Company: AlterHosting LLC
Website: alterhosting.com
Document: Information Security Policy (ISP)
Version: 1.0
Effective date: 2026-01-10
Owner: Information Security Officer (ISO) — I.D. Kotik (support@alterhosting.com)
Approved by: Managing Member / Owner — I.D. Kotik (support@alterhosting.com)
Review cadence: At least annually, and after material changes or security incidents.
Scope note (PCI): AlterHosting LLC uses a third-party hosted payment page for card payments. AlterHosting LLC's policy is not to store, process, or transmit cardholder data (CHD) on AlterHosting-owned systems. Customers enter payment details directly in the payment processor's environment.
0. Roles, responsibilities, and definitions
0.0 Policy exceptions and enforcement
- Exceptions to this policy require written approval from the ISO and Executive Officer/Approver, including scope, duration, and compensating controls.
- Enforcement: Violations may result in access revocation, disciplinary action (up to termination), and potential legal action.
0.1 Roles (fill in once)
| Role | Responsibility | Name | Contact |
|---|---|---|---|
| Executive Officer / Approver | Final accountability for security and PCI compliance | I.D. Kotik | support@alterhosting.com |
| Information Security Officer (ISO) | Owns this policy, incident response lead, risk decisions | I.D. Kotik | support@alterhosting.com |
| IT Administrator (if different) | System administration, patching, access management | I.D. Kotik | support@alterhosting.com |
| All personnel | Follow this policy, report incidents, complete training | n/a | n/a |
0.2 Definitions (high level)
- CHD (Cardholder Data): Primary Account Number (PAN) and any related elements as defined by PCI DSS.
- SAD (Sensitive Authentication Data): Track data, CVV/CVC, PIN/PIN block (must never be stored after authorization).
- CDE (Cardholder Data Environment): Systems that store/process/transmit CHD. For AlterHosting LLC, CDE is outsourced to the payment processor for hosted checkout.
- TPSP: Third-Party Service Provider (payment provider, hosting provider, etc.).
Introduction
AlterHosting LLC handles business and customer information that must be protected from unauthorized access, misuse, alteration, and loss. This Information Security Policy establishes minimum security requirements for people, process, and technology to protect AlterHosting LLC information assets and to support PCI DSS compliance for e-commerce activity.
This policy applies to:
- All AlterHosting LLC personnel (employees, contractors, temporary staff).
- All AlterHosting LLC devices and accounts used for company work.
- All third parties that access AlterHosting LLC systems or data.
All personnel must:
- Handle information according to its classification (see Section 4).
- Use only approved systems and accounts for company work.
- Maintain strong authentication (unique IDs, MFA where available).
- Protect devices (screen lock, encryption, updates).
- Never request, accept, or store CHD via email, chat, or tickets.
- Report suspected incidents immediately (see Section 10).
AlterHosting LLC may monitor, log, and audit use of company systems to protect security and ensure compliance.
1. Network security
1.1 Network boundaries and diagram
- Maintain a high-level diagram of the environment relevant to PCI scope, including:
  - Public website hosting and admin access paths
  - Third-party hosted payment page relationship (redirect/link/iframe if applicable)
  - Any externally accessible administrative interfaces
- Review the diagram at least annually and after material changes.
1.2 Firewalls and secure configuration
- Internet-facing and internal network devices (routers, firewalls, cloud security groups) must:
  - Use secure configuration (deny by default, allow only necessary ports/services).
  - Disable unused services and management interfaces.
  - Restrict management access to authorized admins only.
- Vendor default credentials must be changed before use (see also Section 13).
1.3 Remote access
- Remote administrative access must:
  - Use MFA where available.
  - Use encrypted protocols only (HTTPS, SSH).
  - Be restricted by IP allowlists where feasible.
  - Be logged.
1.4 Logging and time synchronization (minimum)
- Enable logging for:
  - Website administration access
  - Critical account changes (admin accounts, MFA, password resets)
  - Security alerts (malware, endpoint protection)
- Systems should use automatic time synchronization.
1.5 Vulnerability scanning (where applicable)
- Where AlterHosting LLC has public-facing systems in scope (for example the web server used for redirects/iframes, or any internet-facing admin systems), vulnerability scans should be performed:
  - After significant changes, and periodically (recommended at least quarterly).
- Critical/high vulnerabilities must be prioritized and remediated promptly.
2. Acceptable use policy
2.1 Approved use
Company systems may be used for legitimate business purposes only. Limited personal use is allowed only if it:
- Does not interfere with work,
- Does not introduce security risk,
- Complies with law and this policy.
2.2 Prohibited activities
Personnel must not:
- Share accounts or passwords.
- Install unapproved software, browser extensions, or remote access tools.
- Disable security controls (MFA, antivirus/EDR, disk encryption).
- Use company systems for illegal, offensive, discriminatory, or harassing activity.
- Store CHD or SAD in any form (email, chat, docs, screenshots, tickets).
2.2a Clean desk and screen
- Do not leave confidential/restricted information unattended on desks, printers, or shared spaces.
- Lock screens when away from devices (even briefly).
- Store any necessary paper records in locked storage, then shred when no longer needed.
2.2b Technology change approval
- New software, hardware, browser extensions, integrations, and third-party connections must be approved by the ISO (and documented) before use in the production environment.
2.3 Email and phishing safety
- Treat unexpected links/attachments as suspicious.
- Verify payment-related requests (bank changes, refunds, credentials) out-of-band.
- Report suspected phishing immediately to the ISO.
2.4 Mobile/BYOD (if used)
- If personally owned devices are used for company access, they must meet minimum controls:
  - Screen lock enabled
  - OS supported and updated
  - Disk encryption enabled (where available)
  - No rooted/jailbroken devices
- If these controls cannot be met, BYOD use is not permitted.
3. Protect stored data
3.1 Cardholder data (policy)
- AlterHosting LLC does not store CHD or SAD electronically or on paper.
- Personnel must never ask customers to send card details by email or chat.
- If CHD is received inadvertently:
  - Do not forward or copy it.
  - Notify the ISO immediately.
  - Delete it securely from email/tickets where possible, and document the action.
3.2 Other sensitive data
For non-CHD sensitive data (credentials, customer PII, internal financials):
- Store only in approved systems.
- Use encryption at rest where available (device encryption, secure cloud storage).
- Apply least privilege access.
3.3 Masking
If any system displays partial card data (for example processor receipts):
- Display must be masked (for example first 6 and last 4 digits at most), and never include CVV/CVC.
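The inadvertent-receipt rule in 3.1 and the masking rule in 3.3 can be backed by a simple check over ticket and mailbox text. The Python below is an added example, not AlterHosting's own code or tooling; it uses a Luhn check to cut false positives (an assumption, not a PCI requirement), and the sample ticket text and the 4111... test number are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
# Phone numbers and short order IDs fall outside this length range.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask a PAN to at most first 6 and last 4, as Section 3.3 requires."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) present in free text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def redact_chd(text: str) -> tuple:
    """Replace each Luhn-valid PAN with its masked form; return (text, count)."""
    count = 0
    def _sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)        # not a card number; leave untouched
        count += 1
        return mask_pan(digits)
    return _PAN_CANDIDATE.sub(_sub, text), count

# Constructed ticket text: one test PAN, one phone number, and one 16-digit
# order reference that fails the Luhn check and must be left alone.
SAMPLE_TICKET = ("Customer wrote: my card is 4111-1111-1111-1111, exp 12/27. "
                 "Call 877-828-0720. Order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    redacted, n = redact_chd(SAMPLE_TICKET)
    print(f"{n} PAN(s) redacted:", redacted)
```

The redacted text and the count are what would be recorded when documenting the deletion under 3.1.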
4. Data classification
All information must be classified and handled as follows:
| Classification | Examples | Handling rules |
|---|---|---|
| Public | Public website content, marketing | May be shared freely |
| Internal | Internal procedures, non-sensitive operations data | Share internally only; protect from public disclosure |
| Confidential | Customer PII, credentials, contracts, invoices, access keys | Encrypt where feasible; restrict access; do not share externally without approval |
| Restricted | Security keys, admin credentials, incident details, sensitive legal matters | Need-to-know only; MFA required where possible; store in approved vault/secure storage |
Data owners (management or ISO) may reclassify data if risk changes.
- Access is granted on least privilege and need-to-know basis.
- Each user must have a unique ID before access is granted.
- Shared/generic accounts are prohibited (except non-interactive service accounts, if required).
- MFA is required for:
  - Email accounts
  - Hosting control panels and DNS registrar accounts
  - Payment processor portal (if used)
  - Any remote admin access
- Access reviews:
  - Review administrative access at least quarterly.
  - Remove access immediately upon termination or role change.
6. Physical security
Because AlterHosting LLC primarily operates in an office/home-office environment:
- Work devices must be physically secured (locked room when unattended, screen lock).
- Visitors must not be left unattended near work devices or printed sensitive information.
- Printed sensitive information should be minimized and stored in locked storage when needed.
- If laptops are used, they must have:
  - Disk encryption enabled
  - Screen lock with password/PIN
  - Ability to remote wipe where feasible
7. Protect data in transit
- Use encryption for all transmissions of confidential/restricted data:
  - HTTPS/TLS for web access
  - SSH/SFTP for server administration
- Do not transmit CHD by email, chat, SMS, or ticketing systems.
- If confidential data must be shared externally:
  - Use approved secure sharing (encrypted link, secure portal), and
  - Approve recipient and purpose, and
  - Time-limit access where possible.
8. Disposal of stored data
- Electronic data: securely delete using platform secure deletion, or wipe devices prior to disposal.
- Paper: shred using cross-cut shredding (or equivalent irreversible destruction).
- Retention: keep data only as long as needed for business/legal reasons, then dispose securely.
- Devices being retired must be wiped or physically destroyed, including external drives.
9. Security awareness and procedures
- All personnel must complete security awareness training:
  - On onboarding (before receiving production access), and
  - At least annually thereafter.
- Training must cover:
  - Phishing/social engineering
  - Password hygiene and MFA
  - Handling of confidential data
  - Incident reporting procedures
  - PCI basics (no CHD storage; hosted payment page model)
- Where legally permitted and appropriate for the role, personnel with elevated access may be subject to background screening.
- Personnel must sign the acknowledgement in Appendix A.
10. Credit Card (PCI) security incident response plan
10.1 What counts as an incident
Examples:
- Website compromise or suspected web skimming/malicious scripts
- Unauthorized access to hosting/DNS/email accounts
- Malware on a work device
- Any suspected exposure of customer data (including accidental receipt of CHD)
- Report: Notify ISO immediately.
- Contain: Disconnect affected device/account where possible (disable account, remove from network).
- Preserve evidence: Do not wipe systems unless instructed by ISO; preserve logs and timestamps.
- Assess scope: Identify affected systems, accounts, and data types.
- Engage vendors: Contact hosting provider and payment processor support as needed.
10.3 Notification and escalation (same day)
ISO coordinates notifications as appropriate:
- Payment processor (CardPointe/CardConnect) support
- Acquiring bank/merchant provider
- Law enforcement (if required)
- Customers (if a breach notification obligation exists)
- Cyber insurance carrier (if applicable)
10.4 Post-incident requirements
- Root cause analysis and remediation plan
- Reset credentials and rotate keys/tokens
- Apply patches/hardening
- Document incident timeline, actions taken, and lessons learned
- Update this policy and controls where needed
| Contact type | Organization | Contact | Notes |
|---|---|---|---|
| ISO | AlterHosting LLC | I.D. Kotik / support@alterhosting.com | Primary incident lead |
| Payment processor support | CardPointe/CardConnect | 877-828-0720 | Hosted payment page support |
| Merchant bank/acquirer | Fiserv / First Data | 877-828-0720 | CardPointe Merchant Support (acquirer contact) |
| Hosting provider | IBM Corporation (bare metal) | IBM Cloud Support Center; 1-800-426-7378 | Web server compromise |
| Domain/DNS provider | Joker.com | abuse@joker.com; +49 211 86767447 | DNS takeover risk |
- Maintain an inventory of TPSPs that could affect security or availability (Appendix C).
- Before engaging a TPSP, perform due diligence on:
  - Security features (MFA, encryption, logging)
  - Data handling and retention
  - Breach notification process
  - PCI compliance status (where applicable)
- Contracts should include:
  - Security responsibilities and incident notification timelines
  - Confidentiality and permitted use of data
  - Subprocessor controls (if applicable)
- Monitor TPSP status at least annually and when major changes occur.
12. User access management
12.1 Provisioning
- Access requests must be approved by management/ISO.
- Accounts must be created as individual unique IDs.
- Admin access is granted only when required.
12.2 Changes and periodic review
- Review admin and high-risk access at least quarterly.
- Remove access that is no longer required.
12.3 Termination
- Disable accounts immediately upon termination or contract end.
- Revoke access tokens, API keys, and shared secrets where applicable.
12.4 Vendor default accounts
- If a vendor default account must be used, the default password is changed before enabling the account.
- If not needed, default accounts are removed or disabled.
13. Access control policy (authentication standards)
13.1 Passwords and MFA
- Use MFA wherever supported for company accounts.
- Passwords must be:
  - Minimum 12 characters (or the maximum supported by the system)
  - Unique per system (no reuse)
  - Stored only in an approved password manager (not documents/spreadsheets)
- Change passwords immediately if compromise is suspected.
13.2 Privileged access
- Limit privileged roles to the minimum number of people.
- Separate admin accounts from daily-use accounts where feasible.
- Log admin actions where supported by the platform.
13.3 Secure configuration and change control (web and systems)
- Use approved change control for website/hosting/DNS changes:
  - Document change, approve, implement, validate, and record.
- Keep CMS/plugins/themes and server packages updated.
- Disable unused accounts, services, and ports.
13.4 E-commerce script and website integrity (summary)
- Maintain an inventory of scripts loaded by the website pages involved in the payment journey (including redirects or embedded components, if any).
- Authorize scripts before deployment.
- Review scripts periodically (recommended monthly) for unauthorized changes.
- Implement integrity and hardening controls where feasible (CSP, SRI, file integrity monitoring).
(See Appendix D for detailed e-commerce hardening controls.)
Maintain and review this list at least annually and when devices are added/removed.
| Asset/Device | Type | Owner/Primary user | Location | Serial/ID | Encryption (Y/N) | Notes |
|---|---|---|---|---|---|---|
| | | | | | | |
Appendix C. Third-party service providers (TPSP inventory)
| Service provider | Service | Data involved | PCI relevance | Contract/terms on file (Y/N) | Compliance evidence/review date |
|---|---|---|---|---|---|
| CardPointe / CardConnect | Hosted payments | Payment data (in their environment) | Yes (hosted payment page) | Y | 2026-01-10 |
Appendix D. E-commerce configuration and hardening policy (minimum controls)
These controls apply to systems used to host, administer, or modify alterhosting.com, including any pages that redirect customers to the hosted payment page.
D.1 Standard configuration
- Harden servers and admin portals:
  - Disable unnecessary services
  - Remove/disable default accounts
  - Enforce MFA for admin access
  - Restrict admin access by IP allowlists where feasible
- Use HTTPS/TLS for all public web pages.
D.2 Patch and vulnerability management
- Monitor trusted sources for vulnerabilities affecting:
  - CMS, plugins, themes
  - Web server/OS packages
  - Admin tools and endpoints
- Apply security patches in a timely manner (target: within 30 days for high-risk issues, sooner if actively exploited).
- Perform vulnerability scans after major changes and periodically.
D.3 Script management and tamper prevention
- Maintain an inventory of all scripts that can execute in customer browsers on relevant pages.
- Only authorized scripts may be deployed.
- Review script inventory and changes periodically (recommended monthly).
- Implement technical controls where feasible:
  - Content Security Policy (CSP)
  - Subresource Integrity (SRI) for third-party scripts
  - File integrity monitoring and alerting
  - Web application firewall (WAF) or equivalent protections
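The script-inventory and SRI controls in 13.4 and D.3 reduce to a repeatable check: parse the scripts a payment-journey page loads and compare them with the authorized list. The Python below is an added example, not AlterHosting's own code or tooling; the inventory, the hpp.example-payments.test URL, the loader body, and the sample page are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_digest(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

# Constructed inventory of authorized scripts for the payment-journey pages:
# URL -> expected SRI digest, or None for a first-party script that is covered
# by file-integrity monitoring on the server instead of SRI.
HPP_URL = "https://hpp.example-payments.test/redirect.js"
HPP_LOADER = b"window.location.replace('https://hpp.example-payments.test/checkout');"
AUTHORIZED_SCRIPTS = {HPP_URL: sri_digest(HPP_LOADER), "/js/site.js": None}

class _ScriptCollector(HTMLParser):
    """Collect [src, integrity, inline_body] for every <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._inline = not a.get("src")
            self.scripts.append([a.get("src"), a.get("integrity"), ""])
    def handle_data(self, data):
        if self._inline:                # body of an inline <script>
            self.scripts[-1][2] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def review_page(html: str, inventory: dict) -> list:
    """Return findings for scripts that violate the authorized inventory."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity, body in p.scripts:
        if src is None:
            findings.append("inline script not in inventory: " + body.strip()[:40])
        elif src not in inventory:
            findings.append("unauthorized script: " + src)
        elif inventory[src] is not None and integrity != inventory[src]:
            findings.append("SRI missing or mismatched: " + src)
    return findings

# Constructed sample page: two authorized scripts, one unknown third party, one inline.
SAMPLE_PAGE = f"""<script src="/js/site.js"></script>
<script src="{HPP_URL}" integrity="{AUTHORIZED_SCRIPTS[HPP_URL]}" crossorigin="anonymous"></script>
<script src="https://cdn.unknown-analytics.test/track.js"></script>
<script>console.log("promo banner");</script>"""
```

Running review_page over each page in the payment journey on the monthly cadence in D.3 gives the review record, and any non-empty result is a change to authorize or investigate.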
D.4 Backups and recovery
- Maintain backups of critical website configuration and content.
- Test restoration periodically.
- Protect backups with access control and encryption where feasible.