
Vendor Information Security Requirements

Version 2.0
Date: 15 December 2017


  1. Introduction

    Vendor agrees that it and third parties acting on its behalf to provide services and products to CWT shall comply with the information security requirements contained in this document (“Information Security Requirements”), which  sets out the required information security measures (“Technical and Organizational Security Measures”).  

     
  2. Definitions

    2.1 Unless otherwise set forth or expanded herein, defined terms shall have the same meaning as set forth in the main Agreement. The following defined terms shall apply to these Information Security Requirements:

    “Affiliates”
    unless otherwise defined in the Agreement, shall mean, with reference to a party, any company or other legal entity which: (i) controls either directly or indirectly, a party; or (ii) is controlled, directly or indirectly, by a party; or (iii) is directly or indirectly controlled by a company or entity which directly or indirectly controls a party. For these purposes, “control” means the right to exercise more than fifty percent (50%) of the voting or similar right of ownership; but only for so long as such control shall continue to exist.

    “Agreement”
    unless otherwise defined in the main terms of the agreement, means the contract or other legal document entered into by CWT and the Vendor.

    “Confidential Information”
    means any commercially sensitive, proprietary or otherwise confidential information relating to (a) CWT and its Affiliates; (b) a CWT client; (c) CWT personnel; (d) its independent partners and joint ventures; or (e) the contents and/or purpose of the Agreement, whether oral, in writing or which by any other means may directly or indirectly come into the Vendor’s possession or into the possession of the Vendor’s personnel, agents, contractors or sub-contractors as a result of or in connection with the Agreement. For the avoidance of doubt, all work product shall constitute Confidential Information.

    “CWT”
    unless otherwise defined in the Agreement, means the CWT entity outlined in the Agreement as well as its Affiliates.

    “Demilitarized Zone” or “DMZ”
    is a network or sub-network that sits between a trusted internal network, such as a corporate private Local Area Network (LAN), and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal systems and other resources.

    “Incident Management Process”
    is a Vendor-developed, documented process and procedure to be followed in the event of an actual or suspected attack upon, intrusion upon, unauthorized access to, loss of, or other breach involving the confidentiality, availability, or integrity of CWT’s Confidential Information and Personal Information.

    “Masking”
    is the process of covering information displayed on a screen.

    “Mobile and Portable Devices”
    mean mobile and/or portable computers, devices, media and systems capable of being easily carried, moved, transported or conveyed that are used in connection with the Agreement. Examples of such devices include laptop computers, tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), mobile or data phones, and any other wireless or peripheral device with the ability to store Confidential Information and Personal Information.

    “Personal Information”
    unless otherwise defined in the Agreement, has the meaning given under Regulation (EU) 2016/679 and other applicable global information security, data protection, and privacy laws, namely any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

    “Security Gateway”
    means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples of Security Gateways include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.

    “Strong Authentication”
    means the use of authentication mechanisms and authentication methodologies stronger than the passwords required herein. Examples of Strong Authentication mechanisms and methodologies include digital certificates, two-factor authentication, and one-time passwords.

    “Strong Encryption”
    means the use of encryption technologies with minimum key lengths of 256-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it shall protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm. Strong Encryption includes, but is not limited to: SSL v3.0+/TLS v1.0+, Point to Point Tunneling Protocol (PPTP), AES 256, FIPS 140-2 (United States government only), RSA 1024 bit, SHA1/SHA2/SHA3, Internet Protocol Security (IPSEC), SFTP, SSH, Vormetric v4, or WPA2.

    “Technical and Organizational Security Measures”
    means any activities required under these Information Security Requirements to access, manage, transfer, process, store, retain, and destroy information or data; to disclose and notify affected parties as required under the Agreement and under applicable information privacy and data protection laws; and to safeguard information or data to ensure availability, integrity, confidentiality, and privacy, or to notify individuals of any failure to safeguard such information or data. Measures include but are not limited to those required or interpreted to be required under European Union Directives 94/46/EC and 2006/24/EC as promulgated under member countries, the United States Gramm-Leach-Bliley Act (GLBA), the United States Health Insurance Portability and Accountability Act (HIPAA), the EU/Switzerland data privacy requirements, and any other international and U.S. laws, official legal interpretation, or case precedent pertaining to information or data under the Agreement.

    “Third Party”
    unless otherwise defined in the Agreement, means any subcontractors, and each of the Vendor’s temporary personnel, contractors, or additional vendors and/or agents acting on behalf of the Vendor, and does include any definition of Third Party under applicable EU, U.S., or other international law.

    “Vendor”
    means the contracting entity set forth in the Agreement together with its Affiliates and its Third Parties.

    2.2 While Vendor has access to CWT’s Confidential Information and Personal Information, Vendor shall implement reasonable and appropriate Technical and Organizational Security Measures in accordance with information security best practices to protect the integrity, availability, and confidentiality of information.

    2.3 The Vendor warrants and represents that it shall comply with the following Technical and Organizational Security Measures to the extent that these are applicable to the provision of services set forth in the Agreement: 


  3. Organization of Information Security

    3.1 Vendor shall establish, implement, and maintain policies, consistent with industry practices and in any event no less than reasonable, and a program of organizational, operational, administrative, physical and Technical and Organizational Security Measures appropriate to (1) prevent any access to CWT’s Confidential Information and Personal Information in a manner not authorized by the Agreement or these Information Security Requirements, and (2) comply with and meet all applicable industry standards. Vendor shall ensure that its security personnel have reasonable and necessary experience in information security.

    3.2 Vendor shall provide an appropriate level of supervision, guidance, and training on the Technical and Organizational Security Measures to Vendor’s Third Parties who require access to CWT’s Confidential Information and Personal Information. Vendor shall provide Technical and Organizational Security Measure training upon hire and prior to accessing Confidential Information and Personal Information. Refresher training shall be provided at least annually and as soon as possible following any material change in Vendor’s Technical and Organizational Security Measures.

    3.3 Vendor’s Third Parties with significant security duties, including but not limited to human resources or information technology functions, and any technology administrator function, shall also receive specialized training specific to their respective roles. Specialized training shall include, as applicable to the role, information security procedures, acceptable use of information security resources, current threats to information systems, security features of specific systems, and secure access procedures.

    3.4 Vendor shall take reasonable steps to prevent unauthorized access to or loss of CWT’s Confidential Information and Personal Information and the services, systems, devices or media containing this information.

    3.5 Vendor shall employ risk assessment processes and procedures to regularly assess systems used to provide services or products to CWT. Vendor shall remediate such risks as soon as reasonably possible and commensurate with the level of risk posed to CWT Confidential Information and Personal Information given threats known at the time of identification. Vendor shall operate a process to enable Vendor’s Third Parties to report risks or suspected incidents to the Vendor security team.

    3.6 To the extent that Vendor’s Third Parties perform services pursuant to the Agreement in CWT facilities or using services, systems, devices or media owned, operated or managed by CWT, Vendor shall comply with all CWT policies made available to Vendor that are applicable to such access.  Vendor shall require all of Vendor’s Third Parties using CWT facilities, services, systems, devices or media to perform services pursuant to the Agreement to comply with all applicable CWT policies. Vendor shall promptly notify CWT in writing when such access is no longer needed, including without limitation when an employee, contractor, subcontractor, or third party of Vendor is no longer performing services under the Agreement or when no longer accessing CWT’s Confidential Information and Personal Information.

    3.7 Vendor shall keep records of Vendor resources that access, transfer, maintain, store, or process CWT Confidential Information and Personal Information.

    3.8  Vendor shall comply with CWT’s background check requirements to the extent needed and permitted by law, and as otherwise set forth in an applicable statement of work/work order/purchase order.


  4. Physical and Environmental Security


    4.1 Vendor shall ensure that all of Vendor’s systems and other resources intended for use by multiple users are located in secure physical facilities with access limited and restricted to authorized individuals only.

    4.2 Vendor shall monitor and record, for audit purposes, access to the physical facilities containing systems and other resources intended for use by multiple users used in connection with Vendor’s performance of its obligations under the Agreement.

    4.3 Vendor shall ensure that all of Vendor’s Third Parties shall sign a non-disclosure or confidentiality agreement with Vendor prior to accessing CWT Confidential Information and Personal Information.

    4.4 Vendor shall require all its personnel to abide by a clean desk policy and lock workstation screens prior to leaving work areas.

    4.5 Vendor shall collect all company assets upon employment termination or contract termination.

    4.6 Vendor shall limit and monitor physical access to its facilities according to the following requirements:

    • Visitor access is logged, and the log is maintained for three (3) months including the visitor’s name, company he/she represents, and the name of the employee authorizing the physical access.
    • Access is restricted to appropriate personnel, based on need-to-know access.
    • All employees must wear a company-provided name badge.
    • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
    • The data center or computer room is locked and access is limited to only those who need access to perform their job duties.
    • Where permitted by law, use video cameras to monitor individual physical access to sensitive areas, and review such data regularly. Video footage must be stored for a minimum of three (3) months.
    • Equipment used to store, process or transmit Personal Information must be physically secured including wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.


    4.7 Vendor shall implement controls to minimize the risk of and protect against physical threats.

    4.8 Vendor shall maintain all hardware assets processing or handling CWT Confidential Information and Personal Information in accordance with the third-party service provider’s recommended servicing requirements.

    4.9 Vendor shall logically restrict conference room and other publicly accessible network jacks from the Vendor’s network, so that they are available only to authenticated users or are disabled by default.

    4.10 Vendor shall protect any device that captures payment card data via direct physical interaction from tampering and substitution by periodically inspecting device surfaces to detect tampering or substitution, and shall provide training so that personnel are aware of attempted tampering with or replacement of devices.

    4.11 Vendor shall control and separate access points such as delivery and loading areas and other points from all centers accessing, managing, storing, or processing CWT Confidential Information and Personal Information.

    4.12 Vendor data centers must have heating, cooling, fire suppression, water detection, and heat/smoke detection devices.

  5. Access Control

    Vendor shall:

    5.1 Take all reasonable steps to prevent anyone from accessing CWT’s Confidential Information and Personal Information in any manner or for any purpose not authorized by CWT and the Agreement. Vendor shall limit access to CWT’s Confidential Information and Personal Information to Vendor’s Third Parties who (1) have a legitimate need to access Confidential Information and Personal Information to provide services pursuant to the Agreement, and (2) have agreed in writing to protect the integrity, availability, and confidentiality of CWT’s Confidential Information and Personal Information.

    5.2 Maintain reasonable procedures to terminate access to CWT’s Confidential Information and Personal Information provided to Vendor Third Parties when it is no longer needed or relevant to the performance of their duties, and prior to the end of employment by Vendor or engagement by CWT.

    5.3 Separate CWT’s information from any other customer’s or Vendor’s own applications and information either by using physically separate servers or alternatively by using logical access controls where physical separation of servers is not implemented.

    5.4 Identify and require appropriate owners to review and approve access to systems used to access, process, manage, or store CWT’s Confidential Information and Personal Information; and shall maintain and track access approvals.

    5.5 Remove access to systems managing CWT Confidential Information and Personal Information within 24 hours of an employee, contractor, subcontractor, or third party terminating their relationship with Vendor; and remove access to such systems within three (3) business days when an employee, contractor, subcontractor, or third party changes job responsibilities within the company. All other user IDs must be disabled or removed after 90 calendar days of inactivity.

    5.6 Routinely review and approve access to systems managing CWT Confidential Information and Personal Information at least quarterly to remove unauthorized access.

    5.7 Restrict system administrator (also known as root, privileged, or super user) access to operating systems intended for use by multiple users only to individuals requiring such high-level access in the performance of their jobs. Use check-out IDs with individual user log-in credentials and activity logs to manage high security access when possible and otherwise reduce high-level access to a highly limited number of users.

    5.8 Require application, database, network, and system administrators to restrict access by users to only the commands, data, systems, and other resources necessary for them to perform authorized functions.

    5.9 Require Strong Authentication for any remote access.

    5.10  Prohibit and employ Technical and Organizational Security Measures to ensure that Vendor’s Third Parties accessing Personal Information cannot copy, move, or store Personal Information onto local hard drives or cut and paste or print Personal Information.

    5.11 Activate use of remote access capabilities only when needed, monitor while in use, and immediately deactivate after use.

    5.12 Require at least two-factor authentication to connect to internal Vendor resources containing CWT Confidential Information and Personal Information. 


  6. Identification and Authentication

    Vendor shall:

    6.1 Assign unique user IDs to individual users and assign authentication mechanisms to each individual account.

    6.2 Use a documented user ID lifecycle management process including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all access to Confidential Information and Personal Information and across all environments (e.g., production, test, development, etc.). Such process shall include review of access privileges and account validity to be performed at least quarterly.

    6.3 Enforce the rule of least privilege (i.e., limiting access to only the commands, information, systems, and other resources necessary to perform authorized functions according to one’s job function).

    6.4 Restrict all access to CWT Confidential Information and Personal Information to those using a valid user ID and password, and require unique user IDs to employ one of the following: password or passphrase, two-factor authentication, or a biometric value.

    6.5 Require password complexity and meet the following password construction requirements: a minimum of eight (8) characters in length for system passwords and four (4) characters for tablet and smartphone passcodes. System passwords must contain three (3) of the following: upper case, lower case, numeric, or special characters. Passwords must not be the same as the user ID with which they are associated, must not contain a dictionary word or sequential or repeated numbers, and must not be one of the past five passwords. Require password expiration at regular intervals not to exceed ninety (90) days. Mask all passwords when displayed.

    6.6 Limit failed login attempts to no more than five (5) failed logon attempts within 24 hours and lock the user account upon reaching that limit in a persistent state. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity.

    6.7 Verify user’s identity and set one-time use and reset passwords to a unique value for each user. Systematically prompt change after first use.

    6.8 Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards).

    6.9 Restrict service account and proxy passwords to a 12 character minimum, including upper case, lower case, and numeric characters, as well as special symbols. Change service account and proxy passwords at least annually.
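    A password construction checker that implements the rules in 6.5 and 6.9 above, added here as an example and not part of CWT’s requirements or any vendor’s code. The word list, the user IDs and the password history are constructed sample data, and PBKDF2 stands in for whatever hash the real credential store uses.

```python
import hashlib
import string

# Constructed sample dictionary; a real check uses a full word list.
DICTIONARY = {"password", "welcome", "summer", "travel", "secret", "admin"}
SPECIALS = set(string.punctuation)


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def has_bad_digit_run(password, run=3):
    """True if `run` adjacent digits are identical, ascending or descending
    (111, 123, 987); this is how 'sequential or repeated numbers' is read here."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not window.isdigit():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_dictionary_word(password, words=DICTIONARY, min_len=4):
    """Case-insensitive substring match against the word list."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def history_digest(password, salt):
    """PBKDF2 digest used only to compare a candidate with stored history entries."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def in_history(password, history, depth=5):
    """history: list of (salt, digest) tuples, oldest first; only the last `depth`
    entries count (6.5: 'not be one of the past five passwords')."""
    return any(history_digest(password, salt) == digest
               for salt, digest in list(history)[-depth:])


def check_system_password(password, user_id, history=()):
    """Return the 6.5 rules the password violates; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if password.lower() == user_id.lower():
        problems.append("same as the user ID")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if has_bad_digit_run(password):
        problems.append("contains sequential or repeated digits")
    if in_history(password, history):
        problems.append("matches one of the past five passwords")
    return problems


def check_service_account_password(password):
    """6.9: 12-character minimum and all four character classes present."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if character_classes(password) < 4:
        problems.append("missing one of the 4 character classes")
    return problems


def check_mobile_passcode(passcode):
    """6.5: tablet and smartphone passcodes need at least 4 characters."""
    return [] if len(passcode) >= 4 else ["shorter than 4 characters"]


if __name__ == "__main__":
    # Constructed history: one previous password, salted and hashed as above.
    salt = b"constructed-salt"
    history = [(salt, history_digest("Old#Pass9x", salt))]
    for candidate in ("Summer2017!", "Old#Pass9x", "Tq7#vLm2pX"):
        print(candidate, check_system_password(candidate, "jdoe", history) or "OK")
```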

    6.10 Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.

    6.11 Use an authentication method based on the sensitivity of CWT’s Confidential Information and Personal Information. Whenever authentication credentials are stored, Vendor shall protect them using Strong Encryption.

    6.12 Configure systems to automatically timeout after a maximum period of inactivity: server (15 minutes), workstation (15 minutes), mobile device (4 hours), Dynamic Host Configuration Protocol (7 days), Virtual Private Network (24 hours).



  7. Information Systems Acquisition, Development and Maintenance

    Vendor shall:

    7.1 For CWT-branded products or services or for products and software developed for CWT, display a warning banner on login screens or pages as specified in writing by CWT.

    7.2 Ensure that all personnel and its Third Parties who may be performing work under the Agreement are in compliance with these Technical and Organizational Security Measures which shall be evidenced by a written agreement no less restrictive than these Information Security Requirements.  

    7.3 Return all CWT-owned or -provided access devices as soon as practicable, but in no event more than fifteen (15) days after the soonest of:

    • expiration or termination of the Agreement;
    • CWT’s request for the return of such property; or
    • the date when Vendor no longer needs such devices.
     
    7.4 Employ an effective application management methodology that incorporates Technical and Organizational Security Measures into the software development process, and ensure that Technical and Organizational Security Measures, as represented in CWT’s software development lifecycle or information security policies, standards, and procedures, are implemented by Vendor in a timely manner.

    7.5 Follow standard development procedures, including separation of access and code between non-production and production environments and associated segregation of duties between such environments.

    7.6 Ensure internal information security controls for software development are assessed regularly and reflect industry best practices, and revise and implement these controls in a timely manner.

    7.7 Manage security of the development process and ensure secure coding practices are implemented and followed, including appropriate cryptographic controls, protections against malicious code, and a peer review process.

    7.8 Conduct penetration testing on functionally complete applications before they are released into production and thereafter at least once every year and after any significant modification to source code or configuration; such testing shall align with OWASP, CERT, SANS Top 25, and PCI-DSS. Remediate any exploitable vulnerabilities prior to deployment to the production environment.

    7.9 Use anonymized or obfuscated data in non-production environments. Never use plain text production data in any non-production environment, and never use Personal Information in non-production environments for any reason. Ensure all test data and accounts are removed prior to production release.

    7.10 When using open source code, software, applications, or services, maintain due diligence in reviewing the resulting code for flaws, bugs, or security issues that may impact the data integrity, availability, or confidentiality of CWT or CWT clients. Vendor shall notify CWT where it uses open source code and provide CWT with the name and version of the open source code.

    7.11 Ensure Vendor will not, under any circumstances, share any code created under the Agreement, regardless of the stage of development, in any shared or non-private environment, such as an open access code repository, regardless of password protection.


  8. Software and Data Integrity

    Vendor shall:

    8.1 In environments where antivirus software is commercially available, have current antivirus software installed and running to scan for and promptly remove or quarantine viruses and other malware from any system or device.

    8.2 Separate non-production information and resources from production information and resources.

    8.3 Ensure teams use a documented change control process for all system changes, including back-out procedures for all production environments and emergency change processes. Include testing, documentation, and approvals for all system changes and require management approval for significant changes in such processes.

    8.4 Build and maintain a PCI zone if Vendor processes or stores card holder data.

    8.5 For applications that utilize a database that allows modifications to CWT’s Confidential Information and Personal Information, have database transaction audit logging enabled and retain database transaction audit logs for a minimum of six (6) months.

    8.6 Review software to find and remediate security vulnerabilities during initial implementation and upon any significant modifications and updates.

    8.7 Perform quality assurance testing for the security components (e.g., testing of identification, authentication and authorization functions), as well as any other activity designed to validate the security architecture, during initial implementation and upon any significant modifications and updates.


  9. System Security

    Vendor shall:

    9.1 Regularly create and update the most recent versions of data flow and system diagrams used to access, process, manage, or store CWT’s Confidential Information and Personal Information.

    9.2 Actively monitor industry resources (e.g. www.cert.org and pertinent software vendor mailing lists and websites) for timely notification of all applicable security alerts pertaining to Vendor’s systems and other information resources.

    9.3 Effectively manage cryptographic keys by restricting access to keys to the fewest custodians necessary; storing secret and private cryptographic keys encrypted with a key at least as strong as the data-encrypting key, separately from the data-encrypting key, in a secure cryptographic device, and in the fewest possible locations. Change cryptographic keys from default at installation and at least every two years, and securely dispose of old keys.

    9.4 Scan externally-facing systems and other information resources, including, but not limited to, networks, servers, and applications, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities at least quarterly and prior to release for applications and for significant changes and any upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards.

    9.5 Scan internal systems and other information resources, including, but not limited to, networks, servers, applications and databases, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities, ensure that such systems and other resources are properly hardened, and identify any unauthorized wireless networks at least quarterly, and prior to release for applications and for significant changes and upgrades within timeframes resulting from risk analyses based upon reasonable and generally accepted IT policies and standards.

    9.6 Maintain a risk rating process for vulnerability assessment findings based on industry best practices and potential impact. All assessment findings with a CVSS score of 4 or higher must be addressed through a formalized method that ensures continuity of risk evaluation.

    9.7 Ensure that all of Vendor’s systems and other resources are and remain ‘hardened’ including, but not limited to, removing or disabling unused network and other services and products (e.g., finger, rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services and products) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar technology.

    9.8 In environments where such technology is commercially available, and to the extent practicable, deploy one or more Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all traffic entering and leaving systems and other resources used in conjunction with the Agreement.

    9.9 Maintain a risk rating process to remediate security vulnerabilities in any system or other resource, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be or is in the process of being exploited. Critical patches with a CVSS score of 7.5 or higher must be installed immediately upon availability and in no event longer than one month after release. Patches with a CVSS score of 4 or higher must be installed within 90 days of release.

    9.10 Conduct generalized penetration testing internally and externally at least annually and after any significant infrastructure or application upgrade or modification.

    9.11 Remove or disable unauthorized software discovered on Vendor’s systems and employ industry standard malware controls, including the installation, regular update and routine use of anti-malware software products on all services, systems and devices that may be used to access CWT’s Confidential Information and Personal Information. Use reliable and industry best practice anti-virus software where practicable and ensure such virus definitions remain updated.

    9.12 Maintain up-to-date software on all services, systems and devices that may be used to access Confidential Information and Personal Information, including appropriate maintenance of operating system(s) and successful installation of reasonably up-to-date security patches.

    9.13 Assign security administration responsibilities for configuring host operating systems to specific individuals.

    9.14 Change all default account names and/or default passwords.


  10. Monitoring

    Vendor shall:

    10.1 Retain log data for CWT Confidential Information and Personal Information for at least 12 months and ensure such data is available to CWT within a reasonable timeframe and upon request, unless specified elsewhere in the Agreement.

    10.2 Record the activities of Vendor’s Third Parties on primary systems containing any CWT Confidential Information and Personal Information.

    10.3 Restrict access for security logs to authorized individuals, and protect security logs from unauthorized modification.

    10.4 Implement a change detection mechanism (e.g. file integrity monitoring) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; configure software to perform critical file comparisons weekly.

    10.5 Review, on at least a weekly basis, all security and security-related audit logs on systems containing CWT Confidential Information and Personal Information for anomalies and document and resolve all logged security problems in a timely manner.

    10.6 Review daily all security events, the logs of system components storing, processing, or transmitting card holder data, the logs of critical system components, and the logs of servers and system components performing security functions.


  11. Security Gateways

    Vendor shall:

    11.1 Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.

    11.2 Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.

    11.3 At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and set of configuration parameters ensures the following:

    • Internet Protocol (IP) source routing is disabled,
    • The loopback address is prohibited from entering the internal network,
    • Anti-spoofing filters are implemented,
    • Broadcast packets are disallowed from entering the network,
    • Internet Control Message Protocol (ICMP) redirects are disabled,
    • All rule sets end with a “DENY ALL” statement, and
    • Each rule is traceable to a specific business request.
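    The seven checks in 11.3 can be expressed as an automated review of a sampled gateway's rule set and kernel parameters, which is how a vendor would realistically cover the six-monthly sample. The block below is an added example written for this page, not CWT's or any vendor's tooling. It assumes a first-match rule set on the external interface, a Linux host acting as the gateway (the `net.ipv4.*` sysctl names are real Linux parameters; appliance firewalls expose the same controls under different names), and the constructed `weak_config()` / `hardened_config()` pairs and the ticket identifiers in them are hypothetical. `audit()` returns one finding per violated check, so an empty list means the sample passed.

```python
import ipaddress
from dataclasses import dataclass

# Sources that must never arrive on the untrusted interface: loopback, RFC 1918,
# link-local, "this network" and the limited broadcast address. Illustrative, not
# an exhaustive bogon list.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "255.255.255.255/32",
)]
BROADCAST = ipaddress.ip_network("255.255.255.255/32")

# Kernel settings that implement "source routing disabled", "ICMP redirects disabled",
# anti-spoofing (strict reverse-path filtering) and "ignore broadcast pings".
EXPECTED_SYSCTL = {
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str = "any"    # "tcp", "udp", "icmp", "any"
    port: str = "any"
    ticket: str = ""      # business request / change ticket justifying the rule


@dataclass
class GatewayConfig:
    name: str
    external_rules: list  # evaluated first-match, top to bottom
    sysctl: dict          # parameter name -> value as reported by the host


def _covers(spec: str, net) -> bool:
    """True if a rule's src/dst spec matches any address in net."""
    return spec == "any" or ipaddress.ip_network(spec, strict=False).overlaps(net)


def _first_match(rules, src=None, dst=None):
    for r in rules:
        if (src is None or _covers(r.src, src)) and (dst is None or _covers(r.dst, dst)):
            return r
    return None


def audit(cfg: GatewayConfig) -> list:
    findings = []
    rules = cfg.external_rules
    # (1) rule set ends with an explicit DENY ALL
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and (last.src, last.dst, last.proto) == ("any", "any", "any")):
        findings.append("rule set does not end with an explicit DENY ALL")
    # (2) every rule traceable to a business request
    for i, r in enumerate(rules):
        if not r.ticket:
            findings.append(f"rule {i} ({r.action} {r.src} -> {r.dst}) has no business-request reference")
    # (3) anti-spoofing and loopback: first rule matching each bogon source must deny it
    for net in BOGON_SOURCES:
        m = _first_match(rules, src=net)
        if m is None or m.action != "deny":
            findings.append(f"packets with source {net} are not explicitly denied before any permit")
    # (4) broadcast must not enter the network
    m = _first_match(rules, dst=BROADCAST)
    if m is None or m.action != "deny":
        findings.append("broadcast destination is not explicitly denied")
    # (5) kernel parameters: source routing, ICMP redirects, reverse-path filter, broadcast echo
    for k, want in EXPECTED_SYSCTL.items():
        got = cfg.sysctl.get(k, "unset")
        if got != want:
            findings.append(f"{k} should be {want}, found {got}")
    return findings


def weak_config() -> GatewayConfig:
    """Constructed: the kind of rule set that fails most of the 11.3 checks."""
    return GatewayConfig("gw-weak", [
        Rule("permit", "any", "203.0.113.10/32", "tcp", "443"),                 # no ticket
        Rule("permit", "any", "203.0.113.20/32", "tcp", "22", ticket="CHG-0900"),
    ], {"net.ipv4.conf.all.accept_source_route": "1", "net.ipv4.conf.all.rp_filter": "0"})


def hardened_config() -> GatewayConfig:
    """Constructed: bogon and broadcast denies first, ticketed permits, explicit DENY ALL."""
    rules = [Rule("deny", str(n), "any", ticket="STD-GW-HARDEN") for n in BOGON_SOURCES]
    rules.append(Rule("deny", "any", str(BROADCAST), ticket="STD-GW-HARDEN"))
    rules.append(Rule("permit", "any", "203.0.113.10/32", "tcp", "443", ticket="CHG-1042"))
    rules.append(Rule("deny", "any", "any", ticket="STD-GW-HARDEN"))
    return GatewayConfig("gw-hardened", rules, dict(EXPECTED_SYSCTL))


if __name__ == "__main__":
    for cfg in (weak_config(), hardened_config()):
        print(cfg.name, audit(cfg) or "PASS")
```

    The ordering matters as much as the rules themselves: a `permit any -> host` that sits above the anti-spoofing denies will still pass loopback- or RFC 1918-sourced packets under first-match semantics, which is why the check looks at the first matching rule rather than merely for the presence of a deny somewhere in the list.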

    11.4 Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.

    Ensure that all Security Gateways are configured and implemented such that all non-operational Security Gateways shall deny all access.

    11.5  Inbound packets from the untrusted external network must terminate within the demilitarized zone (“DMZ”) and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ. The DMZ must be separated from the untrusted external network by use of a Security Gateway and must be separated from the trusted internal network by use of either:

    • another Security Gateway, or
    • the same Security Gateway used to separate the DMZ from the untrusted external network, in which case the Security Gateway must ensure that packets received from the untrusted external network are either immediately deleted or if not deleted are routed only to the DMZ with no other processing of such inbound packets performed other than possibly writing the packets to a log.

    The following must only be located within the trusted internal network:

    • Any CWT Confidential Information and Personal Information stored without the use of Strong Encryption,
    • The official record copy of information to be accessed from requests originating from the untrusted external network,
    • The official record copy of information to be modified as the result of requests originating from the untrusted external network,
    • Database servers,
    • All exported logs, and
    • All environments used for development, test, sandbox, production, and any other such environments; and all source code versions.

    11.6 Authentication credentials not protected by the use of Strong Encryption must not be located within the DMZ.


  12. Network Security

    Vendor shall:

    12.1 Upon CWT’s request, provide to CWT a logical network diagram documenting systems and connections to other resources including routers, switches, firewalls, IDS systems, network topology, external connection points, gateways, wireless networks, and any other devices that shall support CWT.

    12.2 Maintain a formal process for approving, testing, and documenting all network connections and changes to the firewall and router configurations. Configure firewalls to deny and log suspicious packets, and restrict to only allow appropriate and authorized traffic, denying all other traffic through the firewall. Review firewall rules every six months.

    12.3 Install a firewall at each Internet connection and between any DMZ and the internal network zone. Any system storing Personal Information must reside in the internal network zone, segregated from the DMZ and other untrusted networks.

    12.4 Monitor firewall at the perimeter and internally to control and protect the flow of network traffic entering or leaving the border or boundary, as necessary.

    12.5 Maintain a documented process and controls in place to detect and handle unauthorized attempts to access CWT’s Confidential Information and Personal Information.

    12.6 When providing Internet-based services and products to CWT, protect CWT’s Confidential Information and Personal Information by the implementation of a network DMZ. Web servers providing service to CWT shall reside in the DMZ. Any system or information resource storing CWT’s Confidential Information and Personal Information (such as application and database servers) shall reside in a trusted internal network. (Internet services and products Must Use DMZ).

    12.7 Restrict unauthorized outbound traffic from applications processing, storing or transmitting Confidential Information and Personal Information to IP addresses within the DMZ and Internet.

    12.8 When using radio frequency (RF) based wireless networking technologies to perform or support services and products for CWT, Vendor shall ensure that all of CWT’s Confidential Information and Personal Information transmitted is protected by the use of appropriate encryption technologies sufficient to protect the confidentiality of CWT’s Confidential Information and Personal Information; provided, however, that in any event such encryption shall use key lengths of no less than 256 bits for symmetric encryption and 256 bits for asymmetric encryption. (A 256-bit asymmetric key provides that level of protection only with elliptic-curve algorithms; an RSA key of 256 bits offers no meaningful protection, and this figure must not be read as a sufficient RSA key size.) Regularly scan, identify, and disable unauthorized wireless access points.


  13. Connectivity Requirement

    13.1 In the event that Vendor has, or shall be provided, connectivity to CWT’s Confidential Information and Personal Information resources in conjunction with the Agreement, then in addition to the foregoing Vendor shall:

    • Use only the mutually agreed upon facilities and connection methodologies to interconnect CWT’s Confidential Information and Personal Information resources with Vendor’s resources.
    • NOT establish interconnection to CWT’s Confidential Information and Personal Information resources without the prior consent of CWT.
    • Provide CWT access to any applicable Vendor facilities during normal business hours for the maintenance and support of any equipment (e.g., router) provided by CWT under the Agreement for connectivity to CWT’s Confidential Information and Personal Information resources.
    • Use any equipment provided by CWT under the Agreement for connectivity to CWT’s Confidential Information and Personal Information resources only for the furnishing of those services and products or functions explicitly authorized in the Agreement.
    • If the agreed upon connectivity methodology requires that Vendor implement a Security Gateway, maintain logs of all sessions using such Security Gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports/service protocols used and duration of access. These session logs must be retained for a minimum of six (6) months from session creation.

    13.2 In the event that Vendor has, or shall be provided, connectivity to CWT’s Confidential Information and Personal Information resources in conjunction with the Agreement, in addition to other rights set forth herein, permit CWT to:

    • Gather information relating to access, including Vendor’s access, to CWT’s Confidential Information and Personal Information resources. This information may be collected, retained and analyzed by CWT to identify potential security risks without further notice. This information may include trace files, statistics, network addresses, and the actual data or screens accessed or transferred.
    • Immediately suspend or terminate any interconnection to CWT’s Confidential Information and Personal Information resources if CWT, in its sole discretion, believes there has been a breach of security or unauthorized access to or misuse of CWT data facilities or any CWT information, systems, or other resources.

       
  14. Mobile and Portable Devices

    Vendor shall:

    14.1 Use Strong Encryption to protect all of CWT’s Confidential Information and Personal Information stored on Mobile and Portable Devices.

    14.2 Not store Personal Information on mobile devices or laptops and not store CWT Confidential Information and Personal Information on removable devices unless using Strong Encryption.

    14.3 Use Strong Encryption to protect CWT’s Confidential Information and Personal Information transmitted using or remotely accessed by network-aware Mobile and Portable Devices.

    • When using network aware Mobile and Portable Devices that are not laptop computers to access and/or store CWT’s Confidential Information and Personal Information, such devices must be capable of deleting all stored copies of CWT’s Confidential Information and Personal Information upon receipt over the network of a properly authenticated command. (Note: Such capability is often referred to as a “remote wipe” capability.)
    • Have documented policies, procedures and standards in place to ensure that the authorized individual who should be in physical control of a network-aware mobile and portable device that is not a laptop computer and that is storing CWT’s Confidential Information and Personal Information promptly initiates deletion of all CWT’s Confidential Information and Personal Information when the device becomes lost or stolen.
    • Have documented policies, procedures and standards in place to ensure that Mobile and Portable Devices that are not laptop computers and are not network aware shall automatically delete all stored copies of CWT’s Confidential Information and Personal Information after consecutive failed login attempts.

    14.4  Have documented policies, procedures and standards in place which ensure that any Mobile and Portable Devices used to access and/or store CWT’s Confidential Information and Personal Information:

    • Are in the physical possession of authorized individuals;
    • Are physically secured when not in the physical possession of authorized individuals; or
    • Have their data storage promptly and securely deleted when not in the physical possession of authorized individuals nor physically secured, or after 10 unsuccessful access attempts.

    14.5 Prior to allowing access to CWT’s Confidential Information and Personal Information stored on or through the use of Mobile and Portable Devices, Vendor shall have and use a process to ensure that:

    • The user is authorized for such access; and
    • The identity of the user has been authenticated.

    14.6 Implement a policy that prohibits the use of any Mobile and Portable Devices that are not administered and/or managed by Vendor or CWT to access and/or store CWT’s Confidential Information and Personal Information.

    14.7 Review, at least annually, the use of, and controls for, all Vendor-administered or managed Mobile and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable Technical and Organizational Security Measures.


  15. Security in Transit

    Vendor shall:

    15.1 Use Strong Encryption for the transfer of CWT’s Confidential Information and Personal Information outside of CWT-controlled or Vendor controlled networks or when transmitting CWT’s Confidential Information and Personal Information over any untrusted network.

    15.2 For records containing CWT Confidential Information and Personal Information in paper format, microfiche, or electronic media to be physically transferred, transport them by secured courier or other delivery method that can be tracked, packed securely and per manufacturer specifications. Any CWT Confidential Information and Personal Information must be transported in locked containers.


  16. Security at Rest

    16.1 Vendor shall use Strong Encryption to protect CWT Confidential Information and Personal Information when stored.

    16.2 Vendor shall not store CWT Confidential Information and Personal Information electronically outside of Vendor’s network environment (or CWT’s own secure computer network) unless the storage device (e.g., backup tape, laptop, memory stick, computer disk, etc.) is protected by Strong Encryption.

    16.3 Vendor shall not store CWT Confidential Information and Personal Information on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except: (a) for backup, business continuity, disaster recovery, and data interchange purposes as allowed and required under contract, and (b) using Strong Encryption.

    16.4 Vendor shall appropriately store and secure records containing CWT Confidential Information and Personal Information in paper format or microfiche in areas to which access is restricted to authorized personnel.

    16.5 Unless otherwise instructed by CWT in writing, when collecting, generating or creating Confidential Information and Personal Information in paper form and backup media for, through or on behalf of CWT or under the CWT brand, Vendor shall ensure that such information shall be CWT’s Confidential Information and Personal Information and, whenever practicable, label such information of CWT as “Confidential”. Vendor acknowledges that CWT’s Confidential Information and Personal Information shall remain CWT-owned Confidential Information and Personal Information irrespective of labeling or the absence thereof.


  17. Return, Destruction, and Disposal

    17.1 At no additional charge to CWT and upon CWT’s request, Vendor shall provide copies of any of CWT’s Confidential Information and Personal Information to CWT within thirty (30) days of such request. Vendor shall return or, at CWT’s option, destroy all of CWT’s Confidential Information and Personal Information, including electronic and hard copies as provided for in the Agreement or, if not provided for in the Agreement, within ninety (90) days after the soonest of: (a) expiration or termination of the Agreement, (b)  CWT’s request for the return of CWT’s Confidential Information and Personal Information, or (c) the date when Vendor no longer needs CWT’s Confidential Information and Personal Information to perform services and products under the Agreement.

    17.2 In the event that CWT approves destruction as an alternative to returning CWT’s Confidential Information and Personal Information, then Vendor shall certify in writing the destruction as rendering CWT’s Confidential Information and Personal Information non-retrievable and unrecoverable. Vendor shall completely destroy all copies of CWT Confidential Information and Personal Information at all locations and in all systems where CWT Confidential Information and Personal Information is stored, including but not limited to previously approved Vendor Third Parties. Such information shall be destroyed following an industry standard procedure for complete destruction such as DoD 5220.22-M or NIST Special Publication 800-88, or using a manufacturer-recommended degaussing product for the system affected. (Degaussing is effective only on magnetic media; flash-based media such as SSDs and USB drives must be sanitized by the methods NIST Special Publication 800-88 specifies for that media type.) Prior to such destruction, Vendor shall maintain all applicable Technical and Organizational Security Measures to protect the security, privacy and confidentiality of CWT’s Confidential Information and Personal Information.

    17.3 Vendor shall dispose of CWT Confidential Information and Personal Information in a manner that ensures the information cannot be reconstructed into a usable format. Papers, slides, microfilm, microfiche and photographs must be disposed by cross-shredding or burning. Materials containing CWT Confidential Information and Personal Information awaiting destruction must be stored in secured containers and be transported using a secure third party.


  18.  Retention

    18.1 In all cases, Vendor is responsible for validating appropriate retention requirements with CWT contacts prior to acquiring any CWT Confidential Information and Personal Information and consistent with any statement of work or purchase order.

    18.2 Vendor shall secure any backup copies of CWT’s Confidential Information and Personal Information automatically created by Vendor’s or third party’s services, systems, devices or media (“Archival Copies”). Unless otherwise provided for in the Agreement, within 90 calendar days of expiration or termination of the Agreement or sooner if reasonably requested by CWT, Vendor shall securely destroy all Archival Copies of CWT’s Confidential Information and Personal Information, following an industry standard procedure at least as restrictive as DoD 5220.22-M or NIST Special Publication 800-88.


  19. Incident Response and Notification

    Vendor shall:

    19.1 Have and use an Incident Management Process and related procedures and staff such Incident Management Process and procedures with specialized resources. Immediately, and in no event later than twenty-four (24) hours after detection, notify CWT whenever there is any suspected or confirmed attack upon, intrusion upon, unauthorized access to, loss of, or other incident regarding CWT’s information, systems, or other resources.

    19.2 After notifying CWT, provide CWT with regular status updates, including, but not limited to, actions taken to resolve such incident, at mutually agreed upon intervals or times for the duration of the incident and as soon as reasonably possible after the closure of the incident, provide CWT with a written report describing the incident, actions taken by the Vendor during its response and Vendor’s plans for future actions to prevent a similar incident from occurring.

    19.3 Vendor shall not report or publicly disclose any such breach of CWT’s information, systems, or other resources without first notifying CWT and working directly with CWT to notify applicable regional, country, state, or local government officials or credit monitoring services, individuals affected by such breach, and any applicable media outlets, as required by law.

    19.4 Vendor shall have a process in place to promptly identify violations of security controls including those set forth in these Information Security Requirements by Vendor personnel.  Vendor personnel so identified shall be subject to appropriate disciplinary action subject to the applicable laws. Notwithstanding the foregoing, Vendor personnel shall remain under the authority of the Vendor. CWT shall not be deemed employer of the Vendor personnel.


  20.  Business Continuity Management and Disaster Recovery

    Vendor shall:

    20.1 Develop, operate, manage, and revise business continuity and disaster recovery plans in order to minimize the impact on CWT of any disruption to Vendor’s services or products. Such plans shall include:

    • named resources specific to Business Continuity and Disaster Recovery functions,
    • established recovery time objectives and recovery point objectives,
    • daily back-up of data and systems,
    • off-site storage of backup media and records, and
    • record protection and contingency plans commensurate with the requirements of the Agreement.

    Vendor shall store such plans securely off-site and ensure they are available to Vendor as needed.

    20.2 Upon CWT’s request, furnish to CWT a documented business continuity plan that ensures Vendor can meet its contractual obligations under the Agreement, including the requirements of any applicable statement of work or service level agreement. Such plans shall exercise recovery while protecting integrity and confidentiality of CWT Confidential Information and Personal Information.

    20.3 Have documented procedures for the secure backup and recovery of CWT’s Confidential Information and Personal Information which shall include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of CWT’s Confidential Information and Personal Information and, upon CWT’s request, provide such documented procedures to CWT.

    20.4 Ensure that backups of all stored CWT Confidential Information and Personal Information, and of the software and configurations of systems used by CWT, are created at least once a week.

    20.5 Regularly, at least annually, or following any material change in business continuity or disaster recovery plans, comprehensively exercise such plans at Vendor’s sole cost and expense. Such exercises shall ensure proper functioning of impacted technologies and internal awareness of such plans.

    20.6 Promptly review its business continuity plan to address additional or emerging threat sources or scenarios and provide CWT a high level summary of plans and testing within a reasonable timeframe upon request.

    20.7 Ensure that all Vendor or Vendor-contracted locations housing or processing CWT Confidential Information and Personal Information are monitored 24 hours a day, seven (7) days per week against intrusion, fire, water, and other environmental hazards.


  21.  Compliance and Accreditations

    21.1 Vendor shall retain complete and accurate records relating to its performance of its obligations arising out of these Information Security Requirements and Vendor’s compliance herewith in a format that shall permit assessment or audit for a period of no less than three (3) years or longer as may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the foregoing, Vendor shall only be required to maintain security logs for a minimum of six (6) months after any continuing performance of the Agreement.

    21.2 CWT may, at no additional cost to CWT, upon reasonable advance notice, conduct periodic security assessments or audits of the Technical and Organizational Security Measures used by Vendor, during which CWT shall provide Vendor with written questionnaires and requests for documentation. For all requests, Vendor shall respond with a written response and evidence, if applicable, immediately or upon mutual agreement. Upon CWT’s request for an audit by CWT, Vendor shall schedule a security audit to commence within ten (10) business days from such request. CWT may require access to facilities, systems, processes, or procedures to evaluate Vendor’s security control environment.

    21.3 Upon CWT’s request, Vendor shall certify it is in compliance with this document along with supporting certifications for the most recent versions of PCI-DSS, ISO 27001/27002, SOC 2, or similar assessment for the Vendor and for any subcontractor or third party processing, accessing, storing, or managing on behalf of the Vendor.  If Vendor is not able to certify compliance, it shall provide a written report detailing where it is out of compliance and its remediation plan to become compliant.

    21.4 In the event that CWT, in its sole discretion, deems that a security breach has occurred which was not reported to CWT in compliance with this document and Vendor’s Incident Management Process, Vendor shall schedule the audit or assessment to commence within twenty-four (24) hours of CWT’s notice requiring an assessment or audit.

    21.5 Within thirty (30) calendar days of receipt of the assessment results or audit report, Vendor shall provide CWT a written report outlining the corrective actions that Vendor has implemented or proposes to implement with the schedule and current status of each corrective action. Vendor shall update this report to CWT every thirty (30) calendar days reporting the status of all corrective actions through the date of implementation. Vendor shall implement all corrective actions within ninety (90) days of Vendor’s receipt of the assessment or audit report or within an alternative time period provided such alternative time period has been mutually agreed to in writing by the parties within no more than thirty (30) days of Vendor’s receipt of the assessment or audit report.

    21.6 Vendor shall be currently compliant and continue to be compliant with any applicable government mandated information security standards and reporting requirements and ISO 27001/27002. To the extent that Vendor handles payment account numbers or any other related payment information, Vendor shall be currently compliant with the most current version of Payment Card Industry (PCI-DSS) for the full scope of systems handling this information and continue such compliance. In the event Vendor no longer is compliant with PCI-DSS for any portion of the full scope of systems handling PCI-applicable data, Vendor will promptly notify CWT, immediately proceed without undue delay to remedy such non-compliance, and provide regular status of such remediation to CWT upon request.


  22.  Standards, Best Practices, Regulations, and Laws

    In the event Vendor processes, accesses, views, stores, or manages CWT Confidential Information and Personal Information pertaining to CWT personnel, partners, Affiliates; CWT clients; or CWT client employees, contractors, or subcontractors; Vendor shall employ Technical and Organizational Security Measures no less strict than is required by applicable global, regional, country, state, and local guidelines, regulations, directives and law.


  23. Modification

    CWT reserves the right to update or modify these Information Security Requirements from time to time by posting the latest version on CWT’s website.