
Vendor Information Security Requirements


These Vendor Information Security Requirements are subject to the terms and conditions of the main agreement in which they are referenced and these requirements may be amended from time to time. In no event shall these terms and conditions apply to CWT or any other party other than as expressly provided for in each main agreement. 

 

 

1. Introduction


These terms and conditions ("Information Security Requirements") set out the required information security measures ("Technical and Organizational Security Measures") which shall apply to the Vendor (as defined below), its subcontractors, and each of the Vendor's temporary personnel, contractors, or additional vendors and/or agents acting on behalf of the Vendor (collectively referred to herein as "Third Parties") who perform any services and supply any products for, on behalf of, and/or through Vendor and/or other obligations that include any of the following:

 

a. The collection, storage, handling, or disposal of CWT's (as defined below) Confidential Information (as defined below) resources;

b. Providing or supporting CWT branded services and products using non-CWT systems or other resources;

c. Connectivity to CWT's Confidential Information resources;

d. Incidental and/or CWT-paid-for development of any software to the extent produced or developed by or on behalf of Vendor, or forming part of any software, pursuant to the Agreement (as defined below) to which these Technical and Organizational Security Measures are attached (including under any statement of work, exhibit, order or other document under, subordinate to, or referencing the Agreement) for the development of which CWT has been charged monies; or

e. Website hosting and development for CWT and/or CWT's clients.

 

2. Definitions

 

2.1 Unless otherwise set forth or expanded herein, defined terms shall have the same meaning as set forth in the main Agreement. The following defined terms shall apply to these Information Security Requirements:

 

"Affiliates" shall mean, with reference to a party, any company or other legal entity which: (i) controls either directly or indirectly, a party; or (ii) is controlled, directly or indirectly, by a party; or (iii) is directly or indirectly controlled by a company or entity which directly or indirectly controls a party. For these purposes, "control" means the right to exercise more than fifty percent (50%) of the voting or similar right of ownership; but only for so long as such control shall continue to exist.

 

"Agreement" means the contract or other legal document entered into by CWT and the Vendor.

 

"Company Restricted Data" are data that might cause serious loss, business interruption, or embarrassment to: (a) CWT and its Affiliates; (b) a CWT client; (c) CWT personnel. This data includes customer or supplier lists; individual traveler information; company business bank account numbers; non-credit card branded gift and stored value card numbers; customer loyalty data not included in Personal Information (as defined below); trade secrets; customer codes; performance assessments; contracts, requests for proposals, requests for quotes, and requests for information; strategic plans, marketing plans, mergers and acquisitions and divestitures; and financial statements.

 

"Confidential Information" means any commercially sensitive, proprietary or otherwise confidential information relating to CWT, its Affiliates or the contents and/or purpose of the Agreement, whether oral, in writing or which by any other means may directly or indirectly come into the Vendor's possession or into the possession of the Vendor's personnel, agents, contractors or sub-contractors as a result of or in connection with the Agreement. For the avoidance of doubt, all work product shall constitute Confidential Information.

 

"CWT" means the Carlson Wagonlit Travel entity outlined in the Agreement as well as its Affiliates.

 

"Demilitarized Zone" or "DMZ" is a network or sub-network that sits between a trusted internal network, such as a corporate private Local Area Network (LAN), and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal systems and other resources. Inbound packets from the untrusted external network must terminate within the DMZ and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ. The DMZ must be separated from the untrusted external network by use of a Security Gateway and must be separated from the trusted internal network by use of either:

 

a. another Security Gateway, or

b. the same Security Gateway used to separate the DMZ from the untrusted external network, in which case the Security Gateway must ensure that packets received from the untrusted external network are either immediately deleted or if not deleted are routed only to the DMZ with no other processing of such inbound packets performed other than possibly writing the packets to a log.

 

The following must only be located within the trusted internal network:

 

a. Any CWT Personal Information or Company Restricted Data stored without the use of Strong Encryption,

b. The official record copy of information to be accessed from requests originating from the untrusted external network,

c. The official record copy of information to be modified as the result of requests originating from the untrusted external network,

d. Database servers,

e. All exported logs, and

f. All environments used for development, test, sandbox, production, and any other such environments; and all source code versions.

 

Authentication credentials not protected by the use of Strong Encryption must not be located within the DMZ.

 

"Government Data" means data belonging to a government entity and subject to enhanced requirements due to its status. For these purposes, Government Data requires full compliance with specific government standards.

 

"Incident Management Process" is a Vendor-developed, documented process and procedure to be followed in the event of an actual or suspected attack upon, intrusion upon, unauthorized access to, loss of, or other breach involving the confidentiality, availability, or integrity of CWT's Confidential Information.

 

"Masking" is the process of covering information displayed on a screen. System and user passwords, national identification numbers, driver's license numbers, passport numbers, health information, meal preferences, biometric data, gender, and redress numbers should be completely masked at all times. Charge card, debit card, loyalty, and financial account numbers require masking on all but the last four numbers. Any birth date should mask the year.

 

"Mobile and Portable Devices" mean mobile and/or portable computers, devices, media and systems capable of being easily carried, moved, transported or conveyed that are used in connection with the Agreement. Examples of such devices include laptop computers, tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), mobile or data phones, and any other wireless or periphery device with the ability to store Confidential Information.

 

"Personal Information" as defined under European Union Directive 94/46/EC and other applicable global information security, data protection, and privacy laws, means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Examples include, but are not limited to: full name (including prefix and suffix), personal identification number (PIN) or password, payment card information or associated numbers (e.g. CVV number), bank account information, email addresses, phone number, physical address, information evidencing health status (e.g. prior treatments) or health requirements, travel documents such as driver's license number, state or national ID number, passport number, citizenship, residency, date of birth, sexual orientation, religion, trade union membership, social security number or visa number, criminal history, biometric or genetic data.

 

"Security Gateway" means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples of Security Gateways include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.

 

"Strong Authentication" means the use of authentication mechanisms and authentication methodologies stronger than the passwords required herein. Examples of Strong Authentication mechanisms and methodologies include digital certificates, two-factor authentication, and one-time passwords.

 

"Strong Encryption" means the use of encryption technologies with minimum key lengths of 256-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it shall protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm. Strong Encryption includes, but is not limited to: SSL v3.0+/TLS v1.0+, Point to Point Tunneling Protocol (PPTP), AES 256, FIPS 140-2 (United States government only), RSA 1024 bit, SHA1/SHA2/SHA3, Internet Protocol Security (IPSEC), SFTP, SSH, Vormetric v4, or WPA2.

 

"Technical and Organizational Security Measures" mean any activities required under these Information Security Requirements to access, manage, transfer, process, store, retain, and destroy information or data; to disclose and notify affected parties required under the Agreement and under applicable information privacy and data protection laws; and to safeguard information or data to ensure availability, integrity, confidentiality, and privacy, or notify individuals of any failure to safeguard such information or data. Measures include but are not limited to those required or interpreted to be required under European Union Directives 94/46/EC and 2006/24/EC as promulgated under member countries, the United States Gramm-Leach-Bliley Act (GLBA), the United States Health Insurance Portability and Accountability Act (HIPAA), the EU/Switzerland data privacy requirements, and any other international and U.S. laws, official legal interpretation, or case precedent pertaining to information or data under the Agreement.

 

"Third Party" means any subcontractors, and each of the Vendor's temporary personnel, contractors, or additional vendors and/or agents acting on behalf of the Vendor, and does include any definition of Third Party under applicable EU, U.S., or other international law.

 

"Vendor" means the contracting entity set forth in the Agreement together with its Affiliates.

 

2.2 While Vendor has access to CWT's Confidential Information, Vendor shall implement reasonable and appropriate Technical and Organizational Security Measures in accordance with information security best practices to protect the integrity, availability, and confidentiality of information.

 

2.3 The Vendor warrants and represents that it shall comply with the following Technical and Organizational Security Measures to the extent that these are applicable to the provision of services set forth in the Agreement:

 

3. Organization of Information Security

 

3.1 Vendor shall establish, implement, and maintain reasonable policies and a program of organizational, operational, administrative, physical, and Technical and Organizational Security Measures appropriate to (1) prevent any access to CWT's Confidential Information in a manner not authorized by the Agreement or these Information Security Requirements, and (2) comply with and meet all applicable industry standards. Vendor shall ensure that its information security staff has reasonable and necessary experience in information and network security.

 

3.2 Vendor shall provide an appropriate level of supervision, guidance, and training on the Technical and Organizational Security Measures to Vendor's Third Parties who require access to CWT's Confidential Information. Vendor shall provide Technical and Organizational Security Measure training upon hire and prior to accessing Confidential Information. Refresher training shall be provided at least annually and as soon as possible following any material change in Vendor's Technical and Organizational Security Measures.

 

3.3 Vendor's Third Parties with significant security duties, including but not limited to human resources or information technology functions, and any technology administrator function, shall also receive specialized training specific to their respective roles. Specialized training shall include, as applicable to the role, information security procedures, acceptable use of information security resources, current threats to information systems, security features of specific systems, and secure access procedures.

 

3.4 Vendor shall take reasonable steps to prevent unauthorized physical or electronic access to or loss of CWT's Confidential Information and the services, systems, devices or media containing this information.

 

3.5 Vendor shall employ risk assessment processes and procedures to regularly assess systems used to provide services or products to CWT. Vendor shall remediate such risks as soon as reasonably possible and commensurate with the level of risk posed to CWT Confidential Information given threats known at the time of identification. Vendor shall operate a process to enable Vendor's Third Parties to report risks or suspected incidents to the Vendor security team.

 

3.6 To the extent that Vendor's Third Parties perform services pursuant to the Agreement in CWT facilities or using services, systems, devices or media owned, operated or managed by CWT, Vendor shall comply with all CWT policies made available to Vendor that are applicable to such access. Vendor shall require all of Vendor's Third Parties using CWT facilities, services, systems, devices or media to perform services pursuant to the Agreement to comply with all applicable CWT policies. Vendor shall promptly notify CWT in writing when such access is no longer needed, including without limitation when an employee, contractor, subcontractor, or third party of Vendor is no longer performing services under the Agreement or is no longer accessing CWT's Confidential Information.

 

3.7 Vendor shall keep a record of Vendor resources that access, transfer, maintain, store, or process CWT Confidential Information.

 

4. Physical and Environmental Security

 

4.1 Vendor shall ensure that all of Vendor's systems and other resources intended for use by multiple users are located in secure physical facilities with access limited and restricted to authorized individuals only.

 

4.2 Vendor shall monitor and record, for audit purposes, access to the physical facilities containing systems and other resources intended for use by multiple users used in connection with Vendor's performance of its obligations under the Agreement.

 

4.3 Vendor shall ensure that all of Vendor's Third Parties shall sign a non-disclosure or confidentiality agreement with Vendor prior to accessing CWT Confidential Information.

 

4.4 Vendor shall require all its personnel to abide by a clean desk policy and lock workstation screens prior to leaving work areas.

 

4.5 Vendor shall collect all company assets upon employment or contract termination.

 

4.6 Vendor shall limit and monitor physical access to its facilities according to the following requirements:

 

a. Visitor access is logged, and the log is maintained for three months including the visitor's name, company he/she represents, and the name of the employee authorizing the physical access.

b. Access is restricted to appropriate personnel, based on job requirements.

c. All employees must wear a company provided name badge.

d. Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

e. The data center or computer room is locked and access limited to only those requiring access.

f. Use video cameras to monitor individual physical access to sensitive areas, and review such data regularly. Video footage must be stored for a minimum of three (3) months.

g. Equipment used to store, process or transmit Personal Information must be physically secured including wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

 

4.7 Vendor shall implement controls to minimize the risk of and protect against physical threats.

 

4.8 Vendor shall maintain all hardware assets used to process or handle CWT Confidential Information in accordance with the third party service provider's recommended servicing requirements.

 

4.9 Vendor shall logically separate conference room and other publicly accessible network jacks from the Vendor's network, restricting them to authenticated users only or disabling them by default.

 

4.10 Vendor shall protect any device that captures payment card data via direct physical interaction from tampering and substitution by periodically inspecting device surfaces to detect tampering or substitution, and shall provide training so that personnel are aware of attempted tampering with or replacement of such devices.

 

4.11 Vendor shall control and separate access points such as delivery and loading areas and other points from all centers accessing, managing, storing, or processing CWT Confidential Information.

 

4.12 Vendor data centers must have heating, cooling, fire suppression, water detection, and heat/smoke detection devices.

 

5. Access Control

 

Vendor shall:

 

5.1 Take all reasonable steps to prevent anyone from accessing CWT's Confidential Information in any manner or for any purpose not authorized by CWT and the Agreement. Vendor shall limit access to CWT's Confidential Information to Vendor's Third Parties who (1) have a legitimate need to access Confidential Information to provide services pursuant to the Agreement, and (2) have agreed in writing to protect the integrity, availability, and confidentiality of CWT's Confidential Information.

 

5.2 Maintain reasonable procedures to terminate access to CWT's Confidential Information provided for Vendor Third Parties when it is no longer needed or relevant to the performance of their duties, and prior to the end of employment or engagement by CWT. Vendor shall comply with CWT's background check requirements to the extent needed and permitted by law, and as otherwise set forth in an applicable statement of work/work order/purchase order.

 

5.3 Separate CWT's information from any other customer's or Vendor's own applications and information either by using physically separate servers or alternatively by using logical access controls where physical separation of servers is not implemented.

 

5.4 Identify and require owners to review and approve access to systems used to access, process, manage, or store CWT's Confidential Information; and shall maintain and track access approvals.

 

5.5 Remove access to systems managing CWT Personal Information and Company Restricted Data within 24 hours of an employee, contractor, subcontractor, or third party terminating their relationship with Vendor; and remove access to such systems within three (3) business days when an employee, contractor, subcontractor, or third party changes job responsibilities within the company. All other user IDs must be disabled or removed after 90 calendar days of inactivity.

 

5.6 Routinely review and approve access to systems managing CWT Personal Information and Company Restricted Data at least quarterly to remove unauthorized access.

 

5.7 Limit access to CWT's Information only to authorized persons or systems, and employ highly restrictive access controls to any of Vendor's systems and CWT Personal Information and Company Restricted Data.

 

5.8 Limit system administrator (also known as root, privileged, or super user) access to operating systems intended for use by multiple users only to individuals requiring such high-level access in the performance of their jobs. Use check-out IDs with individual user log-in credentials and activity logs to manage high security access when possible and otherwise reduce high-level access to a highly limited number of users.

 

5.9 Require application, database, network, and system administrators to restrict access by users to only the commands, data, systems, and other resources necessary for them to perform authorized functions.

 

5.10 Require Strong Authentication for any remote access use of Confidential Information.

 

5.11 Prohibit, and employ reasonable Technical and Organizational Security Measures to ensure, that Vendor's Third Parties accessing Personal Information may not copy, move, or store Personal Information onto local hard drives or cut and paste or print Personal Information.

 

5.12 Manage remote access capabilities: activate use of remote access capabilities only when needed, monitor while in use, and immediately deactivate after use.

 

5.13 Require at least two-factor authentication to connect to internal Vendor resources containing CWT Confidential Information.

 

6. Identification and Authentication

 

Vendor shall:

 

6.1 Assign unique user IDs to individual users and assign authentication mechanisms to one individual account.

 

6.2 Use a documented user ID lifecycle management process including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all access to Confidential Information and across all environments (e.g., production, test, development, etc.). Such process shall include review of access privileges and account validity to be performed at least quarterly.

 

6.3 Enforce the rule of least privilege (i.e., limiting access to only the commands, information, systems, and other resources necessary to perform authorized functions according to one's job function).

 

6.4 Require all access to CWT Confidential Information to be made using a valid user ID and password, and require unique user IDs to employ one of the following: password or passphrase, two-factor authentication, or a biometric value.

 

6.5 Require password complexity and meet the following password construction requirements: a minimum of eight (8) characters in length for system passwords and four (4) characters for tablet and smartphone passcodes. System passwords must contain three of the following: upper case, lower case, numeric, or special characters. Passwords must not be the same as the user ID with which they are associated, must not contain a dictionary word or sequential or repeated numbers, and must not be one of the past five passwords. Require password expiration at regular intervals not to exceed ninety (90) days. Mask all passwords when displayed.

 

6.6 Limit failed login attempts to no more than five (5) failed logon attempts within 24 hours and lock the user account upon reaching that limit in a persistent state. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user's identity.

 

6.7 Verify the user's identity and set one-time use and reset passwords to a unique value for each user. Systematically prompt a change after first use.

 

6.8 Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).

 

6.9 Restrict service account and proxy passwords to a 12 character minimum, including upper case, lower case, and numeric characters, as well as special symbols. Change service account and proxy passwords at least annually.

 

6.10 Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.

 

6.11 Use an authentication method based on the sensitivity of CWT's Information. Whenever authentication credentials are stored, Vendor shall protect them using Strong Encryption. Require reauthentication after 15 minutes of inactivity.

 

6.12 Configure systems to automatically timeout after a maximum period of inactivity: server (15 minutes), workstation (15 minutes), mobile device (4 hours), Dynamic Host Configuration Protocol (7 days), Virtual Private Network (24 hours).

 

7. Information Systems Acquisition, Development and Maintenance

 

Vendor shall:

 

7.1 For CWT branded products or services, or for software developed for CWT, display a warning banner on login screens or pages as specified in writing by CWT.

 

7.2 Ensure that all personnel, subcontractors or representatives performing work under the Agreement are in compliance with these Technical and Organizational Security Measures and evidenced by agreement no less restrictive than these Information Security Requirements.

 

7.3 Return all CWT-owned or -provided access devices as soon as practicable, but in no event more than fifteen (15) days after the soonest of:

(a) expiration or Termination of the Agreement;

(b) CWT's request for the return of such property; or

(c) the date when Vendor no longer needs such devices.

 

7.4 Employ an effective application management methodology that incorporates information technical and organizational security measures into the software development process, and ensure that information technical and organizational security measures, as represented in CWT's software development lifecycle or information security policies, standards, and procedures are implemented by Vendor in a timely manner.

 

7.5 Follow standard development procedures, including separation of access and code between non-production and production environments and associated segregation of duties between such environments.

 

7.6 Ensure internal information security controls for software development are assessed regularly and reflect industry best practices, and revise and implement these controls in a timely manner.

 

7.7 Manage security of the development process and ensure secure coding practices are implemented and followed, including appropriate cryptographic controls, protections against malicious code, and a peer review process.

 

7.8 Conduct, or arrange for the conduct of, penetration testing on functionally complete applications at least once every year and after any significant modifications to source code or configuration, using NIST SP800-115. Remediate any exploitable vulnerabilities prior to deployment to the production environment.

 

7.9 Use anonymized or obfuscated data in non-production environments. Never use plain text production data in any non-production environment, and never use Personal Information in non-production environments for any reason. Ensure all test data and accounts are removed prior to production release.

 

7.10 Ensure Vendor's Third Parties using open source code, software, applications, or services maintain due diligence in reviewing such resulting code for flaws, bugs, or security issues that may impact data integrity, availability, or confidentiality of CWT or CWT clients.

 

7.11 Ensure Vendor Third Parties will not, under any circumstances, share any code created under the Agreement, regardless of the stage of development, in any shared or non-private environment, such as an open access code repository, regardless of password protection.

 

8. Software and Data Integrity

 

Vendor shall:

 

8.1 In environments where antivirus software is commercially available and to the extent practicable, have current antivirus software installed and running to scan for and promptly remove or quarantine viruses and other malware from any system or device.

 

8.2 Separate non-production information and resources from production information and resources.

 

8.3 Ensure teams use a documented change control process for all system changes, including back-out procedures for all production environments and emergency change processes. Include testing, documentation, and approvals for all system changes and require management approval for significant changes in such processes.

 

8.4 To the extent Vendor processes or stores card holder data, build and maintain a PCI zone.

 

8.5 For applications that utilize a database that allows modifications to CWT's Information, have database transaction audit logging features enabled and retain database transaction audit logs for a minimum of six (6) months.

 

8.6 Not perform any incidental development of any software under the Agreement.

 

8.7 Where technically feasible, for all software used, furnished and/or supported under the Agreement, review such software to find and remediate security vulnerabilities during initial implementation and upon any significant modifications and updates.

 

8.8 Perform quality assurance testing for the security components (e.g., testing of identification, authentication and authorization functions), as well as any other activity designed to validate the security architecture, during initial implementation and upon any significant modifications and updates.

 

9. System Security

 

Vendor shall:

 

9.1 Regularly create and update the most recent versions of data flow and system diagrams used to access, process, manage, or store CWT's Confidential Information.

 

9.2 Actively monitor industry resources (e.g. www.cert.org and pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Vendor's systems and other information resources.

 

9.3 Effectively manage cryptographic keys by restricting access to keys to the fewest number of custodians necessary, storing secret and private cryptographic keys encrypted with a key at least as strong as the data-encrypting key, and storing them separately from the data-encrypting key in a secure cryptographic device, in the fewest possible locations. Change cryptographic keys from default at installation and at least every two years, and securely dispose of old keys.

 

9.4               At least quarterly, and prior to release for applications and for significant changes and any upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards, scan externally-facing systems and other information resources, including, but not limited to, networks, servers, and applications, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities.

 

9.5               At least quarterly, and prior to release for applications and for significant changes and upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards, scan internal systems and other information resources, including, but not limited to, networks, servers, applications and databases, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities, ensure that such systems and other resources are properly hardened, and identify any unauthorized wireless networks.

 

9.6               Maintain a risk rating process for vulnerability assessment findings based on industry best practices and potential impact. All assessment findings with a CVSS score of 4 or higher must be addressed via a repeatable process.

 

9.7               Ensure that all of Vendor's systems and other resources are and remain 'hardened' including, but not limited to, removing or disabling unused network and other services and products (e.g., finger, rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services and products) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar technology.

 

9.8               In environments where such technology is commercially available and to the extent practicable, deploy one or more Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all traffic entering and leaving systems and other resources in conjunction with the Agreement.

 

9.9               Have and use a documented process to remediate security vulnerabilities in any system or other resource, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be or is in the process of being exploited. Critical patches with a CVSS score of 7.5 or higher must be installed immediately upon availability and in no event longer than one month after release. Patches with a CVSS score of 4 or higher must be installed within 90 days of release.

 

9.10            Conduct generalized penetration testing internally and externally at least annually and after any significant infrastructure or application upgrade or modification.

 

9.11            Remove or disable unauthorized software discovered on Vendor's systems and employ reasonable malware controls, including the installation, regular update and routine use of anti-malware software products on all services, systems and devices that may be used to access CWT's Confidential Information. Use reliable and industry best practice anti-virus software where practicable and ensure such virus definitions remain updated.

 

9.12            Maintain reasonably up-to-date software on all services, systems and devices that may be used to access Protected Information, including appropriate maintenance of operating system(s) and successful installation of reasonably up-to-date security patches.

 

9.13            Assign security administration responsibilities for configuring host operating systems to specific individuals.

 

9.14            Change all default account names and/or default passwords.

 

10.         Monitoring

 

Vendor shall:

 

10.1            Retain log data for CWT Confidential Information for at least 12 months and ensure such data is available to CWT within a reasonable timeframe and upon request, except as specified in 8.54.

 

10.2            Record primary system Vendor's Third Parties' activities for systems containing any CWT Personal Information and Company Restricted Data.

 

10.3            Restrict access for security logs to authorized individuals, and protect security logs from unauthorized modification.

 

10.4            Implement a change detection mechanism (e.g. file integrity monitoring) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; configure software to perform critical file comparisons weekly.

 

10.5            Review, on no less than a weekly basis, all security and security-related audit logs on systems containing CWT Personal Information and Company Restricted Data for anomalies and document and resolve all logged security problems in a timely manner.

 

10.6            Review daily all security events, logs of system components storing, processing, or transmitting card holder data, logs of critical system components, and logs of servers and system components performing security functions.

 

11.         Security Gateways

 

Vendor shall:

 

11.1            Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.

 

11.2            Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.

 

11.3            At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and set of configuration parameters ensures the following:

 

a.    Internet Protocol (IP) source routing is disabled,
 

b.    The loopback address is prohibited from entering the internal network,
 

c.     Anti-spoofing filters are implemented,
 

d.    Broadcast packets are disallowed from entering the network,
 

e.    Internet Control Message Protocol (ICMP) redirects are disabled,
 

f.     All rule sets end with a "DENY ALL" statement, and
 

g.    Each rule is traceable to a specific business request.

 

11.4            Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.

 

11.5            Ensure that all Security Gateways are configured and implemented such that all non-operational Security Gateways shall deny all access.

 

12.         Network Security

 

Vendor shall:

 

12.1            Upon CWT's request, provide to CWT a logical network diagram documenting systems and connections to other resources including routers, switches, firewalls, IDS systems, network topology, external connection points, gateways, wireless networks, and any other devices that shall support CWT.

 

12.2            Maintain a formal process for approving, testing, and documenting all network connections and changes to the firewall and router configurations. Configure firewalls to deny and log suspicious packets, and to permit only appropriate and authorized traffic, denying all other traffic through the firewall. Review firewall rules every six months.

 

12.3            Install a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. Any system storing Personal Information must reside in the internal network zone, segregated from the DMZ and other untrusted networks.

 

12.4            Monitor firewalls at the perimeter and internally, as necessary.

 

12.5            Have a documented process and controls in place to detect and handle unauthorized attempts to access CWT's Information.

 

12.6            When providing Internet-based services and products to CWT, protect CWT's Information by the implementation of a network DMZ. Web servers providing service to CWT shall reside in the DMZ. Any system or information resource storing CWT's Information (such as application and database servers) shall reside in a trusted internal network. (Internet services and products must use a DMZ.)

 

12.7            Restrict unauthorized outbound traffic from applications processing, storing or transmitting Confidential Information to IP addresses within the DMZ and Internet.

 

12.8            When using radio frequency (RF) based wireless networking technologies to perform or support services and products for CWT, Vendor shall ensure that all of CWT's Confidential Information transmitted is protected by the use of appropriate encryption technologies sufficient to protect the confidentiality of CWT's Confidential Information; provided, however, that in any event such encryption shall use no less than key lengths of 256-bits for symmetric encryption and 256-bits for asymmetric encryption. Regularly scan, identify, and disable unauthorized wireless access points.

 

13.         Connectivity Requirements

 

13.1            In the event that a data connection agreement, such as a "Master Data Connection Agreement," "Data Connection Agreement," and/or "Connection Supplement" ("DCA") exists between CWT and the Vendor, and incorporates the Agreement by reference, or is otherwise integrated with, or used to govern the parties' connectivity obligations under these Information Security Requirements, Vendor and CWT agree that any information technical and organizational security measures incorporated within such DCA are hereby superseded by the terms of these Information Security Requirements, effective as of the date these Information Security Requirements become effective under the Agreement, and the terms of such DCA are amended to require that these Information Security Requirements, and not the information technical and organizational security measures incorporated within the DCA, are controlling in the Agreement (as well as any agreements subordinate to the Agreement). Notwithstanding the foregoing, the DCA remains in full force and effect for all other agreements between the parties to which it applies.

 

13.2            In the event that Vendor has, or shall be provided, connectivity to CWT's or CWT's clients' Confidential Information resources in conjunction with the Agreement, then in addition to the foregoing Vendor shall:

 

a.    Use only the mutually agreed upon facilities and connection methodologies to interconnect CWT's and CWT's clients' Confidential Information resources with Vendor's Information Resources.
 

b.    NOT establish interconnection to CWT's and CWT's clients' Confidential Information resources without the prior consent of CWT.
 

c.     Provide CWT access to any applicable Vendor facilities during normal business hours for the maintenance and support of any equipment (e.g., router) provided by CWT under the Agreement for connectivity to CWT's and CWT's clients' Confidential Information resources.
 

d.    Use any equipment provided by CWT under the Agreement for connectivity to CWT's and CWT's clients' Confidential Information resources only for the furnishing of those services and products or functions explicitly authorized in the Agreement.
 

e.    If the agreed upon connectivity methodology requires that Vendor implement a Security Gateway, maintain logs of all sessions using such Security Gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports/service protocols used and duration of access. These session logs must be retained for a minimum of six (6) months from session creation.

 

13.3            In the event that Vendor has, or shall be provided, connectivity to CWT's or CWT's clients' Confidential Information resources in conjunction with the Agreement, in addition to other rights set forth herein, permit CWT to:

 

a.    Gather information relating to access, including Vendor's access, to CWT's and CWT's clients' Confidential Information resources. This information may be collected, retained and analyzed by CWT to identify potential security risks without further notice. This information may include trace files, statistics, network addresses, and the actual data or screens accessed or transferred.
 

b.    Immediately suspend or terminate any interconnection to CWT's and CWT's clients' Confidential Information resources if CWT, in its sole discretion, believes there has been a breach of security or unauthorized access to or misuse of CWT data facilities or any CWT information, systems, or other resources.

 

14.          Mobile and Portable Devices

 

Vendor shall:

 

14.1            Use Strong Encryption to protect all of CWT's Confidential Information stored on Mobile and Portable Devices.

 

14.2            Not store Personal Information on mobile devices or laptops and not store CWT Personal Information and Company Restricted Data on removable devices unless using Strong Encryption.

 

14.3            Use Strong Encryption to protect CWT's Confidential Information transmitted using or remotely accessed by network-aware Mobile and Portable Devices.
 

a.    When using network-aware Mobile and Portable Devices that are not laptop computers to access and/or store CWT's Information, such devices must be capable of deleting all stored copies of CWT's Information upon receipt over the network of a properly authenticated command. (Note: Such capability is often referred to as a "remote wipe" capability.)
 

b.    Have documented policies, procedures and standards in place to ensure that the authorized individual who should be in physical control of a network-aware mobile and portable device that is not a laptop computer and that is storing CWT's Information promptly initiates deletion of all CWT's Information when the device becomes lost or stolen.
 

c.     Have documented policies, procedures and standards in place to ensure that Mobile and Portable Devices that are not laptop computers and are not network-aware shall automatically delete all stored copies of CWT's Information after consecutive failed login attempts.

 

14.4            Have documented policies, procedures and standards in place which ensure that any Mobile and Portable Devices used to access and/or store CWT's Information:

 

a.    Are in the physical possession of authorized individuals;
 

b.    Are physically secured when not in the physical possession of authorized individuals; or
 

c.     Have their data storage promptly and securely deleted when not in the physical possession of authorized individuals nor physically secured, or after 10 unsuccessful access attempts.

 

14.5            Prior to allowing access to CWT's Information stored on or through the use of Mobile and Portable Devices, Vendor shall have and use a process to ensure that:

 

a.    The user is authorized for such access; and
 

b.    The identity of the user has been authenticated.

 

14.6            Implement a policy that prohibits the use of any Mobile and Portable Devices that are not administered and/or managed by Vendor or CWT to access and/or store CWT's Information.

 

14.7            Review, at least annually, the use of, and controls for, all Vendor-administered or managed Mobile and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable Technical and Organizational Security Measures.


15.         Security in Transit

 

Vendor shall:

 

15.1            Use Strong Encryption for the transfer of CWT's Information outside of CWT-controlled or Vendor controlled networks or when transmitting CWT's Information over any untrusted network.

 

15.2            Use Strong Encryption to protect CWT Personal Information and Company Restricted Data when transmitted over any CWT-controlled or Vendor-controlled network, including but not limited to CWT Personal Information and Company Restricted Data contained in email or attachments embedded therein.

 

15.3            Records containing CWT Personal Information and Company Restricted Data in paper format, microfiche, or electronic media physically transferred, must be transported by secured courier or other delivery method that can be tracked, packed securely and per manufacturer specifications. Any CWT Personal Information and Company Restricted Data must be transported in locked containers.

 

16.         Security at Rest

 

16.1            Vendor shall use Strong Encryption to protect CWT Personal Information and Company Restricted Data when stored.

 

16.2            Vendor shall not store CWT Personal Information and Company Restricted Data electronically outside of Vendor's network environment (or CWT's own secure computer network) unless the storage device (e.g., backup tape, laptop, memory stick, computer disk, etc.) is protected by Strong Encryption.

 

16.3            Vendor shall not store CWT Personal Information and Company Restricted Data on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except: (a) for backup, business continuity, disaster recovery, and data interchange purposes as allowed and required under contract, and (b) using Strong Encryption.

 

16.4            Vendor shall appropriately store and secure records containing CWT Personal Information and Company Restricted Data in paper format or microfiche in areas to which access is restricted to authorized personnel. Vendor shall ship CWT Personal Information and Company Restricted Data via secured courier or a delivery mechanism that allows for accurate tracking of delivery status.

 

16.5            Unless otherwise instructed by CWT in writing, when collecting, generating or creating Information in paper form and backup media for, through or on behalf of CWT or under the CWT brand, Vendor shall ensure that such Information shall be CWT's Information and, whenever practicable, label such Information of CWT as "Confidential" or "Proprietary". Vendor acknowledges that CWT's Confidential Information shall remain CWT-owned Information irrespective of labeling or the absence thereof.

 

17.         Return, Destruction, and Disposal

 

17.1            At no additional charge to CWT and upon CWT's request, Vendor shall provide copies of any of CWT's Information to CWT within thirty (30) days of such request. Return, or, at CWT's option, destroy all of CWT's Information, including electronic and hard copies within ninety (90) days after the soonest of: Expiration or Termination of the Agreement, CWT's request for the return of CWT's Information, or the date when Vendor no longer needs CWT's Information to perform services and products under the Agreement.

 

17.2            In the event that CWT approves destruction as an alternative to returning CWT's Information, then Vendor shall certify in writing that the destruction has rendered CWT's Information non-retrievable and unrecoverable. Vendor shall completely destroy all copies of CWT Information at all locations and in all systems where CWT Information is stored, including but not limited to those of previously approved Vendor Third Parties. Such information shall be destroyed following an industry standard procedure for complete destruction such as DOD 5220.22M or NIST Special Publication 800-88 or using a manufacturer-recommended degaussing product for the system affected. Prior to such destruction, Vendor shall maintain all applicable Technical and Organizational Security Measures to protect the security, privacy and confidentiality of CWT's Confidential Information.

 

17.3            Vendor shall dispose of CWT Personal Information and Company Restricted Data in a manner that ensures the information cannot be reconstructed into a usable format. Papers, slides, microfilm, microfiche and photographs must be disposed by cross-shredding or burning. Materials containing CWT Personal Information and Company Restricted Data awaiting destruction must be stored in secured containers and be transported using a secure third party.

 

18.         Retention

 

18.1            In the event that Vendor needs to retain copies of CWT's Information more than ninety (90) days past either the expiration or Termination of the Agreement, or CWT's request for the return or destruction of CWT's Information, Vendor shall be allowed to retain such copies when elsewhere agreed to in writing with CWT. Copies of CWT's profile Information may be retained for more than ninety (90) days past the expiration or Termination of the Agreement without obtaining agreement in writing from CWT allowing for such longer retention, provided such longer retention is performed to achieve compliance with Laws requiring such longer retention.

 

18.2            In all cases, Vendor is responsible for validating appropriate retention requirements with CWT contacts prior to acquiring any CWT Information and consistent with any statement of work or purchase order.

 

18.3            Vendor shall take reasonable steps to secure any backup copies of CWT's Confidential Information automatically created by Vendor's or third party's services, systems, devices or media ("Archival Copies"). Within 90 calendar days of expiration or termination of the Agreement or sooner if reasonably requested by CWT, Vendor shall securely destroy all Archival Copies of CWT's Confidential Information, following an industry standard procedure at least as restrictive as DOD 5220.22M or NIST Special Publication 800-88.


19.         Incident Response and Notification

 

Vendor shall:

 

19.1            Have and use an Incident Management Process and related procedures and staff such Process and procedures with specialized resources. Immediately, and in no event greater than twenty-four (24) hours, notify CWT whenever there is any suspected or confirmed attack upon, intrusion upon, unauthorized access to, loss of, or other incident regarding CWT's information, systems, or other resources.

 

19.2            After notifying CWT, provide CWT with regular status updates, including, but not limited to, actions taken to resolve such incident, at mutually agreed upon intervals or times for the duration of the incident, and, as soon as reasonably possible after the closure of the incident, provide CWT with a written report describing the incident, actions taken by the Vendor during its response and Vendor's plans for future actions to prevent a similar incident from occurring.

 

19.3            Under no circumstances publicly disclose any such breach of CWT's information, systems, or other resources without first notifying CWT and working directly with CWT to notify applicable regional, country, state, or local government officials or credit monitoring services, individuals affected by such breach, and any applicable media outlets, as required by law.

 

a.    Vendor shall have a process in place to promptly identify violations of security controls, including those set forth in these Information Security Requirements, by Vendor personnel. Vendor personnel so identified shall be subject to appropriate disciplinary action subject to the applicable laws. Notwithstanding the foregoing, Vendor personnel shall remain under the authority of the Vendor. CWT shall not be deemed employer of the Vendor personnel.

 

20.         Business Continuity Management and Disaster Recovery

 

Vendor shall:

 

20.1            Develop, operate, manage, and revise business continuity and disaster recovery plans in order to minimize the impact on CWT of any disruption to Vendor's services or products. Such plans shall include: named resources specific to Business Continuity and Disaster Recovery functions, established recovery time objectives and recovery point objectives, daily back-up of data and systems, off-site storage of backup media and records, record protection and contingency plans commensurate with the requirements of the Agreement. Store such plans securely off-site and ensure such plans are available to Vendor as needed.

 

20.2            Upon CWT's request, furnish to CWT a documented business continuity plan that ensures Vendor can meet its contractual obligations under the Agreement, including the requirements of any applicable Statement of Work or Service Level Agreement. Such plans shall exercise recovery while protecting integrity and confidentiality of CWT Confidential Information.

 

20.3            Have documented procedures for the secure backup and recovery of CWT's Information which shall include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of CWT's Information and, upon CWT's request, provide such documented procedures to CWT.

 

20.4            Ensure that backups of all stored CWT Information, and of the software and configurations for systems used by CWT, are created at least once a week.

 

20.5            Regularly, at least annually, or following any material change in business continuity or disaster recovery plans, comprehensively exercise such plans at Vendor's sole cost and expense. Such exercises shall ensure proper functioning of impacted technologies and internal awareness of such plans.

 

20.6            Promptly review its business continuity plan to address additional or emerging threat sources or scenarios and provide CWT a high level summary of plans and testing within a reasonable timeframe upon request.

 

20.7            Ensure that all Vendor or Vendor-contracted locations housing or processing CWT Information are monitored 24 hours a day, seven (7) days per week against intrusion, fire, water, and other environmental hazards.

 

21.             Compliance and Accreditations

 

21.1            Vendor shall retain complete and accurate records relating to its performance of its obligations arising out of these Information Security Requirements and Vendor's compliance herewith in a format that shall permit assessment or audit for a period of no less than three (3) years, or longer as may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the foregoing, Vendor shall only be required to maintain security logs for a minimum of six (6) months after any continuing performance of the Agreement.

 

21.2            CWT may, at no additional cost to CWT, and with reasonable advance notice, conduct periodic security assessments or audits of the Technical and Organizational Security Measures used by Vendor, during which CWT shall provide Vendor with written questionnaires and requests for documentation. For all requests, Vendor shall respond with a written response and evidence, if applicable, immediately or, if not reasonably possible, upon mutual agreement. Upon CWT's request for an audit, Vendor shall schedule a security audit to commence within ten (10) business days from such request. CWT may require access to facilities, systems, processes, or procedures to evaluate Vendor's security control environment.

 

21.3            Upon CWT's request, Vendor shall supply evidence of compliance with the terms of the Agreement, including supporting certifications for the most recent versions of PCI-DSS, ISO 27001/27002, SOC 2, or similar assessment for the Vendor and for any subcontractor or third party processing, accessing, storing, or managing on behalf of the Vendor.

 

21.4            In the event that CWT, in its sole discretion, deems that a security breach has occurred which has not been promptly reported to CWT in compliance with the Vendor's Incident Management Process, Vendor shall schedule the audit or assessment to commence within twenty-four (24) hours of CWT's notice requiring an assessment or audit. This provision shall not be deemed to, and shall not, limit any more stringent audit obligations permitting the examination of Vendor's records contained in the Agreement.

 

21.5            Within thirty (30) calendar days of receipt of the final assessment results or audit report, Vendor shall provide CWT a written report outlining the corrective actions that Vendor has implemented or proposes to implement with the schedule and current status of each corrective action. Vendor shall update this report to CWT every thirty (30) calendar days reporting the status of all corrective actions through the date of implementation. Vendor shall implement all corrective actions within ninety (90) days of Vendor's receipt of the assessment or audit report or within an alternative time period provided such alternative time period has been mutually agreed to in writing within no more than thirty (30) days of Vendor's receipt of the assessment or audit report.

 

21.6            Vendor shall be currently compliant and continue to be compliant with any applicable government mandated information security standards and reporting requirements and ISO 27001/27002. To the extent that Vendor handles payment account numbers or any other related payment information, Vendor shall be currently compliant with the most current version of Payment Card Industry (PCI-DSS) for the full scope of systems handling this information and continue such compliance. In the event Vendor no longer is compliant with PCI-DSS for any portion of the full scope of systems handling PCI-applicable data, Vendor will promptly notify CWT, immediately proceed without undue delay to remedy such non-compliance, and provide regular status of such remediation to CWT upon request.

 

22.         Standards, Best Practices, Regulations, and Laws

 

In the event Vendor processes, accesses, views, stores, or manages CWT Personal Information and Company Restricted Data pertaining to CWT personnel, partners, Affiliates; CWT clients; or CWT client employees, contractors, or subcontractors; Vendor shall employ Technical and Organizational Security Measures no less strict than is required by applicable global, regional, country, state, and local guidelines, regulations, directives and law.

 

23.         Modification

CWT reserves the right to update or modify these Information Security Requirements from time to time by posting the latest version on CWT's website.

 

 

The following clauses shall apply to the extent that they are not already included in the main Agreement. If there is a conflict between the following terms and the terms of the Agreement, the terms of the Agreement shall prevail.

 

24.         Warranties and Obligations

 

Vendor represents and warrants that during the term of the Agreement and thereafter (as applicable with respect to Vendor's obligations under the survival of obligations clause in the Agreement) Vendor is currently compliant at the time of Agreement, and shall continue to be throughout the course of service, software or product offering, in compliance with its obligations as set forth herein. The provisions of these Information Security Requirements shall not limit any more stringent security or other obligations of the Agreement.

 

25.         Survivability

 

Rights and obligations under these Information Security Requirements shall survive, including confidentiality of any CWT Confidential Information, past the active term or termination of the Agreement. All other obligations shall terminate at the point at which Vendor no longer views, accesses, collects, maintains, processes, or stores any CWT Confidential Information; visits any CWT premises; or retains any CWT information.


26.         Term and Termination

 

26.1            Any non-compliance with any terms within these Information Security Requirements shall constitute material breach for the purposes of the Agreement and give rise to CWT's right of rescission, modification, or remedy, at CWT's election. Any CWT decision not to enforce or terminate the Agreement for Vendor non-compliance shall not constitute any modification of the Agreement or waiver of CWT's rights under the Agreement.

 

26.2            Vendor agrees that any access to Confidential Information resources in violation of these Information Security Requirements, CWT's instructions, or Industry Standards; or incidence of any Data Breach or Incident, may cause immediate and irreparable harm to CWT for which money damages may not constitute an adequate remedy. Accordingly, Vendor agrees that CWT may obtain specific performance and injunctive or other equitable relief for any such violation or Incident, in addition to its remedies at law, without proof of actual damages.

 

Version 1

Date: 26 May 2016
