Information Security Program
Cybersoft, Inc. (“Cybersoft”) has developed, and implements and maintains reasonable administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of Customer Information comprised of Nonpublic Personal Information as defined in 16 CFR 313(n) whether in paper, electronic or other form that is received and processed through SafeboxIQ or otherwise permitted access to through its provision of services directly to a Client-Originating Financial Institution; to protect against any anticipated threats or hazards to the security or integrity of such information; and, to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any Customer-Borrower.

Program Coordinator
Cybersoft has designated an employee to coordinate its Information Security Program.

Designation of Program Coordinator
Cybersoft designates Dave Bernard Valdez as the Program Coordinator of the Information Security Program. The Program Coordinator will report directly to Andrew Angelo Ang, the Chief Technology Officer of Cybersoft.
In the event the Program Coordinator ceases to be employed by Cybersoft or is unable to perform his/her responsibilities, Margarita Paz shall take over the responsibilities of the Program Coordinator until a new permanent Program Coordinator is appointed.

Duties and Responsibilities of Program Coordinator
It is the Program Coordinator’s responsibility to develop, implement and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Customer Information.

Specific duties and responsibilities that have been assigned to the Program Coordinator include:

- Devise a reasonably comprehensive Information Security Program setting forth in writing the administrative, technical, and physical safeguards that are appropriate to Cybersoft’s size and complexity, the nature and scope of SafeboxIQ, and the sensitivity of any Customer Information at issue.
- Train and manage employees who have access to and handle Customer Information so that they abide by Cybersoft’s Information Security Program in the performance of their work assignments.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Customer Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
- Assist in the selection of appropriate service providers that demonstrate the capability of maintaining the safeguards for Customer Information set forth in Cybersoft’s Information Security Program, and require that each service provider contract impose the obligation to implement and maintain such safeguards.
- Monitor and assess on a continuing basis the efficiency and sufficiency of the key controls, systems and procedures that safeguard Customer Information against identified and foreseeable risks, and make appropriate adjustments when enhancements to SafeboxIQ, changes to Cybersoft’s operations or business relationships, or technological advancements may have a material impact on Cybersoft’s Information Security Program.

Risk Assessment
In each relevant area of its operations, Cybersoft shall identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Customer Information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

Employee Training and Management
Cybersoft has determined that an Information Security Program is only as strong as the employees who implement it. A well-trained, carefully selected workforce is the best defense against identity theft and data breaches.

To achieve this, Cybersoft undertakes the following:

- Check references and do updated background checks and, where appropriate, consumer/criminal report investigations of current employees and new hires who have or will have access to Customer Information.
- Ask every employee who will have access to Customer Information to sign an agreement to follow Cybersoft’s confidentiality and security standards for handling Customer Information. Make sure each such employee understands and is regularly reminded that abiding by Cybersoft’s Information Security Standards is an essential part of his/her duties and a condition of continued employment.
- Know which employees have access to Customer Information, and limit access to what an employee’s work assignment requires on a “need to know” basis. Employees will have access only to the Customer Information necessary to complete their designated responsibilities. Employees shall not give any unauthorized person access to Customer Information obtained during the course of employment. Requests for Customer Information that are outside the field of Cybersoft’s ordinary business or beyond the scope of an employee’s authority must be directed to the Program Coordinator.
- Prohibit employees from posting passwords near their computers or sharing passwords with any other person.
- Create a “culture of security” by implementing a regular schedule of employee training. Any employee who unjustifiably fails to attend is blocked from access to the network.
- Train employees to recognize security threats and vulnerabilities that could affect Customer Information and Cybersoft as a whole, along with practical guidance on how to reduce data security risks. Promptly update employees about new risks and vulnerabilities. Instruct them how to report suspicious activity, and publicly reward employees who alert Cybersoft to vulnerabilities.
- Post reminders of Cybersoft’s Information Security Standards in areas where Customer Information is processed, as well as where employees congregate, including reminders to employees who telecommute or access Customer Information from home or an offsite location.
- Instruct employees to log off of all Internet, e-mail and other accounts when they are not being used. Employees will not be permitted to download any software or applications to Cybersoft’s computers or to open e-mail attachments from unknown sources. Electronic records may not be downloaded to a disk or individual computer without explicit authorization from the Program Coordinator.
- Educate employees about the dangers of spear phishing—emails containing information that makes them look legitimate. These emails may appear to come from someone within Cybersoft, generally someone in a position of authority. Employees are instructed to verify with the Program Coordinator any email requesting Customer Information and, while verifying, not to reply to the email or use links, phone numbers, or websites contained in it.
- Warn employees about phone phishing. Instruct them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for customer or employee contact information. Refer telephone calls or other requests for Customer Information to the Program Coordinator when such requests are not received within the ordinary course of Cybersoft’s business or are for information that the employee is not authorized to provide.
- Require employees to notify the Program Coordinator of any attempt by unauthorized persons to obtain access to Customer Information and/or if any password or Customer Information is subject to unauthorized access.
- Require employees to notify the Program Coordinator immediately if there is a potential security breach, such as a lost or stolen laptop.
- Disclose Customer Information only when necessary to complete a transaction initiated by the Client and/or as permitted by law. If an employee is unsure whether a specific disclosure is permitted, he or she must check with the Program Coordinator to verify that it is acceptable to release the information before doing so.
- Follow the procedure in place for workers who transfer to another unit of Cybersoft where they will no longer have access to Customer Information. Terminate such employees’ passwords, and collect keys and identification cards as part of the check-out routine.
- When an employee ceases to be employed by Cybersoft, he/she will be required to turn in any keys in his/her possession that provide access to Cybersoft and to file cabinets, desks, and offices in Cybersoft; passwords and security codes, if applicable, will be deleted; and the departing employee will not be permitted access that would result in taking any Customer Information from Cybersoft.
- Neither current nor former employees will be permitted to remove any Customer Information from Cybersoft, whether contained in paper records or electronic records, or to disclose Cybersoft’s information security standards to any person without authorization from the Program Coordinator.
- Any employee who fails to abide by Cybersoft’s Information Security Standards, whether such failure is intentional or unintentional, will be subject to appropriate disciplinary action, which may include termination of employment.

Information Systems
Cybersoft conducts risk assessments of its information systems, including the network and software design of SafeboxIQ, as well as the information processing, storage, transmission and disposal areas of its operation.

- Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to ascertain where Cybersoft stores Customer Information. Also, inventory any other information that Cybersoft possesses along with Customer Information, by type and location.
- Know how Cybersoft handles Customer Information using SafeboxIQ, observe for possible security issues in each phase of service, and fix any vulnerability found:
  - Who sends Customer Information to Cybersoft and how? Client-Originating Financial Institution? Customer? Third party authorized by Client? By upload by the Client-Originating Financial Institution to a cloud computing storage service? By email attachment? By fax?
  - Who receives Customer Information for Cybersoft and how? By download from a cloud computing storage service owned and maintained by the Client-Originating Financial Institution? By email attachment? By fax?
  - How does Customer Information move through and out of Cybersoft using SafeboxIQ?
  - Where and how does Cybersoft store the Customer Information collected at each entry point? On a cloud computing service? In a central computer database? On individual laptops? On disks or tapes? In branch offices? In file cabinets? With employees at home?
- Impose proper information systems and equipment disposal practices:
  - All data will be erased from computers, disks, hard drives or any other electronic media that contain Customer Information before disposing of them and, where appropriate, hard drives will be removed and destroyed. Any paper records will be shredded and stored in a secure area until an authorized disposal/recycling service picks them up.
  - When disposing of old computers and portable storage devices, use software for securely erasing data, usually called wipe utility programs. They’re inexpensive and provide better results by overwriting the entire hard drive so that the files are no longer recoverable. Deleting files using keyboard or mouse commands usually isn’t sufficient because the files may continue to exist on the computer’s hard drive and could be retrieved easily.
  - Make sure employees who work from home follow the same procedures for disposing of records of Customer Information and old computers and portable storage devices.

Prevention, Detection and Response to Attacks, Intrusions, or Other Systems Failures

Physical Security
Many data compromises happen the old-fashioned way—through lost or stolen paper documents.
- Store paper documents or files, as well as thumb drives and backups containing Customer Information, in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.

General Network Security
- Identify the computers or servers where Customer Information is stored.
- Identify all connections to the computers where Customer Information is stored. These may include cloud storage services, the internet, computers at branch offices, computers used by service providers to support the network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners.

Detecting Data Breaches
- To detect network breaches when they occur, use an intrusion detection system. Update it frequently to address new types of hacking.
- Maintain central log files of security-related information to monitor activity on Cybersoft’s network and to spot and respond to attacks. If there is an attack on the network, the logs will provide information that can identify the computers that have been compromised.
- Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.
- Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from Cybersoft’s system to an unknown user. If large amounts of information are being transmitted from Cybersoft’s network, investigate to make sure the transmission is authorized.
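As an added illustration of the monitoring the bullets above call for (example code written for this page, not part of Cybersoft’s program or SafeboxIQ), the following Python script runs simple detection rules over constructed log lines. The log format, the KNOWN_USERS roster, the 10.0. internal address prefix and the thresholds are all assumptions.

```python
"""Detection rules for the monitoring bullets above, run over constructed
sample log lines. The log format, user roster, network prefixes and
thresholds are assumptions for this example, not SafeboxIQ's real logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one event per line.
# <timestamp> <event> user=<name> src|dst=<host> bytes=<count>
SAMPLE_LOG = """\
2024-03-04 09:02:11 LOGIN_FAIL user=jsmith src=10.0.1.15 bytes=0
2024-03-04 09:02:19 LOGIN_FAIL user=jsmith src=10.0.1.15 bytes=0
2024-03-04 09:02:31 LOGIN_OK user=jsmith src=10.0.1.15 bytes=0
2024-03-04 09:10:02 LOGIN_FAIL user=admin src=203.0.113.7 bytes=0
2024-03-04 09:10:04 LOGIN_FAIL user=root src=203.0.113.7 bytes=0
2024-03-04 09:10:06 LOGIN_FAIL user=test src=203.0.113.7 bytes=0
2024-03-04 09:10:08 LOGIN_FAIL user=guest src=203.0.113.7 bytes=0
2024-03-04 09:10:10 LOGIN_FAIL user=jsmith src=203.0.113.7 bytes=0
2024-03-04 10:15:00 OUTBOUND user=mpaz dst=10.0.2.5 bytes=52428800
2024-03-04 14:30:00 LOGIN_OK user=newtemp src=10.0.1.40 bytes=0
2024-03-04 02:41:07 OUTBOUND user=jsmith dst=198.51.100.9 bytes=734003200
"""

# Assumed roster of authorized users; anyone else logging in is "new".
KNOWN_USERS = {"jsmith", "mpaz"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"user=(?P<user>\S+) (?:src|dst)=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(host, trusted_prefixes):
    """True when the host falls in one of the assumed internal address ranges."""
    return any(host.startswith(p) for p in trusted_prefixes)


def detect(lines, known_users, trusted_prefixes=("10.0.",),
           fail_threshold=3, outbound_threshold=100 * 1024 * 1024,
           business_hours=(8, 18)):
    """Return (rule, detail) alerts for the conditions the program lists:
    repeated failed log-ins from unknown computers, log-ins by new users,
    large outbound transfers to unknown hosts, and outbound traffic at
    unusual hours. Malformed lines are skipped so one bad line cannot
    stop the monitor."""
    alerts = []
    fails_by_src = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        external = not is_internal(host, trusted_prefixes)
        if rec["event"] == "LOGIN_FAIL" and external:
            fails_by_src[host] += 1
            # Alert once, when the threshold is first reached.
            if fails_by_src[host] == fail_threshold:
                alerts.append(("repeated_failed_logins", host))
        elif rec["event"] == "LOGIN_OK" and rec["user"] not in known_users:
            alerts.append(("unknown_user_login", rec["user"]))
        elif rec["event"] == "OUTBOUND" and external:
            if rec["bytes"] >= outbound_threshold:
                alerts.append(("large_outbound_transfer", host))
            start, end = business_hours
            if not start <= rec["ts"].hour < end:
                alerts.append(("off_hours_outbound", host))
    return alerts


def run_sample():
    """Apply the rules to the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines(), KNOWN_USERS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"ALERT {rule}: {detail}")
```

Each alert names the rule and the host or user involved so the responder can go back to the central log and find the lines behind it.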

Data Breach Response Plan
In the event of unauthorized disclosure, misuse, alteration, destruction or other compromise of Customer Information, take the following steps:
- The Program Coordinator must immediately inform Andrew Angelo Ang, the Chief Technology Officer of Cybersoft.
- Assemble a team of experts to conduct a comprehensive breach response.
- Contact the local police department immediately. If it is unfamiliar with investigating information compromises, contact the local FBI or U.S. Secret Service office.
- Take steps to close off existing vulnerabilities or threats to Customer Information. Secure physical areas related to the breach; lock them and change access codes. Move quickly to secure all systems and fix vulnerabilities that may have caused the breach.
- Mobilize Cybersoft’s breach response team right away to prevent additional data loss. Take all affected equipment offline immediately – but do not turn any machine off until forensic experts arrive. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users.
- Investigate data breaches and security incidents immediately. Lead and alternate investigating personnel will mobilize at once. Interview the people who discovered the breach or anyone who may know about it. Document the investigation. Do not destroy evidence. Analyze backup or preserved data. Review logs to determine who had access to the data at the time of the breach.
- Hire independent forensic investigators to determine the source and scope of the breach.
- Remove improperly posted information from the Web, and contact the search engines to ensure they do not archive Customer Information posted in error.
- Have a communications plan. Designate a point person within Cybersoft for releasing information. Reach all affected audiences – employees, customers, clients, investors, business partners, other stakeholders. Do not make misleading statements. Do not withhold key details that might help customers protect themselves. Do not publicly share information that might put customers at further risk.
- Write each customer whose Customer Information has been stolen a letter notifying them of the occurrence and advising them to place a free fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with the stolen information because it sends a signal to creditors to contact the customer before opening new accounts or changing existing accounts. Also, advise customers to consider placing a credit freeze on their file. The cost to place and lift a freeze depends on state law. A Model Letter is attached to this Information Security Program as Exhibit “A” hereof.
- Consult with legal counsel and comply with state and federal laws.

Customer Information Safeguards
Cybersoft has designed Customer Information safeguards that it implements to control the risks identified through its risk assessment procedure, and it regularly tests and monitors the efficiency and effectiveness of those safeguards’ key controls, systems, and procedures.

Physical Safeguards
- Cybersoft’s physical plants are situated in commercial buildings within the metropolitan city, with security guards posted at the buildings’ main entrances and floor lobbies, which are monitored by CCTV cameras along with the rest of Cybersoft’s premises. Employees as well as visitors are screened, made to sign in and given ID badges for access to unrestricted areas. Equipment and objects requiring heightened security treatment are located in restricted areas.
- All paper and electronic records will be stored in secure locations to which only authorized employees will have access. Any paper records containing Customer Information must be stored in a deal jacket or folder. Paper records must be stored in an office, desk, or file cabinet that is locked when unattended.
- Require that files containing Customer Information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
- Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
- Implement appropriate access controls for Cybersoft’s physical plant. Instruct employees what to do and whom to call if they see an unfamiliar person on the premises.
- When maintaining offsite storage facilities, limit employee access to those with a legitimate business need. Know if and when someone accesses the storage site.

Electronic and System Safeguards
- Access to electronic Customer Information will be password controlled. Every employee with access to Cybersoft’s computer system and electronic records will have a unique password consisting of at least 10 characters, including numbers and letters. Only employees that need to access electronic records will be provided with passwords.
- Electronic records will be stored on a secure server that is located in a locked room and is accessible only with a password. Where appropriate, records will be maintained in a fireproof file cabinet and/or at an offsite location. Customers, vendors and service providers shall not be left in an area with unsecured Customer Information records.
- Don’t store Customer Information on any computer with an Internet connection unless it is essential to performing the service.
- Encrypt Customer Information when sending it to third parties over public networks (like the internet), and encrypt Customer Information that is stored on Cybersoft’s computer network, laptops, or portable storage devices used by employees. Encrypt email transmissions within Cybersoft.
- Regularly run up-to-date anti-malware programs on individual computers and on servers on Cybersoft’s network.
- Virus protection software has been installed on the computers, and new virus updates will be checked for at regular intervals. All computer files will be scanned at least once each month, or at more frequent intervals as deemed necessary.
- Check expert websites (such as www.us-cert.gov) and software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems.
- Restrict employees’ ability to download unauthorized software. Software downloaded to devices that connect to Cybersoft’s network (computers, smartphones, and tablets) could be used to distribute malware.
- Scan computers on Cybersoft’s network to identify and profile the operating system and open network services. If there are services that are not needed, disable them to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
- Pay particular attention to the security of Web applications—the software used to give information to visitors to Cybersoft’s Website and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks. In one variation called an “injection attack,” a hacker inserts malicious commands into what looks like a legitimate request for information. Once in the system, hackers may be able to transfer sensitive information from Cybersoft’s network to their computers. Relatively simple defenses against these attacks are available from a variety of sources.
- When shipping Customer Information using outside couriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow Cybersoft to track the delivery of Cybersoft’s information.
- When using devices that collect Customer Information, like PIN pads, secure them so that identity thieves can’t tamper with them. Also, inventory those items to ensure that they have not been switched.
- Backups of the computers and/or server will be made at least once each day, or at more frequent intervals as deemed necessary. At least once each month the backup information will be verified. Backup disks will be stored in a locked file cabinet.
- Control access to Customer Information by requiring that employees use “strong” passwords. Tech security experts say the longer the password, the better. Because simple passwords—like common dictionary words—can be guessed easily, insist that employees choose passwords with a mix of letters, numbers, and other characters. Require an employee’s user name and password to be different. Require password changes when appropriate, for example following a breach.

Authentication
- Warn employees about possible calls from identity thieves attempting to deceive them into giving out their passwords by impersonating members of the IT staff. Let employees know that calls like this are always fraudulent, and that no one should be asking them to reveal their passwords.
- When installing new software, immediately change vendor-supplied default passwords to a more secure, strong password.

Firewalls
- Firewall updates and security patches from software vendors will be downloaded on a regular basis.
- Use firewalls to protect computers from hacker attacks while they are connected to a network, especially the Internet. A firewall is software or hardware designed to block hackers from accessing a computer. A properly configured firewall makes it tougher for hackers to locate a computer and get into Cybersoft’s programs and files.
- Install a “border” firewall where Cybersoft’s network connects to the Internet. A border firewall separates the network from the Internet and may prevent an attacker from gaining access to a computer on the network where Customer Information is stored. Set “access controls”—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, review them periodically.

Wireless and Remote Access Safeguards
- Determine whether wireless devices like smartphones, tablets, inventory scanners or cell phones are or will be used to connect to Cybersoft’s computer network or to transmit Customer Information. If so, consider limiting who can use a wireless connection to access the computer network. It is harder for an intruder to access the network when the wireless devices that can connect to it are limited.
- If Customer Information is transmitted electronically over external networks, employees will be instructed to encrypt the information at the time of transmittal.
- Encrypt Customer Information when sending it over Cybersoft’s wireless network, so that nearby attackers can’t eavesdrop on these communications. Use a wireless router that has Wi-Fi Protected Access 2 (WPA2) capability and devices that support WPA2.
- Use encryption for remote access to Cybersoft’s computer network by employees or by service providers. Implement multi-factor authentication for access to Cybersoft’s network.

Selection and Oversight of Service Providers
In order to protect Customer Information, Cybersoft takes steps to evaluate, select and oversee its service providers.

- Evaluate the willingness of a service provider to comply with Cybersoft’s Information Security Program and the compatibility of its own data security program with Cybersoft’s.
- Verify the records to be maintained by the service provider regarding Customer Information and whether Cybersoft will have access to such records.
- Assess the service provider’s knowledge of and attitude towards regulations that are relevant to the services being provided, particularly the Safeguards Rule.
- Research the service provider’s experience, financial stability and reputation with industry groups and trade associations, in addition to its ability to provide the necessary services and supporting technology for current and anticipated needs.
- Examine the functionality of any service or system proposed, and policies concerning maintaining secure systems, intrusion detection and reporting systems, customer authentication, verification, and authorization, and the ability to respond to service disruptions.
- Review the service provider’s contractual obligations and requirements, such as the term of the contract; prices; software support and maintenance; training of employees; customer service; rights to modify existing services performed under the contract; warranty, confidentiality, indemnification, limitation of liability and exit clauses; guidelines for adding new or different services and for contract re-negotiation; compliance with applicable regulatory requirements; records to be maintained by the service provider; notification of material changes to services, systems, controls and new service locations; insurance coverage to be maintained by the service provider; and use of Cybersoft’s data, equipment, and system and application software.
- Ensure Cybersoft’s right to audit the service provider’s records, to obtain documentation regarding the resolution of disclosed deficiencies, and to inspect the service provider’s facilities.
- Require the service provider to be contractually responsible for securing and maintaining the confidentiality of Customer Information, including agreement to refrain from using or disclosing Cybersoft’s information except as necessary to or consistent with providing the contracted services, to protect against unauthorized use or disclosure of Customer Information and Cybersoft’s confidential information, to comply with applicable privacy regulations, to fully disclose breaches in security resulting in unauthorized access to information that may materially affect Cybersoft or its customers, and to notify Cybersoft of the service provider’s corrective action.
- Contracted service providers will be monitored to ensure that the selection criteria, performance and financial conditions, and contract terms are met.

Efficiency of Cybersoft’s Information Security Program
Cybersoft monitors, tests and evaluates the efficiency and effectiveness of the key controls, systems and procedures of its Information Security Program’s safeguards, and adjusts the Program accordingly in light of the results of that testing, any material changes to Cybersoft’s operations or business arrangements, or any other circumstances that Cybersoft knows or has reason to know may have a material impact on its Information Security Program.

Exhibit “A”
MODEL LETTER
[MODEL LETTER]
Cybersoft, Inc.
100 Pine Street, Suite 1250
San Francisco, CA 94111
[Date]
[Name of Customer]
[Street Address]
[City, State, Zip Code]

Subject: NOTICE OF DATA BREACH

Dear [Name of Customer]:

We are contacting you about a data breach that has occurred at Cybersoft, Inc.

What Happened?
[Describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if you know)]

What Information Is Involved?
This incident involved your Customer Information, particularly [describe the type of Customer Information that may have been exposed due to the breach].

What We Are Doing
[Describe how you are responding to the data breach, including: what actions you’ve taken to remedy the situation; what steps you are taking to protect individuals whose information has been breached; and what services you are offering (like credit monitoring or identity theft restoration services)]

What You Can Do
We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for 90 days. You can renew it after 90 days.

Equifax: equifax.com or 1-800-525-6285
Experian: experian.com or 1-888-397-3742
TransUnion: transunion.com or 1-800-680-7289

Request that all three credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Thieves may hold stolen information to use at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, file a police report and call [insert contact information for law enforcement if authorized to do so]. Get a copy of the police report; you may need it to clear up the fraudulent debts.

If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to get recovery steps and to file an identity theft complaint. Your complaint will be added to the FTC’s Consumer Sentinel Network, where it will be accessible to law enforcers for their investigations.

You also may want to consider contacting the major credit bureaus at the telephone numbers above to place a credit freeze on your credit file. A credit freeze means potential creditors cannot get your credit report. That makes it less likely that an identity thief can open new accounts in your name. The cost to place and lift a freeze depends on state law. Find your state Attorney General’s office at naag.org to learn more.

You may also obtain a copy of Identity Theft: A Recovery Plan, a comprehensive guide from the FTC available at IdentityTheft.gov, to help you protect yourself from identity theft, depending on the type of information exposed.

[Insert Closing]
Sincerely,
[Name of Cybersoft Representative]

ACKNOWLEDGMENT OF COMPLIANCE

This written Information Security Program of Cybersoft, Inc. pursuant to Section 5.4 of the Agreement is in compliance with the Safeguards Rule under 16 CFR § 314.3.

CYBERSOFT, INC.