Information Security Program Maintenance
- Intersection Technologies Inc. (ITI) will maintain an information security program consistent with industry standards and will maintain SOC2 or equivalent for the duration of this Agreement.
- The production and disaster recovery environments used by ITI to provide services to Lender will be hosted at AWS. For more information on AWS compliance and security, visit the following website: https://aws.amazon.com/compliance/.
- ITI will maintain policies and procedures designed to subject all employees, subcontractors’ employees, and temporary staff that have access to Lender Customer Information to appropriate background checks as of their most recent hire date.
- The criminal background checks currently conducted with respect to individuals located in the USA include the current and past places of residence of ITI’s personnel for the previous seven (7) years.
- The background checks for individuals located outside of the USA will be reasonable in scope and subject to applicable law and custom.
- Upon request, ITI will provide Lender with an executive summary of the then-current background check procedures.
- Subject to applicable law, ITI will not assign any personnel to perform services under this Agreement if the background check reveals a criminal conviction or pretrial diversion for crimes involving fraud, financial dishonesty, breach of trust, or theft.
- ITI will only provide its employees and subcontractors with levels of access required to fulfill their job duties.
- ITI will maintain Confidentiality or Non-Disclosure Agreements with its employees and contractors for the protection of confidential information, including Lender’s Confidential Information.
- ITI will maintain a new hire and annual security awareness training program for all employees and subcontractors with access to Lender Customer Information. Upon request, during Lender’s audits conducted in accordance with this Agreement, ITI will allow Lender to review ITI’s security awareness training materials.
- ITI will maintain a due diligence program to monitor and manage subcontractors.
- If ITI uses Material Subcontractors under this Agreement, ITI will have appropriate controls in place designed to ensure that such Material Subcontractors meet the objectives of this SOW and will exercise reasonable oversight over them for the purpose of monitoring their compliance with this Agreement.
- ITI will assign individual accounts to users of systems that access, transmit or store Lender’s Confidential Information to provide accountability.
- ITI will follow formal processes to approve and track system access that is granted. ITI will follow similar formal processes for the removal of access upon separation, or reassignment of job responsibilities.
- ITI will periodically review employee access to verify appropriate access assignments.
- ITI will use a granular role-based permission system. This provides a detailed level of access controls built upon the principles of “least privilege” and “need to know.” Roles allow the lender administrator to manage user permissions based on a particular user’s role.
- ITI will maintain appropriate password parameters for systems that access, transmit or store Lender’s Confidential Information. These password parameters will include at a minimum:
  - Password length must be at least 8 characters.
  - Password must have at least 1 alpha character and 1 numeric character.
  - Password history of 5 must be enforced.
  - Password cannot be the same as the user’s Login ID.
  - Password must be case-sensitive.
  - Password must expire every 90 days.
  - Users must be locked out after no more than 5 incorrect attempts.
- To safeguard user passwords, all client-server communication is exchanged over TLS, and all stored passwords are hashed with a strong hashing algorithm in the database rather than stored in plaintext.
- ITI will maintain data-masking technology to protect Nonpublic Personal Information from inappropriate or unauthorized disclosure.
- ITI will implement data at rest encryption technology of select sensitive data elements within the database.
- ITI will maintain a vulnerability assessment program and perform application security assessments on an annual (or more frequent) basis. ITI will review and remediate material vulnerabilities that are discovered.
- ITI’s website will maintain HTTPS/TLS 128-bit encryption to secure confidential information as it traverses public networks.
- ITI will maintain and archive website audit logs that monitor and record information from the ITI production systems for a minimum period of 1 year. The audit logs will include information to identify the user, the date-time stamp of the activity, the source IP address of the user and a summary of the activity performed.
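The password parameters and hashed-storage requirement above, as an added example that is not part of the agreement or ITI’s own code: a Python check that enforces each stated rule (minimum length, alpha and numeric characters, no match with the Login ID, history of 5, 90-day expiry, lockout after 5 failures) and keeps the history as salted hashes rather than plaintext. The case-insensitive Login ID comparison and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Parameters taken directly from the exhibit's password requirements.
MIN_LENGTH, HISTORY_DEPTH, MAX_AGE_DAYS, MAX_FAILED = 8, 5, 90, 5

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (assumed algorithm); only (salt, digest) is stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def matches(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison against a stored record; exact bytes, so case-sensitive."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def password_violations(login_id: str, candidate: str,
                        history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if candidate.lower() == login_id.lower():  # assumption: compared case-insensitively
        problems.append("same as login ID")
    # History is a list of hashed records, oldest first; only the last 5 count.
    if any(matches(candidate, rec) for rec in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems

def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Expiry every 90 days, measured from the last successful change."""
    return now - last_changed >= timedelta(days=MAX_AGE_DAYS)

def account_locked(failed_attempts: int) -> bool:
    """Lock out once the failed-attempt counter reaches the maximum."""
    return failed_attempts >= MAX_FAILED
```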
Physical & Environmental Security
- ITI will implement physical security policies and procedures, systems, technology and staff, including access control mechanisms designed to prevent unauthorized access to ITI facilities hosting or processing Lender’s Confidential Information.
- The Data Center physical and environmental controls are provided by AWS. For more information on AWS physical and environmental controls of an AWS data center, visit the following website: https://aws.amazon.com/compliance/data-center/controls/.
Infrastructure & Network Controls
- ITI will maintain system hardening procedures to restrict services on devices and servers to only those services needed for the system or device to function.
- ITI will maintain appropriate network perimeter controls such as firewalls at all perimeter connections and Intrusion Detection Systems. Intrusion Detection System and firewall traffic will be monitored for abnormal behavior. Storage of Lender Information will be secured behind multi-tiered firewalls.
- ITI will implement critical security-related software patches on a timely basis.
- ITI will maintain an anti-virus solution to protect its servers and workstations against viruses, worms, Trojan horses and other forms of malware that may cause damage. ITI will install and maintain malware detection software, including virus and malware detectors, on systems used to access, process or store Lender information. In addition, definition files will be updated regularly.
- ITI will perform external and internal network vulnerability assessments on an annual (or more frequent) basis to test for security vulnerabilities. ITI will review and remediate material vulnerabilities that are discovered.
- ITI will utilize a data loss prevention tool to monitor and/or prevent sensitive and personal data from being transmitted outside the organization.
- ITI production systems will follow a formal and documented change control process that provides for distinct roles and segregation of duties.
- ITI will maintain physically and logically segregated, distinct environments for Production, Disaster Recovery and pre-Production.
- Changes to ITI’s environment will be executed within documented maintenance windows, and only after appropriate authorizations have been obtained from technical and business approvers, preserving the segregation of duties principle.
- ITI will utilize code management software for its developers to develop code and maintain version control.
- ITI will maintain software to monitor and audit the change control process so that unauthorized code changes are not promoted to the production environment.
Business Continuity & Disaster Recovery
- ITI will maintain a documented Business Continuity and Disaster Recovery plan for the duration of this Agreement.
- The Business Continuity plan will include a periodic business impact analysis; procedures for the identified contingencies; and documented testing of the plan.
- The Disaster Recovery plan will include all locations hosting the systems providing services as per this Agreement. At a minimum, the plan will be updated annually and testing of the plan will be documented and shared with Lender upon request.
Incident Response and Management
- ITI will maintain an Incident Response plan that will be updated at least annually and will document, at a minimum: procedures and response actions; responsibilities of personnel; and relevant notification procedures and timelines.
Compliance & Right to Audit
- ITI will perform periodic internal control testing to test the effectiveness of security controls and verify that it is in compliance with the requirements set forth in this Exhibit and all applicable regulatory, legal and contractual requirements.
- Lender will have the right to audit ITI as specified in this Agreement.