SOFTWAREIDM INFORMATION SECURITY POLICY
SoftwareIDM’s Information Security Program. SoftwareIDM’s information security program (“ISP”), the elements of which are described below, is designed to help: (i) protect the confidentiality, integrity, and availability of Customer data against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; accidental loss or destruction or damage; and (ii) safeguard information as set forth in any local, state or federal regulations applicable to any service provided by SoftwareIDM. SoftwareIDM’s ISP contains administrative, technical, and physical safeguards that are appropriate to: (i) the size, scope and type of SoftwareIDM’s business; (ii) the amount of resources available to SoftwareIDM; (iii) the type of information that SoftwareIDM stores; and (iv) the need for security and confidentiality of such information.
- Security Awareness Training. Security awareness training includes mandatory security training about the handling and securing of confidential information and sensitive information such as personally identifiable information, financial account information, and health information consistent with applicable law, and periodic security awareness communications and security courses that focus on end-user awareness.
- Security Policies and Procedures. Information Security, Use and Management Policies are designed to (i) educate employees and contractors regarding appropriate use, access to and storage of confidential and sensitive information; (ii) restrict access to confidential and sensitive information to members of SoftwareIDM’s workforce who have a “need to know” such information; (iii) prevent terminated employees from accessing SoftwareIDM information post-termination; and (iv) impose disciplinary measures for failure to abide by such policies. SoftwareIDM performs background checks of its employees at time of hire, as permitted by law.
- Physical and Environmental Access Controls. SoftwareIDM limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals. SoftwareIDM also has camera or video surveillance systems at critical internal and external entry points. SoftwareIDM applies air temperature and humidity controls for its data centers and protects against loss due to power failure.
- Vulnerability Management. SoftwareIDM regularly performs vulnerability scans and addresses detected vulnerabilities on a risk basis. Periodically, SoftwareIDM engages third parties to perform network vulnerability assessments and penetration testing.
- Cyber Incident Response Plan. SoftwareIDM has an incident response plan to manage and minimize the effects of unplanned cyber events that includes procedures to be followed in the event of an actual or potential security breach, including: an internal incident response team with a response leader; an investigation team performing a root causes analysis and identifying affected parties; internal reporting and notification processes; documentation of responsive actions and remediation plans; and a post-incident review of events.
- Risk Identification & Assessment. SoftwareIDM uses a risk assessment program to help it identify foreseeable internal and external risks to SoftwareIDM’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.