RubinBrown Team Member Manual

Policy Title: Information Security
Policy Number: 1222
Section: Risk Management
Effective Date: 06/01/2024
Supersedes Policy Dated: 06/01/2023
Background: Information security is the responsibility of all partners, team members, visitors, vendors, and contractors (“Users”) accessing or using RubinBrown (“The Firm”) information assets, including paper files, intellectual property, or electronic data. All commercially purchased application software, information in databases, information in written or electronic form, phones, and computers are examples of Firm information assets and require appropriate protection.

Policy: This policy is also intended to help Users comply with legal and contractual requirements to protect client and Firm information, help safeguard Firm information technology resources from accidental or intentional damage, alteration, or theft, and designate the appropriate level of security requirements for securing data and IT resources. This policy applies to all Users who access, view, or handle data on Firm networks or who store data through the use of Firm credentials or under the authority of and pursuant to Firm contracts. This policy also applies to such access and storage by Users whether the data is accessed, stored, or otherwise resides on Firm owned or controlled devices, personally owned or controlled devices, or devices owned or controlled by a third party under contract with the Firm. Each policy is highlighted below. For additional information, please see the detailed policy at the following path: X:\IT Administration\IT Firmwide Policy.

• ACCEPTABLE USE: The Firm reserves the right to revoke the system privileges of any User at any time. It is the obligation of all Users of the company systems to protect the information assets of the company. Conduct that interferes with the normal and proper operation of Firm information systems, adversely affects the ability of others to use these information systems, puts confidential information in harm’s way, or is considered harmful, illegal, or offensive to others will not be permitted.
• ACCESS CONTROL AND MANAGEMENT: The Firm will establish the identity of the User by enforcing an authentication procedure. Once authenticated, the User will be granted privileges based on their role. Basic authentication (username/password) will be utilized, as well as an additional factor using multifactor authentication (MFA) where possible.

• APPLICATION SECURITY: All applications that access, store, transmit, or manipulate protected information should be reviewed by Technology Services prior to purchase, use, or development. Secure coding practices should be used for all applications developed or purchased by the Firm, and documented security specifications are required. Technology Services must perform a security review of any application prior to purchase and use, as well as throughout all stages of the development process, and is responsible for implementing the necessary security controls. Applications should be designed to use and/or store the minimum amount of information. Applications should use Active Directory SSO for authentication and MFA for an additional layer of authentication.

• BREACH RESPONSE: The Firm requires that Users first notify the HelpDesk and their supervisor, the Chief Risk Officer (“CRO”), and the Chief Information Officer (“CIO”) when unsecured protected information has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the protected information.

• CLASSIFICATION OF INFORMATION: Authorized Users will only have access to information required to perform their job requirements and related duties. Information is classified as follows:
  - Classification Level 4: Restricted
  - Classification Level 3: Confidential
  - Classification Level 2: Internal Only
  - Classification Level 1: Public