Information & Data Security Policy
Policy Foundation and Regulatory Compliance
This Information Security Policy (“Policy”) promotes an effective balance between information security practices and business needs. The Policy helps Downland LLC (the “Company”) meet its legal obligations and its customers’ expectations. From time to time, Company may implement different levels of security controls for different information assets, based on risk and other considerations.
You are expected to read, understand, and follow this Policy. However, no single policy can cover all the possible information security issues you may face. You must seek guidance from your manager or other designated Company resource before taking any actions that create information security risks or otherwise deviate from this Policy's requirements. Company may treat any failure to seek and follow such guidance as a violation of this Policy.
Our clients, employees, and others rely on us to protect their information. An information security breach or cyber incident could severely damage our credibility. Security events can also cause loss of business and other harm to Company. Strong information security requires diligence by all workforce members, including employees, contractors, volunteers, and any others accessing or using our information assets. It is part of everyone's job.
Guiding Principles. Company follows these guiding principles when developing and implementing information security controls:
Company strives to protect the confidentiality, integrity, and availability of its information assets and those of its clients.
We will comply with applicable information security, privacy, and data protection laws.
We will balance the need for business efficiency with the need to protect sensitive, proprietary, or other confidential information from undue risk.
We will grant access to sensitive, proprietary, or other confidential information only to those with a need to know and with the least privilege necessary to perform their assigned functions.
Recognizing that an astute workforce is the best line of defense, we will provide training opportunities and resources to help individuals understand and meet their information security obligations.
Scope. This Policy applies across the entire Company enterprise. This Policy provides detailed information security guidance that you must follow in addition to any obligations outside of this document.
This Policy states Company's information security policy. In many cases, you are personally responsible for taking or avoiding specific actions as the Policy states. In some situations, the Information Security Coordinator or another Company resource takes or avoids the stated actions.
From time to time, Company may approve and make available more detailed or location or business unit-specific policies, procedures, standards, and processes to address specific information security issues. Those additional policies, procedures, standards, and processes are extensions to this Policy. You must comply with them, where applicable, unless you obtain an approved exception.
Resources. No single document can cover all the possible information security issues you may face. Balancing our need to protect Company's information assets with getting work done can also be challenging. Many effective administrative, physical, and technical safeguards are available. Do not make assumptions about the cost or time required to implement them. Ask for help. You must seek guidance before taking any actions that create information security risks. Contact your manager.
For questions about this Policy or technical information security issues contact: hello@godownland.com
No Expectation of Privacy and Monitoring. Except where applicable law provides otherwise, you should have no expectation of privacy when using Company's network or systems, including, but not limited to, transmitting and storing files, data, and messages. To enforce compliance with Company's policies and protect Company's interests, Company reserves the right to monitor any use of its network and systems to the extent permitted by applicable law. By using Company's systems, you agree to such monitoring. Monitoring may include (but is not necessarily limited to) intercepting and reviewing network traffic, emails, or other messages or data sent or received and inspecting data stored on individual file directories, hard disks, or other printed or electronic media.
Regulatory Compliance. Various information security laws, regulations, and industry standards apply to Company and the data we handle. Company is committed to complying with applicable laws, regulations, and standards. Our clients expect nothing less from us. This section lists the obligations that you are the most likely to encounter. Do not assume that these are the only laws that may apply. To identify specific obligations, you must seek guidance from Legal and the Information Security Coordinator when collecting, creating, or using new or different types of information.
Personal Information: Data Protection and Breach Notification Laws. Various laws protect individuals' personal information, such as government-assigned numbers, financial account information, and other sensitive data. Many jurisdictions have enacted data breach notification laws that require organizations to notify affected individuals if personal information is lost or accessed by unauthorized parties. Some locations have data protection laws that require organizations to protect personal information using reasonable data security measures or more specific means. These laws may apply to personal information for Company's employees, clients, business partners, and others. Before collecting, creating, or using personal information for any purpose, confirm that such collection, creation or use is consistent with this Policy. If there is any doubt, contact management to further assess.
Protecting client information is of utmost importance to Company and the following are some practical means that we expect you to take to protect such information.
Never take client information out of the Company workplace without proper authorization from firm management;
Follow all prescribed information security laws that are applicable to data protection in the course of business at Company;
Never assume that it is okay to share or disclose client information except when explicitly authorized; and
Maintain tight control over records and documents that pertain to ANY client information.
Responsibilities: Security Organization, Authority, and Obligations. Company and its leadership recognize the need for a strong information security program.
Information Security Coordinator. Company has designated Jessi Roesch to be its Information Security Coordinator and accountable for all aspects of its information security program. To the extent Jessi Roesch is unavailable, then other individuals from firm management will appoint another coordinator or otherwise perform such obligations.
Policy Authority and Maintenance. Company has granted the Information Security Coordinator the authority to develop, maintain, and enforce this Policy and any additional policies, procedures, standards, and processes, as they may deem necessary and appropriate.
Policy Review. On at least an annual basis, the Information Security Coordinator will initiate a review of this Policy, engaging stakeholders such as individual business units and other Company organizations, as appropriate. In addition, clients will have an opportunity to provide input to the Information Security Coordinator relating to Information Security Policies.
Exceptions. Company recognizes that specific business needs and local situations may occasionally call for an exception to this Policy. Exception requests should be made in writing. The Information Security Coordinator must approve in writing, document, and periodically review all exceptions.
Do not assume that the Information Security Coordinator will approve an exception simply because they have previously approved a similar exception. Each non-compliant situation requires a review of the specific facts and risks to Company's information assets and those of our clients.
Workforce Obligation to Comply. Employees and contractors are obligated to comply with all aspects of this Policy that apply to them. This Policy is not intended to restrict communications or actions protected or required by applicable law. Company may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Security Coordinator has granted an exception as described in Section 2.4.
You are responsible for your own actions and compliance with this Policy. You should question and report any situation to your manager or the Information Security Coordinator that appears to violate this Policy or creates any undue information security risk.
Sanctions. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include suspension, access restrictions, work assignment limitations, or more severe penalties up to and including termination, in accordance with applicable law. If Company suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
Acknowledgment. All employees and contractors must acknowledge that they have read, understood, and agree to comply with this Policy either in writing or through an approved online process. Acknowledgment must be completed on a timely basis following a new hire or as otherwise designated by the Information Security Coordinator. Material changes to this Policy may require additional acknowledgment. Company will retain acknowledgment records.
Training. Company recognizes that an astute workforce is the best line of defense. We will provide security training opportunities and expert resources to help employees and contractors understand their obligations under this Policy and avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire. All workforce members must complete information security training on at least an annual basis. Managers must ensure that their employees complete all required training. Company may deem failure to participate in required training a violation of this Policy. Company will retain attendance records and copies of security training materials delivered.
Client Policies. Company may handle sensitive client information. In some cases, Company may agree to comply with specific client information security policies or standards. To minimize special cases, Company has developed this Policy to include the requirements common to most of our clients. If Company agrees to comply with additional client-specific information security policies or standards, we will notify affected workforce members. You must comply with any such policies or standards, including any related training or additional background screening requirements. The Information Security Coordinator must review and approve any client agreements that require compliance with specific information security policies or standards.
Data: Information Classification and Risk-Based Controls. Company has established a three-tier classification scheme to protect information according to risk levels. The information classification scheme allows Company to select appropriate security controls and balance protection needs with costs and business efficiencies. All Company information is classified as (from least to most sensitive): (1) Public Information, (2) Confidential Information, or (3) Highly Confidential Information. Unless it is marked otherwise or clearly intended to be Public Information, treat all Company and client information as if it is at least Confidential Information, regardless of its source or form, including electronic, paper, verbal, or other information. You must apply security controls appropriate for the assigned information classification level to all information you store, transmit, or otherwise handle. Use classification level markings, where feasible.
Public Information. Public Information is information that Company or its clients have made available to the general public. Information received from another party (including client information) that is covered under a current, signed non-disclosure agreement must not be classified or treated as Public Information. Some Public Information examples include, but are not limited to:
press releases;
Company or client marketing materials that have previously been disclosed to the general public;
job announcements; and
any information that Company or its clients make available on their publicly accessible websites.
Do not assume that any information you obtain from Company's internal network or systems is publicly available. For example, draft marketing materials are typically Confidential Information until their release. Consider all information to be at least Confidential Information, and not available for public disclosure without authorization, until you verify it is Public Information.
Confidential Information. Confidential Information is information that may cause harm to Company, its clients, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual's privacy, Company's marketplace position or that of its clients, or legal or regulatory liabilities. Mark Confidential Information to denote its status when technically feasible. Applications or databases that contain Confidential Information may be marked with an initial banner shown upon system access. You must have authorization to disclose Confidential Information to an external party. Seek guidance from the Information Security Coordinator prior to disclosing Confidential Information and verify that an appropriate non-disclosure or other agreement is in effect.
Some Confidential Information examples include, but are not limited to:
Company financial data, client lists, revenue forecasts, program or project plans, and intellectual property;
client-provided data, information, and intellectual property;
client contracts and contracts with other external parties, including vendors;
communications or records regarding internal Company matters and assets, including operational details and audits;
Company policies, procedures, standards, and processes (for example, this Policy is Confidential Information and should not be shared without authorization from the Information Security Coordinator);
any information designated as "confidential" or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
information regarding employees (see also, Section 3.3, Highly Confidential Information, regarding personal information);
any summaries, reports, or other documents that contain Confidential Information;
drafts, summaries, or other working versions of any of the above; and
any and all other information that is not Public Information of Company or its clients.
Safeguards. You must protect Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks, including (but not necessarily limited to):
Authentication. Electronically stored Confidential Information must only be accessible to an individual after logging in to Company's network. Further, Company's network is not to be accessed remotely, except by authorized parties. The Information Security Coordinator designates these parties.
Discussions. Only discuss Confidential Information in non-public places, or if a discussion in a public place is absolutely necessary, take reasonable steps to avoid being overheard.
Copying/Printing/Scanning/Faxing/Electronic Distribution. Only scan, make copies, and distribute Confidential Information to the extent necessary or allowed under any applicable non-disclosure agreement or other applicable agreement. Take reasonable steps to ensure that others who do not have a business need to know do not view the information. When distributing Confidential Information, use a cover sheet, document footers, watermarks or disclosure pages to inform the recipient that the information is Company's Confidential Information. Set fax machines to print a confirmation page after sending a fax. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Confidential Information. Do not print, fax, or scan out of the offices of Company unless expressly authorized by the Information Security Coordinator.
Mailing. Use a service that requires a signature for receipt of the information when sending Confidential Information outside Company. When sending Confidential Information inside Company, use a sealed security envelope marked “Confidential Information.”
Meeting Rooms. You should only share Confidential Information in physically secured meeting rooms. Erase or remove any Confidential Information that you write on a whiteboard or other presentation tool at the meeting's conclusion.
Need to know. Only access, share, or include Confidential Information in documents, presentations, or other resources when there is a business need to know.
Physical Security. Only house systems that contain Confidential Information or store Confidential Information in paper or other forms in physically secured areas.
Highly Confidential Information. Highly Confidential Information is information that may cause serious and potentially irreparable harm to Company, its clients, employees, or other entities or individuals if disclosed or used in an unauthorized manner. Highly Confidential Information is a subset of Confidential Information that requires additional protection. Mark Highly Confidential Information to denote its status when technically feasible. Applications or databases that contain Highly Confidential Information may be marked with an initial banner shown upon system access. You may not remove Highly Confidential Information from Company's environment without authorization. You must have express authorization from the Information Security Coordinator to disclose Highly Confidential Information to an external party. Seek guidance from the Information Security Coordinator prior to disclosing Highly Confidential Information externally to ensure Company meets its legal obligations.
Some Highly Confidential Information examples include, but are not limited to:
personal information for employees, clients, business partners, or others; and
sensitive Company business information, such as budgets, financial results, or strategic plans.
Safeguards. You must protect Highly Confidential Information with specific administrative, physical, and technical safeguards implemented according to risks and as prescribed by applicable laws, regulations, and standards, including (but not necessarily limited to):
Authentication. Electronically stored Highly Confidential Information must only be accessible to an individual after logging in to Company's network and with specific authorization.
Discussions. Only discuss Highly Confidential Information in non-public places.
Copying/Printing/Scanning/Faxing/Electronic Distribution. Do not scan, copy, or distribute Highly Confidential Information unless absolutely necessary. Take reasonable steps to ensure that others who do not have a specific business need to know do not view the information. When distributing Highly Confidential Information, use a cover sheet, document footers, watermarks or disclosure pages to inform the recipient that the information is Company's Highly Confidential Information. Locate copiers, fax machines, scanners, and other office equipment in physically secured areas and configure them to avoid storing Highly Confidential Information.
Mailing. Do not mail Highly Confidential Information unless absolutely necessary. Use a service that requires a signature for receipt of the information when sending Highly Confidential Information outside Company. When sending Highly Confidential Information inside Company, use a sealed security envelope marked "Highly Confidential Information." If you use electronic media to mail Highly Confidential Information, you must encrypt and password protect it.
Meeting Rooms. You must only share Highly Confidential Information in physically secured meeting rooms. Erase any Highly Confidential Information that you write on a whiteboard or other presentation tool at the meeting's conclusion.
Need to know. Only access, share, or include Highly Confidential Information in documents, presentations, or other resources when there is a specific business need to know.
Network Segmentation. You may only make Highly Confidential Information available to areas of Company's network where there is a specific business need. Highly Confidential Information must be segmented from the rest of Company's network using controls such as firewalls, access control lists, or other security mechanisms.
Physical Security. Only house systems that contain Highly Confidential Information or store Highly Confidential Information in paper or other forms in physically secured areas, accessible only to those with a specific business need to know.
People: Roles, Access Control, and Acceptable Use. People are the best defense in information security; they are also the weakest link. Company grants access to its systems and data based on business roles. Company places limits on how you may use and interact with its information assets. These restrictions help lower risks and protect you, Company, and its clients.
Roles. Business roles and role-based access are based on the individual's relationship with Company and assigned activities.
Employees. Company’s office manager provides employee screening. Company may require employees who handle Highly Confidential Information to undergo additional background screening and testing where permitted by applicable laws. Supervising managers may request access for their employees only to those Company systems and data required to meet business needs.
External Parties. Company grants systems access to approved external parties, such as contractors, vendors, service providers, business partners, or others with a demonstrated business need that cannot be reasonably met through other means (see Section 7, Service Providers: Risks and Governance). Company may support different access levels for different business situations.
Identity and Access Management. Company uses identity and access management controls to provide user accounts with appropriate privileges to employees and others. Company will assign each individual a unique identifier using a standard convention (the individual's "primary ID"). You should only create device or application-specific identifiers if the primary ID cannot be used. Device or application-specific identifiers must be linked to an accountable individual.
Unique User Accounts. Company assigns unique user accounts and passwords to individuals, using their primary ID. You must not share your account or password with others. If system or other administrative accounts cannot be uniquely assigned to specific individuals, use mediated access, audit logs, or other technical controls to provide individual accountability.
Add, Change, Terminate Access. Company restricts access to specific resources to those with a business need to know. Responsible managers should direct requests to add or change access levels to Jessi Roesch. System and application administrators must periodically review user accounts and access levels to confirm that a legitimate business need for the access still exists. When an employee leaves the business, Company will timely deactivate the individual's account(s).
Authorization Levels and Least Privilege. Proper authorization levels ensure that Company only grants individuals the privileges they need to perform their assigned activities and no more. Known as least privilege access, this method minimizes risks. Least privilege applies to user and administrative access. You must not grant administrative privileges unless there is a specific business need and you limit them to the extent feasible.
Role-Based Access Controls. Use role-based access control methods whenever feasible to assign authorization levels according to business functions, rather than uniquely for each individual. This method supports the least privilege approach by standardizing access. It also simplifies periodic access reviews.
Acceptable Use Policy. Company provides employees and others with network resources and systems to support its business requirements and functions. This section limits how you may use Company's information assets and explains the steps you must take to protect them. If you have any questions regarding acceptable use of Company's resources, please discuss them with your manager or contact the Information Security Coordinator for additional guidance.
General Use of Information Technology Resources. Company provides network resources and systems for business purposes. Any incidental non-business use of Company's resources must be for personal purposes only. Do not use Company's resources for commercial purposes, personal gain, or any purpose that may create a real or perceived conflict of interest with Company. Do not use Company's resources in a manner that negatively impacts your job performance or impairs others' abilities to do their jobs. Company's network and systems are subject to monitoring (see Section 1.4, No Expectation of Privacy and Monitoring). Do not use Company's network or systems for activities that may be deemed illegal under applicable law. If Company suspects illegal activities, it may report them to the appropriate authorities and aid in any investigation or prosecution of the individuals involved.
Prohibited Activities. Company prohibits using its resources to engage in activities such as (but not necessarily limited to) the following:
hacking, spoofing, or launching denial of service attacks;
gaining or attempting to gain unauthorized access to others' networks or systems;
sending fraudulent email messages;
distributing or attempting to distribute malicious software (malware);
spying or attempting to install spyware or other unauthorized monitoring or surveillance tools;
committing criminal acts such as terrorism, fraud, or identity theft;
downloading, storing, or distributing child pornography or other obscene materials;
downloading, storing, or distributing materials in violation of another's copyright;
creating undue security risks or negatively impacting the performance of Company's network and systems;
causing embarrassment, loss of reputation, or other harm to Company;
uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media;
distributing jokes, chain letters, commercial solicitations, or hoax emails or other messages (spamming);
disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others;
using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities; and
installing or distributing unlicensed or pirated software.
Desktop, Laptop, and End-User Controls. You may only access Company's network using approved end-user devices that support our current minimum information security standards. Standards for end-user devices may include protective controls and specific configurations, such as anti-virus software, patching levels, and required operating system or other software versions. Company-owned machines may be configured to automatically receive upgrades. You may be denied remote access using non-Company owned devices that do not meet current standards.
Use your own Company-provided account(s) to access Company's network and systems, unless you have been specifically authorized to use a device-specific, administrative, or other account (see Section 4.2, Identity and Access Management).
Screen saver passwords, also known as "workstation timeouts" or "lock screens," secure Confidential Information by protecting active computer sessions when you step away. If you handle Highly Confidential Information, lock your screen any time you leave it unattended.
Information Handling and Storage. You must properly handle, store, and securely dispose of Company's information in accordance with Company's internal policies. You are responsible for any Confidential or Highly Confidential Information that you access or store. Do not allow others to view, access, or otherwise use any Confidential or Highly Confidential Information you control unless they have a specific business need to know. Store files or other data critical to Company's operations on regularly maintained (backed up) servers or other storage resources. Do not store business critical data only on end-user devices such as desktops, laptops, smartphones, or other mobile devices. Physically secure any media containing Company information, including hard drives, CDs, disks, paper, voice recordings, removable drives (such as thumb drives, flash drives, or USB drives), or other media. You must store media containing Confidential or Highly Confidential Information in a locked area when not in use. Shred or otherwise destroy paper that contains Confidential or Highly Confidential Information prior to disposal. Return all electronic, magnetic, or optical media to IT for secure disposal when it is no longer required to meet business needs.
Internet Use: Email, Messaging, Social Media, and Cloud Computing. The internet offers a variety of services that Company employees and contractors depend on to work effectively. However, some technologies create undue risks to Company's assets. Some uses are not appropriate in the workplace. Company may block or limit access to particular services, websites, or other internet-based functions according to risks and business value. Recognize that inappropriate or offensive websites may still be reachable and do not access them using Company resources.
General Internet Use. Limit your web browsing and access to streaming media (such as videos, audio streams or recordings, and webcasts) to business purposes or as otherwise permitted by this Policy. Internet use must comply with this Policy.
Never use internet peer-to-peer file sharing services, given the risks to Company's information assets they create.
Do not use internet-based remote access services to access Company's network or systems, including desktop computers. If you need remote access, use Company-provided or authorized methods (see Section 4.3(f), Remote Access).
Email and Social Media. Do not disclose Confidential or Highly Confidential Information to unauthorized parties on blogs or social media or transmit it in unsecured emails or instant messages (see Section 3, Data: Information Classification and Risk-Based Controls). Do not make postings or send messages that speak for Company or imply that you speak for Company unless you have been authorized to do so.
Use good professional judgment when drafting and sending any communications. Remember that messages may be forwarded or distributed outside your control, and your professional reputation is at stake. Email signatures should be professional, appropriate for your business role, and not unreasonably long or complex.
Never open an email attachment that you did not expect to receive, click on links, or otherwise interact with unexpected email content. Attackers frequently use these methods to transport viruses and other malware. Be cautious, even if messages appear to come from someone you know, since attackers can easily falsify (spoof) email senders. Company may block some attachments or emails, based on risk.
Do not respond to an email or other message that requests Confidential or Highly Confidential Information unless you have separately verified and are certain of its origin and purpose. Even then, always protect Confidential or Highly Confidential Information as described in Section 3, Data: Information Classification and Risk-Based Controls.
If you have any doubts regarding the authenticity or risks associated with an email or other message you receive, contact Jessi Roesch immediately and before interacting with the message. Do not reply to or forward suspicious messages, click links in them, or submit unsubscribe requests. Taking those actions may simply validate your address and lead to more unwanted or risky messages.
Cloud Computing. Company may use internet-based, outsourced services for some computing and data storage activities based on business needs. Cloud computing services store data and provide services in internet-accessible data centers that may be located almost anywhere. Cloud services vary significantly in their service levels and security measures. While cloud services may offer an attractive cost model, they also present significant risks. Using them may also affect Company's ability to comply with some laws. Before using any cloud computing services to collect, create, store, or otherwise manage Company's Confidential or Highly Confidential Information, you must obtain approval from Legal and the Information Security Coordinator (see Section 7, Service Providers: Risk and Governance). This Policy applies to any document sharing or other internet-based services, if Company Confidential or Highly Confidential Information is stored.
Mobile Devices and Bring Your Own Device to Work. Mobile devices, including laptops, smartphones, and tablet computers, can provide substantial productivity benefits, and mobile storage devices may simplify information exchange and support business needs. However, all of these devices also present significant risks to Company's information assets, so you must take appropriate steps to protect them. Company may permit employees and others to use their own equipment to connect to its network and systems. If you choose to do so, you agree that your use of those devices is subject to this Policy and any additional policies, procedures, standards, and processes Company implements. Company may require you to install specific security controls on your device (for example, device management software, access controls, encryption, remote wiping in case your device is lost or stolen, or other security controls). You must allow firm management (or another Company resource) to review your device and remove any Company data if your relationship with Company terminates, you change devices or services, or in other similar situations. You must also promptly provide Company with access to your device when requested for Company's legitimate business purposes, including any security incident or investigation. Protect any mobile device that contains Confidential or Highly Confidential Information with encryption, the other controls listed above, or both. Mobile devices, including those that provide access to Company email, must be protected using a password or other approved authentication method.
Physically secure any mobile devices you use to access or store Company information. Never leave laptops or other devices unattended unless locked or otherwise secured. Do not leave mobile devices or the bags containing them visible in a parked car or check them as baggage on airlines or other public transportation. Do not connect a mobile device containing Company information to any unsecured network without an up-to-date firewall configured (or other security controls in place), and where you must use such a network, reach Company systems only through Company-provided remote access (see Section 4.3(f), Remote Access) rather than directly over it. Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that Company has not approved or does not control.
Remote Access. If you have a business need to access Company's network and systems from home, while traveling, or at another location, Company may grant you remote access. Use multifactor authentication to access Company's network remotely. Configure remote access capabilities to limit access to only those assets and functions the Information Security Coordinator approves. You may only use Company-provided means for remote access (for example, VPN connections, dial-up modems, or a Company portal). Do not install or set up any other remote connections, including remote desktop software, without the Information Security Coordinator's authorization. Remote access connections should time out (be disconnected) after a maximum of one hour of inactivity. Company does not permit split tunneling (routing some of a device's traffic outside the VPN while it is connected to Company's network) or other mechanisms that bridge unsecure networks with Company's network, because a device configured that way can relay traffic from an untrusted network into Company's.
External Network Connections. Some business situations may require creating a secure connection from Company's network to an external party's network (extranet). Examples include working extensively with client systems, outsourcing, or partnering with another organization for an extended period. Extranet connections allow the organizations to share information and technical resources in a secure manner by connecting the two networks at their respective perimeters. The Information Security Coordinator must review and approve all extranet and any other external connections to Company's network before implementation. A signed business agreement between the two organizations must accompany any extranet connection. Limit connectivity to only those assets required to perform the specified functions. Company monitors extranet connections and may deactivate them if unusual or inappropriate traffic is detected.
Wireless Network Connections. Do not connect any wireless access points, routers, or other similar devices to Company's network unless the Information Security Coordinator has reviewed and approved them. Secure and maintain approved wireless network (WiFi) connections according to current Company technical and physical security standards. Do not connect wireless access points (WAPs) directly to Company's trusted network without going through a firewall or other protective controls. Deactivate WAPs when they are not in use, including during non-business hours. Only transmit, receive, or make available Highly Confidential Information through WiFi connections using appropriate protective controls, including encryption. If you have questions regarding appropriate WiFi security measures to take when handling Highly Confidential Information, contact the Information Security Coordinator. End-user devices that access wireless networks, such as laptops, must have personal firewalls installed and maintained according to current Company standards. Deactivate your computer's wireless networking interface when it is not in use.
Information Assets: Protecting and Managing Company's Information Technology Environment. This section describes key safeguards that Company uses to protect and manage its information technology (IT) environment. You must support their use to the extent that they apply to you.
Protecting Information Assets. Install and configure Company-owned computers according to current technical standards and procedures, including anti-virus software, other standard security controls, and approved operating system versions and software patches. Company supports preventive controls to avoid unauthorized activities or access to data, based on risk levels. Company supports detective controls to discover unauthorized activities or access to data in a timely manner, including continuous system monitoring and event management.
End-User Computers and Access. Configure end-user computers to request authentication from Company's domain at startup and user login. Company may deny network access to end-user computers if installed software versions do not match current standards. Users may not access Company's network unless they have been properly authenticated. Configure user accounts to require strong passwords. To protect against password guessing and other brute force attacks, Company will deactivate user accounts after five failed login attempts. Reactivation may be based on a timeout or manual reset according to risk and technical feasibility; note that an attacker can deliberately trigger lockouts to deny legitimate users access, so a timeout-based reset limits that side effect while still slowing guessing. Secure remote access points and require multifactor authentication. Encrypt authentication credentials during transmission across any network, either internal or external.
Passwords and User Credentials. Select strong passwords and protect all user credentials, including passwords, tokens, badges, smart cards, or other means of identification and authentication. Implement password rules so that users select and use strong passwords. Automate password rule enforcement to the extent technically feasible. Several techniques can help you create a strong password, and length matters most: a long passphrase is far harder to guess than a short password built from substitutions. Swapping numerals or symbols for words or letters (for example, a 2 for "to" or a 4 for "for", with capitalization and symbols) is common and can make a phrase memorable, but password-cracking tools try those substitutions routinely, so on their own they add little strength. A better way to create an easy-to-remember strong password is to think of a sentence and use the first letter of each word, together with capitalization, numerals, and symbols, as the password. Treat passwords as Highly Confidential Information. You may be required to change your password periodically according to current Company standards. Change your password immediately and report the incident (see Section 6.1, Incident Reporting) if you have reason to believe that it has been compromised.
Password Protection. Protect your passwords at all times by: (i) Not disclosing your passwords to anyone; (ii) Not sharing your passwords with others (including co-workers, managers, clients, or family); (iii) Not writing down your passwords or otherwise recording them in an unsecure manner; (iv) Not using save password features for applications, unless provided or authorized by Company; (v) Not using the same password for different systems or accounts, except where single sign-on features are automated; and (vi) Not reusing passwords.
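One way to automate the password rules above and the reuse check in item (vi), as an added example rather than code from this Policy: the concrete parameters (a 12-character minimum, a small constructed common-password list, the symbol-to-letter map used to catch "P@ssw0rd"-style substitutions, and a 24-entry history of salted PBKDF2 hashes) are assumptions, since the Policy leaves them to current Company standards.

```python
"""Automated password rule enforcement with a reuse (history) check.

Added example for the password rules in this Policy, not Company code.
All thresholds and the common-password list below are assumptions.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed minimum; the Policy defers to Company standards
HISTORY_DEPTH = 24       # assumed number of previous passwords to remember
PBKDF2_ROUNDS = 200_000  # kept modest so the example runs quickly

# Constructed stand-in for a real breached/common password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein",
                    "qwerty123", "iloveyou", "sunshine"}

# Undo the usual letter-for-symbol swaps so "P@ssw0rd" is checked as "password".
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def _normalize(password):
    return password.lower().translate(SUBSTITUTIONS)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of previous password hashes. Each entry has its own
    salt, so the stored list reveals nothing usable if it leaks."""

    def __init__(self):
        self._entries = []  # oldest first: (salt, digest)

    def was_used(self, password):
        # constant-time comparison against every remembered hash
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # keep only the newest entries


def check_password(username, candidate, history):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalize(candidate) in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username.lower() in candidate.lower():
        problems.append("contains the user name")
    if history.was_used(candidate):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def change_password(username, candidate, history):
    """Apply the rules; on success the new password enters the history."""
    problems = check_password(username, candidate, history)
    if problems:
        return False, problems
    history.record(candidate)
    return True, []


if __name__ == "__main__":
    h = PasswordHistory()
    for pw in ("P@ssw0rd", "correct horse battery staple 2022",
               "correct horse battery staple 2022", "alice-is-my-name-2022"):
        print(repr(pw), change_password("alice", pw, h))
```

The normalization step is what makes the check match the Policy's own advice: a substitution-only password is rejected as the common word it is derived from, while a sentence-based password of adequate length passes.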
Perimeter Controls. Perimeter controls secure Company's network against external attacks. Use firewalls, configured according to current technical standards and procedures, to separate Company's trusted network from the internet or internet-facing environments. Company may implement additional perimeter controls including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or various forms of network monitoring according to risks. Do not create internet connections outside perimeter controls.
Data and Network Segmentation. Company may use technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network according to risks. Segment Highly Confidential Information from the rest of Company's network, to the extent technically feasible and reasonable (see Section 3.3, Highly Confidential Information). Do not alter network segmentation plans without approval from the Information Security Coordinator.
Data and Media Disposal. When Company retires or otherwise removes computing, network, or office equipment (such as copiers or fax machines) or other information assets that may contain Confidential or Highly Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable. Simply deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards (for example, NIST Special Publication 800-88). Note that overwriting is not reliable on solid-state and other flash media, because the drive's own wear-leveling can leave copies of data in blocks the software never reaches; for such media use the drive's built-in sanitize or cryptographic erase function, or destroy it physically.
Log Management and Retention. Company logs system and user activities on network, computing, or other information assets according to risks. Security controls or other network elements may also produce logs. Secure log data and files to prevent tampering and retain them according to Company's internal policy. Regularly review logs, using automated means where feasible, to identify any anomalous activities that may indicate a security incident.
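An added example (not part of this Policy) of the automated review described above, run over constructed OpenSSH-style log lines. It applies the five-failed-attempt threshold from End-User Computers and Access with an assumed ten-minute window to flag accounts that should have been locked, and also surfaces three things a per-account lockout alone misses: a successful login immediately after a lockout-level burst, a slow guessing attempt spread over hours so the counter keeps resetting, and password spraying, where one source tries a few guesses against many accounts. The log format, the window, and the spraying threshold are assumptions.

```python
"""Brute-force and password-spraying detection over authentication logs.

Added example for the log review and account lockout requirements of this
Policy; not Company code. The sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # failures per account, as the Policy states
WINDOW = timedelta(minutes=10)   # assumed sliding window for the lockout counter
SPRAY_THRESHOLD = 3              # assumed: distinct accounts tried from one source

_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample: a burst against alice followed by a login, a spray from
# one source against four accounts, and a slow grind against erin.
SAMPLE_LOG = """\
Jan 22 09:00:01 web1 sshd[2001]: Failed password for alice from 203.0.113.5 port 51122 ssh2
Jan 22 09:00:03 web1 sshd[2001]: Failed password for alice from 203.0.113.5 port 51123 ssh2
Jan 22 09:00:05 web1 sshd[2002]: Failed password for alice from 203.0.113.5 port 51124 ssh2
Jan 22 09:00:07 web1 sshd[2002]: Failed password for alice from 203.0.113.5 port 51125 ssh2
Jan 22 09:00:09 web1 sshd[2003]: Failed password for alice from 203.0.113.5 port 51126 ssh2
Jan 22 09:00:20 web1 sshd[2004]: Accepted publickey for alice from 203.0.113.5 port 51130 ssh2
Jan 22 09:30:00 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Jan 22 09:30:02 web1 sshd[2102]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Jan 22 09:30:04 web1 sshd[2103]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Jan 22 09:30:06 web1 sshd[2104]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Jan 22 10:00:00 web1 sshd[2201]: Failed password for erin from 192.0.2.77 port 33001 ssh2
Jan 22 10:20:00 web1 sshd[2202]: Failed password for erin from 192.0.2.77 port 33002 ssh2
Jan 22 10:40:00 web1 sshd[2203]: Failed password for erin from 192.0.2.77 port 33003 ssh2
Jan 22 11:00:00 web1 sshd[2204]: Failed password for erin from 192.0.2.77 port 33004 ssh2
Jan 22 11:20:00 web1 sshd[2205]: Failed password for erin from 192.0.2.77 port 33005 ssh2
"""


def parse_ts(text, year=2022):
    # syslog timestamps carry no year; the sample assumes 2022
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines):
    per_user = defaultdict(list)   # user -> failure timestamps inside WINDOW
    totals = defaultdict(int)      # user -> all failures, never reset
    per_src = defaultdict(set)     # source -> distinct accounts attempted
    lockouts, suspicious = {}, []
    for line in lines:
        if (m := FAILED.match(line)):
            ts, user, src = parse_ts(m["ts"]), m["user"], m["src"]
            totals[user] += 1
            per_src[src].add(user)
            recent = [t for t in per_user[user] if ts - t <= WINDOW] + [ts]
            per_user[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD and user not in lockouts:
                lockouts[user] = ts            # the account should lock here
        elif (m := ACCEPTED.match(line)):
            ts, user, src = parse_ts(m["ts"]), m["user"], m["src"]
            burst = [t for t in per_user[user] if ts - t <= WINDOW]
            if len(burst) >= LOCKOUT_THRESHOLD:
                # success right after a lockout-level burst: either the lockout
                # did not take effect or the guessing worked
                suspicious.append((user, ts, src))
            per_user[user] = []                # a success resets the counter
    return {
        "lockouts": lockouts,
        "suspicious_logins": suspicious,
        "slow_brute_force": sorted(u for u, n in totals.items()
                                   if n >= LOCKOUT_THRESHOLD and u not in lockouts),
        "password_spraying": {src: sorted(users) for src, users in per_src.items()
                              if len(users) >= SPRAY_THRESHOLD},
    }


def analyze_text(text):
    return analyze(text.splitlines())


if __name__ == "__main__":
    for finding, detail in analyze_text(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

Each finding maps to a reportable event under Incident Reporting: a lockout alone is routine, but a login after a burst, a slow grind, or a spray is the kind of anomaly the Policy asks reviewers to surface.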
Physical (Environmental) Security. Company uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its information assets. You must comply with Company's current physical security policies and procedures: (i) position computer screens where information on the screens cannot be seen by unauthorized parties; (ii) not display Confidential and Highly Confidential Information on a computer screen where unauthorized individuals can view it; (iii) log off or shut down your workstation when leaving for an extended period or at the end of your workday; (iv) house servers or other computing or network elements (other than end-user equipment) in secure data centers or other areas approved by the Information Security Coordinator; (v) not run network cabling through unsecured areas unless it is carrying only Public Information or otherwise protected data, such as encrypted data; (vi) deactivate network ports that are not in use; and (vii) store end-user devices that are not in use for an extended period in a secure area or securely dispose of them (see Section 5.1(e), Data and Media Disposal).
Disaster Preparedness (Business Continuity and Disaster Recovery). Company develops, maintains, and periodically tests disaster preparedness plans. These plans support continuity of operations and systems availability if a disaster or other unplanned business-impacting event occurs. The plans must be developed, reviewed, and tested according to internal policies. Treat disaster preparedness plans as Confidential Information. System administrators must perform regular data backups for the information assets they maintain. When selecting a backup strategy, balance the business criticality of the data with the resources required and any impact to users and network resources. Protect backups according to the information classification level of the data stored. Document and periodically test restoration procedures.
Managing Information Assets. Jessi Roesch and firm management manage IT operations and related activities at Company. Only Company-supplied or approved software, hardware, and information systems, whether procured or developed, may be installed in Company's IT environment or connected to Company's network. Firm management must approve and manage all changes to Company's production IT environment to avoid unexpected business impacts. Direct questions regarding IT operations to Jessi Roesch. Development environments must comply with this Policy and current Company standards to minimize information security risks.
Procurement. Only those authorized by Company management may procure information assets for use in or connection to Company's network. This Policy applies whether software or other assets are purchased, open source, or made available to Company at no cost. Seek guidance from the Information Security Coordinator early in the software development process to identify and manage information security risks before implementation. Before using cloud computing services to access, store, or manage Confidential or Highly Confidential Information, you must obtain authorization from Legal and the Information Security Coordinator (see Section 4.3(e)(iii), Cloud Computing).
Asset Management. Track and document all information assets, including hardware, software, and other equipment, using Company's asset management system(s). This inventory tracking should include operating system levels and all installed software and software versions to support vulnerability identification and mitigation (see Section 9.2, Vulnerability Management). Update the asset inventory as assets are removed from the business. Confidential or Highly Confidential Information must have an assigned data owner who is responsible for tracking its location, uses, and any disclosures. Properly dispose of all data and media to help avoid a breach of Confidential or Highly Confidential Information (see Section 5.1(e), Data and Media Disposal).
Authorized Environments and Authorities. Only authorized personnel or other project personnel approved by Company may install and connect hardware or software in Company's IT environment. Do not convert end-user computers to servers or other shared resources without assistance from IT. Limit administrative or privileged systems access to those individuals with a business need to know. IT must distribute administrative access and information regarding administrative processes to more than one individual to minimize risks. Internet connections and internet-facing environments present significant information security risks to Company. The Information Security Coordinator must approve any new or changed internet connections or internet-facing environments.
Change Management. IT maintains a change management process to minimize business impact or disruptions when changes are made in Company's production IT environment. Change requests must be accompanied by an action plan that includes assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan in case the change fails. Implement and maintain a change management process to track identified problems, fixes, and releases during software development. Design these processes to include code archiving (versioning) tools so that earlier versions can be recovered and rebuilt, if necessary.
Application and Software Development. To avoid any undue or unexpected impact to Company's production IT environment, application and other software development activities, including system testing, must take place in reasonably segmented environments. Maintain segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes; such access should be time-limited, logged, and removed when the task is complete. Software development must take place in authorized environments (see Section 5.2(c), Authorized Environments and Authorities). Use security by design principles to identify potential information security risks and resolve them early in the development process. Seek guidance from the Information Security Coordinator, critical vendors, industry experts, and best practices to identify and avoid application-level security risks. Pay particular attention to protecting Highly Confidential Information through encryption or other appropriate means. Use defensive coding techniques and regular code review and application-level scanning to identify and remediate any information security issues before releasing software.
Incident Reporting and Response. The Information Security Coordinator maintains a security incident reporting and response process that ensures management notifications are made based on the seriousness of the incident. The Information Security Coordinator investigates all reported or detected incidents and documents the outcome, including any mitigation activities or other remediation steps taken.
Incident Reporting. Immediately notify Jessi Roesch if you discover a security incident or suspect a breach in Company's information security controls. Company maintains various forms of monitoring and surveillance to detect security incidents, but you may be the first to become aware of a problem. Early detection and response can mitigate damages and minimize further risk to Company. Treat any information regarding security incidents as Highly Confidential Information and do not share it, internally or externally, without specific authorization.
Security Incident Examples. Security incidents vary widely and include physical and technical issues. Some examples of security incidents that you should report include, but are not limited to:
loss or suspected compromise of user credentials or physical access devices (including passwords, tokens, keys, badges, smart cards, or other means of identification and authentication);
suspected malware infections, including viruses, Trojans, spyware, worms, or any anomalous reports or messages from anti-virus software or personal firewalls;
loss or theft of any device that contains Company information (other than Public Information), including computers, laptops, tablet computers, smartphones, USB drives, disks, or other storage media;
suspected entry (hacking) into Company's network or systems by unauthorized persons;
any breach or suspected breach of Confidential or Highly Confidential Information;
any attempt by any person to obtain passwords or other Confidential or Highly Confidential Information in person or by phone, email, or other means (sometimes called social engineering, or in the case of email, phishing); and
any other situation that appears to violate this Policy or otherwise create undue risks to Company's information assets.
Compromised Devices. If you become aware of a compromised computer or other device:
immediately deactivate (unplug) any network connections, but do not power down the equipment because valuable information regarding the incident may be lost if the device is turned off; and
immediately notify Jessi Roesch.
Event Management. The Information Security Coordinator defines and maintains a security incident response plan to manage information security incidents. Report all suspected incidents, as described in this Policy, and then defer to the incident response process. Do not impede the incident response process or conduct your own investigation unless the Information Security Coordinator specifically requests or authorizes it.
Data Breach Notification. Applicable law may require Company to report security incidents that result in the exposure or loss of certain kinds of information, or that affect certain services or infrastructure, to various authorities or affected individuals or organizations, or both. Breaches of Highly Confidential Information (and especially personal information) are the most likely to carry these obligations (see Section 1.5, Regulatory Compliance). The Information Security Coordinator's incident response plan includes a step to review all incidents for any required notifications. Coordinate all external notifications with Legal and the Information Security Coordinator. Do not act on your own or make any external notifications without prior guidance and authorization.
Service Providers: Risks and Governance. The Information Security Coordinator maintains a service provider governance program to oversee service providers that interact with Company's systems or Confidential or Highly Confidential Information. The service provider governance program includes processes to track service providers, evaluate service provider capabilities, and periodically assess service provider risks and compliance with this Policy.
Service Provider Approval Required. Obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to Company's systems or Confidential or Highly Confidential Information.
Contract Obligations. Service providers that access Company's systems or Confidential or Highly Confidential Information must agree by contract to comply with applicable laws and this Policy or equivalent information security measures. Company may require service providers to demonstrate their compliance with applicable laws and this Policy by submitting to independent audits or other forms of review or certification based on risks.
Client Information: Managing Intake, Maintenance, and Client Requests. Company frequently creates, receives, and manages data on behalf of our clients. With guidance from the Information Security Coordinator, each business unit develops, implements, and maintains an appropriate process and procedures to manage client data intake and protection. Business unit-specific client data intake and protection processes may vary but must include, at minimum, means for (1) identifying client data and any pertinent requirements prior to data intake or creation; (2) maintaining an inventory of client data created or received; and (3) ensuring Company implements and maintains appropriate information security measures, including proper data and media disposal when Company no longer has a business need to retain the client data (or is no longer permitted to do so by client agreement).
Requirements Identification. Identify any pertinent client data requirements prior to data intake or creation according to your business unit's client data intake and protection process. Requirements may be contractual or the result of applicable law or regulations, or both (see Section 1.5, Regulatory Compliance).
Client Data Protection. Protect all client data Company creates or receives in accordance with this Policy and the data's information classification level, whether Confidential or Highly Confidential Information, in addition to any specific client-identified requirements.
Client Data and Media Disposal. Ensure that any client data or media containing client data is securely disposed of when it is no longer required for Company business purposes, or as required by client agreement. Update the applicable business unit client data inventory accordingly.
Risk and Compliance Management. Company supports an ongoing risk management action cycle to (1) enforce this Policy; (2) identify information security risks; (3) develop procedures, safeguards, and controls; and (4) verify that safeguards and controls are in place and working properly.
Risk Assessment and Analysis. Company maintains a risk assessment program to identify information security risks across its IT environment, including application software, databases, operating systems, servers, and other equipment, such as network components. The Information Security Coordinator coordinates risk assessment activities that may take several forms, including analyses, audits, reviews, scans, and penetration testing. Do not take any actions to avoid, impact, or otherwise impede risk assessments. Only the Information Security Coordinator is authorized to coordinate risk assessments. Seek approval from Legal and the Information Security Coordinator prior to engaging in any risk assessment activities or disclosing any assessment reports outside Company.
Remediation and Mitigation Plans. The Information Security Coordinator maintains and oversees remediation and mitigation plans to address risk assessment findings according to risk levels.
Vulnerability Management. Manufacturers, security researchers, and others regularly identify security vulnerabilities in hardware, software, and other equipment. In most cases, the manufacturer or developer provides a patch or other fix to remediate the vulnerability. In some situations, the vulnerability cannot be fully remediated, but configurations can be changed or other steps taken to mitigate the risk created. The Information Security Coordinator maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and advise system administrators. Schedule any necessary updates using standard change management processes and according to risk level, giving priority to internet-facing systems and to vulnerabilities known to be actively exploited. Make all Company-owned devices available to IT for timely patching and related activities.
Compliance Management. Company maintains compliance management processes to enforce this Policy. Company may automate some monitoring and enforcement processes. If compliance management processes indicate that you may have acted contrary to this Policy, you may be contacted by the Information Security Coordinator to explain. In some cases, the Information Security Coordinator may contact your supervising manager to resolve the issue.
Effective Date. This amended and restated Information Security Policy is effective as of January 22, 2022.
ADDITIONAL POLICIES, PROCESSES, PROCEDURES, AND STANDARDS
Company and its employees will follow all relevant requirements of ABA Model Rule 1.6 (Confidentiality of Information).
To the extent practicable, Company will align its practices with GDPR and CCPA requirements to better protect Confidential Information.