IT - General Security

Scope

The following sections define policy and assign responsibilities for ensuring adequate levels of protection for FulcrumWay Information Technology facilities, computer systems, data, networks, and other related IT components.

Policy

This security policy applies to all Fulcrum Information Technology, Inc. (FulcrumWay) employees including permanent, temporary, and part-time employees, contractors, third party service providers, and all other authorized users of any FulcrumWay electronic communications system.

Facility Physical Access Controls:

• Key locks limit physical access to facilities used to store or maintain sensitive information and electronic communications resources.

• Physical access to the computer room is controlled by
– Key assignments
Currently the roles authorized to access the server rooms are: Chief Security Officer (CSO), IT Administration (ITA), Data Center Manager, VP Client Manager, and a representative of the third-party technical support provider (eLevel, approved by the CSO). The CSO or ITA must authorize the issuance of keys to the server room.
– Access logs
o Any new or unfamiliar visitor's identity must be verified before access to the computer room is granted, and an authorized FulcrumWay employee must initially accompany them.
o Everyone entering the Data Center, including the ITA, must sign in and out using the Data Center logs.

• Employee termination procedures performed by HR include the retrieval of card keys, door keys and passwords. HR returns server room keys to the ITA. After notification, the ITA will inactivate or modify IDs and passwords as appropriate.

Environmental Controls:

• FulcrumWay ITA is responsible for executing appropriate measures for the prevention, detection, early warning of, and recovery from emergency conditions.

• Data Center Manager personnel responsible for each area have operating manuals and/or guidelines for the following applicable environmental equipment.
– HVAC and controls, including temperature.
– Fire Suppression (Gas/Water) equipment and controls, including fire extinguishers.
– Uninterrupted Power Supply systems and controls.

Environmental Equipment Maintenance Records:

FulcrumWay facilities are inspected regularly by the responsible official or vendor to ensure equipment checks and preventive maintenance are performed as stated in Service Level Agreements (SLAs), vendor contracts, or equipment requirements. A record of inspection for each environmental system is readily available for review. Inspection records may consist of tags, charts taped to or placed next to equipment, or other means of indicating that inspections were completed. The building manager maintains all records of local Fire Marshal inspections.

Facility Inspections:

The ITA inspects the corporate offices on a random basis to ensure that computers, electronic equipment, software and data are physically secure. Any deficiencies and concerns are communicated to the CSO and the Data Center Manager.

Technology Components:

The ITA of FulcrumWay Information Technology directs the use and network configuration of Internet access, e-mail, workstations, and portable computing within the corporation. The Data Center Manager is responsible for voice, phones (including wireless), voice-mail and fax.

FulcrumWay Information Technology is protected at a level commensurate with the sensitivity of information processed, stored, or transmitted. Specifically:

• FulcrumWay information and Information Technology are treated as corporate assets.

• Personal use of FulcrumWay computer resources, including client-server resources, is not authorized except as described in other corporate policies.

• Access to sensitive information and Information Technology is based on business needs.

The sensitivity of information will be evaluated and classified according to the following sensitivity attributes:

Confidentiality
Data confidentiality pertains to the degree to which data must be protected from unauthorized disclosure.

Integrity
Data integrity pertains to the degree to which data must be protected from unauthorized alteration or destruction.

Availability
Data availability pertains to the degree to which data must be protected against loss of use.

Sensitive information is appropriately protected from unauthorized modification, destruction, or disclosure, whether accidental or intentional, through the use of appropriate technical, administrative, physical and personnel controls.

Security Controls

• Controls are based on an assessment of risks. Risk assessments may be quantitative or qualitative.

• Security awareness is developed and implemented to ensure that users of Information Technology know and understand their responsibilities for the protection of FulcrumWay information resources.

• All instances of actual or suspected fraud, waste, abuse or other wrongdoing relating to IT security are reported to the CSO.

IT Administration

The ITA establishes, maintains and directs the implementation of corporate-wide Information Technology (IT) security to ensure that FulcrumWay Information Technology is adequately protected. IT security reflects applicable state and federal laws and regulations as well as other FulcrumWay corporate policies.

Disciplinary Action

Employees who willfully or knowingly violate or otherwise abuse the provisions of this policy may be subject to disciplinary action. Any disciplinary action is administered in accordance with applicable laws and regulations, including other corporate policies.

Responsibility

The ITA is responsible for

• Implementing and operating Information Technology installations under IT control in accordance with FulcrumWay security policies, standards, and procedures.

• Reviewing physical maintenance records and performing inspections on a random basis.

• Ensuring that security policies are consistent with policies issued by applicable regulatory agencies.

• Acting as the corporate liaison for Information Technology security matters.

• Establishing and overseeing the management control process to ensure that appropriate technical, administrative, physical, and personnel controls are incorporated as appropriate.

• Promoting security awareness and providing security training for FulcrumWay personnel and others who use FulcrumWay Information Technology.

• Coordinating with FulcrumWay staff and vendors/contractors to ensure that appropriate IT security requirements are included in contracts that involve the acquisition of Information Technology components, applications systems, or related services.

• Conducting periodic security assessments to ensure that corporate computer and communications systems are in compliance with applicable security policies, standards, and procedures.

• Advising appropriate personnel of issues and problems relating to Information Technology security that are not being satisfactorily addressed within IT or the company as a whole.

• Recommending that implementation of any proposed changes to the FulcrumWay information processing environment not meeting security requirements be deferred until security deficiencies have been addressed.

• Reporting to the CSO or appropriate manager any known or suspected instances of misuse of corporate Information Technology or resources.

Users of FulcrumWay Information Technology are responsible for

• Using FulcrumWay for lawful and authorized purposes only.

• Protecting Information Technology and the information processed, stored, or transmitted by them by complying with this policy and related applicable policies, standards, and procedures.

• Promptly reporting to their supervisor or IT management any known or suspected unauthorized use of electronic information communications or other misuse of information or information resources.

• Reporting all instances of actual or suspected fraud, waste, abuse or other wrongdoing relating to Information Technology security to the ITA in accordance with FulcrumWay policy.

Distribution

CSO – Chief Security Officer

• Responsible for securing FulcrumWay's information and data in both physical and digital form. The CSO directs staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, and personal risk; establishes appropriate standards and risk controls associated with intellectual property; and directs the establishment and implementation of policies and procedures related to data security.

ITA

The ITA establishes, maintains, and directs the implementation of corporate-wide Information Technology (IT) security to ensure that FulcrumWay Information Technology is adequately protected. IT security reflects applicable state and federal laws and regulations as well as other FulcrumWay corporate policies. ITA personnel have multiple roles relevant to their areas of expertise.

• Network Administrators – Responsible for maintaining hardware and software comprising the networks. This includes the deployment, configuration, maintenance and monitoring of active network gear: switches, routers, firewalls, etc.

• Database Administrators – Responsible for managing and maintaining the databases, including database backup and restore.

• Application Administrators – Responsible for configuration and maintenance of applications. Also responsible for upgrades, patching and data migrations of applications.

• Security Analyst – Responsible for implementing security policies as per company guidelines.

Internal Audit

• The internal auditor is responsible for applying a systematic methodology to analyze business processes or organizational problems and recommend solutions; for auditing and reviewing the efficacy of operations, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations; and for reviewing Data Center policies and approving changes to them.

Data Center Manager

• Responsible for overall management and maintenance of the Data Center.

VP Client Manager

• Responsible for client data residing in the data center. Coordinates management of client data with the ITA personnel responsible for maintaining it. Responsible for onboarding client data and for releasing client data on termination of the contract.

Users of FulcrumWay Information Technology

Ownership

The Information Technology Administrator is responsible for ensuring that this document is necessary and that it reflects actual practice.

FulcrumWay Cyber Security FAQ

Security Policy and Organization

1. Are security requirements explicitly detailed in the service contract, including an Incident Response/Threat Management process and Security Vulnerability Management process? Yes

2. How do you ensure that the security policy, standards and procedures are current? We regularly review and update our policies and procedures to reflect our current environments and our clients' needs.

3. How often are risk assessments performed? Annually or more often if needed

4. Please provide a clear definition of roles and responsibilities for security within the organization structure. See Security Policy

Personnel Security

1. Do you employ comprehensive employment contracts including a confidentiality clause, reference to security responsibilities, penalties/disciplinary proceedings for non‐compliance, etc.? Yes

2. Do you regularly review staff compliance for security responsibilities and other legal and regulatory requirements? Yes

3. Do you have adequate backup of all key roles and responsibilities? Yes

4. Is a regular review of system access rights conducted? Yes – quarterly

5. Are automated expiration dates for contractor sites and system access used? Yes

6. Do you perform detailed background checks on employees with access to sensitive / customer information? Yes

Physical Security

1. Is access controlled at all times? Yes

2. Is all access recorded and authorized by designated management? Yes

3. Is all visitor access authorized, justified and supervised? Yes

4. Do you use 24x7 on‐site security guards? Yes

5. Is CCTV monitoring of external perimeter and external access points used? Yes

6. Is access to the computer room(s) restricted? Yes

7. How do you protect the computer room(s) against: See Attached Disaster Recovery Plan from The Planet
a. Water
b. Fire
c. Power surge
d. Power loss

Media and Data Security Disposal

1. Please provide your policy on the classification and safe handling of third party (e.g. CLIENT) data. All access to data is through the application. Access to the application is restricted to authorized CLIENT users of the application. This access can be controlled by CLIENT-identified administrators, who provision access to users and set up roles for access to the application data.

2. Describe your methods of permanent physical data erasure and destruction. We reformat the drives using BIOS-level tools.

3. Please describe your system backup and data retention policy with regards to third party data. We have a variety of backups available to meet our clients' needs. GRC Monitor is backed up nightly. World‐class data centers provide the infrastructure and support necessary to manage your data protection needs and easily accommodate your requirements.

4. Will computing and storage resources be shared or dedicated to CLIENT? FulcrumWay GRC Monitor will store CLIENT's data in a SEPARATE schema which cannot be accessed from other hosted customers. Only authorized application users and administrators from CLIENT will have access to retrieve this data.

5. Describe your policy and procedure for customer notification in the event of significant security events. Email notifications are sent to a distribution list whenever there is a system outage, maintenance or upgrade. We can include a list of CLIENT users in the email distribution list.

6. How long are system logs and audit trails maintained? The client can retain the logs as long as needed.

Platform Security

1. Describe your user account and password policies for:
a. Local users
b. Privileged users
c. External users (CLIENT)

Access to the application is through privileged users who are provisioned through the application's user administration functionality. Passwords are a minimum of 7 characters and must contain a mix of numbers and letters. Users cannot reuse a previous password, and after 3 failed attempts the account is locked out. Administrators set the initial password, but users must change it when they log in for the first time.
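As an added illustration, not FulcrumWay's code, the account rules stated above (minimum 7 characters with letters and digits, no password reuse, lockout after 3 failed attempts, an admin-set initial password that must be changed at first login) together with the admin unlock function mentioned under Application Security, expressed as a small policy enforcer. The `Account` class, the PBKDF2 hashing and the constructed sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 7           # policy: passwords are a minimum of 7 characters
MAX_FAILED_ATTEMPTS = 3  # policy: account locked after 3 failed attempts


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored history never holds plaintext (example choice)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def meets_complexity(password: str) -> bool:
    """Minimum 7 characters with at least one letter and one digit."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, hash) of every password set
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True  # admin sets the first password; user changes it at first login

    def _matches_previous(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def set_password(self, password: str, by_admin: bool = False) -> str:
        if not meets_complexity(password):
            return "rejected: complexity"
        if self._matches_previous(password):      # "users cannot use the same password again"
            return "rejected: reuse"
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(password, salt)))
        self.must_change = by_admin               # admin-set passwords are one-time
        return "ok"

    def login(self, password: str) -> str:
        if self.locked or not self.history:
            return "locked" if self.locked else "denied"
        salt, stored = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0                  # successful login resets the counter
        return "must_change" if self.must_change else "ok"

    def admin_unlock(self) -> None:
        """Unlocking is an administrator function, as stated in the FAQ."""
        self.locked = False
        self.failed_attempts = 0
```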

2. Describe your policy for creating a secure system with regards to:
a. Default accounts
b. Default passwords
c. Unused applications / ports

All default accounts are disabled and new administrator accounts are created. These accounts are also segregated by system administration functions and application maintenance functions. All unused applications are uninstalled and all ports are closed except authorized ports (implicit deny policy for ports). All default passwords are changed.

3. Do you use Anti‐virus, spyware, IPS/IDS, and spam protection? Yes

4. Do you have configuration management techniques and policies in place? Yes

Application Security

1. Do you use a separate audit log server for the applications? (Optional)

2. Describe your policy for application accounts with regards to:
a. Multi‐factor authentication ‐ (Optional)
b. Encryption for authentication ‐ Yes
c. Lockout following # of failed attempts ‐ Yes
d. Unlocking of locked out accounts ‐ Yes (Admin Function)
e. Disabling of inactive accounts ‐ Yes

3. Are backups of application data encrypted? ‐ (Optional)

4. How are application vulnerabilities identified, tracked, and mitigated? FulcrumWay has its own ticketing system in which application vulnerabilities are logged with the highest severity, tracked and mitigated. These vulnerabilities are reviewed and security policies updated to eliminate recurrence of these vulnerabilities.

Network Security

1. Briefly describe your existing Firewall infrastructure with regards to:
a. Use of DMZs Yes
b. Redundant clustered Firewalls Yes
c. Stateful inspection technology Yes. The firewall uses SPI
d. Access control ‐ Managed by authorized data center manager
e. Change management ‐ Managed by authorized data center manager
f. Default‐Deny policy ‐ There is an implicit deny rule for all incoming traffic, meaning that if there is no explicit rule allowing traffic, it is denied.

2. Do you use routers that enforce ACLs? Yes

3. Will specific firewall rules be implemented for CLIENT's activity? Yes

4. Do you use host based and network based IDS / IPS systems? No

5. Who will be responsible for incident escalation and notifying CLIENT in the event of a security breach? Technical Account Manager.