MassPay's Information Security Policy

Information Security Policy

Last Updated: 8 March 2023
Effective Date: 1 July 2022

1. Purpose

The purpose of this Information Security Policy (“Policy”) is to establish a security framework for MassPay Inc ( or “Company”) that will ensure the ongoing protection of MassPay information systems, networks, and data from unauthorized access, damage, loss, theft, or disclosure, while still permitting the efficient use of business computing assets globally.

2. Scope

This Policy applies to all MassPay officers, employees, contractors, affiliates, subsidiaries, partners, contracted third parties, and users of MassPay products, systems, networks, or data.

This Policy is intended to protect all data, networks, and information systems used by MassPay anywhere in the world, regardless of how, where, or when the information is used, generated, hosted, transmitted, stored, or printed. Information covered by this policy includes all data that is:

stored in computers, servers, file shares, or databases
stored in application data repositories,
transmitted across internal or public networks
printed or handwritten on any surface, including paper, white boards, and computer screens
stored on fixed or removable media, including hard drives, floppy drives, CDs, DVDs, tape, portable hard drives, USB and flash drives, camera drives, and backup systems
stored in the cloud or other third-party environments, including Amazon Web Services (AWS), Google Workspace etc

This Policy supersedes previous MassPay security policy documents, and is considered effective on the latest date of approval by the Compliance team, or Board of Directors, as noted within the Change History section of this Policy. Time-sensitive updates to this Policy may also be granted interim approval by the Chief Information Security Officer or Head of Compliance.

This Policy is intended to serve as a broad cybersecurity framework. Other supportive Information Security policies, standards, guidelines, and procedures, which are included here by reference, will be published separately to specify how the requirements in this Policy shall be exercised in greater detail.

3. Policy Statement

MassPay must develop, adopt, and enforce strategies to mitigate cybersecurity risks that threaten the confidentiality, integrity, and availability of the Company’s information systems and data. An effective Information Security Program will clearly convey the goals, approach, and controls necessary for securing MassPay’s information assets.

This Policy serves as a comprehensive approach to information security. It encompasses the following important protocols:

Ensure the confidentiality, integrity, and availability of information at all times through the proper application of policies, standards, guidelines, procedures, controls, auditing, and monitoring
Protect information assets from internal, external, deliberate, and accidental threats, including unauthorized access
Develop Incident Response plans for when defenses are breached
Develop Business Continuity Plan (BCP) and Disaster Recovery (DR) plans permitting the Company to continue operations, and maintain the confidence of stakeholders and customers, even during or after a disaster
Satisfy legislative and regulatory cybersecurity requirements globally
Prohibit the use of MassPay information or systems to violate law, breach privacy, compromise performance, or damage MassPay’s operations or reputation

The Company will take appropriate action in response to the misuse of Company information assets. Any violation of this Policy may result in legal action and/or disciplinary action under applicable Human Resources policy, up to and including termination.

The Information Security department will conduct annual reviews of this Policy and make necessary corrections to MassPay’s security policies, standards, guidelines, and procedures. More frequent interim reviews and updates may also be required any time that security needs change.

4. Information Security Program Framework

4.1. Alignment with Global Security Frameworks

MassPay information security management, strategies, policies, standards, guidelines, procedures, and controls will draw from, and comply with, the cybersecurity frameworks established by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), and the European Union’s General Data Protection Regulation (GDPR). PCI-compliant network zones will also comply with the Payment Card Industry Data Security Standard (PCI DSS) framework.

If information security scenarios arise that are not addressed by existing MassPay policies and standards, NIST and FFIEC guidance should be consulted. See the References section for a list of helpful documents.

4.2. Information Security Management Scope and Responsibilities

The Information Security department is the owner of the Company’s security information systems, and responsible for ensuring that network, computer, and software systems are effectively designed, configured, managed, and maintained to provide optimal confidentiality, integrity, and availability. Information Security is also responsible for writing, publishing, and providing training for, all security policies, standards, guidelines, and procedures required as a result of the publication of this Policy.

The Information Security department has the following responsibilities that include, but are not limited to,

Implementing and maintaining an Information Security Program
Identifying, assessing, tracking, and mitigating risks to the Company’s information and cyber assets
Developing, maintaining, and/or revising information security policies, standards, guidelines, procedures, and contract language
Creating and maintaining security classifications for Company data
Selecting, deploying, and monitoring security controls that adhere to established best practice frameworks, and support global Compliance and Legal requirements
Conducting regular external and internal vulnerability assessments and penetration testing to verify that security controls are working properly, and to identify weaknesses
Assuring the confidentiality, integrity, availability, and accountability of all information while it is being processed, stored, and/or transmitted electronically, and protecting the security of the resources associated with those processing functions
Developing, deploying, and monitoring systems and processes for detecting intrusions and malicious code
Identifying business owners for all systems and information
Establishing a risk management process for the lifecycle of each critical information system
Developing, implementing, and testing Business Continuity Plans for critical information systems
Helping enforce records management policies and standards
Assisting with external audit exams
Supplying information security training and awareness globally

Information Security owns MassPay’s security governance, the Company’s technical infrastructure is owned by the Information Technology Engineering department. If far-reaching technology changes are required to help Information Security accomplish its mission, Engineering will own the implementation and maintenance.

4.3. MassPay Security Policy Framework

This section summarizes the high-level security requirements that shall be applied to MassPay systems, processes, data, and behavior. More specific requirements will be conveyed in Information Security standards, guidelines, and procedures that will be published separately, but that are included here by reference.

The requirements below are not exhaustive. More sections will be added when necessary.

4.3.1 Acceptable Use

An Acceptable Use Standard shall establish rules for how MassPay computing resources may be used, and how adherence to rules will be monitored and enforced.

MassPay employees, contractors, and users must agree to abide by the Acceptable Use Policy and Standard whenever using MassPay computing resources, which include MassPay-provided or contracted computers, servers, printers, peripherals, appliances, programs, web applications, data, networks, email, and the Internet.

MassPay strives to maintain a workplace free of harassment and sensitive to the diversity of its employees. The Company therefore prohibits the use of computers in ways that are disruptive, offensive to others, or harmful to morale.

The Company values information security, which may be compromised by insecure computing practices. Users agree not to use MassPay computing systems to download or install unauthorized software, use unapproved third-party services, visit potentially dangerous websites, connect to unapproved hardware devices, or store sensitive information insecurely.

Workplace monitoring may be conducted by MassPay to ensure quality control, employee safety, security, and customer satisfaction. While on MassPay’s premises or using MassPay computing resources, employees have no expectation of privacy in their belongings or in the non-private workplace areas, which include, but are not limited to, offices, cubicles, work locations, MassPay-provided or designated parking areas, desks, computers, data storage devices, lockers, rest or eating areas, or vehicles engaged in MassPay operations, and any personal belongings on or in any of the above.

In order to secure its computing infrastructure and enforce Acceptable Use, MassPay reserves the right to monitor all electronic communications and data stored on, or passing through, its computing resources.

4.3.2 Access Controls

MassPay’s access controls shall balance the desire for system access against the Company’s need to defend systems and data from unauthorized access.

All MassPay computing resources shall be protected from unauthorized access, use, modification, disclosure, or destruction to satisfy regulatory, legal, corporate, Human Resources, and contractual requirements.

No MassPay system or data shall be used to violate local, federal, or international law; run a personal business; engage in gambling; or, access pornography.

Role-based access controls (RBAC) shall be applied to all systems and networks, with roles segregated by Least Privilege and Segregation of Duty principles that inhibit access abuses and collusion, with each role attributed to an individual.

Access to all resources on the network will be controlled by a centralized authenticating mechanism, with exceptions granted to devices that only support local or internal access controls.

Users must agree not to circumvent or disable MassPay access controls.

4.3.3 Application & Database Security

Information Security shall publish an Application and Database Security Standard that outlines required best practices and controls for all MassPay software and web applications and database systems. Information Security may also recommend additional or custom controls at times, depending on the nature of an application or database, unique threats that may be present, the sensitivity of any data present, and whether systems interface with other networks or third-parties.

Developed, acquired, and purchased applications and database systems, as well as third parties contracted to handle MassPay data or interface with MassPay systems, must meet the protections required by this Information Security Policy, and by MassPay’s Application and Database Security Standard.

At minimum, applications and database systems must be protected by access controls that provide Segregation of Duty and Least Privilege; defenses that prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), buffer overflows, brute forcing, and other common attacks; input filtering of all form, HTTP header, cookie, JSON, XML, Flash, web service, and URL parameter data fields; and, encryption of session tokens, all passwords, and other Confidential data.

Applications shall not contain undocumented features or secret back doors.

Applications and database systems must log all security-related events, and logs must adhere to MassPay logging policies and standards.

Prior to production deployment, an application or database must be documented with narratives and diagrams detailing all of its communications, including network perimeters, zones, hosts, ports, protocols, encryption methods, key storage, access control requests, and data requests and responses.

Before production deployment, all applications and database systems must undergo review and testing by Information Security, and all vulnerabilities must be mitigated or managed.

Information Security shall regularly perform scans and penetration tests of all MassPay applications, and all critical and major vulnerabilities must be mitigated or managed.

4.3.4 Asset Management

Information Security shall adopt, publish, and promote policies and standards for the continual protection of computing, digital, and paper assets. Users of MassPay information systems agree to follow Information Security’s published rules for protecting MassPay assets at all times, which include, but are not limited to, computers, servers, files, data, databases, networks, networked devices, printouts, faxes, repositories, financial and other reports, architecture and infrastructure documents, vulnerability lists, Company strategies and plans, privileged legal documents, customer lists, audio recordings, voice and electronic mail, meeting minutes, and video.

MassPay information systems shall be managed by the MassPay ENGINEERING and Information Security departments.

ENGINEERING and Information Security shall deploy a centralized mechanism for maintaining a current inventory of all MassPay systems worldwide.

Each system used for MassPay business shall be inventoried by Information Security and ENGINEERING, and have a named System or Data Owner responsible for ensuring that protective controls commensurate with the system’s data classification are applied and enforced, and that the system’s hardware and software are maintained.

Users shall not deploy servers, networks, or network devices for MassPay business or personal use without prior permission from Information Security and ENGINEERING.

Information Security and ENGINEERING will perform regular scans of MassPay networks to detect assets that have not been inventoried; discovered assets must be either inventoried, or removed from MassPay networks.

All users of MassPay information systems and data shall undergo security awareness training and agree to follow Information Security policies, prior to being granted access to MassPay systems.

4.3.5 Audit & Accountability Controls

4.3.5.1 Security and ENGINEERING Audits

Regular audits are critical for identifying and managing enterprise risks across MassPay, and for ensuring accountability.

The ENGINEERING department will conduct an annual internal audit to inventory and assess all known MassPay hosts and networked devices, including routers, firewalls, load balancers, switches, wireless devices, IDS systems, servers, and computers, as well as the software stacks installed on each of these. The assessment will identify gaps in inventory lists; pinpoint systems with stability problems; note old or orphaned systems eligible for retirement; detect missing patches that need to be installed; check that local access privileges are appropriate; and, produce a timeline and strategy for fixing findings.

The Information Security department will lead several annual audits, including a MassPay-wide review of system access privileges; a penetration test of all perimeters and high-risk systems; and, a cyber risk assessment intended to inform the MassPay Board of vital security risks. Any technical findings uncovered will be submitted to ENGINEERING and the CIO for remediation planning.

Audit findings shall be protected as Confidential information.

4.3.5.2 Audit Logs

All MassPay computing resources must generate and store audit records concerning all events relevant to security. Authentication attempts, registry or configuration changes, software installation activity, information egress, intrusion and malware detections, and all attempts to access, modify, destroy, or export data are examples of events that should be logged.

Logs shall contain evidence sufficient to establish the facts of an event, including when and where it occurred, the accountable actors involved, and the systems or objects affected.

Logs must be protected against tampering. File permissions shall prohibit unauthorized access, and when possible, logs should be transmitted to a centralized logging system managed by Information Security for protection.

Information Security, together with ENGINEERING, shall deploy a mechanism for correlating, monitoring, and the alarming of important log events.

Procedures will be developed to regularly review audit records for indications of suspicious activities, and to report findings to management for resolution.

Audit logs shall be protected as Internal information.

4.3.5.3 Other Accountability Controls

When technically feasible, computing activity should be attributable to a person in order to establish accountability. Shared accounts and passwords must be avoided for this reason. Users and system administrators will perform computing, administration, and reporting activities using their own individual system administrator accounts, rather than using shared or anonymous accounts.

Any file system or database that houses Confidential information must have audit monitoring and logging enabled in order to identify who operated on sensitive data, when it occurred, and what the operation entailed.

All employee and contractor Internet access shall pass through MassPay proxy servers for monitoring and web site blocking. No MassPay user shall bypass the Company’s web proxies.

4.3.5.4 Backup and Recovery

Important data must be backed up on a regular basis. Such data includes, but is not limited to, data used by MassPay web and wire applications; customer and agent data; financial transaction data; programming source code; software and licenses; decryption keys; assets and instructions needed for Disaster Recovery; Accounting and Human Resources files; business contracts; electronic documents stored locally or in file shares; and, emails.

ENGINEERING will deploy a data backup system capable of backing up all important MassPay data globally, and provide users with file server or cloud drives for file storage that are regularly backed up. Information Security will train users how to use drives to store information securely.

Confidential data will be encrypted in backups, in accordance with MassPay’s Encryption Standard.

Some backups must be stored offsite; in the event that a MassPay data center is destroyed, data should still be recoverable. ENGINEERING will determine the backup frequency required to restore data that will prove reasonably recent enough to permit business operations to continue.

ENGINEERING will conduct recovery tests of backed up data every six months.

4.3.5.5 Business Continuity Plan (BCP) / Disaster Recovery Plan (DR)

BCP and DR plans describe processes and procedures for the protection of MassPay’s assets and services from disasters, recovery from service interruptions, and the resumption of key business processes.

ENGINEERING and Information Security shall collaborate to document, publish, and provide training for a global DR plan. The DR plan will describe how to fail over and recover computing operations and services during and after a disaster.

Operations shall document, publish, and provide training for a global BCP plan. The BCP will document how to sustain business operations during and after disasters, which includes human safety factors, management and business process continuity, and communication and PR plans.

The DR and BCP plans will both be updated and tested each year, and participants will undergo training annually.

4.3.5.6 Change Management

Change management is a formal process for making measured and approved changes to ENGINEERING services across MassPay in order to increase change awareness, synchronize efforts between I.T. groups, and ensure changes have no disruptive impact on customers or service.

A Change Management Program will be developed to assess, manage, and control all technology changes made to MassPay computing resources. The program will include process gates that prevent changes from being made that have not undergone review by ENGINEERING and Information Security, and technical controls to prevent unauthorized changes from being made to systems, applications, configurations, and programming code.

In order to detect rogue changes made to code, web pages, and file systems, MassPay will deploy a file integrity monitoring system capable of detecting unauthorized file changes.

4.3.5.7 Cloud Environments

Cloud, leased, and other contracted third-party environments that contain MassPay computing resources or data must adhere to MassPay’s Information Security policies, standards, and guidelines.

4.3.5.8 Data Classification

Data classification, in the context of information security, is the categorization of data based on its level of sensitivity and the impact to MassPay if the data were disclosed, altered or destroyed without authorization.

Data security and classification measures will be implemented commensurate with sensitivity of data, and the risk to MassPay if data were to be compromised.

A Data Classification Standard published by Information Security shall provide the framework for classifying and securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal. The Standard shall define four data classification categories that include Public, Internal, Confidential, and Privileged.

Each System or Data Owner shall evaluate and classify data for which he/she is responsible, and enforce protective controls recommended by Information Security to guard the data based on its classification level.

4.3.5.9 Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is a comprehensive approach applied to people, processes, and systems for identifying, monitoring, and protecting data while it is stored, in use, or in motion. DLP is used for identifying sensitive data stores; enforcing enterprise data protection policies; validating that defensive controls are sufficient to protect data of varying classifications; detecting both accidental and intentional data leaks across computers, servers, and networks; and, generating data protection reports for auditing and compliance.

MassPay shall create and implement a Data Loss Prevention Program.

4.3.5.10 Encryption

Encryption is required for all Confidential and Privileged information that is stored or in transit. Authentication may also need to accompany encryption, if communicating parties require identity assurance in addition to confidentiality.

Perfunctory encryption that does not enforce Segregation of Duty and Least Privilege is insufficient. For example, while whole disk encryption is advisable to prevent a thief from accessing data on a stolen hard drive, it will not prevent a Database Administrator (DBA) from viewing sensitive data fields in a database that should be off limits; Segregation of Duty and Least Privilege would require that field-level encryption also be used in this scenario.

All encryption systems must support the ability to change keys (“rekey” or “rotate keys”). Databases that house Confidential data must be rekeyed annually, and after the termination of staff with database access.

Decryption keys must be made inaccessible to unauthorized persons, not stored in cleartext on any system, and be stored encrypted offsite for use during DR/BCP events.

Specific encryption and key protection baseline standards will be published in an Encryption Standard by Information Security.

System and Data Owners are responsible for ensuring that any systems, devices, and data under their purview are encrypted in accordance with this policy, and with the Encryption Standard. MassPay personnel, contractors, and vendors using mobile computing devices (e.g. laptops, tablets, PDAs, smart phones, wearables) or mobile data storage devices (e.g. CDs, DVDs, flash memory, portable hard drives) are responsible for the protection of sensitive data on those devices.

Exceptions to the Encryption Policy may be granted by Information Security in cases where encryption is not feasible, and where mitigating controls lower residual risk to acceptable levels.

4.3.5.11 Identification & Authorization Control

Information systems must be configured to uniquely identify users, devices, and processes through the assignment of unique user accounts, and validate users (or processes acting on behalf of users) using standard, Information Security-approved authentication methods such as passwords, tokens, certificates, smart cards, or biometrics (“authenticators”).

MassPay shall implement a centrally controlled mechanism for Identity Access Management (IAM). All applications and systems capable of using the mechanism for IAM will do so, rather than using decentralized or local mechanisms.

Any authenticator used for identification, authentication, or authorization is rated as Confidential, and must be protected by commensurate digital and physical controls. Users of MassPay computing resources must protect authenticators and not share them with others.

4.3.5.12 Incident Response

An Incident Response Standard shall be adopted and published that defines cybersecurity incidents, their severities, and how they should be prioritized and managed so operations can be restored as quickly as possible with minimal impact. The Standard should discuss how an incident is reported and assessed; how damage is minimized; how the incident and resolution are documented; how forensic evidence should be preserved; and, whom to contact, and when.

Any user of MassPay computing resources who encounters a potential cybersecurity incident that could violate the confidentiality, integrity, or availability of MassPay information, or impact MassPay’s reputation, must notify his or her manager or Information Security immediately. Examples of cybersecurity incidents include attempts to gain unauthorized access to systems or data; attempts to obtain others’ passwords or elevate privileges; bypassing security controls; denials of service (DoS); the installation of unauthorized software; the unauthorized use of hacking tools; and, the introduction or spread of malware.

4.3.5.13 Malware Protection

All MassPay information systems, including computers, servers, networks, networked devices, and Bring Your Own Devices (BYODs) shall be protected against potentially malicious software and hardware. All such systems will be equipped with real-time defenses against viruses, spyware, unauthorized remote access, trojans, back doors, and worms. Information Security will adopt defenses that detect and/or block the installation of unauthorized software. Computers and servers will have USB, Bluetooth, and all other non-essential interfaces disabled, with exceptions evaluated on a case-by-case basis as business needs require.

All systems will be scanned for viruses twice per week, including Friday mornings, and malware definition files shall be updated daily.

Malware-related security incidents must be detected, logged, investigated, verified, and remediated by Information Security.

4.3.5.14 Media Protection

Information Security shall publish standards governing how media will be continually protected, which owners and users of media must enforce. Media includes, but is not limited to, hard and floppy disks; backup tapes; data files; readable discs, such as CDs, DVDs, laser discs, and Zip Disks; USB, Firewire, Thunderbolt, and other internal or external storage devices; smartphone, camera, and copier storage; electronic RAM and ROM circuits; and, printed material, such as documents or reports.

Digital and physical protection of media must be commensurate with the data classification of the information stored on the media. Confidential and Privileged information, for example, must be encrypted at rest whenever stored on media.

Media may contain malware capable of infecting MassPay systems. Media whose origin is unknown should not be connected to MassPay systems or networks. Owners and users of media shall be trained on the safe use of media, and the threat it poses for transmitting malware.

Information Security shall publish a Data Destruction Standard, which owners and users of media must enforce to ensure that residual data stored on media is safely destroyed to prevent it from being recovered after media is repurposed or discarded.

4.3.5.15 Mobile Devices / Bring Your Own Device (BYOD)

Tablets, smartphones, and other consumer mobile devices are popular for their convenience, but in many instances, such devices are not capable of protecting MassPay data reliably.

Confidential and Privileged information must not be stored on devices without approval by Information Security. When approval is granted, Information Security may mandate that a device be equipped with a hardened operating system, encryption, anti-malware, and/or ENGINEERING management software that allow stored data to be protected, and the device wiped remotely if stolen.

4.3.5.16 Network Security

Information Security shall publish a Network Security Standard establishing how networks should be architected and secured, how networks may be accessed and used, and how policies should be enforced.

MassPay networks must comply with the published Network Security Standard. Prior to a network’s deployment or use, Information Security will be consulted, both to determine if additional controls are required due to risks present, and to test the networks to identify vulnerabilities.

Information Security will deploy and maintain security controls to protect MassPay networks. At minimum, networks shall employ firewalls, Demilitarized Zones (DMZs), the use of discrete zones segregated by data classification, intrusion detection/prevention (IDS), encryption for sensitive data, and access controls that promote Least Privilege and Segregation of Duty.

Information Security shall regularly scan MassPay networks to identify vulnerabilities, unauthorized ingress or egress points, unknown or insecure hosts, unauthorized wireless access points, and sensitive data that has not been acceptably secured. System and Data Owners who are notified of vulnerabilities or policy violations shall be responsible for remediating findings.

Information Security shall provide users with training and guidance conveying the importance of protecting networks against intrusion and abuse.

4.3.5.17 Onboarding and Offboarding

Information Security shall publish standards for Onboarding and Offboarding.

All prospective employees and contractors must successfully complete a criminal background check before hire.

Before new employees or contractors are permitted access to MassPay systems or data, they must first sign a MassPay NDA, and an agreement promising compliance with all MassPay information security policies, standards, and guidelines.

Employees and contractors being onboarded must complete MassPay’s cybersecurity training program within one week of hire.

When a MassPay employee, contractor, agent, partner, or vendor relationship is terminated, access to MassPay systems and data must be revoked immediately. The manager responsible for the terminating relationship shall notify the Help Desk within three hours of termination. Once notified of the termination, the Help Desk shall disable access within four hours.

Once access is disabled, the user’s identity record shall remain in the Identity and Access Management (IdM) system for MassPay’s published retention period, after which the record should be deleted.

4.3.5.18 Passwords and Other Credentials

Information Security shall publish a Password Standard that establishes the minimum requirements for generating, using, managing, changing, and protecting passwords, passphrases, session tokens, and other credentials used to identify, validate, or authenticate users, systems, networked devices, databases, applications, and sessions.

Users of MassPay computing resources, networks, networked devices, and data must follow and enforce the Password Standard. Each user must protect his or her password against disclosure, never store passwords unencrypted, and never share passwords with others.

Information Security will deploy and require the use of security controls that enforce password policies and standards.

Passwords and other credentials shall be protected as Confidential information, which requires that they be encrypted in transit and in storage.

4.3.5.19 Patch Management

Information Security and ENGINEERING shall jointly create a Patch Management Program. The program will monitor the Internet for news of important manufacturer-supplied patches that should be applied; scan MassPay networks to detect systems or software that are in need of patches for security and stability; evaluate and test patches; deploy and install patches; confirm that patch installations were successful; and, maintain an inventory of current patch levels of all MassPay systems and software worldwide.

System Owners are responsible for ensuring that systems under their control are included in MassPay’s patch management program.

Patches will be evaluated and deployed in descending order of their importance to MassPay system stability and security. If a patch is deemed critical for stability or security by a manufacturer, ENGINEERING and Information Security shall evaluate its stability and fitness for deployment within thirty calendar days of its release.

Enterprise-wide patch scanning should occur no less frequently than every thirty calendar days.

When a system or software reaches its end of life, and patches for security or stability are no longer provided by the manufacturer, the asset must be updated to a newer and patchable version within six calendar months, unless a formal exception is granted by ENGINEERING and Information Security. Exceptions shall not be granted for operating systems, application server or container software, or database server software, due to their importance to MassPay operations.

4.3.5.20 Physical and Environmental Security

MassPay shall adopt policies, standards, guidelines, and controls to protect information and technology from physical and environmental threats in order to reduce the risk of loss, theft, damage, unauthorized access, breaches, and service disruption.

Physical security zones will be established to control and monitor access to assets at all MassPay facilities and data centers, with controls commensurate with the classification level of the systems, data, or other assets being protected.

Any zone housing computers, servers, networks or network devices, or data must be protected by, at minimum, day and night surveillance cameras; overnight burglar alarms; doors that automatically lock if public-facing; keycards or other identity mechanisms that identify individuals entering; and, logging of all visitors. Visitors must sign in prior to entry, wear an assigned visitor badge, and remain accompanied by a MassPay employee at all times. Data centers will also be equipped with advanced physical access controls; reinforced and attacker-resistant walls, ceilings, floors, doors, and windows; fire alarms and fire suppression; HVAC and power redundancy; and, 24/7 security guards who authenticate and log all visitors, and permit entry only to MassPay personnel authorized by ENGINEERING or Information Security management.

MassPay staff who encounter a person suspected of breaching physical security protocols should immediately contact management, campus security guards, or emergency responders.

All computers and servers not housed in data centers must be equipped with a means for locking them up to prevent equipment theft. Cable locks, locking enclosures, locking docking bays, and locking desk drawers are acceptable. MassPay employees and contractors must not leave computers unlocked at MassPay facilities overnight or during weekends.

Printed information must be protected at all times, since it may contain information useful to hackers, criminals, competitors, and other actors. Business plans, product strategies and timelines, development plans, HR and legal documents, network architecture diagrams, system and vulnerability lists, login credentials, and similar printed information should not be visible on desks or white boards at night or during weekends. Live computer screens that display the above information should also be turned off during non-business hours. Staff must put away papers, and if needed, close office doors and window blinds to keep information from being viewed, photographed, or stolen by visitors, workers, intruders, or the public.

Commuters and travelers must protect MassPay equipment and data while traveling. Computers and sensitive papers must not be left unattended in public spaces or vehicles. While staying in a hotel, unattended computers should be locked up in the hotel safe. Before crossing any international border, MassPay users must check that computers do not contain Confidential MassPay information that could be confiscated by U.S. or foreign governments. Any employee or contractor who suffers a theft of MassPay equipment or data should notify a manager or Information Security immediately.

4.3.5.21 Records Management and Retention

MassPay Information Security, ENGINEERING, Legal, HR, and Compliance departments shall together establish an enterprise Records Management and Retention Program. The program will feature an inventory of record types across all MassPay departments; retention periods for each type; technical and procedural enforcement methods for ensuring retention; procedures for destroying digital and physical records that exceed their retention periods; strategies for reducing records retention costs; and, training for MassPay staff. The program shall maintain MassPay records, including documents and data, for the durations required by state, federal, and international law.

All MassPay employees, contractors, partners, and third-party vendors must comply with the Records Management and Retention Program.

Data shall not be shared with any third party without a signed contract that enforces a MassPay-approved retention period. The contract must also specify how and when data will be destroyed, and require that MassPay be provided with an affidavit of destruction.

4.3.5.22 Remote Network Access

MassPay will provide remote access to network, computing, and email resources for employees when necessary.

Since there are security risks associated with providing remote access, MassPay will adopt strong controls for controlling and monitoring all remote access activities.

Remote access to MassPay’s network shall require multifactor authentication (MFA).

Remote connections into MassPay’s network or servers must pass through MassPay’s perimeter firewalls and Intrusion Detection system earmarked for use with remote access. Users will not install their own remote access software or hardware, or otherwise open up back door remote access ports into MassPay environments.

Any client system used for remote access must be hardened against attack, with anti-virus and firewall software running.

Remote access for third-parties and contractors must be approved by the Information Security Officer.

4.3.5.23 Security Controls

Security controls are the management, preventive, detective, corrective, and measurement tools for enforcing Information Security policy. This Information Security Policy describes many MassPay security controls, with additional control details and requirements provided in accompanying policies, standards, and guidelines that are included here by reference.

All MassPay computing resources, data, and projects should undergo review by Information Security before deployment to determine which security controls should be applied. It then becomes the duty of the System or Data owner to ensure that the selected controls are incorporated and tested.

Information Security shall maintain an inventory of its available security controls, and review it annually to ensure controls remain viable against new attacks. Deficient controls will be identified and corrected.

MassPay shall adopt controls required by audit exam bodies to maintain MassPay’s financial licenses, plus controls recommended by cybersecurity best practice organizations such as the Open Web Application Security Project (OWASP).

4.3.5.24 Servers and Computers

Information Security shall publish standards for hardening servers and computers, which must be enforced by system and database administrators, and by MassPay users.

At minimum, servers and computers shall be equipped with remote and centralized administration capabilities; defenses that prevent unauthorized reconfiguration of any system; access controls that promote Segregation of Duty and Least Privilege; endpoint protection that defends against malware and intrusion; an encryption mechanism for sensitive data that cannot be compromised if a system’s hard drive is removed; and, tools for monitoring all user activity.

Any system that houses or accesses sensitive data should have audit logging enabled for data-related operations, and also be equipped with Data Loss Prevention (DLP) monitoring.

Technical controls shall prevent users from making unauthorized configuration changes to servers and computers. Local admin, root, and other super-user privileges must not be granted by default to any user whose primary job function is not system administration. Temporary exceptions may be made when a user needs local admin access to install authorized software, after which admin rights should be revoked.

Users and administrators of systems must not install unauthorized software onto MassPay servers or computers without prior permission from Information Security.

Before any server is opened for user or public access, it must be tested by Information Security, and all vulnerabilities mitigated or managed.

Logs generated by defensive mechanisms on servers and computers must be protected against tampering.

4.3.5.25 System and Information Integrity

Integrity of MassPay systems and applications shall be enforced using controls described in this Information Security Policy that prevent unauthorized changes to systems and data, and validate the integrity of changes that might or do occur.

Firewalls, intrusion detection, and audit monitoring shall be used by Information Security to protect all MassPay computing assets and data.

All computers and servers shall be protected by hardened operating systems, access controls, regularly updated and real-time anti-virus software, and monitoring. Users shall be prevented from installing unauthorized software, or making Registry or other configuration changes. Access controls shall enforce Segregation of Duty and Least Privilege, and privileges shall be reviewed regularly.

Databases shall be protected against unauthorized modification of data, and critical data shall be backed up regularly.

Confidential data shall be encrypted at rest and in transit to guard against intentional and accidental modification.

For cases where data integrity is especially critical for operational, financial, accounting, or regulatory tasks, audit monitoring must be enabled to record all data access and modification activity. The use of salted hashes is also recommended to verify that data has not been altered while in storage or in transit.

Software and web applications must defend against common integrity-based attacks, including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), buffer overflows, and tampering of web or program parameters. Programs shall filter all input against unexpected content, type, length, or encoding. All applications should be penetration tested prior to production, and vulnerabilities mitigated.

4.3.5.26 System Maintenance

Only personnel explicitly authorized by ENGINEERING or Information Security shall perform maintenance on MassPay information systems, which includes monitoring system health, running diagnostic tools, adjusting configurations, and removing, installing, and upgrading software and hardware.

MassPay shall ensure that system maintenance is scheduled and documented; announced in advance to stakeholders if possible; aligned with manufacturer recommendations; and also, that results are validated, with a roll-back plan available if maintenance fails.

4.3.5.27 System and Data Ownership

Each MassPay system and set of data shall have a functional owner who is responsible for its management, protection, retention, and destruction. Each System and Data Owner will be a Manager, Director, or higher level employee who is required to understand and enforce all published MassPay security policies, standards, and guidelines.

The Data Owner will set and enforce the classification level of data under his or her control in accordance with MassPay’s Data Classification Policy and Standard. MassPay shall not share data with any third party without the written permission of the data’s Data Owner.

The System and Data Owners shall be responsible for establishing access privileges for systems and data under their control.

4.3.5.28 Third-Party Products, Systems, and Data

Third-party providers who design, implement, furnish, or maintain technologies for MassPay must protect MassPay systems and data using Information Security policies, standards, and controls that are equivalent to MassPay’s own.

Third party contracts must include cybersecurity provisions governing access controls, shared architecture, data classifications and handling, network and host monitoring and protection, data protection and encryption, data sharing with fourth parties, code security standards, password standards, incident response, breach notification, operational support, service levels, vulnerabilities and defects, security assessments and testing, right to report, data retention and destruction, and lists of formal documentation required. Information Security will collaborate with MassPay’s Legal Department to develop the above provisions into a standard boilerplate Information Security Contract Schedule. If a standard vendor contract does not include the above provisions, a mutual contract that includes MassPay’s Information Security Contract Schedule would be required.

No third party services shall be contracted until the contract has been reviewed by MassPay’s Information Security Officer.

No MassPay employee, contractor, partner, or vendor shall share MassPay Confidential or Privileged information with any third party unless the share has been approved by the information’s MassPay Data Owner; a mutual Non-Disclosure-Agreement (“NDA”) has been signed by both MassPay and the third-party’s officers; and, an information sharing contract approved by Information Security has been signed by both parties.

4.3.5.29 Threat & Vulnerability Management

Information Security shall establish a Threat and Vulnerability Management Program for detecting, evaluating, prioritizing, tracking, and mitigating potential cybersecurity threats against MassPay operations, systems, data, employees, and partners worldwide. Threat intelligence and recommended defenses will be regularly socialized across the enterprise for awareness.

Information Security shall also adopt a vulnerability management system to identify, assess, inventory, prioritize, track, and remediate cybersecurity vulnerabilities.

Threat and vulnerability information shall be protected as Confidential data.

5. Training and Awareness

Training employees is a crucial element in building a strong and lasting culture of compliance.

Regular Company-wide security awareness and training are vital for ensuring compliance with Information Security policies, standards, and guidelines, and for maintaining a security culture where employees, contractors, partners, and service providers.

Information Security shall establish and maintain a cybersecurity Training and Awareness Program to provide ongoing education about MassPay’s security policies, standards, and guidelines; the use of Information Security’s Intranet site; general best practices for computer, Internet, and operational cyber safety; how information should be classified, handled, and protected; the breach methods used by insiders and outside attackers, and how to defend against them; and, proper incident response and reporting procedures for when security incidents do occur. Training shall be global, and available in local languages.

All employees and contractors must undergo cybersecurity training during initial onboarding, and then annually thereafter.

MassPay requires additional detailed training for employees, affiliates, and service providers whose jobs are impacted by specific policies receive training appropriate for their roles and responsibilities at least annually. Examples include Record Retention, secure programming practices, employee screening etc

The Training and Awareness Programs shall be reviewed and updated annually by Human Resources and Information Security.

6. Records Retention

MassPay records, including data, files, and email, will be retained in accordance with a Records Management Retention Schedule that MassPay shall establish.

7. Policy Exceptions

Exceptions to this policy may be allowed by Senior Management. All exceptions must be made in writing prior to the exception being made.

Exceptions to this Information Security Policy, or to other policies, standards, or guidelines, may be granted if they pertain to a single record and do not include a bulk or categorical exception to the standards outlined in this Policy. Requests for exceptions to this policy must be specific to the record and must be provided in writing to the Chief Information Security Officer or Chief Information Officer. Exceptions that impact third party service providers must be provided to the service provider.

Exceptions and their dispositions shall be tracked by Information Security, and all exceptions must be reviewed annually.

8. Policy Compliance

All MassPay officers, employees, contractors, affiliates, subsidiaries, partners, agents, contracted third parties, and users of MassPay products, systems, networks, or data are required to enforce this Information Security Policy. Failure to do so may result in corrective employment action or other disciplinary measures, up to and including termination of employment or contracts.

9. Other Reviews & Approvals

This Policy will be reviewed and approved annually by the MassPay Board of Directors, or by the Audit and Finance Committee acting as a delegate to the MassPay Board of Directors. Time-sensitive updates to this Policy may also be granted interim approval by the Chief Information Officer.

10. Contact Information

If you have any questions about this Information Security Policy, please contact us at: privacy@masspay.io.

If you need to access this Policy in an alternate format due to having a disability, please contact us at privacy@masspay.io.

11. References

This Policy draws from the following sources:

Framework for Improving Critical Infrastructure Cybersecurity, v.1.1, NIST, January 10, 2017
FFIEC Information Technology Examination Handbook, Information Security, FFIEC, September, 2016.
EU Directive 95/46/EC – The Data Protection Directive, 2016.
PCI DSS v.3.2, PCI Security Standards Council, April, 2016.