PCI / SSAE – Record of Compliance
Leading Business Connectivity.
Frontier Networks Inc. (FRONTIER) and its network are neither a payment processor nor a public network, unless specified elsewhere by means of our design. We provide private point-to-point services between subscribing locations (a corporate head office and remote branch office locations). The IP address scheme provided to each subscribing location honors the ‘internal’ network that the CUSTOMER extends through the FRONTIER-provided network to the subscribing end points.
In some cases, where the design accommodates it, we may use firewall and VPN policies to provide an additional layer of encryption and packet encapsulation over the already private network.
CUSTOMER may, by means of their design, provide for transport from their Internal Network to a Payment Processor via the public Internet.
The following terminology extends the existing Master Services Agreement (MSA) and provides for additional responsibilities to be performed, or accommodated, by FRONTIER.
Special Terms:
During the term of the CUSTOMER SERVICES AGREEMENT, FRONTIER will provide, at no charge, the annual Statement of Compliance documentation to support the CUSTOMER's requirement for PCI compliance.
Our updated Statement of Compliance (SOC) documentation is noted below in this schedule.
Special Terms of the MSA included in this Schedule:
- CUSTOMER acknowledges that FRONTIER is not a credit card processor, does not itself store CUSTOMER Cardholder Data, and does not have the ability to control or impact the security of CUSTOMER Cardholder Data. The Processor warrants and undertakes that it will provide to CUSTOMER a copy of its current DRAFT Statement of Compliance (SOC) within 30 days of the date of this Agreement.
- FRONTIER agrees to notify CUSTOMER in the most expedient time possible under the circumstances, and without unreasonable delay, if at any time FRONTIER becomes aware that it is no longer adhering to the SOC as provided below.
- FRONTIER agrees to provide to CUSTOMER a copy of its current plan for its annual SOC review and, if not compliant, the projected date by which it will be compliant, within 30 days of the date of this Agreement and on an annual basis thereafter for the duration of this Agreement.
- FRONTIER agrees to act in the best interest of the CUSTOMER to comply with the Payment Card Industry Data Security Standard in respect of the CUSTOMER Cardholder Data by adhering to the proposed SOC.
- FRONTIER agrees to notify CUSTOMER in the most expedient time possible under the circumstances, and without unreasonable delay, upon discovering that CUSTOMER Cardholder Data was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, and to be responsible for compliance with any agreed specific control objectives.
Control Objective 1 – Physical Security
Controls provide reasonable assurance that physical access to the company’s data centers is restricted to authorized and appropriate personnel. Note that our 151 Front Street facility is leased through Allied Properties REIT, whose registration is pursuant to ISO/IEC 27001:2013.

| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 1.1 | The company has a physical security program in place. | The company has physical security access policies to determine if they include procedures for monitoring, authorizing, and approving physical access privileges to the data center for visitors, contractors, and employees. |
| 1.2 | Physical access to the company’s facilities is restricted to authorized personnel. | Company’s facilities are restricted to authorized personnel and access to restricted areas is secured through an access badge system. For new users, documentation is present indicating if appropriate approvals were obtained prior to granting access to restricted areas. Quarterly data center access reviews are documented and performed. Instances of inappropriate access are identified, investigated and removed. |
| 1.3 | Visitor access to the data centers is restricted to visitors who are preapproved by a company sponsor. Visitors must be escorted at all times. | Visitors are required to sign the visitors register upon entry to the data center / raised floor areas and are to be escorted by company personnel at all times. |
| 1.4 | An access badge system has been implemented for restricted areas. | Access control policy for restricted areas should be in place indicating that an access badge system is to be implemented for all restricted areas. Implementation of the access badge system should be observable. Effectiveness of access badge controls should be observable (i.e. unauthorized personnel should be denied access). |
| 1.5 | The data centers are manned by security personnel on a 24 x 7 basis and are monitored using CCTV. Emergency exits are equipped with alarms. When accessed, an alert is sent to security control. | Policy is in place indicating the requirement for the use of cameras to monitor sensitive areas. Contract with a third party security service provider includes the requirement for restricted areas to be manned by security personnel on a 24 x 7 basis. Monitoring of restricted areas should be implemented in accordance with policies and contract (i.e. at least one security guard, CCTV in place). Emergency exit doors are properly equipped with the specified controls, and are operational. |
Control Objective 2 – Environmental Safeguards
Controls provide reasonable assurance that measures to prevent likely disruptions to processing at data centers are in place and operational.
| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 2.1 | Raised floors are in place to prevent water damage and to provide circulated air-flow to the computing equipment. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 2.2 | Sensitive areas of the data center buildings are protected with fire detection and fire suppression equipment. | Fire detection and suppression equipment are located throughout the data centers, smoke detection devices are located in the ceiling and sub-flooring within the raised floor areas, and a staged detection system is in place. Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 2.3 | Air-conditioning systems maintain the correct atmospheric conditions in the computing environment and prevent over-heating of operating equipment to reduce failure. | Air-conditioning systems are in place to monitor and maintain safe atmospheric conditions for the computing environment. Policy is in place requiring that air-conditioning systems are to be in place to maintain the correct atmospheric conditions in the computing environment, including safe temperature and humidity levels. Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 2.4 | Generators provide backup power for critical areas of the data centers. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 2.5 | Uninterruptible backup power modules are in place in the event of a power failure where generators are inoperable. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 2.6 | Equipment including air conditioning, backup power modules, generators and transfer switches exist in a redundant architecture. | Management is aware of the controls in place. Physical hardware and power schematics should determine that these controls are in existence, observable, and operational. |
| 2.7 | Preventative maintenance is performed to maintain the continued operability of equipment. | Preventative maintenance schedules are maintained by management for critical environmental equipment in the data centers. Facilities service agreement related to the maintenance of critical environmental equipment should cover the period under examination and includes coverage for: Preventative maintenance schedules should be supported by work orders, and/or completed compliance reports to document the completion of preventative maintenance of critical equipment. |
Control Objective 3 – Incident Management
Controls provide reasonable assurance that significant operations incidents are identified, recorded, and tracked through resolution.
| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 3.1 | A process has been established for providing ongoing support for user entities, including incident identification, recording, communication, escalation, confirmation, resolution, and measurement. | Management is aware of the controls in place. Incident management policies and procedures include procedures for the identification, recording, communication, escalation, confirmation, resolution, and measurement of incidents. |
| 3.2 | Tools are used to monitor, escalate, record, and analyze IT system incidents. | Management is aware of the controls in place. Tools are in place to monitor, escalate, record, and analyze IT system incidents. |
| 3.3 | Significant operations incidents are tracked through resolution. | Management is aware of the controls in place. Closed significant operations incident tickets should be supported by ticket details with the completed record reporting the following details: |
Control Objective 4 – Change Management
Controls provide reasonable assurance that operating system, hardware, network device, and job scheduling changes are performed in accordance with company policy to prevent unauthorized changes.
| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 4.1 | A change control process exists for operating system, hardware, network device, and job scheduling changes. | Management is aware of the controls in place. Change control policies and procedures include requirements for approval, testing, implementation, and documentation of operating system, hardware, network device, and job scheduling changes. |
| 4.2 | Normal and emergency changes are tested based upon documented testing plans. | Management is aware of the controls in place. Completed normal and emergency changes have supporting documentation (including ticket details) to show that the change was appropriately tested based upon documented test plans. |
| 4.3 | Normal and emergency changes are approved by authorized approvers. | Management is aware of the controls in place. Normal and emergency changes have supporting documentation to show approval by an authorized approver prior to implementation. |
| 4.4 | Change control functions are segregated to prevent incompatible job functions from being performed by one person. | Management is aware of the controls in place. Change control policies and procedures include requirements for change control functions to be segregated to prevent incompatible functions from being performed by one person. Normal and emergency changes have supporting documentation to show that the approval and implementation functions were performed by different individuals. |
Control Objective 5 – Network Access
Controls provide reasonable assurance that logical access to the company’s network is restricted to authorized and appropriate users for authorized uses.
| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 5.1 | All users requiring access to the company’s internal systems must first have a record of employment in the human resource management system. User credentials are created, and account and password information are securely communicated to each user on their start date. The password is pre-expired, so each user must change the temporary password to a password known only to them at first logon. | Management is aware of the controls in place. Each new hire’s information is recorded in the human resource management system and appropriate access is granted to the new hire. Passwords are configured to be pre-expired so that users are required to change the password on initial login. |
| 5.2 | When initially signing on to a company computer, a non-trespass message is displayed. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 5.3 | Domain security controls include password configuration settings for an appropriate minimum password length, expiration frequency, and the number of consecutive unsuccessful logon attempts before the account is suspended. If a user fails to enter a valid user ID and password, the security screen is redisplayed prompting the user to enter the user ID and password again. | Management is aware of the controls in place. Password management standards are in place, indicating password requirements for a minimum length and expiration frequency consistent with requirements for complexity. Domain security controls include password configuration settings requiring the following (if applicable): User attempts to change the domain password to a non-compliant password construction are denied. Entry of an invalid user ID and password redisplays the security screen prompting the user to enter the user ID and password again. |
| 5.4 | Users who have forgotten their password have multiple options for obtaining a new password. All of these options require that the users authenticate themselves, or they send a temporary password to a company controlled mailbox/voicemail system. All temporary passwords are required to be changed at first use. | Management is aware of the controls in place. User attempts to request a temporary password online require user authentication, or the password is sent to a company controlled mailbox/voicemail system. Password configurations for temporary passwords require users to change the password on initial login. |
| 5.5 | Policy, procedure, and standard build documents contain the required minimum standards for configuration and deployment for network devices such as firewalls and routers on the company network. Network diagrams also exist to present a pictorial representation of the network infrastructure in place. | Management is aware of the controls in place. Policy, procedure, and standard build documents include the required minimum standards for the configuration and deployment of network devices such as firewalls and routers. Network diagrams are in place to provide a pictorial representation of the network infrastructure present. |
| 5.6 | Firewall devices have been deployed to restrict access to the computing environment and enforce boundaries between network compartments. | Management is aware of the controls in place. Company policy includes procedures for the installation, configuration and enablement of firewalls. Logical network diagrams show firewalls are in place to restrict access to the computing environment and enforce boundaries between network compartments. Configuration of firewall devices enforces the boundaries between network compartments and restricts access to the computing environment. |
| 5.7 | Automated tools are used for network monitoring and management. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |
| 5.8 | Intrusions and attempted intrusions are detected and prevented by installed automated software. Network monitoring and management tools are configured to issue alerts to predefined support groups when critical operations or security conditions are detected. | Management is aware of the controls in place. Malware protection policy is in place, requiring the installation of intrusion prevention and detection tools. Policy servers distribute traffic filtering definitions for the company. End users cannot permanently disable traffic filters. Workstations are configured with traffic filtering definitions in compliance with company policy. Alerts are issued to predefined individuals or an incident ticket is created when critical operations or security conditions are detected. |
| 5.9 | Antivirus software is installed on company systems. | Management is aware of the controls in place. Anti-virus is observable on company desktops. Virus definition policy servers distribute virus definitions and enforce antivirus configurations for the company. End users cannot permanently disable virus protection. Workstations are configured with antivirus definitions in compliance with company policy. Updates are automatically obtained from a policy server. |
| 5.10 | Access to the company network requires multiple layers of authentication in order to obtain access to the user entity’s environment. | Management is aware of the controls in place. Controls are in existence, observable, and operational. User attempts to access without having authenticated through multiple layers are not granted access. |
| 5.11 | Authentication requirements to access management compartments comply with established company policies. | Management is aware of the controls in place. Company policies outline a structure of secured access to management compartments, enforced through the use of an authentication system (i.e. badge ID, unique PIN). Controls are in existence, observable, and operational. |
| 5.12 | Users are granted access to network devices and the corresponding management compartments based upon job responsibilities. Upon termination, an employee’s access to network devices and management compartments is immediately disabled. | Management is aware of the controls in place. Users and managers/approvers are identified in the company employee directory for the following actions: Users granted access to management compartments have supporting documentation to determine the access was approved by management. Accounts are configured to expire after a set amount of time, unless revalidated as appropriate by the user’s manager. The above controls are in existence, observable, and operational. |
Control Objective 6 – Data Backup
Controls provide reasonable assurance that data is backed up regularly and available for restoration in the event of processing errors and unexpected processing interruptions.
| Item | Controls Specified by Company | Test Requirements |
| --- | --- | --- |
| 6.1 | Backups are conducted in accordance with company policies and procedures. | Management is aware of the controls in place. Servers being backed up are configured to back up in accordance with company policies and procedures. |
| 6.2 | Backups are performed using automated software, are monitored for successful completion, and failed backups are re-run when necessary. | Management is aware of the controls in place. Backup logs are present to determine that the status of backups is monitored using automated software, and that failed backups are re-run when necessary. |
| 6.3 | Tape backups are prepared for transit to an off-site facility when required. | Management is aware of the controls in place. Daily tape checklists are present to determine that tapes were picked up and/or dropped off at the data center. |
| 6.4 | A process is used to track the location of all backed up files. | Management is aware of the controls in place. Controls are in existence, observable, and operational. |