Revised 03/2015 Page 1 of 16
Contents
Introduction ... 2
Scope – Who needs to comply? ... 2
Purpose ... 2
Responsibilities ... 3
Acceptable Use of Technology Resources Policy ... 4
Acceptable Use ... 4
Prohibited Use ... 4
Mobile Device Policy ... 5
Security Incident Report ... 7
Laptop/PC Encryption Policy ... 9
Anti-Malware Policy ... 9
How to tell if your computer is infected – Warning Signs ... 10
Computer & Communications Systems Access and Use ... 11
Security and Proprietary Information ... 11
Employee E-mail Policy... 11
Employee Password Requirements ... 12
Multifactor Authentication – (2 Step Verification) ... 13
Operating Systems Security & Configuration Standards ... 13
Patch Management Policy ... 13
Data Destruction Policy ... 13
Privacy of Client Data ... 14
Remote Access & Physical Access ... 14
Remote Access Policy ... 14
Blogging ... 14
Enforcement - Compliance ... 15
Appendix A ... 16
Introduction
ActiFi, Inc. is committed to the protection of information technology resources that support our mission. In order to provide these services, a large quantity of electronic information is sent, saved, and processed on a daily basis. These resources are subject to potential damage, and information could be compromised if the appropriate security measures and controls are not in place.
Scope – Who needs to comply?
The Information Technology Security Policy applies to:
Anyone using equipment, technology, and mobile devices owned, leased, or reimbursed by ActiFi, Inc., including but not limited to:
o ActiFi Employees
o Independent Contractors
o Interns
o Temporary Staff
o Affiliates
Internet/Intranet/Extranet-related systems are the property of ActiFi, Inc. These systems are to be used for business purposes in serving the interests of the company, and our clients and customers in the course of normal operations. These systems include, but are not limited to:
Computer equipment
Software applications
Mobile devices (smart phones & tablets)
Operating systems
Storage media (hard drives, flash drives)
Email (Google Gmail & Calendar)
Cloud based applications & services (Box, Smartsheets, Google Drive, Asana)
Purpose
General purpose of the Information Technology Security Policies:
Outline the acceptable use of technology and equipment at ActiFi.
Reduce the potential risks of unauthorized modification, destruction, disclosure or use of information, whether intentional or accidental.
Maintain confidentiality, integrity, and availability.
Effective security is a team effort. Failure to comply with this Policy could expose ActiFi and individual employees to many risks, including but not limited to:
Virus & Malware attacks
Compromise of the network systems and services
Damage to application software integrity
Loss of confidential information and client data
Legal Issues
The basic pillars of security are as follows:
Confidentiality: Information determined to be sensitive or confidential is protected and unavailable to those who do not have the necessary approval to view it. This includes data in storage, processing, or in transit.
Integrity: Information is correct and has not been altered or corrupted in some way. Programs, applications, and technical resources function as intended.
Availability: Users have timely and reliable secure access to information technology resources and data for authorized use.
Responsibilities
System (IT) Administrator (TBD)
Responsible for implementing and maintaining all information technology related policies. Periodic reviews on all employees for adherence to policies.
Review these policies annually and periodically arrange for independent security reviews including vulnerability assessments and penetration tests.
Maintain a current inventory of all ActiFi hardware, software, and other information technology assets.
Technical Support Provider (Techgen)
Responsible for applying security updates to all servers and personal computers. Notifying the IT Administrator and Management of any attempted breaches of security.
Work proactively to identify security vulnerabilities and threats, notify the IT Administrator, and take the appropriate measures to rectify those vulnerabilities.
Assistance in maintaining a current inventory of all ActiFi hardware, software, and other information assets.
ActiFi Management (Jeff Haines, Spenser Segal, Emily Cattoor)
Support IT Administrator, Technical support provider & employees
Disciplinary action for violations of policy
Everyone – End Users
Protect the confidentiality, integrity and availability of the organization's information and information assets.
Be aware and compliant with all ActiFi Security Policies & Best Practices by following the specific end user responsibilities outlined in the organization's security policy & standards.
Report all security incidents immediately.
Acceptable Use of Technology Resources Policy
The purpose of this Policy is not to impose restrictions that are contrary to ActiFi’s established culture of openness, trust, and integrity, but to outline acceptable and ethical use of information technology resources. Enforcing this Policy is an integral part of ActiFi’s commitment to protecting its clients, employees, and itself from illegal, unethical or damaging actions by individuals, either knowingly or unknowingly.
Effective security is a team effort involving the participation and support of every user and affiliate who deals with information or information systems. It is important that every computer user knows the guidelines of this Policy and conducts their work accordingly.
Acceptable Use
Prior to gaining access to the Firm’s information technology resources, all employees, contractors, temporary staff, interns, affiliates, and guests must acknowledge acceptance of the ActiFi Information Technology Security Policy and sign an acknowledgement of the receipt and understanding of the policy. See Appendix A.
While ActiFi desires to provide a reasonable level of privacy, all users should be aware that all documents, data, information and programs in electronic & paper form, created on, or generated by/from, ActiFi’s resources shall be property of ActiFi, Inc. Due to the need to protect ActiFi’s network, management cannot guarantee the confidentiality of personal information stored on any network device belonging to ActiFi, Inc. For security and maintenance purposes, as well as ensuring policy compliance, authorized individuals within ActiFi, Inc. may monitor equipment, systems and network traffic, at any time, without prior notification. Users are responsible for exercising good judgment regarding the reasonableness of personal use. ActiFi users are expected to protect all information technology resources under their control, including passwords, computers, and data. All computers, laptops, and workstations must be logged off or have a password locked screensaver when unattended or unsupervised.
Users must have the automatic lock feature set to 10 minutes or less.
*Press the Windows key and the letter “L” to lock your computer when you step away from your desk. You may also use Ctrl/Alt/Delete and select “lock computer”.
Prohibited Use
Prohibited use of ActiFi information technology resources, including hardware, software, licensed cloud storage, and network access, includes but is not limited to:
Engaging in any illegal activity under local, state, federal or international law, or in violation of ActiFi policies.
Sharing network user accounts and passwords, even on a temporary basis unless specifically instructed by your supervisor. This includes family and household members when work is being done at home.
Gaining unauthorized access or making modifications to any ActiFi network or information technology resources for any reason.
Attaching personally owned devices to ActiFi’s network – all phones & tablets should be using the AF-Guest & AF-Guest 5G wireless connections.
Violating the rights of any person or company protected content by copyright, trade secret, patent or other intellectual property.
Violations of any copyright laws including but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted material. Downloading illegal music, non-work related video files or software that is not appropriately licensed by ActiFi, Inc. or the end user.
Setting up file sharing other than the ActiFi licensed file sharing programs including Box, Smartsheet, and Asana.
Using ActiFi information technology resources for private financial gain.
Using ActiFi informational technology resources and devices to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace policies or laws.
Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
Damaging ActiFi information technology resources including, computers, computer systems, computer networks.
Introduction of malicious programs into the network or server including but not limited to, viruses, worms, Trojan horses, email bombs, etc.
Making fraudulent offers of products, warranties, items, or services originating from any ActiFi, Inc. account.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Port scanning or security scanning is expressly prohibited.
Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
Circumventing user authentication or security of any host, network or account.
Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Providing information about, or lists of, ActiFi, Inc. employees to parties outside ActiFi, Inc.
Mobile Device Policy
ActiFi Inc. grants its employees the privilege of purchasing and using smartphones and tablets of their choosing at work for their convenience. ActiFi Inc. reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below.
Acceptable Use
The company defines acceptable business use as activities that directly or indirectly support the business of ActiFi Inc.
The company defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading or game playing.
Employees are blocked from accessing certain websites during work hours/while connected to the corporate network at the discretion of the company. Such websites include, but are not limited to…
Devices’ camera and/or video capabilities are/are not disabled while on-site.
Devices may not be used at any time to:
Store or transmit illicit materials
Store or transmit proprietary information belonging to another company
Harass others
Engage in outside business activities
The following apps are not allowed: (apps not downloaded through iTunes or Google Play, etc.)
Employees may use their mobile device to access the following company-owned resources: email, calendars, contacts, documents.
ActiFi Inc. has a zero-tolerance policy for texting or emailing while driving and only hands-free talking while driving is permitted.
Devices and Support
Smartphones including iPhone, Android, Blackberry and Windows phones are allowed.
Tablets including iPad and Android are allowed.
Connectivity issues are supported by IT; employees should contact the device manufacturer or their carrier for operating system or hardware-related issues.
Security
In order to prevent unauthorized access, devices must be password protected (lock code) using the features of the device.
Lock code PIN must be enabled
The device must lock itself with a password or PIN if it’s idle for five minutes. After five failed login attempts, the device will lock.
Find My Device must be enabled
Remote Wipe must be enabled
Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network. The employee’s device should be remotely wiped if the device is lost or stolen.
Risks/Liabilities/Disclaimers
Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.
The employee is personally liable for all costs associated with his or her device.
The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable. ActiFi Inc. reserves the right to take appropriate disciplinary action up to and including termination
Security Incident Report
Responsibility: Everyone
All employees must immediately inform their direct supervisor, IT security administrator, and Techgen of a possible or confirmed security breach (incident).
This should be done verbally with a follow-up email to include additional details.
Direct Supervisor – you should have their phone number in your list of favorites
Techgen – (612-279-2400 Option 1) [email protected]
IT (Security) Administrator – John Anderson, (763-746-1263), [email protected]
What is a Security Incident?
• A security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks (including hacking and theft).
• A computer security incident may involve any or all of the following:
  • unauthorized computer access
  • loss of information confidentiality
  • loss of information availability
  • computer/device theft
  • compromise of information integrity
  • a denial of service condition against data, network or computer/device
  • misuse of service, systems or information
  • physical or logical damage to systems
Examples of security incidents (may include but are not limited to):
• lost or stolen equipment
• presence of a virus or spyware or any other malicious program
• sudden appearance of unexpected/unusual programs
• posting of confidential/restricted data to a publicly-accessible web site
• inadvertent sending of restricted data to unauthorized recipients
• establishment of an unauthorized account for a computer or application
• unusual network connections to a computer/device
• sharing/revealing passwords
• phishing emails
• hack attempts
Use the following format for reporting a security incident:
ActiFi Security Incident Report
Your Name:
Submitted to:
Department:
Office Phone:
Mobile Phone:
Email Address:
Incident Date/Time:
Priority (Informational, High, Medium):
Type of Incident (Misuse of service, system, or information; port, network scan/probe; system compromise/intrusion; denial of service attack; Virus or Malware; Other: ):
System IP or DNS Name (if applicable or known):
Location of Device (if applicable or known):
Operating System (if applicable or known):
Incident Description:
Actions Taken:
Laptop/PC Encryption Policy
Responsibility: Techgen
All ActiFi, Inc. computers are required to be monitored and encrypted using Sophos Encryption. Windows computers will use Bitlocker encryption if available. All Mac computers are required to be encrypted by Sophos and/or FileVault. All contractors are required to have their personally owned computer equipment encrypted by Bitlocker, FileVault, or Truecrypt. All computers, both ActiFi owned and contractor owned, will be audited for encryption compliance.
Encryption is mandatory and a condition of employment. If an employee refuses the Sophos encryption they will be given 2 warnings prior to termination.
All network transmissions from remote locations require SSL tunnels and other encrypted channel procedures.
No ActiFi or client data is to be stored on your hard drive.
The only exception is Box Sync, which syncs files from the computer to Box.com.
Anti-Malware Policy
Responsibility: Techgen
To protect ActiFi’s information technology resources, Techgen & the system administrator will ensure all ActiFi-owned computers connected to the network have the standard supported Sophos antivirus program installed and scheduled to run at regular intervals. The antivirus and antispyware programs cannot be disabled by end users.
Please report any access issues to the system administrator.
The first line of defense against virus infection is good internet behavior. ActiFi staff is required to use their workstation under the following guidelines:
Do NOT run any files without first scanning them, no matter what the file extension is (e.g. .exe, .bat, .com, .doc, etc.).
Do NOT download any files and/or programs from unknown sources; if in doubt, contact the system administrator as soon as possible.
Do NOT open attachments, even if they were sent by a friend or family member; first verify that he/she actually sent the file, and scan it before opening or running anything regardless.
Do NOT run any programs found on flash drives, diskettes or CDs unless completely sure that they are authorized; someone might have placed them there specifically so that the user will "find it and check it out".
If downloading is allowed, limit it to the minimum; if a user needs a specific application or something else, always contact the system administrator for further information BEFORE downloading and installing something.
If you feel your computer is infected with a virus, contact your supervisor or our technical service provider immediately.
The system administrator will usually NEVER email a user the latest updates of any software (unless this is preceded by a much publicized, well-advertised, company-wide campaign). If a user detects suspicious activity, do not delete the email received and contact the system administrator as soon as possible; if a user has any doubts regarding malicious software (viruses/trojans/worms), contact the system administrator immediately. This will prevent potentially devastating mishaps due to inappropriate and erroneous handling of dangerous and harmful incidents.
How to tell if your computer is infected – Warning Signs
These are all symptoms associated with an infected computer, though they could have other causes. If your work computer has a number of these warning signs, or has an extreme version of one of the warning signs, contact Techgen (contact information is listed under Security Incident Report).
Your browser homepage changing unexpectedly
Being redirected to unknown search sites when trying to go to Google or Yahoo
Persistent and unexpected popup windows when your browser is open
Persistent system tray popups from programs you did not install, especially ones which purport to be anti-virus or anti-spyware programs
Windows Update is unable to download or install available updates
Windows Update is turned off and cannot be turned back on
You are unable to update your anti-virus/anti-malware software
You are unable to launch your anti-virus software
You are unable to run Windows utilities such as msconfig, regedit, or Task Manager
Unexpected new icons on your desktop, quick launch, or system tray areas
New programs which you did not install in the Add/Remove Programs control panel
New favorites in your browser bookmarks not placed there by you
Odd behavior such as Windows becoming very slow and unresponsive
Applications start failing to launch properly
Frequent firewall alerts about an unknown program attempting to access the internet
Multiple and frequent bounced-back emails may indicate that your system is sending email without your knowledge
New toolbars in your browser not placed there by you
To minimize the chance of spreading an infection:
Stay calm & Stop what you are doing
Unplug your computer from the network, and turn off wireless, if you have it
Don't turn your computer off
Computer & Communications Systems Access and Use
Responsibility: Everyone
Security and Proprietary Information
Information contained on ActiFi systems and ActiFi licensed software cloud storage should be classified as either confidential or not confidential. Examples of confidential information include but are not limited to:
Company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer/client lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
Postings by employees from an ActiFi, Inc. email address to newsgroups should contain a disclaimer stating the opinions expressed are strictly their own and not necessarily those of ActiFi, Inc. unless the posting is in the course of business duties.
All computer, workstation, server and device access requires permission from the ActiFi system administrator. Ethernet port level authentication is in place to prevent rogue machines from accessing the ActiFi network.
ActiFi Staff need to be fully aware of their responsibility to keep their User ID and password as secret as possible. It is completely forbidden to share his/her ID and password with ANYONE including the system administrator, their direct report and their family members.
Staff are required not to write any accounting data or ID/password information on loose papers or sticky (Post-it) notes, or leave sensitive information on white boards (for example, after a meeting, white boards and/or flip charts should be cleared off), as this could result in a potential break-in due to the improper handling of sensitive data. Do not hide passwords under keyboards or in some "secret" place.
Software development resources at ActiFi do not store any client data on their personal laptops and keep all checked out versions of code on an encrypted partition of their laptops. All software development devices (i.e., laptops) follow ActiFi password and encryption requirements.
Employee E-mail Policy
Responsibility: Everyone
ActiFi provides email resources to support its work of serving clients and facilitating internal and external communications. Email systems are a high risk area due to their constant availability to the outside world. This is the number one entry point from which most of the malicious programs enter the company.
ActiFi enforces best practices in regards to E-mail usage to protect against security breaches. All ActiFi staff members must adhere to the following:
Do not use the company e-mail accounts for registration purposes of any kind, and do not use it while posting messages in web forums or newsgroups. Users may want to create one, special (possibly aliased) account for this purpose only;
Never forward any company data to external e-mail accounts (i.e. send a work document to a home email account, so as to work on it further from home that evening), without first checking with a manager and/or contacting the system administrator;
The proper use of the E-mail system should continuously be monitored and the users should be aware that they could be held liable for illegal activities, such as spamming, sending and receiving illegal content, etc.
Do not send unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages is prohibited.
Unauthorized use, or forging, of email header information is prohibited.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
Be aware of social engineering emails. These are emails designed to gain information from you. They may use a variation of a company email address to confuse you (i.e. [email protected] instead of the correct [email protected]).
Employee Password Requirements
Responsibility: Everyone, IT Security Administrator
All employees are required to obtain an ActiFi approved password manager. Roboform and Lastpass are recommended. The annual fee may be expensed.
Passwords must be changed every 90 days.
Passwords must not contain the word ActiFi, any of our product names, user account name or parts of the user's full name that exceed two consecutive characters. Passwords must be at least eight (8) characters in length. 12 characters are recommended.
Contain characters from three of the following four categories:
· English uppercase characters (A through Z)
· English lowercase characters (a through z)
· Base 10 digits (0 through 9)
· Non-alphabetic characters (for example, $, #, %)
Complexity requirements are enforced when passwords are changed or created. Passwords should be unique – don’t use the same password on multiple sites.
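As an added example (not part of the ActiFi policy document), the following Python checker implements the password rules above: minimum length, three of four character categories, and the blocked-word rules. It assumes that "parts of the user's full name" are the tokens separated by spaces, commas, periods, dashes, underscores and pound signs (the convention Windows uses for this check), that "non-alphabetic characters" means symbols other than letters and digits (digits already have their own category), and that PRODUCT_NAMES is a placeholder list, since the policy does not enumerate product names here.

```python
import re

# Blocked words: the company name named in the policy plus product names.
# The policy does not list product names, so PRODUCT_NAMES is a placeholder
# (assumption) to be filled in by the IT Security Administrator.
COMPANY_NAME = "ActiFi"
PRODUCT_NAMES = ["ExampleProduct"]  # placeholder, constructed for this example

MIN_LENGTH = 8           # policy minimum
RECOMMENDED_LENGTH = 12  # policy recommendation

# Delimiters that separate the "parts" of a full name (assumption: same set
# Windows uses when enforcing its full-name rule).
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def name_parts(full_name):
    """Return the parts of a full name that exceed two characters."""
    return [p for p in NAME_DELIMITERS.split(full_name) if len(p) > 2]


def category_count(password):
    """Count how many of the four policy character categories are present."""
    categories = [
        any(c.isascii() and c.isupper() for c in password),  # A-Z
        any(c.isascii() and c.islower() for c in password),  # a-z
        any(c.isdigit() for c in password),                  # 0-9
        any(not c.isalnum() for c in password),              # symbols ($, #, %)
    ]
    return sum(categories)


def check_password(password, account_name, full_name):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if category_count(password) < 3:
        problems.append("uses fewer than three of the four character categories")

    # Blocked words are matched case-insensitively anywhere in the password.
    for word in [COMPANY_NAME, *PRODUCT_NAMES]:
        if word.lower() in lower:
            problems.append(f"contains blocked word {word!r}")

    if account_name and account_name.lower() in lower:
        problems.append("contains the user account name")

    for part in name_parts(full_name):
        if part.lower() in lower:
            problems.append(f"contains part of the user's full name ({part!r})")

    return problems


def is_compliant(password, account_name, full_name):
    return not check_password(password, account_name, full_name)


def meets_recommendation(password):
    """True when the password reaches the recommended 12-character length."""
    return len(password) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    # Constructed sample inputs for a fictional user.
    samples = ["Tr0ub4dor&3", "actifi2015!", "Pass1", "password", "JaneDoe2020"]
    for candidate in samples:
        issues = check_password(candidate, "jdoe", "Jane Doe")
        verdict = "OK" if not issues else "; ".join(issues)
        print(f"{candidate!r}: {verdict}")
```

The checker reports every violated rule rather than stopping at the first, which is what an enrolment form or a password-manager policy audit needs in order to tell the user exactly what to fix.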
All passwords will be disabled upon termination of employment by either the employee or ActiFi, Inc.
Multifactor Authentication – (2 Step Verification)
Responsibility: Everyone
Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:
Knowledge factors ("things only the user knows"), such as passwords
Possession factors ("things only the user has"), such as a phone text message with a code
Inherence factors ("things only the user is"), such as biometrics
Requiring more than one independent factor increases the difficulty of providing false credentials. Everyone should enable this wherever possible. Currently the following apps support this feature:
Box
Operating Systems Security & Configuration Standards
Responsibility: Everyone
Freeware, or any other type of software, obtained or downloaded from unknown or untrustworthy sources could easily affect company security, exposing critical business data and/or corrupting sensitive data. Use extreme caution before installing any software to ensure it is from a trustworthy source.
Files downloaded from the Internet, copied from a flash drive or CD/DVD, or coming from an unknown source, and anything else that has not been reviewed by the system administrator or scanned for potential malicious code (by the Sophos security application), will be classified as untrustworthy, unknown and dangerous.
Patch Management Policy
Responsibility: Techgen
ActiFi computers and laptops are set up to automatically update patches for OS and applications. Please make sure to allow the updates when starting, re-booting, or shutting down.
Microsoft Updates, Patch My PC, Ninite Pro
Data Destruction Policy
Responsibility: IT Security Administrator
Privacy of Client Data
Responsibility: Techgen
Individual network access accounts enforce and manage user specific data, email, files and workstations. NTFS folder and file level security protect data access and provide visibility to all users of who has access to what resources.
ActiFi staff is required to follow Internet usage best practices to protect against privacy breaches.
Do not visit inappropriate web sites with objectionable content: pornography, gambling, warez (pirated software), hacker/hacking sites, as well as those generally considered as prohibited.
If the use of Instant Messaging (IM) applications is allowed in a user’s department, do not accept any attachments no matter of the file type, extension, or originator.
All internet activity should continuously be monitored and the ActiFi staff should be aware that they could be held liable for visiting prohibited web sites, downloading illegal files and content, as well as face a penalty of having their access to the Internet limited (until they can prove that they are fully aware of the risks created by their actions).
Remote Access & Physical Access
Remote Access Policy
It is the responsibility of ActiFi, Inc. employees, contractors, vendors and agents with remote access privileges to ActiFi, Inc.’s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to ActiFi, Inc.
General access to the Internet for recreational use by immediate household members through the ActiFi, Inc. computers is not permitted. The ActiFi, Inc. employee is responsible to ensure the family member does not violate any ActiFi, Inc. policies, does not perform illegal activities, and does not use the access for outside business interests. The ActiFi, Inc. employee bears responsibility for the consequences should the access be misused.
Blogging
Blogging by employees, whether using ActiFi, Inc.’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of ActiFi, Inc.’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate ActiFi, Inc.’s policy, is not detrimental to ActiFi, Inc.’s best interests, and does not interfere with an employee's regular work duties. Blogging from ActiFi, Inc.’s systems is also subject to monitoring.
ActiFi, Inc.’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any confidential or proprietary information, trade secrets or any other ActiFi sensitive material when engaged in blogging.
engaging in any conduct prohibited by ActiFi, Inc.’s Non-Discrimination and Anti-Harassment policy.
Employees may also not attribute personal statements, opinions or beliefs to ActiFi, Inc when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of ActiFi, Inc. Employees assume any and all risk associated with blogging.
Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, ActiFi, Inc.’s trademarks, logos and any other ActiFi, Inc. intellectual property may also not be used in connection with any blogging activity.
Enforcement - Compliance
Appendix A
Employee/Contractor Acknowledgement Form
I acknowledge that I have received a copy of the ActiFi Information Technology Security Policy, and I understand that it is my responsibility to read and comply with the policies contained in this document and any revisions made to it. I understand that I should consult with my manager regarding any questions or issues I might have that are not addressed in this document.
_______________________________________________ Employee Name (printed)
______________________________________________ Employee Signature
_______________________________________________ Date