Security Summary

Introduction

’s Corporate Information Security Program has implemented administrative, technical and physical safeguards that help to protect the confidentiality, integrity and availability of systems, networks, and information. To secure the internal systems and networks that support Enterprise Services (“ Assets”), operates in a manner consistent with its information security policies and maintains physical, technical, and administrative safeguards appropriate to protect Assets. While information security policies are based on generally accepted industry practices, individual Enterprise Services may have different and/or additional security features. ’s substantial investment in the people, processes and tools necessary to secure the products and services that our customers trust and depend on demonstrates our commitment to security excellence every day. Our continuous improvement strategy strives to stay ahead of the curve by implementing forward-thinking security controls and techniques to protect customer data and the Network.

scope for securing Internal Systems includes the following:

Maintaining an information security policy.

  • maintains a formal, documented information security policy, which is based on various recognized industry security standards, is aligned to the NIST Cybersecurity Framework, and is applicable to all employees and Authorized Users on Assets.
  • maintains information security teams to promote and assist in the enforcement of ’s information security policy and practices.
  • has a formal Cyber Security Awareness Program to ensure personnel are provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with policy and the underlying control framework.
  • develops and maintains systems designed to secure Customer Data through privacy and cybersecurity risk assessments, and where appropriate uses automation in the development lifecycle to enforce controls, among other practices.
  • complies with applicable privacy laws and regulations to which is subject.

Building and maintaining a secure network.

  • uses a variety of industry-recognized security practices to protect our internal networks, including appropriately configured firewalls, network segmentation and network monitoring.
  • implements continuous security monitoring, which includes logging and monitoring access to ’s networks and assets. Hardware and software-based tools have been deployed throughout the network to provide real-time alerting from devices such as firewalls, intrusion detection systems, routers and switches.
  • changes vendor-supplied defaults for system passwords and other security parameters.
  • regularly tests systems and processes utilized for network security to maximize operational capacity.

Protecting sensitive information.

  • maintains a Code of Conduct for employees (available to the public at ) which requires that they comply with information security policies and procedures.
  • uses contractual and other measures to obtain third party suppliers’ compliance with appropriate information security requirements, such as ’s baseline security requirements for suppliers, our Supplier Code of Conduct and other materials.
  • manages data protection in a systematic and structured manner to enforce confidentiality requirements throughout the data’s lifecycle of creation, transmission, storage, modification, retention and destruction. Based on risk, industry standard encryption is used to protect data-in-transit and data-at-rest.
  • provides physical security controls for each computer room, data center, and similar facilities that may contain sensitive information.
  • complies with applicable laws and regulations related to protecting sensitive information stored by .

Maintaining a vulnerability management program.

  • uses anti-virus software to address malware threats against its systems.
  • has an established patch management process for production hardware and software installed on the network.
  • schedules, monitors, controls, and tracks significant changes affecting Assets.
  • performs internal and external vulnerability scans on a periodic basis. System owners may schedule real-time vulnerability system scans as needed to adapt to changing threat vectors.

Implementing strong access control measures.

  • Logical access control policies are defined, documented and managed to ensure that only authorized personnel have access to critical business applications and systems based on position and job requirements.
  • Access to Assets requires the use of multi-factor authentication. Where appropriate and based on risk, network integrity is further protected by incorporating network segregation between production systems.
  • assigns a unique ID, consistent with ’s information security policies, for employees, agents, and contractors to use when accessing Assets.
  • implements controls to restrict physical access to facilities housing systems to authorized personnel. Depending on the type of facility, access may be permitted by electronic card access readers, keys, security guards, or local company personnel.
  • utilizes the Principle of Least Privilege to manage access for each of its systems. Privileged access for production network, system or application functions is controlled and restricted to as few personnel as operationally feasible and is authorized on a “need to know” or “event by event” basis.

Disaster recovery.

  • maintains business continuity and disaster recovery protocols designed to enhance ’s ability to respond to significant events that might disrupt ’s networks and facilities or otherwise impair ’s ability to provide service.
  • ’s business continuity and disaster recovery practices identify potential recovery risks to Assets and implement measures designed to help minimize and mitigate those risks using industry-accepted practices.

Incident management.

  • maintains a written, actionable incident response plan to ensure timely reaction to Security Events, Security Incidents and Data Breaches by the Threat Management Center.
  • addresses the identification, management, and resolution of security issues requiring attention.
  • communicates, consistent with contractual and legal obligations, the status of material issues affecting the Customer.

Last update: September 2020