INFORMATION SECURITY PROGRAM

1.          General Provision

1.1.         Information Security Program. OSPInsight - An IQGeo business ("OSPI") maintains and implements its Information Security Program which establishes proper policies, procedures, and standards to protect the confidentiality, integrity and availability of all information and data, whether in electronic or tangible form. The Information Security Program protects against anticipated or actual threats or hazards, including Security Breaches. The Information Security Program contains administrative, physical, technical, and organizational safeguards in accordance with industry best practices having regard to the state of the art, the costs of implementation, the likelihood of an incident, and the perceived security risk. OSPI implements and enforces disciplinary measures against employees and contractors for failure to abide by its Information Security Program.

1.2.         Notification of Security Breaches. In the event of a Security Breach, OSPI will promptly, and in accordance with applicable laws, inform Customer and provide available details of the Security Breach, including the nature and scope of the incident and what types of data may have been accessed, lost, or misused.

1.3.         Secure Disposal. OSPI securely disposes of Customer Data in accordance with applicable law, taking into account currently available technology so that Customer Data cannot be reasonably read or reconstructed.

1.4.         Personnel Training. OSPI provides annual security awareness and privacy and confidentiality training to all personnel who process or may have access to Customer Data. These trainings educate personnel about the importance of information security and the laws and contractual obligations that govern personal information and Customer Data, and instruct them on how to safeguard such data against data loss, misuse, or security breaches, whether attempted through physical, logical, or social engineering means.

1.5.         User Access Management. OSPI implements access control policies to support creation, amendment, and deletion of user accounts for systems or applications storing or allowing access to Customer Data. OSPI’s user account and access provisioning process assigns and revokes access rights to systems and applications. Personnel account privileges are allocated on a “least privilege” basis. Personnel access to environments and Customer Data is restricted and segregated based on job responsibilities. Personnel access to systems and applications with access to Customer Data is reviewed on at least a quarterly basis.

1.6.         Passwords and Multi-factor Authentication. Industry standard password security is implemented for all OSPI employee accounts. Policies include minimum length, complexity, restrictions on password reuse, the number of password resets permitted in a given timeframe, and the frequency with which passwords must be changed. OSPI has implemented and maintains a multi-factor authentication method required for access to applications and systems containing Customer Data.

1.7.         Employee Termination. OSPI maintains an employee termination process that specifies timeframes for termination of logical and physical access, including procedures for OSPI to collect any devices or equipment containing Customer Data from the terminating employee, at the time of termination.

1.8.         Secure User Authentication. OSPI ensures proper user authentication for all of its employees and contractors with access to Customer Data, including by assigning each employee and contractor unique access credentials for access to any system on which Customer Data can be accessed and prohibiting employees and contractors from sharing their access credentials. OSPI ensures that all persons having access to OSPI’s systems and Customer Data have appropriately controlled and limited access, access is removed when no longer required or appropriate, and all persons who should not have access (e.g. terminated employees) cannot obtain access.

1.9.         Separation of Duties. OSPI maintains separation of duties to prevent end-to-end control of a process by one individual.

1.10.         Data Storage. Unless otherwise agreed to in an Order, OSPI stores Customer Data in the United States.

2.         Application Security

2.1.         Change Control. OSPI maintains policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and the testing and approval of changes into production.

2.2.         Secure Communications. OSPI employs industry standard communication security measures to protect data from unauthorized access. The service security measures include server authentication and data encryption. The data processing environment is protected using one or more firewalls that are updated according to industry standards.

2.3.         Key Management. OSPI implements key management procedures that include the secure generation, distribution, activation, storage, recovery, and replacement/update of cryptographic keys. Keys are rotated on a regular basis and lost, corrupted, or expired keys are revoked or disabled immediately.

2.4.         Logging and Monitoring. OSPI generates administrator and event logs for systems and applications that store, allow access to, or process Customer Data. Logs are archived for a minimum of 180 days. Logs for all applications, systems, or infrastructure that support, process, or store confidential or higher data are archived for at least one year. Logs capture key security event types. Access to modify system logs is restricted. In the event of a confirmed Security Breach, appropriate logs may be shared with Customer upon reasonable request. OSPI reviews system logs regularly to identify system failures, faults, or potential security incidents affecting Customer Data.

2.5.         Anti-Virus/Anti-Malware. OSPI implements appropriate anti-virus/anti-malware detection software across all information systems processing Customer Data in its organization that are determined to be at risk, and where an acceptable solution is available. OSPI maintains anti-virus/anti-malware software to ensure it is up to date with the most recent virus and malware signatures and definitions. On systems where anti-virus/anti-malware is not implemented, appropriate system hardening procedures are applied to minimize exposure.

2.6.         Intrusion Detection. OSPI implements and maintains an intrusion detection monitoring process at the network and/or host level to detect unwanted or hostile network traffic. OSPI keeps its intrusion detection software current, applying updates on a scheduled basis as they are made available by the software provider. OSPI implements measures to ensure that OSPI is alerted when the system detects unusual or malicious activity.

2.7.         Data Segmentation. To prevent unauthorized access to Customer Data, OSPI implements technical controls to ensure that Customer Data is properly segmented from data belonging to OSPI’s other customers.

2.8.         Secure Coding Practices. Developers attend secure development training periodically. All new code is peer-reviewed and undergoes full quality assurance and regression testing prior to being introduced into production. OSPI logically or physically separates environments for development, testing, and production.

3.         Physical Security

3.1.         Facilities. At facilities that OSPI controls, OSPI maintains appropriate physical security measures to ensure the safety and protection of employees, company assets, and Customer Data. OSPI will continually monitor any changes to the physical infrastructure and known threats.

4.         Data Security

4.1.         Encryption. OSPI encrypts Customer Data when writing to removable devices and while in transit. OSPI utilizes industry standard platform and data-appropriate encryption in non-deprecated, open/validated formats, and standard algorithms.

4.2.         Vulnerability & Patch Management. OSPI maintains a vulnerability management process to identify, report, and remediate vulnerabilities by performing vulnerability scans, implementing vendor patches or fixes, and developing a remediation plan for critical vulnerabilities. OSPI applies security patches on a regular basis to servers, firewalls, and systems used to access or process Customer Data.

4.3.         Data Transfers and Downloads. OSPI uses commercially reasonable efforts to prevent Customer Data from being taken from OSPI’s premises, copied, or downloaded unless approved by Customer.

4.4.         Storage Media. OSPI has implemented industry standard disk-level encryption on all machines that store or otherwise process Customer Data. OSPI will ensure that any storage media within its control (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data will be securely erased or destroyed before repurposing or disposal.

5.         Third-Parties

5.1.         Vendor Assessments. Prior to engaging new third-party service providers and vendors that will have access to Customer Data, OSPI conducts a risk assessment of the data security practices of each third-party. OSPI also conducts periodic reviews of each third-party to ensure their data security practices continue to meet the necessary requirements to protect Customer Data. OSPI bears sole responsibility for its subcontractors.

6.         Testing and Audits

6.1.         Penetration Tests. OSPI periodically undertakes an application penetration test by an independent third-party. OSPI remediates all critical and high vulnerabilities identified in the penetration test. All other findings are remediated in a timeframe that is commensurate with the identified risks.

6.2.         Vulnerability Scanning. OSPI performs regular vulnerability scanning against services and key infrastructure utilizing industry standard tools or well-known external suppliers. Internal scans are performed at least monthly. External scans are performed at least quarterly, utilizing a Payment Card Industry Security Standards Council Approved Scanning Vendor.

7.         Disaster Recovery & Business Continuity

7.1.         Risk Assessment. OSPI maintains a risk assessment program to help identify foreseeable internal and external risks to OSPI’s information resources and determine if existing controls, policies, and procedures are adequate.

7.2.         Backups. OSPI backs up its production databases according to a defined schedule and stores backups offsite.

7.3.         Disaster Recovery Plan. OSPI maintains a disaster recovery plan that is consistent with industry standards. Regular testing of the disaster recovery plan is conducted to ensure its continued effectiveness.

7.4.         Business Continuity Plan. OSPI maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural). This plan includes procedures to be followed in the event of an actual or potential business interruption and has a stated goal of resumption of routine services within 48 hours of such an event.

Last updated
March 15, 2021