RubinBrown Team Member Manual

POLICY CONTINUED

Policy Title: Information Security

Policy Number: 1222

Section: Risk Management

• DATA PROTECTION AND ENCRYPTION: Software that contains and holds usernames, passwords, and other access tokens for Users must protect or otherwise encrypt such data. Client data, personally identifiable information (PII), electronic personal health information (ePHI), and other confidential data must be transferred using an encrypted medium. This policy stands regardless of the source or destination of the communication.

• INCIDENT MANAGEMENT: When security incidents are identified, Users will contact the Technology Services Help Desk. The Help Desk will contact the Information Security Manager or CIO to determine how the security incident must be dealt with, by whom, and in what priority. After assessing an incident, Technology Services will define a response for all internal functions and organizations that will be involved during the management of an incident.

• PHYSICAL SECURITY: All Firm locations must be physically protected in proportion to the criticality or importance of their function. Physical access procedures must be documented and access to such facilities must be limited and controlled. The data center access list must be reviewed quarterly or more frequently depending on the nature of the systems that are being protected.

• PRIVACY: All information created, sent, or received via the Firm’s information resources, including but not limited to Firm computer hardware, software, electronic messaging systems, network, Intranet, and web sites, including social media sites containing Firm information, is the property of the Firm. Users should not have expectations of privacy regarding such information.

• MOBILE DEVICES: Users that connect to Firm internal network resources using a personal device must protect their device login credentials from misuse and maintain the software configuration of the device, and are strongly recommended to use anti-virus software. Users may not store Firm-owned confidential information, ePHI, or PII on their personal device. If a device is lost or stolen, or if it is believed to have been compromised in some way, Users must report the incident immediately to the Help Desk.

• REMOTE ACCESS: Remote access for User devices and related applications is intended for business use. Authorized vendors must protect their device login and password from any accidental use. All hosts that connect to the Firm internal network via remote access technologies must use the most up-to-date anti-virus software loaded on their devices. Remote access connections are required to have the same security standards as the on-site connection.

• SECURITY AWARENESS AND TRAINING: New Users are required to complete mandatory security awareness training. Annual web-based cybersecurity training will be completed by all Firm Users. Periodic security reminders will be used to keep Users up-to-date with new threats. The Firm will provide regular and relevant information security awareness communications at least monthly to all Users.

• VENDOR 3rd PARTY SOFTWARE AND HARDWARE: All requests for third-party software or hardware must be made by submitting a written request and be approved by the Firm leadership. On at least an annual basis, designated representatives of the Firm will review the operational and financial performance of vendors to ensure that the vendor meets, and can continue to meet, the terms and conditions of the third-party arrangement.

• ENDPOINT PROTECTION: All servers and workstations will have anti-virus and anti-malware software installed on the system. Virus definitions will be updated at least daily. Full system scans will be performed at least weekly. Software must be activated during system boot and must remain active at all times.
