Vendor Information Security Requirements
1. Introduction
Vendor and CWT have entered into an agreement under which Vendor has agreed to provide services and/or products under the terms of that agreement (“Agreement”). Vendor agrees that it shall comply and shall cause Third Parties acting on its behalf to comply with the information security requirements contained in this document (“Information Security Requirements”) and the required information security measures (“Technical and Organizational Security Measures”). The Information Security Requirements and Technical and Organizational Security Measures are incorporated in and made a part of the Agreement.
2. Definitions
2.1 Unless otherwise set forth or expanded herein, defined terms shall have the same meaning as set forth in the Agreement. The following defined terms shall apply to these Information Security Requirements. If there is a conflict between the definition contained in the Agreement and those herein, the definition in this document shall govern as it relates to Information Security Requirements.
“Affiliates” unless otherwise defined in the Agreement, means, with reference to a party, any company or other legal entity which, at the signature date of the Agreement, directly or indirectly: (i) controls a party; or (ii) is controlled by a party; or (iii) is controlled by a company or entity which directly or indirectly controls a party. For these purposes, “control” means the right to exercise more than fifty percent (50%) of the voting or similar right of ownership; but only for so long as such control shall continue to exist.
“Authorized Employee” means Vendor’s employees who have a need to know or otherwise access Confidential Information and Personal Information to enable Vendor to perform its obligations under the Agreement.
“Authorized Party” or “Authorized Parties” means Vendor’s (i) Authorized Employees; and (ii) Third Parties who have a need to know or otherwise access Personal Information and Confidential Information to enable Vendor to perform its obligations under the Agreement, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Information and Confidential Information in accordance with the terms and conditions of the Agreement and this document.
“Confidential Information” means any commercially sensitive, proprietary or otherwise confidential information relating to (a) CWT, its partners, and its Affiliates; (b) a CWT client and CWT client employees, contractors, subcontractors, or suppliers; (c) CWT personnel; (d) its independent partners and joint venturers; or (e) the contents and/or purpose of the Agreement, whether oral, in writing or which by any other means may directly or indirectly come into the Vendor’s possession or into the possession of Authorized Parties as a result of or in connection with the Agreement. For the avoidance of doubt, all Work Product shall constitute Confidential Information.
“CWT” unless otherwise defined in the Agreement, means the CWT entity outlined in the Agreement as well as its Affiliates.
“Demilitarized Zone” or “DMZ” is a network or sub-network that sits between a trusted internal network, such as a corporate private Local Area Network (LAN), and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal systems and other resources.
“Incident Management Process” is a Vendor-developed, documented process and procedure to be followed in the event of an actual or suspected attack upon, intrusion upon, unauthorized access to, loss of, or other breach involving the confidentiality, availability, or integrity of Personal Information and CWT’s Confidential Information.
“Masking” is the process of covering information displayed on a screen.
“Mobile and Portable Devices” mean mobile and/or portable computers, devices, media and systems capable of being easily carried, moved, transported or conveyed that are used in connection with the Agreement. Examples of such devices include laptop computers, tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), mobile or data phones, and any other wireless, periphery, or removable device with the ability to store Confidential Information and Personal Information.
“Personal Information” unless otherwise defined in the Agreement, has the meaning given under Regulation (EU) 2016/679 and other applicable global information security, data protection, and privacy laws, and means any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Personal Information is owned by CWT, not Vendor.
“Security Gateway” means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples of Security Gateways include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.
“Strong Authentication” means the use of authentication mechanisms and authentication methodologies that require multiple authentication factors, including at least two of the following: (1) Knowledge - something the user knows, e.g. password or personal identification number, (2) Ownership - something the user has, e.g. token, smart card, mobile phone, and (3) Inherence - something the user is, e.g. fingerprint.
“Strong Encryption” means the use of encryption technologies with minimum key lengths of 256-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it shall protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm. Strong Encryption includes, but is not limited to: SSL v3.0+/TLS v1.2, Point to Point Tunneling Protocol (PPTP), AES 256, FIPS 140-2 (United States government only), RSA 1024 bit, SHA1/SHA2/SHA3, Internet Protocol Security (IPSEC), SFTP, SSH, Vormetric v4, or WPA2.
“Technical and Organizational Security Measures” means any activities required under these Information Security Requirements to access, manage, transfer, process, store, retain, and destroy information or data; to disclose and notify affected parties required under the Agreement and under applicable information privacy and data protection laws; and to safeguard information or data to ensure availability, integrity, confidentiality, and privacy, or notify individuals of any failure to safeguard such information or data. Measures include but are not limited to those required or interpreted to be required under EU General Data Protection Regulation (GDPR), EU Payment Service Directive, the California Consumer Privacy Act, NYS DFS 23 NYCRR 500, the United States Gramm-Leach Bliley Act (GLBA), the United States Health Insurance Portability and Accountability Act (HIPAA), the EU /Switzerland data privacy requirements, and any other international and U.S. laws, official legal interpretations, or case precedents pertaining to information or data under the Agreement.
“Third Party” or “Third Parties” means Vendor’s subcontractors, consultants, temporary personnel, contractors, or additional vendors and/or agents acting on behalf of the Vendor and does include any definition of Third Party under applicable EU, U.S., or other international law.
“Vendor” means the contracting entity set forth in the Agreement together with its Affiliates and its Third Parties.
3. Organization of Information Security
Vendor shall, at a minimum:
3.1 Ensure only Authorized Parties are granted access to Personal Information and Confidential Information.
3.2 Implement Technical and Organizational Security Measures that are no less rigorous than information security best practices to protect the integrity, availability, and confidentiality of Confidential Information, Personal Information and other non-public information and prevent the unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse or damage of the Personal Information or Confidential Information.
3.3 Establish, implement, and maintain consistent with industry best practices, policies and a program of organizational, operational, administrative, physical and Technical and Organizational Security Measures appropriate to (1) prevent any access by non-Authorized Parties to Personal Information and Confidential Information in a manner not authorized by the Agreement or these Information Security Requirements, and (2) comply with and meet all applicable laws and regulations and applicable industry standards.
3.4 Provide to Authorized Parties who will have access to Personal Information and Confidential Information supervision, guidance, and training on the Technical and Organizational Security Measures, including training that provides practical exercises that are aligned with current threat scenarios and provides feedback to those taking the training. Vendor shall provide Technical and Organizational Security Measure training upon an Authorized Employee’s hire and before an Authorized Party’s access to Confidential Information and Personal Information. Refresher training shall be provided at least annually and as soon as possible following any material change in Vendor’s Technical and Organizational Security Measures.
3.5 Provide specialized training specific to Authorized Parties with significant security duties, including but not limited to human resources or information technology functions, and any technology administrator function. At a minimum, specialized training shall include, as applicable to the role, information security procedures, acceptable use of information security resources, current threats to information systems, security features of specific systems, and secure access procedures.
3.6 Take reasonable steps to prevent unauthorized access to or loss of Personal Information and Confidential Information and the services, systems, devices or media containing this information.
3.7 Employ risk assessment processes and procedures to regularly assess systems used to provide services or products to CWT. Vendor shall remediate such risks as soon as reasonably possible and commensurate with the level of risk to Personal Information and Confidential Information given threats known at the time of identification. Operate a process to enable the reporting of risks or suspected incidents to the Vendor security team.
3.8 To the extent that Vendor performs services pursuant to the Agreement in CWT facilities or using services, systems, devices or media owned, operated or managed by CWT, Vendor shall cause all Authorized Parties to comply with all CWT policies made available to Vendor, upon its request, that are applicable to such access. Vendor shall promptly notify CWT in writing when an Authorized Party no longer needs access to the Personal Information or Confidential Information in order for Vendor to provide products or services to CWT, including without limitation, when an Authorized Party is terminated or is otherwise no longer performing services under the Agreement.
3.9 Keep records of Authorized Parties and Vendor resources that access, transfer, maintain, store, or process Personal Information and Confidential Information.
3.10 Conduct comprehensive background checks on all Authorized Parties prior to hire, to the extent permitted by law. The comprehensive background check on individuals shall include, at a minimum, the individual’s previous employment history, criminal record, credit history, reference checks, and any additional industry standard background check requirements.
3.11 Have one or more qualified personnel designated with responsibility to maintain its information security program and shall report on its information security program at least annually to Vendor’s board of directors or equivalent governing body. Vendor shall ensure that its security personnel have reasonable and necessary experience and training in information security, including maintaining knowledge on changing threats and countermeasures. Upon request, Vendor shall provide to CWT a point of contact for all information security related items.
3.12 Require non-disclosure or confidentiality contractual commitments from Authorized Parties prior to providing them with access to Personal Information and Confidential Information.
3.13 Ensure that all Authorized Parties who may be performing work under the Agreement or who may have access to Personal Information or Confidential Information are in compliance with these Technical and Organizational Security Measures which shall be evidenced by a written agreement no less restrictive than these Information Security Requirements.
4. Physical and Environmental Security
Vendor shall, at a minimum:
4.1 Ensure that all of Vendor’s systems and other resources intended for use by multiple users are located in secure physical facilities with access limited and restricted to authorized individuals only.
4.2 Monitor and record, for audit purposes, access to the physical facilities containing systems and other resources intended for use by multiple users used in connection with Vendor’s performance of its obligations under the Agreement.
4.3 Require all Authorized Parties to abide by a clean desk policy and lock workstation screens prior to leaving work areas.
4.4 Collect all company assets upon employment termination or contract termination.
4.5 Limit and monitor physical access to its facilities according to the following requirements:
a. Visitor access is logged, which is maintained for three (3) months including the visitor’s name, company he/she represents, and the name of the employee authorizing the physical access. Visitors must be escorted by a Vendor employee at all times.
b. Access is restricted to appropriate personnel, based on a need-to-know basis.
c. All employees must wear a company-provided name badge and all visitors or Third Parties must wear a company-provided guest/visitor badge.
d. Access is revoked immediately upon termination of Vendor personnel or Third Party, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
e. The data center or computer room is locked and access is limited to only those who need access to perform their job duties.
f. Where permitted by law, use video cameras to monitor individual physical access to sensitive areas, and review such data regularly. Video footage must be stored for a minimum of three (3) months.
g. Equipment used to store, process or transmit Personal Information and Confidential Information must be physically secured including wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
4.6 Implement controls to minimize the risk of and protect against physical threats.
4.7 Maintain all hardware assets processing or handling Personal Information and Confidential Information in accordance with the manufacturer’s recommended servicing requirements.
4.8 Separate conference room and other publicly accessible networks and network jacks logically and physically from the Vendor’s internal network, and restrict them to authenticated users only or disable them by default.
4.9 Protect any device that captures payment card data via direct physical interaction from tampering and substitution by periodically inspecting device surfaces to detect tampering or substitution; provide training for personnel to be aware of attempted tampering or replacement of devices.
4.10 Control and separate access points such as delivery and loading areas and other points from all centers accessing, managing, storing, or processing Personal Information and Confidential Information.
4.11 Ensure Vendor data centers have heating, cooling, fire suppression, water detection, and heat/smoke detection devices. Vendor data centers and computer rooms must be free of combustible material (e.g. boxes, paper, etc.) or stored in metal cabinets.
5. Access Control
Vendor shall, at a minimum:
5.1 Take all reasonable steps to prevent anyone other than Authorized Parties from accessing Personal Information and Confidential Information in any manner or for any purpose not authorized by CWT and the Agreement.
5.2 Separate CWT’s information from Vendor’s other customers’ data or Vendor’s own applications and information either by using physically separate servers or by using logical access controls where physical separation of servers is not implemented.
5.3 Identify and require appropriate owners to review and approve access to systems used to access, process, manage, or store Personal Information and Confidential Information at least quarterly to remove unauthorized access; and maintain and track access approvals.
5.4 Remove access to systems managing Personal Information and Confidential Information within 24 hours of Authorized Party terminating its relationship with Vendor; and maintain reasonable procedures to remove access to such systems within three business days when it is no longer needed or relevant to the performance of their duties. All other user IDs must be disabled or removed after 90 calendar days of inactivity.
5.5 Restrict system administrator (also known as root, privileged, or super user) access to operating systems intended for use by multiple users only to individuals requiring such high-level access in the performance of their jobs. Use check-out system administrator IDs with individual user log-in credentials and activity logs to manage high security access and reduce high-level access to a highly limited number of users. Require application, database, network, and system administrators to restrict access by users to only the commands, data, systems, and other resources necessary for them to perform authorized functions. System administrative roles and access lists must be reviewed at least annually.
5.6 Enforce the rule of least privilege (i.e., limiting access to only the commands, information, systems, and other resources, necessary to perform authorized functions according to one’s job function).
5.7 Require Strong Authentication for all non-console administrative access, any remote access, and all administrative access into cloud environments.
5.8 Prohibit, and employ Technical and Organizational Security Measures to ensure, that Personal Information cannot be copied, moved, or stored onto local hard drives, or cut and pasted or printed.
5.9 Activate use of remote access capabilities only when needed, monitor while in use, and immediately deactivate after use.
5.10 Require Strong Authentication to connect to internal Vendor resources containing Personal Information and Confidential Information.
6. Identification and Authentication
Vendor shall, at a minimum:
6.1 Assign unique user IDs to individual users and assign authentication mechanisms to each individual account.
6.2 Use a documented user ID lifecycle management process including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all access to Personal Information and Confidential Information and across all environments (e.g., production, test, development, etc.). Such process shall include review of access privileges and account validity to be performed at least quarterly.
6.3 Restrict all access to Personal Information and Confidential Information to those using a valid user ID and password, and require unique user IDs to employ one of the following: password or passphrase, two-factor authentication, or a biometric value.
6.4 Require password complexity and meet the following password construction requirements: a minimum of twelve (12) characters in length for system passwords and four (4) characters for tablet and smartphone passcodes. System passwords must contain three (3) of the following: upper case, lower case, numeric, or special characters. Passwords must also not be the same as the user ID with which they are associated, contain a dictionary word, sequential or repeat numbers, and not be one of the past 24 passwords. Require password expiration at regular intervals not to exceed ninety (90) days. Mask all passwords when displayed.
6.5 Limit failed login attempts to no more than five (5) failed logon attempts within 24 hours and lock the user account upon reaching that limit in a persistent state. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity.
6.6 Verify the user’s identity, and set one-time use and reset passwords to a unique value for each user. Systematically prompt a change after first use.
6.7 Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).
6.8 Restrict service account and proxy passwords to a 20-character minimum, including upper case, lower case, and numeric characters, as well as special symbols. Change service account and proxy passwords at least annually and after employment termination of anyone with knowledge of the password.
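The password construction rules in clauses 6.4 and 6.8 can be expressed as a checker a vendor might run when a password is set; the block below is an added illustration, not CWT's or any vendor's code. It assumes a run length of three digits counts as "sequential or repeat numbers", a case-insensitive substring match against a small constructed word list, and that password history is kept as salted PBKDF2 hashes.

```python
import hashlib
import hmac
from typing import Iterable, List

# Constructed sample word list for the "no dictionary word" rule (clause 6.4); a real
# deployment would load a full word list. Substring matching is an assumption.
DICTIONARY_WORDS = frozenset({"password", "welcome", "summer", "travel", "company"})

SYSTEM_MIN_LENGTH = 12    # 6.4: system passwords
DEVICE_MIN_LENGTH = 4     # 6.4: tablet and smartphone passcodes
SERVICE_MIN_LENGTH = 20   # 6.8: service account and proxy passwords
HISTORY_DEPTH = 24        # 6.4: may not match any of the past 24 passwords
DIGIT_RUN = 3             # assumed length of a sequential/repeated digit run (page does not say)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest used for the password-history comparison.
    The iteration count is kept low for the example; tune it upward in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def _character_classes(password: str) -> int:
    """Count how many of the upper/lower/numeric/special classes are present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def _has_digit_run(password: str, run: int = DIGIT_RUN) -> bool:
    """True for `run` identical digits in a row (111) or a straight
    ascending/descending sequence (123, 987)."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not window.isdigit():
            continue
        steps = {ord(window[j + 1]) - ord(window[j]) for j in range(run - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _contains_dictionary_word(password: str) -> bool:
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY_WORDS)


def _complexity_violations(password: str, min_length: int, min_classes: int) -> List[str]:
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if _character_classes(password) < min_classes:
        violations.append(f"fewer than {min_classes} character classes")
    return violations


def check_system_password(password: str, user_id: str,
                          previous_hashes: Iterable[bytes] = (),
                          salt: bytes = b"") -> List[str]:
    """Apply clause 6.4 to a system password. Returns the list of violated rules;
    an empty list means the candidate is acceptable. `previous_hashes` holds the
    stored hashes of earlier passwords for this user, newest first."""
    violations = _complexity_violations(password, SYSTEM_MIN_LENGTH, 3)
    if password.lower() == user_id.lower():
        violations.append("same as user ID")
    if _contains_dictionary_word(password):
        violations.append("contains a dictionary word")
    if _has_digit_run(password):
        violations.append("contains sequential or repeated numbers")
    candidate = hash_password(password, salt)
    recent = list(previous_hashes)[:HISTORY_DEPTH]
    if any(hmac.compare_digest(candidate, old) for old in recent):
        violations.append(f"matches one of the past {HISTORY_DEPTH} passwords")
    return violations


def check_device_passcode(passcode: str) -> List[str]:
    """Clause 6.4 minimum for tablet and smartphone passcodes (length only)."""
    if len(passcode) < DEVICE_MIN_LENGTH:
        return [f"shorter than {DEVICE_MIN_LENGTH} characters"]
    return []


def check_service_password(password: str) -> List[str]:
    """Clause 6.8: at least 20 characters using all four character classes."""
    return _complexity_violations(password, SERVICE_MIN_LENGTH, 4)
```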
6.9 Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.
6.10 Use an authentication method based on the sensitivity of Personal Information and Confidential Information. Whenever authentication credentials are stored, Vendor shall protect them using Strong Encryption.
6.11 Configure systems to automatically timeout after a maximum period of inactivity as follows: server (15 minutes), workstation (15 minutes), mobile device (4 hours), Dynamic Host Configuration Protocol (7 days), Virtual Private Network (24 hours).
7. Information Systems Acquisition, Development and Maintenance
Vendor shall, at a minimum:
7.1 Display a warning banner on login screens or pages as specified in writing by CWT for CWT-branded products or services or for products and software developed for CWT.
7.2 Return all CWT-owned or -provided access devices as soon as practicable, but in no event more than fifteen (15) days after the soonest of:
a. expiration or termination of the Agreement;
b. CWT’s request for the return of such property; or
c. the date when Vendor no longer needs such devices.
7.3 Employ an effective application management methodology that incorporates Technical and Organizational Security Measures into the software development process, and ensure that Technical and Organizational Security Measures, as represented by industry best practices, are implemented by Vendor in a timely manner.
7.4 Follow industry-standard development procedures, including separation of access and code between non-production and production environments and associated segregation of duties between such environments.
7.5 Ensure internal information security controls for software development are assessed regularly and reflect industry best practices, and revise and implement these controls in a timely manner.
7.6 Manage security of the development process and ensure secure coding practices are implemented and followed, including appropriate cryptographic controls, protections against malicious code, and a peer review process.
7.7 Conduct penetration testing that aligns with OWASP, CERT, SANS Top 25, and PCI-DSS on functionally complete applications before they are released into production, and thereafter at least once every year and after any significant modifications to source code or configuration. Remediate any exploitable vulnerabilities prior to deployment to the production environment.
7.8 Use anonymized or obfuscated data in non-production environments. Never use plain text production data in any non-production environment, and never use Personal Information in non-production environments for any reason. Ensure all test data and accounts are removed prior to production release.
7.9 Review open or free source code approved by CWT, software, applications, or services for flaws, bugs, security issues or non-compliance with open or free source licensing terms. Vendor shall notify CWT in advance of using any open or free source code and, if approved for use by CWT, provide CWT with the name, version and URL of the open or free source code. Vendor represents and warrants that (a) any open or free source code it uses in its products or services shall be licensed under “permissive” open or free source code licenses and not under Restrictive, Reciprocal, Hereditary or Copyleft licenses; (b) Vendor has the right to freely amend, adapt open or free source code and combine open or free source code or contain open or free source code with proprietary code without placing restrictions on such amendments, adaptions, or combinations or proprietary code that contains open or free source code and how these can be licensed onwards (collectively, “derivative works”) and (c) such derivative works will not be subject to any open or free source license requiring licensing the derivative work or making it available at no charge to third parties under the open or free source license terms.
7.10 Not share any code created under the Agreement, regardless of the stage of development, in any shared or non-private environment, such as an open access code repository, regardless of password protection.
8. Software and Data Integrity
Vendor shall, at a minimum:
8.1 In environments where antivirus software is commercially available, have current antivirus software installed and running to scan for and promptly remove or quarantine viruses and other malware from any system or device.
8.2 Separate non-production information and resources from production information and resources.
8.3 Ensure teams use a documented change control process for all system changes, including back-out procedures for all production environments and emergency change processes. Include testing, documentation, and approvals for all system changes and require management approval for significant changes in such processes.
8.4 Build and maintain a PCI zone if Vendor processes or stores card holder data.
8.5 For applications that utilize a database which allows modifications to Personal Information and Confidential Information, enable and maintain database transaction audit logging features that retain database transaction audit logs for a minimum of one (1) year with three months immediately available for analysis.
8.6 Review software to find and remediate security vulnerabilities during initial implementation and upon any significant modifications and updates.
8.7 Perform quality assurance testing for the security components (e.g., testing of identification, authentication and authorization functions), as well as any other activity designed to validate the security architecture, during initial implementation and upon any significant modifications and updates.
9. System Security
Vendor shall, at a minimum:
9.1 Regularly create and update the most recent versions of data flow and system diagrams used to access, process, manage, or store Personal Information and Confidential Information.
9.2 Actively monitor industry resources (e.g. www.cert.org and pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Vendor’s systems and other information resources.
9.3 Effectively manage cryptographic keys by restricting access to keys to the fewest number of custodians necessary, storing secret and private cryptographic keys encrypted with a key at least as strong as the data-encrypting key, and storing them separately from the data-encrypting key in a secure cryptographic device, in the fewest possible locations. Change cryptographic keys from default at installation and at least every two years, and securely dispose of old keys.
9.4 Scan externally-facing and internal systems and other information resources, including, but not limited to, networks, servers, applications and databases, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities, ensure that such systems and other resources are properly hardened, and identify any unauthorized wireless networks at least quarterly, and prior to release for applications and for significant changes and upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards.
9.5 Ensure that all of Vendor’s systems and other resources are and remain hardened including, but not limited to, removing or disabling unused network and other services and products (e.g., finger, rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services and products) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar technology.
9.6 Deploy one or more Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all traffic entering and leaving systems and other resources in conjunction with the Agreement in environments where such technology is commercially available and to the extent practicable.
9.7 Maintain a risk rating process for vulnerability assessment findings aligned with industry best practices to remediate security vulnerabilities in any system or other resource, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be or is in the process of being exploited. Critical vulnerability assessment findings and patches must be remediated immediately upon availability and in no event longer than 7 days after release. High vulnerability assessment findings and patches must be remediated within 30 days of release. Medium vulnerability assessment findings and patches must be remediated within 90 calendar days. Low vulnerability assessment findings and patches must be remediated within 120 calendar days.
9.8 Conduct network and segmentation penetration testing internally and externally at least annually and after any significant infrastructure or application upgrade or modification.
9.9 Remove or disable unauthorized software discovered on Vendor’s systems and employ industry standard malware controls, including the installation, regular update and routine use of anti-malware software products on all services, systems and devices that may be used to access Personal Information and CWT Confidential Information. Use reliable and industry best practice anti-virus software where practicable and ensure such virus definitions remain updated.
9.10 Maintain up-to-date software on all services, systems and devices that may be used to access Personal Information and CWT Confidential Information, including appropriate maintenance of operating system(s) and successful installation of reasonably up-to-date security patches.
9.11 Assign security administration responsibilities for configuring host operating systems to specific individuals.
9.12 Change all default account names and/or default passwords.
10. Monitoring
Vendor shall, at a minimum:
10.1 Retain log data for Personal Information and Confidential Information for at least 12 months from the date the log data was created and make the log and such data available to CWT within a reasonable timeframe and upon request, unless specified elsewhere in the Agreement. Logs shall be designed to detect and respond to incidents and include, but not be limited to:
a. All individual user access to Personal Information and Confidential Information
b. All actions taken by those with administrative or root privileges
c. All user access to audit trails
d. Invalid logical access attempts
e. Use of and changes to identification and authentication mechanisms
10.2 Record Vendor’s Third Parties’ primary system activities for systems containing any Personal Information, and maintain a formal third-party assurance program to ensure that Vendor’s Third Parties or subcontractors have appropriate security controls and certifications in place. Have a cloud security assessment performed if CWT data resides in a cloud environment.
10.3 Restrict access for security logs to authorized individuals and protect security logs from unauthorized modification.
10.4 Implement a change detection mechanism (e.g., file integrity monitoring) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; configure software to perform critical file comparisons weekly.
10.5 Review, on at least a weekly basis, all security and security-related audit logs on systems containing Personal Information and Confidential Information for anomalies and document and resolve all logged security problems in a timely manner.
10.6 Review daily all security events, logs of system components storing, processing, or transmitting cardholder data, logs of critical system components, and logs of servers and system components performing security functions.
11. Security Gateways
Vendor shall, at a minimum:
11.1 Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.
11.2 Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.
11.3 Have strong controls around email security, such as configuring the DKIM and SPF authentication protocols, which help validate that an email message comes from a trusted and validated source, and implementing DMARC on receiving email servers.
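A Vendor can verify its own sending domains against 11.3 by reading the published SPF and DMARC TXT records and checking that they actually enforce a policy. The following is an added example (not part of the requirements document) that does this over constructed TXT answers; the domains and records are hypothetical, and the lookup_txt function stands in for a real DNS query (for instance via dnspython).

```python
# Constructed DNS TXT answers standing in for a live resolver lookup.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "weak.example": ["v=spf1 a mx ~all", "site-verification=placeholder"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def lookup_txt(name: str) -> list:
    """Stand-in for a DNS TXT query; replace with a resolver call for real use."""
    return TXT_RECORDS.get(name, [])


def spf_findings(domain: str) -> list:
    """Check that the domain publishes exactly one SPF record that fails unauthorized senders."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return ["multiple SPF records (a domain must publish exactly one)"]
    findings = []
    terms = records[0].split()
    last = terms[-1].lower() if len(terms) > 1 else ""
    if last in ("all", "+all"):
        findings.append("SPF ends with +all, which authorizes any sender")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail); -all is the stricter choice")
    elif last != "-all":
        findings.append("SPF has no terminating all mechanism")
    return findings


def dmarc_findings(domain: str) -> list:
    """Check that the _dmarc record enforces a policy and requests aggregate reports."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record published"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={policy or 'missing'} does not enforce quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address for aggregate reports")
    return findings


def assess(domain: str) -> dict:
    """Combine the SPF and DMARC checks for one sending domain."""
    return {"spf": spf_findings(domain), "dmarc": dmarc_findings(domain)}


if __name__ == "__main__":
    for domain in ("example.com", "weak.example"):
        print(domain, assess(domain))
```

The first constructed domain passes both checks; the second is flagged for a softfail SPF and a monitoring-only DMARC policy with no reporting address, which is the state most domains are in before enforcement is switched on.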
11.4 At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and set of configuration parameters ensures the following:
a. Internet Protocol (IP) source routing is disabled,
b. The loopback address is prohibited from entering the internal network,
c. Anti-spoofing filters are implemented,
d. Broadcast packets are disallowed from entering the network,
e. Internet Control Message Protocol (ICMP) redirects are disabled,
f. All rule sets end with a “DENY ALL” statement, and
g. Each rule is traceable to a specific business request.
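Several of the 11.4 checks (loopback and spoofed internal sources blocked, a terminating DENY ALL, and every rule traceable to a request) can be audited mechanically from an exported rule set. The following is an added example (not part of the requirements document) that runs those checks over a constructed rule set for a hypothetical gateway with an "outside" interface; the interface name, address ranges and ticket references are assumptions. Items a, d and e of 11.4 are host or routing settings and are outside this example.

```python
import ipaddress

# Constructed rule set for a hypothetical Security Gateway. Rules are evaluated top-down,
# first match wins. "iface" is the interface the packet arrives on; "outside" faces the
# untrusted network. Ticket values are hypothetical change-request references.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

SAMPLE_RULES = [
    {"iface": "outside", "action": "deny",   "src": "10.0.0.0/8",      "dst": "any",             "ticket": "CHG-1001"},
    {"iface": "outside", "action": "deny",   "src": "192.168.0.0/16",  "dst": "any",             "ticket": "CHG-1001"},
    {"iface": "outside", "action": "deny",   "src": "127.0.0.0/8",     "dst": "any",             "ticket": "CHG-1001"},
    {"iface": "outside", "action": "permit", "src": "any",             "dst": "203.0.113.10/32", "ticket": "CHG-1042"},
    {"iface": "outside", "action": "permit", "src": "198.51.100.0/24", "dst": "203.0.113.20/32", "ticket": ""},
    {"iface": "outside", "action": "deny",   "src": "any",             "dst": "any",             "ticket": "CHG-1001"},
]


def covers(rule_src: str, prefix: ipaddress.IPv4Network) -> bool:
    """True if the rule's source matches every address in prefix."""
    return rule_src == "any" or ipaddress.ip_network(rule_src).supernet_of(prefix)


def audit_ruleset(rules: list, internal_nets=INTERNAL_NETS) -> list:
    """Return a list of findings; an empty list means the checked items of 11.4 hold."""
    findings = []

    # f. the rule set must end with an explicit DENY ALL
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append("rule set does not end with an explicit DENY ALL")

    # g. each rule must be traceable to a business request
    for number, rule in enumerate(rules, start=1):
        if not rule["ticket"]:
            findings.append(f"rule {number} has no business request reference")

    # b. and c. loopback and internal prefixes arriving on the outside interface must be
    # denied before any permit rule on that interface could match them
    first_permit = next(
        (i for i, r in enumerate(rules) if r["iface"] == "outside" and r["action"] == "permit"),
        len(rules),
    )
    for prefix in [LOOPBACK, *internal_nets]:
        guarded = any(
            r["iface"] == "outside" and r["action"] == "deny" and covers(r["src"], prefix)
            for r in rules[:first_permit]
        )
        if not guarded:
            findings.append(f"no anti-spoofing deny for {prefix} on the outside interface before the first permit")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

On the sample rule set only the untracked permit rule is reported; dropping the final rule or the leading anti-spoofing denies produces the corresponding findings, which is what a six-monthly sample review would look for.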
11.5 Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.
Ensure that all Security Gateways are configured and implemented such that all non-operational Security Gateways shall deny all access.
11.6 Inbound packets from the untrusted external network must terminate within the demilitarized zone (“DMZ”) and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ. The DMZ must be separated from the untrusted external network by use of a Security Gateway and must be separated from the trusted internal network by use of either:
a. another Security Gateway, or
b. the same Security Gateway used to separate the DMZ from the untrusted external network, in which case the Security Gateway must ensure that packets received from the untrusted external network are either immediately deleted or if not deleted are routed only to the DMZ with no other processing of such inbound packets performed other than possibly writing the packets to a log.
The following must only be located within the trusted internal network:
a. Any Personal Information and CWT Confidential Information stored without the use of Strong Encryption,
b. The official record copy of information,
c. Database servers,
d. All exported logs, and
e. All environments used for development, test, sandbox, production, and any other such environments; and all source code versions.
11.7 Authentication credentials not protected by the use of Strong Encryption must not be located within the DMZ.
12. Network Security
Vendor shall, at a minimum:
12.1 Upon CWT’s request, provide to CWT a logical network diagram documenting systems and connections to other resources including routers, switches, firewalls, IDS systems, network topology, external connection points, gateways, wireless networks, and any other devices that shall support CWT.
12.2 Maintain a formal process for approving, testing, and documenting all network connections and changes to the firewall and router configurations. Configure firewalls to deny and log suspicious packets, and restrict to only allow appropriate and authorized traffic, denying all other traffic through the firewall. Review firewall rules every six months.
12.3 Install a firewall at each Internet connection and between any DMZ and the internal network zone. Any system storing Personal Information must reside in the internal network zone, segregated from the DMZ and other untrusted networks.
12.4 Monitor firewalls at the perimeter and internally to control and protect the flow of network traffic entering or leaving the border or boundary, as necessary.
12.5 Install threat detection technologies such as Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) which offer a comprehensive solution to detect and respond to various cyberattacks or ransomware attacks.
12.6 Maintain a documented process and controls in place to detect and handle unauthorized attempts to access Personal Information and CWT Confidential Information.
12.7 When providing Internet-based services and products to CWT, protect Personal Information and Confidential Information by the implementation of a network DMZ. Web servers providing service to CWT shall reside in the DMZ. Any system or information resource storing Personal Information and Confidential Information (such as application and database servers) shall reside in a trusted internal network. Vendor shall use a DMZ for Internet services and products.
12.8 Restrict unauthorized outbound traffic from applications processing, storing or transmitting Personal Information and Confidential Information to IP addresses within the DMZ and Internet.
12.9 When using radio frequency (RF) based wireless networking technologies to perform or support services and products for CWT, Vendor shall ensure that all Personal Information and Confidential Information transmitted is protected by the use of appropriate encryption technologies sufficient to protect the confidentiality of Personal Information and Confidential Information; provided, however, that in any event such encryption shall use key lengths of no less than 256 bits for symmetric encryption and 2048 bits for asymmetric encryption. Regularly scan for, identify, and disable unauthorized wireless access points.
12.10 Cloud Security – When CWT’s data resides in the cloud, or Vendor uses a third-party cloud environment, including but not limited to Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS), Vendor must implement or assess for Cloud Security Posture Management to discover and automatically remediate threats, misconfigurations, misuse and compliance violations in public clouds.
13. Connectivity Requirements
13.1 In the event that Vendor has, or shall be provided, connectivity to Personal Information and CWT Confidential Information resources or to CWT’s environment in conjunction with the Agreement, then in addition to the foregoing, Vendor shall, at a minimum:
a. Use only the mutually agreed upon facilities and connection methodologies to interconnect CWT’s environment with Vendor’s resources.
b. NOT establish interconnection to CWT’s environment without the prior written consent of CWT.
c. Provide CWT access to any applicable Vendor facilities during normal business hours for the maintenance and support of any equipment (e.g., router) provided by CWT under the Agreement for connectivity to Personal Information and Confidential Information resources.
d. Use any equipment provided by CWT under the Agreement for connectivity to CWT’s environment only for the furnishing of those services and products or functions explicitly authorized in the Agreement.
e. If the agreed upon connectivity methodology requires that Vendor implement a Security Gateway, maintain logs of all sessions using such Security Gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports/service protocols used and duration of access. These session logs must be retained for a minimum of six (6) months from session creation.
f. Permit CWT to gather information relating to access, including Vendor’s access, to CWT’s environment. This information may be collected, retained and analyzed by CWT to identify potential security risks without further notice. This information may include trace files, statistics, network addresses, and the actual data or screens accessed or transferred.
g. Immediately suspend or terminate any interconnection to CWT’s environment upon Vendor’s belief that there has been a breach or unauthorized access, or upon CWT’s instructions if CWT, in its sole discretion, believes there has been a breach of security or unauthorized access to or misuse of CWT data facilities or any CWT information, systems, or other resources.
14. Mobile and Portable Devices
Vendor shall, at a minimum:
14.1 Not store Personal Information and Confidential Information on Mobile and Portable Devices, unless fully encrypted using Strong Encryption.
14.2 Use Strong Encryption to protect Personal Information and Confidential Information transmitted, used, or remotely accessed by network-aware Mobile and Portable Devices.
a. When using network aware Mobile and Portable Devices that are not laptop computers to access and/or store Personal Information and Confidential Information, such devices must be capable of deleting all stored copies of Personal Information and Confidential Information upon receipt over the network of a properly authenticated command. (Note: Such capability is often referred to as a “remote wipe” capability.)
b. Have documented policies, procedures and standards in place to ensure that the Authorized Party who should be in physical control of a network-aware mobile and portable device that is not a laptop computer and that is storing Personal Information and Confidential Information promptly initiates deletion of all Personal Information and Confidential Information when the device becomes lost or stolen.
c. Have documented policies, procedures and standards in place to ensure that Mobile and Portable Devices that are not laptop computers and are not network aware shall automatically delete all stored copies of Personal Information and Confidential Information after consecutive failed login attempts.
14.3 Have documented policies, procedures and standards in place which ensure that any Mobile and Portable Devices used to access and/or store Personal Information and Confidential Information:
a. Are in the physical possession of Authorized Parties;
b. Are physically secured when not in the physical possession of Authorized Parties; or
c. Have their data storage promptly and securely deleted when not in the physical possession of an Authorized Party, or physically secured, or after 10 unsuccessful access attempts.
14.4 Prior to allowing access to Personal Information and Confidential Information stored on or through the use of Mobile and Portable Devices, Vendor shall have and use a process to ensure that:
a. The user is an Authorized Party authorized for such access; and
b. The identity of the user has been authenticated.
14.5 Implement a policy that prohibits the use of any Mobile and Portable Devices that are not administered and/or managed by Vendor or CWT to access and/or store Personal Information and Confidential Information.
14.6 Review, at least annually, the use of and controls for all Vendor-administered or managed Mobile and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable Technical and Organizational Security Measures.
15. Security in Transit
Vendor shall, at a minimum:
15.1 Use Strong Encryption for the transfer of Personal Information and Confidential Information outside of CWT-controlled or Vendor-controlled networks or when transmitting Personal Information and Confidential Information over any untrusted network.
15.2 For records containing Personal Information and Confidential Information in paper format, microfiche, or electronic media to be physically transferred, transport them by secured courier or other delivery method that can be tracked, packed securely and per manufacturer specifications. Any Personal Information and Confidential Information must be transported in locked containers.
16. Security at Rest
Vendor shall, at a minimum:
16.1 Use Strong Encryption to protect Personal Information and Confidential Information when stored.
16.2 Not store Personal Information or Confidential Information electronically outside of Vendor’s network environment (or CWT’s own secure computer network) unless the storage device (e.g., backup tape, laptop, memory stick, computer disk, etc.) is protected by Strong Encryption.
16.3 Not store Personal Information or Confidential Information on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except for backup, business continuity, disaster recovery, and data interchange purposes as allowed and required under contract between Vendor and CWT. If removable media is used to store Personal Information or Confidential Information per the exceptions noted within this subsection, the information must be protected using Strong Encryption. Autorun shall be disabled for removable media and storage devices.
16.4 Appropriately store and secure records containing Personal Information or Confidential Information in paper format or microfiche in areas to which access is restricted to authorized personnel.
16.5 Unless otherwise instructed by CWT in writing, when collecting, generating or creating Personal Information or Confidential Information in paper form and backup media for, through or on behalf of CWT or under the CWT brand, ensure that such information shall be treated as Personal Information or Confidential Information and, whenever practicable, label such information of CWT as “Confidential”. Vendor acknowledges that Personal Information and Confidential Information is and shall remain owned by CWT, irrespective of labeling or the absence thereof.
17. Return, Retention, Destruction, and Disposal
Vendor shall, at a minimum:
17.1 At no additional charge to CWT, upon CWT’s request or upon termination of the Agreement, provide copies of any Personal Information and Confidential Information to CWT within thirty (30) calendar days of such request or termination of the Agreement. Vendor shall return or, at CWT’s option, destroy all of CWT’s Confidential Information and Personal Information, including electronic, hard, and secured backup copies, as provided for in the Agreement or, if not provided for in the Agreement, within ninety (90) calendar days after the soonest of: (a) expiration or termination of the Agreement, (b) CWT’s request for the return of Personal Information and Confidential Information, or (c) the date when Vendor no longer needs Personal Information and Confidential Information to perform services and products under the Agreement.
17.2 In the event that CWT approves destruction as an alternative to returning Personal Information and Confidential Information, certify in writing, by an officer of the Vendor, that the destruction has rendered the Personal Information and Confidential Information non-retrievable and unrecoverable. Vendor shall completely destroy all copies of Personal Information and Confidential Information at all locations and in all systems where Personal Information and Confidential Information is stored, including but not limited to those held by previously approved Authorized Parties. Such information shall be destroyed following an industry standard procedure for complete destruction such as DoD 5220.22-M or NIST Special Publication 800-88, or using a manufacturer-recommended degaussing product for the system affected. Prior to such destruction, Vendor shall maintain all applicable Technical and Organizational Security Measures to protect the security, privacy and confidentiality of Personal Information and Confidential Information.
17.3 Dispose of Personal Information and CWT Confidential Information in a manner that ensures the information cannot be reconstructed into a usable format. Papers, slides, microfilm, microfiche and photographs must be disposed of by cross-cut shredding or burning. Materials containing Personal Information and CWT Confidential Information awaiting destruction must be stored in secured containers and be transported using a secure third party.
18. Incident Response and Notification
Vendor shall, at a minimum:
18.1 Have and use an Incident Management Process and related procedures and staff such Incident Management Process and procedures with specialized resources. Immediately, and in no event more than twenty-four (24) hours, notify CWT at iRespond@mycwt.com whenever there is any suspected or confirmed attack upon, intrusion upon, unauthorized access to, loss of, or other incident regarding CWT’s information, systems, or other resources.
18.2 After notifying CWT, provide CWT with regular status updates, including, but not limited to, actions taken to resolve such incident, at mutually agreed upon intervals or times for the duration of the incident and as soon as reasonably possible after the closure of the incident, provide CWT with a written report describing the incident, actions taken by the Vendor during its response and Vendor’s plans for future actions to prevent a similar incident from occurring.
18.3 Not report or publicly disclose any such breach of CWT’s information, systems, or other resources without first notifying CWT and working directly with CWT to notify applicable regional, country, state, or local government officials or credit monitoring services, individuals affected by such breach, and any applicable media outlets, as required by law.
18.4 Have a process in place to promptly identify violations of security controls including those set forth in these Information Security Requirements by Vendor personnel or Third Parties. Identified violators shall be subject to appropriate disciplinary action subject to the applicable laws. Notwithstanding the foregoing, violators shall remain under the authority of the Vendor or its Third Parties. CWT shall not be deemed employer of the Vendor or its Third Parties personnel.
19. Business Continuity Management and Disaster Recovery
Vendor shall, at a minimum:
19.1 Develop, operate, manage, and revise business continuity plans for each location and disaster recovery plans for each core technology in order to minimize the impact on CWT of any disruption to Vendor’s services or products. Such plans shall include: named resources specific to Business Continuity and Disaster Recovery functions; established recovery time objectives and recovery point objectives; at least daily back-up of data and systems; off-site storage of the data and systems backups and records; and record protection and contingency plans commensurate with the requirements of the Agreement. Vendor shall store such records and plans securely off-site and ensure such plans are available to Vendor as needed.
19.2 Upon CWT’s request, furnish to CWT a documented business continuity plan that ensures Vendor can meet its contractual obligations under the Agreement and this document, including the requirements of any applicable statement of work or service level agreement. Such plans shall exercise recovery while protecting integrity and confidentiality of Personal Information and Confidential Information.
19.3 Have documented procedures for the secure backup and recovery of Personal Information and Confidential Information which shall include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of Personal Information and Confidential Information and, upon CWT’s request, provide such documented procedures to CWT.
19.4 Ensure that backups of all Personal Information and Confidential Information stored or software and configurations for systems used by CWT are created at least once a week.
19.5 Business continuity and disaster recovery plans shall be updated at least annually, or as often as necessitated by significant changes to the business and/or technology environment.
These plans shall also be comprehensively exercised at least annually, or following any material change in business continuity or disaster recovery plans, at Vendor’s sole cost and expense. Such exercises shall ensure proper functioning of impacted technologies and internal awareness of such plans.
19.6 Promptly review its business continuity plan to address additional or emerging threat sources or scenarios and provide CWT a high-level summary of plans and testing within a reasonable timeframe upon request.
19.7 Ensure that all Vendor or Vendor-contracted locations housing or processing Personal Information and CWT Confidential Information are monitored 24 hours a day, seven (7) days per week against intrusion, fire, water, and other environmental hazards.
20. Compliance and Accreditations
Vendor shall, at a minimum:
20.1 Retain complete and accurate records relating to its performance of its obligations arising out of these Information Security Requirements and Vendor’s compliance herewith in a format that shall permit assessment or audit for a period of no less than three (3) years or longer as may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the foregoing, Vendor shall only be required to maintain security logs for a minimum of one (1) year after any continuing performance of the Agreement.
20.2 Allow CWT, at no additional cost to CWT and upon reasonable advance notice, to conduct periodic security assessments or audits of the Technical and Organizational Security Measures used by Vendor, during which CWT shall provide Vendor with written questionnaires and requests for documentation. For all requests, Vendor shall respond with a written response and evidence, if applicable, immediately or upon mutual agreement. Upon CWT’s request for an audit by CWT, Vendor shall schedule a security audit to commence within ten (10) business days from such request. CWT may require access to facilities, systems, processes, or procedures to evaluate Vendor’s security control environment.
20.3 Upon CWT’s request, certify it is in compliance with this document along with supporting certifications for the most recent versions of PCI-DSS, ISO 27001/27002, SOC 2, Cyber Essentials or similar assessment for the Vendor and for any subcontractor or third-party processing, accessing, storing, or managing on behalf of the Vendor. If Vendor is not able to certify compliance, it shall provide a written report detailing where it is out of compliance and its remediation plan to become compliant.
20.4 In the event that CWT, in its sole discretion, deems that a security breach has occurred which was not reported to CWT in compliance with this Agreement and Vendor’s Incident Management Process, schedule the audit or assessment to commence within twenty-four (24) hours of CWT’s notice requiring an assessment or audit.
20.5 Within thirty (30) calendar days of receipt of the assessment results or audit report, provide CWT a written report outlining the corrective actions that Vendor has implemented or proposes to implement with the schedule and current status of each corrective action. Vendor shall update this report to CWT every thirty (30) calendar days reporting the status of all corrective actions through the date of implementation. Vendor shall implement all corrective actions within ninety (90) days of Vendor’s receipt of the assessment or audit report or within an alternative time period provided such alternative time period has been mutually agreed to in writing by the parties within no more than thirty (30) days of Vendor’s receipt of the assessment or audit report.
20.6 PCI DSS compliance - To the extent that Vendor handles payment account numbers or any other related payment information, Vendor shall be currently compliant with the most current version of the Payment Card Industry Data Security Standard (PCI-DSS) for the full scope of systems handling this information and continue such compliance. If any subcontractor or third party is processing, accessing, storing, or managing credit card data on behalf of the Vendor, Vendor should obtain a PCI Attestation of Compliance (AOC) from such subcontractor or third party and make it available to CWT upon request. In the event Vendor is not or is no longer compliant with PCI-DSS for any portion of the full scope of systems handling PCI-applicable data, Vendor will promptly notify CWT, immediately proceed without undue delay to remedy such non-compliance, and provide regular status of such remediation to CWT upon request.
21. Standards, Best Practices, Regulations, and Laws
In the event Vendor processes, accesses, views, stores, or manages Personal Information or Confidential Information pertaining to CWT personnel, partners, Affiliates, or CWT clients, or to CWT client employees, contractors, subcontractors, or suppliers, Vendor shall employ Technical and Organizational Security Measures no less strict than is required by applicable global, regional, country, state, and local guidelines, regulations, directives and laws.
22. Modification
CWT reserves the right to update or modify these Information Security Requirements from time-to-time by posting the latest version on CWT’s website. Unless Vendor provides written notification objecting to such updates or modifications within thirty (30) days of posting, the Vendor will be deemed to have accepted them.
Version 6.1
Date: April 2024