Web Site Security Policy

Purpose

This policy defines the minimum requirements for Rhuddlan Golf Club with regard to building, operating and maintaining a secure web site.  In order to transact business efficiently with customers, Rhuddlan Golf Club operates one or more internet-facing web sites.  Because web technologies are complex, cyber-criminals frequently exploit weaknesses in a web site to harm the organisation that operates it or other organisations, or to steal valuable information for profit or other malicious purposes.

Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at Rhuddlan Golf Club, including all personnel affiliated with third parties.

This policy also applies to all internet-facing web sites owned or operated by Rhuddlan Golf Club.  These web sites include:

  • Club Systems (Club V1) membership and handicapping
  • BRS (tee booking)

Policy

Roles and Responsibilities

Web Content Manager – The club appoints, from time to time, an officer who is responsible for the final approval of all information to be posted on external web sites.

IT Manager – Information Technology (IT) is outsourced to a suitable third-party software company, which is responsible for establishing and maintaining the configuration of all Rhuddlan Golf Club web site software.  Because Rhuddlan Golf Club uses third parties to host or manage the club web sites, the appointed Web Content Manager is responsible for ensuring that each third party has proper controls in place to manage these sites securely.

Web Site Configuration

Secure Configuration Required – All Rhuddlan Golf Club web sites maintain a secure configuration that enables the site to resist common attacks.  The IT Manager is responsible for establishing and maintaining this configuration in line with recognised hardening standards.

Scanning Required – To maintain a secure configuration, Rhuddlan Golf Club employs a qualified third party to perform monthly vulnerability scans of each Rhuddlan Golf Club web site.

Vulnerability Remediation – Weaknesses or vulnerabilities found on a Rhuddlan Golf Club web site will be corrected within 7 business days of discovery.

Encryption Required – All Rhuddlan Golf Club web sites that process sensitive customer data, such as credit card details or other sensitive personal information, protect these transactions with transport encryption.  References in this policy to Secure Sockets Layer (SSL) should be read as its successor, Transport Layer Security (TLS): every version of SSL, as well as TLS 1.0 and 1.1, is deprecated and should be disabled in favour of TLS 1.2 or later.

Directory Browsing Disabled – All Rhuddlan Golf Club web sites have directory browsing (automatic index listings) disabled.  In addition, a club-defined error page is served for all “File-Not-Found” (HTTP 404) requests processed by the server, so that the web server's stock error page, which may reveal the server software and version, is never shown.
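As an added illustration, not the club's or its hosting providers' actual configuration (which this policy does not reproduce), the following nginx server block shows what the Encryption Required and Directory Browsing Disabled requirements above look like when implemented on a web server.  The hostname, certificate paths and document root are placeholder assumptions; the comments note the weak setting each directive replaces.

```nginx
# Added illustration only; not the configuration of any Rhuddlan Golf Club site.
# Assumes nginx. Hostname, certificate paths and document root are placeholders.

# Every plain-HTTP request is redirected, so a form is never submitted in clear.
server {
    listen 80;
    server_name www.example-golfclub.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example-golfclub.org;

    # Placeholder paths for the site certificate and private key.
    ssl_certificate     /etc/ssl/certs/site.pem;
    ssl_certificate_key /etc/ssl/private/site.key;

    # Weak setting: leaving ssl_protocols at its default, which on older nginx
    # releases still offers TLS 1.0 and 1.1. Restrict to TLS 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS only for the next year. Enable includeSubDomains
    # only once every subdomain of the site is served over TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Weak setting: "server_tokens on" (the default) prints the nginx version in
    # the Server header and on stock error pages.
    server_tokens off;

    root /var/www/site;

    # Weak setting: "autoindex on" lists the contents of any directory without
    # an index file, exposing backups, uploads and other files by name.
    autoindex off;

    # Serve a club-branded page for every 404 instead of the stock error page.
    # "internal" stops the page from being requested directly as /404.html.
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Note that the club does not operate these servers itself; the block is useful mainly as a checklist for the Web Content Manager when confirming with Club Systems or BRS that the equivalent settings are in place.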

Customer Privacy Protection

Privacy Policy Required – All internet-facing web sites have a posted Privacy Policy that details the ways in which Rhuddlan Golf Club protects the privacy of customers using the internet site.

P3P Standard Privacy Policy – In addition to the human-readable Privacy Policy, the club web site has a machine-readable privacy policy conforming to the Platform for Privacy Preferences (P3P) standard.  Note that the W3C retired P3P in 2018 and no current mainstream browser reads P3P policies, so this requirement should be reviewed rather than relied on as a control.

Privacy Seals – The Club internet-facing public web site has an approved third-party privacy seal prominently displayed on the main home page of the site.

Inventory of Customer PII – Rhuddlan Golf Club maintains an inventory of all Personally Identifiable Information (PII) collected or processed on the club web sites.  All web-based forms that collect or process PII must be served and submitted over TLS (historically referred to as SSL).

Secure Web Forms – All Rhuddlan Golf Club web pages that collect sensitive information from customers use TLS encryption, as set out under Encryption Required above.

Web Site Content and Changes

Only Approved Content – Rhuddlan Golf Club only posts information on the club external web site that has been approved by the Web Content Manager.  Further, Rhuddlan Golf Club only posts information content that has been classified as “PUBLIC”.  Under no circumstances will CONFIDENTIAL information be posted on any internet web site.

Web Page Changes – No unauthorized persons are permitted to establish new Internet pages dealing with Rhuddlan Golf Club business, or make modifications to existing web pages dealing with Rhuddlan Golf Club business, unless they have obtained the approval of the Internet management committee.  Modifications include the addition of links to other sites, updating the information displayed, and altering the graphic layout of a page.  This committee must ensure that all posted material has a consistent and polished appearance, is aligned with business goals, and is protected with adequate security measures.

Web Page Archives – Every version of the Rhuddlan Golf Club Internet site and commerce site files is securely archived in two physically separated locations.  The Internet management committee will designate a Web Content Manager who will keep this archive and provide copies of historical pages on demand.

Publicly-Writable Directories – All publicly-writable directories on Rhuddlan Golf Club Internet-connected computers are reviewed and cleared each evening.

Posting Software or Content – Administrators using Rhuddlan Golf Club computers must not be involved in any way with the exchange of pirated software, purloined passwords, stolen credit card numbers, or inappropriate written or graphic material.

Company Blogs – In order to communicate with customers, Rhuddlan Golf Club may use special software known as web logs or “blogs”.  Only authorized personnel who have been trained on the use of blogging software and approved by the club are allowed to post information on external blogs.

Violations

Any violation of this policy may result in disciplinary action, up to and including termination of employment.  Rhuddlan Golf Club reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.  Rhuddlan Golf Club does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties.  Accordingly, to the extent permitted by law, Rhuddlan Golf Club reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written or verbal complaint to his or her manager, or to the General Manager as soon as possible.

Definitions

Confidential Information (Sensitive Information) – Any Rhuddlan Golf Club information that is not publicly known, including tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form.  Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs and pricing, and employee information and lists including organizational charts.  Confidential Information also includes any confidential information received by Rhuddlan Golf Club from a third party under a non-disclosure agreement.

Electronic Messaging System – Any device or application that provides the capability to exchange digital communication between two or more parties will be known as an “electronic messaging system”.  Examples are electronic mail, instant messaging, and text messaging.

Information Asset – Any Rhuddlan Golf Club data in any form, and the equipment used to manage, process, or store Rhuddlan Golf Club data, that is used in the course of executing business.  This includes, but is not limited to, corporate, customer, and partner data.

Internet – within this policy, the term “Internet” is used to reference all electronic communications which access the internet, including web sites, internet relay chat (IRC), message boards, or blogs.

Partner – Any non-employee of Rhuddlan Golf Club who is contractually bound to provide some form of service to Rhuddlan Golf Club.

Web Site – Within this policy, the term “web site” refers to all information and software