Vendor Information and Qualification Form


P.O. Box 8370, Columbus, MS
Phone (662)
Fax (662)

Vendor Information and Qualification Form
August 20, 2012

BankTEL's office in Columbus, MS

Table of Contents

1. Executive Summary
2. Mission
3. Company History
4. Company Information
5. Management Summary
   Key Personnel
6. Company Policies/Internal Procedures
   6.1 Policies: Acceptable Use Policy; Backup Policy; Confidential Data Policy; Data Classification Policy; E-mail Policy; Encryption Policy; Guest Access Policy; Incident Response Policy; Mobile Device Policy; Network Access and Authentication Policy; Network Security Policy; Outsourcing Policy; Password Policy; Physical Security Policy; Remote Access Policy; Retention Policy; Third Party Connection Policy; VPN Policy; Wireless Access Policy
   6.2 Forms: Policy Acknowledgement Form; Guest Network Access Request; Security Incident Report; Notice of Policy Noncompliance; Policy Amendment; Account Setup Request; Request for Policy Exception; Visitor Log
   Employee Non-Disclosure Agreement
   BankTEL License Agreement
   6.3 Disaster Recovery / Business Continuity: BankTEL Disaster Recovery Plan
Product Information
Financial Information (unaudited)
   Exhibit A: Sales & Recurring Revenue Growth
   Exhibit B: Financial History Graph 2003 to 2011, projections to
   Exhibit D: Balance sheet as of December 31,
   Exhibit E: Profit & Loss
   Exhibit F: Workers Compensation & Employers Liability/General Liability Insurance binder certificate

1. Executive Summary

BankTEL Systems, a division of BTS Alliance, LLC, develops and markets specific financial software systems for use in financial institutions. BankTEL maintains its headquarters in Columbus, Mississippi. The products known as BankTEL Systems consist of over a dozen different products and services. BankTEL currently serves over 1,000 financial institutions in all 50 states in the US, Canada, and the Caribbean. These systems are designed to assist our clients in improving operational efficiency, generating deposits and increasing non-interest income.

The BankTEL Systems product offerings are comprised of two distinct lines:

- Cash Management Applications: Lockbox Scanning & Billing Systems, Lockbox Processing, ACH Origination (Manager & Client), Deposit Security Management, Attorney Escrow Management, and FedBlock OFAC.
- Auxiliary Financial Applications: Accounts Payable, Invoice Approval workflow, Branch Scanning, Expense Reports, Management Reports, Pre-Paid & Accruals, Fixed Asset Management, Vendor Management and Shareholder Management.

2. Mission

Corporately, BankTEL Systems strives to maintain the following core competencies and values:

- Providing premium software systems that are cost effective, easy to implement, and user-friendly.
- As a unique core competency, maintaining a seamless interface to every major core vendor in the marketplace.
- Dealing with clients and business partners in an honest and up-front manner.
- Endeavoring to offer customer service/support that is second to none in the industry.
- Developing long-term relationships with customers, as evidenced by numerous existing clients who have utilized BankTEL software systems for over 20 years.

3. Company History

2012 marks the 20th year BankTEL has been serving the needs of financial institutions. BankTEL's parent company, BTS Alliance, LLC, was formed in May of 2006 to purchase all of the assets of BankTEL Systems, Inc. ("BankTEL"). Boyce Adams, cofounder of BankTEL Systems, led the acquisition, and the purchase was finalized on June 1. All historical information provided herein is based on the operation of BankTEL Systems during the following periods:

- The formation of the company in 1991 under T.E. Lott & Company in Columbus, MS.
- A wholly owned subsidiary of SPFS, Inc., Lubbock, TX, 1998 to May 2006 as BankTEL Systems, Inc.

- The current company, BankTEL Systems, a subsidiary of BTS Alliance, LLC.

All current management, employees, part-time employees and client base remained intact after the asset acquisition.

4. Company Information

Company Name and Contact Information:
BankTEL Systems, a division of BTS Alliance, LLC
P.O. Box 8370, Columbus, MS
Telephone:
Support:
Fax:
Street address: 319 Park Creek Drive, Columbus, MS (Overnight only)
Support hours: 7:00 am to 7:00 pm CST, Monday thru Friday
Web site:

Company Officers:
- Boyce Adams, President & CEO; years with company: 21
- John Bowen, CPA, CFP, CFF, CFO; years with company: 6 (association with company: 19 years)
- Richard Hunt, Vice President; years with company: 13
- Nathan Turner, Vice President; years with company: 12
- Boyce Adams, Jr., Vice President; years with company: 7

Contact for Insurance Information:
Galloway-Chandler-McKinney Insurance
Jimmy Galloway, President
Phone:
Fax:
Insurance Carrier: CNA Insurance Company
Insurance Policy: General Liability 2m; Aggregate 2m; Workers comp.
Policy Numbers: B ; WC
*NOTE: A PDF copy of the certificate is available for download; contact request@banktel.com and we will e-mail you a username and password for download, or see Exhibit F.

W9 Tax Form:
*NOTE: A PDF copy of the executed W9 is available for download; contact request@banktel.com to receive a username and password for download. (See Exhibit G)

Consumer Privacy Letter of Agreement:
*NOTE: A Consumer Privacy Letter of Agreement from BankTEL is available. Contact request@banktel.com to receive a copy via e-mail.

BankTEL Company ownership:
BankTEL is a privately held company consisting mainly of management and employee ownership. Boyce Adams is the largest shareholder; together with existing officers and employees, this ownership totals over 93%.

5. Management Summary

Key Personnel

BankTEL Systems currently has fifteen full-time employees and six part-time employees working in Lockbox processing and telephone service areas. BankTEL develops and supports each product internally. Three of BankTEL's fifteen employees are programmer/developers while the remaining personnel work in support, implementation, and marketing. Below is a detail of our key employees.

Boyce Adams, Sr., President & CEO

Boyce Adams, Sr. co-founded BankTEL Systems in 1992 with only an idea and a conviction to develop software that uses automation to increase efficiencies and reduce costs for financial institutions. Now celebrating their 20th year, BankTEL has grown to over 1,000 financial institutions in all 50 states, as well as in Canada and the Caribbean. Before BankTEL, Boyce worked in the oil industry developing software to improve operations from the field to the front office. It was there he saw the importance of automation with the emerging development of the early PC systems. He later worked as a consultant to a CPA firm where he brought the same keen vision to the accounting profession during a time when technological advances were changing the way financial institutions do business. Boyce recognized the need for software solutions that not only interfaced with core banking systems but could work simultaneously on different platforms to more fully automate financial accounting. From there, BankTEL was born. Under Boyce's leadership, BankTEL has become a leading supplier of auxiliary financial software products that are reliable, innovative and backed by exceptional customer service and support. Boyce has continued to be involved in the design, testing and implementation of BankTEL's products and still insists on doing an installation and training session from time to time, to get his hands on the product in a live environment.

John Bowen, CPA, CFP, CFF, Chief Financial Officer

John Bowen joined BankTEL as the Chief Financial Officer in June. As a former customer twice, once as the CFO of a community bank and again as CFO of a regional utility company, he has had the opportunity to use both our Financial Products as well as the Cash Management Products. John graduated from the University of Southern Mississippi in 1980 with a BS in Accounting. He has since spent four years in public accounting, ten years in banking and ten years working for a regional utility company. At BankTEL his responsibilities include all aspects of accounting and finance; he also serves as a consultant to our program enhancement team and assists in the sales and marketing efforts. John and his wife Kathy have two boys, Brook and Brennen. He enjoys sporting events and golf.

Boyce E. Adams, Jr., Vice President Marketing and Sales

Boyce currently serves as Vice President of Marketing and Sales for BankTEL Systems, LLC, and joined the team full-time in February. At BankTEL, he is responsible for leading the marketing and sales effort as well as strategic partnerships. Boyce most recently served in an advisory capacity for the Administrator of the Federal Aviation Administration as a political appointee. Prior to this, he served in the White House, Office of Presidential Personnel, focusing on Presidential appointments to financial and regulatory institutions, which include the Federal Reserve and the Treasury Department, amongst others. Earlier in his career, he served in a variety of capacities for American Airlines in marketing and sales. Boyce is also a Commercial Pilot and Certified Flight Instructor. Boyce holds a bachelor's degree in International Economics and Political Science from Vanderbilt University.

Richard Hunt, Vice President - Development

Richard Hunt joined BankTEL as Vice President in June. He brings with him twenty years of banking experience. Richard has worked in all areas of operations, from operator and programmer to DP Manager. Those years include ten years of programming and development in banking plus four years as a part-time consultant in the hospital industry. He has attended numerous programming and computer classes and is a 1998 graduate of the Mississippi School of Banking. He has been a member of the Outstanding Young Men of America, President of the Louisville Kiwanis Club and has chaired many civic activities from Coats for Kids to American Heart Association fundraisers. Richard enjoys spending time with his wife Brenda and their two daughters, Mary Catherine and Julie. He enjoys outdoor activities and is an avid golfer.

Nathan Turner, Vice President Support & Implementations

Nathan grew up in Levelland, Texas, a small town west of Lubbock. He attended Texas Tech University and earned a BBA in Finance in December. While attending Texas Tech, Nathan was employed by a community bank, working in numerous areas of operations from ATM service to cash management. Nathan joined the BankTEL team in February of 2001, and relocated to the office in Columbus, Mississippi. In his current role Nathan manages the Support and Implementation team as well as managing on-going special projects for BankTEL clients. In addition to being a die-hard Texas Tech Red Raider fan, Nathan enjoys golf, fishing, basketball, and spending time with his wife, Beth.

Bonnie Baker, Technical Operations Director

Bonnie is originally from Vallejo, California, a suburb of San Francisco. She's a graduate of MTI College of Business & Technology in Sacramento where she studied Programming and Accounting. She also attended Mississippi State University. Before coming to BankTEL in February of 2004, she was a Computer Networking Specialist for the Golden Triangle Planning & Development District where she supported computer systems in local government offices for seven surrounding counties. She is CIW and i-Net+ certified and has 20 years of experience in the computer field including hardware repair, network administration, technical support, user training, desktop publishing and website design. She also has 10 years of experience in accounting. When Bonnie's not spending time with her family, she enjoys oil painting and playing in her church orchestra.

6. Company Policies/Internal Procedures

6.1. Policies
- Acceptable Use Policy
- Backup Policy
- Confidential Data Policy
- Data Classification Policy
- E-mail Policy
- Encryption Policy
- Guest Access Policy
- Incident Response Policy
- Mobile Device Policy
- Network Access and Authentication Policy
- Network Security Policy
- Outsourcing Policy
- Password Policy
- Physical Security Policy
- Remote Access Policy
- Third Party Connection Policy
- VPN Policy
- Wireless Access Policy

6.2. Forms
- Policy Acknowledgement Form
- Guest Network Access Request
- Security Incident Report
- Notice of Policy Noncompliance
- Policy Amendment Form
- Account Setup Request
- Request for Policy Exception
- Visitor Log

6.3. Disaster Recovery / Business Continuity
- Disaster Recovery Plan

Background checks: BankTEL performs pre-employment screening including criminal and financial background checks, as well as periodic on-going financial checks for all employees. Every effort is made to address the integrity of our staff.

Development Process: Development oversight includes clear separation of duties across the disciplines of innovation, documentation of new features and products, design, coding, and testing. Only after appropriate testing is completed are changes moved to production, and then under the careful oversight of staff members who were not involved in the coding process.

In-House System Oversight: Our internal network and related computer systems are carefully controlled via physical and virtual access security. Periodic penetration testing of our network environment is conducted, and the results discussed and addressed by management.

Data Protection: All customer data is protected by appropriate levels of encryption commensurate with the activities performed on such data. BankTEL does not perform processing duties on behalf of our customers, so the only need we have for access to data is during the initial conversion period, and at any point where such data might be needed for troubleshooting or support. We store, in an encrypted fashion, all conversion-related data to ensure that any issues that arise later can be addressed by comparison to the original converted data. No other data is stored.

Acceptable Use Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Users, Technical
7 Pages

Acceptable Use Policy

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

Though there are a number of reasons to provide a user network access, by far the most common is granting access to employees for performance of their job functions. This access carries certain responsibilities and obligations as to what constitutes acceptable use of the corporate network. This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked additionally to use common sense when using company resources. Questions on what constitutes acceptable use should be directed to the user's supervisor.

2.0 Purpose

Since inappropriate use of corporate systems exposes the company to risk, it is important to specify exactly what is permitted and what is prohibited. The purpose of this policy is to detail the acceptable use of corporate information technology resources for the protection of all parties involved.

3.0 Scope

The scope of this policy includes any and all use of corporate IT resources, including but not limited to, computer systems, e-mail, the network, and the corporate Internet connection.

4.0 Policy

4.1 E-mail Use

Personal usage of company systems is permitted as long as A) such usage does not negatively impact the corporate computer network, and B) such usage does not negatively impact the user's job performance. The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are prohibited.

The user is prohibited from forging header information or attempting to impersonate another person. E-mail is an insecure method of communication, and thus information that is considered confidential or proprietary to the company may not be sent via e-mail, regardless of the recipient, without proper encryption. It is company policy not to open attachments from unknown senders, or when such attachments are unexpected. E-mail systems were not designed to transfer large files and as such e-mails should not contain attachments of excessive file size. Please note that detailed information about the use of e-mail may be covered in the company's E-mail Policy.

4.2 Confidentiality

Confidential data must not be A) shared or disclosed in any manner to non-employees of the company, B) posted on the Internet or any publicly accessible systems, or C) transferred in any insecure manner. Please note that this is only a brief overview of how to handle confidential information, and that other policies may refer to the proper use of this information in more detail.

4.3 Network Access

The user should take reasonable efforts to avoid accessing network data, files, and information that are not directly related to his or her job function. Existence of access capabilities does not imply permission to use this access.

4.4 Unacceptable Use

The following actions shall constitute unacceptable use of the corporate network. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable. The user may not use the corporate network and/or systems to:

- Engage in activity that is illegal under local, state, federal, or international law.
- Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the company.
- Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
- Engage in activities that cause an invasion of privacy.
- Engage in activities that cause disruption to the workplace environment or create a hostile workplace.
- Make fraudulent offers for products or services.
- Perform any of the following: port scanning, security scanning, network sniffing, keystroke logging, or other IT information gathering techniques when not part of the employee's job function.
- Install or distribute unlicensed or "pirated" software.
- Reveal personal or network passwords to others, including family, friends, or other members of the household when working from home or remote locations.

4.5 Blogging and Social Networking

Blogging and social networking by the company's employees are subject to the terms of this policy, whether performed from the corporate network or from personal systems. Blogging and social networking are never allowed from the corporate computer network. In no blog or website, including blogs or sites published from personal or public systems, shall the company be identified, company business matters discussed, or material detrimental to the company published. The user must not identify himself or herself as an employee of the company in a blog or on a social networking site. The user assumes all risks associated with blogging and/or social networking.

4.6 Instant Messaging

Instant Messaging is allowed for corporate communications only. The user should recognize that Instant Messaging may be an insecure medium and should take any necessary steps to follow guidelines on disclosure of confidential data.

4.7 Overuse

Actions detrimental to the computer network or other corporate resources, or that negatively affect job performance, are not permitted.

4.8 Web Browsing

The Internet is a network of interconnected computers over which the company has very little control. The user should recognize this when using the Internet, and understand that it is a public domain and he or she can come into contact with information, even inadvertently, that he or she may find offensive, sexually explicit, or inappropriate. The user must use the Internet at his or her own risk. The company is specifically not responsible for any information that the user views, reads, or downloads from the Internet.

Personal Use. The company recognizes that the Internet can be a tool that is useful for both personal and professional purposes. Personal usage of company computer systems to access the Internet is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the company or on the user's job performance.

4.9 Copyright Infringement

The company's computer systems and networks must not be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content. Any of the following activities constitute violations of the acceptable use policy, if done without permission of the copyright owner: A) copying and sharing images, music, movies, or other copyrighted material using P2P file sharing or unlicensed CDs and DVDs; B) posting or plagiarizing copyrighted material; and C) downloading copyrighted files which the employee has not already legally procured. This list is not meant to be exhaustive; copyright law applies to a wide variety of works and applies to much more than is listed above.

4.10 Peer-to-Peer File Sharing

Peer-to-Peer (P2P) networking is not allowed on the corporate network under any circumstance.

4.11 Streaming Media

Streaming media can use a great deal of network resources and thus must be used carefully. Reasonable use of streaming media is permitted as long as it does not negatively impact the computer network or the user's job performance.

4.12 Monitoring and Privacy

Users should expect no privacy when using the corporate network or company resources. Such use may include but is not limited to: transmission and storage of files, data, and messages. The company reserves the right to monitor any and all use of the computer network. To ensure compliance with company policies this may include the interception and review of any e-mails or other messages sent or received, and inspection of data stored on personal file directories, hard disks, and removable media.

4.13 Bandwidth Usage

Excessive use of company bandwidth or other computer resources is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network capacity or performance must be performed during times of low company-wide usage.

4.14 Personal Usage

Personal usage of company computer systems is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the company or on the user's job performance.

4.15 Remote Desktop Access

Use of remote desktop software and/or services is allowable as long as it is provided by the company. Remote access to the network must conform to the company's Remote Access Policy.

4.16 Circumvention of Security

Using company-owned or company-provided computer systems to circumvent any security systems, authentication systems, user-based systems, or to escalate privileges is expressly prohibited. Knowingly taking any actions to bypass or circumvent security is expressly prohibited.

4.17 Use for Illegal Activities

No company-owned or company-provided computer systems may be knowingly used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:

- Unauthorized Port Scanning
- Unauthorized Network Hacking
- Unauthorized Packet Sniffing
- Unauthorized Packet Spoofing
- Unauthorized Denial of Service
- Unauthorized Wireless Hacking
- Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system
- Acts of Terrorism
- Identity Theft
- Spying
- Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material as deemed by applicable statutes
- Downloading, storing, or distributing copyrighted material

The company will take all necessary steps to report and prosecute any violations of this policy.

4.18 Non-Company-Owned Equipment

Non-company-provided equipment is expressly prohibited on the company's network.

4.19 Personal Storage Media

The company does not restrict the use of personal storage media, which includes but is not limited to: USB or flash drives, external hard drives, personal music/media players, and CD/DVD writers, on the corporate network, provided that guidelines for data confidentiality are followed. The user must take reasonable precautions to ensure viruses, Trojans, worms, malware, spyware, and other undesirable security risks are not introduced onto the company network. Use of personal storage media must conform to the company's Mobile Device Policy.

4.20 Software Installation

No non-company-supplied software is to be installed without written permission of the IT Manager. Numerous security threats can masquerade as innocuous software: malware, spyware, and Trojans can all be installed inadvertently through games or other programs. Alternatively, software can cause conflicts or have a negative impact on system performance. For these reasons, installation of non-company-supplied programs is strongly discouraged. If a certain program is required for his or her job function, the user should contact the IT Department to request permission.

4.21 Reporting of Security Incident

If a security incident or breach of any security policies is discovered or suspected, the user must immediately notify his or her supervisor and/or follow any applicable guidelines as detailed in the corporate Incident Response Policy. Examples of incidents that require notification include:

- Suspected compromise of login credentials (username, password, etc.).
- Suspected virus/malware/trojan infection.
- Loss or theft of any device that contains company information.
- Loss or theft of ID badge or keycard.
- Any attempt by any person to obtain a user's password over the telephone or by e-mail.
- Any other suspicious event that may impact the company's information security.

Users must treat a suspected security incident as confidential information, and report the incident only to his or her supervisor. Users must not withhold information relating to a security incident or interfere with an investigation.

4.22 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Blogging - The process of writing or updating a "blog," which is an online, user-created journal (short for "web log").

Instant Messaging - A text-based computer application that allows two or more Internet-connected users to "chat" in real time.

Peer-to-Peer (P2P) File Sharing - A distributed network of users who share files by directly connecting to the users' computers over the Internet rather than through a central server.

Remote Desktop Access - Remote control software that allows users to connect to, interact with, and control a computer over the Internet just as if they were sitting in front of that computer.

Streaming Media - Information, typically audio and/or video, that can be heard or viewed as it is being delivered, which allows the user to start playing a clip before the entire download has completed.

7.0 Revision History

Revision 1.0, 8/23/2012

18 6.1.2 Backup Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Technical 4 Pages Backup Policy BankTEL Systems is hereinafter referred to as "the company." 1.0 Overview A backup policy is similar to an insurance policy - it provides the last line of defense against data loss and is sometimes the only way to recover from a hardware failure, data corruption, or a security incident. A backup policy is related closely to a disaster recovery policy, but since it protects against events that are relatively likely to occur, in practice it will be used more frequently than a contingency planning document. A company's backup policy is among its most important policies. 2.0 Purpose The purpose of this policy is to provide a consistent framework to apply to the backup process. The policy will provide specific information to ensure backups are available and useful when needed - whether to simply recover a specific file or when a larger-scale recovery effort is needed. 3.0 Scope This policy applies to all data stored on corporate systems. The policy covers such specifics as the type of data to be backed up, frequency of backups, storage of backups, retention of backups, and restoration procedures. 4.0 Policy 4.1 Identification of Critical Data The company must identify what data is most critical to its organization. This can be done through a formal data classification process or through an informal review of information assets. Regardless of the method, critical data should be identified so that it can be given the highest priority during the backup process. 4.2 Data to be Backed Up A backup policy must balance the importance of the data to be backed up with the burden such backups place on the users, network resources, and the backup administrator. Data to be backed 18 P a g e

19 6.1.2 Backup Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Technical 4 Pages up will include: All data determined to be critical to company operation and/or employee job function. All information stored on the corporate file server(s) and server(s). It is the user's responsibility to ensure any data of importance is moved to the file server. 4.3 Backup Frequency Backup frequency is critical to successful data recovery. The company has determined that the following backup schedule will allow for sufficient data recovery in the event of an incident, while avoiding an undue burden on the users, network, and backup administrator. Incremental: every day 4.4 Off-Site Rotation Geographic separation from the backups must be maintained, to some degree, in order to protect from fire, flood, or other regional or large-scale catastrophes. Offsite storage must be balanced with the time required to recover the data, which must meet the company's uptime requirements. The company has determined that backup media must be rotated off-site at least once per day. 4.5 Backup Storage Storage of backups is a serious issue and one that requires careful consideration. Since backups contain critical, and often confidential, company data, precautions must be taken that are commensurate to the type of data being stored. The company has set the following guidelines for backup storage. When stored onsite, backups should be kept in an access-controlled area. When shipped off-site, a hardened facility (i.e., commercial backup service or safe deposit box) that uses accepted methods of environmental controls, including fire suppression, and security processes must be used to ensure the integrity of the backup media. Online backups are allowable if the service meets the criteria specified herein. 
4.6 Backup Retention

When determining the backup retention period, the company must decide how many stored copies of backed-up data are sufficient to effectively mitigate risk while preserving required data. The company has determined that the following will meet all requirements (note that the backup retention schedule must conform to the company's Retention Policy and to any applicable industry regulations):

- Daily revisions must be saved for two weeks.
- Weekly revisions must be saved for one month.
- Removed files (file shares only) must be saved for 90 days.

4.7 Restoration Procedures & Documentation

The data restoration procedures must be tested and documented. Documentation should state exactly who is responsible for the restore, how it is performed, under what circumstances it is to be performed, and how long it should take from request to restoration. It is extremely important that the procedures are clear and concise so that they are not A) misinterpreted by readers other than the backup administrator, or B) confusing during a time of crisis.

4.8 Restoration Testing

Since a backup policy does no good if the restoration process fails, the restore procedures must be tested periodically to eliminate potential problems. Backup restores must be tested whenever a change is made that may affect the backup system, and in any case twice per year.

4.9 Expiration of Backup Media

Certain types of backup media, such as magnetic tapes, have a limited functional lifespan. After a certain time in service the media can no longer be considered dependable. When backup media is put into service, the date must be recorded on the media. The media must then be retired from service once its time in use exceeds the manufacturer's specifications.

4.10 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Backup: To copy data to a second location, solely for the purpose of safekeeping of that data.
Backup Media: Any storage devices used to maintain data for backup purposes. These are often magnetic tapes, CDs, DVDs, or hard drives.
Full Backup: A backup that makes a complete copy of the target data.
Incremental Backup: A backup that copies only the files that have changed in a designated time period, typically since the last backup was run.
Restoration: Also called "recovery." The process of restoring data from its backed-up state to its normal state so that it can be used and accessed in a regular manner.

7.0 Revision History

Revision 1.0, 8/23/2012
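The retention schedule in section 4.6 and the daily-incremental requirement in section 4.3 of the Backup Policy above are easy to state and easy to drift from. The following Python script is an added example, not BankTEL's code and not part of the original policy, of enforcing both mechanically against a backup catalogue. It assumes a catalogue of (kind, timestamp, label) records, reads "one month" as 31 days, and adds one safeguard the policy text does not spell out: the newest backup of each kind is never expired, so a stalled job cannot leave nothing to restore. The catalogue data and the reference date are constructed for the example.

```python
"""Retention pruning and coverage check for the Backup Policy schedule.

Added example, not BankTEL's code. Assumes a backup catalogue is available
as a list of Backup records; all sample data below is constructed.
"""
from datetime import datetime, timedelta
from typing import NamedTuple


class Backup(NamedTuple):
    kind: str        # "daily", "weekly", or "removed" (deleted-file copy, file shares only)
    taken: datetime  # when the backup completed
    label: str       # media or job identifier (hypothetical field)


# Section 4.6: daily for two weeks, weekly for one month, removed files for
# 90 days. "One month" is taken as 31 days here (assumption).
RETENTION = {
    "daily": timedelta(days=14),
    "weekly": timedelta(days=31),
    "removed": timedelta(days=90),
}

# Reference "now" for the constructed data: the policy's creation date (assumed).
NOW = datetime(2012, 8, 23, 23, 0)


def days_ago(n, now=NOW):
    """Timestamp n days before the reference time."""
    return now - timedelta(days=n)


def prune(backups, now=NOW):
    """Split a catalogue into backups to keep and backups whose retention expired.

    The newest backup of each kind is always kept even when it is older than
    its window, so a stalled backup job never leaves nothing to restore.
    That safeguard is an addition beyond the policy text.
    """
    newest = {}
    for b in backups:
        if b.kind not in RETENTION:
            raise ValueError(f"unknown backup kind {b.kind!r}")
        if b.kind not in newest or b.taken > newest[b.kind].taken:
            newest[b.kind] = b
    keep, expire = [], []
    for b in backups:
        within_window = now - b.taken <= RETENTION[b.kind]
        if within_window or b == newest[b.kind]:
            keep.append(b)
        else:
            expire.append(b)
    return keep, expire


def daily_gaps(backups, now=NOW):
    """Calendar days inside the two-week daily window with no daily backup.

    Section 4.3 requires an incremental every day; a gap here means a
    nightly job was missed and the day cannot be restored.
    """
    covered = {b.taken.date() for b in backups if b.kind == "daily"}
    window = RETENTION["daily"].days
    return [days_ago(d, now).date() for d in range(1, window + 1)
            if days_ago(d, now).date() not in covered]


def sample_catalogue(now=NOW):
    """Constructed catalogue: 20 nightly incrementals with day 5 missing,
    8 weekly fulls, and two deleted-file copies aged 30 and 120 days."""
    cat = []
    for d in range(1, 21):
        if d == 5:
            continue  # simulate a missed nightly job
        cat.append(Backup("daily", days_ago(d, now), f"inc-{d}"))
    for w in range(1, 9):
        cat.append(Backup("weekly", days_ago(7 * w, now), f"full-{w}"))
    cat.append(Backup("removed", days_ago(30, now), "del-30"))
    cat.append(Backup("removed", days_ago(120, now), "del-120"))
    return cat


if __name__ == "__main__":
    catalogue = sample_catalogue()
    kept, expired = prune(catalogue)
    print(f"keep {len(kept)} backups, expire {len(expired)}")
    for b in expired:
        print("  expire", b.kind, b.label)
    gaps = daily_gaps(catalogue)
    print("missed nightly backups:", [g.isoformat() for g in gaps] or "none")
```

Running the script on the constructed catalogue expires the six dailies older than two weeks, the four weeklies older than 31 days and the 120-day deleted-file copy, keeps the 30-day copy, and reports 2012-08-18 as a day with no nightly backup. The gap report is the check worth wiring into monitoring: the policy's twice-yearly restore test proves the media is readable, but only a daily coverage check proves the schedule in section 4.3 is actually being met.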

6.1.3 Confidential Data Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Users, Technical
5 Pages

Confidential Data Policy

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

Confidential data is typically the data that holds the most value to a company. Often, confidential data is valuable to others as well, and thus carries greater risk than general company data. For these reasons, it is good practice to set security standards that relate specifically to confidential data.

2.0 Purpose

The purpose of this policy is to detail how confidential data, as identified by the Data Classification Policy, must be handled. This policy lays out standards for the use of confidential data and specifies the security controls that protect it.

3.0 Scope

This policy covers all company-confidential data, regardless of location. Also covered are hardcopies of company data, such as printouts, faxes, notes, etc.

4.0 Policy

4.1 Treatment of Confidential Data

For clarity, the following sections on storage, transmission, and destruction of confidential data are restated from the Data Classification Policy.

4.1.1 Storage

Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.

4.1.2 Transmission

Strong encryption must be used when transmitting confidential data, regardless of whether such transmission takes place inside or outside the company's network. Confidential data must not be left on voicemail systems, either inside or outside the company's network, or otherwise recorded.

4.1.3 Destruction

Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:

- Paper/documents: cross-cut shredding is required.
- Storage media (CDs, DVDs): physical destruction is required.
- Hard drives/systems/mobile storage media: physical destruction is required. If physical destruction is not possible, the IT Manager must be notified.

4.2 Use of Confidential Data

A successful confidential data policy depends on users knowing and adhering to the company's standards for the treatment of confidential data. The following applies to how users must interact with confidential data:

- Users must be advised of any confidential data to which they have been granted access. Such data must be marked or otherwise designated "confidential."
- Users must access confidential data only to perform their job function.
- Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
- Users must protect any confidential information to which they have been granted access and must not reveal, release, share, e-mail unencrypted, exhibit, display, distribute, or discuss the information unless doing so is necessary for their job or the action is approved by their supervisor.
- Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to their supervisor.
- If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties' use of the information. Refer to the company's Outsourcing Policy for additional guidance.
- If confidential information is shared with a third party, the company must indicate to the third party how the data is to be used, secured, and destroyed. Refer to the company's Outsourcing Policy for additional guidance.

4.3 Security Controls for Confidential Data

Confidential data requires additional security controls in order to protect its confidentiality and integrity. The company requires that the following guidelines be followed:

- Strong Encryption. Strong encryption must be used for confidential data transmitted internal or external to the company. Confidential data must always be stored in encrypted form, whether on a user machine, server, laptop, or any other device that allows for data storage.
- Network Segmentation. The company must use firewalls, access control lists, or other security controls to separate systems holding confidential data from the rest of the corporate network.
- Authentication. Two-factor authentication must be used for access to confidential data.
- Physical Security. Systems that contain confidential data, as well as confidential data in hardcopy form, should be kept in secured areas. Special thought should be given to the security of the keys and access controls that secure this data.
- Printing. When printing confidential data, the user should use best efforts to ensure that the information is not viewed by others. Printers used for confidential data must be located in secured areas.
- Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Fax machines should be set to print a confirmation page after a fax is sent, and the user should attach this page to the confidential data if it is to be stored. Fax machines regularly used for sending and/or receiving confidential data must be located in secured areas.
- E-mailing. Confidential data must not be e-mailed inside or outside the company without the use of strong encryption.
- Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt. When sent inside the company, confidential data must be transported in sealed security envelopes marked "confidential."
- Discussion. Confidential information should be discussed only in non-public places where the discussion cannot be overheard.
- Confidential data must be removed from documents unless its inclusion is absolutely necessary.
- Confidential data must never be stored on non-company-provided machines (e.g., home computers).
- If confidential data is written on a whiteboard or other physical presentation tool, it must be erased after the meeting concludes.

4.4 Examples of Confidential Data

The following list is not intended to be exhaustive, but provides guidelines on what type of information is typically considered confidential. Confidential data can include:

- Employee or customer social security numbers or personal information
- Medical and healthcare information
- Electronic Protected Health Information (EPHI)
- Customer data
- Company financial data (if the company is closely held)
- Sales forecasts
- Product and/or service plans, details, and schematics
- Network diagrams and security configurations
- Communications about corporate legal matters
- Passwords
- Bank account information and routing numbers
- Payroll information
- Credit card information
- Any confidential data held for a third party (be sure to adhere to any confidential data agreement covering such information)

4.5 Emergency Access to Data

A procedure for accessing confidential and critical data during an emergency is often advisable if the company handles information that is integral to the health, well-being, or protection of other persons or entities. If the company maintains this type of data, it should consider establishing such a procedure in case the normal mechanism for accessing the data becomes unavailable or is disabled due to system or network problems.

4.6 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Mobile Data Device: A data storage device that uses flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
Two-Factor Authentication: A means of authenticating a user that combines two different kinds of factor: something the user knows (a password), something the user has (a smart card or token), or something the user is (a biometric).

7.0 Revision History

Revision 1.0, 8/23/2012

6.1.4 Data Classification Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Users, Technical
4 Pages

Data Classification Policy

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

Information assets are assets to the company just like physical property. To determine the value of an asset and how it should be handled, data must be classified according to its importance to company operations and the confidentiality of its contents. Once this has been determined, the company can take steps to ensure that the data is treated appropriately.

2.0 Purpose

The purpose of this policy is to detail a method for classifying data and to specify how to handle data once it has been classified.

3.0 Scope

This policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Also covered are hardcopies of company data, such as printouts, faxes, notes, etc.

4.0 Policy

4.1 Data Classification

Data residing on corporate systems must be continually evaluated and classified into the following categories:

1. Personal: includes the user's personal data, e-mails, documents, etc. This policy excludes personal information, so no further guidelines apply.
2. Public: includes already-released marketing material, commonly known information, etc. There are no requirements for public information.
3. Operational: includes data for basic business operations, communications with vendors, employees, etc. (non-confidential). The majority of data falls into this category.
4. Critical: any information deemed critical to business operations (often this data is also operational or confidential). It is extremely important to identify critical data for security and backup purposes.
5. Confidential: any information deemed proprietary to the business. See the Confidential Data Policy for detailed information on how to handle confidential data.

4.2 Data Storage

The following guidelines apply to storage of the different types of company data.

4.2.1 Personal: There are no requirements for personal information.
4.2.2 Public: There are no requirements for public information.
4.2.3 Operational: Operational data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user.
4.2.4 Critical: Critical data must be stored on a server that receives the most frequent backups (refer to the Backup Policy for additional information). System- or disk-level redundancy is required.
4.2.5 Confidential: Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.

4.3 Data Transmission

The following guidelines apply to transmission of the different types of company data.

4.3.1 Personal: There are no requirements for personal information.
4.3.2 Public: There are no requirements for public information.
4.3.3 Operational: No specific requirements apply to transmission of operational data; however, as a general rule, the data should not be transmitted unless necessary for business purposes.
4.3.4 Critical: There are no requirements on transmission of critical data, unless the data is also considered operational or confidential, in which case the applicable policy statements apply.
4.3.5 Confidential: Strong encryption must be used when transmitting confidential data, regardless of whether such transmission takes place inside or outside the company's network. Confidential data must not be left on voicemail systems, either inside or outside the company's network, or otherwise recorded.

4.4 Data Destruction

The following guidelines apply to the destruction of the different types of company data.

4.4.1 Personal: There are no requirements for personal information.
4.4.2 Public: There are no requirements for public information.
4.4.3 Operational: There are no requirements for the destruction of operational data, though shredding is encouraged.
4.4.4 Critical: There are no requirements for the destruction of critical data, though shredding is encouraged. If the data is also considered operational or confidential, the applicable policy statements apply.
4.4.5 Confidential: Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:

- Paper/documents: cross-cut shredding is required.
- Storage media (CDs, DVDs): physical destruction is required.
- Hard drives/systems/mobile storage media: physical destruction is required. If physical destruction is not possible, the IT Manager must be notified.

4.5 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Backup: To copy data to a second location, solely for the purpose of safekeeping of that data.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Mobile Data Device: A data storage device that uses flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
Two-Factor Authentication: A means of authenticating a user that combines two different kinds of factor: something the user knows (a password), something the user has (a smart card or token), or something the user is (a biometric).

7.0 Revision History

Revision 1.0, 8/23/2012

31 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages Policy BankTEL Systems is hereinafter referred to as "the company." 1.0 Overview is an essential component of business communication; however it presents a particular set of challenges due to its potential to introduce a security threat to the network. can also have an effect on the company's liability by providing a written record of communications, so having a well thought out policy is essential. This policy outlines expectations for appropriate, safe, and effective use. 2.0 Purpose The purpose of this policy is to detail the company's usage guidelines for the system. This policy will help the company reduce risk of an -related security incident, foster good business communications both internal and external to the company, and provide for consistent and professional application of the company's principles. 3.0 Scope The scope of this policy includes the company's system in its entirety, including desktop and/or web-based applications, server-side applications, relays, and associated hardware. It covers all electronic mail sent from the system, as well as any external accounts accessed from the company network. 4.0 Policy 4.1 Proper Use of Company Systems Users are asked to exercise common sense when sending or receiving from company accounts. Additionally, the following applies to the proper use of the company system Sending When using a company account, must be addressed and sent carefully. Users should keep in mind that the company loses any control of once it is sent external to the company network. Users must take extreme care when typing in addresses, particularly when address auto-complete features are enabled; using the "reply all" function; or using distribution 31 P a g e

32 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages lists in order to avoid inadvertent information disclosure to an unintended recipient. Careful use of will help the company avoid the unintentional disclosure of sensitive or non-public information Personal Use and General Guidelines Personal usage of company systems is permitted as long as A) such usage does not negatively impact the corporate computer network, and B) such usage does not negatively impact the user's job performance. The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are prohibited. The user is prohibited from forging header information or attempting to impersonate another person. is an insecure method of communication, and thus information that is considered confidential or proprietary to the company may not be sent via , regardless of the recipient, without proper encryption. It is company policy not to open attachments from unknown senders, or when such attachments are unexpected. systems were not designed to transfer large files and as such s should not contain attachments of excessive file size. Please note that the topics above may be covered in more detail in other sections of this policy Business Communications and The company uses as an important communication medium for business operations. Users of the corporate system are expected to check and respond to in a consistent and timely manner during business hours. Additionally, users are asked to recognize that sent from a company account reflects on the company, and, as such, must be used with professionalism and courtesy Signature An signature (contact information appended to the bottom of each outgoing ) is required for all s sent from the company system. 
At a minimum the signature should include the user's: Title 32 P a g e

33 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages Company name Phone number(s) Fax number if applicable URL for corporate website signatures may not include personal messages (political, humorous, etc.). The IT department is able to assist in signature setup if necessary Auto-Responders The company recommends the use of an auto-responder (if the system is equipped with such a feature) if the user will be out of the office for an entire business day or more. The autoresponse should notify the sender that the user is out of the office, the date of the user's return, and who the sender should contact if immediate assistance is required Mass ing The company makes the distinction between the sending of mass s and the sending of unsolicited (spam). Mass s may be useful for both sales and non-sales purposes (such as when communicating with the company's employees or customer base), and is allowed as the situation dictates. The sending of spam, on the other hand, is strictly prohibited. It is the company's intention to comply with applicable laws governing the sending of mass s. For this reason, as well as in order to be consistent with good business practices, the company requires that sent to more than twenty (20) recipients external to the company have the following characteristics: 1. The must contain instructions on how to unsubscribe from receiving future s (a simple "reply to this message with UNSUBSCRIBE in the subject line" will do). Unsubscribe requests must be honored immediately. 2. The must contain a subject line relevant to the content. 3. The must contain contact information, including the full physical address, of the sender. 4. The must contain no intentionally misleading information (including the header), blind redirects, or deceptive links. 
Note that s sent to company employees, existing customers, or persons who have already inquired about the company's services are exempt from the above requirements. 33 P a g e

34 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages Opening Attachments Users must use care when opening attachments. Viruses, Trojans, and other malware can be easily delivered as an attachment. Users should: Never open unexpected attachments. Never open attachments from unknown sources. Never click links within messages unless he or she is certain of the link's safety. It is often best to copy and paste the link into your web browser, or retype the URL, as speciallyformatted s can hide a malicious URL. The company may use methods to block what it considers to be dangerous or s or strip potentially harmful attachments as it deems necessary Monitoring and Privacy Users should expect no privacy when using the corporate network or company resources. Such use may include but is not limited to: transmission and storage of files, data, and messages. The company reserves the right to monitor any and all use of the computer network. To ensure compliance with company policies this may include the interception and review of any s, or other messages sent or received, inspection of data stored on personal file directories, hard disks, and removable media Company Ownership of Users should be advised that the company owns and maintains all legal rights to its systems and network, and thus any passing through these systems is owned by the company and it may be subject to use for purposes not be anticipated by the user. Keep in mind that may be backed up, otherwise copied, retained, or used for legal, disciplinary, or other reasons. Additionally, the user should be advised that sent to or from certain public or governmental entities may be considered public record Contents of Received s Users must understand that the company has little control over the contents of inbound , and that this may contain material that the user finds offensive. 
If unsolicited becomes a problem, the company may attempt to reduce the amount of this that the users receive, however no solution will be 100 percent effective. The best course of action is to not open s that, in the user's opinion, seem suspicious. If the user is particularly concerned about an , or believes that it contains illegal content, he or she should notify his or her supervisor Access to from Mobile Phones 34 P a g e

35 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages Many mobile phones or other devices, often called smartphones, provide the capability to send and receive . The company permits users to access the company system from a mobile phone. Refer to the Mobile Device Policy for more information Regulations Any specific regulations (industry, governmental, legal, etc.) relating to the company's use or retention of communications must be listed here or appended to this policy. 4.2 External and/or Personal Accounts The company recognizes that users may have personal accounts in addition to their company-provided account. The following sections apply to non-company provided accounts: Use for Company Business Users of the company's systems are given the flexibility to use either the corporate system, or personal accounts, whichever is more convenient to the user. Users should ensure that, when using non-company-provided accounts for company business, the applicable policies are followed Access from the Company Network Users are permitted to access external or personal accounts from the corporate network, as long as such access uses no more than a trivial amount of the users' time and company resources Use for Personal Reasons Users are strongly encouraged to use a non-company-provided (personal) account for any non-business communications. Users must follow applicable policies regarding the access of non-company-provided accounts from the company network. 4.3 Confidential Data and The following sections relate to confidential data and Passwords As with any company passwords, passwords used to access accounts must be kept confidential and used in adherence with the Password Policy. At the discretion of the IT Manager, the company may further secure with certificates, two factor authentication, or another security mechanism ing Confidential Data is an insecure means of communication. 
Users should think of as they would a postcard, which, like , can be intercepted and read on the way to its intended recipient. 35 P a g e

36 Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 12 Pages The company requires that any containing confidential information sent external to the company be encrypted using commercial-grade, strong encryption. Encryption is encouraged, but not required, for s containing confidential information sent internal to the company. When in doubt, encryption should be used. Further guidance on the treatment of confidential information exists in the company's Confidential Data Policy. If information contained in the Confidential Data Policy conflicts with this policy, the Confidential Data Policy will apply. 4.4 Company Administration of The company will use its best effort to administer the company's system in a manner that allows the user to both be productive while working as well as reduce the risk of an -related security incident Filtering of A good way to mitigate risk from is to filter it before it reaches the user so that the user receives only safe, business-related messages. For this reason, the company will filter at the Internet gateway and/or the mail server, in an attempt to filter out spam, viruses, or other messages that may be deemed A) contrary to this policy, or B) a potential risk to the company's IT security. No method of filtering is 100 percent effective, so the user is asked additionally to be cognizant of this policy and use common sense when opening s. Additionally, many and/or anti-malware programs will identify and quarantine s that it deems suspicious. This functionality may or may not be used at the discretion of the IT Manager Disclaimers The use of an disclaimer, usually text appended to the end of every outgoing message, is an important component in the company's risk reduction efforts. 
The company requires the use of disclaimers on every outgoing , which must contain the following notices: The is for the intended recipient only The may contain private information If the is received in error, the sender should be notified and any copies of the destroyed Any unauthorized review, use, or disclosure of the contents is prohibited 36 P a g e

An example of such a disclaimer is:

NOTE: This message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.

The company should review any applicable regulations relating to its electronic communication to ensure that its disclaimer includes all required information.

Deletion
Users are encouraged to delete email periodically when the email is no longer needed for business purposes. The goal of this policy is to keep the size of the user's email account manageable, and to reduce the burden on the company to store and back up unnecessary messages. However, users are strictly forbidden from deleting email in an attempt to hide a violation of this or another company policy. Further, email must not be deleted when there is an active investigation or litigation to which that email may be relevant. The company must note and document here any applicable regulations or statutes that apply to email deletion.

Retention and Backup
Email should be retained and backed up in accordance with the applicable policies, which may include but are not limited to the Data Classification Policy, Confidential Data Policy, Backup Policy, and Retention Policy. Unless otherwise indicated, for the purposes of backup and retention, email should be considered operational data.

Address Format
Email addresses must be constructed in a standard format in order to maintain consistency across the company. Some recommended formats are:
- Firstname.lastname@companydomain.com
- Firstinitial.lastname@companydomain.com
- Firstname-lastname@companydomain.com
- FirstnameLastname@companydomain.com
The company can choose virtually any format, as long as it can be applied consistently throughout the organization. The intent of this policy is to simplify communication as well as provide a professional appearance.

Aliases
Often the use of an alias, which is a generic address that forwards to a user account, is a good idea when the address needs to be in the public domain, such as on the Internet. Aliases reduce the exposure of unnecessary information, such as the address format for company email, as well as (often) the names of company employees who handle certain functions. Keeping this information private can decrease risk by reducing the chances of a social engineering attack. A few examples of commonly used aliases are:
- sales@companydomain.com
- techsupport@companydomain.com
- pr@companydomain.com
- info@companydomain.com
The company may or may not use aliases, as deemed appropriate by the IT Manager and/or executive team. Aliases may be used inconsistently, meaning: the company may decide that aliases are appropriate in some situations but not others, depending on the perceived level of risk.

Account Activation
Email accounts will be set up for each user determined to have a business need to send and receive company email. Accounts will be set up at the time a new hire starts with the company, or when a promotion or change in work responsibilities for an existing employee creates the need to send and receive email. At times, email accounts may be given to non-employees, contractors, or other individuals authorized to conduct certain aspects of the company's business. In these cases, the company should consider designating the temporary or non-employee status of the account in the account name, such as:
- firstname.lastname@temporary.companydomain.com
- firstname.lastname@contractor.companydomain.com
- firstname.lastname@consultant.companydomain.com

Account Termination
When a user leaves the company, or his or her access is officially terminated for another reason, the company will disable the user's access to the email account by password change, disabling the account, or another method. The company is under no obligation to block the account from receiving email, and may continue to forward inbound email sent to that account to another user, or set up an auto-response to notify the sender that the user is no longer employed by the company.

Storage Limits
As part of the email service, email storage may be provided on company servers or other devices. The email account storage size must be limited to what is reasonable for each employee, at the determination of the IT Manager. Storage limits may vary by employee or position within the company.

4.5 Prohibited Actions
The following actions shall constitute unacceptable use of the corporate email system. This list is not exhaustive, but is included to provide a frame of reference for the types of activities that are deemed unacceptable. The user may not use the corporate email system to:
- Send any information that is illegal under applicable laws.
- Access another user's account without A) the knowledge or permission of that user, which should only occur in extreme circumstances, or B) the approval of company executives in the case of an investigation, or C) when such access constitutes a function of the employee's normal job responsibilities.
- Send any emails that may cause embarrassment, damage to reputation, or other harm to the company.
- Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, harassing, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
- Send emails that cause disruption to the workplace environment or create a hostile workplace. This includes sending emails that are intentionally inflammatory, or that include information not conducive to a professional working atmosphere.
- Make fraudulent offers for products or services.
- Attempt to impersonate another person or forge an email header.
- Send spam, solicitations, chain letters, or pyramid schemes.
- Knowingly misrepresent the company's capabilities, business practices, warranties, pricing, or policies.

- Conduct non-company-related business.
The company may take steps to report and prosecute violations of this policy, in accordance with company standards and applicable laws.

Data Leakage
Data can leave the network in a number of ways. Often this occurs unintentionally, by a user with good intentions. For this reason, email poses a particular challenge to the company's control of its data. Unauthorized emailing of company data, confidential or otherwise, to external accounts for the purpose of saving this data external to company systems is prohibited. If a user needs access to information from external systems (such as from home or while traveling), that user should notify his or her supervisor rather than emailing the data to a personal account or otherwise removing it from company systems. The company may employ data loss prevention techniques to protect against leakage of confidential data, at the discretion of the IT Manager.

Sending Large Emails
Email systems were not designed to transfer large files, and as such emails should not contain attachments of excessive file size. The company asks that the user limit attachments to 10 MB or less. The user is further asked to recognize the additive effect of large attachments when sent to multiple recipients, and to use restraint when sending large files to more than one person.

4.6 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or executive team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment.
Where illegal activities are suspected, the company may report such activities to the applicable authorities. If any provision of this policy is found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
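The Data Leakage and Sending Large Emails sections above describe controls that are normally enforced at the outgoing mail gateway rather than left to the user. The following is an added example, not part of BankTEL's policy set or software, of a gateway-side check written in Python against the standard library's email package. It parses one outbound message and reports findings for a missing disclaimer, attachments over the 10 MB limit, classification labels addressed to external recipients, and attachments sent to personal webmail accounts. The company domain, the disclaimer phrase, the confidentiality labels and the list of personal webmail providers are assumptions chosen for the example; the test messages are constructed inline.

```python
"""Outbound email policy check for a mail gateway (added example, not BankTEL's code)."""
import email.utils
from email.message import EmailMessage

COMPANY_DOMAIN = "companydomain.com"  # the policy's placeholder domain; assumed
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # the 10 MB figure from the Sending Large Emails section
DISCLAIMER_PHRASE = "sole use of the intended recipient"  # assumed: wording every approved disclaimer contains
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL USE ONLY")  # assumed labels from the Data Classification Policy
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed list of personal providers


def make_message(sender, recipients, subject, body, attachment=None):
    """Build an outbound message for testing; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def is_internal(address):
    """True for the company domain and its sub-domains (contractor., temporary., ...)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def recipients_of(msg):
    """Every address in To, Cc and Bcc, lower-cased."""
    raw = [value for header in ("To", "Cc", "Bcc") for value in msg.get_all(header, [])]
    return [addr.lower() for _, addr in email.utils.getaddresses(raw) if addr]


def attachment_bytes(msg):
    """Total decoded size of all attachments (the wire size is larger because of base64)."""
    return sum(len(part.get_payload(decode=True) or b"") for part in msg.iter_attachments())


def body_text(msg):
    """The message body, preferring the plain-text part."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def check_outbound(msg, max_attachment_bytes=MAX_ATTACHMENT_BYTES):
    """Return a list of policy findings; an empty list means the message may leave the company."""
    findings = []
    text = body_text(msg)
    if DISCLAIMER_PHRASE.lower() not in text.lower():
        findings.append("disclaimer missing")

    size = attachment_bytes(msg)
    if size > max_attachment_bytes:
        findings.append(f"attachments total {size} bytes, over the {max_attachment_bytes}-byte limit")

    external = [a for a in recipients_of(msg) if not is_internal(a)]
    if external:
        # Look for classification labels in the subject, the body and attachment file names.
        names = [part.get_filename() or "" for part in msg.iter_attachments()]
        haystack = "\n".join([msg["Subject"] or "", text] + names).lower()
        hits = [m for m in CONFIDENTIAL_MARKERS if m.lower() in haystack]
        if hits:
            findings.append(f"confidential marker {hits} sent to external recipient(s) {external}")
        personal = [a for a in external if a.rsplit("@", 1)[-1] in PERSONAL_WEBMAIL]
        if personal and size > 0:
            findings.append(f"attachment sent to personal webmail account(s) {personal}")
    return findings
```

A gateway hook (a milter, or a transport rule that shells out) would call check_outbound on every message and quarantine or bounce on a non-empty result. The per-message limit is a parameter so that the same code enforces whatever figure the IT Manager sets, and sub-domains of the company domain count as internal so that the contractor and temporary account formats from Account Activation are not flagged as external.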

6.0 Definitions
Auto Responder: An email function that sends a predetermined response to anyone who sends an email to a certain address. Often used by employees who will not have access to email for an extended period of time, to notify senders of their absence.
Certificate: Also called a "Digital Certificate." A file that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management to establish trust of the remote entity.
Data Leakage: Also called Data Loss, data leakage refers to data or intellectual property that is pilfered in small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious and sometimes inadvertent, by users with good intentions.
Email: Short for electronic mail, refers to electronic letters and other communication sent between networked computer users, either within a company or between companies.
Encryption: The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.
Spam: Unsolicited bulk email. Spam often includes advertisements, but can include malware, links to infected websites, or other malicious or objectionable content.
Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
Two Factor Authentication: A means of authenticating a user that combines two distinct factors: something the user has (a smart card or token) or something the user is (a biometric), together with something the user knows (a password).

7.0 Revision History
Revision 1.0, 8/23/2012

Encryption Policy
Created: 8/23/2012. Section of: Corporate Security Policies. Target Audience: Technical. 4 Pages.
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Encryption, an application of cryptography, can be used to secure data while it is stored or being transmitted. It is a powerful tool when applied and managed correctly. As the amount of data the company must store digitally increases, the use of encryption must be defined and consistently implemented in order to ensure that the security potential of this technology is realized.

2.0 Purpose
The purpose of this policy is to outline the company's standards for use of encryption technology so that it is used securely and managed appropriately. Many policies touch on encryption of data, so this policy does not cover what data is to be encrypted, but rather how encryption is to be implemented and controlled.

3.0 Scope
This policy covers all data stored on or transmitted across corporate systems.

4.0 Policy
4.1 Applicability of Encryption
1. Data while stored. This includes any data located on company-owned or company-provided systems, devices, media, etc. Examples of encryption options for stored data include:
- Whole disk encryption
- Encryption of partitions/files
- Encryption of disk drives
- Encryption of personal storage media/USB drives
- Encryption of backups
- Encryption of data generated by applications
2. Data while transmitted. This includes any data sent across the company network, or any data sent to or from a company-owned or company-provided system. Types of transmitted data that can be encrypted include:
- VPN tunnels
- Remote access sessions
- Web applications
- Email and attachments
- Remote desktop access
- Communications with applications/databases

4.2 Encryption Key Management
Key management is critical to the success of an implementation of encryption technology. The following guidelines apply to the company's encryption keys and key management:
- Management of keys must ensure that data is available for decryption when needed
- Keys must be backed up
- Keys must be locked up
- Keys must never be transmitted in clear text
- Keys are confidential data
- Keys must not be shared
- Physical key generation materials must be destroyed within 5 business days.
- Keys must be used and changed in accordance with the password policy.
- When user-supplied keys (passphrases) are employed, the minimum key length is 10 characters.

4.3 Acceptable Encryption Algorithms
Only the strongest types of generally-accepted, non-proprietary encryption algorithms are allowed, such as AES or 3DES. Acceptable algorithms should be reevaluated as encryption technology changes; note that 3DES has since been deprecated by NIST and should be treated as a legacy algorithm, with AES preferred for any new use. Use of proprietary encryption is specifically forbidden since it has not been subjected to public inspection and its security cannot be assured.

4.4 Legal Use
Some governments have regulations applying to the use and import/export of encryption technology. The company must conform with the encryption regulations of the local or applicable government. The company specifically forbids the use of encryption to hide illegal, immoral, or unethical acts. Anyone doing so is in violation of this policy and will face immediate consequences per the Enforcement section of this document.

4.5 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Encryption Key: A secret value (a bit string, sometimes derived from a passphrase) that enables data to be encrypted and decrypted.
Mobile Storage Media: A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
Password: A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode.
Remote Access: The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, email, or other resources at a main site.
Remote Desktop Access: Remote control software that allows users to connect to, interact with, and control a computer over the Internet just as if they were sitting in front of that computer.
Virtual Private Network (VPN): A secure network implemented over an insecure medium, created by using encrypted tunnels for communication between endpoints.

Whole Disk Encryption: A method of encryption that encrypts all data on a particular drive or volume, including swap space and temporary files.

7.0 Revision History
Revision 1.0, 8/23/2012

Guest Access Policy
Created: 8/23/2012. Section of: Corporate Security Policies. Target Audience: Technical. 3 Pages.
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Guest access to the company's network is often necessary for customers, consultants, or vendors who are visiting the company's offices. This can be simply in the form of outbound Internet access, or the guest may require access to specific resources on the company's network. Guest access to the company's network must be tightly controlled.

2.0 Purpose
The company may wish to provide network access as a courtesy to guests wishing to access the Internet, or by necessity to visitors with a business need to access the company's resources. This policy outlines the company's procedures for securing guest access.

3.0 Scope
The scope of this policy includes any visitor to the company wishing to access the network or Internet through the company's infrastructure, and covers both wired and wireless connections. This scope excludes guests accessing wireless broadband accounts directly through a cellular carrier or third party where the traffic does not traverse the company's network.

4.0 Policy
4.1 Granting Guest Access
Guest access will be provided on a case-by-case basis to any person who can demonstrate a reasonable business need to access the network, or to access the Internet from the company network.

AUP Acceptance
Guests must agree to and sign the company's Acceptable Use Policy (AUP) before being granted access.

Approval
Guest need for access will be evaluated and provided on a case-by-case basis. This should involve management approval if the request is non-standard.

Account Use
Guest accounts, if offered, are only to be used by guests. Users with network accounts must use their own accounts for network access. Guest accounts must be set up for each guest accessing the company's network. Guest accounts must have specific expiration dates that correlate to the business need for the individual guest's access. The account expiration date is not to exceed thirty days.

Security of Guest Machines
Guests are expected to be responsible for maintaining the security of their machines, and to ensure that they are free of viruses, Trojans, malware, etc. The company reserves the right to inspect a guest's machine if a security problem is suspected, but will not inspect each guest's system prior to granting access to the network.

4.2 Guest Access Infrastructure Requirements
Best practice dictates that guest access be kept separate, either logically or physically, from the corporate network, since guests have typically not undergone the same amount of scrutiny as the company's employees. At a minimum, guest access must be logically separated from the company's network via a demilitarized zone (DMZ), firewall, or other access controls. Guest access should be provided prudently and monitored for appropriateness of use.

4.3 Restrictions on Guest Access
Guest access will be restricted to the minimum amount necessary. Depending on the guest needing access, this can often be limited to outbound Internet access only. The company will evaluate the need of each guest and provide further access if there is a business need to do so.

4.4 Monitoring of Guest Access
Since guests are not employees of the company, they are not considered trusted users.
As such, the company will monitor guest access to ensure that the company's interests are protected and the Acceptable Use Policy is being adhered to.

4.5 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Account: A combination of username and password that allows access to computer or network resources.
Guest: A visitor to the company premises who is not an employee.

7.0 Revision History
Revision 1.0, 8/23/2012

Incident Response Policy
Created: 8/23/2012. Section of: Corporate Security Policies. Target Audience: Technical. 6 Pages.
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
A security incident can come in many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data. A well-thought-out Incident Response Policy is critical to successful recovery from an incident. This policy covers all incidents that may affect the security and integrity of the company's information assets, and outlines steps to take in the event of such an incident.

2.0 Purpose
This policy is intended to ensure that the company is prepared if a security incident were to occur. It details exactly what must occur if an incident is suspected, covering both electronic and physical security incidents. Note that this policy is not intended to provide a substitute for legal advice, and approaches the topic from a security practices perspective.

3.0 Scope
The scope of this policy covers all information assets owned or provided by the company, whether they reside on the corporate network or elsewhere.

4.0 Policy
4.1 Types of Incidents
A security incident, as it relates to the company's information assets, can take one of two forms. For the purposes of this policy a security incident is defined as one of the following:
- Electronic: This type of incident can range from an attacker or user accessing the network for unauthorized/malicious purposes, to a virus outbreak, to a suspected Trojan or malware infection.
- Physical: A physical IT security incident involves the loss or theft of a laptop, mobile device, PDA/Smartphone, portable storage device, or other digital apparatus that may contain company information.

4.2 Preparation
Work done prior to a security incident is arguably more important than work done after an incident is discovered. The most important preparation work, obviously, is maintaining good security controls that will prevent or limit damage in the event of an incident. This includes technical tools such as firewalls, intrusion detection systems, authentication, and encryption; and non-technical tools such as good physical security for laptops and mobile devices. Additionally, prior to an incident, the company must ensure that the following is clear to IT personnel:
- What actions to take when an incident is suspected.
- Who is responsible for responding to an incident.
The company must have discussions with an IT security company that offers incident response services before such an incident occurs, in order to prepare an emergency service contract. This will ensure that high-end resources are quickly available during an incident. Finally, the company should review any industry or governmental regulations that dictate how it must respond to a security incident (specifically, loss of customer data), and ensure that its incident response plans adhere to these regulations.

4.3 Confidentiality
All information related to an electronic or physical security incident must be treated as confidential information until the incident is fully contained. This will serve both to protect employees' reputations (if an incident is due to an error, negligence, or carelessness), and to control the release of information to the media and/or customers.

4.4 Electronic Incidents
When an electronic incident is suspected, the company's goal is to recover as quickly as possible, limit the damage done, and secure the network. The following steps should be taken in order:
1. Remove the compromised device from the network by unplugging or disabling its network connection. Do not power down the machine: powering off destroys volatile evidence such as memory contents, running processes, and active network connections.
2. Disable the compromised account(s) as appropriate.
3. Report the incident to the IT Manager.
4. Back up all data and logs on the machine, or copy/image the machine to another system.

5. Determine exactly what happened and the scope of the incident. Was it an accident? An attack? A virus? Was confidential data involved? Was it limited to only the system in question, or was it more widespread?
6. Notify company management/executives as appropriate.
7. Contact an IT security consultant as needed.
8. Determine how the attacker gained access and disable this access.
9. Rebuild the system, including a complete operating system reinstall.
10. Restore any needed data from the last known good backup and put the system back online.
11. Take actions, as possible, to ensure that the vulnerability (or similar vulnerabilities) will not reappear.
12. Reflect on the incident. What can be learned? How did the incident response team perform? Was the policy adequate? What could be done differently?
13. Consider a vulnerability assessment as a way to spot any other vulnerabilities before they can be exploited.

4.5 Physical Incidents
Physical security incidents are challenging, since often the only actions that can be taken to mitigate the incident must be done in advance. This makes preparation critical. One of the best ways to prepare is to mandate the use of strong encryption to secure data on mobile devices. Applicable policies, such as those covering encryption and confidential data, should be reviewed. Physical security incidents are most likely the result of a random theft or inadvertent loss by a user, but they must be treated as if they were targeted at the company. The company must assume that such a loss will occur at some point, and periodically survey a random sampling of laptops and mobile devices to determine the risk if one were to be lost or stolen.

Response
Establish the severity of the incident by determining the data stored on the missing device. This can often be done by referring to a recent backup of the device. Two important questions must be answered:
1. Was confidential data involved?
   a. If not, refer to "Loss Contained" below.
   b. If confidential data was involved, refer to "Data Loss Suspected" below.
2. Was strong encryption used?
   a. If strong encryption was used, refer to "Loss Contained" below.
   b. If not, refer to "Data Loss Suspected" below.
Taken together: the loss is contained only if no confidential data was on the device, or the data was protected by strong encryption whose key or passphrase was not stored with the device; unencrypted confidential data means data loss must be suspected.

Loss Contained
First, change any usernames, passwords, account information, WEP/WPA keys, passphrases, etc., that were stored on the system. Notify the IT Manager. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities if a theft has occurred.

Data Loss Suspected
First, notify the executive team, legal counsel, and/or public relations group so that each team can evaluate and prepare a response in their area. Change any usernames, passwords, account information, WEP/WPA keys, passphrases, etc., that were stored on the system. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities as needed if a theft has occurred, and follow the disclosure guidelines specified in the Notification section. Review procedures to ensure that the risk of future incidents is reduced by implementing stronger physical security controls.

4.6 Notification
If an electronic or physical security incident is suspected to have resulted in the loss of third-party or customer data, follow applicable regulations and/or industry breach disclosure laws, and append the regulations to this policy.

4.7 Managing Risk
Managing the risk of a security incident or data loss is the primary reason to create and maintain a comprehensive security policy. Risks can come in many forms: electronic risks like data corruption, computer viruses, hackers, or malicious users; or physical risks such as loss/theft of a device, hardware failure, fire, or a natural disaster. Protecting critical data and systems from these risks is of paramount importance to the company.

Risk Assessment
As part of the risk management process, the company must conduct an accurate and thorough assessment of the potential risks (man-made and natural) and any vulnerabilities to the confidentiality, integrity, and availability of the company's critical or confidential information.

An assessment must be thorough, can be performed by company personnel or external consultants (or both), and must be well documented.

Risk Management Program
A formal risk management program must be implemented to cover any risks known to the company (which should be identified through a risk assessment), and to ensure that reasonable security measures are in place to mitigate any identified risks to a level that will ensure the continued security of the company's confidential and critical data.

4.8 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Malware: Short for "malicious software." A software application designed with malicious intent. Viruses and Trojans are common examples of malware.
Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
PDA: Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.
Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
Trojan: Also called a "Trojan Horse." An application that is disguised as something innocuous or legitimate, but harbors a malicious payload. Trojans can be used to covertly and remotely gain access to a computer, log keystrokes, or perform other malicious or destructive acts.
Virus: Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.
WEP: Stands for Wired Equivalent Privacy. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. WEP can be cryptographically broken with relative ease.
WPA: Stands for WiFi Protected Access. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. Newer and considered more secure than WEP.

7.0 Revision History
Revision 1.0, 8/23/2012

6.1.9 Mobile Device Policy
Created: 8/23/2012. Section of: Corporate Security Policies. Target Audience: Users, Technical. 4 Pages.
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Generally speaking, a more mobile workforce is a more flexible and productive workforce. For this reason, business use of mobile devices is growing. However, as these devices become vital tools to the workforce, more and more sensitive data is stored on them, and thus the risk associated with their use is growing. Special consideration must be given to the security of mobile devices.

2.0 Purpose
The purpose of this policy is to specify company standards for the use and security of mobile devices.

3.0 Scope
This policy applies to company data as it relates to mobile devices that are capable of storing such data, including, but not limited to, laptops, notebooks, PDAs, smart phones, and USB drives. Since the policy covers the data itself, ownership of the mobile device is irrelevant. This policy covers any mobile device capable of coming into contact with company data.

4.0 Policy
4.1 Physical Security
By nature, a mobile device is more susceptible to loss or theft than a non-mobile system. The company should carefully consider the physical security of its mobile devices and take appropriate protective measures, including the following:
- Laptop locks and cables can be used to secure laptops when in the office or other fixed locations.
- Mobile devices should be kept out of sight when not in use.
- Care should be given when using or transporting mobile devices in busy areas.
- As a general rule, mobile devices must not be stored in cars. If the situation leaves no other viable alternative, the device must be stored in the trunk, with the interior trunk release locked, or in a lockable compartment such as a glove box.
- The company should evaluate the data that will be stored on mobile devices and consider remote wipe/remote delete technology. This technology allows a user or administrator to make the data on the mobile device unrecoverable, provided the device is still reachable over the network when the wipe is issued.
- The company should continue to monitor the market for physical security products for mobile devices, as it is constantly evolving.

4.2 Data Security
If a mobile device is lost or stolen, the data security controls that were implemented on the device are the last line of defense for protecting company data. The following sections specify the company's requirements for data security as it relates to mobile devices.

Laptops
At a minimum, company data must be stored on an encrypted partition. Whole disk encryption should be considered if the data is especially sensitive; an encrypted data partition does not protect copies of that data that land in swap space, temporary files, or application caches on the unencrypted system volume, whereas whole disk encryption covers those too. Laptops must require a username and password or biometrics for login.

PDAs/Smart Phones
Use of encryption is not required on PDAs/smart phones, but it is encouraged if the data stored on the device is especially sensitive. PDAs/smart phones must require a password for login.

Mobile Storage Media
This section covers any USB drive, flash drive, memory stick or other personal data storage media. Storing company data on such devices is not permitted under any circumstance.

Portable Media Players
No company data can be stored on personal media players.

Other Mobile Devices
Unless specifically addressed by this policy, storing company data on other mobile devices, or connecting such devices to company systems, is expressly prohibited.
Questions or requests for clarification on what is and is not covered should be directed to the IT Manager. 4.3 Connecting to Unsecured Networks Users must not connect to any outside network without a secure, up-to-date software firewall configured on the mobile computer. Examples of unsecured networks would typically, but not always, relate to Internet access, such as access provided from a home network, access provided 56 P a g e

57 6.1.9 Mobile Device Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 4 Pages by a hotel, an open or for-pay wireless hotspot, a convention network, or any other network not under direct control of the company. 4.4 General Guidelines The following guidelines apply to the use of mobile devices: Loss, Theft, or other security incident related to a company-provided mobile device must be reported promptly. Confidential data should not be stored on mobile devices unless it is absolutely necessary. If confidential data is stored on a mobile device it must be appropriately secured and comply with the Confidential Data policy. Data stored on mobile devices must be securely disposed of in accordance with the Data Classification Policy. Users are not to store company data on non-company-provided mobile equipment. This does not include simple contact information, such as phone numbers and addresses, stored in an address book on a personal phone or PDA. 4.5 Audits The company must conduct periodic reviews to ensure policy compliance. A sampling of mobile devices must be taken and audited against this policy on a yearly basis. 4.6 Applicability of Other Policies This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed. 5.0 Enforcement This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities. 6.0 Definitions 57 P a g e

58 6.1.9 Mobile Device Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 4 Pages Encryption The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored. Mobile Devices A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones. Mobile Storage Media A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive. Password A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode. PDA Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes. Portable Media Player A mobile entertainment device used to play audio and video files. Examples are mp3 players and video players. Smartphone A mobile telephone that offers additional applications, such as PDA functions and Revision History Revision 1.0, 8/23/ P a g e

Network Access and Authentication Policy
Section of: Corporate Security Policies
Created: 8/23/2012
Target Audience: Technical
5 Pages

Network Access and Authentication Policy

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Consistent standards for network access and authentication are critical to the company's information security and are often required by regulations or third-party agreements. Any user accessing the company's computer systems has the ability to affect the security of all users of the network. An appropriate Network Access and Authentication Policy reduces the risk of a security incident by requiring consistent application of authentication and access standards across the network.

2.0 Purpose
The purpose of this policy is to describe what steps must be taken to ensure that users connecting to the corporate network are authenticated in an appropriate manner, in compliance with company standards, and are given the least amount of access required to perform their job function. This policy specifies what constitutes appropriate use of network accounts and authentication standards.

3.0 Scope
The scope of this policy includes all users who have access to company-owned or company-provided computers or require access to the corporate network and/or systems. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the corporate network. Public access to the company's externally-reachable systems, such as its corporate website or public web applications, is specifically excluded from this policy.

4.0 Policy

4.1 Account Setup
During initial account setup, certain checks must be performed in order to ensure the integrity of the process. The following policies apply to account setup:
- Positive ID and coordination with Human Resources is required.
- Users will be granted the least amount of network access required to perform their job function.
- Users will be granted access only if they accept the Acceptable Use Policy.
- Access to the network will be granted in accordance with the Acceptable Use Policy.

4.2 Account Use
Network accounts must be implemented in a standard fashion and utilized consistently across the organization. The following policies apply to account use:
- Accounts must be created using a standard format (e.g., firstname-lastname or firstinitial-lastname).
- Accounts must be password protected (refer to the Password Policy for more detailed information).
- Accounts must be for individuals only. Account sharing and group accounts are not permitted.
- User accounts must not be given administrator or 'root' access unless this is necessary to perform the user's job function.
- Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed.
- Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the IT Manager or executive team, or as required by applicable regulations or third-party agreements.

4.3 Account Termination
When managing network and user accounts, it is important to stay in communication with the Human Resources department so that when an employee no longer works at the company, that employee's account can be disabled. Human Resources must create a process to notify the IT Manager in the event of a staffing change, which includes employment termination, employment suspension, or a change of job function (promotion, demotion, suspension, etc.).

4.4 Authentication
User machines must be configured to request authentication against the domain at startup. If the domain is not available or authentication for some reason cannot occur, then the machine should not be permitted to access the network.

4.5 Use of Passwords
When accessing the network locally, username and password is an acceptable means of authentication. Usernames must be consistent with the requirements set forth in this document, and passwords must conform to the company's Password Policy.

4.6 Remote Network Access
Remote access to the network can be provided for the convenience of users, but this comes at some risk to security. For that reason, the company encourages additional scrutiny of users remotely accessing the network. The company's standards dictate that username and password is an acceptable means of authentication as long as appropriate policies are followed. Remote access must adhere to the Remote Access Policy.

4.7 Screensaver Passwords
Screensaver passwords offer an easy way to strengthen security by removing the opportunity for a malicious user, curious employee, or intruder to access network resources through an idle computer. For this reason screensaver passwords are required and must activate after 5 minutes of inactivity.

4.8 Minimum Configuration for Access
Any system connecting to the network can have a serious impact on the security of the entire network. A vulnerability, virus, or other malware may be inadvertently introduced in this manner. For this reason, users should update their antivirus software, as well as other critical software, to the latest versions before accessing the network.

4.9 Encryption
Industry best practice is that username and password combinations must never be sent as plain text. If this information were intercepted, it could result in a serious security incident. Therefore, authentication credentials must be encrypted during transmission across any network, whether the transmission occurs internal to the company network or across a public network such as the Internet.

4.10 Failed Logons
Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user's account after 5 unsuccessful logins. This can be implemented as a time-based lockout or require a manual reset, at the discretion of the IT Manager.

In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or the password was incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."

4.11 Non-Business Hours
While some security can be gained by removing account access capabilities during non-business hours, the company does not mandate time-of-day lockouts. This may be either to encourage working remotely, or because the company's business requires all-hours access.

4.12 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Antivirus Software: An application used to protect a computer from viruses, typically through real-time defenses and periodic scanning. Antivirus software has evolved to cover other threats, including Trojans, spyware, and other malware.
Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Biometrics: The process of using a person's unique physical characteristics to prove that person's identity. Commonly used are fingerprints, retinal patterns, and hand geometry.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Password: A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode.
Smart Card: A plastic card containing a computer chip capable of storing information, typically to prove the identity of the user. A card reader is required to access the information.
Token: A small hardware device used to access a computer or network. Tokens are typically in the form of an electronic card or key fob with a regularly changing code on its display.

7.0 Revision History
Revision 1.0, 8/23/2012
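The lockout and error-message requirements of 4.10 above (repeated for network devices in the Network Security Policy, 4.1.2) and the password construction rules of that policy's 4.1.1 are exactly what its 4.1.4 says must be enforced by an application rather than by instruction alone. The following is an added example of such enforcement written for this edition of the page; it is not BankTEL's code and the company's actual mechanism is not described here. The in-memory user store, the 15-minute lockout window, the six-word stand-in dictionary, the audit-log format and the PBKDF2 settings are assumptions; the policy itself leaves the lockout duration and the choice between a timed and a manual reset to the IT Manager.

```python
"""Login enforcement per Network Access Policy 4.10 and Network Security Policy 4.1.1-4.1.4.
Added example, not BankTEL's code: the user store, lockout window, word list and log format are assumed."""
import hashlib
import hmac
import os
import re
import string
import time
from dataclasses import dataclass

MAX_FAILURES = 5              # 4.10: lock the account after 5 unsuccessful logins
LOCKOUT_SECONDS = 15 * 60     # assumed length of the time-based lockout (the policy leaves it to the IT Manager)
MANUAL_RESET = float("inf")   # locked_until value meaning "stays locked until an administrator unlocks it"
GENERIC_ERROR = "The username and/or password you supplied were incorrect."   # 4.10: same text either way

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "columbus", "secret", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def password_violations(password, personal_terms=()):
    """Return the 4.1.1 construction rules the candidate password breaks (empty list = acceptable)."""
    lower, problems = password.lower(), []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs punctuation or a symbol")
    if any(word in lower for word in DICTIONARY):
        problems.append("contains a dictionary word")
    rows = KEYBOARD_ROWS + tuple(row[::-1] for row in KEYBOARD_ROWS)   # qwerty, and ytrewq
    if any(lower[i:i + 4] in row for i in range(len(lower) - 3) for row in rows):
        problems.append("contains a keyboard sequence")
    if any(term.lower() in lower for term in personal_terms if term):  # birthday, phone number, etc.
        problems.append("contains personal information")
    return problems


def _derive(password, salt):
    """Slow salted hash so a stolen credential store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # 0.0 = not locked


class LoginService:
    def __init__(self, clock=time.time, manual_reset=False):
        self._clock, self._manual_reset = clock, manual_reset
        self._accounts = {}
        self.audit = []   # records outcomes only; the password that was tried never reaches a log
        # A decoy credential is hashed for unknown usernames so the response time does not
        # reveal whether the account exists, which the generic error text is meant to hide.
        self._decoy_salt = os.urandom(16)
        self._decoy_digest = _derive(os.urandom(16).hex(), self._decoy_salt)

    def register(self, username, password, personal_terms=()):
        problems = password_violations(password, personal_terms)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, _derive(password, salt))

    def unlock(self, username):
        """Administrative reset, the manual alternative that 4.10 allows."""
        self._accounts[username].failures = 0
        self._accounts[username].locked_until = 0.0

    def login(self, username, password):
        """Return (success, message); the message is GENERIC_ERROR for every kind of failure."""
        now, acct = self._clock(), self._accounts.get(username)
        if acct is None:
            hmac.compare_digest(_derive(password, self._decoy_salt), self._decoy_digest)
            self.audit.append(f"{now:.0f} FAIL user={username} reason=unknown-user")
            return False, GENERIC_ERROR
        if now < acct.locked_until:                # locked: even the right password is refused
            self.audit.append(f"{now:.0f} FAIL user={username} reason=locked")
            return False, GENERIC_ERROR
        if acct.locked_until:                      # a timed lockout has expired; start counting afresh
            acct.failures, acct.locked_until = 0, 0.0
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            self.audit.append(f"{now:.0f} OK user={username}")
            return True, "OK"
        acct.failures += 1
        self.audit.append(f"{now:.0f} FAIL user={username} failures={acct.failures}")
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = MANUAL_RESET if self._manual_reset else now + LOCKOUT_SECONDS
            self.audit.append(f"{now:.0f} LOCK user={username}")
        return False, GENERIC_ERROR
```

Two details go beyond the letter of the policy but follow from its intent: a locked account is refused with the same generic message rather than an "account locked" response, because that response would confirm the account exists to whoever is guessing; and an unknown username still costs one hash computation, so a guesser cannot tell existing from non-existing accounts by timing either. The audit list is the place to watch for LOCK entries during the monthly log review that the Network Security Policy calls for.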

Network Security Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Technical
13 Pages

Network Security Policy

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
The company wishes to provide a secure network infrastructure in order to protect the integrity of corporate data and mitigate the risk of a security incident. While security policies typically avoid providing overly technical guidelines, this policy is necessarily a more technical document than most.

2.0 Purpose
The purpose of this policy is to establish the technical guidelines for IT security, and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the company's comprehensive set of security policies. However, this policy purposely avoids being overly specific in order to provide some latitude in implementation and management strategies.

3.0 Scope
This policy covers all IT systems and devices that comprise the corporate network or that are otherwise controlled by the company.

4.0 Policy

4.1 Network Device Passwords
A compromised password on a network device could have devastating, network-wide consequences. Passwords that are used to secure these devices, such as routers, switches, and servers, must be held to higher standards than standard user-level or desktop system passwords.

4.1.1 Password Construction
The following statements apply to the construction of passwords for network devices:
- Passwords should be at least 8 characters.
- Passwords should be comprised of a mix of letters, numbers and special characters (punctuation marks and symbols).
- Passwords should be comprised of a mix of upper and lower case characters.
- Passwords should not be comprised of, or otherwise utilize, words that can be found in a dictionary.
- Passwords should not be comprised of an obvious keyboard sequence (e.g., qwerty).
- Passwords should not include "guessable" data such as personal information like birthdays, addresses, phone numbers, locations, etc.

4.1.2 Failed Logons
Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user's account after 5 unsuccessful logins. This can be implemented as a time-based lockout or require a manual reset, at the discretion of the IT Manager.
In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or the password was incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."

4.1.3 Change Requirements
Passwords must be changed according to the company's Password Policy. Additionally, the following requirements apply to changing network device passwords:
- If any network device password is suspected to have been compromised, all network device passwords must be changed immediately.
- If a company network or system administrator leaves the company, all passwords to which the administrator could have had access must be changed immediately. This statement also applies to any consultant or contractor who has access to administrative passwords.
- Vendor default passwords must be changed when new devices are put into service.

4.1.4 Password Policy Enforcement
Where passwords are used, an application must be implemented that enforces the company's password policies on construction, changes, re-use, lockout, etc.

4.1.5 Administrative Password Guidelines
As a general rule, administrative (also known as "root") access to systems should be limited to only those who have a legitimate business need for this type of access. This is particularly important for network devices, since administrative changes can have a major effect on the network and, as such, on network security. Additionally, administrative access to network devices should be logged.

4.2 Logging
The logging of certain events is an important component of good network management practices. Logging needs vary depending on the type of network system and the type of data the system holds. The following sections detail the company's requirements for logging and log review.

4.2.1 Application Servers
Logs from application servers are of interest since these servers often allow connections from a large number of internal and/or external sources. These devices are often integral to smooth business operations.
Examples: Web, e-mail, and database servers
Requirement: Logging of at least errors, faults, and login failures is encouraged but not required. No passwords should be contained in logs.

4.2.2 Network Devices
Logs from network devices are of interest since these devices control all network traffic and can have a huge impact on the company's security.
Examples: Firewalls, network switches, routers
Requirement: Logging of at least errors, faults, and login failures is encouraged but not required. No passwords should be contained in logs.

4.2.3 Critical Devices
Critical devices are any systems that are critically important to business operations. These systems may also fall under the other categories above; in any case where this occurs, this section shall supersede.
Examples: File servers, lab or manufacturing machines, systems storing intellectual property
Requirements: Logging of at least errors, faults, and login failures is encouraged but not required. No passwords should be contained in logs.

4.2.4 Log Management
While logging is important to the company's network security, log management can become burdensome if not implemented appropriately. As logs grow, so does the time required to review them. For this reason, the company recommends that a log management application be considered.

4.2.5 Log Review
Device logs do little good if they are not reviewed on a regular basis. Log management applications can assist in highlighting important events; however, a member of the company's IT team must still review the logs at least once per month.

4.2.6 Log Retention
Logs should be retained in accordance with the company's Retention Policy. Unless otherwise determined by the IT Manager, logs should be considered operational data.

4.3 Firewalls
Firewalls are arguably the most important component of a sound security strategy. Internet connections and other unsecured networks must be separated from the company network through the use of a firewall.

4.3.1 Configuration
The following statements apply to the company's implementation of firewall technology:
- Firewalls must provide secure administrative access (through the use of encryption), with management access limited, if possible, to only those networks from which management connections would be expected to originate.
- No unnecessary services or applications should be enabled on firewalls. The company should use 'hardened' systems, or appliances, as firewall platforms.
- Clocks on firewalls should be synchronized with the company's other networking hardware using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.
- The firewall ruleset must be documented and audited quarterly. Audits must cover each rule: what it is for, whether it is still necessary, and whether it can be improved.
- For its own protection, the firewall ruleset must include a "stealth rule," which forbids connections to the firewall itself.
- The firewall must log dropped or rejected packets.

4.3.2 Outbound Traffic Filtering

Firewalls are often configured to block only inbound connections from external sources; however, by also filtering outbound connections from the network, security can be greatly improved. This practice is also referred to as "egress traffic filtering." Blocking outbound traffic prevents users from accessing unnecessary, and many times dangerous, services. By specifying exactly what outbound traffic to allow, all other outbound traffic is blocked. This type of filtering limits the channels available to rootkits, viruses, and other malicious tools if a host were to become compromised, although malware that communicates over a permitted port (such as 80 or 443) will still pass. The company requires that permitted outbound traffic be limited to only known "good" services, which are the following ports: 21, 22, 23, 25, 53, 80, 110, 443, and 995. All other outbound traffic must be blocked at the firewall unless an exception is granted by the IT Manager.

4.4 Networking Hardware
Networking hardware, such as routers, switches, hubs, bridges, and access points, should be implemented in a consistent manner. The following statements apply to the company's implementation of networking hardware:
- Networking hardware must provide secure administrative access (through the use of encryption), with management access limited, if possible, to only those networks from which management connections would be expected to originate.
- Clocks on all network hardware should be synchronized using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.
- If possible for the application, switches are preferred over hubs. When using switches, the company should use VLANs to separate networks if it is reasonable and possible to do so.
- Access control lists should be implemented on network devices that prohibit direct connections to the devices. Exceptions to this are management connections, which can be limited to known sources.
- Unused services and ports should be disabled on networking hardware.
- Access to administrative ports on networking hardware should be restricted to known management hosts and otherwise blocked with a firewall or access control list.

4.5 Network Servers
Servers typically accept connections from a number of sources, both internal and external. As a general rule, the more sources that connect to a system, the more risk is associated with that system, so it is particularly important to secure network servers. The following statements apply to the company's use of network servers:
- Unnecessary files, services, and ports should be removed or blocked.
- If possible, follow a server-hardening guide, which is available from the leading operating system manufacturers.
- Network servers, even those meant to accept public connections, must be protected by a firewall or access control list.
- If possible, a standard installation process should be developed for the company's network servers. This will provide consistency across servers no matter which employee or contractor handles the installation.
- Clocks on network servers should be synchronized with the company's other networking hardware using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.

4.6 Intrusion Detection/Intrusion Prevention
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) technology can be useful in network monitoring and security. The tools differ in that an IDS alerts on suspicious activity whereas an IPS blocks the activity. When tuned correctly, IDSs are useful, but they can generate a large amount of data that must be evaluated for the system to be of any use. IPSs automatically take action when they see suspicious events, which can be both good and bad, since legitimate network traffic can be blocked along with malicious traffic. The company neither requires nor prohibits the use of IDS or IPS systems. The decision to use IDS/IPS systems is left to the discretion of the IT Manager.

4.7 Security Testing
Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the company's network security. Security testing can be provided by IT Staff members, but is often more effective when performed by a third party with no connection to the company's day-to-day Information Technology activities. The following sections detail the company's requirements for security testing.

4.7.1 Internal Security Testing
Internal security testing does not necessarily refer to testing of the internal network, but rather to testing performed by members of the company's IT team. Internal testing should not replace external testing; however, when external testing is not practical for any reason, or as a supplement to external testing, internal testing can be helpful in assessing the security of the network.

Internal security testing is allowable, but only by employees whose job function is to assess security, and only with the permission of the IT Manager. Internal testing should have no measurable negative impact on the company's systems or network performance.

4.7.2 External Security Testing
External security testing, which is testing by a third-party entity, is an excellent way to audit the company's security controls. The IT Manager must determine to what extent this testing should be performed, and what systems/applications it should cover. External testing must not negatively affect network performance during business hours or network security at any time. As a rule, "penetration testing," which is the active exploitation of company vulnerabilities, should be discouraged. If penetration testing is performed, it must not negatively impact company systems or data. The company encourages external security testing, but does not provide rigid guidelines regarding the intervals at which the testing should occur. Testing should be performed as often as is necessary, as determined by the IT Manager.

4.8 Disposal of Information Technology Assets
IT assets, such as network servers and routers, often contain sensitive data about the company's network communications. When such assets are decommissioned, the following guidelines must be followed:
- Any asset tags or stickers that identify the company must be removed before disposal.
- Any configuration information must be removed by deletion or, if applicable, by resetting the device to factory defaults.
- Physical destruction of the device's data storage mechanism (such as its hard drive or solid state memory) is required. If physical destruction is not possible, the IT Manager must be notified.

4.9 Network Compartmentalization
Good network design is integral to network security. By implementing network compartmentalization, which is separating the network into different segments, the company will reduce its network-wide risk from an attack or virus outbreak. Further, security can be increased if traffic must traverse additional enforcement/inspection points. The company requires the following with regard to network compartmentalization:

4.9.1 Higher Risk Networks
Examples: Guest network, wireless network
Requirements: Segmentation of higher risk networks from the company's internal network is required, and must be enforced with a firewall or router that provides access controls.

4.9.2 Externally-Accessible Systems
Examples: E-mail servers, web servers
Requirements: Segmentation of externally-accessible systems from the company's internal network is required, and must be enforced with a firewall or router that provides access controls.

4.9.3 Internal Networks
Examples: Sales, Finance, Human Resources
Requirements: Segmentation of internal networks from one another can improve security as well as reduce the chance that a user will access data that he or she has no right to access. The company requires that networks be segmented to the fullest reasonable extent.

4.10 Network Documentation
Network documentation, specifically as it relates to security, is important for efficient and successful network management. Further, the process of regularly documenting the network ensures that the company's IT Staff has a firm understanding of the network architecture at any given time. The intangible benefits of this are considerable. At a minimum, network documentation must include:
- Network diagram(s)
- System configurations
- Firewall ruleset
- IP addresses
- Access control lists
The company requires that network documentation be performed and updated on a quarterly basis.
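The quarterly ruleset audit of 4.3.1, the egress allowlist of 4.3.2 and the documented firewall ruleset that 4.10 asks for can be tied together by checking the saved ruleset mechanically instead of reading it by eye each quarter. The following is an added example of such a check written for this page; it is not BankTEL's tooling and says nothing about how the company actually audits its firewall. It reads an `iptables-save` dump (a constructed sample is embedded, with deliberate departures for the audit to find) and reports where the ruleset misses the policy's requirements: default deny, a stealth rule protecting the firewall itself, logging of dropped packets, and outbound traffic restricted to the listed ports. The interface names (eth0 toward the Internet, eth1 toward the LAN), the management network 10.1.99.0/24, and holding the firewall's own OUTPUT chain to default deny are assumptions. It also flags allowlisted ports whose protocols carry credentials in the clear (FTP on 21, telnet on 23, POP3 on 110), because traffic on those ports is in tension with the encryption-in-transit requirement of the Network Access and Authentication Policy (4.9).

```python
"""Firewall ruleset audit for Network Security Policy 4.3.1 / 4.3.2. Added example: the ruleset,
interface names and management network are constructed assumptions, not BankTEL's configuration."""
import shlex
from ipaddress import ip_network

ALLOWED_EGRESS_PORTS = {21, 22, 23, 25, 53, 80, 110, 443, 995}      # 4.3.2 known "good" services
CLEARTEXT_CREDENTIAL_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}  # allowed, but logins travel unencrypted
WAN_IFACE, MGMT_NET = "eth0", "10.1.99.0/24"                         # assumed topology

# Constructed iptables-save dump with deliberate policy departures for the audit to find.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.1.99.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-IN-DROP "
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 23 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j DROP
COMMIT
"""


def parse_ruleset(text):
    """Return ({chain: default policy}, {chain: [rule, ...]}) from iptables-save output."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # ":CHAIN POLICY [packets:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"target": "", "ports": set(), "ctstate": "", "in": "", "out": "", "src": ""}
            i = 2
            while i < len(toks):
                flag, value = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
                if flag == "-j":
                    rule["target"] = value
                elif flag in ("--dport", "--dports"):   # a range such as 1024:65535 is kept as a string
                    rule["ports"] |= {p if ":" in p else int(p) for p in value.split(",")}
                elif flag == "--ctstate":
                    rule["ctstate"] = value
                elif flag in ("-i", "-o", "-s"):
                    rule[{"-i": "in", "-o": "out", "-s": "src"}[flag]] = value
                else:                                   # -m, -p, --log-prefix ... are not audited
                    i += 1
                    continue
                i += 2
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def audit(text):
    """Return a list of findings; an empty list means the ruleset passes every check below."""
    policies, chains = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":                          # 4.3.2: whatever is not allowed is blocked
            findings.append(f"{chain}: default policy is {policies.get(chain)}, not DROP")
        rules = chains.get(chain, [])
        accepts = [i for i, r in enumerate(rules) if r["target"] == "ACCEPT"]
        logs = [i for i, r in enumerate(rules) if r["target"] == "LOG"]
        if not logs or (accepts and max(accepts) > max(logs)):     # 4.3.1: dropped packets must be logged
            findings.append(f"{chain}: no LOG rule after the last ACCEPT, so dropped packets are not logged")
    for r in chains.get("INPUT", []):                              # 4.3.1 stealth rule: only loopback,
        if r["target"] != "ACCEPT" or r["in"] == "lo" or "ESTABLISHED" in r["ctstate"]:   # replies and
            continue                                               # management sources reach the firewall
        if not r["src"] or not ip_network(r["src"]).subnet_of(ip_network(MGMT_NET)):
            findings.append(f"INPUT: accepts new connections to the firewall itself from {r['src'] or 'anywhere'}")
    for r in chains.get("FORWARD", []):                            # 4.3.2 egress allowlist
        if r["target"] != "ACCEPT" or "ESTABLISHED" in r["ctstate"] or r["out"] not in ("", WAN_IFACE):
            continue
        if not r["ports"]:
            findings.append("FORWARD: egress rule accepts every port; 4.3.2 allows only the listed services")
        for port in sorted(r["ports"], key=str):
            if port not in ALLOWED_EGRESS_PORTS:
                findings.append(f"FORWARD: egress to port {port} is not on the 4.3.2 allowlist")
            elif port in CLEARTEXT_CREDENTIAL_PORTS:
                findings.append(f"FORWARD: port {port} ({CLEARTEXT_CREDENTIAL_PORTS[port]}) is allowed "
                                "but carries credentials in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print(finding)
```

Run against the embedded sample, the audit reports that the OUTPUT chain is not default deny, that FORWARD drops are not logged, that 3389 is permitted although it is not on the list, and that port 23 is on the list but is telnet. The "LOG after the last ACCEPT" test is deliberately simple: it catches the common mistake of a terminal DROP without a preceding LOG, but it does not verify that the LOG rule's own match conditions cover every packet that falls through, so a clean report is a starting point for the quarterly review rather than a substitute for it. Feeding the audit the current `iptables-save` output and keeping the output alongside the ruleset also satisfies part of the documentation requirement in 4.10.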

4.11 Antivirus/Anti-Malware
Computer viruses and malware are pressing concerns in today's threat landscape. If a machine or network is not properly protected, a virus outbreak can have devastating effects on the machine, the network, and the entire company. The company provides the following guidelines on the use of antivirus/anti-malware software:
- All company-provided user workstations must have antivirus/anti-malware software installed.
- Workstation software must maintain a current "subscription" to receive patches and virus signature/definition file updates.
- Patches, updates, and antivirus signature file updates must be installed in a timely manner, either automatically or manually.
- In addition to the workstation requirements, virus and malware scanning must be implemented at the Internet gateway to protect the entire network from inbound threats.

4.12 Software Use Policy
Software applications can create risk in a number of ways, and thus certain aspects of software use must be covered by this policy. The company provides the following requirements for the use of software applications:
- Only legally licensed software may be used. Licenses for the company's software must be stored in a secure location.
- Open source and/or public domain software can only be used with the permission of the IT Manager.
- Software should be kept reasonably up to date by installing new patches and releases from the manufacturer.
- Vulnerability alerts should be monitored for all software products that the company uses. Any patches that fix vulnerabilities or security holes must be installed expediently.

4.13 Maintenance Windows and Scheduled Downtime
Certain tasks require that network devices be taken offline, either for a simple reboot, an upgrade, or other maintenance. When this occurs, the IT Staff must perform the tasks before or after normal business hours. Tasks that are deemed "emergency support," as determined by the IT Manager, can be performed at any time.

73 Network Security Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Technical 13 Pages 4.14 Change Management Documenting changes to network devices is a good management practice and can help speed resolution in the event of an incident. The IT Staff must document hardware and/or configuration changes to network devices in a "change log." Network devices must bear a sticker or tag indicating essential information, such as the device name, IP address, Mac address, asset information, and any additional data that may be helpful, such as information about cabling Suspected Security Incidents When a security incident is suspected that may impact a network device, the IT Staff should refer to the company's Incident Response policy for guidance Redundancy Redundancy can be implemented on many levels, from redundancy of individual components to full site-redundancy. As a general rule, the more redundancy implemented, the higher the availability of the device or network, and the higher the associated cost. The company wishes to provide the IT Manager with latitude to determine the appropriate level of redundancy for critical systems and network devices. Redundancy should be implemented where it is needed, and should include some or all of the following: Hard drive redundancy, such as mirroring or RAID Server level redundancy, such as clustering or high availability Component level redundancy, such as redundant power supplies or redundant NICs Keeping hot or cold spares onsite 4.17 Manufacturer Support Contracts Outdated products can result in a serious security breach. When purchasing critical hardware or software, the company must purchase a maintenance plan, support agreement, or software subscription that will allow the company to receive updates to the software and/or firmware for a specified period of time. 
The plan must meet the following minimum requirements:
- Hardware: The arrangement must allow for repair/replacement of the device within an acceptable time period, as determined by the IT Manager, as well as firmware or embedded software updates.

- Software: The arrangement must allow for updates, upgrades, and hotfixes for a specified period of time.

4.18 Security Policy Compliance
It is the company's intention to comply with this policy not just on paper but in its everyday processes as well. With that goal in mind the company requires the following:

Security Program Manager
An employee must be designated as a manager for the company's security program. He or she will be responsible for the company's compliance with this security policy and any applicable security regulations. This employee must be responsible for A) the initial implementation of the security policies, B) ensuring that the policies are disseminated to employees, C) training and retraining of employees on the company's information security program (as detailed below), D) any ongoing testing or analysis of the company's security in compliance with this policy, and E) updating the policy as needed to adhere to applicable regulations and the changing information security landscape.

Security Training
A training program must be implemented that will detail the company's information security program to all users and/or employees covered by the policy, as well as the importance of data security. Employees must sign off on the receipt of, and in agreement to, the user-oriented policies. Re-training should be performed at least annually.

Security Policy Review
The company's security policies should be reviewed at least annually. Additionally, the policies should be reviewed when there is an information security incident or a material change to the company's security policies. As part of this evaluation the company should review:
- Any applicable regulations for changes that would affect the company's compliance or the effectiveness of any deployed security controls.
- Whether the company's deployed security controls are still capable of performing their intended functions.
- Whether technology or other changes may have an effect on the company's security strategy.
- Whether any changes need to be made to accommodate future IT security needs.

4.19 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may

apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
ACL: A list that defines the permissions for use of, and restricts access to, network resources. This is typically done by port and IP address.
Antivirus Software: An application used to protect a computer from viruses, typically through real-time defenses and periodic scanning. Antivirus software has evolved to cover other threats, including Trojans, spyware, and other malware.
Firewall: A security system that secures the network by enforcing boundaries between secure and insecure areas. Firewalls are often implemented at the network perimeter as well as in high-security or high-risk areas.
Hub: A network device that is used to connect multiple devices together on a network.
IDS: Stands for Intrusion Detection System. A network monitoring system that detects and alerts to suspicious activities.
IPS: Stands for Intrusion Prevention System. A network monitoring system that detects and automatically blocks suspicious activities.
NTP: Stands for Network Time Protocol. A protocol used to synchronize the clocks on networked devices.
Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.
RAID: Stands for Redundant Array of Inexpensive Disks.
A storage system that spreads data across multiple hard drives, reducing or eliminating the impact of the failure of any one drive.

Switch: A network device that is used to connect devices together on a network. Differs from a hub by segmenting computers and sending data only to the device for which that data was intended.
VLAN: Stands for Virtual LAN (Local Area Network). A logical grouping of devices within a network that act as if they are on the same physical LAN segment.
Virus: Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.

7.0 Revision History
Revision 1.0, 8/23/2012

Outsourcing Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Technical 4 Pages

Outsourcing Policy
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Outsourcing is a logical practice when specialized expertise is required, which happens frequently in the field of Information Technology (IT). Trust is necessary for a successful outsourcing relationship; however, the company must be protected by a policy that details and enforces the terms of the outsourcing relationship.

2.0 Purpose
The purpose of this policy is to specify actions to take when selecting a provider of outsourced IT services, standards for secure communications with the provider, and what contractual terms should be in place to protect the company.

3.0 Scope
This policy covers any IT services being considered for outsourcing.

4.0 Policy

4.1 Deciding to Outsource
Outsourcing IT services is often necessary but should be carefully considered, since by nature a certain amount of control will be lost by doing so. The following questions must be affirmatively answered before outsourcing is considered:
- Can the service be performed better or less expensively by a third-party provider?
- Would it be cost-prohibitive or otherwise unreasonable to perform this service in-house?
- Will outsourcing the service positively affect the quality of this service?
- Is the cost of this service worth the benefit?
- Are any risks associated with outsourcing the service worth the benefit?

4.2 Outsourcing Core Functions
The company permits the outsourcing of critical and/or core functions of the company's

Information Technology infrastructure as long as this policy is followed. Examples of these types of functions are data backups, remote access, security, and network management.

4.3 Evaluating a Provider
Once the decision to outsource an Information Technology function has been made, selecting the appropriate provider is critical to the success of the endeavor. Due diligence must be performed after the potential providers have been pared to a short list of two to three companies. Due diligence must always be performed prior to a provider being selected. Due diligence should include an evaluation of the provider's ability to perform the requested services, and must specifically cover the following areas:
- Technical ability of the provider
- Ability to deliver the service
- Experience of the provider
- Reputation of the provider
- Policies and procedures related to the service
- Financial strength of the provider
- Service Level Agreements related to the service
If the outsourced service will involve the provider having access to, or storing, the company's confidential information, due diligence must cover the provider's security controls for access to the confidential information.

4.4 Security Controls
The outsourcing contract must provide a mechanism for secure information exchange with the service provider. This will vary with the type of service being outsourced, but may include remote access, VPN, or encrypted file exchange. The company and provider must also maintain a mechanism for verifying the identity of the other party and confirming changes to the service. This will prevent an attacker from using social engineering tactics to gain access to company data.

4.5 Outsourcing Contracts
All outsourced Information Technology services must be governed by a legal contract, with an original of the executed contract maintained by the company.
Contracts must:
- Cover a specified time period
- Specify exact pricing for the services

- Specify how the provider will treat confidential information
- Include a non-disclosure agreement
- Specify services to be provided, including Service Level Agreements and penalties for missing the levels
- Allow for cancellation if contractual terms are not met
- Specify standards for subcontracting of the services and reassignment of the contract
- Cover liability issues
- Describe how and where to handle contractual disputes

4.6 Access to Information
The provider must be given the least amount of network, system, and/or data access required to perform the contracted services. This access must follow applicable policies and be periodically audited.

4.7 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Backup: To copy data to a second location, solely for the purpose of safe keeping of that data.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Network Management: A far-reaching term that refers to the process of maintaining and administering a network to ensure its availability, performance, and security.
Remote Access: The act of communicating with a computer or network from an off-site location.
Often performed by home-based or traveling users to access documents, email, or other

resources at a main site.
VPN: A secure network implemented over an insecure medium, created by using encrypted tunnels for communication between endpoints.

7.0 Revision History
Revision 1.0, 8/23/2012

Password Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 3 Pages

Password Policy
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
A solid password policy is perhaps the most important security control an organization can employ. Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential.

2.0 Purpose
The purpose of this policy is to specify guidelines for use of passwords. Most importantly, this policy will help users understand why strong passwords are a necessity, and help them create passwords that are both secure and usable. Lastly, this policy will educate users on the secure use of passwords.

3.0 Scope
This policy applies to any person who is provided an account on the organization's network or systems, including: employees, guests, contractors, partners, vendors, etc.

4.0 Policy

4.1 Construction
The best security against a password incident is simple: following a sound password construction strategy. The organization mandates that users adhere to the following guidelines on password construction:
- Passwords should be at least 8 characters
- Passwords should be comprised of a mix of letters, numbers and special characters (punctuation marks and symbols)
- Passwords should be comprised of a mix of upper and lower case characters
- Passwords should not be comprised of, or otherwise utilize, words that can be found in a dictionary

- Passwords should not be comprised of an obvious keyboard sequence (e.g., qwerty)
- Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.
Creating and remembering strong passwords does not have to be difficult. Substituting numbers for letters is a common way to introduce extra characters: a '3' can be used for an 'E,' a '4' can be used for an 'A,' or a '0' for an 'O.' Symbols can be introduced this way as well; for example, an 'i' can be changed to a '!.' Another way to create an easy-to-remember strong password is to think of a sentence, and then use the first letter of each word as a password. The sentence 'The quick brown fox jumps over the lazy dog!' easily becomes the password 'Tqbfjotld!'. Of course, users may need to add additional characters and symbols required by the Password Policy, but this technique will help make strong passwords easier for users to remember.

4.2 Confidentiality
Passwords should be considered confidential data and treated with the same discretion as any of the organization's proprietary information. The following guidelines apply to the confidentiality of organization passwords:
- Users must not disclose their passwords to anyone
- Users must not share their passwords with others (co-workers, supervisors, family, etc.)
- Users must not write down their passwords and leave them unsecured
- Users must not check the "save password" box when authenticating to applications
- Users must not use the same password for different systems and/or accounts
- Users must not send passwords via email
- Users must not re-use passwords

4.3 Change Frequency
In order to maintain good security, passwords should be periodically changed. This limits the damage an attacker can do as well as helps to frustrate brute force attempts.
At a minimum, users must change passwords every 90 days. The organization may use software that enforces this policy by expiring users' passwords after this time period.

4.4 Incident Reporting
Since compromise of a single password can have a catastrophic impact on network security, it is the user's responsibility to immediately report any suspicious activity involving his or her passwords to the IT Manager. Any request for passwords over the phone or by email, whether the request came from organization personnel or not, should be expediently reported. When a

password is suspected to have been compromised, the IT Manager will request that the user, or users, change all of his or her passwords.

4.5 Applicability of Other Policies
This document is part of the organization's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.
Two Factor Authentication: A means of authenticating a user that combines two distinct kinds of factors: something the user has (a smart card or token) or something the user is (a biometric), together with something the user knows, such as a password.

7.0 Revision History
Revision 1.0, 8/23/2012
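The construction rules in Section 4.1, the no-reuse rule in Section 4.2 and the 90-day change rule in Section 4.3 can be enforced in software rather than left to users. The Python checker below is an added example written for this page; it is not BankTEL's code, and the policy names no specific tool. The wordlist, the personal-information hints and the stored password history are constructed sample data. One design point goes beyond the policy text: the checker also tests the "de-leeted" form of a password (3 back to E, 4 back to A, and so on) against the dictionary, because the substitutions Section 4.1 suggests are standard rules in password-cracking tools.

```python
"""Password Policy checks: construction rules (4.1), no-reuse (4.2) and the
90-day change frequency (4.3). Added example, not BankTEL's code; the wordlist,
personal-info hints and stored history are constructed sample data."""

import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 8            # Section 4.1: at least 8 characters
MAX_AGE_DAYS = 90         # Section 4.3: change at least every 90 days
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for a real dictionary/wordlist.
DICTIONARY = {"password", "welcome", "summer", "columbus", "dragon", "letmein", "bank"}

# Keyboard rows used to spot sequences such as "qwerty" or "1234" (and their reverses).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo the usual letter-for-symbol substitutions before the dictionary test, since
# cracking tools apply exactly these rules: 0->o 1->l 3->e 4->a 5->s 7->t !->i @->a $->s
UNLEET = str.maketrans("013457!@$", "oleastias")


def keyboard_sequence(password, run_length=4):
    """Return the first run of run_length adjacent keyboard characters found, or None."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_length + 1):
                chunk = seq[i:i + run_length]
                if chunk in lowered:
                    return chunk
    return None


def dictionary_words(password):
    """Dictionary words (4+ letters) contained in the password or in its de-leeted form."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(UNLEET)}
    hits = {w for w in DICTIONARY if len(w) >= 4 and any(w in c for c in candidates)}
    return sorted(hits)


def check_construction(password, personal_info=()):
    """Return the list of Section 4.1 rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a punctuation mark or symbol")
    run = keyboard_sequence(password)
    if run:
        problems.append(f"contains keyboard sequence '{run}'")
    words = dictionary_words(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    lowered = password.lower()
    for item in personal_info:  # pet names, birthdays, phone numbers, etc.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash; the history stores these pairs, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def previously_used(password, history):
    """Section 4.2 no-reuse rule: True if the password matches any stored (salt, digest) pair."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def days_until_expiry(last_changed, today=None):
    """Section 4.3: days left before the 90-day limit; zero or negative means it must change."""
    today = _as_date(today) if today is not None else date.today()
    return MAX_AGE_DAYS - (today - _as_date(last_changed)).days


if __name__ == "__main__":
    # The sentence-initials password from Section 4.1 still lacks a digit:
    print(check_construction("Tqbfjotld!"))                          # ['needs a digit']
    print(check_construction("P4$$w0rd!"))                           # dictionary hit after undoing leet
    history = [hash_password("Tqbfjotld1!")]
    print(previously_used("Tqbfjotld1!", history))                   # True
    print(days_until_expiry("2012-08-23", today="2012-11-21"))       # 0
```

The history check hashes the candidate with each stored salt and compares in constant time, so an account's old passwords never sit in plaintext on the system that enforces the rule.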

Physical Security Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Technical 7 Pages

Physical Security Policy
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
Information assets are necessarily associated with the physical devices on which they reside. Information is stored on workstations and servers and transmitted on the company's physical network infrastructure. In order to secure the company data, thought must be given to the security of the company's physical Information Technology (IT) resources to ensure that they are protected from standard risks.

2.0 Purpose
The purpose of this policy is to protect the company's physical information systems by setting standards for secure operations.

3.0 Scope
This policy applies to the physical security of the company's information systems, including, but not limited to, all company-owned or company-provided network devices, servers, personal computers, mobile devices, and storage media. Additionally, any person working in or visiting the company's office is covered by this policy. Please note that this policy covers the physical security of the company's Information Technology infrastructure, and does not cover the security of non-IT items or the important topic of employee security. While there will always be overlap, care must be taken to ensure that this policy is consistent with any existing physical security policies.

4.0 Policy

4.1 Choosing a Site
When possible, thought should be given to selecting a site for IT Operations that is secure and free of unnecessary environmental challenges. This is especially true when selecting a datacenter or a site for centralized IT operations. At a minimum, the company's site should meet the following criteria:
- A site should not be particularly susceptible to fire, flood, earthquake, or other natural

disasters.
- A site should not be located in an area where the crime rate and/or risk of theft is higher than average.
- A site should have the fewest number of entry points possible.
If these criteria cannot be effectively met for any reason, the company should consider outsourcing its data in whole or in part to a third-party datacenter or hosting provider, provided that such a company can cost-effectively meet or exceed the company's requirements.

4.2 Security Zones
At a minimum, the company will maintain standard security controls, such as locks on exterior doors and/or an alarm system, to secure the company's assets. In addition, the company must provide security in layers by designating different security zones within the building. Security zones should include:

Public
This includes areas of the building or office that are intended for public access.
Access Restrictions: None
Additional Security Controls: None
Examples: Lobby, common areas of building

Company
This includes areas of the building or office that are used only by employees and other persons for official company business.
Access Restrictions: Only company personnel and approved/escorted guests
Additional Security Controls: Additional access controls should be used, such as keys, keypads, keycards, or similar devices, with access to these areas logged if possible.
Examples: Hallways, private offices, work areas, conference rooms

Private
This includes areas that are restricted to use by certain persons within the company, such as executives, scientists, engineers, and IT personnel, for security or safety reasons.
Access Restrictions: Only specifically approved personnel
Additional Security Controls: Additional access controls must be used, such as keys, keypads, keycards, or similar devices, with access to these areas logged.
Additionally, an alarm system should be considered for these areas that will alert to unauthorized access.

Examples: Executive offices, lab space, network room, manufacturing area, financial offices, and storage areas.

4.3 Access Controls
Access controls are necessary to restrict entry to the company premises and security zones to only approved persons. There are several standard ways to do this, which are outlined in this section, along with the company's guidelines for their use.

Keys & Keypads
The use of keys and keypads is acceptable, as long as keys are marked "do not duplicate" and their distribution is limited. These security mechanisms are the least expensive and are the most familiar to users. The disadvantage is that the company has no control, aside from changing the locks or codes, over how and when the access is used. Keys can be copied and keypad codes can be shared or seen during input. However, used in conjunction with another security strategy, such as an alarm system, good security can be obtained with keys and keypads.

Keycards & Biometrics
While keycards and biometrics are allowable forms of access controls, the company does not require their use at this time. Keycards and biometrics have an advantage over keys in that access policies can be tuned to the individual user. Schedules can be set to forbid off-hours access, or to forbid users from accessing a security zone where they are not authorized. Perhaps best of all, these methods allow for control over exactly who possesses the credentials. If a keycard is lost or stolen it can be immediately disabled. If an employee is terminated or resigns, that user's access can be disabled. The granular control offered by keycards and biometrics makes them appealing access control methods.

Alarm System
A security alarm system is a good way to minimize the risk of theft, or to reduce loss in the event of a theft. The company mandates the use of a professionally monitored alarm system.
The system must be monitored 24x7, with company personnel being notified if an alarm is tripped at any time.

4.4 Physical Data Security
Certain physical precautions must be taken to ensure the integrity of the company's data. At a minimum, the following guidelines must be followed:
- Computer screens should be positioned where information on the screens cannot be seen by outsiders.

- Confidential and sensitive information should not be displayed on a computer screen where the screen can be viewed by those not authorized to view the information.
- Users must log off or shut down their workstations when leaving for an extended time period, or at the end of the workday.
- Network cabling should not run through unsecured areas unless the cabling is carrying only public data (e.g., extended wiring for an Internet circuit).
- The company recommends disabling network ports that are not in use.

4.5 Physical System Security
In addition to protecting the data on the company's information technology assets, this policy provides the guidelines below on keeping the systems themselves secure from damage or theft.

Minimizing Risk of Loss and Theft
In order to minimize the risk of data loss through loss or theft of company property, the following guidelines must be followed:
- Unused systems: If a system is not in use for an extended period of time it should be moved to a secure area or otherwise secured.
- Mobile devices: Special precautions must be taken to prevent loss or theft of mobile devices. Refer to the company's Mobile Device Policy for guidance.
- Systems that store confidential data: Special precautions must be taken to prevent loss or theft of these systems. Refer to the company's Confidential Data Policy for guidance.

Minimizing Risk of Damage
Systems that store company data are often sensitive electronic devices that are susceptible to being inadvertently damaged. In order to minimize the risk of damage, the following guidelines must be followed:
- Environmental controls should keep the operating environment of company systems within standards specified by the manufacturer. These standards often involve, but are not limited to, temperature and humidity.
- Proper grounding procedures must be followed when opening system cases.
This may include use of a grounding wrist strap or other means to ensure that the danger from static electricity is minimized.

- Strong magnets must not be used in proximity to company systems or media.
- Except in the case of a fire suppression system, open liquids must not be located above company systems. Technicians working on or near company systems should never use the systems as tables for beverages. Beverages must never be placed where they can be spilled onto company systems.
- Uninterruptible Power Supplies (UPSs) and/or surge protectors are required for important systems and encouraged for all systems. These devices must carry a warranty that covers the value of the systems if the systems were to be damaged by a power surge.

4.6 Fire Prevention
It is the company's policy to provide a safe workplace that minimizes the risk of fire. In addition to the danger to employees, even a small fire can be catastrophic to computer systems. Further, due to the electrical components of IT systems, the fire danger in these areas is typically higher than in other areas of the company's office. The guidelines below are intended to be specific to the company's information technology assets and should conform to the company's overall fire safety policy.
- Fire and smoke alarms, and/or suppression systems, must be used, and must conform to local fire codes and applicable ordinances.
- Electrical outlets must not be overloaded. Users must not chain multiple power strips, extension cords, or surge protectors together.
- Extension cords, surge protectors, power strips, and uninterruptible power supplies must be of the three-wire/three-prong variety.
- Only electrical equipment that has been approved by Underwriters Laboratories and bears the UL seal of approval may be used.
- Unused electrical equipment should be turned off when not in use for extended periods of time (e.g., during non-business hours) if possible.
- Periodic inspection of electrical equipment must be performed.
Power cords, cabling, and other electrical devices must be checked for excessive wear or cracks. If overly worn equipment is found, the equipment must be replaced or taken out of service immediately, depending on the degree of wear.

- A smoke alarm monitoring service must be used that will alert a designated company employee if an alarm is tripped during non-business hours.

4.7 Entry Security
It is the company's policy to provide a safe workplace for employees. Monitoring those who enter and exit the premises is a good security practice in general, and is particularly important for minimizing risk to company systems and data. The guidelines below are intended to be specific to the company's information technology assets and should conform to the company's overall security policy.

Use of Identification Badges
Identification (ID) badges are useful to identify authorized persons on the company premises. The company has established the following guidelines for the use of ID badges.
- Employees: ID badges are not required.
- Non-employees/Visitors: Visitor badges are not required, though generic visitor badges are encouraged.

Sign-in Requirements
The company must maintain a sign-in log (or similar device) in the lobby or entry area, and visitors must be required to sign in upon arrival. At minimum, the register must include the following information: visitor's name, company name, reason for visit, name of person visiting, sign-in time, and sign-out time.

Visitor Access
Visitors should be given only the level of access to the company premises that is appropriate to the reason for their visit. After checking in, visitors must be escorted unless they are considered "trusted" by the company. Examples of a trusted visitor may be the company's legal counsel, financial advisor, or a courier that frequents the office; trusted status will be decided on a case-by-case basis.

4.8 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in

disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions
Biometrics: The process of using a person's unique physical characteristics to prove that person's identity. Commonly used are fingerprints, retinal patterns, and hand geometry.
Datacenter: A location used to house a company's servers or other information technology assets. Typically offers enhanced security, redundancy, and environmental controls.
Keycard: A plastic card that is swiped, or that contains a proximity device, that is used for identification purposes. Often used to grant and/or track physical access.
Keypad: A small keyboard or number entry device that allows a user to input a code for authentication purposes. Often used to grant and/or track physical access.
Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
PDA: Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.
Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
Uninterruptible Power Supplies (UPSs): A battery system that automatically provides power to electrical devices during a power outage for a certain period of time. Typically also contains power surge protection.

7.0 Revision History
Revision 1.0, 8/23/2012

Remote Access Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 3 Pages

Remote Access Policy
BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview
It is often necessary to provide access to corporate information resources to employees or others working outside the company's network. While this can lead to productivity improvements, it can also create certain vulnerabilities if not implemented properly. The goal of this policy is to provide the framework for a secure remote access implementation.

2.0 Purpose
This policy is provided to define standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium.

3.0 Scope
The scope of this policy covers all employees, contractors, and external parties that access company resources over a third-party network, whether such access is performed with company-provided or non-company-provided equipment.

4.0 Policy

4.1 Prohibited Actions
Remote access to corporate systems is only to be offered through a company-provided means of remote access in a secure fashion. The following are specifically prohibited:
- Installing a modem, router, or other remote access device on a company system without the approval of the IT Manager.
- Remotely accessing corporate systems with a remote desktop tool, such as VNC, Citrix, or GoToMyPC, without written approval from the IT Manager.
- Use of non-company-provided remote access software.

92 Remote Access Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 3 Pages Split Tunneling to connect to an insecure network in addition to the corporate network, or in order to bypass security restrictions. 4.2 Use of non-company-provided Machines Accessing the corporate network through home or public machines presents a security risk, as the company cannot completely control the security of the system accessing the network. No non-company-provided computers are allowed to access the corporate network for any reason. 4.3 Client Software The company will supply users with remote access software that allows for secure access and enforces the remote access policy. The software will provide traffic encryption in order to protect the data during transmission as well as a firewall that protects the machine from unauthorized access. 4.4 Network Access There are no restrictions on what information or network segments users can access when working remotely, however the level of access should not exceed the access a user receives when working in the office. 4.5 Idle Connections Due to the security risks associated with remote network access, it is a good practice to dictate that idle connections be timed out periodically. Remote connections to the company's network must be timed out after 1 hour of inactivity. 4.6 Applicability of Other Policies This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed. 5.0 Enforcement This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. 
Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities. 6.0 Definitions 92 P a g e

93 Remote Access Policy Created: 8/23/2012 Section of: Corporate Security Policies Target Audience: Users, Technical 3 Pages Modem A hardware device that allows a computer to send and receive digital information over a telephone line. Remote Access The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, , or other resources at a main site. Split Tunneling A method of accessing a local network and a public network, such as the Internet, using the same connection. Timeout A technique that drops or closes a connection after a certain period of inactivity. Two Factor Authentication A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password. 7.0 Revision History Revision 1.0, 8/23/ P a g e

Retention Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Users, Technical
3 Pages

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the company's guidelines on retention are consistently applied throughout the organization.

2.0 Purpose

The purpose of this policy is to specify the company's guidelines for retaining different types of data.

3.0 Scope

The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local, industry, or federal regulations. Where this policy differs from applicable regulations, the policy specified in the regulations will apply.

4.0 Policy

4.1 Reasons for Data Retention

The company does not wish to simply adopt a "save everything" mentality. That is not practical or cost-effective, and would place an excessive burden on the IT Staff to manage the constantly growing amount of data. Some data, however, must be retained in order to protect the company's interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
- Litigation
- Accident investigation
- Security incident investigation
- Regulatory requirements
- Intellectual property preservation

4.2 Data Duplication

As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user's machine, on a central file server, and again on a backup system. When identifying and classifying the company's data, it is important to also understand where that data may be stored, particularly as duplicate copies, so that this policy may be applied to all duplicates of the information.

4.3 Retention Requirements

This section sets guidelines for retaining the different types of company data.
- Personal: There are no retention requirements for personal data. In fact, the company requires that it be deleted or destroyed when it is no longer needed.
- Public: Public data must be retained for 3 years.
- Operational: Most company data will fall in this category. Operational data must be retained for 5 years.
- Critical: Critical data must be retained for 7 years.
- Confidential: Confidential data must be retained for 7 years.

4.4 Retention of Encrypted Data

If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

4.5 Data Destruction

Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will not get buried in data, making data management and data retrieval more complicated and expensive than it needs to be. Exactly how certain data should be destroyed is covered in the Data Classification Policy.

When the retention timeframe expires, the company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the company's executive team.

The company specifically directs users not to destroy data in violation of this policy. Particularly forbidden is destroying data that a user may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy.

4.6 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Backup: To copy data to a second location, solely for the purpose of safe keeping of that data.
Encryption: The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
Encryption Key: An alphanumeric series of characters that enables data to be encrypted and decrypted.

7.0 Revision History

Revision 1.0, 8/23/2012
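The retention periods in section 4.3 and the key-retention rule in section 4.4 can be turned into a mechanical review. The following is an added example, not BankTEL's own tooling: it applies the stated periods (3, 5, 7 and 7 years; none for personal data) to a constructed inventory of records and works out which encryption keys must outlive the data they decrypt. The record fields, key identifiers and review date are assumptions made for the example.

```python
"""Retention-period evaluator, added here as a worked example (it is not
BankTEL's own tooling).  It applies the section 4.3 retention periods to
a constructed set of data records and enforces the section 4.4 rule that
an encryption key must be kept at least as long as any data it decrypts.
The record fields and key identifiers are assumptions made for the example.
"""
from datetime import date
from typing import Dict, List, Optional

# Retention periods from section 4.3, in years.  Personal data has no
# retention requirement: it is destroyed as soon as it is no longer needed.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "personal": None,
    "public": 3,
    "operational": 5,
    "critical": 7,
    "confidential": 7,
}

# Constructed sample inventory; "key_id" names the key that decrypts the record.
SAMPLE_RECORDS: List[dict] = [
    {"name": "invoice-archive-2006", "classification": "operational",
     "created": date(2006, 6, 1), "key_id": "key-A"},
    {"name": "board-minutes-2009", "classification": "critical",
     "created": date(2009, 3, 15), "key_id": "key-A"},
    {"name": "lunch-photos", "classification": "personal",
     "created": date(2012, 5, 2), "key_id": None},
    {"name": "press-release-2010", "classification": "public",
     "created": date(2010, 1, 10), "key_id": "key-B"},
]
TODAY = date(2012, 8, 23)      # constructed review date
LEAP_DAY = date(2012, 2, 29)   # edge case for the anniversary arithmetic


def retain_until(classification: str, created: date) -> Optional[date]:
    """Earliest date the record may be destroyed; None means no retention requirement."""
    years = RETENTION_YEARS[classification.lower()]
    if years is None:
        return None
    try:
        return created.replace(year=created.year + years)
    except ValueError:
        # Created on 29 February and the target year is not a leap year.
        return created.replace(year=created.year + years, day=28)


def eligible_for_destruction(record: dict, today: date) -> bool:
    """True once the section 4.3 period has expired (or never applied)."""
    until = retain_until(record["classification"], record["created"])
    return until is None or today >= until


def keys_still_required(records: List[dict], today: date) -> Dict[str, date]:
    """Section 4.4: map each key to the latest date a still-retained record needs it."""
    required: Dict[str, date] = {}
    for rec in records:
        key_id = rec.get("key_id")
        if key_id is None or eligible_for_destruction(rec, today):
            continue
        until = retain_until(rec["classification"], rec["created"])
        if key_id not in required or until > required[key_id]:
            required[key_id] = until
    return required


def review(records: List[dict], today: date) -> dict:
    """Records due for destruction, and the keys that must outlive retained data."""
    destroy = [r["name"] for r in records if eligible_for_destruction(r, today)]
    return {"destroy": destroy, "keys_required": keys_still_required(records, today)}


if __name__ == "__main__":
    for name, value in review(SAMPLE_RECORDS, TODAY).items():
        print(name, value)
```

The point of `keys_still_required` is that a key shared by several records (key-A above) is pinned by the record with the longest remaining period, so destroying the expired invoice archive does not make its key eligible for destruction.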

Third Party Connection Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Technical
3 Pages

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

Direct connections to external entities are sometimes required for business operations. These connections are typically to provide access to vendors or customers for service delivery. Since the company's security policies and controls do not extend to the users of the third parties' networks, these connections can present a significant risk to the network and thus require careful consideration.

2.0 Purpose

The policy is intended to provide guidelines for deploying and securing direct connections to third parties.

3.0 Scope

The scope of this policy covers all direct connections to the company's network from non-company-owned networks. This policy excludes remote access and Virtual Private Network (VPN) access, which are covered in separate policies.

4.0 Policy

4.1 Use of Third Party Connections

Third party connections are to be discouraged and used only if no other reasonable option is available. When it is necessary to grant access to a third party, the access must be restricted and carefully controlled. A requester of a third party connection must demonstrate a compelling business need for the connection. This request must be approved and implemented by the IT Manager.

4.2 Security of Third Party Access

Third party connections require additional scrutiny. The following statements will govern these connections:
- Connections to third parties must use a firewall or Access Control List (ACL) to separate the company's network from the third party's network.
- Third parties will be provided only the minimum access necessary to perform the function requiring access. If possible, this should include time-of-day restrictions to limit access to only the hours when such access is required.
- Wherever possible, systems requiring third party access should be placed in a public network segment or demilitarized zone (DMZ) in order to protect internal network resources.
- If a third party connection is deemed to be a serious security risk, the IT Manager will have the authority to prohibit the connection. If the connection is absolutely required for business functions, additional security measures should be taken at the discretion of the IT Manager.

4.3 Restricting Third Party Access

Best practices for a third party connection require that the link be held to higher security standards than an intra-company connection. As such, the third party must agree to:
- Restrict access to the company's network to only those users that have a legitimate business need for access.
- Supply the company with on-hours and off-hours contact information for the person or persons responsible for the connection.
- (If confidential data is involved) Provide the company with the names and any other requested information about individuals that will have access to the company's confidential data. The steward or owner of the confidential data will have the right to approve or deny this access.

4.4 Auditing of Connections

In order to ensure that third-party connections are in compliance with this policy, they must be audited periodically.

4.5 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Access Control List (ACL): A list that defines the permissions for use of, and restricts access to, network resources. This is typically done by port and IP address.
Demilitarized Zone (DMZ): A perimeter network, typically inside the firewall but external to the private or protected network, where publicly-accessible machines are located. A DMZ allows higher-risk machines to be segmented from the internal network while still providing security controls.
Firewall: A security system that secures the network by enforcing boundaries between secure and insecure areas. Firewalls are often implemented at the network perimeter as well as in high-security or high-risk areas.
Third Party Connection: A direct connection to a party external to the company. Examples of third party connections include connections to customers, vendors, partners, or suppliers.

7.0 Revision History

Revision 1.0, 8/23/2012
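Sections 4.2 and 4.4 together describe an allow-list (one third party, one DMZ host and port, optionally a time-of-day window) and a periodic audit against it. The following is an added example, not the company's own tooling: it encodes such rules, then runs constructed firewall log lines through them and reports every connection the firewall allowed that no rule permits. The rule format, log format, addresses (RFC 5737 documentation ranges) and party names are constructed for the example.

```python
"""Third-party connection audit, added here as a worked example (not the
company's own tooling).  Section 4.2 requires that each third party get
only the minimum access it needs, ideally limited to the hours it is
needed, behind a firewall or ACL; section 4.4 requires periodic audits.
The rule and log formats, addresses and party names are constructed for
this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One least-access entry: a third party may reach one host:port, optionally only in a window."""
    party: str
    src_net: str                                 # the third party's address range
    dst_host: str                                # the DMZ host they are allowed to reach
    dst_port: int
    window: Optional[Tuple[time, time]] = None   # (start, end) local time; None = any time

    def allows(self, src: str, dst: str, port: int, when: datetime) -> bool:
        if ip_address(src) not in ip_network(self.src_net):
            return False
        if dst != self.dst_host or port != self.dst_port:
            return False
        if self.window is None:
            return True
        start, end = self.window
        return start <= when.time() < end


# Constructed rule set: a print vendor allowed to one HTTPS host in office hours,
# and a core vendor allowed SSH to one host at any time.
RULES: List[Rule] = [
    Rule("AcmePrint", "203.0.113.0/24", "10.20.0.15", 443, (time(8, 0), time(18, 0))),
    Rule("CoreVendorX", "198.51.100.8/29", "10.20.0.22", 22, None),
]

# Constructed firewall log: date time src dst port action
SAMPLE_LOG = """\
2012-08-23 09:15:02 203.0.113.10 10.20.0.15 443 ALLOW
2012-08-23 22:40:11 203.0.113.10 10.20.0.15 443 ALLOW
2012-08-23 10:02:45 203.0.113.10 10.0.0.5 445 ALLOW
2012-08-23 03:12:00 198.51.100.9 10.20.0.22 22 ALLOW
2012-08-23 11:00:00 192.0.2.77 10.20.0.22 22 ALLOW
2012-08-23 11:00:05 192.0.2.77 10.20.0.22 22 DENY
"""


def parse_line(line: str):
    """Split one log line into (datetime, src, dst, port, action)."""
    day, clock, src, dst, port, action = line.split()
    when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, src, dst, int(port), action


def audit(log_text: str, rules: List[Rule] = RULES) -> List[str]:
    """One finding per connection the firewall allowed but no rule permits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst, port, action = parse_line(line)
        if action != "ALLOW":
            continue   # the firewall/ACL already blocked it; nothing to report
        if not any(rule.allows(src, dst, port, when) for rule in rules):
            findings.append(f"{when:%Y-%m-%d %H:%M:%S} {src} -> {dst}:{port} "
                            "allowed but permitted by no third-party rule")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample log the audit flags three lines: the vendor connecting outside its window, the same vendor reaching an internal host and port it was never granted, and an address that belongs to no approved party. Those are exactly the conditions a firewall rule set that was once "minimum access" drifts into, which is why section 4.4 asks for the audit to be periodic.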

VPN Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Technical
3 Pages

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

A Virtual Private Network, or VPN, provides a method to communicate with remote sites securely over a public medium, such as the Internet. A site-to-site VPN is a dependable and inexpensive substitute for a point-to-point Wide Area Network (WAN). Site-to-site VPNs can be used to connect the LAN to a number of different types of networks: branch or home offices, vendors, partners, customers, etc. As with any external access, these connections need to be carefully controlled through a policy.

2.0 Purpose

This policy details the company's standards for site-to-site VPNs. The purpose of this policy is to specify the security standards required for such access, ensuring the integrity of data transmitted and received, and securing the VPN pathways into the network.

3.0 Scope

The scope of this policy covers all site-to-site VPNs that are a part of the company's infrastructure, including both sites requiring access to the company's network (inbound) and sites where the company connects to external resources (outbound). Note that remote access VPNs are covered under a separate Remote Access Policy.

4.0 Policy

4.1 Encryption

Site-to-site VPNs must utilize strong encryption to protect data during transmission. Encryption algorithms must meet or exceed current minimum industry standards, such as Triple DES or AES.

4.2 Authentication

Site-to-site VPNs must utilize a strong password, pre-shared key, certificate, or other means of authentication to verify the identity of the remote entity. The strongest authentication method available must be used, which can vary from product to product.

4.3 Implementation

When site-to-site VPNs are implemented, they should adhere to the policy of least access, providing access limited to only what is required for business purposes if possible. This should be done on a best-effort basis and is not a requirement.

4.4 Management

The company should manage its own VPN gateways, meaning that a third party must not provide and manage both sides of the site-to-site VPN, unless this arrangement is covered under an outsourcing agreement. If an existing VPN is to be changed, the changes must only be performed with the approval of the IT Manager.

4.5 Logging and Monitoring

The company does not require logging or monitoring of traffic related to the site-to-site VPN.

4.6 Encryption Keys

Site-to-site VPNs are created with pre-shared keys. The security of these keys is critical to the security of the VPN, and by extension, the network. Encryption keys should be changed periodically. If certificates are used instead of pre-shared keys, the certificates should expire and be regenerated after three years.

4.7 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Certificate: Also called a "Digital Certificate." A file that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management to establish trust of the remote entity.
Demilitarized Zone (DMZ): A perimeter network, typically inside the firewall but external to the private or protected network, where publicly-accessible machines are located. A DMZ allows higher-risk machines to be segmented from the internal network while still providing security controls.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Remote Access VPN: A VPN implementation at the individual user level. Used to provide remote and traveling users secure network access.
Site-to-Site VPN: A VPN implemented between two static sites, often different locations of a business.
Virtual Private Network (VPN): A secure network implemented over an insecure medium, created by using encrypted tunnels for communication between endpoints.

7.0 Revision History

Revision 1.0, 8/23/2012

Wireless Access Policy
Created: 8/23/2012
Section of: Corporate Security Policies
Target Audience: Technical
4 Pages

BankTEL Systems is hereinafter referred to as "the company."

1.0 Overview

Wireless communication is playing an increasingly important role in the workplace. In the past, wireless access was the exception; it has now become the norm in many companies. However, while wireless access can increase mobility and productivity of users, it can also introduce security risks to the network. These risks can be mitigated with a sound Wireless Access Policy.

2.0 Purpose

The purpose of this policy is to state the standards for wireless access to the company's network. Wireless access can be done securely if certain steps are taken to mitigate known risks. This policy outlines the steps the company wishes to take to secure its wireless infrastructure.

3.0 Scope

This policy covers anyone who accesses the network via a wireless connection. The policy further covers the wireless infrastructure of the network, including access points, routers, wireless network interface cards, and anything else capable of transmitting or receiving a wireless signal.

4.0 Policy

4.1 Physical Guidelines

Unless a directional antenna is used, a wireless access point typically broadcasts its signal in all directions. For this reason, access points must be located central to the office space rather than along exterior walls. If it is possible with the technology in use, signal broadcast strength must be reduced to only what is necessary to cover the office space. Directional antennas should be considered in order to focus the signal to areas where it is needed.

Physical security of access points must be considered. Access points must not be placed in public or easily accessed areas. Access points must be placed in non-obvious locations (i.e., above ceiling tiles) so that they cannot be seen or accessed without difficulty.

4.2 Configuration and Installation

The following guidelines apply to the configuration and installation of wireless networks:

Security Configuration
- The Service Set Identifier (SSID) of the access point must be changed from the factory default. The SSID must be changed to something completely nondescript. Specifically, the SSID must not identify the company, the location of the access point, or anything else that may allow a third party to associate the access point's signal with the company.
- Encryption must be used to secure wireless communications. Stronger algorithms are preferred to weaker ones (i.e., WPA should be implemented rather than WEP).
- Encryption keys must be changed and redistributed quarterly.
- Administrative access to wireless access points must utilize strong passwords.
- All logging features should be enabled on the company's access points.

Installation
- Software and/or firmware on the wireless access points and wireless network interface cards (NICs) must be updated prior to deployment.
- Wireless networking must not be deployed in a manner that will circumvent the company's security controls.
- Wireless devices must be installed only by the company's IT department.
- Channels used by wireless devices should be evaluated to ensure that they do not interfere with company equipment.

4.3 Accessing Confidential Data

Wireless access to confidential data is permitted as long as the access is consistent with this and other policies that apply to confidential data.

4.4 Inactivity

Users should disable their wireless capability when not using the wireless network. This will reduce the chances that their machine could be compromised through the wireless NIC.

Inactive wireless access points should be disabled. If not regularly used and maintained, inactive access points represent an unacceptable risk to the company.

4.5 Audits

The wireless network must be audited twice each year to ensure that this policy is being followed. Specific audit points should be: location of access points, signal strength, SSID, and use of strong encryption.

4.6 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

MAC Address: Short for Media Access Control Address. The unique hardware address of a network interface card (wireless or wired). Used for identification purposes when connecting to a computer network.
SSID: Stands for Service Set Identifier. The name that uniquely identifies a wireless network.
WEP: Stands for Wired Equivalency Privacy. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. WEP can be cryptographically broken with relative ease.
WiFi: Short for Wireless Fidelity. Refers to networking protocols that are broadcast wirelessly using the IEEE 802.11 family of standards.
Wireless Access Point: A central device that broadcasts a wireless signal and allows for user connections. A wireless access point typically connects to a wired network.
Wireless NIC: A Network Interface Card (NIC) that connects to wireless, rather than wired, networks.
WPA: Stands for WiFi Protected Access. A security protocol for wireless networks that encrypts communications between the computer and the wireless access point. Newer and considered more secure than WEP.

7.0 Revision History

Revision 1.0, 8/23/2012
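The configuration requirements in section 4.2, the inactive-device rule in section 4.4 and the twice-yearly audit in section 4.5 lend themselves to a scripted check against the access point inventory. The following is an added example, not the company's own tooling: it runs a constructed inventory through one check per policy statement and returns the findings per access point. The inventory fields, the lists of default and identifying SSID terms, the reading of "quarterly" as 90 days and the password-strength rule are all assumptions made for the example; the policy itself only says "strong".

```python
"""Wireless access point audit, added here as a worked example (not the
company's own tooling).  It checks a constructed access point inventory
against sections 4.2, 4.4 and 4.5: non-default, non-identifying SSID;
WPA rather than WEP; keys rotated quarterly; strong admin passwords;
logging enabled; firmware updated before deployment; inactive access
points disabled.  The inventory fields, word lists, 90-day quarter and
password rule are assumptions made for this example.
"""
from datetime import date
from typing import Dict, List

# Constructed lists; a real audit would load them from the asset register.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
IDENTIFYING_TERMS = {"banktel", "columbus", "lobby", "floor", "server", "office"}
ACCEPTABLE_ENCRYPTION = {"WPA", "WPA2"}
KEY_ROTATION_DAYS = 90          # "quarterly" in section 4.2, read as 90 days (assumption)
MIN_ADMIN_PASSWORD_LEN = 12     # the policy says only "strong"; 12 chars is this example's choice


def strong_password(pw: str) -> bool:
    """Length plus upper/lower/digit/symbol classes (this example's definition of strong)."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_ADMIN_PASSWORD_LEN and all(classes)


def audit_access_point(ap: dict, today: date) -> List[str]:
    """Return the policy findings for one access point record (empty list = compliant)."""
    findings = []
    ssid = ap["ssid"].lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("factory-default SSID")
    if any(term in ssid for term in IDENTIFYING_TERMS):
        findings.append(f"SSID '{ap['ssid']}' identifies the company or location")
    if ap["encryption"] not in ACCEPTABLE_ENCRYPTION:
        findings.append(f"weak encryption {ap['encryption']} (WPA required)")
    if (today - ap["key_rotated"]).days > KEY_ROTATION_DAYS:
        findings.append("encryption key not rotated within the last quarter")
    # The password is checked at configuration time; it is carried in the
    # record here only so that the example is self-contained.
    if not strong_password(ap["admin_password"]):
        findings.append("weak administrative password")
    if not ap["logging_enabled"]:
        findings.append("logging disabled")
    if not ap["firmware_current"]:
        findings.append("firmware not updated")
    if ap["enabled"] and not ap["in_use"]:
        findings.append("inactive access point still enabled")
    return findings


def audit_inventory(inventory: List[dict], today: date) -> Dict[str, List[str]]:
    """Run every access point through the checks; keyed by access point name."""
    return {ap["name"]: audit_access_point(ap, today) for ap in inventory}


# Constructed sample inventory reviewed on the constructed date 2012-08-23.
TODAY = date(2012, 8, 23)
SAMPLE_INVENTORY = [
    {"name": "AP-1", "ssid": "nx-7f3a", "encryption": "WPA2",
     "key_rotated": date(2012, 7, 1), "admin_password": "Qv9!mZ2#rLw8p",
     "logging_enabled": True, "firmware_current": True, "in_use": True, "enabled": True},
    {"name": "AP-2", "ssid": "BankTEL-Lobby", "encryption": "WEP",
     "key_rotated": date(2012, 1, 15), "admin_password": "admin",
     "logging_enabled": False, "firmware_current": False, "in_use": True, "enabled": True},
    {"name": "AP-3", "ssid": "linksys", "encryption": "WPA",
     "key_rotated": date(2012, 6, 30), "admin_password": "Hq4$tNb7!xKz",
     "logging_enabled": True, "firmware_current": True, "in_use": False, "enabled": True},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, findings or "compliant")
```

AP-1 passes every check; AP-2 collects six findings (an identifying SSID, WEP, a stale key, a weak admin password, logging off, firmware not updated); AP-3 is caught for a factory-default SSID and for being enabled while out of use, the section 4.4 case. The location and signal-strength audit points in section 4.5 need a site walk and are not covered by an inventory check.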

Policy Acknowledgement Form

Company: BankTEL Systems
User Name:
Department:

BankTEL Systems is hereinafter referred to as "the company."

I understand that being granted access to computer systems and company information carries a great deal of responsibility. I recognize that I am being granted this access with the understanding that I will use the network resources and company information in a responsible manner. I realize that specific guidelines and expectations of me are detailed in the appropriate policies.

Initial below to indicate which policies you have received, read, understand, and to which you agree:
- Acceptable Use
- Data Classification
- Password
- Confidential Data
- Remote Access
- Mobile Device
- Retention
- Other (list: )

I UNDERSTAND THAT WHILE THE COMPANY INTENDS TO PROVIDE A SAFE AND POSITIVE EXPERIENCE WHEN USING COMPANY SYSTEMS AND THE INTERNET, THE COMPANY MAKES NO WARRANTIES AS TO THE CONTENT OF THE NETWORK AND THE INTERNET. I AM RESPONSIBLE FOR MY OWN ACTIONS AND WILL RELEASE THE COMPANY FROM ANY LIABILITY RELATING TO MY NETWORK USAGE. I AGREE TO USE THE NETWORK AND SYSTEMS IN AN APPROPRIATE MANNER AS SPECIFIED IN THE APPLICABLE POLICIES. I UNDERSTAND THAT MY USE OF THE NETWORK AND SYSTEMS MAY BE MONITORED AT ANY TIME AND I SHOULD HAVE NO EXPECTATION OF PRIVACY IN CONNECTION WITH THIS USE. I UNDERSTAND THAT FAILURE TO USE THE NETWORK IN A RESPONSIBLE MANNER MAY RESULT IN LOSS OF NETWORK PRIVILEGES, SUSPENSION, OR TERMINATION. I UNDERSTAND THAT IF ILLEGAL ACTIVITY IS SUSPECTED, THE COMPANY WILL REPORT THE ACTIVITY TO THE APPLICABLE AUTHORITIES.

User Name (Print):
User Signature:
Date:

Guest Network Access Request

Company: BankTEL Systems
Guest Name:
Guest Company:
Employee Contact:

BankTEL Systems is hereinafter referred to as "the company."

The company may wish to provide access to guests on a case-by-case basis in accordance with its Guest Access Policy. Please complete the information below in order to be granted access.

Dates Needed: From: To:
Reason for Access:

Access Needed (check one):
- Outbound to Internet
- Specific Resources on the network (list: )
- Specific Ports or Services (list: )

Access Requested (check one):
- Wired
- Wireless

The company reserves the right to require Guests to review and accept the corporate Acceptable Use Policy (AUP) before being granted network access. Please initial the statement below that is most accurate:
- I have read, understand, and agree to the Acceptable Use Policy.
- I have read and do not agree to the Acceptable Use Policy.
- I have not been asked to review the Acceptable Use Policy.

Please provide any additional information related to your request for access below:

Guest Name (Print):
Date:
Guest Signature:
Employee Contact:
Employee Signature:

Security Incident Report

Company: BankTEL Systems
User Name:
Department:
Date of Incident:
Time/Date Incident Detected:
Incident Location:

Type of Incident (circle one):
- Physical: Loss or theft of device containing company information. Complete Section 1.
- Electronic: Suspicious password request, hack attempt, virus infection. Complete Section 2.

Section 1: Physical Security Incident
Media/Device Type:
Encryption Used?: Yes / No
Confidential Data Involved?: Yes / No / Unsure

Section 2: Electronic Security Incident
Type of Incident:
- Hack attempt
- Denial of Service
- Malicious Code (Trojan/virus)
- Unauthorized system access
- Suspicious password request
- Misuse of systems
- Password compromise
- Other (explain below)
Confidential Data Involved?: Yes / No / Unsure
Impact of Incident:
- Data Loss/Corruption
- System Damage
- System/Network Downtime
- Web Page Defacement
- Other (explain below)

Section 3: All Incidents
Describe Incident: (attach additional pages if needed)
Actions Taken: (attach additional pages if needed)

By signing below I certify that the information I have provided on this form is true to the best of my knowledge:

User Name (Print):
User Signature:
Date:

*** Please give this form immediately to the IT Manager or your supervisor ***

Notice of Policy Noncompliance

Company: BankTEL Systems
User Name:
Supervisor:
Department:
Policy:
Date of Noncompliance:
Date of Form Completion:

Describe Incident: (attach additional pages if needed)

Type of Action (circle one):
- Verbal Warning (Internal Use Only)
- Written Warning
- Restriction or termination of network/system access (describe below)
- Suspension: From: To:
- Termination: Effective:

Additional Details About Action:
Corrective Action Plan (if applicable):
Next Step if Problem Continues:

I acknowledge receipt of this notice of noncompliance with company policy and agree that its contents have been discussed with me. I understand that my signature below does not necessarily indicate agreement with this notice. I understand that I have a right to provide mitigating information to my supervisor regarding the event.

User Name (Print):
User Signature:
Date:
Supervisor Name (Print):
Supervisor Signature:
Date:

Copies of this form must be provided to: User; Supervisor/Department Head; Human Resources

Policy Amendment

Policy Amended:
Policy Created:
Policy Amendment Number:
Date of Amendment:
Section of: Corporate Security Policies
Target Audience:
Company Name: BankTEL Systems
Page: 1

BankTEL Systems is hereinafter referred to as "the company."

1.0 Details of Amendment

This document hereby amends the Policy as follows:

Section (number and name of section) is changed to read: (Cut and paste text from the policy PDF, making the changes required. It is sometimes good practice to highlight the changes with italics).

Except as specifically stated above, all other provisions of the company's security policies remain in effect. The changes detailed herein are effective immediately on the authority of the undersigned.

Signature:
Date:
Name:
Title:

Account Setup Request

Company: BankTEL Systems
User Name:
Department:

BankTEL Systems is hereinafter referred to as "the company."

This form is to be used for requesting an account on the company network. It can be completed by a user or the supervisor of a user.

Date of Request:
Date Account Needed:
Supervisor Name:
Form Completed By (check one): User / Supervisor

Access Needed (check any that apply):
- General Network Access
- Remote Access (list below any specific needs if possible)
- Other (explain below)

Notes/Special Needs:

By signing below I certify that the information I have provided on this form is true to the best of my knowledge:

Name (Print):
Signature:
Date:

Request is: Accepted / Denied
Date:
Approver Name (Print):
Authorized Signature:

Request for Policy Exception

Company: BankTEL Systems
User Name:
Department:

This form is to be used for requesting an official exception to a company Security Policy.

Policy Affected:
Reason for Request:
Details of Request:
Is this request absolutely necessary for business reasons? Yes / No
Have alternatives been explored? Yes / No

By signing below I certify that the information I have provided on this form is true to the best of my knowledge:

User Name (Print):
User Signature:
Date:

Request is: Accepted / Denied
Date:
Approver Name (Print):
Authorized Signature:

Visitor Log

Date | Name | Company | To See | Reason for Visit | Time In | Time Out

117 Employee Non-Disclosure Agreement NON DISCLOSURE AGREEMENT THIS NON DISCLOSURE AGREEMENT (the Agreement ), is made and entered into this day of, 2012, by and between BTS ALLIANCE, LLC., a Delaware limited liability company (the Employer ), and (the Employee ). WHEREAS, the Employer desires to secure for the term of this Agreement the services of the Employee, and the Employee is willing to be employed by the Employer, upon the terms and subject to the conditions herein set forth. NOW, THEREFORE, intending to be legally bound, the Employer and the Employee hereby agree as follows: ARTICLE I INFORMATION 1.1 The Employee agrees that during the Term and thereafter, he will not disclose or make accessible to any other person, any products, services and technology, both current and under development, promotion and marketing programs, lists, trade secrets and other confidential and proprietary business information of the Employer, its parent, subsidiaries, affiliates, successors, assigns or any of clients thereof which has not otherwise been disclosed to the general public. During such periods, the Employee agrees: (i) not to use any such information for himself or others; and (ii) not to take any such material or reproductions thereof from the Employer s facilities at any time during his employment by the Employer or its parent, subsidiaries or affiliates, except as required in the Employee s duties to such Employer. The Employee agrees to return all such material and reproductions thereof in his possession to the Employer immediately upon request and in any event immediately upon termination of employment. 
1.2 Except with prior written authorization by the Employer, the Employee agrees not to disclose or publish any of the confidential, technical or business information or material of the Employer, its parent, subsidiaries, affiliates, successors, assigns or any clients thereof or any other party to whom the Employer owes an obligation of confidence, at any time during the Term and thereafter.

ARTICLE II OWNERSHIP OF PROPRIETARY INFORMATION

2.1 The Employee agrees that all information that has been created, discovered or developed by the Employer, its parent, subsidiaries, affiliates, successors or assigns (collectively, the "Affiliates") (including, without limitation, information relating to the development of the Employer's business created, discovered, developed or made known to the Employer or the Affiliates by Employee during the Term and information relating to Employer's customers, suppliers, consultants, and licensees) and/or in which property rights have been assigned or otherwise conveyed to the Employer or the Affiliates, shall be the sole property of the Employer or the Affiliates, as applicable, and the Employer or the Affiliates, as the case may be, shall be the sole owner of all patents, copyrights and other rights in connection therewith, including but not limited to the right to make application for statutory protection. All of the aforementioned information is hereinafter called "Proprietary Information". By way of illustration, but not limitation, Proprietary Information includes (i) trade secrets, processes, technologies, discoveries, structures, inventions, designs, ideas, works of authorship, copyrightable works, trademarks, copyrights, formulas, data, know-how, show-how, improvements, inventions, product concepts, and techniques; (ii) information or statistics contained in, or relating to, marketing plans, strategies, and forecasts; (iii) blueprints, sketches, records, notes, devices, equipment designs, drawings; customer lists, patent applications, continuation applications, continuation-in-part applications, file wrapper continuation applications and divisional applications; and (iv) information about the Employer's or the Affiliates' employees and/or consultants (including, without limitation, the compensation, job responsibilities and job performance of such employees and/or consultants).

2.2 The Employee further agrees that at all times during the Term and thereafter, he will keep in confidence and trust all Proprietary Information, and he will not use or disclose any Proprietary Information or anything directly relating to it without the prior written consent of the Employer or the Affiliates, as appropriate, except as may be necessary in the ordinary course of performing his duties hereunder. Employee acknowledges that the Proprietary Information constitutes a unique and valuable asset of the Employer and each Affiliate acquired at great time and expense, which is secret and confidential and which, if communicated to Employee, is deemed to be communicated in confidence in the course of his performance of his duties hereunder, and that any disclosure or other use of the Proprietary Information in breach hereof other than for the sole benefit of the Employer or the Affiliates would be wrongful and could cause irreparable harm to the Employer or the Affiliates, as the case may be.
Notwithstanding the foregoing, the parties agree that Proprietary Information shall not include (i) information in the public domain not as a result of a breach of this Agreement, or (ii) information lawfully received, and not known by Employee to be under a duty of confidentiality, from a third party.

ARTICLE III DISCLOSURE AND OWNERSHIP OF INVENTIONS

3.1 During the Term, Employee agrees that he will promptly disclose to the Employer, or any persons designated by the Employer, all improvements, inventions, designs, ideas, works of authorship, copyrightable works, discoveries, trademarks, copyrights, trade secrets, formulas, processes, structures, product concepts, marketing plans, strategies, customer lists, information about the Employer's or the Affiliates' employees and/or consultants (including, without limitation, job performance of such employees and/or consultants), techniques, blueprints, sketches, records, notes, devices, drawings, know-how, data, whether or not patentable, patent applications, continuation applications, continuation-in-part applications, file wrapper continuation applications and divisional applications, made or conceived or reduced to practice or learned by him, either alone or jointly with others, during the Term (all said improvements, inventions, designs, ideas, works of authorship, copyrightable works, discoveries, trademarks, copyrights, trade secrets, formulas, processes, structures, product concepts, marketing plans, strategies, customer lists, information about the Employer's or the Affiliates' employees and/or consultants, techniques, blueprints, sketches, records, notes, devices, drawings, know-how, data, patent applications, continuation applications, continuation-in-part applications, file wrapper continuation applications and divisional applications shall be collectively hereinafter called "Inventions").

3.2 The Employee agrees that all Inventions shall be the sole property of the Employer to the maximum extent permitted by applicable law and to the extent permitted by law shall be works made for hire as that term is defined in the United States Copyright Act (17 USCA, Section 101). The Employer shall be the sole owner of all patents, copyrights, trade secret rights, and other intellectual property or other rights in connection therewith. Employee hereby assigns to the Employer all right, title and interest he may have or acquire in all Inventions. Employee further agrees to assist the Employer in every proper way (but at the Employer's expense) to obtain and from time to time enforce patents, copyrights or other rights on said Inventions in any and all countries, and to that end the Employee will execute all documents necessary:

(a) to apply for, obtain and vest in the name of the Employer alone (unless the Employer otherwise directs) letters patent, copyrights or other analogous protection in any country throughout the world and when so obtained or vested to renew and restore the same; and

(b) to defend any opposition proceedings in respect of such applications and any opposition proceedings or petitions or applications for revocation of such letters patent, copyright or other analogous protection.

3.3 The Employee's obligation to assist the Employer in obtaining and enforcing patents and copyrights for the Inventions in any and all countries shall continue beyond the end of the Term, but the Employer agrees to compensate the Employee at a reasonable rate after the expiration of the Term for time actually spent by the Employee at the Employer's request on such assistance.
ARTICLE IV NON-SOLICITATION

4.1 During the Term and thereafter until the first (1st) anniversary date following termination of employment with Employer, Employee shall not, directly or indirectly, without the prior written consent of the Employer:

(a) solicit or induce any employee of the Employer or any of the Affiliates to leave the employ of the Employer or any of the Affiliates or hire for any purpose any employee of the Employer or any of the Affiliates who has left the employment of the Employer or any of the Affiliates;

(b) solicit or accept employment with any party who, at any time during the Term, was a customer or supplier of the Employer or any of the Affiliates where his position will be related to the business of the Employer;

(c) solicit or accept the business of any customer or supplier of the Employer or any Affiliate with respect to products similar to those supplied by the Employer; or

(d) solicit or accept any direct or indirect relationship, whether contractual or non-contractual, with any party whereby the Employee would, either directly or indirectly, provide to any customer of the Employer any product or service similar to those provided to any customer of the Employer by the Employer, or purchase from any supplier of the Employer any product or service supplied by any supplier of the Employer to the Employer.

ARTICLE V PRIVACY OF CONSUMER FINANCIAL INFORMATION

All terms used in this section have the meanings given them in the federal Privacy of Consumer Financial Information regulation (12 CFR 332) as amended from time to time. Employer has disclosed, and may disclose in the future, to Employee certain nonpublic business information about Employer's consumers and customers. Employee agrees to maintain the confidentiality of all such information to the same extent that Employer is required to maintain it. Employee further agrees not to disclose or use any such information except to carry out the purposes for which Employer provided such information or as otherwise permitted by (12 CFR 332) or any similar state regulation by which Employer is bound. Notwithstanding any contrary provision of this agreement, Employee agrees to indemnify Employer against and hold Employer harmless from any loss, cost, judgment, settlement, civil money penalty, or other expenditure, including reasonable attorney fees incurred by Employee if it is caused by any violation of this agreement.

ARTICLE VI MISCELLANEOUS

6.1 Authorization to Modify Restrictions/Remedies. It is the intention of the parties that the provisions hereof shall be enforceable to the fullest extent permissible under applicable law, but that the unenforceability (or modification to conform to such law) of any provision or provisions hereof shall not render unenforceable, or impair, the remainder of this Agreement. If any provision or provisions hereof shall be deemed invalid or unenforceable, either in whole or in part, this Agreement shall be deemed amended to delete or modify, as necessary, the offending provision or provisions and to alter the bounds thereof in order to render it valid and enforceable.
In the event of a breach by the Employee of the terms of this Agreement, the Employer shall be entitled, if it shall so elect, to institute legal proceedings to recover damages for any such breach, or to enforce the specific performance of this Agreement by the Employee and to enjoin the Employee from any further violation of this Agreement and to exercise such remedies cumulatively or in conjunction with all other rights and remedies provided by law. The Employee acknowledges, however, that the remedies at law for any breach by him of the provisions of this Agreement may be inadequate and that the Employer shall be entitled to injunctive relief against him in the event of any breach.

6.2 Entire Agreement. This Agreement represents the entire agreement of the parties with respect to the subject matter hereof and may be amended only by a writing signed by each of them.

6.3 Governing Law. This Agreement shall be governed by and construed in accordance with the internal laws of the State of Mississippi, without regard to its conflict of laws provisions.

6.4 Succession and Assignment. This Agreement shall be binding upon and inure to the benefit of the parties named herein and their respective successors and permitted assigns. No party may assign either this Agreement or any of such party's rights, interests or obligations hereunder without the prior written approval of the other party; provided, however, that the Employer may freely, and without the approval, either written or oral, of any other party to this Agreement (i) assign any or all of its rights and interests hereunder to one or more of its Affiliates and (ii) designate one or more of its Affiliates to perform its obligations hereunder. Such assignment and designation by the Employer shall release the Employer from any further obligation under the terms of this Agreement.

6.5 Counterparts, Section Headings. This Agreement may be executed in any number of counterparts, each of which shall be deemed to be an original, but all of which together shall constitute one and the same instrument. The section headings of this Agreement are for convenience of reference only and shall not affect the construction or interpretation of any of the provisions hereof.

6.6 Notices. All notices, requests, demands and other communications hereunder shall be in writing and shall be deemed to have been duly given if delivered or mailed, registered mail, first class postage paid, return receipt requested, or any other delivery service with proof of delivery:

If to the Employer:
BTS Alliance, LLC.
P. O. Box 8370
Columbus, MS

If to the Employee:

Notice may be sent to such other address or to such other person as either party hereto shall have last designated by notice to the other party.

THE EMPLOYEE ACKNOWLEDGES THAT HE HAS READ AND UNDERSTANDS THE FOREGOING PROVISIONS OF THIS AGREEMENT.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement or caused this Agreement to be executed by their duly authorized officers the day and year first above written.

THE EMPLOYEE:

THE EMPLOYER:
BTS ALLIANCE, LLC., a Delaware limited liability company
Name:
Title:

BankTEL License Agreement

SOFTWARE LICENSE AGREEMENT

This Software License Agreement ("Agreement") is entered into this ____ day of ____ 2012, by and between BankTEL Systems, a division of BTS Alliance, LLC whose address is Post Office Box 8370, Columbus, Mississippi ("BankTEL") and by Customer, name, address ("Licensee").

RECITALS

WHEREAS, BANKTEL SYSTEMS is the owner of certain computer software as further described in this Agreement;

WHEREAS, LICENSEE desires to obtain a nonexclusive license to enable it to utilize such software, along with related documentation, for the purposes contemplated under this Agreement;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained in this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

ARTICLE 1 Definitions

The following words have the following meanings when used in this Agreement:

1.1 Agreement. The term "Agreement" means this Software License Agreement and all Appendices, Schedules and Exhibits annexed to this Agreement, together with all future written amendments and addenda.

1.2 Critical Error(s). The term "Critical Error" means a failure of the Software which severely impacts the Licensee's ability to provide service and which cannot be temporarily eliminated through the use of a Bypass or Work Around.

1.3 Error(s). The term "Error(s)" means a failure of the Software to substantially conform to the user documentation and operating manuals furnished by BankTEL or the specification governing the Software which materially impacts operational performance or functional performance.

1.4 Functional Specifications. The term "Functional Specifications" means those specifications to which the Software will conform as set forth in each order attached to this Agreement.

1.5 License(s). The term "License(s)" means any personal, nonexclusive, nontransferable, non-assignable license or licenses for Licensee's internal use only granted by BankTEL to Licensee to use the Software or Software Products under this Agreement.

1.6 Object Code. The term "Object Code" means the binary machine readable version of the Software.

1.7 Program(s) and/or Software. The terms "Program(s)" or "Software" mean the object code version of all BankTEL programs, data, routines, etc. licensed to Licensee and the system of computer instructions which will be made available to Licensee in the form of diskettes, tapes, documentation or such other means as BankTEL may prescribe.

1.8 Related Materials. The term "Related Materials" means all user manuals, handbooks, brochures, literature, instructions and other documentation pertaining to or to be used with the Program and any corrections or additions thereto.

1.9 Site. The term "Site" means the Licensee's computer facility located in one specific geographic location.

1.10 Software Products. The term "Software Products" means all physical components, other than Software, that are offered by BankTEL, including but not limited to, documentation, magnetic media, job aids, templates and other similar devices.

1.11 Source Code. The term "Source Code" means those statements in a computer language, which when processed by a compiler, assembler or interpreter become executable by a computer.

ARTICLE 2 Non-Exclusive Grants of License

2.1 Grant of License. Subject to the provisions of this Agreement as well as the payment of all applicable license fees for the term of such license, BankTEL grants Licensee and Licensee accepts a perpetual, limited, personal, nonexclusive, nontransferable, nonassignable Object Code License to use the Software and Related Materials in support of the Software, described in the Exhibits for Licensee's internal use only in the United States.

2.2 Software and Software Products. All Software and Software Products used in, for, or in connection with the software, parts, subsystems or derivatives thereof (the "System"), in whatever form, including, without limitation, source code, object code, microcode and mask works, including any computer programs, any documentation relating to or describing such Software or Software Products, and the design and user interface of the Software and Software Products, such as, but not limited to logic manuals and flow charts provided by BankTEL, including instructions for use of the Software or Software Products and formulation of theory upon which the Software or Software Products are based, are furnished to Licensee only under a personal, nonexclusive, non-transferable, non-assignable Object Code License solely for Licensee's own internal use.

2.3 No Other License Granted. Except as provided in this Agreement, no license under any patents, copyrights, trademarks, trade secrets or any other intellectual property rights, expressed or implied, is granted by BankTEL to Licensee under this Agreement.

2.4 No Modification or Enhancement of Software. Licensee will not and will not permit its Affiliates or any third party to translate, reverse engineer, decompile, recompile, update or modify all or any part of the Software or merge the Software into any other software.

2.5 Patents, Copyrights, Circuit Layouts, Mask Works, Trade Secrets and Other Proprietary Rights. All patents, copyrights, circuit layouts, mask work, trade secrets and other proprietary rights in or related to the Software are and will remain the exclusive property of BankTEL, whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Software is used or licensed. Licensee will not take any action that jeopardizes BankTEL's proprietary rights or acquire any right in the Software, the Software Products or the Confidential Information, as defined in Section 8.2 of this Agreement. Unless otherwise agreed on a case by case basis, BankTEL will own all rights in any copy, translation, modification, adaptation or derivation of the Software or other items of Confidential Information, including any improvement or development of such items. Licensee will obtain, at BankTEL's request, the execution of any instrument that may be appropriate to assign these rights to BankTEL or perfect these rights in BankTEL's name.

2.6 Title. The Title to the Programs and Related Materials will remain with BankTEL as its sole property subject to Licensee's rights specified in this Agreement. Licensee agrees that it will not sell, trade, make available or divulge the Programs supplied by BankTEL under this Agreement, or assign its interest under this Agreement without the prior written consent of BankTEL.

2.7 Third Party Access To Software. Licensee will not allow any third party to have access to the Software or Software Products without BankTEL's prior written consent.

2.8 No Sub-licenses. Licensee will not have any rights to grant any sub-license, subfranchise or lease of or otherwise transfer any of its rights to the Software and Related Materials under this Agreement without the prior written consent of BankTEL.

ARTICLE 3 Term of Agreement and Licenses

3.1 Term of Agreement. The initial term of this Agreement is for a period as selected in the Exhibits which commences upon the execution of this Agreement. Upon the expiration of the initial selected term of this Agreement, the Agreement may be terminated by either party by written notice with (30) days prior written notice given to the other party, or at any time upon the breach of this Agreement or any order by either party as provided in Article 4.

3.2 Term of Licenses. Subject to the limitations contained in this Agreement, the term of each individual License granted under this Agreement begins on the date of delivery of the Software, and terminates on the date set forth on the order that requested such license, unless earlier terminated as provided in this Agreement.

ARTICLE 4 Termination of Agreement and/or License

4.1 BankTEL's Right to Terminate the Agreement. BankTEL has the right to terminate this Agreement or any order and, at its option, take possession of the Software and Software Products on written notice to Licensee, if:

(a) In BankTEL's reasonable judgment or if Licensee is deemed insolvent, Licensee's financial condition does not justify the terms of payment specified above, unless Licensee immediately pays for all Software, Software Products and Services which have been delivered, and pays in advance for the balance of Software, Software Products and Services remaining to be delivered during the term of this Agreement;

(b) Licensee makes an assignment for the benefit of creditors or a receiver, trustee in bankruptcy or similar officer is appointed to take charge of all or any part of Licensee's property or business;

(c) Licensee is adjudicated bankrupt; or

(d) Licensee neglects or fails to perform or observe any of its obligations under this Agreement and such condition is not remedied within thirty (30) days after Licensee's receipt of written notice by BankTEL to Licensee setting forth Licensee's breach.

Notwithstanding anything contained in this Agreement or any order, BankTEL has the right to immediately terminate this Agreement without notice if Licensee breaches Articles 2, 8, or 9 or otherwise misuses the Software in contravention of this Agreement.

4.2 Licensee's Right to Terminate the Agreement. Licensee has the right to terminate this Agreement or any order on written notice to BankTEL if:

(a) BankTEL neglects or fails to perform or observe any of its obligations under this Agreement and such condition is not remedied within thirty (30) days after BankTEL's receipt of written notice by Licensee to BankTEL setting forth BankTEL's breach.

4.3 Events Occurring Upon Termination. Upon termination, cancellation or expiration of this Agreement or any order, Licensee will, without request by BankTEL, immediately return to BankTEL all Software, Related Materials, and all copies of such Programs in the possession of Licensee or any of Licensee's agents or any parties to whom Licensee may have provided copies thereof in the form provided by BankTEL and other papers, materials and property of BankTEL held by Licensee. Licensee will make no further use of the Software and/or Related Materials. In addition, each party will assist the other party in the orderly termination of this Agreement or any order and in the transfer of all property, tangible and intangible, as may be necessary for the orderly, non-disrupted business continuation of each party.

4.4 Certification by Licensee. Within ten (10) days of the termination, cancellation or expiration of any order or License granted under this Agreement, Licensee will, upon BankTEL's request, certify in writing that all copies of the Software, in whole or in part, have been removed from its production libraries. Concurrent with this certification, Licensee will return to BankTEL all Related Materials, Software and Software Products required by BankTEL to be returned or Licensee's project manager will certify to BankTEL that such Related Materials, Software and Software Products have been destroyed.

4.5 Other Remedies Existing at Law or in Equity. Any termination under this Article will not affect either party's ability to pursue any other remedy existing at law or in equity.

4.6 Obligations that Survive Termination. The parties recognize and agree that their obligations under Articles 5, 8, 10, 11, and 12 and Section 18.2 of this Agreement survive the cancellation, termination or expiration of this Agreement and any particular order or License. These same Articles and Sections apply for the duration of Licensee's use of Software licensed under the License granted in Section 2 or any order.

ARTICLE 5 License Fees

5.1 License Fees. The fees and terms for the Software, Software Products and Services ordered under this Agreement, including any applicable discount and payment schedules, will be set forth in the Exhibits.

5.2 Taxes. In addition to any other payments made pursuant to this Agreement, Licensee agrees to pay all taxes of a type ordinarily paid by a purchaser or licensee of computer software imposed by federal or state government or any subdivision of federal or state government which are levied or based upon the payments or rights transferred pursuant to this Agreement, and the Maintenance and Support Agreement, including, but not limited to, state and local privilege, sales, use or excise taxes, and any taxes or amounts in lieu thereof paid or payable by Licensee or with respect to the foregoing.

ARTICLE 6 Terms of Payment

6.1 Invoicing. BankTEL will invoice Licensee for Software, Software Products and Services based upon the terms described in each particular order.

6.2 Finance Charge. BankTEL may charge Licensee a one and one-half percent (1 ½%) monthly late charge to be calculated monthly with respect to all outstanding amounts not paid within thirty (30) days following the date of BankTEL's invoice(s), but in no event will any late charge exceed the maximum allowed by law.

ARTICLE 7 Training

7.1 Training. If requested by Licensee, BankTEL will provide, at BankTEL's then existing price, instructors and the necessary instructional material, at mutually agreed upon locations and times, to train Licensee's personnel in the operation and use of the Software furnished under this Agreement.

ARTICLE 8 Confidential and Proprietary Information

8.1 Confidential Information. Each party acknowledges and agrees that any and all information emanating from the other's business in any form is Confidential Information and each party agrees that it will not, during or after the term of this Agreement, permit the duplication, use or disclosure of any such Confidential Information to any person not authorized by the disclosing party, unless such duplication, use or disclosure is specifically authorized by the other party in writing prior to any disclosure. Each party will use reasonable diligence, and in no event less than that degree of care that such party uses in respect to its own confidential information of like nature, to prevent the unauthorized disclosure or reproduction of such information. Licensee will not remove any designation mark from any supplied materials that identifies such materials as belonging to or developed by BankTEL. Without limiting the generality of the foregoing, to the extent that this Agreement permits the copying of Confidential Information, all such copies must bear the same confidentiality notices, legends and intellectual property rights designations that appear in the original versions and each party will keep detailed records of the location of all Confidential Information. Licensee agrees to take all necessary precautions to protect the Software from unauthorized use, disclosure, possession, examination or publication. Licensee will promptly notify BankTEL of any unauthorized use, disclosure, possession, sale or transfer of the Software upon receiving notice or obtaining knowledge of the above. This Agreement allows the Licensee to install and use the Program on a single computer/server system.

8.2 Definition of Confidential Information. For the purposes of this Agreement, the term "Confidential Information" does not include: information that is in the public domain; information known to the recipient party as of the date of this Agreement as shown by the recipient's written records, unless the recipient party agreed to keep such information in confidence at the time of its receipt; and information properly obtained hereafter from a source that is not under an obligation of confidentiality with respect to such information. Notwithstanding anything contained in this Agreement, all Software and all Related Materials, whether oral or written, furnished under this Agreement will be considered proprietary and confidential regardless of whether it is marked. The provisions of this Article 8 survive termination or expiration of this Agreement for any reason.

8.3 Privacy of Consumer Financial Information. All terms used in this section have the meanings given them in the federal Privacy of Consumer Financial Information regulation (12 CFR 332) as amended from time to time. Licensee has disclosed, and may disclose in the future, to BankTEL certain nonpublic personal information about Licensee's consumers and customers. BankTEL agrees to maintain the confidentiality of all such information to the same extent that Licensee is required to maintain it. BankTEL further agrees not to disclose or use any such information except to carry out the purposes for which Licensee provided such information or as otherwise permitted by (12 CFR 332) or any similar state regulation by which Licensee is bound. Notwithstanding any contrary provision of this agreement, BankTEL agrees to indemnify Licensee against and hold Licensee harmless from any loss, cost, judgment, settlement, civil money penalty, or other expenditure, including reasonable attorney fees incurred by Licensee if it is caused by any violation of this agreement.

ARTICLE 9 Reproduction of Manuals, Documentation, Object Code and Source Code

9.1 Manuals and Documentation. Licensee has the right, at no additional charge, to reproduce solely for its own internal use, all original manuals and documentation furnished by BankTEL pursuant to this Agreement and any order, regardless of whether such manual or documentation is copyrighted by BankTEL. All copies of manuals or documentation made by Licensee will include any proprietary notice or stamp that has been affixed by BankTEL. BankTEL will furnish for each License purchased by Licensee, and at no additional charge to Licensee, one (1) copy of the relevant documentation sufficient to enable Licensee to operate the Software. All documentation will be in the English language.

9.2 Object Code. One (1) copy of the Object Code may be reproduced by Licensee, at no additional charge, only for back-up or archival purposes. Licensee will notify BankTEL in writing of its methods and procedures for archiving the Object Code prior to doing so.

9.3 Source Code. If a Source Code License is purchased, one (1) additional copy of the Source Code may be reproduced by Licensee, at no additional charge, only for back-up or archival purposes. Licensee will notify BankTEL in writing of its methods and procedures for archiving the Source Code prior to doing so. BankTEL agrees to release Source Code to Licensee, upon request by Licensee, in the event that BankTEL stops offering a Maintenance and Support Agreement in support of the products covered under this Agreement. The circumstance of Licensee acquiring new computer hardware and/or software which is not supported or compatible with the BankTEL Software is not covered under this Section 9.3. BankTEL reserves the right to sell or otherwise transfer its rights of the Software and/or its rights under the Maintenance and Support contracts covered under this Agreement.

ARTICLE 10 Patent and Other Proprietary Rights Indemnification

10.1 Patent, Trademark, Copyright, Trade Secret or Other Proprietary Interests. The following terms apply to any infringement or claim of infringement of any existing United States patent, trademark, copyright, trade secret or other proprietary interests based on the license, use or sale of any Software, Software Products and/or Services furnished to Licensee under this Agreement or in contemplation of this Agreement. Subject to the limitations contained in this Agreement, BankTEL will indemnify Licensee for any loss, damage, expense or liability, including costs and reasonable attorney's fees, finally awarded, that may result by reason of any such infringement or claim, except where such infringement or claim arises solely from BankTEL's adherence to Licensee's written instructions or directions which involve the use of merchandise or items other than (a) commercial merchandise which is available on the open market or is the same as such merchandise, or (b) items of BankTEL's origin, design or selection; and Licensee will so indemnify BankTEL in such excepted cases.
Each party will defend or settle, at its own expense, any action or suit against the other for which it has indemnification obligations under this Agreement. Each party will notify the other promptly of any claim of infringement for which the other is responsible, and will cooperate with the other in every reasonable way to facilitate the defense of any such claim.

10.2 Defense. If the indemnifying party fails to assume the defense of any actual or threatened action covered by this Article 10 within the earlier of (a) any deadline established by a third party in a written demand or by a court and (b) thirty (30) days of notice of the claim, the indemnified party may follow such course of action as it reasonably deems necessary to protect its interest, and will be indemnified for all costs reasonably incurred in such course of action; provided, however, that the indemnified party will not settle a claim without the consent of the indemnifying party.

10.3 Injunction. In the event an injunction or order is obtained against Licensee's use of any item by reason of any such infringement allegation, or if, in BankTEL's sole opinion, the item is likely to become the subject of a claim of infringement or a violation of any existing United States patent, copyright, trademark, trade secret or other proprietary right of a third party, BankTEL will, without in any way limiting the foregoing, in BankTEL's sole discretion and at BankTEL's expense, either:
(a) Procure for Licensee the right to continue using the item;
(b) Replace or modify the item so that it becomes non-infringing, but only if the modification or replacement does not, in BankTEL's reasonable sole opinion, adversely affect the functional performance or specifications for the item or its use by Licensee; or
(c) If neither (a) nor (b) above is practical, remove the items from Licensee's Site and refund to Licensee any license fees paid by Licensee, less a pro rata portion for periods of use

subsequent to removal, and release Licensee from any further liability under the applicable order.

10.4 Other Charges. In no event will Licensee be liable to BankTEL for any charges after the date that Licensee no longer uses the item because of actual or claimed infringement.

ARTICLE 11 Indemnity

11.1 Indemnity. Subject to the limitations contained in this Agreement, BankTEL agrees to indemnify and hold harmless Licensee, and Licensee agrees to indemnify and hold harmless BankTEL, respectively, from any liabilities, penalties, demands or claims finally awarded (including the costs, expenses and reasonable attorney's fees on account thereof) that may be made by any third party, resulting from the indemnifying party's gross negligence or willful acts or omissions or those of persons furnished by the indemnifying party, its agents or subcontractors, or resulting from use of the Software, Software Products and/or Services furnished under this Agreement. BankTEL agrees to defend Licensee, at Licensee's request, and Licensee agrees to defend BankTEL, at BankTEL's request, against any such liability, claim or demand. BankTEL and Licensee respectively agree to notify the other party promptly of any written claims or demands against the indemnified party for which the indemnifying party is responsible under this Agreement. The foregoing indemnity will be in addition to any other indemnity obligations of BankTEL or Licensee set forth in this Agreement.

ARTICLE 12 Limitation of Liability

12.1 No Special, Indirect, Incidental, Punitive or Consequential Damages. EXCEPT AS PROVIDED IN ARTICLE 14, LICENSEE AGREES THE MAXIMUM LIABILITY ASSUMED BY BANKTEL UNDER THIS AGREEMENT, REGARDLESS OF THE CLAIM OR FORM OF ACTION OR SUIT, WHETHER IN CONTRACT, NEGLIGENCE, OR TORT, WILL BE LIMITED TO CORRECTION OR REPLACEMENT COSTS.
BANKTEL WILL NOT BE LIABLE FOR ANY (A) SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF PROFITS, ARISING FROM OR RELATED TO A BREACH OF THIS AGREEMENT OR ANY ORDER OR THE OPERATION OR USE OF THE SOFTWARE, SOFTWARE PRODUCTS AND SERVICES, INCLUDING SUCH DAMAGES, WITHOUT LIMITATION, AS DAMAGES ARISING FROM LOSS OF DATA OR PROGRAMMING, LOSS OF REVENUE OR PROFITS, FAILURE TO REALIZE SAVINGS OR OTHER BENEFITS, OR DAMAGE TO EQUIPMENT, EVEN IF BANKTEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; (B) DAMAGES (REGARDLESS OF THEIR NATURE) FOR ANY DELAY OR FAILURE BY BANKTEL TO PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT DUE TO ANY CAUSE BEYOND BANKTEL'S REASONABLE CONTROL; OR (C) CLAIMS MADE A SUBJECT OF A LEGAL PROCEEDING AGAINST BANKTEL MORE THAN TWO YEARS AFTER ANY SUCH CAUSE OF ACTION FIRST AROSE.

12.2 Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, BANKTEL'S LIABILITIES UNDER THIS AGREEMENT, WHETHER UNDER CONTRACT LAW, TORT LAW, WARRANTY OR OTHERWISE, WILL BE LIMITED TO DIRECT DAMAGES NOT TO EXCEED THE AMOUNTS ACTUALLY RECEIVED BY BANKTEL PURSUANT TO THE PARTICULAR ORDER FROM WHICH SUCH DAMAGES AROSE.

12.3 Indemnity from Third Party Claims. LICENSEE AGREES TO INDEMNIFY OR OTHERWISE HOLD BANKTEL HARMLESS FROM ALL CLAIMS OF THIRD PARTIES THAT MAY ARISE FROM LICENSEE'S USE OF THE ITEMS DELIVERED UNDER THIS AGREEMENT. LICENSEE'S REMEDIES IN THIS AGREEMENT ARE EXCLUSIVE.

ARTICLE 13 Acceptance of Software and Software Products

13.1 Acceptance Tests. BankTEL and Licensee will jointly conduct Software and Software Products acceptance tests during the installation process at a Licensee-designated location during a thirty (30) day acceptance period ("Acceptance Period"). The Acceptance Period will commence once the Software is operational in the Licensee's designated location(s). The Software and Software Products will:
(a) Materially comply with the provisions of the order;
(b) Function substantially in accordance with BankTEL's specifications;
(c) Be compatible with and substantially conform to the user documentation and operating manuals furnished by BankTEL.

13.2 Non-compliance. If, during the Acceptance Period, Licensee determines that the Software and/or Software Products do not substantially meet the above requirements, Licensee may either:
(a) Return the Software for a refund of the total license charge paid for such Software, as shown on the Exhibits, and return all Software and Related Materials and delete all Software from its computers; or
(b) Notify BankTEL in writing, specifying in detail the area of noncompliance. BankTEL will use its good faith efforts to correct all conditions that prevent the Software and/or Software Products from substantially meeting the requirements within sixty (60) calendar days following receipt of notice from Licensee.
If all Licensee-reported conditions that prevent the Software and/or Software Products from substantially complying with the acceptance criteria are not corrected by the end of the Acceptance Period, the Licensee will notify BankTEL in writing within two (2) calendar days following the end of the Acceptance Period, identifying the specific areas of non-compliance. Failure to notify BankTEL in writing constitutes acceptance of the Software and/or Software Products. Upon receipt of written notice of non-compliance, an extension period of sixty (60) calendar days begins, which will supply BankTEL with the time necessary to correct the deficiencies identified in the notice. Within five (5) days after such sixty (60) day period, the Licensee will provide written notice to BankTEL indicating Licensee's acceptance of the Software and/or Software Products, Licensee's desire to extend the extension period, or the Licensee's intent to terminate this Agreement without penalty or further financial obligation.

13.3 Deemed Acceptance. Notwithstanding anything contained in this Agreement or any order to the contrary, Licensee will be deemed to have accepted the Software if Licensee uses the Software in the operation of Licensee's business prior to accepting the Software.

ARTICLE 14 Warranty and Warranty Disclaimer

14.1 Title. Except as provided below, BankTEL warrants that it owns all rights, title and interest in and to the Software and Software Products, or, in the case of any third party software, that it has the right to grant a sublicense to use such third party software.

14.2 Warranties. BankTEL warrants the following:
(a) All Software and Software Products will substantially conform to the functional specifications set forth in each order;
(b) The Software and Software Products are free from material defects in workmanship and materials that prevent them from substantially meeting the functional specifications;
(c) At the time of delivery of the Software and for a period of one year after delivery, the Software will perform in substantial accordance with the Related Materials supplied to Licensee; and
(d) Any Services provided by BankTEL under this Agreement will be performed in a workmanlike manner and in accordance with the prevailing professional standards of the software industry.
This warranty coverage includes any modifications made to the Software by BankTEL. The extent of BankTEL's obligation under this warranty is limited to the correction or replacement, as soon as practicable, of any defective item, or portion thereof, which BankTEL determines to be necessary, provided written notice of such defective item is received by BankTEL during the warranty period. This warranty does not apply if the item has not been used in accordance with BankTEL's instructions, if the item has been altered or modified without the written approval of BankTEL, or if the cause of the defect was beyond the reasonable control of BankTEL. In the event that the Software is destroyed, for whatever reason, either with or without the fault of Licensee, BankTEL will provide new Software at reproduction cost only.

14.3 No Warranty of Error Free Operation.
BankTEL does not warrant that the operation of the Software or the operation of the Software Products will be uninterrupted or error free.

14.4 No Other Expressed or Implied Representations or Warranties. EXCEPT AS SET FORTH IN THIS ARTICLE 14, BANKTEL MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE SOFTWARE, SOFTWARE PRODUCTS OR SERVICES OR THEIR CONDITION, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE OR USE BY LICENSEE. BANKTEL FURNISHES THE ABOVE WARRANTIES IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

14.5 Void Warranties. Any and all warranties are void as to Services, Software or Software Products damaged or rendered unserviceable by (a) the acts or omissions of non-BankTEL personnel; (b) misuse, theft, vandalism, fire, water or other peril; or (c) moving, relocation, alterations or additions not authorized by BankTEL.

14.6 Error Correction Under Warranty. During the warranty period, Licensee will notify BankTEL verbally of errors, and provide written notification to BankTEL within seventy-two (72) hours of such verbal notification.

14.7 Correction of Critical Errors. During the warranty period, BankTEL will use its good faith efforts to immediately correct any Critical Errors affecting Licensee's continued business

use of the Software after BankTEL's notification of the error. BankTEL will use its good faith efforts to correct all other Errors within twenty (20) days after BankTEL's notification of the Error.

ARTICLE 15 Continuing Maintenance Program

Maintenance. Licensee understands and agrees that, except as provided in this Agreement, BankTEL has no obligation to maintain and support the Software. BankTEL will provide the Maintenance and Support for the fees described in the Exhibits attached to this Agreement. The Maintenance and Support covers program updates and telephone, Web Conference, WebEx and WebServ support. Enhancements made to the program by BankTEL are offered as a free upgrade under this Agreement.

Term with Renewal. The Maintenance and Support Agreement is for the term described in the Exhibits and must be renewed monthly, annually or in multi-year increments, as the case may be, in order to maintain continuity of service. If allowed to lapse, any renewal desired by Licensee must be paid to include the lapsed period and forward. BankTEL may increase the charges for the Maintenance and Support Agreement for any renewal term after the primary term. The Maintenance and Support is billed monthly or annually, as the case may be, in advance and is non-refundable.

Consulting Services: BankTEL is available for on-site assistance for training, installation and marketing issues at an additional fee.

ARTICLE 16 Installation

16.1 Installation. Licensee will be exclusively responsible for installation and supervision of the use of the Program, including, but not limited to, the following:
(a) Assuring proper machine configuration, program installation assistance and operating methods, including the development and continued maintenance of sufficient audit controls.
(b) Developing and maintaining adequate backup procedures.
(c) Implementing procedures to satisfy these requirements for security and accuracy of input and output, as well as restart and recovery.
ARTICLE 17 Security, Access and Safety Requirements

17.1 Security, Access and Safety Requirements. BankTEL will instruct its employees, agents and subcontractors that they must comply with Licensee's security, access and safety requirements for the protection of Licensee's facilities and employees while on Licensee's premises.

17.2 Releases Void. Neither party will require waivers or releases of any personal rights from representatives of the other in connection with visits to BankTEL's and Licensee's respective premises. No such releases or waivers will be pleaded by BankTEL or Licensee or third persons in any action or proceeding against an employee.

ARTICLE 18 Dispute Resolution

18.1 General. Except with respect to disputes arising from a misappropriation or misuse of either party's proprietary rights, any dispute or controversy arising out of this Agreement, or its interpretation, shall be submitted to and resolved exclusively by arbitration under the rules then prevailing of the American Arbitration Association, upon written notice of demand for arbitration by the party seeking arbitration, setting forth the specifics of the matter in controversy or the claim being made. The arbitration shall be heard before an arbitrator mutually agreeable to the parties; provided, that if the parties cannot agree on the choice of arbitrator within 10 days after the first party seeking arbitration has given written notice, then the arbitration shall be heard by 3 arbitrators, 1 chosen by each party, and the third chosen by those 2 arbitrators. The arbitrators will be selected from a panel of persons having experience with and knowledge of information technology, and at least 1 of the arbitrators selected will be an attorney. A hearing on the merits of all claims for which arbitration is sought by either party shall be commenced not later than 180 days from the date demand for arbitration is made by the first party seeking arbitration. The arbitrator(s) must render a decision within 30 days after the conclusion of such hearing. Any award in such arbitration shall be final and binding upon the parties, and the judgment thereon may be entered in any court of competent jurisdiction.

18.2 Applicable Law. The arbitration shall be governed by the United States Arbitration Act, 9 U.S.C. The arbitrators shall apply the substantive law of the State of Mississippi, without reference to provisions relating to conflict of laws.
The arbitrators shall not have the power to alter, modify, amend, add to, or subtract from any term or provision of this Agreement, nor to rule upon or grant any extension, renewal, or continuance of this Agreement. The arbitrators shall have the authority to grant any legal remedy available had the parties submitted the dispute to a judicial proceeding.

ARTICLE 19 Miscellaneous Provisions

19.1 Assignment. Licensee may not assign or transfer its interests, rights, or obligations under this Agreement or any order by written agreement, merger, consolidation, operation of law or otherwise, without the prior written consent of an authorized executive officer of BankTEL. Any attempt to assign this Agreement by Licensee will be null and void. Furthermore, for the purposes of this Agreement, the acquisition of an equity interest in Licensee of greater than twenty-five percent (25%) by any third party will be considered an assignment.

19.2 Amendments, Modifications or Supplements. Amendments, modifications or supplements to this Agreement or any order will be permitted, provided all such changes are in writing signed by the authorized representatives of both parties, and all such changes reference this Agreement and identify the specific articles or sections of this Agreement or the particular order that is amended, modified or supplemented.

19.3 Independent Contractor. All work performed by BankTEL in connection with the Software, Software Products and/or Services described in this Agreement will be performed by BankTEL as an independent contractor and not as the agent or employee of Licensee. All persons furnished by BankTEL will be for all purposes solely BankTEL's employees or agents and will not be deemed to be employees of Licensee for any purpose whatsoever. BankTEL will furnish, employ and have exclusive control of all persons to be engaged in performing Services under this Agreement and will prescribe and control the means and methods of performing such

Services by providing adequate and proper supervision. BankTEL will be solely responsible for compliance with all rules, laws and regulations relating to employment of labor, hours of labor, working conditions, payment of wages and payment of taxes, such as employment, Social Security, and other payroll taxes, including applicable contributions from such persons when required by law.

19.4 Compliance with Laws. BankTEL and Licensee each will comply with the provisions of all applicable federal, state, county and local laws, ordinances, regulations and codes, including, but not limited to, BankTEL's and Licensee's obligations as employers with regard to the health, safety and payment of their employees, and the identification and procurement of required permits, certificates, approvals and inspections in BankTEL's and Licensee's performance of this Agreement.

19.5 Governing Law. The validity, construction, interpretation and performance of this Agreement will be governed by and construed in accordance with the domestic laws of the State of Mississippi, except as to its principles of conflicts of laws, and the parties irrevocably submit to the jurisdiction and venue of the Federal District Court for the District of Mississippi to resolve any disputes arising under this Agreement or related to this Agreement.

19.6 Waiver of Breach. No waiver of breach or failure to exercise any option, right or privilege, or failure to enforce at any time any provision or any portion of any provision under the terms of this Agreement or any order, on any occasion or occasions, will be construed to be a waiver of the same or any other option, right, privilege, or right to enforce such provision on any other occasion. No delay or failure of either party in exercising any rights under this Agreement, and no partial or single exercise of any rights under this Agreement, will be deemed to constitute a waiver of such rights or any other rights under this Agreement.

19.7 Force Majeure.
Neither party will be considered in default in performance of its obligations or will be responsible for any delay or failure in performance of any part of this Agreement to the extent that such nonperformance of obligations, delay or failure is caused by fire, flood, explosion, war, embargo, government requirement, civil or military authority, act of God, act or omission of carriers or other similar causes beyond the control and without the fault or negligence of the parties to this Agreement.

19.8 Severability. In the event any provision or any portion of any provision of this Agreement is held to be invalid, illegal, or unenforceable under any applicable law, such invalidity, illegality or unenforceability will not affect the remaining provisions of this Agreement, and this Agreement will be construed as if such invalid, illegal, or unenforceable provision or provisions had never been contained in this Agreement.

19.9 Risk of Loss. Risk of loss or damage to Software and/or Software Products licensed by Licensee under this Agreement will vest in Licensee when the Software and/or Software Products have been received by Licensee, or its representative, provided that such loss or damage is not caused by BankTEL, its employees or agents.

19.10 Section Headings. The section headings contained in this Agreement are inserted only as a matter of convenience and reference and in no way define, limit or describe the scope or intent of this Agreement and do not in any way affect its provisions.

19.11 Entire Agreement. This Agreement constitutes the entire agreement between BankTEL and Licensee and contains all agreements, expressed or implied, either verbal or in writing.

There are no promises, undertakings, warranties or agreements of any kind pertaining to this Agreement except as stated in this Agreement; provided, however, that all exhibits referenced in this Agreement will be incorporated into the body of this Agreement as if fully set forth in the Agreement.

19.12 Alteration by Licensee. BankTEL will not be responsible in any regard for any Program which is altered by Licensee, and Licensee assumes any and all risks and liabilities arising from such alteration.

19.13 Attorney's Fees. In any action brought by either party to enforce its rights under this Agreement, the prevailing party is entitled to recover from the unsuccessful party reasonable attorney's fees, legal costs, court costs and expenses incurred by that party in connection with such action.

19.14 Binding Effect. This Agreement inures to the benefit of and is binding upon the parties to this Agreement and their successors.

19.15 Specifications. BankTEL reserves the right, without prior approval from or notice to the Licensee, to make changes to the Software and Software Products and to substitute Software and Software Products reflecting those changes, provided the Software and Software Products delivered substantially conform to the new specifications.

19.16 Third Party Software. Licensee has sole responsibility to obtain and pay for any third party software necessary or desirable to operate the Software.

19.17 Hardware Requirements. The Programs are designed to run on Windows computers and servers. Updated specifications can be obtained from BankTEL.

19.18 Notices. All notices, demands or other communications provided to be given or that may be given by any party to the other will be deemed to have been duly given when made in writing and delivered in person, or upon receipt if deposited in the United States mail, postage prepaid, certified mail, return receipt requested, as follows:
Notices to BankTEL: Attn: Boyce Adams, President & CEO, P.O. Box 8370, Columbus, MS
Notices to Licensee: Attn: ______
or to such addresses as the parties may provide to each other in writing from time to time.

The parties have executed this Agreement effective as of ______, 2012.

BankTEL Systems, a division of BTS Alliance, LLC
Licensee: ______

By: Boyce Adams, President & CEO
By: ______

Exhibit A

Products listed

License term shall be until ______, OR check one: ( ) 3 years ( ) 5 years ( ) Other ______

Monthly or annual maintenance charges, as the case may be, will remain the same for the term selected and will be billed after installation. Monthly billing will be by ACH on a monthly basis or by quarterly statement billed in advance, at the option of Licensee. Travel expenses will be billed after installation for all on-site installations. After expiration of the selected term, maintenance charges will increase annually by 3% or the Consumer Price Index (CPI), whichever is greater. In the event the Licensee experiences significant asset growth (defined as growth through asset acquisition, whether by merger or purchase), BankTEL reserves the right to adjust maintenance charges to the current maintenance rates it charges financial institutions of a similar size. Ongoing support is provided by the use of WebEx; if WebEx is not allowed, problem resolution is not guaranteed. Maintenance will begin ninety (90) days after installation and then be billed every twelve (12) months thereafter. All pricing listed above, unless noted otherwise, is for one installation of the software. Additional companies can be added at 25% of annual maintenance each. A $500 setup fee per company may apply depending on the time needed, along with any conversion fees for data. Quotes can be made before any project is started.

NOTES: See Article 15 for the Continuing Maintenance clause.

The parties have executed this Agreement effective as of ______.

BankTEL Systems, a division of BTS Alliance, LLC
Licensee: ______
By: Boyce Adams, President & CEO
By: ______

BankTEL Disaster Recovery Plan

January 2, 2012

To Whom It May Concern:

In response to your inquiry about BankTEL's role in your business contingency plan and testing plan.

Bank's Responsibility

Data and Software: BankTEL assumes that the bank has policies and procedures in place to ensure that all data and programs are backed up in a timely manner with equipment that meets the compatibility standards of the bank's hot site.

Equipment: All equipment used for BankTEL processing is the property of the bank. BankTEL assumes that equipment needs for hot site processing are addressed in the bank's contingency plan.

BankTEL's Role: In the event that the bank declares an emergency and moves processing to the hot site: BankTEL's software on the server for data access will run on a temporary license for 30 days. When new equipment is acquired or after 30 days, BankTEL will provide new licensing. Workstations require an install and setup. BankTEL will provide priority support via WebEx and the phone to accomplish this.

Contingency Testing: This is not part of the yearly software support contract. BankTEL can provide remote assistance at the following rates. Normal business hours with a minimum of 3 days' notice: $150 per hour with a minimum charge of 4 hours per day. Other notice or non-business hours: $250 per hour with a minimum charge of 4 hours per day.

Sincerely,
Richard Hunt, VP and COO
BankTEL Systems

Introduction

The following Disaster Recovery Plan was designed to provide the steps and actions that should be taken by BankTEL Systems management and department staff in the event of a disaster, as well as to secure client data. The emergency portion of this plan could be triggered by a number of natural disasters, including fire and tornado. Failure of certain hardware and building elements could also call for use of the sections of this plan that were created for use in the event of an emergency. Because the types of disasters that could occur are numerous and each one could have a multitude of variables and requirements for restoration of service, this plan was designed to cover a major instance that would see the complete destruction of the main office. In the event of a disaster, only the sections of this manual that are associated with that disaster would be used. This decision would come from BankTEL management. In the absence of BankTEL management, this decision would be made by BankTEL Department Managers.

1.0 Overview

1.1 Policy Statement
It is the policy of BankTEL to maintain a comprehensive Disaster Recovery Plan for all critical organization functions. Each department head is responsible for ensuring compliance with this policy and that their respective plan component is tested no less than annually. BankTEL Disaster Recovery efforts exercise reasonable measures to protect employees, safeguard assets, and protect client accounts.

1.2 Introduction
This plan was specifically designed to guide BankTEL through a recovery effort of specifically identified organization functions. At the onset of an emergency condition, BankTEL employees and resources will respond quickly to any condition which could impact BankTEL's ability to perform its critical organization functions.
The procedures contained within have been designed to provide clear, concise and essential directions to recover from varying degrees of organization interruptions and disasters.

1.3 Confidentiality Statement
This manual is classified as the confidential property of BankTEL Systems. Due to the sensitive nature of the information contained herein, this manual is available only to those persons who have been designated as plan participants, assigned membership to one of the BankTEL recovery teams, clients of BankTEL, or who are prospective clients of BankTEL. This manual remains the property of BankTEL and may be repossessed at

any time. Unauthorized use or duplication of this manual is strictly prohibited and may result in disciplinary action and/or civil prosecution.

1.4 Manual Distribution
Each plan recipient will receive and maintain two (2) copies of the disaster recovery manual; one copy will be kept in the plan recipient's work area, and the second copy will be kept at the plan recipient's residence. Replacement manuals and additional copies may be obtained from BankTEL's Disaster Recovery Manager. Backup copies of all recovery documentation are maintained at BankTEL's office in Columbus, MS.

1.5 Manual Reclamation
Plan recipients who cease to be an active member of a disaster recovery team or an employee of BankTEL must surrender both copies of their disaster recovery manual to the Disaster Recovery Manager. BankTEL reserves any and all rights to pursue the return of these manuals.

1.6 Plan Revision Date
The latest manual revision date is November 2,

1.7 Defined Scenario
A disaster is defined as a disruption of normal organization functions where the expected time for returning to normalcy would seriously impact BankTEL's ability to maintain customer commitments and regulatory compliance. BankTEL's recovery and restoration program is designed to support a recovery effort where BankTEL would not have access to its facilities and data at the onset of the emergency condition.

1.8 Recovery Objectives
BankTEL's Disaster Recovery Plan was written with the following objectives:
- To ensure the life/safety of all BankTEL employees throughout the emergency condition, disaster declaration, and recovery process.
- To reestablish the essential organization-related services provided by BankTEL within their required recovery window, as identified in the recovery portfolio in Section 3, at the declaration of disaster.
- To suspend all non-essential activities until normal and full organization functions have been restored.
- To mitigate the impact to BankTEL customers through the rapid implementation of effective recovery strategies as defined herein.

- To reduce confusion and misinformation by providing a clearly defined command and control structure.
- To consider relocation of personnel and facilities as a recovery strategy of last resort.

1.9 Plan Exclusions
The BankTEL Disaster Recovery Plan was developed with the following exclusions:
- Succession of Management
- Restoration of the Primary Facilities

1.10 Plan Assumptions
BankTEL's Disaster Recovery Plan was developed under certain assumptions in order for the plan to address a broad spectrum of disaster scenarios. These assumptions are:
- BankTEL's recovery efforts are based on the premise that any resources required for the restoration of critical organization functions will be available outside of the primary facility. These include, but are not limited to, Salesforce.com, Quickbooksonline.com, BankTEL.Webex.com and SherWeb.com.
- Any disaster that occurs will be a local and not a regional disaster.

1.11 Declaration Initiatives
BankTEL's decision process for implementing any of the three levels of recovery strategies to support the restoration of critical organization functions is based on the following declaration initiatives:
- Every reasonable effort has been made to provide critical services to BankTEL's customers by first attempting to restore the primary facility and/or operate using intraday procedures.
- After all reasonable efforts have failed to restore the primary facility, and using manual procedures severely degrades client support, BankTEL would invoke a recovery strategy that requires the relocation of personnel and resources to an alternate site(s).
- If the outage will clearly extend past the acceptable period of time identified in the Recovery Portfolio (Section 3), a declaration of disaster will immediately be made.

1.12 Recovery Strategies

In order to facilitate a recovery regardless of the type or duration of disaster, BankTEL has implemented multiple recovery strategies. These strategies are categorized into three (3) levels. Each level is designed to provide an effective recovery solution equally matched to the duration of the emergency condition.

LEVEL 1: SHORT-TERM OUTAGE (RIDE-OUT) - LESS THAN 24 HOURS

A short-term outage is defined as the period of time in which phone lines and/or internet service would be non-operational for a period no longer than 24 hours. During this time BankTEL would transfer all incoming support calls to an off-site location that has internet access. BankTEL has been informed by its service provider (Bandwidth.com) that a time period of no longer than 15 minutes would be required to transfer these calls. BankTEL would then send all Support Staff who have high speed internet access home. Support calls would then be logged into BankTEL's CRM (Salesforce.com) and responded to by the aforementioned Support Staff members. All Development projects will be ceased until such time as the outage has been restored.

LEVEL 2: MEDIUM-TERM OUTAGE (TEMPORARY) - 1-3 DAYS

A medium-term outage is defined as the period of time that BankTEL will execute its formal disaster recovery strategy, which includes actually declaring a disaster. A disaster may either be declared company wide or only for the affected department or building. The decision to declare a disaster will be based on the amount of time/expense that is required to implement the formal recovery and the anticipated impact to BankTEL over this period of time. During this time BankTEL Customer Support will continue to operate in a Level 1 recovery strategy. All development projects will continue to be placed on temporary hold.

LEVEL 3: LONG-TERM OUTAGE (RELOCATION) - 4 DAYS OR MORE

A long-term outage is defined as the period of time that BankTEL will exceed the allowed occupancy time of its primary recovery strategy. During this phase of recovery BankTEL Customer Support will continue to operate in a Level 1 recovery strategy. BankTEL will initiate a physical move of personnel to a location either in a neighboring Mississippi city (Tupelo or Meridian) or a neighboring Alabama city (Birmingham or Tuscaloosa). This decision will be based on the extent and location of the disaster that occurred as well as the amount of time/expense that is required for the physical relocation to take place.

Team Overview

During an emergency each team member contributes the skills that they use in their everyday work to the overall response.

Team Charters

Crisis Management Team - The CMT is comprised of senior BankTEL management and is responsible for authorizing declarations of disaster, emergency investment strategy and approving public release of information.

Business Restoration Team - The BRTs consist of personnel from each BankTEL area deemed critical to the continuation of BankTEL. The captains of the BRT are updated with information by the CMT to pass on to their team members to ensure prompt recovery of each department.

Disaster Recovery Prevention

No matter how much preparation is done, not all disasters can be prevented. However, there are steps that can be taken to prevent some events and reduce recovery time. BankTEL has taken such steps when it comes to the backing up of source code and the protection of sensitive customer data.

BankTEL source code is backed up each night and the previous night's backup tape is taken to a secure offsite location. This source code is also backed up and stored at a professional Software Escrow Company's site (EscrowTech International) on a semi-annual basis.

Only employees and designated visitors are allowed to pass the foyer of the BankTEL office. This is done upon successful entry of a security code into an electronic keypad. All visitors are required to sign in by writing their name, date and time on the Visitor's log.

All BankTEL employees are given a key to the building, a personal alarm code and the security code for entrance beyond the foyer of the BankTEL office. Upon termination or resignation the security code and alarm code will be changed. The key given to the employee will be returned to management no later than the employee's last day of employment.

All workstations require a username and password for logon. All workstations will automatically log off after 15 minutes of non-activity. Employee logons are immediately deleted upon termination or resignation.

Employees are not allowed to save any customer data to local hard drives. Data may only be saved in designated locations on the servers. All servers are located in the Server Room. This room may only be entered by designated personnel upon successful entry of a security code into an electronic keypad.

At the end of each business day all employees are required to close and lock all windows in their office. They are also required to close all blinds so that visibility from

the outside of the window is at a minimum. All documentation is required to be locked in their desk drawers. Employees are given a key to each drawer of their desk. A second key is kept under lock and key and can only be accessed by BankTEL management. If an employee steps away from their desk for an extended amount of time then any visible documentation is to be placed out of sight of anyone who may pass by.

The office building is protected by a burglar alarm system which was installed by AES. This alarm is maintained by Complete Home Systems based in Columbus, MS. This alarm system is operational 24 hours a day, 7 days a week with an automatic telephone dialer to the local Fire Department. This phone line is exclusive and does not tie into the company switchboard. This alarm system electronically logs activation and deactivation times as well as the employee code that was used to perform the action.

2.0 Emergency Phone Numbers

Complete the following to ensure that you have identified all the Emergency services:

Police: (662)
Fire: (662)
Alarm Company (AlarmOne): (662) / (800)

Communications

Local Telephone (AT&T): (866)
Internal Phone System: (fonality.com)
VOIP Provider (Bandwidth.com):

Network Maintenance

Servers (Dell Silver Server Support): (866)

AntiVirus (ESET): (866)
Network Repair (Synergetics): (662)

Customer Support Utilities

CRM (Salesforce.com): (415)
Website (Hostway Support): (800)
Remote Support (Webex Escalated Support): (866)

Back Up Utilities

Escrow Source Code Storage (Escrow Tech Intl): (801)

2.3 Threat Profile

Hazard: Freezing Rain
Profile of Hazard: Freezing rain is rain occurring when surface temperatures are below freezing. The moisture falls in liquid form, but freezes upon impact, resulting in a coating of ice glaze on exposed objects. This occurrence may be called an ice storm when a substantial glaze layer accumulates. Ice forming on exposed objects generally ranges from a thin glaze to coatings about an inch thick. A heavy accumulation of ice, especially when accompanied by high winds, devastates trees and transmission lines. Sidewalks, streets and highways become extremely hazardous to pedestrians and motorists. During the winter citizens should be prepared to shelter themselves at home for several days, possibly without power. Local shelters can be opened in areas where power is not affected but transportation to a shelter may be difficult.
First Response:
Step 1: Monitor weather advisories
Step 2: Notify on-site employees
Step 3: Call local radio and TV stations to broadcast weather closing information for employees at home
Step 4: If roads are deemed unsafe then notify employees that commute a great distance that they should work from home.

Hazard: Tornadoes
Profile of Hazard: Tornadoes are violent rotating columns of air, which descend from severe thunderstorm cloud systems. They are normally short-lived local storms containing high-speed winds usually rotating in a counter-clockwise direction. These are often observable as a funnel-shaped appendage to a thunderstorm cloud. The funnel is initially composed of nothing more than condensed water vapor. It usually picks up dust and debris, which eventually darkens the entire funnel. A tornado can cause damage even though the funnel does not appear to touch the ground.
First Response:
Step 1: Monitor weather conditions
Step 2: Notify employees of potential of severe weather
Step 3: Power off equipment
Step 4: Shut off utilities (power and gas)
Step 5: Instruct employees to assume protective posture
Step 6: Assess damage once storm passes
Step 7: Assist affected employees

Hazard: Floods
Profile of Hazard: In several areas of Lowndes County, unusually heavy rains may cause flash floods. Small creeks, gullies, dry streambeds, ravines, culverts or even low lying ground frequently flood quickly. In such situations, people are endangered before any warning can be given.
First Response:
Step 1: Monitor flood advisories
Step 2: Determine flood potential to BankTEL.
Step 3: Determine employees at risk. If needed notify employees that commute a great distance that they should work from home.
Step 4: Pre-stage emergency power generating equipment
Step 5: Assess damage

Hazard: Hurricanes
Profile of Hazard: Even though Lowndes County is not considered a coastal area, hurricanes do affect our area.
First Response:
Step 1: Power-off all equipment
Step 2: Listen to Hurricane advisories
Step 3: Evacuate area, if flooding is possible
Step 4: Check gas, water and electrical lines for damage
Step 5: Do not use telephones, in the event of severe lightning
Step 6: Assess damage

Hazard: Earthquakes
Profile of Hazard: An earthquake is the shaking, or trembling, of the earth's crust, caused by underground volcanic forces of breaking and shifting rock beneath the earth's surface.
First Response:
Step 1: Shut off utilities
Step 2: Evacuate building if necessary
Step 3: Account for all personnel
Step 4: Determine impact of organization disruption

Hazard: Power Failures
Profile of Hazard: Power failures can be caused by winter storms, lightning or construction equipment digging in the wrong location. For whatever the reason, power outages in a major metropolitan area can severely impact the entire community.
First Response:
Step 1: Call power company for assessment
Step 2: Ensure that automatic back up power supply (natural gas generator) has activated.
Step 3: If a length of down time cannot be determined then shut down all servers.

Hazard: Urban Fires
Profile of Hazard: In metropolitan areas, urban fires can, and do, cause hundreds of deaths each year and Lowndes County is no exception. Even with strict building codes and exceptions, citizens still perish needlessly in fires.
First Response:
Step 1: Attempt to suppress fire in early stages
Step 2: Evacuate personnel on alarm, as necessary
Step 3: Notify fire department
Step 4: Shut off utilities
Step 5: Account for all personnel
Step 6: Search for missing personnel
Step 7: Assess damage

2.4 Recovery Strategy Overview

BankTEL's Disaster Recovery Plan is based on the organization surviving the loss of BankTEL's office and/or key personnel and systems during a disaster. Once BankTEL's CMT has determined that a declaration of disaster is required, the following sequence of events will occur:

Step 1: Evacuate affected facility. Instruction: If the emergency requires an evacuation of employees, execute evacuation plans contained in the Emergency Procedures section.
Step 2: Go to staging area. Instruction: Follow building evacuation instructions.
Step 3: Determine length of outage. Instruction: Review written and verbal damage assessment reports from facilities and civil authorities and then estimate the amount of time the facility will be uninhabitable.
Step 4: Select disaster level. Instruction: Based on the estimated duration of the outage, declare the disaster event as either an L1 (Less than 24 hrs.), L2 (1-3 days) or L3 (4 days or longer).
Step 5: Release personnel from the staging area. Instruction: Once the disaster level has been selected, release all Support Staff from the staging area to their homes. CMT will decide if all departments should work from their homes based on the Recovery Strategy Level.

Step 6: CMT redirect incoming support calls. Instruction: CMT personnel will transfer incoming phone calls to a Customer Support Representative at an outside location that has internet access. This will be done by notifying Bandwidth.com that a transfer of calls is needed. These calls will be logged into BankTEL's CRM (Salesforce.com) as normal.
Step 7: Customer Support will resume as normal. Instruction: At their homes Support Staff members will continue to provide customer support to clients as normal. This will be done via Salesforce.com and Webex.com.

The Following Steps Would Only Apply to an L3 Recovery Strategy

Step 8: CMT Begin Process of Finding New Business Location. Instruction: CMT will begin searching for a new permanent business location. During this time Support Staff Representatives will continue to support clients from their homes. Development Staff members will also work from their homes.
Step 9: Create Technology Shopping List. Instruction: The IT staff will create a list of items that may need replacing. After a list is compiled then the items will be ordered.
Step 10: Retrieve electronic/hardcopy vital records. Instruction: Retrieve all vital records including backups of the servers, workstations and source code. These items will be shipped to the new permanent business location.
Step 11: Setup replacement LAN. Instruction: The priority of BankTEL Server restoration to support all other BankTEL Business functions is: Development Projects; Client Data Conversions.
Step 12: Populate alternate facility. Instruction: Once the replacement LAN/WAN is functional, notify all staff members. Business will continue as normal with all members working from the new permanent business location.

2.5 Plan Participants

The following presents the BankTEL plan participants and their associated recovery function. At the time of a disaster, these individuals will be among the first to be contacted.

Recovery Role: Recovery Manager
Primary: Name: Richard Hunt; Title: VP & COO; Office: (662); Cell: (662); Home: (662); Email: richard.hunt@banktel.com; Pager/other:
Alternate: Name: Nathan Turner; Title: Special Projects Manager; Office: (662); Cell: (662); Home:; Email: nathan.turner@banktel.com; Pager/other:

Recovery Role: IT Recovery
Primary: Name: Synergetics; Title: Outside IT Consultants; Office: (877); Cell: (662); Home:; Email: mlowe@syndcs.com; Pager/other: (662)
Alternate: Name: Bonnie Baker; Title: Technical Operations Director; Office: (662); Cell: (662); Home: (662); Email: bonnie.baker@banktel.com; Pager/other:

Recovery Role: Administrative Support
Primary: Name: Boyce Adams; Title: President & CEO; Office: (662); Cell: (662); Home:; Email: boyce.adams@banktel.com; Pager/other:
Alternate: Name: John Bowen; Title: Chief Financial Officer; Office: (662); Cell: (662); Home: (662); Email: john.bowen@banktel.com; Pager/other:

3.0 Recovery Portfolio

The following organization processes will be recovered within the sequence specified below:

Priority Rank 1 - Organization Process: Incoming Support Calls
Potential Impact: Incoming Support Calls are the main business operation for BankTEL. Without incoming calls clients could not be assisted and new clients could not be installed.
Allowable Downtime: 30 Minutes

Priority Rank 2 - Organization Process: High Speed Internet
Potential Impact: Without high speed internet access Support Representatives could not assist clients remotely. This applies to installation of new clients as well as high priority support calls. Support Representatives would still be able to assist lower level support calls over the phone.
Allowable Downtime: 2 Hours

Priority Rank 3 - Organization Process: Development
Potential Impact: Major development changes could be postponed for up to one month. However, bug fixes may or may not be able to be postponed this amount of time. The severity of the bug would determine this. Some bugs could cause data corruption or data loss for clients.
Allowable Downtime: 1 Week

4.0 Recovery Team Checklists

4.1 Support Staff Team Checklist

Recovery Function: Support Staff
Primary: Nathan Turner
Alternate: Jake Brown
Alternate Locations:
Primary Work Area: Permanent Building Location

Alternate Work Area: Each Support Staff Member's Home

Charter: Responsible for all support aspects of the recovery effort based on decisions made by the CMT. This includes continuing to assist clients with their needs via phone and remote support.

Retrieval List: The following items should be removed from your work area if possible in the event that you are evacuated from the building:
- CPU/Laptop
- Phone
- Any documents that are of high importance.

Recovery Resources: In order to perform your recovery efforts, you will need access to the following resources:
- Phone
- PC
- Internet

Recovery Steps: The following are the recovery tasks to be followed:
- Retrieve important items from work area if possible
- Evacuate building
- Wait for all clear or activation notice
- Follow instructions from CMT
- Contact any support staff members who are not present

Calling List: You are responsible for calling the following employees and/or companies:
- Any support staff members who aren't present.

Vital Records: The following documents and/or electronic media will be required for your recovery effort:
- Only access to webex.com and salesforce.com will be needed.

4.2 Development Staff Team Checklist

Recovery Function: Support Staff
Primary: Richard Hunt
Alternate: Josh Tubb
Alternate Locations:
Primary Work Area: Permanent Building Location
Alternate Work Area: Each Development Staff Member's Home

Charter: Responsible for development aspects of the recovery effort based on decisions made by the CMT. Development staff members' first priority in the event of a disaster would be to assist the support staff if needed. Their second priority would be bug fixes and major development projects.

Retrieval List: The following items should be removed from your work area if possible in the event that you are evacuated from the building:
- CPU/Laptop
- Phone
- Any documents that are of high importance.

Recovery Resources: In order to perform your recovery efforts, you will need access to the following resources:
- Phone
- PC
- Internet

Recovery Steps: The following are the recovery tasks to be followed:
- Retrieve important items from work area if possible
- Evacuate building
- Wait for all clear or activation notice
- Follow instructions from CMT
- Contact any development staff members who are not present

Calling List: You are responsible for calling the following employees and/or companies:
- Any development staff members who aren't present.
- Work with IT in restoring the latest backup of the source code.

Vital Records: The following documents and/or electronic media will be required for your recovery effort:
- CPU/Laptop with development software installed. If needed the development software can be downloaded from BankTEL's website.
- Access to the latest source code.
- Internet access would be needed in order to supply support staff members with changes to the software.

4.3 Network Staff Team Checklist

Recovery Function: Support Staff
Primary: Synergetics
Alternate: Bonnie Connor
Alternate Locations:
Primary Work Area: Permanent Building Location
Alternate Work Area: Synergetics Main Office

Charter: Responsible for the networking aspects of the recovery effort based on decisions made by the CMT. BankTEL's IT admin will restore server backups at Synergetic Main Office on a designated server. If BankTEL's server is destroyed then the IT admin will begin the process of ordering a replacement server. With the assistance of Synergetic, BankTEL's IT admin will be responsible for setting up the LAN at BankTEL's new primary location.

Retrieval List: The following items should be removed from your work area if possible in the event that you are evacuated from the building:
- Backup Tapes
- Windows and Phone Servers
- CPU/Laptop
- Phone
- Any documents that are of high importance.

Recovery Resources: In order to perform your recovery efforts, you will need access to the following resources:
- Phone
- PC
- Internet

Recovery Steps: The following are the recovery tasks to be followed:
- Retrieve important items from work area if possible
- Evacuate building
- Wait for all clear or activation notice
- Follow instructions from CMT
- Contact any development staff members who are not present

Calling List: You are responsible for calling the following employees and/or companies:
- Any IT staff members who aren't present.
- Synergetic
- Bandwidth.Com
- Cisco
- Fonality
- AT&T

Vital Records: The following documents and/or electronic media will be required for your recovery effort:
- Existing or replacement Windows server.
- Existing or replacement workstations
- Existing or replacement network routers.
- Existing or replacement phones.

4.4 Administrative Staff Team Checklist

Recovery Function: Support Staff
Primary: Boyce Adams
Alternate: John Bowen
Alternate Locations:
Primary Work Area: Permanent Building Location
Alternate Work Area: Home

Charter: Responsible for deciding what level of disaster has occurred, coordinating disaster recovery strategies and, if needed, deciding on a new primary location for business.

Retrieval List: The following items should be removed from your work area if possible in the event that you are evacuated from the building:
- CPU/Laptop
- Any documents that are of high importance
- Phone

Recovery Resources: In order to perform your recovery efforts, you will need access to the following resources:
- Phone
- PC
- Internet

Recovery Steps: The following are the recovery tasks to be followed:
- Retrieve important items from work area if possible
- Evacuate building
- Wait for all clear or activation notice
- Decide what level of disaster has occurred.
- Instruct employees as to what recovery strategies should be completed.
- If needed begin the process of locating a new primary location for business.

5.0 Emergency Contacts

5.1 Vendor Dependencies

All plans require a comprehensive listing of external contacts:

Provider: Cingular/AT&T; Contact: Data; Purpose: Analog Phone Line (Fax / 911)
Provider: WatchGuard; Contact:; Purpose: Firewall
Provider: Synergetic; Contact:; Purpose: Network Consultant
Provider: Dell (Microsoft); Contact: Silver Server Technical Support; Purpose: Support
Provider: AlarmOne; Contact:; Purpose: Alarm (Burglar and Fire)
Provider: Hostway; Contact: Technical Support; Purpose: Website Host / Exchange
Provider: Salesforce; Contact: Support; Purpose: CRM
Provider: Symantec; Contact: Gold Support; Purpose: AntiVirus & AntiSpam Protection
Provider: WebEx; Contact: Escalated Support; Purpose: Remote Customer Support Tool
Provider: Fonality; Contact:; Purpose: Office Phone System
Provider: Bandwidth.com; Contact:; Purpose: VOIP Provider
Provider: Escrowtech International Inc.; Contact:; Purpose: Source Code Escrow
Provider: Progressive Heating & Cooling; Contact:; Purpose: Heating & Air Conditioning
Provider: James Taylor; Contact:; Purpose: Building (Air / Electric)
Provider: Wythe Rhett; Contact:; Purpose: Building
Provider: Mark Reed; Contact:; Purpose: Electrical Contractor
Provider: RemitPlus; Contact:; Purpose: Lockbox Provider
Provider: Patco Electric; Contact: Jason Smyth; Purpose: Generator
Provider: CableOne; Contact:; Purpose: Cable Internet

7.0 Product Information

The BankTEL Financial Suite delivers the industry's most advanced accounting applications to our clients. BankTEL offers total integration, increased efficiency and unprecedented reliability through a single source. Accounts Payable, Pre-Paid and Accruals, Fixed Asset, Shareholder Management, Vendor Management, Branch Scanning and Invoice Approval applications are fully integrated into BankTEL's Financial Accounting Suite, providing an automated system to improve operational efficiency. The systems provide financial and cash management solutions that streamline operations and improve profits.

The current market for BankTEL Systems consists of financial institutions, from small single office institutions to multi state regional banking entities.

8.0 Financial Information (unaudited)

Exhibit A - Sales & Recurring Revenue Growth

Key financial numbers:

- BankTEL has achieved an average of 20% revenue growth from 2001 to 2011.
- BankTEL has averaged a 94% customer retention rate over the last 11 years.
- The average BankTEL customer uses 3.4 BankTEL products.

Exhibit B - Financial History Graph 2003 to 2011 projections to


More information

Policy for the Acceptable Use of Information Technology Resources

Policy for the Acceptable Use of Information Technology Resources Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...

More information

MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT

MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT TO: John Phillips, City Manager Number: 04-020 SUBJECT: Computer Network, Internet and E-Mail Access Policy Date: 9/903 Attached is copy of the Information

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Angard Acceptable Use Policy

Angard Acceptable Use Policy Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants

More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

c. Require or Request Photos of Subscriber f. Allow Subscribers Access to Other Subscriber Information

c. Require or Request Photos of Subscriber f. Allow Subscribers Access to Other Subscriber Information Diocese of Orlando Network Acceptable Use Policy for All Parishes, Schools and Entities of the Diocese of Orlando Parent Addendum (Please note these are excerpts from the full document) 5.3 Unacceptable

More information

Student & Staff Access and Use of Networked Information Resources and Communications

Student & Staff Access and Use of Networked Information Resources and Communications Page 1 of 6 These procedures are written to support the Electronic Resources Policy of the board of directors and to promote positive and effective digital citizenship among students and staff. Digital

More information

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 Purpose and Intent The City of Boston recognizes the importance

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY The Acceptable Use Policy ("the Policy") governs use of the Buckeye Express High Speed Internet Service ("the Service"). All subscribers

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

Boston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources

Boston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources Boston Public Schools Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and Scope of Policy Technology Resources ACCEPTABLE USE POLICY AND GUIDELINES Boston

More information

Acceptable Use Policy - NBN Services

Acceptable Use Policy - NBN Services OASIS TELECOM ABN: 31 155 359 541 P: 1300 734 399 F: 03 9011 9644 care@oasistelecom.com.au www.oasistelecom.com.au PO Box 6153, Point Cook, VIC - 3030 Acceptable Use Policy - NBN Services Important Note:

More information

Acceptable Use Policy Revision date: 26/08/2013

Acceptable Use Policy Revision date: 26/08/2013 Acceptable Use Policy Revision date: 26/08/2013 Acceptable usage Policy for all Services As a provider of web site hosting and other Internet-related services, Corgi Tech Limited offers its customer (also

More information

Acceptable Use Policy for Residential Subscribers

Acceptable Use Policy for Residential Subscribers Acceptable Use Policy for Residential Subscribers Why is Packerland Broadband ( Packerland ) providing this Policy to me? Packerland's goal is to provide its customers with the best residential cable Internet

More information

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Odessa College Use of Computer Resources Policy Policy Date: November 2010 Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational

More information

HIPAA and Health Information Privacy and Security

HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security and Electronic Communications Acceptable Use Policy (AUP) Policy No.: AUP v2.0 Effective Date: August 16, 2004 Revision Date: January 17, 2013 Revision No.: 1 Approval jwv / mkb Information Security and Electronic Communications (AUP) 1. INTRODUCTION Southwestern

More information

Policy and Procedure for Internet Use Summer Youth Program Johnson County Community College

Policy and Procedure for Internet Use Summer Youth Program Johnson County Community College Policy and Procedure for Internet Use Summer Youth Program Johnson County Community College This Policy and Procedures for Internet Use booklet has been prepared for Summer Program students with access

More information

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services Bureau

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY

EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY This is a statement of The New York Institute for Special Education s (NYISE s) policy related to employees Computer Network and Internet

More information

Administrative Procedures Manual. Management Information Services

Administrative Procedures Manual. Management Information Services I-23.10 Management Information Services The College owns and operates a local area network (LAN) that connects the College's computing hardware and services. Computing hardware refers to any device that

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY The Acceptable Use Policy ("the Policy") governs use of the Buckeye Express High Speed Internet Service ("the Service"). All subscribers

More information

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014 Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology

More information

INFORMATION SYSTEM GENERAL USAGE POLICY

INFORMATION SYSTEM GENERAL USAGE POLICY PURPOSE The Information System General Usage Policy ("Policy") establishes appropriate uses of Devon s Information Systems. Devon provides secure Information Systems in accordance with the Information

More information

Responsible Use of Technology and Information Resources

Responsible Use of Technology and Information Resources Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni

More information

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE Directive Concerning the Colorado Judicial Department Electronic Communications Usage Policy: Technical, Security, And System Management Concerns This

More information

Appendix I. The City University of New York Policy on Acceptable Use of Computer Resources

Appendix I. The City University of New York Policy on Acceptable Use of Computer Resources Appendix I The City University of New York Policy on Acceptable Use of Computer Resources Introduction CUNY s computer resources are dedicated to the support of the university s mission of education, research

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

Faculty/Staff/Community Mountain Home School District Computer and Network Appropriate Use Policy

Faculty/Staff/Community Mountain Home School District Computer and Network Appropriate Use Policy Faculty/Staff/Community Mountain Home School District Computer and Network Appropriate Use Policy Mountain Home School District is responsible for securing its network and computer systems against unauthorized

More information

City of Venice Information Technology Usage Policy

City of Venice Information Technology Usage Policy City of Venice Information Technology Usage Policy The City of Venice considers information technology (IT) resources to be city resources. It shall be the policy of the city to maintain these resources

More information

INTERNET ACCEPTABLE USE POLICY

INTERNET ACCEPTABLE USE POLICY INTERNET ACCEPTABLE USE POLICY 1 Introduction..3 Background..3 Objectives of this Policy...3 Application of this Policy..4 References and Related Legislation and Regulations..4 Policy Statement.4 Methods

More information

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3 Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use

More information

Acceptable Use of Information Technology

Acceptable Use of Information Technology Acceptable Use of Information Technology No.: 3501 Category: Information Technology Services Approving Body: Leadership Team Executive Division: Learning and Technology Services Department Responsible:

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy PLEASE READ THIS AGREEMENT CAREFULLY BEFORE ACCESSING THE SERVICE. BY ACCESSING THE SERVICE YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS BELOW. IF YOU DO NOT WISH TO BE BOUND

More information

DIOCESE OF DALLAS. Computer Internet Policy

DIOCESE OF DALLAS. Computer Internet Policy DIOCESE OF DALLAS Computer Internet Policy October 2012 Page 1 ROMAN CATHOLIC DIOCESE OF DALLAS COMPUTER SYSTEMS AND INTERNET USE POLICY Summary Definitions: 1. The term Communication(s) Assets as used

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Embedded Network Solutions Australia Pty Ltd (ENSA) INTERNET ACCEPTABLE USE POLICY

Embedded Network Solutions Australia Pty Ltd (ENSA) INTERNET ACCEPTABLE USE POLICY T: 1300 00 ENSA (3672) F: 03 9421 6109 (ENSA) INTERNET ACCEPTABLE USE POLICY 1 ABOUT THIS POLICY... 2 2 GENERAL... 2 3 ILLEGAL ACTIVITY... 2 4 SECURITY... 2 5 RISKS OF THE INTERNET... 3 6 CONTENT PUBLISHING...

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

Acceptable Use and Publishing Policy

Acceptable Use and Publishing Policy 1. Purpose This Policy outlines the principles, guidelines and requirements of acceptable use of and publishing to ecreators Pty Ltd (ecreators) hosting products and services. The purpose of this Policy

More information

R3321 ACCEPTABLE USE OF COMPUTER NETWORK(S)/COMPUTERS AND RESOURCES BY TEACHING STAFF MEMBERS

R3321 ACCEPTABLE USE OF COMPUTER NETWORK(S)/COMPUTERS AND RESOURCES BY TEACHING STAFF MEMBERS R 3321/Page 1 of 7 R3321 AND RESOURCES BY TEACHING STAFF MEMBERS The school district provides computer equipment, computer services, and Internet access to its pupils and staff for educational purposes

More information

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability

More information

Franciscan University of Steubenville Information Security Policy

Franciscan University of Steubenville Information Security Policy Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,

More information

By writing to: Cougar Wireless, Attention: Customer Service, 4526 S. Regal St., Suite A, Spokane, WA., 99224

By writing to: Cougar Wireless, Attention: Customer Service, 4526 S. Regal St., Suite A, Spokane, WA., 99224 COUGAR WIRELESS ACCEPTABLE USE POLICY I. INTRODUCTION Cougar Wireless and its various affiliates and subsidiaries (collectively we, us, our ) are committed to being responsible network citizens. To assist

More information

Technology Department 1350 Main Street Cambria, CA 93428

Technology Department 1350 Main Street Cambria, CA 93428 Technology Department 1350 Main Street Cambria, CA 93428 Technology Acceptable Use and Security Policy The Technology Acceptable Use and Security Policy ( policy ) applies to all CUSD employees and any

More information

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users Table of Contents... 1 A. Accountability... 1 B. System Use Notification (Login Banner)... 1 C. Non-... 1 D. System Access... 2 E. User IDs... 2 F. Passwords... 2 G. Electronic Information... 3 H. Agency

More information

Revised: 6-04, 8-09, 1-12 REGULATION #5420

Revised: 6-04, 8-09, 1-12 REGULATION #5420 Adopted: 9-03 PORTAGE PUBLIC SCHOOLS Revised: 6-04, 8-09, 1-12 REGULATION #5420 SUBJECT: Electronic Communications, Internet Safety & Acceptable Use Agreement All PPS electronic information resources are

More information

Insert GNIS Logo Here. Acceptable Use Policy & Guidelines Information Technology Policies & Procedures. Guangzhou Nanhu International School

Insert GNIS Logo Here. Acceptable Use Policy & Guidelines Information Technology Policies & Procedures. Guangzhou Nanhu International School Insert GNIS Logo Here Acceptable Use Policy & Guidelines Information Technology Policies & Procedures Guangzhou Nanhu International School May, 2013 Table of Contents 1 Overview...1 2 Purpose...1 3 Scope...1

More information

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks The Valmeyer Community Unit School District #3 Board of Education supports the use of the Internet and other computer

More information

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security State Fair Community College shall provide a central administrative system for use in data collection and extraction. Any system user

More information

region16.net Acceptable Use Policy ( AUP )

region16.net Acceptable Use Policy ( AUP ) region16.net Acceptable Use Policy ( AUP ) Introduction By using service(s) provided by region16.net (including, but not necessarily limited to, Internet Services and videoconferencing), you agree to comply

More information

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements Page 1 of 5 K-20 Network Acceptable Use Guidelines/Internet Safety Requirements These procedures are written to support the Electronic Resources Policy of the board of directors and to promote positive

More information

Terms in this document are defined in the SOA policy ISP-002 Information Security Glossary.

Terms in this document are defined in the SOA policy ISP-002 Information Security Glossary. Effective: 8/13/2010 Last Review: 11/1/2010 Next Review: Quarterly Version: 1.1 Approved by: CIO Pages 5 Distribution: SOA 1. Purpose To outline acceptable use and clarify the protection of State of Alaska

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks

Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks Valmeyer Community Unit School District #3 Acceptable Use Of Computers and Networks The Valmeyer Community Unit School District #3 Board of Education supports the use of the Internet and other computer

More information

BRIGHAM AND WOMEN S HOSPITAL

BRIGHAM AND WOMEN S HOSPITAL BRIGHAM AND WOMEN S HOSPITAL HUMAN RESOURCES POLICIES AND PROCEDURES SUBJECT: SOCIAL MEDIA, ELECTRONIC COMMUNICATION and ACCEPTABLE USE POLICY #: HR-503 EFFECTIVE DATE: January 1, 2008 POLICY This policy

More information

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460. Subject: Authoritative Policy: Procedure Number: Distribution: Purpose: Acceptable Use of Information Technology (former Ad Guide 1460.00) Standard Number 1340.00 Information Technology Information Security

More information

COUNSEL S CHAMBERS LIMITED

COUNSEL S CHAMBERS LIMITED COUNSEL S CHAMBERS LIMITED CCL s Acceptable Use Policy Policy for the use of CCL Network A. APPLICATION 1. This policy sets out terms and conditions on which Users may access and use CCL s Network. Please

More information

TECHNOLOGY ACCEPTABLE USE POLICY

TECHNOLOGY ACCEPTABLE USE POLICY Policy Statement TECHNOLOGY ACCEPTABLE USE POLICY Reason for Policy/Purpose The purpose of this policy is to provide guidelines to the acceptable and ethical behavior that guides use of information and

More information

STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET

STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET Contents 1. Prohibited Uses and Activities 2. Customer Conduct and Features of the Service 3. Network Management and

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Commonwealth Office of Technology

Commonwealth Office of Technology Commonwealth Office of Technology ENTERPRISE POLICY Policy Number: CIO-060 Effective Date: 05/15/96 Revision Date: 03/19/08 Policy Statement: The purpose of this enterprise policy is to define and outline

More information

Appropriate Use Policy for Information Technology

Appropriate Use Policy for Information Technology Appropriate Use Policy for Information Technology Amarillo College Faculty, Staff, Students, Friends and Guests Amarillo College reserves the right to amend or otherwise revise this document as may be

More information

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 Introduction The IT systems must be used in a reasonable manner and in such a way that does not affect their efficient operation,

More information