Cyber Security Policy Manual

POLICY

1) Risk assessments must be conducted annually to identify risks to City of Greensboro's systems, including card payment systems and terminals, and to implement controls that mitigate the identified risks. The risk assessment must take into consideration business objectives, compliance changes and evolving security threats. The City of Greensboro cyber security strategy must be defined according to the identified risks and must focus on minimizing these risks to an acceptable level.

2) The City's Cyber Security Team must ensure that all cyber security controls developed and implemented comply with all standards and requirements as defined in the latest version of the Payment Card Industry Data Security Standard (PCI-DSS).

3) The City of Greensboro must undergo annual Payment Card Industry (PCI) audits by the Cyber Security Team to ensure that proper security controls are implemented to protect card payment information traversing the City's systems and network.

4) An IT compliance program must be established to ensure compliance with laws, regulations, policies and standards. Monthly, quarterly, semi-annual and annual compliance activities must be conducted to identify and mitigate compliance deficiencies.

5) All departments accepting and processing card payments must participate in annual Payment Card Industry (PCI) audits and provide all required documentation to ensure compliance.

6) Accepting and processing card payments must be conducted only by authorized individuals who have been properly trained by the Cyber Security Team on handling card payments.

7) All departments accepting and processing card payments must only accept card payments using payment terminals that have EMV chip technology and support point-to-point encryption (P2PE). Payment terminals must be approved by the City's merchant service provider.

8) Card payment information must not be stored in systems residing on the City's network because of the increased risk and liability this may present.

9) Downloading and installing software on computers that process card payments is prohibited. IT must be notified to conduct a software review and ensure the software is safe to install.

10) Physical documents containing payment information must not be left unattended on desks and must be stored in locked cabinets. If physical documents are no longer needed, they must be disposed of using shredders or secured disposal bins.

11) All computer screens of computers that process card payments must be locked immediately if the computer is left unattended.

12) Theft or suspected theft of card payment information must be reported to the City's Cyber Security Team immediately so that action can be taken to reduce the impact of such incidents.
