduct business impact analysis to identify and prioritize the resources and systems that are required through the duration of an incident. (K.3)
- Supplier must conduct Risk Assessments to identify and classify gaps with recent business impact analysis results and business continuance tests. (A.1.1)
- Each BCP must describe a recovery team and identify the roles of each individual. Team members must be aware of their roles and responsibilities. (K.1.2.7)
- Team members receive additional training as needed. (K.1.2.6)
- The role of the BCP and BCP team members is to provide direction and prioritization for the recovery tasks in the event of an incident. (K.1.2.7)
- Incidents also include events that would prevent personnel from reaching a facility (weather, pandemic, infrastructure, etc.). (K.2)
- Classify the scenarios as short-term or long-term impact. (K.1.2.4, K.3)
- Each BCP must identify the materials required during the event and the materials required for recovery. Some examples: (K.1.2.9)
  - Call Lists (K.184.108.40.206)
  - Equipment inventories (K.1.2.10)
  - Outside contacts (K.1.2.14)
  - Off-site storage (K.1.2.9)
- Each BCP must identify Supplier and Harte Hanks dependencies. (K.1.2.15)
- Each BCP must identify primary and secondary communication strategies. (K.220.127.116.11)
- Each BCP must establish recovery time objective (RTO) and recovery point objectives (RPO). (K.3.2)
- Each BCP must include how RTO and RPO objectives will be met. (K.18.104.22.168)
- Each BCP must be updated after any major change to processes, procedures or systems. (K.1.2.5)
- Each BCP must be reviewed, updated and tested at least annually. (K.1.2.16)
  - This includes conducting business impact analysis and risk assessment. (K.3)
  - Tests include incident scenarios that account for key personnel being unavailable in the event of a disaster. (K.2)
SS 300-01: System Development, Implementation and Change Control
This policy establishes requirements for all system changes throughout Supplier and Harte Hanks environments. System changes include, but are not limited to:
- Programming changes to source code object.
- Programming changes to reports or interface programs.
- Changes to database table structures.
- Changes to application security configurations.
- Changes to online configurations, such as setup, application configuration or table maintenance.
- Changes to configurations setting on the server(s) used to run the application.
- Changes to network infrastructure: routers, switches, firewalls, IPS, etc.
- Direct database changes made to data contained within application tables.
Policy
The following minimum requirements must be met for all system changes:
- A formal, documented change management policy must be established for each system. A single change management policy may address multiple systems. (G.2)(K.1)
- All personnel involved in the change management process must have working knowledge of the change management policy. (G.2)(K.1.2.3)
- Each system must have a designated owner. The owner is responsible for representing the end users of the system. System owners must approve all system changes. (G.2.2)
- Develop all applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities. (I.2.2)
- Develop software applications based on industry best practices and incorporate considerations regarding information security throughout the software development life cycle. (I.2.7)
- Maintain and follow a development methodology. (I.2.2)
- Requests for changes must be documented. (I.2.22.10)
- Requests for changes must be approved in writing, or through an approved electronic system, by the designated system owner. (I.2.22.2)
- Programming and database table structure changes must be made in a non-production environment prior to being migrated to the production environment. Testing of these types of changes must be completed and documented prior to being migrated to the production environment (I.2.22.5)
- Separate libraries and/or repositories must be maintained for development, test and production code. (I.2.7.2)
- Separate systems must be maintained for development/test and production services. (G.3.1)
- Write access to production libraries must be limited to specific individuals and a current list of authorized individuals must be maintained. (H.3.1)
- The migration of ALL changes to the production environment must be documented and approved by the designated owner. The documentation of migration must specify every change to the system as part of the migration. Migration documentation must be associated (cross-referenced) with the approved change request. (I.2.22.10)
- The individual who performs the programming change in the non-production environment must not have the ability to migrate that change to the production environment (H.3.1)
- Production deployments must be performed by designated individuals who do not have administrative access to the host infrastructure/platform or production data. (H.3.1)
- Documentation of a change request and of its migration to production must be maintained together to facilitate review of documents and audit of all system changes. In addition, a log of all changes must be maintained. Documentation must be retained for a period of three (3) years, unless longer retention is required by contractual commitments or regulatory requirements. (I.2.23)
SS 300-02: Internet Connectivity
This policy establishes requirements for all Internet Service Provider (ISP) connections providing Internet connectivity to Supplier. All ISP connections bordering Supplier are subject to this policy. This includes existing connections.
Policy
All ISP connections must be secured appropriately.
- Each connection must be protected by a firewall and intrusion detection/protection device. (G.9.1, G.9.19)
- The primary Internet connection should be protected by DDoS mitigation services provided by the ISP, or documented incident response procedures must be in place to respond to DDoS incidents. (J.22.214.171.124)
- All firewall changes must be approved by a formal written or electronic process. (G.9.9)
- Connections used for web surfing must also utilize a web content filtering device. (G.9.12)
- Internet connections used for VoIP communications must be encrypted. (G.12.1)
SS 300-03: Wireless Network
Harte Hanks recognizes the potential risks associated with the use of wireless network technologies. Therefore, there is a need for standard deployment practices and guidelines to mitigate these risks while allowing for the benefits of wireless network technology. This policy outlines the deployment and usage guidelines for wireless network infrastructures within Harte Hanks and Supplier environments.
- All devices deployed to create WAPs must be managed by the appropriate Supplier network group. (G.10.1)
- Running any wireless device in Ad-Hoc mode is prohibited. (G.10.1)
- The following deployment configuration must be followed:
- Key Requirements
- All wireless networks must be configured to use dynamic key exchange, such as WPA2/AES, Cisco-EAP or 802.11i. (G.10.4)
- Only associations created with a dynamic key exchange technology are permitted. (G.10.4)
- Configuration Requirements
- WAPs must be configured and hardened according to SS 400-05: NETWORK, SERVER AND WORKSTATION SYSTEM HARDENING. (G.10.5)
- Settings must be in place to prevent clients from simultaneous wired and wireless connections. (G.10.2)
- Physical Requirements
- Wireless equipment must be placed in an area that is secure. (F.1.2)
- Access point antennas and deflectors must be placed in such a manner as to limit the presence of the signal outside the facility. (G.10.1)
SS 300-04: Time Synchronization
Harte Hanks recognizes the potential risks associated with unsynchronized time sources and clocks. Therefore, there is a need for standard deployment practices and guidelines to maintain reliable time sources and time synchronization. This policy outlines the deployment and usage guidelines for time synchronization within Supplier environments.
- All Supplier systems must be configured to receive time synchronization from an authorized clock. (G.13)
- Windows systems should be configured to use Active Directory for time synchronization. (G.13)
- Non-Windows systems should be configured to use a time synchronization program such as NTPd. (G.13)
- Network devices should use their built-in NTP client functionality. (G.13)
SS 400-01: Encryption Requirements
The purpose of this policy is to specify when encryption is required, how encryption is implemented and to limit the use of encryption to those algorithms that are considered industry standard.
- An analysis of databases and data files must be conducted to assess the need to encrypt the data included in the database or file. SPI data must be sent using encrypted transit as well as file or field level encryption. SPI data must be encrypted while at rest. PII and Harte Hanks Confidential Information must be encrypted prior to transport or delivered via a protected (encrypted) transit mechanism. (G.11.1, G.11.2, G.12.1, I.6.2)
- All encrypted data must meet a minimum 256-bit security level. Further detail is in NIST Special Publication 800-57 (Recommendation for Key Management), located at https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final (I.6.10)
- Proven, standard algorithms must be used:
- Acceptable encryption algorithms include, but are not limited to, AES.
- Acceptable hashing algorithms used in conjunction with encryption include SHA-1 (160 bits) or greater. (B.1.18)
- Acceptable hashing algorithms without the use of encryption include the SHA-2 family of hashing algorithms. (B.1.18)
- Symmetric crypto keys must be at least 256 bits. (B.1.18)
- Asymmetric crypto keys must be at least 2048 bits. (B.1.18)
- Harte Hanks key length requirements may be reviewed and upgraded as technology allows.
- File compression software that has encryption functionality is not acceptable due to inherent weaknesses in the implementation. This includes WinZip. (B.1.18)
- Separate encryption keys or key pairs must be used for each system, client or function whenever possible. (I.6.7)
- The use of proprietary encryption algorithms is not allowed for any purpose. (B.1.18)
SS 400-02: Encryption Key Management
The purpose of this policy is to specify how encryption keys are managed. Proper key management is essential to maintain data integrity and prevent loss of confidential information.
- Encryption keys must be stored securely. (I.6.5)
- Whenever possible keys should be stored offline in a secure area.
- Keys must not be stored in the same location as the data they protect. (I.6.6)
- Keys must be stored in a centralized and authorized key store or key management system. (I.6.4)
- Encryption keys should be valid for no longer than one year. (B.1.18)
- Encryption keys that are expired or no longer required must be disposed of according to the Data Retention and Destruction policy (SS 400-03).
- In the event that any key has expired, been compromised or is no longer trusted, the key must be revoked and all data must be re-encrypted with a new key or key pair. (B.1.18)
- Access to encryption keys must be limited to the least possible number of personnel. These personnel are designated as key custodians who must acknowledge they understand their responsibilities as a key custodian. (I.6.6)
- Symmetric keys and asymmetric private keys must be treated as Confidential Information. Symmetric keys and asymmetric private keys must be transmitted via an approved encrypted transport method. (I.6.5)
SS 400-03: Data Retention and Destruction
Data retention and destruction procedures must be developed for all files and databases containing Confidential Information. This includes internal data related to administrative functions such as human resources and finance, company confidential data, SPI, PII and client data. This policy applies to all files and databases containing Confidential Information.
- Each Supplier must document data retention and destruction procedures for Confidential Information. (L.5)
- At a minimum, the data retention procedures must specify: (P.8)
- Length of time each category of Confidential data is retained (D.2.2.9, D.2.2.10)
- Mechanisms in place to monitor compliance with the data retention procedures (D.2.2.9, D.2.2.10)
- Mechanisms in place to identify and comply with legal and contractual commitments related to data retention. (D.2.2.9, D.2.2.10)
- Encryption for SPI data must be maintained. (D.2.2.9, D.2.2.10)
- At a minimum, the data destruction procedures must specify:
- Actions taken to destroy data files prior to the disposal of hard drives, storage arrays, and other types of storage devices. (G.11.3)
- Actions taken to render compact discs, DVDs, back-up tapes and other forms of electronic media unreadable prior to disposal. (G.11.3)
- Actions taken to properly dispose of paper documents containing Confidential Information. These actions may include cross-cut shredding of documents or disposal into secure receptacles provided by contracted destruction company. (D.2.2.9, D.2.2.10)
- Data destruction must meet the specifications for Confidential information in US DOD 5220.22 (Chapter 7, Section 5). (D.2.2.9, D.2.2.10)
- Mechanisms in place to monitor compliance with data destruction procedures. (D.2.2.9, D.2.2.10)
SS 400-04: Public Server Hardening
This section establishes requirements for system hardening of public Web servers and other internet available servers to limit potential security vulnerabilities. This policy applies to all servers deployed throughout Supplier or Harte Hanks that are accessible from the Internet.
- Isolate Web servers from public networks and internal networks. (G.9.18)
- Utilize DMZs for the deployment of publicly accessible web servers (G.9.18)
- Services, such as application servers and databases, supporting the publicly accessible web server must be placed in a DMZ that is separate from the web server DMZ. (G.9.18.2)
- PII and SPI must not be stored in public DMZ segments. (G.9.18.1)
- Configure Web server to execute only under a unique individual user and group identity without administrative privileges. (G.19.2.8, G.19.3.8)
- Configure the public Web server so it cannot serve files that are outside of the specified file directory tree for public Web content. (G.19.2.3, G.19.3.4)
- Ensure default/sample web server files have been removed (G.19.2.7)
- Disable the serving of Web server file directory listings (Additional Questions)
- Certain contractual and regulatory obligations may restrict the use of wildcard certificates
- Enable Web server logging. (G.19.2.6, G.19.3.1)
- Logs must be captured and maintained according to SS 400-06 (System Logging).
- Utilize automated log analysis tools, such as QRadar, MS MOM/SCOM, OSSEC or GFI's SELM. (G.9.6.4)
- Configure server to limit the functionality of programs, scripts and plug-ins. (G.19.2.7, G.19.3.7)
- Remove all unnecessary programs and disable all unnecessary services from the system prior to release of server into a production environment. (G.19.2.4)
- Use only industry standard port numbers and protocols (G.19.2.5, G.19.3.6)
- Configure server to use authentication and encryption, where required. (H.2)
- Utilize user based access if content does not need to be public. (H.2)
- Utilize TLSv1.2 or greater where user based access is necessary. (G.14.18)
- Utilize TLSv1.2 or greater where SPI or PII is being transmitted. (D.2.2.5)
- Review public information on recent security vulnerabilities and incidents on a routine basis. (I.3.5)
- Update security controls to protect against new attacks and vulnerabilities. (I.3.2)
- Update firewall filtering mechanisms to deny new attacks (G.9.17)
- Temporarily disable specific services that might be vulnerable to attack (J.1.2.6, J.1.2.)
- Supplier shall cooperate with Harte Hanks-conducted security vulnerability (penetration) testing on systems dedicated to processing Harte Hanks Data only, which may include unannounced security penetration tests by electronic methods.
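As an added example (not part of the policy and not Harte Hanks code), the following Python builds a client TLS context that enforces the SS 400-01 algorithm rules (AES, 256-bit symmetric keys, SHA-2 hashing) together with the TLSv1.2-or-greater requirement above, then audits what OpenSSL actually enabled. The cipher-suite list is an assumption chosen to satisfy those rules; the policy itself names no suites.

```python
import ssl

# Added example, not from the policy. Parameters taken from the policy text:
# TLSv1.2 or greater (SS 400-04), AES with 256-bit symmetric keys and SHA-2
# hashing (SS 400-01). The suite list below is an assumption that satisfies
# those rules; the policy itself names no cipher suites.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_SYMMETRIC_BITS = 256
POLICY_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384"
)


def build_policy_context() -> ssl.SSLContext:
    """Client context: certificate verification on, TLS 1.2+, AES-256 suites only."""
    ctx = ssl.create_default_context()      # hostname check + CA verification
    ctx.minimum_version = MIN_TLS_VERSION   # refuses SSLv3, TLSv1.0 and TLSv1.1
    ctx.set_ciphers(POLICY_SUITES)          # governs the TLSv1.2 suite list
    return ctx


def tls12_suite_names(ctx: ssl.SSLContext) -> list:
    """Names of the TLSv1.2 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(ctx: ssl.SSLContext) -> list:
    """Return names of enabled suites that fall below the policy.

    A suite is flagged when its symmetric key is shorter than 256 bits or its
    hash is not SHA-2. OpenSSL enables its TLSv1.3 suites independently of
    set_ciphers() and Python exposes no API to trim them, so on a modern
    OpenSSL this typically reports TLS_AES_128_GCM_SHA256; that suite has to
    be disabled in the OpenSSL configuration rather than from Python.
    """
    flagged = []
    for c in ctx.get_ciphers():
        weak_key = c["alg_bits"] < MIN_SYMMETRIC_BITS
        not_sha2 = not c["name"].endswith(("SHA256", "SHA384", "SHA512"))
        if weak_key or not_sha2:
            flagged.append(c["name"])
    return flagged


if __name__ == "__main__":
    context = build_policy_context()
    print("TLSv1.2 suites offered:", tls12_suite_names(context))
    print("suites needing OpenSSL-level handling:", audit_cipher_list(context))
```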
SS 400-05: Network, Server and Workstation System Hardening
This section establishes requirements for system hardening to limit potential security vulnerabilities. This policy applies to all systems deployed throughout the Supplier and Harte Hanks. This includes workstations, telecommunications infrastructure, servers and network devices.
- Develop a computer deployment plan (B.1.12)
- Identify the purpose of each computer (D.1.1.5)
- Identify the network services that will be provided on the computer; where applicable, use standard image files. (G.15.1.1, G.15.3)
- Identify the software, both client and server, to be installed (D.1.2)
- Identify the users or categories of users (groups) of the computer and determine the privileges that each category of user (group) will have on the computer (H.1.2)
- Decide how users will be authenticated and how authentication data will be protected (G.19.1.2)
- Ensure password parameters and account requirements are configured or inherited to meet SS 100-04: Passwords. (H.4)
- Determine how appropriate access to information resources will be enforced (D.2.2.2)
- Develop intrusion detection strategies for the computer (G.9.19)
- Login failure detection and audit (G.18.3)
- Virus detection and prevention (G.7)
- Document procedures for the back-up and recovery of information resources stored on the computer (G.8)
- Keep operating systems and applications software up-to-date (G.15.2)
- Establish a procedure for daily monitoring of sources of information about security problems, software updates and operating system security patches and procedures to communicate newly discovered vulnerabilities to the appropriate personnel. (C.1.6)
- Evaluate identified updates for applicability to installed systems. (G.15.2, I.3.1)
- Installation of updates must follow system change management procedures. This includes testing the updates in non-production environments where applicable. (I.3.1)
- Install and apply the latest vendor supplied security patches for all system components and software within one month of release. (Additional Questions)
- Updates must be obtained from vendor approved sources and deployed through authorized update mechanisms. (Additional Questions)
- Critical updates to internet facing services must be installed within 48 hours of availability. (Additional Questions)
- Configure network devices according to industry standard hardening guides (NIST, SANS, CIS, etc.). (G.9.1, G.14.1, G.15.1)
- Remove unneeded default accounts and groups and modify default account names and passwords that need to be maintained. (H.4.8)
- Ensure account passwords are set appropriately in accordance with password policies defined in SS 100-04: Passwords.
- Configure computers to require authentication after idle periods of 15 minutes or less. (H.2.17, H.2.18)
- Review access-list configuration quarterly. (G.9.17)
- Management of network devices must be performed in a secure manner (G.9.14)
- Management ports must be connected to internal networks (G.9.15)
- Management ports must restrict source connection IP addresses (G.9.15)
- Configure computers for file backups (See Section SS 400-09) (G.8)
- Configure computers for secure remote administration (H.5.6)
- Prevent installation of unauthorized hardware and the modification of authorized hardware. (C.2.6.5)
- Deploy the computer in a secure facility (See Section SS 400-08) (F.1.2)
SS 400-06: System Logging
This section establishes requirements for capturing and maintaining system authentication and security logs to identify unauthorized access or activities (exceptions). This policy applies to all systems deployed throughout the Supplier and Harte Hanks. This includes internet accessible systems, systems that are not directly accessible over the Internet but reachable through a secured connection (VPN), and systems that are only accessible internally.
- Any activities deemed to be exceptions (whether unauthorized access or unauthorized activities) must be reported in accordance with SS 200-04: Security Incident Response.
- Maintain logs for at least one year with the best practice of three years (G.14.9, G.15.6)
- Logs may be archived after 90 days.
- Log files must include the account used, date/time, and result (success/failure) of the login attempt. (G.9.6.1)
- Supplier must allow Harte Hanks and/or its applicable Clients reasonable access to system records and logs.
- Supplier acknowledges and agrees that records of system activity and data handling may be evidence (subject to appropriate chain of custody procedures) in the event of a security breach or other inappropriate activity. Upon Harte Hanks' request, Supplier shall deliver the original copies of such records to Harte Hanks for use in any legal, investigatory or regulatory proceeding.
- Whenever possible, the log should contain the source (IP address) of the attempted login.
- Logs must not contain the contents of failed passwords. (H.4.1.1)
- The use of real-time or periodic remote logging facilities such as syslog, syslog-ng or Qradar is encouraged. (G.9.6.4)
- It is best practice to maintain a centralized log retention environment with specific security controls in place that limit connectivity to log capture and log review only. (G.9.6)
- Logs must be secured to prevent unauthorized modification or deletion. (G.9.6.3)
- Log files should be rotated daily.
- Historical logs (not from the current day) must be monitored for any manipulation or deletion to support any eDiscovery or Data Breach investigation. See http://www.edrm.net for additional information. (G.9.6.1)
- Log review should occur in real time or at least on a daily basis. (G.14.7, G.15.4)
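The following Python is an added example (not from the policy) showing two of the requirements above in code: a validator that confirms each authentication record carries the required fields and no failed-password content, and a SHA-256 hash chain over daily log files that detects manipulation or deletion of historical logs. The record layout and sample data are constructed for illustration.

```python
import hashlib
from datetime import datetime

# Added example, not part of the policy. Record layout and samples are
# constructed; a real deployment would map its own log format onto them.
REQUIRED_FIELDS = ("timestamp", "account", "result")   # SS 400-06 (G.9.6.1)
RECOMMENDED_FIELDS = ("source_ip",)                    # "whenever possible"
FORBIDDEN_FIELDS = ("password", "passwd", "secret")    # H.4.1.1: never logged
VALID_RESULTS = {"success", "failure"}


def validate_auth_record(record: dict) -> list:
    """Return the problems found in one authentication log record."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in record:
            problems.append(f"missing required field: {field}")
    for field in RECOMMENDED_FIELDS:
        if field not in record:
            problems.append(f"warning: missing recommended field: {field}")
    if "result" in record and record["result"] not in VALID_RESULTS:
        problems.append("result must be success or failure")
    for field in FORBIDDEN_FIELDS:
        if field in record:
            problems.append(f"forbidden field present: {field}")
    if "timestamp" in record:
        try:
            datetime.fromisoformat(record["timestamp"])
        except (TypeError, ValueError):
            problems.append("timestamp is not ISO 8601")
    return problems


def chain_daily_logs(day_files: dict) -> dict:
    """Hash-chain daily log files (name -> bytes) in name order.

    Each digest covers the previous digest and the day's content, so editing
    or deleting any day changes every digest after it.
    """
    chain, prev = {}, "0" * 64
    for name in sorted(day_files):
        prev = hashlib.sha256(prev.encode() + day_files[name]).hexdigest()
        chain[name] = prev
    return chain


def verify_chain(day_files: dict, recorded: dict) -> list:
    """Names of days whose recorded digest no longer matches (or are missing).

    The recorded digests must live on a separate, write-protected system;
    a chain stored next to the logs can be rewritten along with them.
    """
    current = chain_daily_logs(day_files)
    return sorted(d for d in recorded if current.get(d) != recorded[d])


# Constructed sample data.
SAMPLE_RECORDS = [
    {"timestamp": "2024-03-01T08:15:22+00:00", "account": "jdoe",
     "result": "success", "source_ip": "10.1.2.3"},
    {"timestamp": "2024-03-01T08:16:01+00:00", "account": "jdoe",
     "result": "failure", "source_ip": "10.1.2.3", "password": "hunter2"},
    {"timestamp": "03/01/2024", "account": "svc-backup", "result": "denied"},
]
SAMPLE_DAYS = {
    "auth-2024-03-01.log": b"08:15:22 jdoe success 10.1.2.3\n",
    "auth-2024-03-02.log": b"09:02:10 jdoe failure 10.1.2.3\n",
    "auth-2024-03-03.log": b"07:45:00 svc-backup success 10.9.9.9\n",
}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["account"], validate_auth_record(rec) or "ok")
    recorded = chain_daily_logs(SAMPLE_DAYS)
    tampered = {**SAMPLE_DAYS, "auth-2024-03-02.log": b"edited\n"}
    print("days failing verification:", verify_chain(tampered, recorded))
```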
SS 400-07: System Monitoring
The purpose of this policy is to establish the guidelines for monitoring systems for availability, functionality and anomalies. This policy applies to all systems.
- Monitoring must occur at multiple layers to ensure the system is performing properly. (G.9.19.3)
- Network availability (ping, SNMP) (G.9.1.1)
- Utilization (bandwidth, response time, drive space, CPU) (G.9.19.1)
- Functionality (web, DNS, database) (J.126.96.36.199)
- Errors (J.188.8.131.52)
- Intrusion Detection (G.9.19.3)
- Changes required to resolve outages must be documented and must follow the formal change management procedures in SS 300-01: System Development, Implementation and Change Control.
- Escalation procedures must be documented. (J.1.2.2)
- Automatic alerts must be generated during a failure and once the system recovers. (G.9.6.2, G.9.19.1)
- Monitoring should be configured to report availability based on contractual service level agreements.
SS 400-08: Data Center Security
Access to data center facilities and work areas must be limited to those individuals with a justified business need. This policy applies to all computer rooms, data centers, and server rooms.
- Environmental conditions must be maintained in a manner designed to ensure the safety of the staff, as well as the operation of all equipment. (F.1.2.18)
- Sufficient fire detection and suppression equipment must be installed and operational. (F.1.2.21)
- Where short- and long-term power protection is available, the following must be considered:
- Battery systems must be tested and maintained according to manufacturer specifications. (F.2.19.1)
- Generator systems must be tested at least monthly without load and at least annually with load. (F.2.20.5, F.2.20.6)
- Emergency lighting and sufficient cooling must be provided when running on backup power systems. (Additional Questions)
- Air conditioners must undergo scheduled maintenance, no less than once per quarter, to ensure availability and optimal performance. (F.2.19.7)
- A list of personnel authorized for access to the facility must be developed and maintained in a current manner. (F.2.1.3)
- All facilities must maintain a documented procedure to request, approve and remove authorized access to Data Center facilities. (F.2.14.1)
- All personnel must be individually approved by the appropriate management. (F.184.108.40.206.1)
- Access control systems must identify the person or individually assigned badge and include the date and time of entry into the data center. (F.2.13)
- Access control systems must log entry to the data center and retain logs according to SS 400-06: SYSTEM LOGGING.
- ID badges, access list and access control devices must be audited quarterly. (F.220.127.116.11)
- Access failures to the data center must be reviewed quarterly. (F.18.104.22.168)
- ID badges must be issued to and worn by all authorized personnel with access to computer rooms, data centers and server rooms. Visitors to these areas must sign in and be escorted at all times by authorized personnel. (F.22.214.171.124)
- The sign-in sheet must capture name, signature, authorized escort, company, date, time and form of ID presented. (F.126.96.36.199)
- Areas housing computer equipment and storage media must be separately secured from the rest of the facility, and access must be restricted to only personnel requiring it in the performance of their duties. (F.1.2.3)
- Entryways and exits must be covered by CCTV systems capable of capturing identifiable images in all lighting conditions. (F.1.2.15)
- CCTV recordings must be retained online for at least 90 days and retained for one year. (F.1.2.15)
- Physical controls must be in place to identify and restrict access to authorized personnel. Actions must be taken on a regular basis to ensure the physical control is not compromised. Minimum requirements for specific physical controls include:
- Door keys: door locks must be changed or re-keyed when a person's job function changes such that Data Center access is no longer required, when a person with Data Center access is terminated, and on an annual basis. (F.188.8.131.52)
- Numeric keypads: combination codes must be changed when a person's job function changes such that Data Center access is no longer required, when a person with Data Center access is terminated, and on at least an annual basis. (F.184.108.40.206, F.220.127.116.11)
- Keycards: Data Center access must be removed immediately when a person's job function changes such that Data Center access is no longer required or when a person with Data Center access is terminated. Access lists must be reviewed on at least a quarterly basis. (F.1.2.4)
SS 400-09: Data Backup and Recovery
Processes must be in place to minimize the risk of loss of data or downtime of systems, which could result in financial consequences and loss of customer credibility. This policy applies to data maintained within all systems.
- Specific documentation of the backup procedures must be developed and maintained in a current manner. (G.8.1)
- System backups must be performed on a regular basis, as dictated by business requirements. Daily backups can be incremental as long as one full backup is done weekly. (G.8.1.1)
- All SPI data must use media, file or field level encryption while stored on backup media. It is recommended that all tapes are encrypted using full media encryption. (G.11.1)
- Backup media that is no longer required to meet retention requirements must be destroyed as soon as possible. (G.11.3)
- Backup media must be systematically rotated offsite to a secure commercial or alternate Supplier location on at least a weekly basis. The offsite storage location must be physically separate from the operation location, so as to reduce the chance of being affected by a common disaster event. (G.8.2)
- An inventory of all media stored on-site and off-site must be maintained. (G.11.3.1)
- Media transportation (pick-up / drop-off) logs and chain of custody must be maintained to indicate movement of backup media including to/from offsite storage. (G.18.104.22.168)
- Media in transit must be stored in locked and inventoried containers. (G.22.214.171.124)
- On at least an annual basis, verification must be conducted to confirm existence of required media on-site and at the off-site storage facility. This verification must include review of inventory reports and visual inspection of the on-site backup media. (G.11.3.3)
- Recovery tests using backup media must be performed for a sample of systems on at least a quarterly basis. Test procedures must be documented, and results of tests must be maintained for the past four quarters. (G.8.1.2)
SS 400-10: Disaster Recovery Plan
Supplier must have the ability to recover from disasters in a timely fashion with minimal impact to business and revenue and without loss of confidentiality and system security.
- All Suppliers are required to maintain an up-to-date and tested technical disaster recovery plan. The plan must be fully documented, showing short-term, intermediate (as applicable) and long-term responses to disruptions. Procedures for initial identification of and reaction to a potential disaster or disruption must be addressed in the plan. These procedures must address: (K.1)
- Declaration (K.1.2.4)
- Mobilization of Resources (K.1.2.7)
- Notifications (K.1.2.14)
- Disaster recovery plans must include at a minimum:
- The list of systems and processes to be recovered in event of a disaster (K.1.2.10)
- Priority listing of system specifying sequence of systems to be recovered based on business impact analysis and risk assessment results (A.1.1)
- Detailed recovery procedures for each system to be recovered
- Identity of individuals responsible for specific recovery tasks (K.1.2.7)
- Supporting disaster recovery technology/equipment lists (K.1.2.10)
- A copy of the disaster recovery plan must be distributed to all core members of the Supplier's disaster response team. (K.1.2.4)
- It is required that all Suppliers test disaster recovery plans, at a minimum, on an annual basis. (K.1.3)
- The disaster recovery plan must be reviewed and updated to reflect changes to the environment within 30 days of any material change and, at a minimum, on an annual basis. (K.1.2.1)