
Appendix B Sample Written Information Security Plan


I. OBJECTIVE:

Our objective, in the development and implementation of this written information security plan, is to create effective administrative, technical and physical safeguards in order to protect our customers' non-public personal information. The plan will evaluate our electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting, and disposing of our customers' non-public personal information.

II. PURPOSES:

a) Ensure the security and confidentiality of our customers' information;
b) Protect against any anticipated threats or hazards to the security or integrity of our customers' information;
c) Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any of our customers.

III. ACTION PLANS:

a) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or information systems;
b) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information;
c) Evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.

IV. ACTION STEPS:

a) Appoint a specific person or persons within the firm to be responsible for:
1) initial implementation of the plan;
2) training of employees;
3) regular testing of the controls and safeguards established by the plan;
4) evaluating the ability of prospective service providers to maintain appropriate information security practices, ensuring that such providers are required to comply with this information security plan, and monitoring such providers for compliance herewith; and
5) periodically evaluating and adjusting the plan, as necessary, in light of relevant changes in technology, sensitivity of customer information, reasonably foreseeable internal or external threats to customer information, changes to our own business (such as mergers or acquisitions or outsourcing), and/or changes to customer information systems.

b) Conduct an annual training session for all owners, managers, employees and independent contractors, and periodic training for new employees working for the firm, on the elements of this information security plan, the contents of the firm's Privacy Policy, and any other requirements of federal or state privacy laws. All persons in attendance should be required to certify their attendance at the training, their receipt of the firm's privacy policy, and their familiarity with the firm's requirements for ensuring the protection of customers' non-public personal information.

c) Determine reasonably foreseeable internal threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or information systems; assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.

Threat: Intentional or inadvertent misuse of customer information by current employees
Risk Level: Low
Response:
1) Dissemination of, and annual training on, privacy laws and the firm's privacy policy.
2) Incorporation of privacy policy guidelines into the employee handbook.
3) Employment agreements amended to require compliance with the privacy policy and to prohibit any nonconforming use of customer information during or after employment.
4) Employees encouraged to report any suspicious or unauthorized use of customer information.
5) Periodic testing to ensure these safeguards are implemented uniformly.

Threat: Intentional or inadvertent misuse of customer information by former employees subsequent to their employment
Risk Level: Medium
Response:
1) Require return of all customer information in the former employee's possession (e.g., policies requiring return of all firm property, including laptop computers and other devices in which records may be stored, files, records, work papers, etc.).
2) Eliminate access to customer information (e.g., policies requiring surrender of keys, ID or access codes or badges, and business cards; disable remote electronic access; invalidate voicemail, e-mail, internet and passwords, etc.; and maintain a highly secured master list of all lock combinations, passwords, and keys).
3) Change user IDs and passwords for current employees.
4) Amend employment agreements during employment to require compliance with the privacy policy and to prohibit any nonconforming use of customer information during or after employment.
5) Send pre-emptive notices to clients when the firm has reason to believe a departed employee may attempt to wrongfully use customer information, informing them that the employee has left the firm.
6) Encourage employees to report any suspicious or unauthorized use of customer information.
7) Periodic testing to ensure these safeguards are implemented uniformly.

Threat: Inadvertent disclosure of customer information to the general public or guests in the office
Risk Level: Low
Response:
1) Prohibit employees from keeping open files on their desks when stepping away.
2) Require all files and other records containing customer records to be secured at day's end.
3) Use a software program that requires each employee to enter a unique log-in ID to access computer records, and to log in again when the computer is inactive for more than a few minutes.
4) Change user IDs and passwords for current employees.
5) Restrict guests to one entrance point; require them to present a photo ID, sign in, and wear a plainly visible GUEST badge or tag; and restrict the areas within the office in which guests may travel.
6) Use shredding machines on unused photocopies or other records being discarded before depositing them in trash or recycling bins.
7) Ensure secure destruction of obsolete equipment, including computer hardware and software.
8) Encourage employees to report any suspicious or unauthorized use of customer information.
9) Periodic testing to ensure these safeguards are implemented uniformly.
{ VERY LARGE FIRMS MAY WISH TO CONSIDER ADDING THE FOLLOWING: }
10) Require all customer records to be maintained in locked desks or filing cabinets when the records are not being used, or when the office is closed.
11) Install a security badge system, requiring employees to use photo ID badges with an electronic strip to open locked internal doors in the office.

d) Determine reasonably foreseeable external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or information systems; assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks.

Threat: Inappropriate access to, or acquisition of, customer information by third parties
Risk Level: Low
Response:
1) Install firewalls for access to the firm's internet site. Include the privacy policy on the site.
2) Require secure authentication for internet and/or intranet and extranet access.
3) Establish dial-in protections (such as Caller-ID, callback, or encryption) to prevent unauthorized access.
4) Require encryption and authentication for all infrared, radio, or other wireless transmissions.
5) Train employees to protect and secure laptops, handheld computers, or other devices used outside the office that contain customer information.
6) Install virus-checking software that continually monitors all files, downloads, floppy disks, CDs, and all incoming and outgoing e-mail.
7) Establish uniform procedures for installation of updated software.
8) Establish systems and procedures for secure back-up, storage and retrieval of computerized and paper records.
9) Establish procedures to ensure external points of entry to the office are closed, locked and inaccessible to unauthorized persons when the office is closed.
10) Install a burglar alarm or other security system, with training for authorized persons on activation and deactivation.
11) Physically lock or otherwise secure the computer room and, if necessary, all areas in which paper records are kept.
12) Use shredding machines on unused photocopies or other records being discarded before depositing them in trash or recycling bins.
13) Ensure secure destruction of obsolete equipment, including computer hardware and software.
14) Encourage employees to report any suspicious or unauthorized use of customer information.
15) Periodic testing to ensure these safeguards are implemented uniformly.

Threat: Inappropriate use of customer information by third parties
Risk Level: Medium
Response:
1) Evaluate the ability of all prospective third-party service providers to maintain appropriate information security practices.
2) Provide all third-party service providers to whom contractual access to premises or records has been granted (including, but not limited to, insurance companies being solicited for new or renewal policies, mailing houses, custodial or plant services, equipment or services vendors, affiliates, non-affiliated joint marketing partners, etc.) with a copy of the Privacy Policy.
3) Require all such third parties by written contract to adhere to the Privacy Policy, to agree to make no use of any non-public personal information on your customers that would be prohibited thereby, or otherwise by law or contract, and to agree to hold harmless and indemnify the firm for any inappropriate use of customer non-public personal information.
4) Require all such third parties by written contract to return all customer information and all other firm property at the completion or termination, for whatever reason, of the agreement between the firm and the third party.
5) Prohibit access to customer information (e.g., policies requiring surrender of keys, ID or access codes or badges; disabling remote electronic access; invalidating voicemail, e-mail, internet and passwords, etc., if applicable) for all such third parties upon completion or termination, for whatever reason, of the agreement between the firm and the third party.
6) Change user IDs and passwords for current employees.
7) Send pre-emptive notices to clients when the firm has reason to believe a terminated third-party service provider may attempt to wrongfully use customer information, informing them that the agreement with the firm is no longer in effect.
8) Encourage employees to report any suspicious or unauthorized use of customer information.
9) Periodic testing to ensure these safeguards are implemented uniformly.
