Data Security Policy

Investment Services Group

Effective Date:  June 24, 2019

INTRODUCTION

The purpose of this Policy is to describe ISG’s security policy regarding personal information collected and processed by ISG’s online services (“Policy”).  

Specifically, this Policy is intended to identify ISG’s policies, procedures, and auditing and training practices utilized for data security, and our resulting responsibilities to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

PERSONAL INFORMATION  

ISG collects personal information in accordance with our Privacy Policy.  This information is stored in a secure facility on hardened systems using reasonable and adequate security protocols.  Access to this information is restricted to authorized personnel only.

APPROACH TO SECURITY

The following sections describe ISG’s comprehensive approach to ensuring enterprise-wide compliance with its Policy.  This consists of four (4) major areas: Security, Personnel, Education, Verification and Contracts.

SECURITY

Security of data is the cornerstone of verifying privacy of data.  ISG maintains a rigorous security posture through focused methodology.  It is founded on the implementation of best practices and security policies in five (5) major areas providing enterprise wide coverage including:

Regulatory Controls

Organizational Controls

Service Provider Controls

Standardized Process and Practices

Business Partner Control.

Key policies in place that contribute to the verification and compliance with the Policy are:

Awareness and Training

Personnel Practices

Administrative Roles and Responsibilities

Network and Telecommunications Security

Incident Detection and Reporting

Malicious Code Control (Antivirus)

Portable Computers

Logical and System Access

Physical Access

Remote Access

Firewall Management

Third Party Services

Software Licensing and Appropriate usage

Auditing and Monitoring

Data Classification, Confidentiality, Integrity and Availability

Policy Compliance

Operational procedures demonstrating compliance with the Policy are:

Change Control

Event monitoring

Data backup

System hardening

The above referenced policies and procedures are documented and available for review.

PERSONNEL

Our personnel consist of employees and contractors.

EDUCATION

ISG regularly notifies and reinforces its Privacy Policy with its personnel.  This is done using the following process:

The Privacy Policy is distributed company-wide via email upon employment and when updated.

The Policy is displayed on ISG’s website.

At least once per year, the Policy is presented and discussed at a company-wide meeting.

VERIFICATION

The Policy is self-verified periodically by ISG’s Security Officer.  The Security Officer is responsible for:

Ensuring that the policies, guidelines, internal procedures, personnel training, and other measures necessary to implement the Policy are developed and put into practice,

Working with ISG’s legal counsel to ensure ISG’s ongoing compliance with applicable privacy laws and agreements, as well as any of ISG’s other related legal obligations, and 

Overseeing annual assessments of ISG’s internal and external practices to ensure that they conform to the Policy and related company obligations.

In addition, ISG, through its internal audit processes, conducts an audit of its security controls a minimum of once per year.  This independent review assesses the physical security, network security and operational policies and controls in place to protect customer data.  

CONTRACTS

As a condition of employment, all ISG personnel must sign a IP Confidentiality Agreement.  This agreement includes a provision that addresses personnel responsibility regarding compliance with privacy-related matters.

IN WITNESS WHEREOF, the undersigned Security Officer hereby accepts this Data Security Policy and agrees to implement all terms and conditions thereof.

_____________________________

Janis Kidd, Security Officer