Etchinghill Golf Club
INFORMATION SECURITY POLICY
Membership Agreement and Understanding
* By joining you consent to Etchinghill Golf Club retaining your personal information for the duration of your membership as defined below in the Information Security Policy.
* By joining you consent to Etchinghill Golf Club processing your personal information, including any legitimate third-party processing, as defined below in the Information Security Policy.
1 Introduction
2 Acceptable Use Policy
3 Disciplinary Action
4 Protect Stored Data
5 Access to the sensitive data
6 Physical Security
7 Disposal of Stored Data
8 Security Awareness and Procedures
9 System and Password Policy
10 Anti-virus policy
11 Patch and Updates Policy
12 Change Control Process
13 Penetration and Vulnerability testing methodology
14 User Access Management
15 Access Control Policy
Appendix A
List of EGC Service Providers
1 INTRODUCTION
This policy document covers all aspects of security surrounding confidential Etchinghill Golf Club (EGC) information and should be distributed to all EGC Officers and committee members. All EGC Officers should read this document in its entirety and confirm that they have read and fully understand it. The EGC committee will review this document regularly and update it where necessary, in particular to incorporate newly developed security standards.
EGC uses online services to administer the organisation of golf for club members based at Etchinghill Golf Club, Canterbury Road, Lyminge. All systems used by EGC are cloud-based and are wholly hosted and maintained by service providers. No members' personal data is held or stored on the premises at EGC. This information security policy is intended as a blanket policy and therefore includes policy relating to infrastructure even where that infrastructure does not currently exist at EGC.
EGC uses the services of Club Systems, Clear Accept and England Golf, and is responsible for ensuring that the service providers who store EGC member data and member payment card information on behalf of EGC do so in accordance with this EGC Information Security Policy or their own Information Security Policy.
Officers within EGC are authorised to access the systems provided to EGC by the service providers using their personal electronic devices (PCs, laptops and mobile devices) with their own usernames and passwords. In some cases club Officers have the capability to download member personal data, but in no case do any club Officers have the capability to either access or store member payment card data.
EGC handles sensitive cardholder information daily through its association with the third-party company Clear Accept. Clear Accept, or any other service provider acting on behalf of EGC, must have adequate safeguards in place to protect that information, to protect cardholder privacy, to ensure compliance with the relevant regulations and to guard the future of the organisation. For the avoidance of doubt, EGC does not directly store or have access to any cardholder data. Card transactions and the data associated with them are handled entirely by the service providers that EGC partners with.
EGC commits to respecting the privacy of all its members and to protecting any data about members from outside parties. To this end the officers and committee are committed to maintaining a secure environment in which to process cardholder information so that we can meet these objectives.
Service providers handling sensitive cardholder data should ensure that they:
• Handle EGC and cardholder (member) information in a manner that fits its sensitivity;
• Do not disclose personnel information unless authorised;
• Protect sensitive cardholder information;
• Keep passwords and accounts secure.
Any information security incidents experienced by club Officers must be reported, without delay, to the EGC Chairperson / Secretary and Treasurer and escalated to the appropriate service provider immediately.
We each have a responsibility for ensuring the EGC systems and data are protected from unauthorised access and improper use. If there is any doubt or lack of clarity about any of the policies detailed herein advice should be sought from the EGC Chairperson / Secretary or Treasurer.
2 ACCEPTABLE USE POLICY
EGC's intention in publishing an Acceptable Use Policy is not to impose restrictions that are contrary to EGC's established culture of openness, trust and integrity. The officers and committee are committed to protecting the members, partners and EGC from illegal or damaging actions by individuals, whether knowing or unknowing.
• Officers should ensure that they have appropriate credentials and are authenticated for the use of technologies.
• Officers should take all necessary steps to prevent unauthorised access to member confidential data, which includes cardholder data.
• Officers should ensure that technologies are used and set up in acceptable network locations.
• Keep passwords secure and do not share accounts.
• Authorised users are responsible for the security of their passwords and accounts.
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature enabled.
• All POS and PIN entry devices (if any are used) should be appropriately protected and secured so that they cannot be tampered with or altered.
• Postings by Officers from an EGC email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of EGC, unless the posting is in the course of EGC duties.
• Officers must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses or other malicious content.
3 DISCIPLINARY ACTION
Violation of the standards, policies and procedures presented in this document by an employee will result in disciplinary action as described in the EGC Rules. Claims of ignorance, good intentions or using poor judgment will not be used as excuses for non-compliance.
4 PROTECT STORED DATA
All sensitive data (including cardholder data) stored and handled by EGC, its Officers or any of its service providers must always be securely protected against unauthorised use. Any sensitive card data that is no longer required by EGC or its service providers for business reasons must be discarded in a secure and irrecoverable manner.
5 ACCESS TO THE SENSITIVE DATA
All access to sensitive data should be controlled and authorised. Any role functions that require access to member (including cardholder) data should be clearly defined.
• Access rights to privileged user IDs should be restricted to the least privileges necessary to perform role responsibilities.
• Privileges should be assigned to individuals based on role classification and function (role-based access control).
• Access to sensitive data, personal information and EGC data is restricted to Officers who have a legitimate need to view such information.
• No other Officers should have access to this confidential data unless they have a genuine business need.
• EGC will ensure that a written agreement is in place which includes an acknowledgement that the Service Provider is responsible for the cardholder data the Service Provider possesses.
• EGC should ensure that an established process, including proper due diligence, is in place before engaging with a service provider.
• EGC should have a process in place to monitor the PCI DSS compliance status of the Service Provider.
6 PHYSICAL SECURITY
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
Officers are responsible for exercising good judgment regarding the reasonableness of personal use.
Officers should ensure that they have appropriate credentials and are authenticated for the use of technologies.
Officers should take all necessary steps to prevent unauthorised access to confidential data.
Officers should ensure that technologies, if used, are used and set up in acceptable locations:
• A list of devices that accept payment card data should be maintained, where such devices exist.
• The list should include the make, model and location of each device.
• The list should include the serial number or a unique identifier of each device.
• The list should be updated when devices are added, removed or relocated.
• POS device surfaces should be periodically inspected to detect tampering or substitution.
• Personnel using the devices should be trained in, and aware of, the correct handling of POS devices.
• Personnel using the devices should verify the identity of any third-party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.
• Personnel using the devices should be trained to report suspicious behaviour and indications of tampering with the devices to the appropriate personnel.
• All POS and PIN entry devices should be appropriately protected and secured so that they cannot be tampered with or altered.
• Keep passwords secure and do not share accounts. Authorised users are responsible for the security of their passwords and accounts.
• Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drives, etc.
• Strict control is maintained over the storage and accessibility of media.
• All computers that store sensitive data must have a password-protected screensaver enabled to prevent unauthorised use.
7 DISPOSAL OF STORED DATA
All data must be securely disposed of when no longer required by EGC, regardless of the media or application type on which it is stored.
A process must exist to permanently delete on-line data, when no longer required.
All hard copies of member data (including cardholder data) must be manually destroyed when no longer required for valid and justified business reasons.
EGC requires that all retiring Officers return, destroy or erase any media containing member data. This includes, but is not restricted to, data on hard copy (paper), on a computer hard disk and on removable electronic media.
8 SECURITY AWARENESS AND PROCEDURES
The policies and procedures outlined below must be incorporated into EGC practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all Officers and third-party suppliers.
• Ensure that new Officers have read the Information Security Policy and understand the practical steps required of them to ensure compliance.
• Distribute this security policy document to all EGC Officers to read. It is required that all Officers confirm that they understand the content of this security policy document.
• All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI DSS).
• EGC security policies should be reviewed annually and updated as needed.
9 SYSTEM AND PASSWORD POLICY
All Officers and service providers with access to EGC systems are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
• All users must use their own username and password to access EGC member data.
• A minimum password history of four must be implemented, where possible.
• A unique password must be set up for new users, and the users prompted to change the password on first login or given instructions on how the password should be changed.
• Group, shared or generic user accounts, passwords or other authentication methods must not be used to administer any EGC member data.
• Administrator access to web-based management interfaces should be encrypted.
• The responsibility for selecting a password that is hard to guess generally falls to users. A strong password must:
  • Be as long as possible (never shorter than 6 characters).
  • Include mixed-case letters, if possible.
  • Include digits and punctuation marks, if possible.
  • Not be based on any personal information.
  • Not be based on any dictionary word, in any language.
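One way to encode the rules of this section as a check an administrator could run when a password is set or changed: minimum length, character mix, the personal-information and dictionary rules, a four-deep password history held as salted hashes, and the forced change on first login. This is an added example, not code from EGC or any of its service providers; the word list, the personal-information tuple and the Account model are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 6      # policy: never shorter than 6 characters
HISTORY_DEPTH = 4   # policy: minimum password history of four
PBKDF2_ROUNDS = 100_000

# Constructed sample word list; a real check would load a full dictionary file.
DICTIONARY = {"password", "golf", "summer", "welcome", "etchinghill"}


def check_strength(password, personal_info=(), dictionary=DICTIONARY):
    """Return the list of policy rules the candidate fails (empty means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("no mixed case")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in personal_info):
        failures.append("based on personal information")
    # Strip digits and punctuation so that "Golf2024!" is still caught as the word "golf".
    core = "".join(c for c in lowered if c.isalpha())
    if core in dictionary:
        failures.append("dictionary word")
    return failures


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; only digests, never plaintext, go into the history."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, initial_password):
        self.username = username
        self.must_change = True   # policy: new user must change the password on first login
        self.history = []         # most recent last, at most HISTORY_DEPTH entries
        self._store(initial_password)

    def _store(self, password):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]

    def change_password(self, new_password, personal_info=()):
        failures = check_strength(new_password, personal_info)
        if any(hmac.compare_digest(hash_password(new_password, s)[1], d) for s, d in self.history):
            failures.append("reused within last %d passwords" % HISTORY_DEPTH)
        if failures:
            return failures
        self._store(new_password)
        self.must_change = False
        return []
```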
10 ANTI-VIRUS POLICY
Where possible, all devices must be configured to run up-to-date anti-virus software. There is no stipulation as to which anti-virus product is used, but adherence to industry-standard products is required. The anti-virus software should have periodic scanning enabled for all systems and must be set to update with the latest virus signatures.
All removable media (USB, MMC, SD, Micro-SD, etc.) should be scanned for viruses before being used.
E-mails with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail which they suspect may contain a virus.
11 PATCH AND UPDATES POLICY
All workstations, servers, software, system components etc. used by Officers of EGC must have up-to-date system security patches (e.g. Windows updates, Apple updates) installed to protect the device from known vulnerabilities.
Computers and other machines used by EGC Officers should have automatic operating system updates enabled for system patches released by their respective vendors. Security patches should be installed as soon as possible.
EGC service providers are required to ensure that their systems have automatic operating system updates enabled for system patches released by their respective vendors. Security patches should be installed as soon as possible.
12 CHANGE CONTROL PROCESS
The service providers used by EGC should have a Change Control process documented and operational to ensure the security and stability of their service. This includes, but is not limited to:
• Change proposal and authorisation plan
• Change implementation plan, including:
  • Pre-change test plan
  • Change implementation steps
  • Post-change testing plan
  • Change reversal plan
  • Post-change reversal test plan
• Customer change communication plan
13 PENETRATION AND VULNERABILITY TESTING METHODOLOGY
The online services used by EGC are all established, widely adopted services used by many golfing organisations. All are "off the shelf" services and no specific customisation has been made to the systems expressly for EGC. On this basis EGC does not have a mandatory policy to perform penetration and vulnerability testing of the services used.
Only where expressly required by regulatory authorities will EGC perform regular penetration and vulnerability testing of the services provided by each Service Provider.
14 USER ACCESS MANAGEMENT
Access to EGC systems is controlled through a user registration and creation process beginning with a request for access to the EGC Chairperson / Secretary / Treasurer.
A periodic review of user accounts and access levels should be performed and any redundant access or accounts should be removed and access revoked.
Upon the retirement of an EGC Officer, their account must be removed and their access to the system revoked.
15 ACCESS CONTROL POLICY
Access Control systems are in place to protect the interests of all users of EGC systems by providing a safe, secure and readily accessible environment in which to perform their duties.
EGC will provide all Officers with the information they need to carry out their responsibilities in as effective and efficient a manner as possible.
Generic or group IDs shall not normally be permitted but may be granted under exceptional circumstances if sufficient other controls on access are in place.
The allocation of privilege rights shall be restricted and controlled, and authorisation provided jointly by the EGC Chairperson / Secretary / Treasurer.
Access rights will be accorded following the principles of least privilege and need to know.
Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
Officers are obligated to report instances of non-compliance to the EGC Chairperson / Secretary / Treasurer.
Appendix A
List of EGC Service Providers
Name of Service Provider: Club Systems Ltd
Services Provided: ClubV1 golf club management system
Contact Details:
  Contact support
  South Central, 4th Floor, 11 Peter Street, Manchester M2 5QR, UK
  +44-0345 222 9999 - UK
  +44-048 9077 8887 - Ireland
  Mon-Thur: 08:00 - 20:00
  Friday: 08:30 - 20:00
  Saturday: 08:00 - 20:00
  Sunday: 09:00 - 20:00

Name of Service Provider: Clear Accept
Services Provided: Online Card Payment System
Contact Details:
  Call 020 7186 2186, email support@clearaccept.com
  Our team are available:
  Mon-Fri: 08.00 - 18.00
  Sat: 09.00 - 18.00
  Sun: 10.00 - 17.00
  Bank Holidays (excl. Christmas and New Year's Day): 10.00 - 17.00

Name of Service Provider: England Golf
Services Provided: England Golf WHS Portal
Contact Details:
  https://www.englandgolf.org/my-england-golf-access

Name of Service Provider: Natwest
Services Provided: Banking services
Contact Details:
  For business banking support call this number:
  UK: 0345 711 4477