iSAFE SECURED Program

iSAFE SECURED is a program designed to recognize businesses that go the extra mile to ensure that their customer’s information is secure by improving the security and integrity of their own technology systems.

 

Customer’s who meet the minimum security specifications and requirements of the program shall be presented with an iSAFE Secured certificate, and granted usage rights to the iSAFE Secured seal to display the awarded program logos, and other information on their own web site or marketing materials.

General Requirements

  1. Customer must be a current Complete Managed Services platinum level subscriber and adhere to all policies and procedures outlined in the acceptable use policy developed in conjunction with the customer.
  2. Customer must agree to the marketing terms and agreements associated with the program, including the use of their logos and information in the marketing efforts of iSAFE.
  3. Customer must meet or exceed the minimum criteria and technical guidelines for each level of certification.

Technical Requirements

Customer has an annual assessment of their network, systems and processes to verify controls are in place and operational, and to evaluate and identify and areas of weakness in their systems.  PCI DSS 12.8.4, NIST 3.12.1

Customer has developed and enforces and acceptable use policy that applies to all employees and covers important security requirements, procedures and policies regarding the use of technology within the organization. PCI DSS 12.3

Customer utilizes a third-party email phish platform to test employee awareness and provide training regarding email phishing attempts.  PCI DSS 9.9.3, PCI DSS 12.6.1, NIST 3.2.3

Customer provides at least bi-annual training and communication of system security, policies, and processes. PCI DSS 9.9.3, PCI DSS 12.6.1, NIST 3.2.3

Customer utilizes multiple levels of data backup which include at least one on-site backup system that is physically secured, and one off-site backup system.  PCI DSS 9.5.1, NIST 3.8.9

Employees are not allowed to install software or updates on network connected devices.  NIST 3.4.9

Customer utilizes web filtering technology to block access to known malicious sites and content to reduce the risk of malware exposure.  NIST 3.4.8

Computers where sensitive data are stored are locked behind closed doors to prevent physical access to the machine.  PCI DSS 9, NIST 3.8.1, 3.8.2, 3.10

Users of the network are identified by a strong username and password unique to each individual logging in. There are no shared logins.  Inactive user accounts are removed within 90 days.  PCI DSS 8, NIST 3.5.1, 3.5.2

 

  • Failed login attempts will result in locking the system out for 30 minutes after 6 failed attempts. PCI DSS 8.1.6, PCI DSS 8.1.7
  • If a user session is idle for more than 15 minutes the system will automatically lock the user out and require password re-entry to access the system again. PCI DSS 8.1.8
  • Password complexity must be at least 7 characters long and include at least 3 out of four of the following; upper case letters, lower case letters, numbers, symbols. PCI DSS 8.2.3, NIST 3.5.7
  • User are required to change their password at least every 90 days. PCI DSS 8.2.4
  • New passwords must be different than the user’s last 4 passwords.  They cannot re-use the same password for 4 generations.  PCI DSS 8.2.5, NIST 3.5.9
 
 
 

Customer maintains secure systems and applications by ensuring that all security updates and patches are installed in a timely manner. PCI DSS 6, NIST 3.14.1

Customer does not transmit sensitive customer information or data over non-secure (un-encrypted) networks.  PCI DSS 4, NIST 3.1.13, 3.8.6

Customer has minimized or eliminated on-site cardholder data storage.  Magnetic strip, pins, or CVC data is not stored on-site.  Sensitive customer information is only accessible by authorized users with business relevant access requirements.  PCI DSS 3, PCI DSS 7, NIST 3.1.13, 3.8.6

All vendor supplied default usernames and passwords have been changed on all network connected hardware such as routers, switches, and access points to prevent un-authorized access and configuration changes.  PCI DSS 2, NIST 3.5.7, 3.5.1, 3.5.2

Customer must have actively scanning and updated anti-virus software on all workstations and servers directly connected to the Internal network. PCI DSS 5, NIST 3.14.2, 3.14.4, 3.14.5

Customer must have software firewalls on all servers and workstations enabled and blocking all unnecessary traffic between local workstations.  PCI DSS 1, NIST 3.13.1, 3.13.5, 3.13.2

Customer must have hardware firewall in place configured to block all unnecessary inbound traffic from the Internet.  Line of business applications requiring external access must be justified in writing.  PCI DSS 1, NIST 3.1.3, 3.1.18, 3.4.2, 3.4.3, 3.4.6, 3.13.1, 3.13.5

Interested in the Program?

Would you like to qualify your business for the iSAFE SECURED program?  Just fill out the form below and we’ll schedule a FREE consultation to determine your next steps toward becoming iSAFE SECURED!

Have Questions? Schedule a call or meeting with our team to discuss your needs.