Comprehensive IT Security Policy

Account Rules

• Written request with signed management approval required
• Uniquely identifiable accounts only — shared accounts prohibited
• Passwords and expiration per Password Policy
• Immediate disablement upon termination

Active Management

Least privilege principle enforced. No single user can authorize, perform, review, and audit a single transaction. Monthly review: 30 days inactive → notification; 45 days → disablement. Independent audit reviews may occur at any time.

Definitions

Requirements

• All networked devices: approved anti-virus, actively running, current definitions, automatic updates
• Anti-virus must not be disabled, bypassed, or settings altered
• File servers and email gateways use IT-approved protection
• Periodic scans; unresolved viruses = security incidents
• Infected devices may be disconnected until cleaned

User Responsibilities

Covers laptops, notebooks, tablets, smartphones, and any BrandLock-owned device on unmanaged networks.

Access Control

• All devices registered with IT; only approved devices connect
• Laptops: SSL VPN or IPSec VPN only
• Smart devices: IT-installed Mobile VPN
• IT can refuse connectivity for risky devices

Security

• Full disk encryption on laptops — no cleartext data
• Strong passwords per Password Policy
• Lost/stolen: immediate report → IT remote wipes
• No location services within workplace
• Regular patching and security audits by IT

Protocol

Audit trails track all device activity. Access monitored without notice. Enterprise-sanctioned data removal on device retirement. Unsafe mobile device use (texting while driving) prohibited. Users sign Mobile Device Agreement (Exhibit A) before access.

Prevents exposure of confidential data to unauthorized individuals. Applies to: day planners, file cabinets, briefcases, confidential reports/lists/statements, electronic devices, keys, printouts on printers/copiers/fax machines, portable media (CDs, flash drives), workstations, desks, and white boards.

Covers all electronic financial services: website, email, web account access, fund transfers, online applications, bill paying, mobile banking.

Security Layers

• Encryption: Minimum 128-bit for all transactions and vendor-hosted data
• Authentication: User IDs + password/PIN; encryption certificates validate servers/users; access levels by job function
• MFA: Multiple verification forms for online banking
• Firewalls: Protect from Internet/vendor threats; configs reviewed periodically; audit logs maintained
• Network Rules: Firewall directs outside parties to approved resources only; network-level anti-virus; email scanned pre-delivery
• Physical Security: Card access for IT; data center restricted; off-site backups and replicated SAN
• Passwords: Expire 45–90 days; sharing prohibited

Response

Suspected unauthorized access reported to regulatory and law enforcement per incident response procedures.

Security Controls

• Inbound scanning for viruses, malicious code, spam
• Anti-spoofing detection for forged headers
• Malware-associated attachment extensions stripped before delivery
• Malicious domains/IPs blocked; misbehaving accounts shut down
• All outgoing attachments auto-scanned

Prohibited

• Harassing, offensive, discriminatory, or sexually explicit emails
• Personal business, spam, unauthorized solicitations, copyright violations
• Using another person’s account, forging messages, chain letters, hoaxes
• Knowingly sending viruses or circumventing email security

Encryption

All confidential material outside BrandLock network must be encrypted. Never email SSNs, account numbers, PINs, DOBs externally without encryption. No non-BrandLock email (Hotmail, Yahoo, AOL) for business.

Retention

36-month retention. Older emails, deleted/archived items, appointments/tasks/notes beyond retention auto-purged.

Services

Access control between trusted/untrusted networks, traffic blocking per ruleset, hiding internal systems, logging, robust authentication, and VPN connectivity.

Capabilities

Packet filtering (by address/port/protocol), application proxy (every packet examined), stateful inspection (monitors active connections). Protects against IP spoofing, DoS attacks, and information disclosure.

Covers: computers, printers, handheld devices, servers, networking equipment, floppy disks, backup tapes, CDs/DVDs, hard drives, flash memory, and all portable storage.

All disposition centrally managed by IT: data backup, tag removal, approved external agents for sanitization/recycling/destruction, chain of custody documentation per legal and environmental regulations. Where assets haven’t reached end of life, residual value pursued through reselling, auctioning, or donating.

Seven Stages of Response

1. Preparation — Plans, roles, communication strategies
2. Detection — Monitoring for indicators of compromise
3. Analysis — Assess magnitude, scope, impact
4. Containment — Prevent spread
5. Eradication — Remove threat (malware removal, quarantine, drive wiping)
6. Recovery — Restore operations
7. Post-Incident — Lessons learned, plan updates

Testing

Annual simulated incidents test response. Results documented and shared. Plans updated for lessons learned and industry developments. Team members trained annually.

All purchases with BrandLock funds are company property. All requests submitted to IT via Service Desk.

Categories

• Standard Items: Pre-approved vendors, Service Desk request only
• Non-Standard: Formal vendor sourcing, IT review for compatibility, support plan required
• Capital Expenses (>$2,500): CFO and CEO approval, department managers only

Asset Management

Equipment >$300 with semi-permanent assignment tracked via Asset Management Program (identification, assignment, tracking, lifecycle, reporting, disposition). Annual hardware replenishment review.

Access

• Provided for job performance; revocable at any time
• Standard suite or IT-approved software with security patches only
• Must go through approved firewall — bypassing prohibited
• Filters block high-risk content and malware

Prohibited

Unauthorized remote access, software piracy, illegal activities, transmitting threatening/obscene materials. No downloading/installing software without IT authorization. No deliberate malware propagation.

Content & Usage

Sexually explicit/inappropriate sites blocked; display/storage prohibited. Excessive Internet use, games, streaming restricted. Personal use limited to break room PCs. All sensitive transmissions must be encrypted.

Critical for forensics analysis and detecting compromise indicators. Periodic risk assessments determine capture scope.

Log Types

• Application: Transactions, timing, user, resources
• System: OS/service activity, change management, workstation logs
• Network: Firewall, IDS/IPS, router, switch, DHCP/DNS

Synchronization

All components use NTP for time synchronization enabling cross-source correlation.

Baseline & Retention

Baseline behavior tracked over time to detect anomalies. Retention balances privacy, investigation needs, and cost. Thresholds define response levels. Centralized log management infrastructure provides common record management.

Ensures NCUA Part 748 compliance. Protects confidentiality, security, and integrity of member non-public personal information.

Core Commitments

• Only collect information necessary for products/services/business
• Never sell or provide member info to third parties
• Information Security Officer reviews annually; Board approves policy
• Board receives annual status reports and breach notifications

Ten Security Control Categories

1. Vendor Management (due diligence, SSAE 16, confidentiality agreements)
2. Software Inventory
3. Hardware Inventory
4. Critical Systems List
5. Records Management
6. Clean Desk (Policy 5)
7. Hardware Disposal (Policy 9)
8. IT Acquisition (Policy 11)
9. Incident Response (Policy 10)
10. Information Sharing (threat intelligence, peer forums)

Training & Testing

Regular security training via meetings and tutorials. Employees trained to recognize/report unauthorized access attempts. New employees receive security orientation. Annual audit by Information Security Officer.

Network Security

• Only BrandLock-assigned network addresses
• All remote access via secure VPN on BrandLock devices with current anti-virus
• No simultaneous internal + external connections (no split-tunneling/dual homing)
• No installing routers, switches, hubs, or WAPs without IT approval
• No running password crackers, sniffers, scanners, or mapping tools

Remote Access

• MFA required for all secure remote access
• Never share credentials with anyone including family
• No non-BrandLock email for business
• Dial-in modem not supported

VPN

• Multi-factor authentication; all traffic forced through tunnel
• 30 min inactivity → auto-disconnect; 24 hr max connection
• IT-approved clients only; VPN gateways managed by IT
• Wireless: 128-bit minimum encryption, MAC tracking, strong auth (TACACS+/RADIUS)

Wireless

Only IT-waivered systems access BrandLock networks. All APs/base stations registered. SSID must not contain identifying info.

Exhibit A: VPN Agreement — signed by each user before access.

Governs personally-owned laptops, tablets, smartphones for corporate data access. Access is a privilege, not a right.

Eligibility

• Management’s written permission certifying need
• Device on IT’s approved list
• Signed BYOD Agreement; adherence to all policies
• Data sensitivity and legislative compliance reviewed

IT Responsibilities

Centrally manage BYOD program: onboarding, monitoring, terminating on separation. IT can install anti-virus, restrict apps, limit network resources, wipe data on loss/termination, and inspect all devices on unmanaged networks.

User Responsibilities

• Register devices with IT before use
• Approved encryption for data transmission; device lock with fingerprint/strong password
• Keep firmware/OS current; maintain anti-virus on sync computers
• Never disclose passwords to anyone
• Report lost/stolen immediately; contact IT before upgrading
• No location services within workplace
• Accept monitoring without notice

Third-Party Vendors

Must maintain current anti-virus/anti-malware. Signed Third Party Agreement required (VP approval). IT can provide cellular hot spot if needed.

Reimbursement

Fixed monthly reimbursement may be offered per Mobile Device Procedure. Users personally liable for device and carrier costs beyond reimbursement.

Exhibit A: BYOD Agreement — signed before enrollment.

Passwords are the front line of protection. A poorly chosen password may compromise BrandLock’s entire corporate network.

User Network Passwords

• Changed every 90 days
• Minimum 10 characters
• Must contain alpha, numeric, and special characters
• Must not be tied to account owner (name, SSN, birthday, dictionary words, acronyms)
• Cannot be reused for 1 year

System-Level Passwords

• Changed at least every 6 months
• All admin accounts: 12 characters minimum with 3 of 4 types (upper, lower, numeric, special)
• Non-expiring passwords must be documented; same standards as admin accounts

Password Protection

• Same password must not be used for multiple accounts
• Never shared with anyone — treated as confidential BrandLock information
• Stored passwords must be encrypted
• Never sent via email, revealed by phone, or written on questionnaires
• Never written down or stored unencrypted on any device
• No auto-logon, application remembering, embedded scripts, or hard-coded passwords without IT approval
• Security tokens must be returned upon demand or termination

Required to mitigate risk to confidential data and system integrity. Applies to all equipment owned or leased by BrandLock — servers, desktops, routers, switches, and all electronic devices.

Policy Detail

• Security-related or critical patches installed as soon as possible
• If central deployment impossible, install using best resources available in a timely manner
• Failure to properly configure workstations or disabling/circumventing patch management is a policy violation

Responsibilities

• VP of IT responsible for secure network environment
• IT monitors CERT notifications, vendor websites, and security mailing lists
• Scheduled third-party network scanning to identify vulnerabilities
• IT Administrators download, review, and categorize patches by criticality
• Patching procedures documented (what, where, when, how) for auditing

Covers all BrandLock facilities housing information systems: data centers, data rooms, switch/wiring closets.

Controls

• Access limited to authorized personnel only, demonstrated via badges/identity cards
• Controlled at defined access points with card readers and locked doors
• Authentication required before physical access granted
• Equipment delivery and removal controlled and logged at access points
• Authorized personnel list maintained and reviewed at least annually

Visitors

• Must have prior authorization, be positively identified, and authorization verified
• Must be escorted at all times and activities monitored

Ensures BrandLock makes appropriate cloud adoption decisions. Covers public cloud, private cloud, and hybrid models.

Protected Data Categories

• Financial information (BrandLock, employees, members, third parties)
• Intellectual property owned by BrandLock or provided by third parties
• Personally Identifiable Information (PII) of members, employees, or third parties
• Other non-public and public data/information deemed BrandLock property

Requirements

• All cloud use cases approved on a case-by-case basis by IT
• Vendor due diligence including data residency, encryption, access controls, and compliance certifications
• No unauthorized cloud storage of member information or PII
• Cloud service contracts must address data ownership, portability, breach notification, and termination rights

Establishes standards for base configuration of internal server equipment owned and/or operated by BrandLock.

Requirements

• Servers registered in IT’s asset management system with designated owner
• Servers located in access-controlled environments (data center or secured room)
• Operating systems configured per approved IT security guidelines
• Unnecessary services and applications disabled
• All security patches applied per Patch Management Policy (Policy 18)
• Access to server administration restricted to authorized IT staff only
• Server logs maintained and reviewed for anomalous activity
• Regular backups per IT backup and recovery procedures

Establishes guidelines for safe social media usage, protecting BrandLock information while leveraging social media for business.

Official Use

• All requests for official social media use submitted to Senior Management
• Only pre-approved social media sites via BrandLock security protocols
• Personal social media accounts/IDs prohibited for BrandLock use (and vice versa)
• BrandLock email addresses must not register on personal social networks
• Designated team manages/responds to social media issues
• All content must comply with applicable laws and regulations
• BrandLock owns all authorized social media content

Personal Blogs & Posts

• Employees identifying as BrandLock officials must ensure profiles are professional
• Must not reveal proprietary info, post exaggerations/obscenities inviting litigation
• Must include disclaimer: “views are my own and not those of BrandLock”
• Must not disclose confidential member, vendor, or employee information
• Must not harass, threaten, discriminate, or defame

Rules of Engagement

• Protecting member information is #1 responsibility — never post identifying info
• Brand, trademark, copyright, fair use, and privacy laws must be respected
• Financial disclosure laws apply to mentions of financial products
• Retaliation against reporters of policy deviations is prohibited

Determines when security failures or breaches have occurred. Monitoring detects in real-time; auditing detects after the fact.

Policy Detail

• All systems configured to record login/logout and all administrator activities
• Automatic notification of inappropriate, unusual, or suspicious activity
• Primary storage: 30 days online log data; secondary: 1 year offline
• Oldest logs overwritten if capacity exceeded; admin notified on logging failures
• System logs manually reviewed weekly
• All findings reported to VP of IT or COO
• System logs treated as confidential — access requires prior authorization and strict authentication
• All access to logs is itself captured in logs

Establishes standards for periodic vulnerability assessments across all computer and communication devices on BrandLock premises. Denial of Service testing is not performed.

Policy Detail

• Regular vulnerability assessments of all operating systems and environments
• Vulnerabilities identified and corrected to minimize associated risks
• Audits verify compliance with security policies and identify exploitable conditions
• All employees expected to cooperate fully with risk assessments
• IT empowered to initiate appropriate remediation

Governs the development, maintenance, and security of BrandLock’s public-facing web properties.

Requirements

• All websites hosted or managed by BrandLock must comply with Acceptable Use and Privacy Policies
• No internal data made available to hosted internet websites without IT approval
• No personal or non-BrandLock commercial advertising via hosted sites
• All web application code reviewed for security vulnerabilities before deployment
• Departments may not host websites or contract hosting without IT permission
• SSL/TLS encryption required for all pages handling member data

Ensures all workstations are provisioned and operated per company-defined security standards. VP of IT has overall responsibility for confidentiality, integrity, and availability of BrandLock data.

Standards

• OS configured per approved IT procedures; unused services/applications disabled
• All patch management monitored through reporting with remediation procedures
• Workstations joined to BrandLock domain automatically receive policy updates
• Anti-virus, malware, and data leakage protection required on all systems
• All systems managed through central tools — no manual management
• Third-party applications updated quarterly; browsers kept up to date
• Critical security updates reviewed and applied per patch management program
• Local security settings applied through domain policies

Establishes server virtualization requirements for acquisition, use, and management. Encompasses all new and existing workloads.

Requirements

• All new and existing workloads migrated from physical servers to virtual machines
• Hardware retired per IT management plan or OS/software incompatibility
• Support industry-wide open standards and standard x86 hardware/storage
• Embedded security technology (e.g., TPM)
• Single centralized management console with role-based access
• LDAP authentication/authorization for admin console
• All intra-host and admin console traffic encrypted
• Support unmodified guest operating systems
• Live migration of running guests without interruption
• Automatic hardware failure detection with guest restart on another physical server
• Integrated CPU, memory, disk, and network performance monitoring and alerting

Secures and protects BrandLock information assets when connecting to Wi-Fi networks — both corporate and public.

BrandLock Wi-Fi Network

• Secured with passphrase and encryption per current industry practice
• Physically or logically separate from production wired LAN
• Production LAN access only via approved VPN connection for business use
• Service may be changed or removed without notice for security/sustainability

Public Wi-Fi Usage

• Defend devices with latest antivirus, firewall enabled, strong passwords
• Position device screen away from onlookers
• Choose connections carefully — assume all links are suspicious
• Avoid free Wi-Fi without encryption; seek connections using current encryption standards
• Never perform high-risk transactions without VPN connection
• Consider cellular data plan or personal hotspot for sensitive activities
• Ensure HTTPS with lock icon visible for any sensitive entry
• Must use BrandLock VPN at all times when connecting to corporate network remotely

Covers employees who regularly perform work from a remote office. Arrangements are case-by-case, focusing on business needs.

Equipment & Support

• BrandLock may provide hardware, software, mobile phone, email, voicemail, connectivity
• IT notified in advance of telecommuting start date for provisioning
• Equipment limited to authorized persons for BrandLock business only
• BrandLock covers repairs/replacement; damage outside employee’s control covered by insurance
• IT responsible for installation, maintenance, security access, support, and training
• All qualified equipment tracked in IT asset program

Employee Responsibilities

• Designate safe, hazard-free workspace at remote location
• Keep BrandLock materials in designated work area, not accessible to others
• Comply with all applicable use, security, and information protection policies
• Personally owned equipment may not be connected to BrandLock equipment
• Return all BrandLock equipment within 5 business days upon cessation or termination

Exhibits A & B: Telecommuting Equipment Agreement and Telecommuting Equipment Inventory — signed before start.

Establishes a defined IoT structure to ensure data and operations are properly secured. IoT devices include appliances, thermostats, monitors, sensors, and portable items that measure, store, and transmit information.

Procurement

• Company IoT devices purchased and installed by IT personnel
• Employee-owned IoT devices used per BYOD Policy (Policy 16)
• All IoT devices require IoT Device Usage Request Form (Addendum A) submitted to IT
• Only manager-level and above may request IoT device usage/procurement
• IT responsible for identifying compatible platforms, purchasing, and supporting

Cybersecurity & Privacy Risks

• IoT devices affect cybersecurity and privacy risks differently than conventional IT devices
• Risk management considers differences between IoT and conventional devices
• Controls adapted for IoT acquisition requirements
• IoT Risk Management Guide maintained in IT document storage area

Addendum A: IoT Device Usage Request Form — submitted to IT before device deployment.