PURPOSE
The purpose of this policy is to establish a comprehensive information security program that meets the objectives of the interagency guidelines issued under sections 501(b) and 505(b) of the Gramm-Leach-Bliley Act (collectively, GLBA). These guidelines require Trustgrid to: (i) ensure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of such records; (iii) protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer; and (iv) ensure the proper disposal of customer data. Trustgrid will also comply with the Payment Card Industry Data Security Standard (PCI-DSS) as it pertains to cardholder (ATM/debit) data.
POLICY
It is the policy of Trustgrid, Inc. (“Trustgrid”) to safeguard and hold confidential all nonpublic personal information (NPI), except as necessary to carry out the services for which Trustgrid has been engaged or as permitted under an exception provided by the privacy laws. The Privacy Rule defines a “customer” as a consumer who has a continuing relationship with a financial institution under which that institution provides one or more financial products or services to be used primarily for personal, family, or household purposes; for the purposes of this policy, the institution is one that does business with Trustgrid. This definition determines which information is covered by the Trustgrid Information Security Program. Trustgrid shall also instruct its employees, agents, and contractors to use the same care and discretion with respect to confidential information.
GLBA requires that an employee or group be designated to coordinate and oversee Trustgrid’s Information Security Program. The Trustgrid Board of Directors has mandated the creation of a Risk Management Group (RMG) to govern information security policies and standards.
STANDARDS
Risk Assessment
Reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information must be identified. The likelihood and potential damage of each threat must then be assessed, taking into account the sensitivity of the customer information involved. Finally, the sufficiency of the policies, procedures, customer information systems, and other arrangements in place to control those risks must be assessed. At a minimum, the risk assessment must consider the risks in each relevant business area and must be repeated at least annually.
Safeguards and Controls
Information safeguards must be designed and implemented to control the risks identified through the risk assessment, and their effectiveness must be regularly tested or otherwise monitored. Safeguards must be adjusted in light of the results of that testing or monitoring and of any change in Trustgrid’s operations or business arrangements that may have a material impact on the information security program. Trustgrid will control risk in the following ways:
- Individual employees are authorized to access Trustgrid customer data, files, or reports only if their specific job responsibilities require that access. Employees must ensure that data is appropriately stored and protected during use and is secured or disposed of after use. Controls must be established to minimize the risk of employees disclosing customer information to unauthorized individuals who attempt to obtain it through fraudulent means. These controls are defined and tested through Trustgrid’s SOC 2 evaluation.
- Appropriate restrictions must be in place to prevent access to data by unauthorized individuals during periods when the data is not monitored. Data records must be kept in locked or otherwise secured areas to ensure the confidentiality of customer records.
- NPI must be disposed of in a manner that preserves its confidentiality. To that end, Trustgrid will ensure that any medium (paper, disk, USB device, etc.) containing confidential information is disposed of in a way that prevents any future access. Data stored on hard drives or removable storage must be securely erased or physically destroyed in accordance with the RMG Data Destruction Policy v1.0 or newer.
- Measures must be in place to protect against the destruction, loss, or damage of customer information due to environmental hazards such as fire or water damage, or due to technological failures.
- Background checks shall be performed on all new employees and independent contractors (individuals performing job duties with access to nonpublic customer information) prior to employment. Depending on job responsibilities, these checks include some or all of the following: criminal history, financial history, educational and professional credentials, employment history, professional references, motor vehicle records (MVR), and drug screening.
- Management shall evaluate and structure employee responsibilities in a manner to provide appropriate separation of duties to reduce the risk that an employee or group of employees could conceal errors or fraud in the normal course of their duties.
- Monitoring systems and procedures shall be utilized to detect actual and attempted attacks on, or intrusion into, customer information systems.
- Periodic information security training shall be conducted covering how the Information Security Program is implemented and new threats to the confidentiality, integrity, and availability of information systems, in accordance with the RMG Information Security Policy (current version or newer).
- Appropriate action shall be taken to address any incident of unauthorized access to customer information, and customers shall be notified as soon as possible of any breach of Trustgrid’s security that materially affects them or their information. Incident reporting and notification shall follow Trustgrid’s Incident Response Policy (current version or newer).
- The Information Security Program shall be tested regularly to confirm that its key controls, systems, and procedures operate as intended. Tests will be conducted by an independent third party or by the internal compliance department, in either case independent of the staff who develop or maintain the Information Security Program.
- Physical access to any Trustgrid facility shall be granted only at the discretion of management and in accordance with Trustgrid policies.
- Trustgrid uses and stores Google user data solely to authenticate users to Trustgrid resources. Trustgrid does not store passwords or any other information about the user beyond email address, name, and group memberships.