Deliverable $3$: Security Policies

$$

Access Control Policy

$$

$1\mathrm{.}0$ Purpose

The purpose is to implement policies and procedures to ensure that physical access controls exist that ensure that all cardholder data can only be accessed by authorized personnel.

$$

$2\mathrm{.}0$ Scope

This policy applies to all employees, contractors, consultants, and temps who utilize IT resources described herein their assigned job responsibilities.

$$

$3\mathrm{.}0$ Policy

$$

$3\mathrm{.}1$ Facility Access

$1.$ Facility entry controls will be implemented to limit and monitor physical access to systems that process or transmit cardholder data.

$2.$ Physical access to publicly accessible network jacks, wireless access points, gateways, and handheld devices will be restricted.

$$

$3\mathrm{.}2$ Visitors

$1.$ Procedures will exist to help personnel to easily distinguish between employees and visitors in areas where cardholder data is accessible.

$2.$ All visitors will be authorized before entering areas where cardholder data is processed or maintained.

$3.$ All visitors will be given a token, such as a badge or access device, which identifies them as non$-$employees, and will be required to surrender the device before leaving the facility or on the data of expiration.

$4.$ All visitors to sensitive area must complete a visitor$$s log which will be maintained for a minimum of three months, unless otherwise restricted by law.

$3\mathrm{.}3$ Media Controls

$1.$ All media back$-$ups will be stored in a secure location, preferably in an offsite facility, such as an alternate or backup site, or a commercial storage facility.

$2.$ All paper and electronic media $($including computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes$)$ that contain cardholder data will be physically secured.

$3.$ Strict control will be maintained over the internal and external distribution of any kind of media that contains cardholder data, such that the media is identified as confidential, and will only be sent by secured and traceable courier.