Information Security Program
Company Policy Document
Version /20/2017

Certent Company Confidential

Table of Contents

1 Overview
  1.1 Terminology
  1.2 Acronyms
  1.3 Related Documents
2 Duty to Protect and Standards for Protecting Personal Information (201 CMR 17.03)
  2.1 Information Security Program (201 CMR Sec )
  2.2 Compliance Considerations (201 CMR Sec )
  2.3 General InfoSec Program Controls (201 CMR Sec )
    2.3.1 Designated ISP Manager (201 CMR Sec )
    2.3.2 Identifying and Assessing Risk (201 CMR Sec )
    2.3.3 Retaining, Accessing and Transporting Personal Information (201 CMR Sec )
    2.3.4 Disciplinary Actions for Violations (201 CMR Sec )
    2.3.5 Terminated Employee Access (201 CMR Sec )
    2.3.6 Third Party Service Providers (201 CMR Sec )
    2.3.7 Amount of Personal Information (201 CMR Sec )
    2.3.8 Definition of Records and Devices (201 CMR Sec )
    2.3.9 Physical Access (201 CMR Sec )
    2.3.10 Monitoring (201 CMR Sec )
    2.3.11 Review of Security Measures (201 CMR Sec )
    2.3.12 Incident Handling (201 CMR Sec )
3 Computer System Security Requirements (201 CMR 17.04)
  3.1 Authentication Protocols (201 CMR Sec )
    3.1.1 DM Platform Access Authorization
    3.1.2 EM Platform Access Authorization
  3.2 Access Control (201 CMR Sec )
    3.2.1 Network, Remote, Network Administrator and Database Access Controls
    3.2.2 DM Platform Access Control
    3.2.3 EM Platform Access Control
    3.2.4 Exceptions for Emergency Access
  3.3 Encryption of Transmitted Data (201 CMR Sec )
  3.4 Monitoring of Systems (201 CMR Sec )
  3.5 Encryption of Personal Information (201 CMR Sec )
  3.6 Firewall Protection and Operating System Security (201 CMR Sec )
  3.7 System Security Agent Software (201 CMR Sec )
  3.8 Employee Training and Education (201 CMR Sec )
    3.8.1 Security Awareness Training Program
    3.8.2 General Security Awareness Training
    3.8.3 Targeted Security Awareness Training
    3.8.4 Phishing Campaigns
4 Addendum
  Physical Security and Protection
  Data Center Locations
  Corporate Network Room Description
  Facility Security
  Environmental Protection
  Annual Vendor Review
  Asset Management
  Hardware Management
  Software Management
  Network and Application Security
  Protection of Data
  Accessibility
  EM Platform Application Security
  Security Related Testing
  System Protection
  Separate Environments
  Data Destruction: Active and Terminated Customers
  Hardware Maintenance
  Production Maintenance
  Disk Replacement
  Disk Destruction Vendor
  TCP/IP Ports and Protocols Utilized
  Software Escrow Account (Optional)
  System Hardening
  Database Servers
  Active Directory and Domain Name Service
  Web, Application and File Servers
  Cryptography
  Cryptography - EM Platform
  Cryptography - DM Platform
  SSL Certificate and Key Management
  Server Synchronization
  Patch Management
  Patch Management - EM Platform
  Patch Management - DM Platform
  Corporate, Development and Windows Test Machines
  Availability and Continuity
  General Availability
  Scheduled Releases
  Planned Maintenance
  Redundancy and Failover
  System Monitoring
  EM Platform Activity Auditing
  Audit Logs
  EM Platform Database Backups
  Website Monitoring
  Disaster Recovery and Business Continuity
  Backup of Data for Restoration
  Disaster Recovery - Production Database Server Failure
  Disaster Recovery - Full Production System Failure
  Business Continuity of Certent Offices
  Corporate User Systems
  Central Management of Systems
  Removable Media
  Password Management Policy
  Network Password Management
  DM Password Management
  EM Platform Passwords
  Incident Response
  Evidence Policy
  Evidence Preservation and Extraction
  Chain of Custody
  Cooperation with Law Enforcement
  Government Requests of Client Data

1 Overview

Certent's user-friendly, web-based technology streamlines equity plan management, financial reporting for ASC718, and SEC filings in XBRL and HTML. With technology based on in-depth accounting expertise, an open ecosystem of industry partners, and an expert services organization focused on customer success, Certent has helped more than 1,300 companies worldwide innovate their stock plan and external reporting processes.

Certent Equity Compensation Management simplifies and streamlines all the crucial aspects of your stock administration process. Certent improves productivity and tightens compliance with innovative software and a dedicated team of industry experts.

Certent Disclosure Management delivers greater control over your financial documents and eliminates manual processes. Data connectors and linking functionality across Word and Excel automate the flow of data. Our rightsourcing model allows you to choose the right level of service for your needs.

Certent respects the privacy and security of Customer Data. Certent has implemented several controls to provide sufficient security and protection of Customer data. These controls are reviewed annually by a Third Party as part of a SOC 1 Audit. The sections that follow describe the security measures Certent employs to ensure the privacy and availability of data to Certent Customers.

The Information Security Program described in this document is specifically intended to address the requirements of 201 CMR, Standards for the Protection of Personal Information of Residents of the Commonwealth (of Massachusetts). Additional information regarding Physical Security and Protection, Network and Application Security, Protection of Systems, and Availability and Continuity is provided in the Addendum of this document.

1.1 Terminology

Breach of Security*: The unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that can compromise the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

Electronic*: Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted*: The transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

OWASP Top 10: A list of the most dangerous security flaws in web applications. The list is considered an industry standard and is compiled by the Open Web Application Security Project.

Owns or licenses*: Receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person*: A natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information*: A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that Personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Record or Records*: Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Service Provider*: Any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

User Entity: A Certent Customer contracting with Certent to use the Certent Platform.

* - Descriptions as specified in the 201 CMR Standard.

1.2 Acronyms

CA    Certificate Authority
CS    Customer Support
CSR   Customer Support Representative
DM    Disclosure Management Application
DNS   Domain Name Service
EM    Equity Management Application
ISP   Information Security Program
MFA   Multi-Factor Authentication
PI    Personal Information
PII   Personally Identifiable Information
SaaS  Software as a Service
TTP   Trusted Third Party
VM    Depending on context, Virtual Machine or Vulnerability Management
WAS   Web Application Scan

1.3 Related Documents

Certent Acceptable Use Policy
Certent Business Continuity/Disaster Plan
Certent Incident Management Plan
Certent SOC 1 Report for the DM Platform
Certent SOC 1 Report for the EM Platform
Certent Risk Management Plan
201 CMR Standard: 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

2 Duty to Protect and Standards for Protecting Personal Information (201 CMR 17.03)

2.1 Information Security Program (201 CMR Sec )

This section covers the following topics:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.*

* - Descriptions as specified in the 201 CMR Standard

This Information Security Program is intended to minimally address the requirements of 201 CMR.

2.2 Compliance Considerations (201 CMR Sec )

This section covers the following topics:

Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, whether pursuant to section or hereof, shall be evaluated taking into account: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.*

* - Descriptions as specified in the 201 CMR Standard

Evaluation of Certent's compliance with 201 CMR should be considered in light of the following:

Size, Scope and Type of Business: Certent currently has approximately 180 Employees and provides Software-as-a-Service applications available over the internet in support of Equity and Disclosure Management.

Amount of Resources Available: Part of Certent's SaaS offering is a commitment to provide enough storage capacity to support the Customer's data requirements.

Amount of Stored Data: Certent provides a structure for storing data typically required for equity and disclosure management. The volume of data is Customer dependent.

Need for Security and Confidentiality: Certent respects the privacy and security of Customer Data and has implemented several controls to provide sufficient security and protection to Customer data. Customers are in control of what, if any, personal identifiers and level of personal information they decide to store in the Certent platform, except when required for the application to perform its function. Every attempt is made to ensure the security and privacy of Customer data as described in this document.

2.3 General InfoSec Program Controls (201 CMR Sec )

The sections below describe the core information security controls in place at Certent in support of 201 CMR.

2.3.1 Designated ISP Manager (201 CMR Sec )

This section covers the following topics:

Designating one or more employees to maintain the comprehensive information security program.*

* - Descriptions as specified in the 201 CMR Standard

Certent's designated ISP Manager is Vasanth Madhure. Vasanth is the Vice President of Technical Operations and Information Security. He has overall responsibility for InfoSec and Compliance.

2.3.2 Identifying and Assessing Risk (201 CMR Sec )

This section covers the following topics:

Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: a. ongoing employee (including temporary and contract employee) training; b. employee compliance with policies and procedures; and c. means for detecting and preventing security system failures.*

* - Descriptions as specified in the 201 CMR Standard

Certent's risk assessment process involves weekly management meetings to identify and monitor risks related to the Certent Platform. For any significant risks identified, management implements the appropriate measures to monitor and manage the risks. In addition, recurring risk management meetings are held involving all functional teams within Certent. Strategic issues affecting the overall business are presented and reviewed by the functional managers. The status of any outstanding risk is reviewed, and new risks are assigned an owner and prioritized; the management of the risks is discussed and agreed to. In addition, training requirements, employee compliance and potential security risks are reviewed, at a minimum, annually in conjunction with the SOC 1 Audits. Improvements to controls and the overall Information Security Program are considered and implemented as appropriate to ensure proper security of data in support of the audit and secure data business practices. More specifically:

Background Checks: Certent performs background checks as described below.

Permanent and Temporary Employees, Interns, Contractors, Consultants:
- Social Security Number Verification (SSNV)
- Social Security Fraud Detection
- National Sex Offender Registry Search
- 7-year criminal check (checks all residences included in SSNV results; includes all felonies and misdemeanors held in felony court)
- Employment Verification (last 5 years for up to 3 employers)
- Education Verification (highest level attained)

Any employee or temp who accesses Customer data, including Customer Support, IT and Quality Assurance, has an OFAC check (Office of Foreign Assets Control check for association with terrorism). All professional references are checked.

Partner Employees: Certent does not perform background checks, but encourages the partner company to perform the appropriate checks.

Ongoing Employee Training: All Certent employees are required to read the Certent Employee Handbook and to sign a confidentiality agreement when they are hired. The Handbook and Agreement stipulate that employees treat any Third-Party information as confidential and proprietary and not disclose it to any person, firm or corporation, or use it except as necessary in carrying out their work for Certent and the Third Party. All employees are required to attend Security Awareness Training annually. Certent employees are also encouraged to review the Certent SOC 1 Reports and Information Security Program (this document) annually. The SOC 1 Reports document the process for authorizing access to customer data, which the SOC 1 Audit verifies.

Employee Compliance with Policies and Procedures: Certent is not authorized to provide access to User Entity data without a proper request from an authorized User Entity contact. The relevant annual SOC 1 Audit is used to verify access was granted per procedure. Once Security Admin access is provided to the Customer, the Customer is responsible for authorizing and providing access to User Entity users desiring access to the Certent Platform.

Means for Detecting and Preventing Security System Failures: Means of monitoring for unauthorized access to Customer data include the vulnerability management scans, threat management and intrusion protection, which are reviewed on a weekly basis and additionally send alerts to the TechOps Team if attacks are detected. Refer to the Computer System Security Requirements section below for more detailed information.

2.3.3 Retaining, Accessing and Transporting Personal Information (201 CMR Sec )

This section covers the following topics:

Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.*

* - Descriptions as specified in the 201 CMR Standard

The Certent Platform is a SaaS offering where User Entities and authorized Certent employees access User Entity data via the internet. The data is accessible via the Certent Platform using a browser with HTTPS. Certent employees do not maintain or transport records containing personal information offsite. Refer to the Computer System Security Requirements section of this document for more information regarding the authentication, access control and encryption of data.

2.3.4 Disciplinary Actions for Violations (201 CMR Sec )

This section covers the following topics:

Imposing disciplinary measures for violations of the comprehensive information security program rules.*

* - Descriptions as specified in the 201 CMR Standard

Violations of the Information Security Program requirements are reviewed by the Certent Management team. Appropriate disciplinary action, including dismissal of the employee, is taken based on the seriousness of the situation.

2.3.5 Terminated Employee Access (201 CMR Sec )

This section covers the following topics:

Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.*

* - Descriptions as specified in the 201 CMR Standard

Access to the Certent Network and Facilities is removed immediately for terminated employees.
Facility and Network Access Authorization Forms with appropriate approvals are required for initial access when employees are hired. Upon termination, HR creates a helpdesk ticket to track the termination process. The TechOps group is responsible for collecting or disabling key cards and disabling access to the Certent network and resources. If the employee worked from a corporate office, the data and voice ports are disabled at the switch to reduce the risk of rogue devices being plugged in behind corporate firewalls.

2.3.6 Third Party Service Providers (201 CMR Sec )

This section covers the following topics:

Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such Third-Party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR.*

* - Descriptions as specified in the 201 CMR Standard

Third Parties that require access to the Certent Platform are only granted access if agreed to by the Customer. Third parties may optionally contract directly with Customers and are bound by the Customer/Third Party Agreement put in place. Third Parties may also be engaged by Certent, with disclosure to the Customer, and are bound by the Master Service Agreement in place between Certent and the Third Party. Certent Third Party Service Providers are required to sign a Master Service Agreement, which includes a Confidential Information section, before engaging in business with Certent. Certent also makes available the Certent SOC 1 Report as well as the Certent Information Security Program document (this document) to all Third Parties it partners with so they are familiar with their obligations regarding the security and privacy of Customer data.

Certent performs annual reviews of User Considerations as specified in Third Party Service Providers' SOC 1 Reports. Certent takes appropriate steps to mitigate any risk associated with the User Considerations.

2.3.7 Amount of Personal Information (201 CMR Sec )

This section covers the following topics:

Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.*

* - Descriptions as specified in the 201 CMR Standard

Certent provides robust platforms for Equity Compensation and Disclosure Management based on industry standards and requirements. Customers are in control of what, if any, personal identifiers and level of personal information they decide to store in the Certent platform, except when required for the application to perform its function. Retention of information in the Certent Platform for active Customers is up to the Customer. Upon termination, Customer information is removed from the production database 90 days after termination and from backup disk 365 days after that unless agreed to otherwise. Access to Customer information requires approval by the Customer and is limited to authorized users.

2.3.8 Definition of Records and Devices (201 CMR Sec )

This section covers the following topics:

Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.*

* - Descriptions as specified in the 201 CMR Standard

Customer Data and personal information can be stored on the Certent Platform and the Certent FTP site. All access to Customer data is performed via the Certent Platform using a browser with HTTPS, or via file transfers using FTPS. The Certent Platform does not require the use of laptops or portable devices for accessing or managing Customer data. However, in the event Certent Support needs to store Customer data on a laptop at the Customer's request, all laptops are encrypted. Storage of data on portable devices other than laptops is not allowed.

2.3.9 Physical Access (201 CMR Sec )

This section covers the following topics:

Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.*

* - Descriptions as specified in the 201 CMR Standard

The Certent Platform is a SaaS offering where User Entities and authorized Certent employees access User Entity data via the internet. The data is accessible via the Certent Platform using a browser with HTTPS. As such, physical records containing personal information are not generally maintained. However, in the event Certent Support needs to utilize hardcopy of Customer data at the Customer's request, documents are kept only long enough to complete the task at hand. Documents are locked away when the employee leaves their desk. Any document containing client information is discarded into locked boxes for shredding in accordance with the Certent Acceptable Use Policy. Certent uses a contracted third-party vendor to securely destroy documents using cross-cut shredding to ensure client data privacy.

2.3.10 Monitoring (201 CMR Sec )

This section covers the following topics:

Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.*

* - Descriptions as specified in the 201 CMR Standard

Certent Customer Support is primarily responsible for ensuring access to Customer data is authorized. To authorize User Entity access, the authorized User Entity contact e-mails the Certent Customer Support Representative (CSR). A Certent CSR verifies the request is valid, sets up the user entity access and provides a logon ID and temporary password to the requesting user. A Certent CSR is not authorized to provide access to User Entity data without a proper request from an authorized User Entity contact. The annual SOC 1 Audit is used to verify access was granted per procedure. The Support Organization reviews employee access to the EM platform on a quarterly basis.

Additionally, an Access Log is maintained documenting Certent employee network, EM and DM platform, office and Colocation access. The Director of TechOps reviews the log at least annually to verify that access is restricted to authorized personnel. Access reviews of Co-location data centers are conducted at least quarterly by the Director of Tech Ops or the InfoSec and Compliance Manager. Other means of monitoring for unauthorized access to Customer data include the vulnerability management scans, threat management and intrusion protection, which are reviewed on a weekly basis and additionally send alerts to the TechOps Team if attacks are detected. Refer to the Computer System Security Requirements section below for more detailed information.

The overall Information Security Program is reviewed on an ongoing basis. Upgrades to information and privacy safeguards may be initiated as business needs change, industry trends evolve, or new threats emerge. However, all security program policies and documents are reviewed at least annually as part of the SOC 1 Audit. Changes to controls are considered and implemented as appropriate to ensure proper security of data. Changes may also be prompted by changes in business practices, changes to infrastructure item configuration and/or Vendors, emerging threats, and issues or concerns raised by Customers and Prospective Customers.

2.3.11 Review of Security Measures (201 CMR Sec )

This section covers the following topics:

Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.*

* - Descriptions as specified in the 201 CMR Standard

Certent performs a review of the Information Security Program minimally in conjunction with the SOC 1 Audit. The SOC 1 Audit covers a twelve-month period. In addition, the Information Security Program is reviewed as needed when changes occur due to changes in business practices, infrastructure item configuration and/or Vendors, as well as issues or concerns raised by Customers and Prospective Customers.

2.3.12 Incident Handling (201 CMR Sec )

This section covers the following topics:

Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.*

* - Descriptions as specified in the 201 CMR Standard

If access to Customer data is confirmed to be breached beyond the Customer and Certent, the following actions are performed by Certent as documented in the Certent Data Security Incident Management Policy:

1. Immediately resolve the breach by removing, locking and/or blocking inappropriate access to re-institute security of Customer confidential data.
2. Notify the Customer of the unauthorized access to confidential data, including PII and/or Customer proprietary data, as soon as practicable (target of 1 business day) unless prevented from doing so by a law enforcement or regulatory agency. Notification will be via e-mail and phone.
3. Determine the extent of the breach by reviewing the Certent Platform and audit logs for evidence of log-ins, changes and deletions of data.
4. Provide the Customer with a summary of the extent of the security breach within 24 hours after the remediation of the breach.
5. Assist the Customer where possible in the development and execution of a plan to resolve any additional issues or concerns.
6. Review processes and controls to prevent similar incidents in the future.

3 Computer System Security Requirements (201 CMR 17.04)

3.1 Authentication Protocols (201 CMR Sec )

This section covers the following topics:

Control of user IDs and other identifiers.*
Reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices.*
Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.*
Restricting access to active users and active user accounts only.*
Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.*

* - Descriptions as specified in the 201 CMR Standard

Certent has created access levels to appropriately restrict access to systems and data by Certent personnel. The various types of access available to Certent personnel are listed below. Certent will only grant access to a specific named user. Access credentials should never be shared, and should only be used in accordance with the Acceptable Use Policy.

DM Platform User: A company level role which allows a Certent employee to access only the data of the company profile for which the role was granted. Requires approval from Support Management, or Director of TechOps.

DM Platform Administrator: Administrator level access to the EM Platform provided to Certent Customer Support. Requires approval from Support Management, or Director of TechOps.

EM Platform User: Access provided to user entities and Certent employees to access equity compensation data. Requires approval from Support Management, or Director of TechOps.

EM Platform System Administrator: Administrator level access to the EM Platform provided to Certent Customer Support. Requires approval from Support Management, or Director of TechOps.

Network: Basic network access to the corporate network for performing regular duties (e.g., e-mail, internet, shared file access) provided to all Certent employees. Access is given to employees by default.

VPN: Virtual Private Network required for remotely accessing Certent systems. Access is given to employees by default.

Network Administrator: Administrator level access to the Certent Corporate and Colocation Networks provided to the TechOps Team only. Requires SVP Engineering or Director of TechOps approval.

Database Administrator (DBA): Administrator level access to the EM platform database is provided only to approved members of the TechOps Team. Requires SVP Engineering or Director of TechOps approval.

3.1.1 DM Platform Access Authorization

The access authorization process implemented for the DM Platform is described below.

Certent Personnel Access Authorization: Certent personnel who require access to the DM platform are required to be formally assigned either Administrator or User roles based on their position. Certent employees do not have access to customer profiles in the DM platform until assigned access. Support Services is responsible for granting Certent employee access to customer profiles in DM once the employee is assigned to specific customers and approved by his or her manager.

Certent Personnel Access Disablement/Deletion: When Certent employees are terminated, HR initiates the Employee Termination process by notifying Support Services and TechOps personnel to revoke the employee's logical access to Certent systems, including DM, e-mail, the CRM system, and training resources. Termination notifications are sent via e-mail to all relevant departments to authorize and track revocation of both logical and physical access to Certent facilities, devices, and systems. TechOps personnel verify that network and building access has been removed within a day of notification. Service and Support verify that DM access is removed within a day of notification.

User Entity Certent DM Platform Access Authorization: For customer access, the assigned Account Manager at Certent works with the customer to determine the appropriate customer access required and communicates the required access to Sales Operations ("Sales Ops"). For customer access requests, Sales Ops either e-mails Support Services or submits a support case through the CRM system requesting that the access be set up. If customers contact Support Services directly, Support Services validates the appropriateness of the customer's request with Sales Ops prior to granting the customer's access. Once the access has been set up and a password has been automatically generated by the DM Platform, the DM platform automatically sends an e-mail to the new user with the login information. Certent employee access to customers in the DM Platform and customer access to DM is set up by Support Services, based on approval from authorized individuals, and is documented in the CRM system.

User Entity Certent DM Platform Access Disablement/Deletion: Customer requests for access removal are tracked in a support case. Once a case is received, Support Services removes the appropriate access and updates the support case. The client is automatically notified through the case. Customer access is removed from the DM platform within one day of the customer request.

DM Platform User Access Reviews: Support Services performs a quarterly review of employee access to the DM platform. The review confirms that access remains authorized and appropriate.

3.1.2 EM Platform Access Authorization

The access authorization process implemented for the EM Platform is described below.

Certent Personnel Access Authorization: To authorize administrator access to the network, the Certent Platform or the Certent Platform database, the hiring manager first submits a request. The Director of TechOps completes and signs the Access Authorization Form. If the hiring manager is the Director of TechOps, a secondary approval is not required. The Network Administrator sets up the access as authorized. Network administrator and Certent Platform database administrator access are restricted to authorized personnel. Access to the system administrator role within the Certent Platform is restricted to Service and Support and Quality Assurance. Any Certent employee in a production support role requires administrator access to the Certent Platform and database.

Certent Personnel Access Disablement/Deletion: When employees are terminated, the Office Manager notifies the TechOps Team to disable/delete the terminated employee's access, as applicable.
The TechOps Team disables/deletes the terminated employee s access and notifies the Office Manager. The TechOps Team completes and signs the termination portion of the Access Authorization Form to acknowledge that the terminated employee s access was disabled/deleted. User List Review The Director of TechOps reviews the network, remote, Certent Platform system administrator, network administrator, and Certent Platform database user access lists annually to verify that the access is restricted to authorized personnel. The Certent Company Confidential Page 18

19 Director of TechOps signs the User Access Audit Log to evidence the review performed. Network To authorize network, or remote access (as applicable), the Director of TechOps, TechOps Team, or hiring manager completes and signs the Access Authorization Form. The Network Administrator sets up the access as authorized. User Entity Certent EM Platform Access Authorization The Certent Service and Support and Quality Assurance are by default provided with stock option administrator (SOA) access as well as security/group administrator access to user entity level stock option system functions. Each user entity assumes responsibility for setting up and maintaining access within its own organization by requesting the Certent Service and Support Group to set up security/group administrator access for the entity. The user entity personnel with security/group administrator access are then responsible for the creation of SOA and lower roles for the given user entity. The security administrator and group administrator level access provides the user the ability to: 1. Add new users 2. Update user information 3. Grant additional user roles 4. Delete users 5. Unlock user access 6. Reset user passwords To authorize new or additional user entity security administrator or group administrator access, the authorized user entity representative s the Certent Service and Support Group. An Certent Service and Support Group member with the Certent Platform system administrator access sets up the user entity s security administrator or group administrator access and provides a logon ID and temporary password to the user entity personnel with the security/group administrator access via a telephone call. User Entity Certent EM Platform Access Disablement/Deletion To delete a user entity s security administrator or group administrator access, the authorized user entity representative or Corporate Officer notifies the Certent Service and Support Group. 
Upon notification, a Certent Services and Support Group member deletes the security administrator or group administrator access and confirms to the user entity by or updating the CRM request that the Certent Platform access was deleted. The end user access for user entity users is deleted by the respective user entity personnel with the security/group administrator access. Certent Company Confidential Page 19

3.2 Access Control (201 CMR Sec )

This section covers the following topics:

- Restrict access to records and files containing personal information to those who need such information to perform their job duties. *
- Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. *

* - Descriptions as specified in the 201 CMR Standard

Network, Remote, Network Administrator and Database Access Controls

Corporate

Network and remote access is restricted to authorized Certent personnel via local LAN or remote Virtual Private Network (VPN). Measures are in place to ensure network traffic is secure from Bridging, Multi-Homing, or Split Tunneling. Authenticating to the Certent corporate network requires a user to enter valid credentials. Remote and wireless VPN access requires MFA. User specific logins and passwords are utilized on all systems on the Network.

Password security parameters for the corporate network include the following requirements:

- Minimum password length: 12 characters
- Password expiration: 45 days
- Password history is maintained for 24 passwords
- Password complexity enabled
- Resets allowed: once per 24 hour period
- Account lockout after 5 unsuccessful logon attempts, with an automatic 30-minute reset

Production

Production access is restricted to authorized Certent personnel via Virtual Private Network (VPN) and requires multi-factor authentication. User specific logins and passwords are utilized on all systems on the Network. Measures are in place to ensure network traffic is secure from Bridging, Multi-Homing, or Split Tunneling.

Password security parameters for the corporate network include the following requirements:

- Minimum password length: 12 characters
- Password expiration: 45 days
- Password history is maintained for 24 passwords
- Password complexity enabled
- Resets allowed: once per 24 hour period
- Account lockout after 5 unsuccessful logon attempts, with an automatic 30-minute reset

Network and Database Administration

Network administrator access is restricted to the TechOps Team. Network Administrators are required to use a normal network account, separate from their Administrator access, for all non-administrative activity. Direct access to Certent Platform databases is restricted to the Database Administrators Team and requires multifactor authentication to log into the production environment. DBAs are required to sudo into Linux servers so that an audit trail can be maintained.

DM Platform Access Control

Password security parameters for the Certent DM Platform include the following requirements:

- Minimum password length: 8 alphanumeric characters
- Password complexity: requires uppercase characters, lowercase characters, and numbers
- Password expiration: 30 days
- Password history is maintained for 24 passwords
- Idle session time-out: set at the client and company level
- Account lockout after 6 unsuccessful log-on attempts, with an administrator reset required
- First login requires a password change

To access data provided by DM Excel customers via Secure File Transfer Protocol ("SFTP"), users need domain administrator access. Domain administrator access is limited to TechOps personnel. The DM platform allows users to be set up in the administrator role ("Admin"). The Admin can add and remove user access to the DM platform. Certent personnel are granted the Admin role upon authorized approval. DM Admin access is limited to authorized personnel. DM access is systematically enforced through group permissions and program logic. All Certent Customers access the same servers and all Customer data is stored in a single database instance (multi-tenant). Customer information is logically separated using a unique Customer identifier and access to Customer information is further protected based on roles. All data is encrypted using a Customer specific key. Access to the Certent DM Platform requires a user to enter a unique user ID and confidential password. Certent utilizes single-factor authentication with strong passwords as described previously. A user may access only the data for the company for which the user has been given access by Certent.

EM Platform Access Control

The Certent EM Platform is a SaaS offering where User Entities and authorized Certent employees access User Entity data via the internet. The data is accessible via the Certent EM Platform using a browser with HTTPS. Data can also be imported to the Certent EM database and output reports obtained using a Secure FTP client (e.g., CuteFTP). Certent EM Platform access is restricted to authorized Certent personnel and users authorized by the user entity. Certent EM Platform system administrator access is restricted to Certent Service and Support and Quality Assurance. Access to the Certent EM Platform requires a user to enter a user ID and password.

Password security parameters for the Certent EM Platform include the following requirements:

- Minimum password length: 10 alphanumeric characters
- Password complexity: requires three of the following four: uppercase characters, lowercase characters, numbers, special characters
- Password expiration: 45 days
- Password history is maintained for 24 passwords
- Idle session time-out: 45 minutes of inactivity
- Account lockout after 5 unsuccessful log-on attempts, with an administrator reset required

Upon successful logon, users are provided access to a drop-down list of companies for which the user has access. The user can only access company data to which they have been provided access. Passwords are encrypted in the database using an Oracle encryption algorithm scheme using AES256. All Certent Customers access the same servers and all Customer data is stored in a single database instance (multi-tenant). Customer information is logically separated using a unique Customer identifier and access to Customer information is further protected based on roles. Data encrypted includes User Passwords, Tax IDs and Broker Account Numbers.
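The password and lockout parameters in section 3.2 differ per environment (corporate network, DM platform, EM platform). The following added example, which is not Certent's code, encodes each set as data and applies it to a candidate password and to a sequence of logon attempts; the salted PBKDF2 format for the password history and the reading of the corporate "complexity enabled" setting as three of four character classes are assumptions of this example.

```python
"""Password parameters and lockout rules from section 3.2, encoded as data.

Added example, not Certent's code. The numbers come from the document; the
storage format of the password history (salted PBKDF2 digests) and the
reading of "complexity enabled" as three of four character classes are
assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Set
import hashlib
import string

CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    required_classes: FrozenSet[str]  # classes that must all appear (DM: upper, lower, digit)
    min_classes: int                  # minimum number of distinct classes (EM: three of four)
    expiry_days: int
    history_size: int
    lockout_threshold: int            # failed attempts before the account locks
    lockout_minutes: Optional[int]    # None: stays locked until an administrator resets it


# Parameters as stated in section 3.2 for each environment.
CORPORATE = PasswordPolicy("corporate network", 12, frozenset(), 3, 45, 24, 5, 30)
DM = PasswordPolicy("DM platform", 8, frozenset({"upper", "lower", "digit"}), 3, 30, 24, 6, None)
EM = PasswordPolicy("EM platform", 10, frozenset(), 3, 45, 24, 5, None)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted digest kept in the history list (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def classes_present(password: str) -> Set[str]:
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def check_new_password(policy: PasswordPolicy, candidate: str,
                       history: List[bytes], salt: bytes) -> List[str]:
    """Return the policy violations for a proposed password (empty list means accepted).

    `history` holds digests of the user's previous passwords, oldest first.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = classes_present(candidate)
    missing = policy.required_classes - present
    if missing:
        problems.append("missing required character classes: " + ", ".join(sorted(missing)))
    if len(present) < policy.min_classes:
        problems.append(f"uses {len(present)} character classes, policy needs {policy.min_classes}")
    # Only the most recent `history_size` digests count for the reuse check.
    if hash_password(candidate, salt) in history[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


@dataclass
class AccountState:
    password_set_at: datetime
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None


def record_logon(policy: PasswordPolicy, state: AccountState, success: bool, now: datetime) -> str:
    """Apply one logon attempt to the account and return the outcome.

    Outcomes: "ok", "denied", "locked", "admin_reset_required", "password_expired".
    """
    if state.locked_at is not None:
        if policy.lockout_minutes is None:
            return "admin_reset_required"
        if now - state.locked_at < timedelta(minutes=policy.lockout_minutes):
            return "locked"
        # The automatic reset window has elapsed: clear the lock and the counter.
        state.locked_at = None
        state.failed_attempts = 0
    if not success:
        state.failed_attempts += 1
        if state.failed_attempts >= policy.lockout_threshold:
            state.locked_at = now
            return "admin_reset_required" if policy.lockout_minutes is None else "locked"
        return "denied"
    state.failed_attempts = 0
    if now - state.password_set_at > timedelta(days=policy.expiry_days):
        return "password_expired"
    return "ok"


def admin_reset(state: AccountState) -> None:
    """Administrator unlock for platforms that have no automatic reset."""
    state.locked_at = None
    state.failed_attempts = 0
```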
Access to the Certent EM Platform requires a user to enter a unique user ID and confidential password. Certent utilizes single-factor authentication with strong passwords as described previously. A user may access only the data for the company or companies for which the user has been given access by Certent. After authenticating a user, Certent validates the user's access permissions. Certent then displays a series of pages and allows the user to select the role and company to access based on the access configured by Certent Customer Support. Authentication is re-validated on each page refresh per session variables. All page transitions are logged.

Exceptions for Emergency Access

The processes and controls outlined in section 3.2 govern the access Certent provides employees to controlled resources, platforms and Production environments. This section outlines the exception process in place for granting emergency access authorization for troubleshooting. If emergency access for a non-authorized employee is required, the following process shall be followed:

- An e-mail or help desk ticket is created to initiate the request.
  o If not initially made in a help desk ticket, the e-mail chain will be transferred to the help desk for tracking.
- The authenticity of the request will be confirmed through a phone call, IM, or manager, director, or VP confirmation.
- The request must include the business reason for the need.
- Emergency authorization to access the Production network, EM or DM platforms must be authorized by the Director of TechOps, or a member of the executive management team.
- If approved, the access will be granted for a time not to exceed 7 business days without further review and approval.
- The TechOps team is responsible for tracking the access and updating the ticket if the access should require early revocation.

3.3 Encryption of Transmitted Data (201 CMR Sec )

This section covers the following topic:

- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. *

* - Descriptions as specified in the 201 CMR Standard

Wireless Access: There is no wireless access to the Certent production system. Wireless connections in the corporate offices are segregated from the corporate network.

Protection of Data via Browser Access by User Entities: To protect against disclosure to third parties, the above website transmits data utilizing Hypertext Transfer Protocol Secure (HTTPS) using Secure Socket Layer (SSL) encryption which utilizes 256-bit encryption when communicating with Internet browsers. In addition, Certent uses trusted certificate authorities to assure user entities that the Certent Web Applications are authentic.

Protection of Data via File Transfer by User Entities: Customers can transfer Customer data to Certent as follows:

EM Platform: Customers can bulk import data into the Certent database using templates provided by Certent. Files being transferred to the system for upload can optionally be encrypted using PGP encryption and then transferred using Secure FTP. The import process requires that Customers use Secure FTP software (FTPs), such as the Globalscape CuteFTP product, to transfer files from their company to the Certent FTP site. Once the files have been transferred securely, they are automatically imported into the Certent database. Customers use the Certent Importer console to view the status of their data import activity.

DM Platform: Customers can transfer data to the Certent Platform for access by Customer Support as needed to support Customer requests. The import process requires that Customers use Secure FTP software (FTPs), such as the Globalscape CuteFTP product, to transfer files from their company to the Certent FTP site.

Protection of Data Transferred by Certent Employees: Certent employees have access to the Certent Network and Certent Platform as described in the Access Control Section of this document. The primary activities engaged in by Certent employees are accessing data and performing backups of data. Certent CS has access to User Entity data via the Certent Platform using a browser with HTTPS in the same manner as User Entities. Data files containing Customer data are made available to Customers by Certent CSRs via the FTP site. Backups of the production database at the PHX Colocation facility are written to backup disk. Disk backups are encrypted using 256-bit AES software encryption. Database backups are also copied nightly over the network (via VPN) from the PHX Colocation to the SAC Colocation, where they are stored on disk.

3.4 Monitoring of Systems (201 CMR Sec )

This section covers the following topics:

- Reasonable monitoring of systems for unauthorized use of or access to personal information. *


90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information

More information

ICT Security Policy. ~ 1 od 21 ~

ICT Security Policy. ~ 1 od 21 ~ ICT Security Policy ~ 1 od 21 ~ Index 1 INTRODUCTION... 3 2 ELEMENTS OF SECURITY CONTROL... 4 2.1 INFORMATION MEDIA MANAGEMENT... 4 2.2 PHYSICAL PROTECTION... 6 2.3 COMMUNICATION AND PRODUCTION MANAGEMENT...

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

Ferrous Metal Transfer Privacy Policy

Ferrous Metal Transfer Privacy Policy Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

PayThankYou LLC Privacy Policy

PayThankYou LLC Privacy Policy PayThankYou LLC Privacy Policy Last Revised: August 7, 2017. The most current version of this Privacy Policy may be viewed at any time on the PayThankYou website. Summary This Privacy Policy covers the

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

TRACKVIA SECURITY OVERVIEW

TRACKVIA SECURITY OVERVIEW TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times

More information

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION ASSET MANAGEMENT POLICY INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives

More information

Enterprise Income Verification (EIV) System User Access Authorization Form

Enterprise Income Verification (EIV) System User Access Authorization Form Enterprise Income Verification (EIV) System User Access Authorization Form Date of Request: (Please Print or Type) PART I. ACCESS AUTHORIZATION * All required information must be provided in order to be

More information

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance. Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV

More information

SDR Guide to Complete the SDR

SDR Guide to Complete the SDR I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

The following security and privacy-related audits and certifications are applicable to the Lime Services:

The following security and privacy-related audits and certifications are applicable to the Lime Services: LIME SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: September 26, 2016 FinAccel s Corporate Trust Commitment FinAccel (FinAccel Pte Ltd) is committed to achieving and maintaining the trust of our customers.

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

Watson Developer Cloud Security Overview

Watson Developer Cloud Security Overview Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for

More information

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo. Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third

More information

7.16 INFORMATION TECHNOLOGY SECURITY

7.16 INFORMATION TECHNOLOGY SECURITY 7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for

More information

Customer Proprietary Network Information

Customer Proprietary Network Information Customer proprietary network information (CPNI) means information that relates to the quantity, technical configuration, type, destination, location, and amount of use of our service by you and information

More information

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more. FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. December 2018 Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy

More information

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...

More information

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification University of California UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification UCOP Implementation Plan for Compliance with Business and Finance Bulletin

More information

State of Colorado Cyber Security Policies

State of Colorado Cyber Security Policies TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief

More information

Moat Analytics MSA Data Processing Addendum

Moat Analytics MSA Data Processing Addendum Moat Analytics MSA Data Processing Addendum 1. Scope, Order of Precedence and Term 1.1 These additional data privacy terms (the Data Processing Addendum ) apply to Oracle s Processing of Personal Data

More information

IBM Security Intelligence on Cloud

IBM Security Intelligence on Cloud Service Description IBM Security Intelligence on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

Security Information & Policies

Security Information & Policies Security Information & Policies 01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

Cloud FastPath: Highly Secure Data Transfer

Cloud FastPath: Highly Secure Data Transfer Cloud FastPath: Highly Secure Data Transfer Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. Tervela has been creating high performance

More information

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM END USER SECURITY POLICY MANUAL 1 INTRODUCTION... 3 2 INFORMATION USAGE AND PROTECTION... 3 2.2 PROTECTED HEALTH INFORMATION...

More information

Data Compromise Notice Procedure Summary and Guide

Data Compromise Notice Procedure Summary and Guide Data Compromise Notice Procedure Summary and Guide Various federal and state laws require notification of the breach of security or compromise of personally identifiable data. No single federal law or

More information

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110 Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information