Data Security and Privacy Protocol
Technical and Organizational Measures

The technical and organizational security measures (“TOMs”) and controls implemented by Sentry Management, Inc. (“SMI”) to protect Customer Data, including personal data and ensure the ongoing confidentiality, integrity, and availability of SMI’s products and services are described herein. SMI may, from time to time, make changes to these security measures and controls, but in so doing will not materially weaken its protection of Customer Data.

1.             Information Security Governance.

A.         SMI maintains dedicated staff responsible for the development, implementation, and maintenance of SMI’s information security program.

B.         SMI implements a set of policies for information security that are defined, approved by management, published, and communicated to personnel and relevant external parties.

C.         SMI regularly reviews the policies for information security at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness.

D.         SMI implements audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the SMI organization, monitoring and maintaining compliance with SMI policies and procedures, and reporting the condition of its information security and compliance to executive management.

E.         SMI values the confidentiality of information and adheres to requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of such information are identified, regularly reviewed, documented, and enforced.

2.             Information Security Training.

A.         SMI requires that new personnel complete security awareness training as part of the on-boarding process.

B.         SMI ensures that all employees of the organization and, where relevant, contractors receive regular, but at least annually, and appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

C.            Employees and, where relevant, contractors complete regular, but at least annually, data protection training as relevant for their job function.

3.             Data Protection.

A.         SMI engages in information assets classification to classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

B.         SMI maintains identified, documented, and implemented acceptable use standards of information, the assets associated with the information, and information processing facilities.

C.         SMI storage media is disposed of securely, ensuring data is rendered unrecoverable, when no longer required or prior to reuse, using formal procedures.

D.         SMI has an established access control policy which is, documented, and reviewed based on business and information security requirements. The controls include:

•              Access controls for workspaces,

•              Access controls for IT systems, and

•              Access controls for apps and data.

E.         SMI actively engages in security controls which include logical segregation of data, restricted (e.g., role-based) access, monitoring, and where applicable, utilization of industry-standard encryption technologies.

F.          SMI actively engages in data security controls for requesting, approving, revoking, and revalidating user access to systems and applications. Only personnel with clear business need will be provided access to systems and applications with personal data.

G.         SMI has a designated Network Systems and Security Director.

H.            Employees receive work instructions and guidelines regarding confidentiality and data protection as relevant for their job, to ensure compliant handling of personal data.

I.          Sub processors and service providers are carefully selected and are bound to SMI’s processing restrictions. Incidents are notified to SMI without undue delay.

4.             Technical Security Controls.

A.         SMI implements detection, prevention, and recovery controls to protect against malware, combined with appropriate user awareness.

B.         SMI regularly scans to detect technical vulnerabilities and apply appropriate mitigation actions to reduce the associate risk and exposure to such vulnerabilities.

C.         SMI regularly patches and updates, in a timely manner, systems and applications based on the severity of identified vulnerabilities.

D.         SMI monitors various information sources to ensure knowledge of and response to relevant threats.

E.         SMI networks are managed and controlled to protect information in systems and applications and segregates groups of information services, users, and information systems as appropriate. This includes separation of networks for processing, administration and supporting services in case of high protection requirements.

F.          SMI applies appropriate protections at the network edge, including stateful firewalls to filter attacks.

G.         SMI ensures information involved in electronic messaging will be appropriately protected.

H.         SMI information involved in consulting services passing over public networks is protected from fraudulent activity and unauthorized visibility to the extent commercially practical.

I.          SMI implements password controls designed to manage and control password strength and usage. Company prohibits users from sharing passwords and accounts.

J.          SMI ensures that all remote access to internal networks, systems and applications are protected by multi-factor authentication.

K.         SMI protects internal devices utilizing security controls including automated locking screen saver, antivirus software, firewall software, hard disk encryption and appropriate patch levels.

5.             Physical security.

A.         SMI ensures physical security perimeters are defined and used to protect areas that contain either sensitive or critical systems and information.

B.         SMI ensures secure areas are protected by appropriate entry controls to ensure that only authorized personnel, based on job role, are allowed access.

C.         SMI ensures that non-authorized personnel are logged and escorted in areas that contain either sensitive or critical systems and information.

D.         SMI ensures that secure areas containing sensitive or critical systems and information monitor for environmental hazards such as heat, fire, and water damage.

6.             Secure Software Development Lifecycle.

A.         SMI ensures principles, including such principles similar to Privacy by Design, for engineering secure systems are established, documented, maintained, and applied to any information system implementation efforts.

B.         SMI ensures testing of security functionality is carried out during development and that acceptance testing programs and related criteria are established for new information systems, upgrades, and new versions.

C.         SMI ensures test data is selected carefully, protected, and controlled.

D.         SMI ensures that changes to systems and applications undergo and appropriate change management procedure designed to test, approve, and monitor changes to the SMI environment.

7.             Logging and Monitoring.

A.         SMI maintains a central repository of security records and ensures collection of such records from all relevant information technology infrastructure. These logs will be maintained for a minimum of one year.

B.         SMI ensures all user access activities, including successful and failed logins, are maintained in the central repository.

C.         SMI ensures information security logs are actively monitored and events are reported through appropriate management channels as quickly as possible and will ensure information security incidents are responded to in accordance with the documented procedures.

8.             Incident Response.

A.         SMI has an established, documented Information security event response program.  Events are with reported through appropriate management channels as quickly as possible.

B.         SMI ensures information security incidents, including privacy related incidents are responded to in accordance with the documented procedures and compliance requirements. SMI will follow documented incident response processes, including notification to the impacted parties without undue delay.

C.         SMI ensures the Incident Response process includes a detailed investigation to identify root cause of the event and to document and incorporate lessons learned.

9.             Disaster Recovery and Business Continuity.

A.         SMI determines its requirements for information security and the continuity of information security management in adverse situations, e.g., during a crisis or disaster.

B.         SMI will document and maintains procedures to maintain business continuity and recover from a disaster.

C.         SMI maintains a backup policy to define the organization’s requirements for backup of information, software, and systems.

 

LAST UPDATED: October 25, 2022