What security controls and procedures is a Budget licensee required to maintain to protect computer systems and data?

Budget Franchise · 2025 FDD

Answer from 2025 FDD Document

  • A. REQUIRED CONTROLS: Licensee must acquire, install, maintain and implement the following security Controls for its Equipment in accordance with ABCR'S Security Policies and Procedures:
      1. Hardware Firewall Protection placed so as to intercept and control all electronic data traffic between the Internet and Licensee's business systems or networks with access to the System.
      2. Anti-Malware Protection providing scanning for computer viruses and other malware of any (a) electronic data file or e-mail obtained via the Internet or other network or (b) removable media that is used in or transmitted by Licensee's business systems or networks with access to the System.
      3. Personal Firewall Protection providing the client machine with firewall capabilities to locally protect the device.
      4. Intrusion Detection at all Internet or Third Party access points and portals of Licensee's business systems or networks with access to the System. The intrusion detection controls must be positioned to monitor all electronic data traffic between such business systems or networks and the Internet or other Third Party connections.
      5. Encryption of at least 128-bit must be employed for electronic data transmission that contains confidential, credit card and/or PII (Personally Identifiable Information) data that traverse any network and are processed by Licensee's business systems or networks with access to the System. For encryption in storage, such as email or local media, industry standard encryption tools must be utilized.
      6. Wireless Networking is not generally acceptable for systems that will be interfacing with the System. Should Licensee have a requirement to utilize Wireless Networking for the devices that interface with the System, the wireless network must be protected with a minimum of WPA-2 encryption with keys rotated quarterly. Additionally, MAC address filtering should be implemented to only permit known devices on the wireless network.
  • B. APPROVED PRODUCTS: The security products approved by ABCR for use by Licensee as of the date of execution of this Addendum are listed below in order of preference. Any exceptions must be approved in advance, in writing, by ABCR Data Security. ABCR may modify this list, including adding or deleting products or categories, in accordance with the terms of this Addendum.

rules set forth in this paragraph. All users must identify themselves and be authenticated, whether accessing the System from Licensee's locations or some other location. Licensee must disable any "save password" features in software present on Licensee's Equipment.

  • (i) Licensee must establish and make best efforts to enforce policies that require Licensee's employees to scan all files obtained via the Internet, electronic mail, or diskette or other means for computer viruses, using the virus detection software specified in the Controls. Under no circumstances must Licensee knowingly permit any user of Licensee's Equipment to transfer or transmit any infected files, or files that have not been scanned as required by the Controls, to other individuals or organizations. If a computer virus is detected, Licensee's policy must require the individual to contact the Help Desk immediately.
  • (j) All of Licensee's business systems which have access to the System and have some form of access to the Internet, or which are connected to any network which has access to the Internet, must be protected by a firewall system specified in the Controls. The firewall must be placed so as to intercept and control all data traffic between the Internet and Licensee's business systems or networks so protected. No gateway or multi-user system with access to the System may be directly accessed from the Internet.
  • (k) The Licensee must implement a network intrusion detection system ("IDS") at all Internet access points and portals as specified in the Controls. ABCR may require the IDS to be positioned to monitor all traffic to and from the Internet.
  • (l) All of Licensee's Equipment which has access to the System, or connects to a network or via a network to such Equipment, must be installed and configured in accordance with the manufacturer's recommendations or provisions for a secure configuration. All default passwords and accounts must be changed or removed prior to access to the System.
  • (m) All operating systems and applications that reside on the Equipment must have all manufacturer-supplied service packs, security patches, updates or other corrective measures applied. The service packs, security patches, updates or measures must be reviewed by the administrator designated by Licensee at least every 60 days and updated as recommended by the manufacturer.
  • (n) All connections between remote users and Licensee's business systems that traverse the Internet in any form, over any protocol, must utilize strong encryption (at least 128 bit).
  • (o) In the event Licensee believes a security breach has occurred or is occurring, Licensee must contact the Help Desk immediately. Licensee will cooperate fully with ABCR or its designated agents when investigating or resolving any actual or potential incident.

Licensee warrants, represents and covenants that it has and will maintain on a continual basis, security controls and procedures in place which meet current industry standards, (including firewalls, web security, email protection, intrusion detection, incident response process, malware protection, information protection (including PII and physical security) and the necessary security processes, procedures, and practices to support the security controls and infrastructure to protect its computer systems, reservation systems, network devices and/or the data processed thereon against the risk of hacking, surveillance, theft or penetration by, or exposure to, a third party via any system or feature utilized by Licensee.

Licensee shall also implement and maintain current industry standard anti-malware measures to detect, prevent and remove computer malware and/or other contaminants to prevent the spread of computer viruses between the parties which access or exchange data or software through any network connectivity.

Anti-malware measures shall be incorporated on all data transfer mechanisms, including current industry encryption standards, as well as any other points reasonably requested by Budget.


Licensee is expected to employ the Controls available, and commercially reasonable security mechanisms and procedures including those specified herein.

  • (f) Licensee is responsible for making best efforts to enforce a policy under which (i) its authorized users log off Licensee's business systems when not in use or lock their screens when leaving their Equipment unattended and (ii) the business systems cannot be remotely operated or accessed by an unauthorized user.

Licensee must automatically log all remote logins through Licensee's Equipment, whether successful or failed, and the logs must be reviewed at least once per week by senior supervisory personnel of Licensee for signs of unauthorized access.

  • (g) Licensee will provide "administrator" or "super-user" access to Licensee's business systems only to Licensee's employees, agents and contractors to whom Licensee has assigned responsibility to maintain such systems.

  • (h) Licensee will appoint a password administrator who will assign to each of Licensee's authorized users a unique password and a unique User ID.

Licensee will establish policies and make reasonable efforts to protect the confidentiality of each such password and User ID.

Licensee must instruct its employees to keep such passwords and User ID information confidential and to avoid sharing or disclosing such passwords and User ID's except to the password administrator.

Licensee must establish and enforce policies and procedures governing its authorized users.

Unless ABCR for good reasons advises otherwise, Licensee will follow the


  • (c) If Licensee fails to install, maintain, implement and observe the Controls as mandated by ABCR in written procedures, Licensee will be in material breach of the Rental System Agreement, the License Agreement and responsible for any resulting damage or expense incurred by ABCR and the System.

Licensee will be responsible for the expense required to correct any non-conformity of Licensee's Equipment or communication systems employed by Licensee with the System, including non-PCI compliance.

As a result of any such material breach, Licensee will be suspended from network access until the failure is remedied to ABCR'S satisfaction.

If any such failure happens more than twice within any one-year period, ABCR may also, at its discretion, suspend permanently Licensee's connection to the System via the Internet, and require Licensee to follow dedicated connection procedures at Licensee's expense as provided in the Rental System Agreement.

  • (d) Licensee will be responsible for any damage suffered by ABCR and/or the System as a result of unauthorized access, use or code or file transmission from Licensee's Equipment during any period in which the Controls are not in place on Licensee's Equipment.

  • (e) Licensee is responsible for the actions of all of its authorized users who have access to Licensee's Equipment at Licensee's locations, regardless of the location of the persons or the means by which such persons access the Equipment.

This responsibility exists regardless of the security mechanisms that are in place.

This responsibility also extends to actions taken by persons who are not authorized to (i) use Licensee's Equipment but who use Licensee's Equipment while physically located at one of Licensee's locations or (ii) access the System remotely but nevertheless have such access due to Licensee's intentional or negligent act or omission.

Source: Item 23 — RECEIPTS (FDD pages 80–426)

What This Means (2025 FDD)

According to Budget's 2025 Franchise Disclosure Document, licensees must maintain security controls and procedures that meet current industry standards to protect their computer systems, reservation systems, network devices, and the data processed on them against hacking, surveillance, theft, or penetration by, or exposure to, third parties. These controls include firewalls, web security, email protection, intrusion detection, incident response processes, malware protection, and information protection, including Personally Identifiable Information (PII) and physical security. Licensees must also implement and maintain current industry-standard anti-malware measures to prevent the spread of computer viruses. These measures should be incorporated on all data transfer mechanisms, including current industry encryption standards.

Budget requires specific security controls for the licensee's equipment, as detailed in Schedule 2 "Controls" of the FDD. These required controls include hardware firewall protection to control electronic data traffic between the Internet and the licensee's business systems, anti-malware protection to scan for computer viruses, personal firewall protection to provide client machine firewall capabilities, and intrusion detection at all Internet or third-party access points. Encryption of at least 128-bit must be used for electronic data transmission containing confidential, credit card, and/or PII data. Wireless networking is generally not acceptable, but if used, it must be protected with a minimum of WPA-2 encryption with keys rotated quarterly, and MAC address filtering should be implemented.

Licensees must also enforce policies that require employees to scan all files obtained via the Internet for viruses and must not knowingly transmit infected files. All business systems with Internet access must be protected by a firewall system. A network intrusion detection system must be implemented at all Internet access points. All equipment must be installed and configured securely, with default passwords changed or removed. Operating systems and applications must have all manufacturer-supplied updates applied, reviewed at least every 60 days. All connections between remote users and the licensee's business systems must use strong encryption (at least 128 bit). Licensees must contact the Help Desk immediately if a security breach is suspected and cooperate fully with investigations.

Licensees are expected to employ commercially reasonable security mechanisms and procedures. They must enforce a policy where users log off or lock their screens when not in use and prevent unauthorized remote access. Access to "administrator" or "super-user" privileges should be limited to employees responsible for system maintenance. A password administrator must assign unique passwords and User IDs, and policies must be established to protect the confidentiality of this information. Licensees are responsible for the actions of all authorized users and any unauthorized access resulting from their negligence. Failure to maintain these controls constitutes a material breach of the Rental System Agreement and may result in suspension from network access and responsibility for any resulting damage or expense.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.