Security Requirements Berwyn End Users
Access Security Requirements for Berwyn End-Users of FCRA and GLB 5A Data
The following information security controls are required to reduce unauthorized access to consumer information. It is the responsibility of the company provided access to Berwyn systems or data (referred to as the “Customer”) to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to engage an outside service provider to assist you. The Berwyn Group reserves the right to make changes to these Access Security Requirements without prior notification. The controls described herein are minimum baselines for information security.
In accessing Berwyn services, Customer agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Berwyn data.
- Implement Strong Access Control Measures
- All access to Berwyn systems or data must require authentication of users to the application and/or system (e.g., application-based authentication, Active Directory, etc.).
- If any method used to access Berwyn data/systems is replaced or is no longer in use, passwords must be changed immediately.
- Create a unique user ID and password for each user to enable individual authentication and accountability for access to Berwyn’s infrastructure.
- Develop strong passwords that:
- are not easily guessable (e.g., your name or company name, repeated characters, or consecutive letters or numbers);
- are at least ten (10) characters long and combine alphabetic, numeric, and special characters, for standard user accounts; and
- are changed periodically (at least every 90 days, or more frequently), unless the account is additionally protected by enhancements such as multi-factor authentication.
- Passwords (e.g., user/account password) must be changed immediately when:
- any system access software is replaced by another system access software or is no longer used;
- the hardware on which the software resides is upgraded, changed or disposed without being purged of sensitive information; or
- there is any suspicion of a password having been disclosed to an unauthorized party (see section 8.7 for reporting requirements).
- Ensure that passwords are never transmitted, displayed or stored in clear text. Protect all end user (internal and external) passwords using a cryptographic one-way hash (also known as “one-way” encryption), preferably a salted, deliberately slow password-hashing function; reversible encryption is acceptable only where a credential must be recoverable (e.g., a stored server-to-server password). When using encryption, require strong algorithms that meet current NIST guidelines or similar.
- Implement password-protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
- Active logins to credit information systems must be configured with a 30-minute inactive session timeout.
- Customer must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Berwyn data.
- Ensure that Customer employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a contracted permissible purpose.
- Implement physical security controls to prevent unauthorized entry to Customer’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
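One way to implement the password requirements above (the strength rules and the one-way storage rule) is shown below. This is an added example, not code from the Berwyn document. It assumes a specific reading of “easily guessable” (contains the user's or company's name, three or more identical characters in a row, or three or more consecutive letters or digits in a row), uses PBKDF2-HMAC-SHA256 from the Python standard library with a random 16-byte salt, and the iteration count, the forbidden-word list and the sample passwords are assumptions and constructed inputs, not values from the page.

```python
"""Password policy check and salted one-way storage.

Added example, not code from the Berwyn document. Assumptions:
- "easily guessable" is approximated as: contains the user's or company's
  name, three or more identical characters in a row, or three or more
  consecutive letters/digits in a row (e.g. 'abc', '123', 'cba');
- hashes use PBKDF2-HMAC-SHA256 (Python stdlib) with a random 16-byte salt;
  the iteration count below is an assumed value, not a figure from the page.
"""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, List

MIN_LENGTH = 10                # from the requirements: at least ten characters
PBKDF2_ITERATIONS = 600_000    # assumption: tune to your hardware, never below current NIST minimums
SALT_BYTES = 16
HASH_LABEL = "pbkdf2_sha256"


def _has_repeat(pw: str, n: int = 3) -> bool:
    """True if n identical characters occur in a row (e.g. 'aaa', '111')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def _has_sequence(pw: str, n: int = 3) -> bool:
    """True if n consecutive letters or digits occur in a row, ascending or
    descending ('abc', '123', 'cba'); case is ignored."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, forbidden_words: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    low = pw.lower()
    for word in forbidden_words:          # e.g. user name, company name
        if word and word.lower() in low:
            problems.append(f"contains forbidden word '{word}'")
    if _has_repeat(pw):
        problems.append("repeating characters")
    if _has_sequence(pw):
        problems.append("consecutive characters")
    return problems


def hash_password(pw: str) -> str:
    """Derive a salted one-way hash; only this record string is ever stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{HASH_LABEL}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched.
    Malformed records are rejected rather than raising."""
    try:
        label, iterations, salt_hex, digest_hex = stored.split("$")
        if label != HASH_LABEL:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample inputs; "Acme" stands in for the company name
    for candidate in ("acme12345!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, forbidden_words=("Acme",)) or "OK")
    record = hash_password("Tr0ub4dor&3")
    print("stored:", record)
    print("verify correct:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&4", record))
```

hash_password returns a self-describing record (label, iteration count, salt, digest) so the iteration count can be raised later without invalidating existing records, and verify_password compares with hmac.compare_digest rather than `==` to avoid leaking a partial match through timing. Nothing but the record string should ever be written to disk or to logs.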
- Maintain a Vulnerability Management Program
- Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops), mobile devices, and all other systems current with appropriate system patches and updates.
- Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry standard hardened security practices, including disabling unnecessary services or features; removing or changing default passwords, IDs, and sample files/programs; and enabling the most secure configuration features to avoid unnecessary risks.
- Implement and follow current best security practices for computer virus detection scanning services and procedures:
- Use, implement and maintain current, commercially available anti-virus software on all systems for which applicable anti-virus technology exists. The anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and rootkits.
- Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
- If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
- Protect Data
- Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (e.g., tape, disk, paper).
- Berwyn data is classified Confidential and must be secured in accordance with the requirements mentioned in this document, at a minimum.
- Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
- Encrypt all Berwyn data and information when stored electronically on any system, including but not limited to laptops, tablets, personal computers, servers, and databases, using strong encryption such as AES-256 or an equivalent algorithm and key strength meeting current NIST standards, or similar. Where encryption at rest is not feasible, compensating controls designed to mitigate the risk of data exposure may be used as an alternative.
- Berwyn data must not be stored locally and permanently on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.
- When using smart tablets or smart phones to access Berwyn data, ensure that such devices are protected via device passcode.
- Applications used to access Berwyn data via smart tablets or smart phones must protect data while in transmission using an industry-recognized, strong encryption method.
- Only open email attachments and links from trusted sources and after verifying legitimacy.
- When no longer in use, ensure that hard-copy materials containing Berwyn data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
- When no longer in use, electronic media containing Berwyn data must be rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media (for example, degaussing; note that degaussing is effective only for magnetic media, so flash-based media such as SSDs must be physically destroyed or cryptographically erased instead).
- Maintain an Information Security Policy
- Suitable to the complexity and size of the organization, establish and publish information security and acceptable use policies identifying user responsibilities and addressing the requirements in this document and applicable laws and regulations.
- The FACTA Disposal Rules require that Customer implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
- Implement and maintain ongoing mandatory security training for those who have access to Berwyn information and awareness sessions for all staff to underscore the importance of security in the organization.
- When using third party service providers (e.g., application service providers, cloud-based platforms) for Customer access, transmittal, storage or processing of Berwyn data, ensure that the service provider is compliant with an industry standard security program. (Approved certifications are listed under Mobile and Cloud Technology below and defined in the Glossary.)
- Build and Maintain a Secure Network
- Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.
- Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
- Administrative access to firewalls and servers must be performed through a secure internal wired connection or over a secured private network only.
- Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
- Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.
- For wireless networks connected to or used for accessing or transmission of Berwyn data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
- When using service providers (e.g., software providers) to access Berwyn systems, access to third party tools/services must require multi-factor authentication.
- Regularly Monitor and Test Networks
- Perform regular tests on information systems that serve Berwyn data and are exposed to the Internet (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g., fix critical issues immediately, high severity in 15 days, etc.)
- Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Berwyn data, and establish a process that ties every access to such systems and applications to an individual user account. Ensure that security policies and procedures require security logs to be reviewed on a daily or weekly basis and that exceptions are followed up.
- Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access Berwyn systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
- protecting against intrusions;
- securing the computer systems and network devices; and
- protecting against intrusions of operating systems or software.
- Mobile and Cloud Technology
- Storing Berwyn data permanently on mobile devices is prohibited. Any exceptions must be obtained from Berwyn in writing; additional security requirements will apply.
- Application development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.
- Application development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
- Servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA and/or other published hardening guides.
- Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Berwyn data to be exchanged between secured and non-secured applications on the mobile device.
- Berwyn data and services are not available to consumers. For non-consumer access, that is, commercial/business-to-business (B2B) users accessing Berwyn data via mobile applications (internally developed or using a third-party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are used to authenticate users to the application.
- When using third parties or cloud providers for Customer to access, transmit, store, or process Berwyn data, ensure that:
- Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations.
- Cloud providers must have undergone independent audits and be compliant with one or more of the following standards, or a current equivalent as approved/recognized by Berwyn:
- ISO 27001
- PCI DSS
- EI3PA
- SSAE 16 – SOC 2 or SOC3
- FISMA
- CAI / CCM assessment
- General
- As allowed under Customer’s agreement with Berwyn, no more than once per year, at Berwyn’s expense, Berwyn will have the right to audit the security mechanisms Customer maintains to safeguard access to Berwyn information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices. Audits shall be reasonable in scope and duration.
- In cases where the Customer is accessing Berwyn information and systems via third party software, the Customer agrees to make available to Berwyn upon request, audit trail information and management reports generated by the vendor software, regarding Customer individual authorized users.
- Customer shall be responsible for and ensure that third party software, which accesses Berwyn information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.
- Customer shall conduct software development (for software which accesses Berwyn information systems; this applies to both in-house and outsourced software development) based on the following requirements:
- Software development must follow industry standard secure software development practices such as OWASP, adhering to common controls and addressing top risks.
- Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensure vulnerabilities are remediated.
- Software solution servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA and/or other published hardening guides.
- Under Section 8.1 above, reasonable access to audit trail reports of systems utilized to access Berwyn systems shall be made available to Berwyn upon request, for example during breach investigation or while performing audits.
- Data requests from Customer to Berwyn must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.
- Customer shall report actual security violations or incidents that impact Berwyn to Berwyn within twenty-four (24) hours or per the agreed contractual notification timeline. Customer agrees to provide notice to Berwyn of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred, at 216-765-8818; email notification should be sent to compliance@berwyngroup.com.
- By its use of this site, Customer acknowledges and agrees that the Customer (a) has received a copy of these requirements, (b) has read and understands Customer’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to Berwyn services, systems or data, and (d) will abide by the provisions of these requirements when accessing Berwyn systems or data.
- Customer understands that its use of Berwyn resources may be monitored and audited by Berwyn, without further notice.
- Customer acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access Berwyn services or data are secure and in compliance with its Berwyn agreement.
- When using third party service providers to access, transmit, or store Berwyn data, additional documentation may be required by the Berwyn Group.
Internet Delivery Security Requirements
In addition to the above, the following requirements apply where Customer and their employees or an authorized agent/s acting on behalf of the Customer are provided access to Berwyn services via the Internet (“Internet Access”).
General requirements:
- The Customer shall designate an employee to be its Head Security Designate, to act as the primary interface with the Berwyn Group on systems access related matters. The Customer’s Head Security Designate will be responsible for establishing, administering and monitoring all Customer employees’ access to Berwyn services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.
- The Customer’s Head Security Designate or other Security Designates shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each Berwyn product based upon the legitimate business needs of each employee. Berwyn shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
- Unless automated means become available, the Customer shall request employee’s (Internet) user access via the Head Security Designate/Security Designate. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User ID”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). Berwyn’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. Berwyn may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Customer) and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
- An officer of the Customer agrees to notify Berwyn in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.
Roles and Responsibilities
- Customer agrees to identify an employee it has designated to act on its behalf as a primary interface with Berwyn on systems access related matters. This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day-to-day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Customer and shall be available to interact with Berwyn on information and product access, in accordance with these Access Security Requirements for Berwyn End-Users. Customer’s duly authorized representative (e.g., contracting officer, security manager, etc.) must authorize changes to Customer’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to Berwyn’s systems and information. Changes in Head Security Designate status (e.g., transfer or termination) are to be reported to Berwyn immediately or the Head Security Designate’s access must be terminated.
- As a client of Berwyn’s products and services via the Internet, the Head Security Designate acts as the duly authorized representative of Customer.
- The Security Designate may be appointed by the Head Security Designate as the individual that the Customer authorizes to act on behalf of the business in regard to Berwyn product access control (e.g., request to add/change/remove access). The Customer can opt to appoint more than one Security Designate (e.g., for backup purposes). The Customer understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with Berwyn’s Security Administration group on information and product access matters.
- The Head Security Designate shall be responsible for notifying their corresponding Berwyn representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to applications and data) that must be terminated due to suspected or actual system compromise, unauthorized access to data and/or applications, or account inactivity.
Security Designate
- Must be an employee and duly appointed representative of Customer and identified as an approval point for Customer’s Authorized Users.
- Is responsible for the initial and on-going authentication and validation of Customer’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
- Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.
- Is responsible for ensuring that Customer’s Authorized Users are authorized to access Berwyn products and services.
- Must disable any Authorized User ID if it becomes compromised or if the Authorized User’s employment is terminated by Customer.
- Must immediately report any suspicious or questionable activity to the Berwyn Group regarding access to Berwyn’s products and services.
- Shall immediately report changes in their Head Security Designate’s status (e.g., transfer or termination) to Berwyn.
- Will provide first level support for inquiries from Customer’s Authorized Users about passwords/passphrases or IDs.
- Shall be available to interact with Berwyn when needed on any system or user related matters.
Glossary
Term | Definition |
---|---|
Computer Virus | A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying. |
Confidential | Very sensitive information. Disclosure could adversely impact your company. |
Encryption | Encryption is the process of transforming information so that it cannot be read without the corresponding secret key. Unlike a one-way hash, encryption is reversible by anyone who holds the key, which is why keys must be protected as carefully as the data. |
Firewall | In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle. |
Information Lifecycle | (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained. |
IP Address | A unique number that devices use in order to identify and communicate with each other on a computer network using the Internet Protocol (IP). All participating network devices, including routers, computers, time servers, printers, Internet fax machines, and some telephones, must have their own unique IP address. Just as a street address or phone number uniquely identifies a building or telephone, an IP address uniquely identifies a specific computer or other network device on a network. Any service listening on a publicly reachable IP address can be probed and attacked from the Internet, which is why the firewall and NAT requirements above limit such exposure. |
Peer-to-Peer | A network model in which each participating computer acts as both client and server, exchanging files directly with other peers rather than through a central server. Peer-to-Peer file-sharing software is frequently used to reproduce and distribute music and other content without permission, and a misconfigured client can expose local files, including confidential data, to every other peer. |
Router | A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets. |
Spyware | Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer’s operation without the consent of that machine’s owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet. |
ISO 27001 /27002 | ISO/IEC 27001 is a specification for an Information Security Management System (ISMS). ISO/IEC 27002 (formerly known as ISO/IEC 17799) is an internationally recognized code of practice for information security which outlines hundreds of potential controls and control mechanisms that may be implemented to achieve the ISO 27001 standard. |
PCI DSS | The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. |
SSAE 16 SOC 2, SOC3 | Statement on Standards for Attestation Engagements (SSAE) No. 16 (since superseded by SSAE No. 18) governs the SOC 2 Report on Controls Related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 3 Report is based upon the same controls as SOC 2, the difference being that a SOC 3 Report does not detail the testing performed (it is a general-use report, typically used as marketing material). |
FISMA | The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the E-Government Act of 2002. |
CAI/CCM | Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. |
Last Review: March 2023