Written Information Security Policy
V2Incentives
Overview
The security coordinator oversees the development and implementation of the Firm’s cybersecurity controls in conjunction with a third-party consultant(s). The security coordinator utilizes the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”) to help guide the development of the information security program.
The Firm’s Written Information Security Policy (“WISP”) establishes practices, requirements, and responsibilities for the protection of and prevention against the misuse and/or loss of the Firm’s information assets, establishing the basis for self-assessments, and preserving the Firm’s options and legal remedies in the event of asset loss or misuse. The WISP also defines the specific information security roles necessary to reasonably implement the Policy. The Firm’s view is that its information assets (including its file network and any sensitive data stored therein) should be protected from unauthorized use, disclosure, modification, destruction, or misrepresentation. Accordingly, the Firm has implemented several information security controls (including technical means, processes, standards, and practices) to ensure that data is not compromised.
The primary information security objectives of the Firm are as follows:
- Ensure employees have appropriate and authorized access to the Firm’s information and assets.
- Ensure employees understand their responsibilities and duties regarding information security.
- Ensure that appropriate security controls are implemented and reasonably effective.
- Ensure compliance with the established security policies.
- Ensure all deviations from security policy (including unauthorized access attempts) are monitored, detected/reported, documented, and escalated, as appropriate.
Scope
The WISP applies to each of the Firm’s systems and devices as well as all employees.
The primary purpose of the WISP is as follows:
- Document the current state of the Firm’s information security stance.
- Provide a framework for any new or modified information security policies.
- Establish a process to document, track, monitor, and review information security incidents and/or breaches.
- Establish a process to document access requirements to the organization (including third-party access).
Policies & Controls
Acceptable Use
See the Firm’s Acceptable Use Policy for details.
Access Controls and Account Management
Access Control Policy
An access control policy outlines appropriate access control rules as well as access rights and restrictions for specific user roles, with the level of detail taking into consideration associated information security risks.
Access controls can be both logical and physical, and the Firm considers both when granting permissions to users, including employees, contractors, consultants, temporary workers, and other workers (collectively, “Users”). Users and third-party vendors should be given a clear statement of the requirements to be met as it relates to their corresponding access controls.
1. Access Control: The Firm’s applications and file network (“Systems”) authenticate the identity of users using unique usernames and passwords. These Systems have defined complexity, length, change schedule, reuse/history, session timeout, maximum login attempts, lockout handling, and logon limit requirements. Access to Systems should follow the principle of least privilege. The Firm controls access with the following measures:
a. A limit of successive incorrect logons will be enforced, and an automatic account lock will be enabled.
b. Time and date of logons and account changes will be appropriately recorded and monitored.
c. Network and information systems sessions remain locked for a predetermined time or until the user re-establishes access through an established authentication procedure (generally by contacting the security coordinator and/or NetProtect).
d. The Firm will establish appropriate restrictions around remote access, wireless access, and mobile devices.
2. Reauthorization of Access Privileges: System privileges granted to Users should be re-evaluated by the security coordinator (or his designee) annually to determine whether currently enabled access rights are required to perform their then-current job duties/responsibilities.
3. Inactive Account Maintenance: Inactive usernames should be either removed or disabled by NetProtect (in conjunction with the security coordinator (or his designee)), as appropriate.
4. Unique Username and Password Required: Users are required to have a unique username and password for access to the Firm’s Systems. See the Firm’s Password Policy for information about the Firm’s password guidance, recommendations, and/or requirements.
5. User Accountability: Users are accountable for all activities associated with their individual username and password. Users must not share their personal login credentials with any other person or any third parties.
6. Access Control System Logging: Access control systems should be configured to capture and maintain the following (where feasible and applicable):
a. The creation date for every username
b. Date and time of the last login for every username
c. Date and time of the last logoff for every username
d. Date and time of the last password change for every username
e. An expiration date for every username that represents the last date that the username is active for use.
f. Details of additions/changes to the privileges for individual usernames
7. Third Party Access: Any requests from third parties for independent access to the Firm’s networks or proprietary data must be forwarded to the security coordinator. Only the security coordinator may respond to such access requests.
Account/Credentials Management Policy
Accounts give users access to the Firm’s systems, file network, and data. The Firm differentiates between multiple categories of accounts, including standard user accounts and administration accounts. Each category will have specific requirements regarding usage and responsibilities.
1. User Accounts – Employees who have standard user accounts are responsible for familiarizing themselves with and complying with the WISP and other applicable Firm policies, procedures, and standards associated with the use of Systems and devices (including Firm-provided laptops as well as mobile devices (e.g. phones, tablets) (collectively, “Devices”)) associated with such user account.
2. Administrator Accounts – Users who have administrator accounts bear responsibility for the security of the Firm’s IT assets and information (in conjunction with NetProtect).
Management of an account includes its establishment, suspension, termination, and removal. Each account should be assigned the minimum required privilege level for effective business operations. If unauthorized access is detected, the event should be reported to the security coordinator immediately to determine appropriate next steps.
1. Access Credentials – Users establishing login credentials to be used for third-party websites/service provider portals (“Portals”) should comply with the Firm’s existing policy guidelines, recommendations, and/or requirements for secure passwords (see the Firm’s Password Policy).
a. This includes avoiding using the same passwords for these Portals as those used for the Firm’s accounts.
2. Management Reporting – In the event sensitive or confidential data/information will be stored with a new third party, the security coordinator (or his designee) should be notified about the details of the account being established and the type(s) of data being stored.
Anti-Virus/Anti-Malware Software
Where possible, all Systems and Devices, whether connected to the Firm’s network or standalone, are equipped with Firm-approved anti-virus and anti-malware software. The software deployed by the Firm includes: WebRoot
Anti-virus and anti-malware software updates are to be pushed automatically to all non-server Systems (including workstations, tablets and laptops).
If Users detect malicious code or content on Firm Devices, they should report this information to the security coordinator (or his designee) as soon as possible so that further investigation may be performed. The security coordinator (or his designee) will work in conjunction with NetProtect to determine the appropriate next steps.
Firm Systems
Cloud Services
To maintain rigor regarding data privacy and access standards within the Firm, cloud-based services (including online backup) may only be used with the permission of the security coordinator (or his designee). The list of cloud services permitted within the organization is maintained by the security coordinator and/or NetProtect. Additional security controls may be required when using cloud services (including additional encryption and/or tokenization methods).
Firm E-mail
Users are granted access as appropriate to the Firm’s e-mail system. E-mail communications written or viewed using the Firm’s resources (including those of a personal nature) are deemed to be the Firm’s property. Users acknowledge that certain members of the Firm have the right to access, obtain, and review all e-mails, including personal e-mails that users send or receive through the Firm’s Systems. Users expressly consent to such monitoring and review of all e-mails by these members of the Firm.
All e-mails and attachments sent from, received by, or processed on the Firm’s e-mail systems will be retained in a searchable archive for at least 2 years and may be subject to inspection by regulatory bodies or law enforcement. This archive will include e-mail messages deleted from user mailboxes.
Inbound e-mail is generally acknowledged to be the greatest potential source for malicious content. The Firm deploys an upstream anti-spam service designed to catch most phishing attempts before there is a chance that they can reach the Firm’s internal network. Through the upstream anti-spam service and other technical methods, the Firm reserves the right to block certain e-mail messages and attachments to protect the Firm’s infrastructure from malicious attack attempts.
Although the Firm utilizes and continues to adopt technologies to secure the messaging platform, Users should not open attachments, click on links, execute macros, or download files from unknown or suspicious sources.
Users are strictly prohibited from using personal e-mail (e.g. Gmail, Yahoo) for any Firm business purpose. All Users should be aware that, in the past, both regulatory and law enforcement agencies have subpoenaed individuals’ personal e-mail correspondence during examinations and/or investigations.
Instant Messaging
Instant messaging is archived on an ongoing basis and is subject to review by the security coordinator (or his designee). Users may not, under any circumstances, use instant messaging software that has not been approved by the security coordinator and installed by NetProtect to send or receive correspondence directly or indirectly related to the Firm and its business.
Desk Telephones & Voicemail
Firm telephones should generally be used for business purposes only. However, the Firm understands that incidental personal use will occur. Users should not record messages containing sensitive Firm information on answering machines or voicemail systems. Users are discouraged from saving voicemail messages as .wav files and sending them via e-mail.
Mobile Devices
Certain mobile devices owned by Users (i.e., BYOD) are granted access to the Firm’s Systems or networks. Although the Firm does not own these devices, Users should nevertheless adhere to the criteria of this policy. The owner of such a device understands that by connecting an employee-owned device to Firm Systems or networks, he or she is agreeing to allow the Firm to access, monitor, and, as necessary, erase information from these devices without notification to, or prior written consent of, the owner.
All mobile devices accessing Firm e-mail should have a Firm-approved mobile device management solution installed and configured.
Users should safeguard their mobile devices from theft by always keeping them in a secure place, and they should promptly report lost, stolen, or damaged mobile devices to the security coordinator (or his designee). Additionally, all mobile devices should “lock out” or “reset” if an incorrect password is entered more than 10 times in a row.
Removable Media
Removable media (including but not limited to recordable media and USB-attached drives) should not be connected to or used in computers or laptops provided by the Firm without explicit permission from the security coordinator (or his designee). This policy is established to reduce the risk of virus/malware infection spread through this entry point and to minimize the risk of loss or exposure of sensitive or personally identifiable information.
Device, Software, Data, and Media Destruction
At the end of the life of all Devices, sensitive data should be properly erased, destroyed, or otherwise made unreadable. This action should be performed to ensure that appropriate measures are taken to comply with software license agreements and non-disclosure agreements, in addition to keeping critical and/or confidential information (including personally identifiable information) safeguarded. Repurposed Devices should have hard drives removed and destroyed before reuse.
Prior to disposal, donation, recycling, or destruction of any Device, the security coordinator (or his designee) and/or NetProtect shall validate that sensitive data has been completely removed. If a third-party provider will be engaged for destruction purposes, pre-approval from the security coordinator (or his designee) is required.
Encryption
Encryption technology is used within the Firm to keep data secure both in motion (transmission security) and at rest. As appropriate to the data and access being protected, strong encryption technology shall be used on all laptops and portable computing devices. Users must not include non-public/sensitive personal information in unencrypted emails sent outside of the Firm’s network.
The e-mail servers are configured to use opportunistic TLS (Transport Layer Security) to provide a transparent encryption process when email is exchanged between servers configured appropriately. Internet-facing systems that require credentials for access are configured to use HTTPS. Where possible and appropriate, HTTPS should be used when accessing critical or sensitive data.
Incident Response
The Firm’s Incident Response Plan is established to coordinate a response to information security-related events. This includes phases of discovery/detection, initiation, escalation, reporting, and remediation appropriate to the type of event that occurs, including malware attacks, data egress/loss or misuse, or specific activities that contradict this Policy.
Any suspected events that compromise the Firm’s information security or are known to violate this Policy should be reported to the security coordinator (or his designee). Examples of these events include:
- Any unauthorized use of Devices
- Loss or theft of endpoints or devices
- Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed.
- Unusual System behavior, such as missing files, frequent crashes, and/or misrouted messages
- Suspected or actual disclosure of sensitive information to unauthorized third parties
To ensure that sufficient data exists for analysis when a security event occurs, logging should occur on the following:
- Authentication systems
- Networking equipment (including firewalls, switches)
Security logs (including executive reports and access logs) are analyzed periodically by NetProtect. These logs may include changes seen on Active Directory, File, Exchange, and SQL Servers and may require further investigation. Users should report any anomalies in System performance to the security coordinator (or his designee). Executive reports produced by NetProtect should be reviewed by the security coordinator on at least a quarterly basis.
See the Incident Response Plan for additional details.
Monitoring of Devices
The Firm reserves the right to monitor and ensure the appropriate use of Firm Devices in a manner consistent with all applicable laws (including national, state, and local jurisdictions). These actions may include periodic assessments of software use, unannounced inspections of the Firm’s endpoints and mobile devices, monitoring of website visits and network traffic, and the removal of any software found on Firm Devices for which a valid license or proof of purchase cannot be located or is determined to be inappropriate. Users should be aware that their internet activity while using the Firm’s Devices may be monitored and recorded. This information may include websites visited, files downloaded, time spent on the internet, and related information.
Any source may be appropriate for monitoring activity, including, but not limited to:
- Authentication logs
- Network Activity logs
- Intrusion Detection/Prevention logs
- Application logs
- Network vulnerability assessment logs/reports
- Backup/recovery caches and logs
- Forensic images created for investigative purposes.
As needed, these sources could be used within the context of the investigation of a security event for incident response purposes.
The Firm reserves the right to limit access to any program, service, or capability accessed through the Firm’s network or via Firm Devices that is deemed to pose a threat to information systems, violate any internal policy, or impact User productivity.
Websites
Users may not publicly disclose non-public Firm information to any website, including blogs, newsgroups, social media, or other forums, without prior approval from the security coordinator (or his designee).
The ability of Users to access a particular website does not mean that use of such website is permitted. The Firm may, in its sole discretion, restrict or block websites and the downloading of information or file types.
Network Access
The Firm’s network provides an access vector to its confidential and business-critical information and assets. Only computer/laptop equipment with express authorization to be connected to the Firm’s network should be given appropriate access. All other equipment requires advance approval by the security coordinator (or his designee) before it is installed or connected. In many cases, installation by NetProtect (under the direction of the security coordinator (or his designee)) will be required.
Patch Management & System Updates
Applications and/or systems connected to and/or which are part of the Firm’s network shall be patched on at least a weekly basis to maintain the Firm’s security stance and provide ongoing protection. Critical security patches shall be installed (after appropriate testing) as needed after being released by the vendor. Other patches (not designated as critical by the vendor) may be applied on at least a weekly basis.
This policy applies to all equipment, including computers, laptops, network equipment, mobile devices, and third-party systems.
Personally Identifiable Information (“PII”)
The Firm will seek to limit its collection of PII to that which is reasonably necessary for legitimate business purposes. The Firm will not disclose PII except in accordance with its internal policies and procedures, as permitted or required by law, or as authorized in writing by the owner of said information.
With respect to PII, the Firm will strive to:
- Ensure the security and confidentiality of the information.
- Protect against anticipated threats and hazards to the security and integrity of the information.
- Protect against unauthorized access to, or improper use of, the information.
The Firm has developed a Privacy Protection and Cyber Security Policy within its Compliance Manual which also addresses PII and/or other sensitive information. In accordance with that policy, Users should notify the security coordinator promptly of any threats to, or improper disclosure of, PII.
Physical Security
The Firm’s office is securely locked during non-business hours. Users should shut down or lock their computers/laptops when they leave the office (or non-office workspace) for any extended period.
Access to the server room is controlled via <ENTER TYPE HERE>
Clean Desk
It is the Firm’s policy that each User maintain a clean desk. This policy is intended to minimize inappropriate access to sensitive data (including PII). At the end of each business day, employees should store all hardcopy sensitive information (including PII) in a location other than their desk space.
Policy Compliance
Compliance Management
The Firm will verify compliance with this policy through various methods, including, but not limited to, periodic acknowledgements of receipt and understanding of the document.
Exceptions
Any exceptions to the policy must be approved by the security coordinator (or his designee) in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Policy Review
This document will be reviewed on at least an annual basis.
Written Information Security Policy
V2Incentives
Overview
The security coordinator oversees the development and implementation of the Firm’s cybersecurity controls in conjunction with a third-party consultant(s). The security coordinator utilizes the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”) to help guide the development of the information security program.
The Firm’s Written Information Security Policy (“WISP”) establishes practices, requirements, and responsibilities for the protection of and prevention against the misuse and/or loss of the Firm’s information assets, establishing the basis for self-assessments, and preserving the Firm’s options and legal remedies in the event of asset loss or misuse. The WISP also defines the specific information security roles necessary to reasonably implement the Policy. The Firm’s view is that its information assets (including its file network and any sensitive data stored therein) should be protected from unauthorized use, disclosure, modification, destruction, or misrepresentation. Accordingly, the Firm has implemented several information security controls (including technical means, processes, standards, and practices) to ensure that data is not compromised.
The primary information security objectives of the Firm are as follows:
- Ensure employees have appropriate and authorized access to the Firm’s information and assets.
- Ensure employees understand their responsibilities and duties regarding information security.
- Ensure that appropriate security controls are implemented and reasonably effective.
- Ensure compliance with the established security policies.
- Ensure all deviations from security policy (including unauthorized access attempts) are monitored, detected/reported, documented, and escalated, as appropriate.
Scope
The WISP applies to each of the Firm’s systems and devices as well as all employees.
The primary purpose of the WISP is as follows:
- Document the current state of the Firm’s information security stance.
- Provide a framework for any new or modified information security policies.
- Establish a process to document, track, monitor, and review information security incidents and/or breaches.
- Establish a process to document access requirements to the organization (including third-party access)
Policies & Controls
Acceptable Use
See the Firm’s Acceptable Use Policy for details.
Access Controls and Account Management
Access Control Policy
An access control policy outlines appropriate access control rules as well as access rights and restrictions for specific user roles, with the level of detail taking into consideration associated information security risks.
Access controls can be both logical and physical, and the Firm considers both when granting permissions to users, including employees, contractors, consultants, temporary workers, and other workers (collectively, “Users”). Users and third-party vendors should be given a clear statement of the requirements to be met as it relates to their corresponding access controls.
1. Access Control: The Firm’s applications and file network (“Systems”) authenticate the identity of users using unique usernames and passwords. These Systems have defined complexity, length, change schedule, reuse/history, session timeout, maximum login attempts, lockout handling, and logon limit requirements. Access to Systems should follow the principle of least privilege. The Firm controls access with the following measures:
a. A limit of successive incorrect logons will be enforced, and an automatic account lock will be enabled.
b. Time and date of logons and account changes will be appropriately recorded and monitored.
c. Network and information systems sessions remain locked for a predetermined time or until the user re-establishes access through an established authentication procedure (generally by contacting the security coordinator and/or NetProtect.
d. The Firm will establish appropriate restrictions around remote access, wireless access, and mobile devices.
2. Reauthorization of Access Privileges: System privileges granted to Users should be re-evaluated by the security coordinator (or his designee) annually to determine whether currently enabled access rights are required to perform their then-current job duties/responsibilities.
3. Inactive Account Maintenance: Inactive usernames should be either removed or disabled by NetProtect (in conjunction with the security coordinator (or his designee)), as appropriate.
4. Unique Username and Password Required: Users are required to have a unique username and password for access to the Firm’s Systems. See the Firm’s Password Policy for information about the Firm’s password guidance, recommendations, and/or requirements.
5. User Accountability: Users are accountable for all activities associated with their individual username and password. Users must not share their personal login credentials with any other person or any third parties.
6. Access Control System Logging: Access control systems should be configured to capture and maintain the following (where feasible and applicable):
a. The creation date for every username
b. Date and time of the last login for every username
c. Date and time of the last logoff for every username
d. Date and time of the last password change for every username
e. An expiration date for every username that represents the last date that the username is active for use.
f. Details of additions/changes to the privileges for individual usernames
7. Third Party Access: Any requests from third parties for independent access to the Firm’s networks or proprietary data must be forwarded to the security coordinator. Only the security coordinator may respond to such access requests.
Account/Credentials Management Policy
Accounts give users access to the Firm’s systems, file network, and data. The Firm differentiates between multiple categories of accounts, including standard user accounts and administration accounts. Each category will have specific requirements regarding usage and responsibilities.
1. User Accounts – Employees who have standard user accounts are responsible for familiarizing themselves with and complying with the WISP and other applicable Firm policies, procedures, and standards associated with the use Systems and devices (including Firm-provided laptops as well as mobile devices (e.g. phones, tablets) (collectively, “Devices”)) associated with such user account.
2. Administrator Accounts – Users who have administrator accounts bear responsibility for the security of the Firm’s IT assets and information (in conjunction with NetProtect).
Management of an account includes its establishment, suspension, termination, and removal. Each account should be assigned the minimum required privilege level for effective business operations. If unauthorized access is detected, the event should be reported to the security coordinator immediately to determine appropriate next steps.
1. Access Credentials – Users establishing login credentials to be used for third-party websites/service provider portals (“Portals”) should comply with the Firm’s existing policy guidelines, recommendations, and/or requirements for secure passwords (see the Firm’s Password Policy).
a. This includes avoiding using the same passwords for these Portals as those used for the Firm’s accounts.
2. Management Reporting – In the event sensitive or confidential data/information will be stored with a new third party, the security coordinator (or his designee) should be notified about the details of the account being established and the type(s) of data being stored.
Anti-Virus/Anti-Malware Software
Where possible, all Systems and Devices, whether connected to the Firm’s network or standalone, are equipped with Firm-approved anti-virus and anti-malware software. The software deployed by the Firm include: WebRoot
Anti-virus and anti-malware software updates are to be pushed automatically to all non-server Systems (including workstations, tablets and laptops).
If Users detect malicious code or content on Firm Devices, they should report this information to the security coordinator (or his designee) as soon as possible so that further investigation may be performed. The security coordinator (or his designee) will work in conjunction with NetProtect to determine the appropriate next steps.
Firm Systems
Cloud Services
To maintain rigor regarding data privacy and access standards within the Firm, the utilization of cloud-based services (including online backup) may only be used with the permission of the security coordinator (or his designee). The list of cloud services permitted within the organization is maintained by the security coordinator and/or NetProtect. Additional security controls may be required when using cloud services (including additional encryption and/or tokenization methods).
Firm E-mail
Users are granted access as appropriate to the Firm’s e-mail system. E-mail communications written or viewed using the Firm’s resources (including those of a personal nature) are deemed to be the Firm’s property. Users acknowledge that the certain members of the Firm have the right to access, obtain, and review all e-mails, including personal emails that users send or receive through the Firm’s Systems. Users expressly consent to such monitoring and review of all e-mails by these certain members of the Firm.
All e-mails and attachments sent from, received by, or processed on the Firm’s e-mail systems will be retained in a searchable archive for at least 2 years and may be subject to inspection by regulatory bodies or law enforcement. This archive will include e-mail messages deleted from user mailboxes.
Inbound e-mail is generally acknowledged to be the greatest potential source for malicious content. The Firm deploys an upstream anti-spam service designed to catch most phishing attempts before there is a chance that they can reach the Firm’s internal network. Through the upstream anti-spam service and other technical methods, the Firm reserves the right to block certain e-mail messages and attachments to protect the Firm’s infrastructure from malicious attack attempts.
Although the Firm utilizes and continues to adopt technologies to secure the messaging platform, Users should not open attachments, click on links, execute macros, or download files from unknown or suspicious sources.
Users are strictly prohibited from using personal e-mail (e.g. Gmail, Yahoo) for any Firm business purpose. All Users should be aware that, in the past, both regulatory and law enforcement agencies have subpoenaed individuals’ personal e-mail correspondence during examinations and/or investigations.
Instant Messaging
Instant messaging is archived on an ongoing basis and is subject to review by the security coordinator (or his designee). Users may not, under any circumstances, use instant messaging software that has not been approved by the security coordinator and installed by NetProtect to send or receive correspondence directly or indirectly related to the Firm and its business.
Desk Telephones & Voicemail
Firm telephones should generally be used for business purposes only. However, the Firm understands that incidental personal use will occur. Users should not record messages containing sensitive Firm information on answering machines or voicemail systems. Users should not save voicemail messages as .wav files and send them via e-mail.
Mobile Devices
Certain mobile devices owned by Users (i.e., BYOD) are granted access to the Firm’s Systems or networks. Although the Firm does not own these devices, Users should nevertheless adhere to the criteria of this policy. The owner of such a device understands that by connecting an employee-owned device to Firm Systems or networks, he or she is agreeing to allow the Firm to access, monitor, and, as necessary, erase information from the device without notification to, or the prior written consent of, the owner.
All mobile devices accessing Firm e-mail should have a Firm-approved mobile device management solution installed and configured.
Users should safeguard their mobile devices from theft by always keeping them in a secure place, and they should promptly report lost, stolen, or damaged mobile devices to the security coordinator (or his designee). Additionally, all mobile devices should “lock out” or “reset” if an incorrect password is entered more than 10 times in a row.
Removable Media
Removable media (including but not limited to recordable media and USB-attached drives) should not be connected to or used in computers or laptops provided by the Firm without explicit permission from the security coordinator (or his designee). This policy is established to reduce the risk of virus/malware infection spread through this entry point and to minimize the risk of loss or exposure of sensitive or personally identifiable information.
Device, Software, Data, and Media Destruction
At the end of the life of all Devices, sensitive data should be properly erased, destroyed, or otherwise made unreadable. This action should be performed to ensure that appropriate measures are taken to comply with software license agreements and non-disclosure agreements, and to keep critical and/or confidential information (including personally identifiable information) safeguarded. Repurposed Devices should have hard drives removed and destroyed before reuse.
Prior to disposal, donation, recycling, or destruction of any Device, the security coordinator (or his designee) and/or NetProtect shall validate that sensitive data has been completely removed. If a third-party provider will be engaged for destruction purposes, pre-approval from the security coordinator (or his designee) is required.
Encryption
Encryption technology is used within the Firm to keep data secure both in motion (transmission security) and at rest. As appropriate to the data and access being protected, strong encryption technology shall be used on all laptops and portable computing devices. Users must not include non-public/sensitive personal information in unencrypted emails sent outside of the Firm’s network.
The e-mail servers are configured to use opportunistic TLS (Transport Layer Security) to provide a transparent encryption process when email is exchanged between servers configured appropriately. Internet-facing systems that require credentials for access are configured to use HTTPS. Where possible and appropriate, HTTPS should be used when accessing critical or sensitive data.
Incident Response
The Firm’s Incident Response Plan is established to coordinate a response to information security-related events. This includes phases of discovery/detection, initiation, escalation, reporting, and remediation appropriate to the type of event that occurs, including malware attacks, data egress/loss or misuse, or specific activities that contradict this Policy.
Any suspected events that compromise the Firm’s information security or are known to violate this Policy should be reported to the security coordinator (or his designee). Examples of these events include:
- Any unauthorized use of Devices
- Loss or theft of endpoints or devices
- Loss, theft, or disclosure (suspected or actual) of passwords or other system access control mechanisms
- Unusual System behavior, such as missing files, frequent crashes, and/or misrouted messages
- Suspected or actual disclosure of sensitive information to unauthorized third parties
To ensure that sufficient data exists for analysis when a security event occurs, logging should occur on the following:
- Authentication systems
- Networking equipment (including firewalls, switches)
Security logs (including executive reports and access logs) are analyzed periodically by NetProtect. These logs may include changes seen on Active Directory, File, Exchange, and SQL Servers and may require further investigation. Users should report any anomalies in System performance to the security coordinator (or his designee). Executive reports produced by NetProtect should be reviewed by the security coordinator on at least a quarterly basis.
See the Incident Response Plan for additional details.
Monitoring of Devices
The Firm reserves the right to monitor and ensure the appropriate use of Firm Devices in a manner consistent with all applicable laws (including national, state, and local jurisdictions). These actions may include periodic assessments of software use, unannounced inspections of the Firm’s endpoints and mobile devices, monitoring of website visits and network traffic, and the removal of any software found on Firm Devices for which a valid license or proof of purchase cannot be located or is determined to be inappropriate. Users should be aware that their internet activity while using the Firm’s Devices may be monitored and recorded. This information may include websites visited, files downloaded, time spent on the internet, and related information.
Any source may be appropriate for monitoring activity, including, but not limited to:
- Authentication logs
- Network Activity logs
- Intrusion Detection/Prevention logs
- Application logs
- Network vulnerability assessment logs/reports
- Backup/recovery caches and logs
- Forensic images created for investigative purposes
As needed, these sources could be used within the context of the investigation of a security event for incident response purposes.
The Firm reserves the right to limit access to any program, service, or capability accessed through the Firm’s network or via Firm Devices that is deemed to pose a threat to information systems, violates any internal policy, or impacts User productivity.
Websites
Users may not publicly disclose non-public Firm information to any website, including blogs, newsgroups, social media, or other forums, without prior approval from the security coordinator (or his designee).
The ability of Users to access a particular website does not mean that use of such website is permitted. The Firm may, in its sole discretion, restrict or block websites and the downloading of information or file types.
Network Access
The Firm’s network provides an access vector to its confidential and business-critical information and assets. Only computer/laptop equipment with express authorization to be connected to the Firm’s network should be given appropriate access. All other equipment requires advance approval by the security coordinator (or his designee) before it is installed or connected. In many cases, installation by NetProtect (under the direction of the security coordinator (or his designee)) will be required.
Patch Management & System Updates
Applications and/or systems connected to and/or which are part of the Firm’s network shall be patched on at least a weekly basis to maintain the Firm’s security stance and provide ongoing protection. Critical security patches shall be installed (after appropriate testing) as needed after being released by the vendor. Other patches (not designated as critical by the vendor) may be applied on at least a weekly basis.
This policy applies to all equipment, including computers, laptops, network equipment, mobile devices, and third-party systems.
Personally Identifiable Information (“PII”)
The Firm will seek to limit its collection of PII to that which is reasonably necessary for legitimate business purposes. The Firm will not disclose PII except in accordance with its internal policies and procedures, as permitted or required by law, or as authorized in writing by the owner of said information.
With respect to PII, the Firm will strive to:
- Ensure the security and confidentiality of the information.
- Protect against anticipated threats and hazards to the security and integrity of the information.
- Protect against unauthorized access to, or improper use of, the information.
The Firm has developed a Privacy Protection and Cyber Security Policy within its Compliance Manual which also addresses PII and/or other sensitive information. In accordance with that policy, Users should notify the security coordinator promptly of any threats to, or improper disclosure of, PII.
Physical Security
The Firm’s office is securely locked during non-business hours. Users should shut down or lock their computers/laptops when they leave the office (or non-office workspace) for any extended period.
Access to the server room is controlled via <ENTER TYPE HERE>
Clean Desk
It is the Firm’s policy that each User maintain a clean desk. This policy is intended to minimize inappropriate access to sensitive data (including PII). At the end of each business day, employees should store all hardcopy sensitive information (including PII) in a location other than their desk space.
Policy Compliance
Compliance Management
The Firm will verify compliance to this policy through various methods, including, but not limited to, periodic acknowledgements of receipt and understanding of the document.
Exceptions
Any exceptions to the policy must be approved by the security coordinator (or his designee) in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Policy Review
This document will be reviewed on at least an annual basis.