Information Security Policy

PURPOSE

This policy defines common security requirements for all Practice personnel and systems that create, maintain, store, access, process or transmit information. It also applies to information resources owned by others, such as contractors of the Practice and entities in the private sector, in cases where the Practice has a legal, contractual or fiduciary duty to protect those resources while they are in Practice custody. In the event of a conflict, the more restrictive measure applies. This policy covers the Practice network system, which comprises cloud services, hardware, software, communication equipment and other devices that support the company in creating, receiving, storing, processing and transmitting information.

OVERVIEW

See purpose.

POLICY

1. SECURITY POLICY REVIEWS

Security policies are reviewed annually and updated as needed to reflect changes to business objectives or the risk environment. Significant changes to the environment or to any software also trigger a review to confirm that security and business objectives are still met.

A risk assessment enables the organization to identify threats and the associated vulnerabilities that could negatively impact the business. Resources can then be allocated effectively to implement controls that reduce the likelihood and/or the potential impact of a threat being realized.

Performing risk assessments at least annually and upon significant changes allows the organization to keep up to date with organizational changes and evolving threats, trends, and technologies.

The CTO and the security governance board will establish, document, and distribute security policies and procedures.

2. NEW TECHNOLOGY USE

Any introduction of new technology, whether in the software, cloud or hardware stack, requires approval from the CTO or the governance board. New technologies must be audited appropriately before use, including how they authenticate users (passwords, tokens, VPNs) and which network locations are acceptable. Acceptable use of each technology is at the discretion of company governance.

Without a required approval step, individual personnel may innocently implement a solution to a perceived business need and, in doing so, open a hole that exposes critical systems and data to malicious individuals.

If technology is implemented without proper authentication (user IDs and passwords, tokens, VPNs, etc.), malicious individuals may easily use this unprotected technology to access critical systems and cardholder data.

3. EMPLOYEE DEVICES & SOFTWARE DISCLOSURE

Employees must disclose any personally owned (non-company-issued) hardware used to directly interface with company software. Company-issued hardware will be labeled and coded for inventory tracking before it is distributed. Installation of software on a workstation, whether the workstation is company-issued or not, requires governance approval. Acceptable use of hardware and software is at the discretion of company governance.

Malicious individuals may breach physical security and place their own devices on the network as a "back door." Personnel may also bypass procedures and install devices themselves. An accurate inventory with proper device labeling allows non-approved installations to be identified quickly.

4. COMPANY APPROVED PRODUCTS

Employees must use company-approved devices and technology. By limiting use to approved products, the company is better able to manage and control gaps in configurations and operational controls, and to ensure that a "back door" is not opened for a malicious individual to gain access to critical systems and cardholder data. A list of company-approved products will be created and maintained.

5. AUTOMATIC DISCONNECT OF SESSIONS OF REMOTE-ACCESS TECHNOLOGIES

Applies to:

  • Internal remote-access technologies

  • Remote-access technologies used by third-party vendors and business partners

Remote-access technologies are frequent "back doors" to critical resources and cardholder data. By activating remote access only when it is needed and automatically disconnecting sessions when they are not in use (for example, sessions used to support Practice systems by the POS vendor, other vendors, or business partners), exposure of and risk to the network is minimized.

6. CARDHOLDER DATA POLICY

Personnel with access to cardholder information are prohibited from copying, moving or storing that data on local hard drives or removable electronic media. Any business need to do so requires approval from the CTO and the governance board. Handling of such data must follow the usage policies, and the data must be protected in accordance with all applicable PCI DSS requirements. See the Kredit Card Handling policies for details.

7. SERVICE PROVIDERS

Before engaging a service provider, Kredit will thoroughly vet the provider internally, including a risk analysis, prior to establishing a formal relationship. Considerations include requiring written documentation of the provider's reporting practices, breach-notification and incident response procedures, and proof of PCI DSS compliance.

Kredit must maintain a program to monitor its third-party service providers' PCI DSS compliance status at least annually.

Review each third-party service provider's PCI DSS compliance status and be aware of whether the provider complies with the same requirements Kredit is subject to. If a service provider offers a variety of services, this requirement applies to the services delivered to the client and to the services in scope for the client's PCI DSS assessment.

Where applicable, third-party service providers must acknowledge their responsibility for the security of cardholder data. By default, third-party service providers have no access to cardholder data; access is granted only for a valid business reason and is judged case by case. Refer to the Kredit Service Provider Inventory Log spreadsheet and the Service Provider Oversight Policy.

8. SECURITY MONITORING

The security governance board will actively monitor security concerns daily and raise them with the CTO and the engineering team for remediation. Security incidents deemed critical will be escalated per the security escalation guidelines.

9. ROLES AND RESPONSIBILITIES

The CTO and/or the governance board will manage and administer accounts. Responsibility for monitoring and controlling access to data will be assigned by the CTO as needed. See the System Access Policy for details.

10. PERSONNEL SECURITY AWARENESS

Kredit personnel will be educated about their security responsibilities and about the security safeguards and processes that have been implemented. Periodic training will be provided, along with tests that verify team members remain in compliance.

POLICY COMPLIANCE

COMPLIANCE MEASUREMENT

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

EXCEPTIONS

Any exception to the policy must be approved by the Infosec team in advance.

NON-COMPLIANCE

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. External service providers found to have violated this policy may be subject to financial penalties, up to and including termination of contract.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Information Security Policy

Event                          Event Date    Event By           Date Reviewed    Reviewed By           Version
Creation and Implementation    01/10/2022    Kenny Lai, CTO     01/10/2022       Dave Hanrahan, CEO    1.0
Last updated