Overview
Glo Woodstock Day Spa recognizes the importance of electronic commerce (e-commerce) activities to its present day operations. Glo Woodstock Day Spa is committed to using e-commerce activities in a cost effective manner that promotes accuracy, safety, security, and efficiency. These activities bring automation and efficiencies to traditional manual tasks and allow quicker access to information resulting in improved member service.
Purpose
This e-commerce policy is to be used as both a guideline and an overview in the management of Glo Woodstock Day Spa’s electronic services.
Policy Detail
Glo Woodstock Day Spa is committed to enhancing member service through the use of many forms of e-commerce activities.
Electronic commerce activities include Glo Woodstock Day Spa’s web site, email, telephone access system, ACH transactions, ATM system, online bill payment, and home banking services. They also include business-to-business transactions where interaction is conducted electronically between Glo Woodstock Day Spa and its business partners using the Internet as the communications network.
It is the practice of Glo Woodstock Day Spa to safeguard website visitors and customers data at all times, including the processing of e-commerce transactions. Information must be protected at both the sending and receiving ends of each transaction. To accomplish this, there are several levels of protection applied to e-commerce activities.
Encryption
Encrypting transactions provides security by ensuring that no portion of a transaction is readable except by the parties at each end of the transmission. This ensures that data can be transmitted securely without concern that another party could intercept all or part of the transaction. Encryption also makes certain that the transaction is not tampered with as it routes from point to point and data is received exactly as it was sent. Glo Woodstock Day Spa will use a minimum of 128b encryption. This also applies to vendors that host Glo Woodstock Day Spa member data.
Authentication
After a secure connection is established, the initiating party must prove his/her identity prior to conducting the transaction. This is typically handled with user IDs or account numbers, along with password or PIN combinations. Additionally, encryption certificates are also employed to validate the authenticity of both servers and users. System administrators control system access by assigning users different levels of access for applications and data. These access levels are determined by senior management and are specific to each job function. This ensures that access to applications and specific types of transactions are only granted as job functions require.
Firewalls
Glo Woodstock Day Spa will deploy and utilize firewalls as necessary to protect internal systems from threats originating from the Internet, as well as those that might be present when connecting to vendors’ networks. Firewall operating systems and configurations will be reviewed periodically to ensure maximum protection. An audit log will be maintained tracking all attempts to access un-configured (blocked) services. Firewalls and other access devices will be used, as needed, to limit access to sites or services that are deemed inappropriate or non-corporate in nature. Vendor hosted solution firewalls will be reviewed prior to implementation.
Network Traffic Rules and Restrictions
Intra-network traffic is subject to distinct operating rules and restrictions. Through the use of firewall technology, outside parties are directed only to approved, internal resources. An example of this is web page services that allow certain types of traffic from the Internet (web page browsing) but have other types of traffic blocked (i.e. administrative tasks). This strategy dramatically reduces the risk of any party gaining unauthorized access to a protected server.
The internal network is also protected from virus attacks through the use of network-level anti-virus software that is updated automatically on a regular basis. These regular updates are loaded automatically to each PC, as they are available. This provides the most up to date virus protection and security available. E-mail is also scanned prior to delivery, reducing the potential of a virus entering the network in this manner.
User Password Maintenance
Staff passwords, on the host data processing system, expire after 45 or 90 days, forcing users to modify their passwords. This control, along with a strict Glo Woodstock Day Spa policy prohibiting users from sharing or disclosing their passwords, is intended to prohibit unauthorized access to systems and data. After receiving a change in employment status staff immediately removes user access codes from appropriate systems.
Customer Profile
For users/customers that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information. Your payment and personal information is always safe. Our Secure Sockets Layer (SSL) software is the industry standard and among the best software available today for secure commerce transactions. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read over the internet. Your online account/profile with us does not store any of your credit card information. You will be required to reenter this information on each transaction with us.
Expert Assistance
Glo Woodstock Day Spa recognizes that e-commerce security issues change daily. New threats to security, safety, and accuracy appear daily and system vendors publish updates and patches regularly to eliminate the threat.
Response Program
In the event Glo Woodstock Day Spa suspects or detects unauthorized individuals have gained access to member information systems, Glo Woodstock Day Spa will report such actions to appropriate regulatory and law enforcement agencies according to Glo Woodstock Day Spa’s information security response procedures.