wealthengine.com Page 1 This document sets forth the security policies and procedures for WealthEngine, Inc. (“WealthEngine” or the “Company”).
A. Retention & Destruction
Retention & Destruction of Client Data
All data sent to WealthEngine by clients (“Client Data”) for data screening processing is destroyed 120 days after the processing has been completed unless the client has requested in writing a longer retention period. Hard copies of Client Data and other sensitive information are shredded and disposed of. A client’s data can only be returned to a client if the client makes a written request to WealthEngine within 120 days of client’s receipt of the data screening results.
Online search results performed by a client through WealthEngine’s online portal are retained within the portal for the duration of the client’s subscription. Clients can delete any search results at their discretion; therefore, the retention policy is controlled by the client based on their requirements. All online search results stored in the portal are destroyed 120 days after the expiration or termination of a the client’s subscription,.
Third Party Access
Client Data is maintained exclusively within WealthEngine’s security environment except in limited situations.
Certain limited data enhancement services are provided by third party data providers. In these cases the provider being used is enumerated in the contract with the client. Client Data is transferred to and returned by the provider via secure encrypted methods.
Third party vendors who have access to Client Data are subject to contractual agreements whereby such vendors agree to be bound by security policies and procedures no less rigorous than those of the Company.
Security Environment
Secure Areas
All hardware hosted internally in the Company’s headquarters office is protected within a locked data center to
which only technical staff has access. The building has motion detectors for the alarm system that is connected
to a third party security monitoring vendor and the Montgomery County (Maryland) Police Department. All
hardware hosted externally in a third party co-location data center is housed in a locked cage within a secured,
disaster-proof building. The exterior of the building is monitored by video cameras to detect unauthorized
activities for 24-hour surveillance. All visitors enter WealthEngine buildings through reception areas. Once they
pass these areas, employees escort visitors throughout the buildings to ensure that they do not gain access to
unauthorized areas. Any internal secure areas are locked to prevent unauthorized access.
Equipment Security and Disaster Recovery
Servers are backed up on a nightly basis and mirrored to duplicate servers to ensure recovery of all data in case of disaster.
A fire suppression system and fire extinguishers are located throughout both internal and external data centers.
Multiple pull locations exist that trigger the system to spray water throughout the building.
All power in WealthEngine buildings come from the same grid and distributed throughout the buildings from the same location. All systems in the internal data center are attached to a UPS system that runs constantly. If the power were to go out, the UPS systems would come on automatically and supply power to the data center.
The external data center location has back-up power from multiple sources to provide uninterrupted service.
WealthEngine’s internal data center has a cooling system. A separate, free-standing air conditioning unit is used to provide additional cooling to all systems in the data center. A thermometer is used and monitored
throughout the day to detect heat variances. The external data center has redundant cooling systems.
Network Management
The network usage and availability is monitored by WealthEngine personnel as well as a third party vendor.
Reports on network performance are provided real time and on demand as needed.
Intrusion detection systems identify, log and alert on attacks as they occur. Centralized logging and log filtering techniques are used in addition to network-based IDS. The IDS in use is integrated with our firewall. When a new intrusion attack is identified, the attack signature is acknowledged and recorded to prevent future attacks.
Critical systems and applications are properly segmented to provide security and traffic oversight. Required management traffic passes over well-segmented management networks, incorporating strong encryption and authentication, where possible. All operating system events are logged in the server event logs.
Capacity Planning and Performance Monitoring
All servers are continually monitored to ensure that their performance is acceptable to maintain system
capacity levels. On a quarterly basis, the IT management team reviews our capacity levels based on current and projected usage and the growth of data. The IT staff performs an analysis of single point of failure on
equipment and network prior to deployment. All web and database servers have failover and redundancy.
Protection Against Malicious Software and Loss
Only IT administrators have access to install software on equipment. All machines in the environment have anti-
virus protection to ensure that malicious software does not enter the environment. WealthEngine employs an
antivirus suite and host-based firewall on all servers and workstations. Full scans of the servers are performed
on a weekly basis and real-time scanning is employed for read/writes to the server files. IT administrators
receive CERT and other advisories to stay current on vulnerabilities.
wealthengine.com Page 3 Exchanges of Information and Software
WealthEngine uses standard, secure data transfer methods that include SSL and SSH. Files are encrypted with PGP encryption keys upon request. All desktop and laptop hard drives are encrypted as well as any servers used to store Client Data. Once the data is no longer needed for this purpose, it is securely destroyed.
Although WealthEngine’s preferred method of data transfer is SFTP, clients do submit sensitive data to us via email. WealthEngine has secure email policies in which all employees are educated on what information can and cannot be transmitted via email. Any data that is submitted via email is saved to WealthEngine’s internal servers and the email containing the data is destroyed.
Change Management for Systems and Applications
Prior to applying any change to our network, hardware, software and applications, the changes are reviewed for applicability and appropriateness. All changes are evaluated for potential risks to the availability and security of our systems. Where appropriate, WealthEngine executive management is consulted prior to proceeding. Once a change is approved, all changes are fully tested in our test environments before being rolled into production.
Changes are normally applied during regular maintenance windows. All customers are notified of changes and development projects in our monthly newsletter and via announcements on our website during the login process.
Data Changes: WealthEngine acquires data from a wide variety of sources. All primary data providers perform their own quality checks prior to sending data to WealthEngine. However, prior to loading any new data or applying data updates, WealthEngine performs a robust series of quality checks to validate the format of the data records.
Software Changes, Operating System, Database, and Application: All testing is conducted in a test environment.
Tests are then applied to a replica of our production environment and then scheduled for full release into the production environment. Client supplied data is not used for testing. The exception to this is when
WealthEngine staff is working to resolve an issue raised by a client and must use their data to recreate the issue.
Only IT team members using the test environment have access to the data. Source code for our applications is tightly controlled and managed. Source code is maintained and managed in a source code management system. Permissions to access, check out, or check in source code is maintained by senior engineering management team. Source code is backed up nightly and copies are stored in secure off-sight facilities.
Hardware Changes: All changes to hardware components or configuration settings are handled by senior staff members only. These settings are changed on an as needed basis with significant impact assessments
performed. Outages caused by inadvertent changes are highly noticeable based on high volume client usage at
any given time. WealthEngine maintains manufacturers’ warranties and service level agreements with 4 hour
replacement parts terms on all hardware equipment. Hardware is closely monitored for exceptions, errors and
outages.
Technical Architecture
All systems that are accessible from the internet are segregated from internal systems by placing them in a DMZ. The DMZ is on a different physical network and is firewalled. The firewall is configured to all only those inbound ports that are required for normal business operations. There are specific instances where a host in the DMZ must communicate with a host on the internal network, an application server querying a database, for instance. In these cases the firewall rules are configured to allow only the specific ports needed to allow that communication. The firewall configuration is periodically reviewed to ensure that it meets with industry best practices.
Business Continuity Management
The CEO is responsible for business continuity management along with the executive management team. We have undertaken steps to document and plan for the continuation of our business and the services we provide our clients in the event of local or regional disasters. No disaster recovery events have occurred to date. Clients would be notified via email, mail or telephone should any disaster recovery plans be initiated.
B. Employee Access; Confidentiality
Employee Confidentiality and Awareness
All employees are required to sign and adhere to WealthEngine’s confidentiality policy. This policy states, in part “Employee shall not at any time or in any manner, either directly or indirectly, divulge, disclose or communicate to any person, firm, corporation, or other entity in any manner whatsoever any information concerning any matters affecting or relating to the business of employer, including but not limited to any of its clients…”
All employees are given a copy of this Security Policy and are aware of the procedures used to ensure a secure environment. All employees are instructed to report security incidents and technical malfunctions to the IT team immediately. All employees are reminded via a login splash screen on their computer of our
confidentiality policy and the need to adhere to our data protection policies every time they log into any WealthEngine system.
All new employees are subject to a background check prior to joining WealthEngine.
Operational Procedures and Responsibilities
WealthEngine maintains its own IT and development staff. On an as needed basis, these employees are trained on new systems, or upgrades to existing systems. There is an average of 13 years experience by the systems and network management personnel.
Additionally, WealthEngine has a service contract with a third party vendor to perform remote round-the-clock
monitoring and management of our network. Their engineers have limited access to the WealthEngine
wealthengine.com Page 5
Each server build is configured according to our security standards and updated to provide new security patches as available. All servers are hardened during the build process and updated as needed. We follow best practice guidelines published by the SANS Institute, Center for Internet Security, and the National Institute for Standards and Technology. There is a segregation of duties to ensure that operational personnel do not have excessive network access. Only IT administrators have access to secured servers. WealthEngine has a separate Client Service team that provides support to both internal and external inquiries about access to and use of our services.
WealthEngine maintains a detailed inventory of all physical and logical assets (e.g. hardware, software, databases, and applications).
Employee Access Control
Authorization functionality enables administrators to group employees into roles, and defines specific permissions for each role based on least required privilege. User access privileges are reviewed for
appropriateness as needed. IT administrators are responsible for password management (e.g. creation, resets) on system resources.
All servers are protected from use by employees other than those on the technical development team needing access for production purposes. Servers use the enhanced password requirements that include minimum length, change intervals, history, etc. Enforced paths are used to keep users from accessing unnecessary network devices. All operating system events are logged in the server event logs. Remote employees whose job function requires access to client data gain access to WealthEngine’s internal network via VPN that uses Windows Active Directory authentication.
Application Access and Security
