SECURITY PRIVACY POLICY
Establishing Guidelines for Information Protection
Purpose
The purpose of this Information Security Policy is to establish guidelines and procedures to protect the information assets of Emerald Smoke, and to ensure compliance with industry standards, including the Payment Card Industry Data Security Standard (PCI DSS). This policy outlines the responsibilities of all personnel and defines the security measures necessary to maintain the confidentiality, integrity, and availability of our data and systems. Compliance with this policy is mandatory for all employees, contractors, and third-party vendors.
Scope
a. Departments
This policy applies to all departments within Emerald Smoke, including Administration and Sales & Marketing. All employees, contractors, and third-party vendors who have access to our systems and data must adhere to this policy.
b. Types of Data
This policy covers all data handled by Emerald Smoke, including but not limited to:
- Cardholder Data (CHD): Primary Account Number (PAN), cardholder name, expiration date, and service code.
- Sensitive Authentication Data (SAD): Full magnetic stripe data, CAV2/CVC2/CVV2/CID, and PIN block. Note: Emerald Smoke does not store SAD.
- Customer Personal Information: Name, email address, postal address, and phone numbers.
- Other Confidential Data: Login data, payroll processing applications, cloud storage, and data files.
c. Key Information Assets
The key information assets of Emerald Smoke include all systems, networks, and data storage locations that process, transmit, or store cardholder data or sensitive authentication data.
Information Security Objectives
The information security objectives of Emerald Smoke are as follows:
- Comply with all applicable PCI DSS requirements.
- Ensure the confidentiality, integrity, and availability of our information assets.
- Protect customer data from unauthorized access, disclosure, alteration, or destruction.
- Safeguard our systems and networks from security threats and vulnerabilities.
- Continuously improve our information security posture through regular assessments and updates.
Third-Party Service Provider (TPSP) Management
Emerald Smoke recognizes that it uses third-party service providers (TPSPs) that may affect the security of cardholder data. The following procedures are in place:
- A formal process will be implemented for engaging TPSPs, including due diligence prior to engagement. This process ensures that new vendors meet our security and compliance standards.
- A list of all TPSPs will be maintained and reviewed annually. The list will include a description of the services provided and the data shared.
- Written agreements will be maintained with all TPSPs, ensuring their security and compliance responsibilities are clearly defined.
- A program will be implemented to monitor the PCI DSS compliance status of TPSPs at least once every 12 months.
- A shared responsibility matrix will be documented to identify the PCI DSS requirements managed by each TPSP, those managed by Emerald Smoke, and those that are shared.
Data Classification
Emerald Smoke classifies data based on its sensitivity and criticality. The following classification levels are defined:
- Confidential: Data that, if disclosed, could cause harm to the company or its customers. This includes cardholder data and customer personal information.
- Internal Use Only: Data intended for internal use that should not be disclosed to external parties without proper authorization.
- Public: Data that can be freely shared with the public without any restrictions.
Employees are responsible for properly handling and protecting data based on its classification level.
Roles and Responsibilities
a. Information Security Officer (ISO)
Julio Sánchez is designated as the ISO and is responsible for overseeing the implementation and enforcement of this policy. The ISO will ensure appropriate security controls are in place, conduct regular risk assessments, and provide guidance to employees. The ISO or a designated staff member will be available 24/7 to respond to suspected or confirmed security incidents.
b. Employees
All employees are responsible for:
- Complying with this policy and related procedures.
- Protecting the confidentiality, integrity, and availability of information assets.
- Reporting any security incidents or vulnerabilities to the ISO immediately.
- Participating in information security training and awareness programs.
Access Control
a. General Access Control
Access to Emerald Smoke’s systems and data is granted based on the principle of least privilege. The following access control measures are implemented:
- Employees access our systems via company-issued devices only.
- Multi-factor authentication (MFA) is required for all remote access.
- VPNs are used when accessing from outside the office.
- Access rights are reviewed at least once every six months to ensure employees have the appropriate level of access.
- Inactive user accounts are removed or disabled within 90 days.
- Access is immediately revoked for terminated users.
- All new accounts and changes to privileges are formally approved by the ISO.
b. Authentication Policies
Authentication policies and procedures are formally documented and communicated to all users. This includes:
- Guidance on selecting and protecting strong authentication factors.
- Instructions on how to change passwords if they are compromised.
- Instructions on how to report an incident.
- Where logical authentication factors such as security tokens or certificates are used, they are assigned to an individual user and not shared among multiple users. Physical and/or logical controls ensure only the intended user can use that factor to gain access.
- Password Policies: All users are required to use strong authentication factors. If passwords are used, they must meet the following minimum complexity requirements:
  - A minimum length of 12 characters (or at least 8 if the system doesn’t support 12).
  - Contain both numeric and alphabetic characters.
  - Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
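The password requirements above are the kind of rule an onboarding or password-change workflow enforces automatically. The following is an added illustration, not Emerald Smoke's own code, of a check that applies exactly those three rules: the 12-character minimum with the 8-character fallback, the numeric-plus-alphabetic requirement, and rejection of any of the last four passwords. It assumes the password history is stored as salted PBKDF2-HMAC-SHA256 hashes ordered most recent first (so old passwords are never kept in plaintext); the function names, the `max_length_supported` parameter used to signal a system that cannot accept 12 characters, and the sample history values are all constructed for this example.

```python
"""Password-policy check for the rules in the Authentication Policies section:
minimum length 12 (8 where the system cannot support 12), at least one numeric
and one alphabetic character, and no reuse of any of the last four passwords.
Added illustration, not Emerald Smoke's code. Assumption: the history is a
sequence of salted PBKDF2-HMAC-SHA256 hashes, most recent first."""
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted hash suitable for storing in the password history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True if the candidate equals any entry in `history`, compared via hashes."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str,
                   history: Sequence[HistoryEntry] = (),
                   max_length_supported: Optional[int] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `max_length_supported` is a hypothetical parameter conveying the longest
    password the target system accepts; when it is below 12 the policy's
    8-character fallback applies.
    """
    violations: List[str] = []

    min_len = 12
    if max_length_supported is not None and max_length_supported < 12:
        min_len = 8
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")

    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    if not any(c.isalpha() for c in password):
        violations.append("no alphabetic character")

    # Only the four most recent entries count, however long the stored history is.
    if matches_history(password, history[:4]):
        violations.append("matches one of the last four passwords")

    return violations


if __name__ == "__main__":
    # Constructed sample history, most recent first (not real credentials).
    sample_history = [hash_password(p) for p in
                      ["Winter2023pass", "Spring2023pass", "Summer2023pass",
                       "Autumn2023pass", "Older2022pass"]]
    for candidate in ["Correct7Horse9Battery", "Winter2023pass",
                      "Older2022pass", "Abc12345"]:
        print(candidate, "->", check_password(candidate, sample_history) or "OK")
```

Returning a list of violations rather than a boolean lets the workflow show the user every rule the candidate failed in one round trip, and comparing against stored hashes with a constant-time compare means the history check adds no new place where plaintext passwords are kept.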
c. Management of Application and System Accounts
Passwords/passphrases for all application and system accounts are protected against misuse as follows:
- Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis) and upon suspicion or confirmation of compromise.
- Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
Security Measures
a. Physical Security
Our office is secured with card-based access control and security cameras. Visitors are required to sign in and are escorted at all times.
b. Change Management
All system changes are tracked through a Change Management System and approved before implementation. Changes are tested in a separate environment before deployment.
c. Secure System Configuration
Emerald Smoke maintains a documented policy for applying secure configurations to all system components. This policy ensures that all systems are configured to prevent misuse and protect against known vulnerabilities. All configuration changes are documented, approved, and applied in a secure manner. This policy is kept up to date, in use, and communicated to all relevant parties.
d. Transmission Security
Emerald Smoke maintains a documented policy for protecting cardholder data with strong cryptography during transmission over open, public networks. This policy ensures:
- All data, including cardholder data, is transmitted using strong, industry-standard encryption protocols (SSL/TLS).
- These protocols are configured to use only secure versions and are kept up to date.
- This policy is reviewed annually, kept up to date, and communicated to all relevant personnel.
e. Malware Protection
An industry-standard anti-malware solution is installed and actively monitored on all systems. The solution cannot be disabled by users without proper authorization. The frequency of malware scans (at least weekly) is defined and documented in the entity’s targeted risk analysis. Audit logs for the anti-malware solution are enabled and retained for at least 12 months.
f. Incident Management
We maintain a documented Incident Response Plan (IRP) and follow it for all security incidents. All incidents are logged, investigated, and lessons learned are incorporated into our security procedures. The IRP is tested at least annually.
g. Business Continuity
We have a Business Continuity Plan that includes regular data backups and predefined roles and responsibilities.
Policy Compliance
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment. Employees are required to report any suspected violations of this policy to the ISO or their immediate supervisor.
Logging and Monitoring
Emerald Smoke maintains a documented policy for logging and monitoring all access to system components and cardholder data. This policy ensures that security policies and operational procedures for logging are documented, kept up to date, and communicated to all affected parties.
10.1 Log Review and Management
Audit logs are reviewed at least daily. An automated mechanism is used to perform these daily audit log reviews. The review includes logs of all security events, system components that store, process, or transmit cardholder data, all critical system components, and all servers that perform security functions.
10.2 Periodic Log Reviews
Logs of all other system components are reviewed periodically. The frequency of these periodic log reviews is defined in the entity’s targeted risk analysis, as performed according to all elements specified in Requirement 12.3.1.
10.3 Exception Handling
Exceptions and anomalies identified during the log review process are formally addressed. All identified issues are investigated, documented, and remediated in a timely manner.
Review and Updates
This policy will be reviewed annually or as needed. Updates will be communicated to all employees, and their compliance is required.
Definitions
- CDE: Cardholder Data Environment
- CHD: Cardholder Data
- ISO: Information Security Officer
- IRP: Incident Response Plan
- MFA: Multi-Factor Authentication
- PCI DSS: Payment Card Industry Data Security Standard
- SAD: Sensitive Authentication Data
- SSL/TLS: Secure Sockets Layer/Transport Layer Security
- TPSP: Third-Party Service Provider
- VPN: Virtual Private Network