Security Checklist

Have there been any recent fraud incidents at the facility being used in the service engagement? Describe the incidents an

Have there been any recent security incidents (e.g., theft of property, vandalism, network intrusion, loss of personally identif
etc.)? Describe the incidents and actions to address them specifically and prevent future incidents.
Have there been any recent audit reviews? What were the issues? How were they remediated?
Have there been any recent network configuration changes?
Have there been any recent platform changes or are there any planned?
Have there been any changes to the facility, or are there any planned?
Are visitors signed into the building by an employee who accepts responsibility for the visitors during the course of their visit
Are all visitors issued numbered visitor badges, or does the badge include the visitor's name?
Are all visitor badges required to be turned in at the end of the day?
Are employees and contractors required to show proper identification (badge with photo ID) to gain entrance to the building
Are employees, contractors, and visitors required to have badges visible?
Do you use a guard service?
Who is the guard service provider?
Are guards licensed through the state/territory/province?
If not licensed, are background checks conducted on the guards?
What is the guard staff turnover?
Is there a process for authorizing access to secured areas?

Is there an audit process in place to monitor who has access to secured areas on a periodic basis?
Is access to sensitive areas (server location, tape library, computer room, etc.) physically restricted to authorized personnel?
Are your facilities physically secured (all access points are locked or guarded)?
Is there an access control system?
Are access control logs periodically reviewed and retained per retention requirements?
Are all emergency exits secured, alarmed, and functioning properly?
Is access to cable and wiring closets restricted? Explain how it is restricted.
Is there a security intruder or alarm system? If yes, is it deemed adequate for the operation?
Is the security intruder alarm system connected to a security company or a law enforcement agency?
Do you use cameras to monitor the facility on a 24x7 basis?
Are all cameras operating and positioned properly to view activity at all entrances/exits to the facility and sensitive areas (e.

Is recording equipment operational and recording properly?

How long are recordings retained?
Are recordings periodically reviewed for quality?
Is there a formal policy for the approval of the removal of equipment? Is there a log with an approval process? Do you allo

What preventative measures do you have in place regarding portable systems? Cable locks for laptops? Other security me

Do Policies or Procedures include an Acceptable Use Policy (including computer resource use, fax, phone, Internet access,
Do Policies and Procedures include data and system authorization access criteria and mechanisms to ensure least-privilege
access, as well as procedures to validate and maintain user access rights (e.g., add new users, modify the access levels of e

Do Policies and Procedures include an Authorized Use Policy including user responsibilities for data confidentiality, privacy,
unauthorized access?
Do Policies and Procedures include a Network Security and Network Access control policy which includes (if applicable) pol
wireless access?
Do Policies or Procedures include a Change Control Policy including the assignment of responsibility and accountability for
components prior to implementation?
Do Policies or Procedures address ways to resolve complaints and requests relating to security, confidentiality, and availabi
agencies and use of 3rd party dispute resolution process?
Do you have policies and procedures to address handling security breaches and other incidents, including Notification of Af

Do Policies or Procedures address monitoring for compliance and exceptions to the security policies, standards, and proced
etc.)?
Do Policies and Procedures include a provision for the identification of, and compliance to, applicable laws and regulations
provide details on what procedures are in place to handle breaches or fraudulent activity once identified.

Do Policies and Procedures include data classification and procedures for labeling, retention, handling and destroying data
security controls based on the data classification?
Are security policies or procedures periodically reviewed, updated, and approved by a designated individual or group? How
Are policies or procedures accessible to employees, contractors, and sub-vendors and are changes to these policies comm

Do you have a formal and documented security awareness program?

Is security awareness training performed annually? (maximum interval allowed)
Are pre-employment background checks conducted on employees working with American Express data?
Are cleaning and maintenance personnel properly controlled and supervised?
Are background checks required of cleaning and maintenance personnel?
Is the Information Protection Contract Requirements contractual agreement in place?
Are employees required to sign a confidentiality agreement as a routine part of their employment? Indicate if the "G4S Con
employees with access to G4S confidential information?
Is G4S proprietary data disclosed to subcontractors, service providers, or any third parties? If so, describe the type of data a
member account number. Also, was G4S approval obtained?
Are subcontractors used to process or store G4S proprietary data? If so, describe the type of data and specifically if it inclu
Also, is there a binding agreement in place with those subcontractors requiring them to comply with the Information Protecti

Is a data retention and disposal policy in place to limit storage amount and retention time of G4S proprietary data to that wh
documented in the G4S Data Retention Guidelines and Requirements?
Describe the types of G4S proprietary data, including the format used, that are processed, stored, accessed, and displayed. S
card member account numbers. Is this documented formally in an Asset Inventory which includes the type of data and stor

Is G4S proprietary information accessible to employees, contractors and/or sub-vendors based on business need to know o
controlled?
Is G4S proprietary information protected from unauthorized disclosure and not divulged without express approval?
Are safeguards in place for all G4S personalized material on-site including labels, reports, tapes and blank stock?
Is G4S data disseminated in a secure manner?
Is G4S data labeled in a manner that is appropriate to its classification?
Are obvious identifiers used to identify G4S information?
Does the application permit a user to save reports, capture screenshots, etc. and store the G4S data to a local system (wor

Is G4S work conducted in an area that has the necessary controls in place to ensure adequate protection of G4S informatio

If employees supporting G4S services have internet access, what controls are in place to protect G4S data from potential c

Are there internet usage policies documented that include provisions to protect data confidentiality (dissemination of sensitiv
representative of the company, etc.) and have employees been advised of and agreed to such policies?

Are any system interfaces used that could potentially retain G4S data (e.g., databases, replication utilities, website cookies, w
the data? Is the data deleted after it is no longer needed, and what is the process of deletion?

Is any G4S sensitive data retained? Describe purpose and retention procedures.
If call recording is performed, are encryption, access controls, and other security controls in place to protect the confidentiality

Are there procedures for Service Provider relationships with access to G4S data that include initial security due diligence, ri
compliance visits or audits, and compliance enforcement?
Is all G4S Data logically separate from other customers' data and identifiable as G4S Data?
Has a risk analysis been performed to identify the need for physical separation (e.g., separate servers) of G4S stored data?

Is a disposition strategy in place and documented (e.g., a sensitive data disposal policy) which includes: sensitive trash and el
Is all sensitive computer room trash shredded or erased?
Are areas clear of sensitive material left lying around (fax areas, down lines, printouts, etc.)? Sensitive material is anything
number, SS number, spending info, Membership Rewards account info, etc.
Is sensitive trash contained in locked bins until disposed?
Are there procedures for secure destruction of sensitive data on tapes and other electronic media (including hard drives) tha
controls for the media prior to destruction?
Is a certified (e.g., NAID) external company being employed to remove sensitive waste for destruction, and has their process

Are there procedures for secure handling of sensitive data on removable media (e.g., tape, CD, disk, USB devices, etc.) in s
encryption?
Do employees (or applications) accessing G4S data or systems currently require G4S-issued user IDs to access G4S syste
Are there any generic, temporary, guest, shared, application level, or group logins used? If so, describe associated controls
using these IDs.
Are User IDs reviewed periodically to ensure that inactive IDs (period of 90 days) are removed from the system?
Are screen savers activated after a period of inactivity requiring a password to reactivate? Alternatively, does the terminal s
reactivate?
Are there policies and security controls to prevent and detect unauthorized transfer of confidential information via mobile de
cameras, cell phones), instant messaging, email and other communication mechanisms?
Are terminal screens protected from viewing by unauthorized personnel?
Are hardware, operating system, and application software configuration tables restricted to appropriate personnel?
Are utility programs that can read, add, change or delete production data or programs restricted to authorized technical serv
computer operations?
Is access to network devices and storage media controlled, logged, and reviewed for unauthorized access? How often is th

Do all systems and devices (Servers, workstations, VPN, routers, RAS, etc.) have mechanisms in place to identify the syste
logon help messages?
Is the listing of all master passwords (System Level Passwords) stored in an encrypted database and an additional copy ma

Are there procedures in place to track and review user access activity?
Are there documented procedures in place to periodically review user access activity logs and/or reports which includes act
retained?
Are there thin-client (browser based) applications used for data processing? Elaborate on whether these are Internet facing

If the web applications are Intranet only, are these protected from being accessed from the Internet? Elaborate on details.
Is there a documented application development process or methodology for in-house developed applications? Does it inclu
backdoors, and coding vulnerabilities (e.g., unvalidated input, cross-site scripting, insecure session management, etc.)?

Do authentication features require a user-specific user ID and password?

Do the authentication features use full SSN / National ID, card member account number, mother's maiden name, email add
password?
Are password complexity rules implemented on systems with G4S data consistent with G4S password requirements (minim
requirements? What history requirements are there regarding re-use of passwords? What lockout settings are there?

Is there a capability for users to change their password?

Do passwords expire periodically requiring a user to change their password or a system reset of password?
Is there a temporary lock-out in the case of repeated logon attempts with an invalid password?
Are strong authentication criteria used to adequately identify a user prior to allowing the user to reset a forgotten password?
Does the system ever e-mail a copy of the password over the Internet without using secured e-mail?
Are there documented procedures in place regarding steps to be followed for voluntary and involuntary employee terminatio
Physical Access - Is there a process to revoke/suspend badge access when an employee terminates or transfers and are b

Logical Access - Are IDs of terminated or transferred employees revoked immediately?

Are there documented policies and procedures to separate the application Development environment from the Production e

Is access to production servers and/or data prohibited for developers with appropriate level of approvals, documentation, ov
controls, problem management procedures)?
Is access control and monitoring in place to ensure continued adherence to development and production separation policies
Does data used in the development and test system contain direct copies of production data?
Is an adequate active load balancing system implemented to support availability requirements?
Does a single point of failure exist in the production implementation of the application?
Is a tape backup system used and are tapes transferred to a secure offsite data repository as appropriate for the application
Do you have configuration and change management procedures that include the use of standard configuration builds, serve
and approval process, back-out procedures, monitoring system and application changes, etc.?
Are there written procedures covering security patch and system updates?
Are there written procedures covering escalation procedures in the event of operational failures, or an intrusion being detec
Do you have documented security policies and procedures that are dedicated to work at home users including screening, p
network (including wireless) and telecommunications security, equipment restrictions such as company owned equipment a
support (i.e. configuration management and security patching), home-sourcing specific security training, audit and enforcem

Are host-based intrusion detection/prevention capabilities (HIDS/HIPS) used on high-risk platforms? Provide details on produ

If HIDS/HIPS is used, are there procedures in place to document and maintain the security rules?
Do you have formal problem management procedures including: problem tracking, documentation, root cause analysis, int

Are remote access capabilities provided? Provide details on capabilities.

If remote access is available (for users or system maintenance), is communication encrypted and access authenticated by t
(e.g., production network for technical staff and corporate network by remote travelers)?
Do you allow remote access to production servers for system maintenance? If so, is it performed over a protected, dedicate
corporate offices or other locations?
Is 128-bit encryption or higher used when transmitting and/or communicating sensitive data or user credentials across netw
and external networks and conditions of the transmission (when and how).
Is sensitive data (e.g. account numbers, employee or customer data such as Name, Address, SSN, spend history; Card ma

For proprietary (in house developed) or purchased package applications with internal authentication mechanisms, are the p

Is the backup copy of all sensitive data encrypted?

Do you use any other public or private keys? Describe key management procedures (storage, distribution, access, revocat

Are laptop computers that contain sensitive data protected with PC encryption software?
Is there a comprehensive network management program including procedures for alerting on network failures and anomalie
devices and wireless access points, access and change audit log review, etc.?
Is there a documented procedure for the addition, removal, and transport of network devices? (e.g., change management p

Is there a documented network topology/register which includes phone (PBX), voice and wireless networks? How is it main

Is there a network Intrusion Detection System (IDS) implemented to detect unauthorized traffic on the internal network? Inclu
What is the immediate response? How are event management and forensics handled?
For all wireless networks, are transmissions encrypted using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC VP

If network IDS is implemented, are there Internet facing IDS sensors documented and maintained to detect attempted attac

Are first-level firewalls (in front of the web servers) implemented to protect the web servers from attack? Include information

Are second-level firewalls (in between the web servers and application servers) implemented to provide additional security t
web servers are compromised? Include information on how the firewall rules are documented and maintained.

Are all Internet systems implemented to ensure that sensitive data cannot be downloaded by an unauthorized person(s) wh
tier architectures, no sensitive data stored unencrypted on web tier, etc.)

Are there mechanisms, such as firewalls, in place to protect the internal network from exterior networks (Internet, other conne

Is virus and spyware detection software utilized on all susceptible platforms (desktops, laptops, email gateways, servers, pr
system? List platforms.
Is the virus protection managed on all platforms to ensure anti-virus engines and signature files remain current to provide m

Are all systems including network and storage devices maintained with up-to-date security patches for the operating system
and procedures for confirming these (vulnerability scanning, manual review, etc.).
Is there regular system and application vulnerability scanning performed using commercial scanning tools? How is the tool

Are independent security providers used to conduct periodic security reviews, vulnerability assessments, and/or penetration
Are there internal reviews conducted on system security controls as part of internal audit or other review functions? Are res
management?
Are there internal reviews conducted at remote or satellite company locations (including development and data centers, cus
policies, standards, and procedures?
Are logs analyzed to identify trends that may have a potential impact on the ability to achieve system security objectives?
Are regular IT staff meetings held to address system security concerns and trends? Are findings discussed at periodic man

Do you have procedures in place for periodic review of sensitive systems, infrastructure, and applications including frequen

Are heat-sensitive sprinklers located in all areas of the facilities?

Are fire extinguishers present throughout the facility and do they have proper identifying signage, a current inspection on fil

Are heat/smoke detection systems adequate and accurately placed?

Are water detectors installed within raised floor areas?
Is the fire alarm system connected to an off-site monitoring location, security company or fire department agency?
Is there a UPS (uninterruptible power supply) or alternative power source (back-up generators)? Is there redundant e
secondary power lines, etc.)?
Is the equipment tested semiannually?
Have you ever had to use your UPS, fire alarm systems, sprinklers, etc.? What were the results?
Are preventative maintenance agreements and scheduled maintenance procedures in place for key system hardware comp
How long will back-up power systems maintain critical systems? How long will onsite fuel last?
Are physical security procedures relating to environmental system monitoring defined, documented and provided to employ
Are emergency procedures for protecting the security of information defined, documented and provided to employees?
Is there a documented and tested Disaster Recovery Plan in place for all critical and essential systems? Provide details rela
approval, testing, maintenance, communications and notifications.
When was the last time the Disaster Recovery Plan was tested?
Have you ever had to invoke the Business Continuity Plan or Disaster Recovery Plan? What were the results?
Are there automated backup procedures in place and can the backup data that is generated by these automated backups b
Is the usability of backups verified at least annually?
Are the backup systems and data tested as part of the annual Disaster Recovery test?
