FOS Hosting Technical and Organizational Measures

Last Updated: April 15, 2024

FOS Hosting is responsible for the security measures set out in the Agreement and, in addition, will maintain and implement the following technical and organizational measures concerning the security of the Customer Configuration.

1. Physical Security.

Reference

Physical Security – Control Description

A.1. Policy

FOS Hosting will maintain a formal physical and environmental security program for any FOS Hosting operated facilities used to perform the Services.

A.2. Access

Visitors to FOS Hosting facilities used to perform the Services will be required to check in with reception/security before being granted access to FOS Hosting facilities. The visitor log will be compiled and reviewed in the event of an incident. Visitors without a government-issued ID will be denied access to FOS Hosting facilities used to perform the Services. Visitor badges are used to identify visitors at FOS Hosting facilities.

A.3. Security

Controlled building access and secure access to specific areas of FOS Hosting operated facilities used to perform the Services will be enforced through the administration of proximity-based access cards and biometric hand scanners or other approved security authentication methods. FOS Hosting will use proximity cards at its facilities used to provide Services to appropriately secure access to buildings and sensitive areas. Physical access is disabled within the timeframe specified by a maintained access termination standard when physical access is no longer needed due to termination of employment or Services. To effectively manage physical security incidents, an incident response process has been instituted to respond to and document physical security incidents at FOS Hosting operated facilities used to perform the Services.

2. System Security.
  • Access Controls.

Reference

Access Controls – Control Description

B.1.1. Access & Bastions

For Hosted Systems: FOS Hosting’s access to the Customer Hosted System and Customer VLANs will occur through dedicated bastion servers designed for this purpose, and FOS Hosting employees will authenticate with the bastion server using a dedicated user ID (including the assigned corporate SSO credential) and a two-factor authentication mechanism.

For Customer Configurations other than Hosted Systems: FOS Hosting’s access to the control panel permitting access to the Customer Configuration will require two-factor authentication, will be managed through FOS Hosting’s LDAP Active Directory group, and will be limited to support personnel and those ancillary services teams at FOS Hosting who require that access to provide or support the Services. Network security group rules are maintained on the Customer Configuration subnets to allow access over established RDP and SSH ports for remote administration. In addition, the Customer Configuration bastion subnet is locked down to only allow remote access from the FOS Hosting Support Bastions. FOS Hosting manages and leverages local server users, tied back to established corporate identities. Server authentication requests are directed to a known FOS Hosting ADFS endpoint for dual-factor authentication. As part of the user authentication flow, local user accounts are only enabled when an authenticated access request is granted and are constrained to the requested device. The FOS Hosting support team maintains a list of approved technicians who can execute the user access workflow.

B.1.2. Access Review

FOS Hosting will maintain a formal program to review access to the Customer Configuration by any FOS Hosting employee (“Access Review Program”). This does not include additional logging at the server, device, or instance level (which a customer can enable at their option or request assistance with as part of the Services). The Access Review Program is designed to ensure that no active IDs or accounts exist that are not linked to one or more FOS Hosting Personnel; that IDs or accounts for terminated FOS Hosting Personnel are deleted as appropriate; and that FOS Hosting is complying with its access provisioning process.

B.1.3. Remote Access

FOS Hosting personnel may use a Virtual Private Network (VPN) utilizing two-factor authentication (RSA token and password) to connect remotely to FOS Hosting networks. Once inside the FOS Hosting network, support staff members are required to go through a second level of authentication through the FOS Hosting Support Bastion/jump hosts/gateway servers to access Customer Configurations.

B.1.4. Password Policy

FOS Hosting will maintain a formal policy concerning the requirements for password and authentication regarding FOS Hosting’s access to Customer Configurations and the FOS Hosting Shared Infrastructure (“Password Policy”). The Password Policy will provide for a secure method of assigning and selecting passwords or require the use of unique identifier technologies (e.g., biometrics or token devices); require control of data security passwords to ensure that those passwords are kept in a location or format that does not compromise the security of the data they protect; require FOS Hosting to prevent or limit users from further access after a number of unsuccessful attempts to gain access; ensure that access to each user account relating to the FOS Hosting Shared Infrastructure meets: (a) the authentication requirements set out in the Agreement and (b) if and to the extent not otherwise set out in the Agreement, industry standards (two-factor authentication when accessing FOS Hosting Shared Infrastructure from the Internet); and ensure that all FOS Hosting managed computing devices will be configured to lock (i.e., prevent access to the computing device) after a period of inactivity (which period of inactivity will be no longer than 15 minutes or the applicable period set out in the Agreement), requiring users of the applicable computing device to enter their credentials to regain access to the computing device.

B.1.5. Encryption or Pseudonymization

Customer may employ encryption of data stored within the Customer Configuration by electing to purchase or use capabilities provided by FOS Hosting or otherwise obtained by Customer from nonparties.

  • Vulnerability Assessments.

Reference

Vulnerability Assessments – Control Description

B.2.1. Customer Testing

Subject to FOS Hosting’s written consent (for Hosted Systems) or the agreement of any applicable Third-Party Cloud provider (for Third-Party Cloud infrastructure), Customer may perform network and application security scans that test the Customer Configuration for one or more of the following: (a) security vulnerabilities, (b) denial of service vulnerabilities, (c) system access, and (d) other intrusive activities including password cracking. Unless identified in the Service Order, the Services do not include support for those activities. If, as a result of those activities, Customer identifies any vulnerabilities on the FOS Hosting Shared Infrastructure, FOS Hosting will correct any discovered vulnerabilities on the FOS Hosting Shared Infrastructure within a reasonable timeframe or as otherwise required by the Agreement.

B.2.2. Monitoring, AoC

FOS Hosting will perform ongoing monitoring and testing of the FOS Hosting Shared Infrastructure (to include vulnerability scanning, scheduled penetration testing, and maintenance) under applicable PCI standards and applicable FOS Hosting Policies and Standards (“Vulnerability Assessments”). FOS Hosting will make available its Attestation of Compliance to Customer on an annual basis.

  • System Defense.

Reference

System Defense – Control Description

B.3.1. General

FOS Hosting will: (a) use reasonably current security measures (including IDS/IPS, virus and malware scanning, and cryptographic and key management processes) designed to protect the FOS Hosting Shared Infrastructure; (b) secure web servers used by FOS Hosting to provide the Services and the FOS Hosting customer portal to reduce the risk of infiltration, access penetration by, or exposure to, a nonparty by (i) protecting against intrusions, (ii) securing those servers, and (iii) protecting against intrusions of operating system software, in each case under the FOS Hosting Policies and Standards; (c) maintain patching practices for the FOS Hosting Shared Infrastructure under the FOS Hosting Policies and Standards; and (d) maintain current firewalls around the FOS Hosting Shared Infrastructure and provide general maintenance and monitoring of those firewalls and active 24/7 monitoring of those firewalls to identify attempted unauthorized access to the FOS Hosting Shared Infrastructure.

B.3.2. DDoS Mitigation

FOS Hosting will use several tools to detect and trace network-wide anomalies, including denial-of-service (DoS) attacks and worms against the FOS Hosting Shared Infrastructure. Access control lists (ACLs) are used on Internet edge routers to mitigate distributed denial of service (DDoS) attacks against the FOS Hosting Shared Infrastructure. Through network-wide, router-based sampling, FOS Hosting will evaluate existing and potential threats by aggregating traffic from across the FOS Hosting Shared Infrastructure. To help maintain the integrity of the FOS Hosting Shared Infrastructure and prevent disruption to support operations, FOS Hosting will continuously monitor connectivity and performance for multiple bandwidth providers, including routers and switches. FOS Hosting will use fully redundant routing and switching equipment for the core networking infrastructure elements of the FOS Hosting Shared Infrastructure.

B.3.3. Separation

FOS Hosting will use logically separate networks (VLANs) for internal traffic, administering customer environments from specified networks within the FOS Hosting Shared Infrastructure.

B.3.4. Role-Based Access Controls

FOS Hosting will secure access to core networking infrastructure elements of the FOS Hosting Shared Infrastructure using the inherent access control functionality in TACACS+/ACS software (or equivalent). Administrator access to network devices supporting FOS Hosting Shared Infrastructure is limited to authorized FOS Hosting Personnel. New administrator access to network devices supporting FOS Hosting infrastructure is granted through a maintained new user creation process. Access is role-based, and deviations require managerial approval. TACACS+/ACS (or equivalent) access lists are reviewed periodically to verify that those users on the list still require access to network devices. Any discrepancies found are corrected.

B.3.5. Security Services

FOS Hosting will provide a firewall, IDS, and any other security devices in Customer’s dedicated Hosted System only if Customer purchases those devices and then under the applicable Product Terms for those devices.

B.3.6. FOS Hosting Support Bastion Security

FOS Hosting will maintain a formal program to ensure that the FOS Hosting Support Bastions used to access the Customer Configuration have malicious software protections in place, are maintained in good technical working order, are regularly scanned for vulnerabilities, and are patched with the latest applicable software updates.

B.3.7. Policy, Demarcation

FOS Hosting will maintain a formal program for securing access to the FOS Hosting Shared Infrastructure and ensure all access points and boundaries to FOS Hosting’s network are clearly documented and protections against unauthorized access are implemented.

3. Incident Response.

Reference

Incident Response – Control Description

C.1. Notification

FOS Hosting will report to Customer in writing, as soon as reasonably practicable and in accordance with law, any material breach of the Customer Configuration security of which FOS Hosting becomes aware that results in unauthorized access to Customer Data and in the destruction, loss, unauthorized disclosure, or alteration of Customer Data. On request, FOS Hosting will promptly provide to Customer all relevant information and documentation that FOS Hosting has available regarding the Customer Configuration for any security incident. FOS Hosting is not obligated to notify Customer of routine security alerts concerning the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) except as otherwise specifically set out in the Agreement. FOS Hosting will follow the standard incident procedures defined in FOS Hosting’s Policies and Standards.

C.2. Policy

FOS Hosting responds to security incidents identified on the FOS Hosting Shared Infrastructure with a defined process to rate and remediate those incidents within reasonable timeframes depending on the severity of the incident and maintains a documented process to report, evaluate, and respond to security incidents (“Management of Information Security Incidents Policy”).

4. Personnel Controls.

Reference

Personnel Controls – Control Description

D.1. Screening

FOS Hosting will screen individuals with access to organizational information systems when the role or position of those individuals with FOS Hosting provides access to Customer Data and as otherwise required by the Agreement. FOS Hosting will conduct the appropriate level of background screening required by ISO/PCI DSS, as applicable to FOS Hosting. FOS Hosting will maintain documentation that validates that FOS Hosting has completed the appropriate level of screening requirements. FOS Hosting will maintain and follow a written procedure for how FOS Hosting will comply with the screening requirements, which will be available for review by Customer on request.

D.2. Removal

If an employee satisfies the screening requirements, but FOS Hosting later becomes aware of any information that would result in an employee failing any of the screening requirements, FOS Hosting will promptly suspend or remove the employee’s access to Customer Data and prohibit the employee from performing any Services for Customer involving access to Customer Data in accordance with any requirements under the Agreement.

D.3. Policy

FOS Hosting will maintain documented and monitored procedures that define appropriate IT security-related roles and responsibilities for FOS Hosting Personnel; ensure that FOS Hosting Personnel have access only to the systems they have a business need and authorization to use; prohibit the copying of Customer Data to any portable physical device of any kind for access of Sensitive Data outside of a FOS Hosting controlled access facility; identify an owner for critical systems and responsibilities for key tasks and assign those tasks to individuals capable of performing them as they relate to the FOS Hosting Shared Infrastructure; include security responsibilities and confidentiality provisions within FOS Hosting employees’ terms of employment; retain documentation of security awareness training, confirming the completion of this training for each member of FOS Hosting Personnel engaged in providing the Services requiring access to Customer Data; control the creation, change, and termination of FOS Hosting Personnel user accounts; and maintain a disciplinary process for policy violations.

D.4. Awareness

As part of implementing and providing ongoing support for its information security policies, FOS Hosting requires all FOS Hosting Personnel to participate in training and awareness sessions that reinforce the importance of security within FOS Hosting’s organization. FOS Hosting will maintain an ongoing security awareness program for employees to provide updated guidance and practice information on (a) securing data and assets and (b) threat reports. FOS Hosting will release regular notifications to employees focusing on prominent security issues.

D.5. Competence

FOS Hosting will maintain 24/7 staffing to support FOS Hosting Shared Infrastructure systems critical to FOS Hosting’s performance of the Services under the Agreement, including staffing support and data center operations teams with technicians certified in various areas of expertise.

D.6. Hiring

FOS Hosting will base hiring decisions on factors relevant to the performance of FOS Hosting’s obligations under its customer agreements, including evaluating educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior.

5. Data Center Controls – FOS Hosting Shared Infrastructure.

Reference

Data Center Controls – Control Description

E.1. Environmental Controls

FOS Hosting Shared Infrastructure data center facilities are equipped with redundant HVAC units to maintain consistent temperature and humidity levels. FOS Hosting Shared Infrastructure HVAC systems are inspected regularly, and air filters are changed as needed. Redundant lines of communication exist within the FOS Hosting Shared Infrastructure to telecommunication providers, providing FOS Hosting customers with failover communication paths in the event of a data communications interruption. FOS Hosting Shared Infrastructure data centers are equipped with sensors to detect environmental hazards, including smoke detectors and floor water detectors. FOS Hosting Shared Infrastructure data centers are also equipped with raised flooring to protect hardware and communications equipment from water damage. FOS Hosting Shared Infrastructure data centers are equipped with fire detection and suppression systems and fire extinguishers. Fire detection systems, sprinkler systems, and chemical fire extinguishers in the FOS Hosting Shared Infrastructure are inspected annually. FOS Hosting Shared Infrastructure data center facilities are equipped with uninterruptible power supplies (UPS) to mitigate the risk of short-term utility power failures and fluctuations. The FOS Hosting Shared Infrastructure UPS power subsystem is at least N+1 redundant with instantaneous failover in the event of a primary UPS failure. The FOS Hosting Shared Infrastructure UPS systems are inspected, serviced, or both at least annually. FOS Hosting Shared Infrastructure data center facilities are equipped with diesel generators to mitigate the risk of long-term utility power failures and fluctuations. FOS Hosting Shared Infrastructure generators are tested at least every 120 days internally and tested at least annually by a third-party contractor to maintain proper operability in the event of an emergency.

E.2. Physical Controls

FOS Hosting Personnel are on duty at FOS Hosting operated data center facilities 24 hours a day, seven days a week. FOS Hosting Personnel are required to display their identity badges at all times when onsite at FOS Hosting facilities. Two-factor authentication is used to gain access to the server room floors of FOS Hosting Shared Infrastructure. Electromechanical locks within FOS Hosting Shared Infrastructure are controlled by biometric authentication (e.g., biometric scanner) and keycard/badge. Only authorized personnel have access to FOS Hosting operated data center facilities. Closed-circuit video surveillance has been installed at entrance points on the interior and exterior of the buildings housing FOS Hosting operated data centers and is monitored by authorized personnel. The CCTV retention period is at least 90 days.

6. Media Protection – Hosted Systems.

Reference

Media Protection – Control Description

F.1. Single-Pass

FOS Hosting will zero-fill (meaning to format the hard disk drive by filling all available sectors with zeroes) any hard disk drive dedicated to Customer’s use as part of a Hosted System before re-using the hard disk drive in a FOS Hosting data center.

F.2. Physical Destruction

On Customer’s written request, FOS Hosting will destroy (by hole punch, degaussing, or other mechanisms) any media dedicated to Customer’s use as part of a Hosted System, and FOS Hosting will provide documentation or certification to Customer of that destruction. FOS Hosting may charge Customer a fee for those Services at its then-current rates as applicable.

F.3. Multi-Pass

Customer may designate the hard drives dedicated to Customer’s use as part of a Hosted System as requiring a three-pass wipe (on failure where possible, or on replacement or cancellation) on written notice to the FOS Hosting account manager. FOS Hosting will perform a three-pass wipe on that media on a failure, replacement, or cancellation event, and Customer will reimburse FOS Hosting at FOS Hosting’s then-current rates for those Services.

F.4. Geographic

F.5. Control

Except in the case of a consolidation of FOS Hosting data center facilities or as otherwise specifically stated in the Agreement, FOS Hosting will not relocate the Customer’s Hosted System from a FOS Hosting data center in one country to another without Customer’s express written permission. The parties acknowledge that off-site backup involves transporting encrypted media containing Customer Data to a third-party site.

7. Risk Assessment Controls.

Reference

Risk Assessment Controls – Control Description

G.1. Policy

FOS Hosting will incorporate risk management throughout its business operations. FOS Hosting will conduct internal information security risk assessments regarding FOS Hosting Shared Infrastructure.

G.2. Oversight

FOS Hosting will manage identified risks to the FOS Hosting Shared Infrastructure on an ongoing basis through formal project management processes, provide an overall strategic plan, and operationalize that plan.

G.3. Review

FOS Hosting will assign managerial and supervisory personnel to be responsible for monitoring the quality of internal FOS Hosting Shared Infrastructure security control performance as a routine part of their job responsibilities. FOS Hosting’s management will review key reports to verify appropriate actions have been taken.

G.4. Assessments

FOS Hosting will undertake security risk assessments per the FOS Hosting Policies and Standards regarding FOS Hosting Shared Infrastructure and FOS Hosting corporate networks. The risk assessment includes: (a) identifying and assessing reasonably foreseeable internal and external threats and risks to the privacy, confidentiality, security, integrity, and availability of personal information; (b) assessing the likelihood of, and potential damage that can be caused by, identified threats and risks; (c) assessing the adequacy of and compliance with personnel training concerning FOS Hosting’s information security program; (d) assessing the adequacy of service provider arrangements; (e) adjusting and updating FOS Hosting’s information systems and information security program to limit and mitigate identified threats and risks and to address material changes in relevant technology, business practices, personal information practices, and sensitivity of personal information that FOS Hosting processes; and (f) assessing whether FOS Hosting’s information security program is operating in a manner reasonably calculated to prevent and mitigate information security incidents.

8. Change & Configuration Management Controls.

Reference

Change & Configuration Management Controls – Control Description

H.1. Process

FOS Hosting will cooperate in good faith with Customer to create a run book or account management guidelines (“Run Book”), which will contain the controls applicable to system or network changes and detail the system or change management process as agreed on with Customer. FOS Hosting will provide Customer with a mechanism to apply patches to the Hosted System and will apply patches at Customer’s request, as stipulated in the Run Book.

H.2. Run Book

FOS Hosting will make the Run Book and any attendant documentation available to Customer promptly on Customer’s request, will update the Run Book with any reasonable process management controls for the Customer Configuration requested by Customer, and will otherwise cooperate with Customer in good faith to review or implement those system/network change management processes for the Customer Configuration as Customer requests.

H.3. Windows

FOS Hosting will maintain change windows for implementing or completing system/network changes to the Customer Configuration that comply with any change window requirements in the Agreement.

H.4. Approval, History

Customer is required to approve material changes to be made by FOS Hosting to the Customer Configuration before the change is implemented, except in the cases of predefined proactive FOS Hosting Shared Infrastructure maintenance, urgent security patches and fixes, downtime events where Customer cannot be reached (or has provided prior approval for action), and emergency maintenance (in which case FOS Hosting will provide Customer with reasonable notice of that change activity). The ticket history associated with the FOS Hosting account will be available for review through the FOS Hosting customer portal, thus providing a history of changes to the Customer Configuration performed by the FOS Hosting support team.

9. Business Continuity Planning.

Reference

Business Continuity Planning – Control Description

I.1. Policy

FOS Hosting maintains an Information Security Aspects of Business Continuity Policy that includes defined requirements for information security and continuity of information security management for FOS Hosting Shared Infrastructure during FOS Hosting business recovery events; a defined management structure to prepare for, mitigate, and respond to a FOS Hosting business recovery event involving FOS Hosting Shared Infrastructure using personnel with the necessary authority, experience, and competence; and regular verification, review, and testing of defined information security continuity controls related to the FOS Hosting Shared Infrastructure.

I.2. BCP

FOS Hosting maintains an internal business continuity plan designed to permit FOS Hosting to resume its business operations after an interruption (“Business Continuity Plan”). This Business Continuity Plan does not cover Customer Configuration directly (is no substitute for redundancy or data backup, and in no way guarantees the restoration of the Customer Configuration or any Customer Data in the event of severe business interruption).