Privacy and Information Security Audit and Oversight Policy

Purpose

This document establishes the corporate policy and standards for audit and oversight of company activities to ensure information and data remain secure at Ury & Moskow, L.L.C.

Policy

Privacy and information security procedures at Ury & Moskow, L.L.C. must be reviewed annually or as needed based on prevailing business conditions to prevent the improper use and/or disclosure of confidential information. Information security issues include, but are not limited to:

  • Evaluating current risk assessment, management, and control activities
  • Addressing service provider arrangement concerns
  • Addressing known security breaches, violations, or other concerns
  • Analyzing summary results of security testing procedures
  • Providing recommendations for program modifications or enhancements

Risk Assessment

The Managing Member continually monitors and evaluates confidential corporate and customer data to account for business process changes, technology changes, emerging vulnerabilities and threats, and other relevant factors that may impact the security or integrity of this information. These assessments are designed to:

  • Identify technical and business process vulnerabilities
  • Determine the effectiveness of existing company policies and procedures

Additionally, the Managing Member maintains a risk assessment system comprised of various anticipated risk factors, weighted with their forecasted probability, resulting in a calculated risk value for a variety of technology systems, business processes, and data sources. The risk assessment system is reviewed and updated on a quarterly basis.

Oversight

To ensure that due diligence is exercised in selecting Service Providers, the Managing Member verifies that:

  • All agreements with third-party service providers:
    • Are reviewed by legal counsel
    • Include provisions for safeguarding Ury & Moskow, L.L.C. company and customer information
  • All service provider contracts include a corporate confidentiality agreement
  • Service providers provide proof that they have met the requirements of the Gramm-Leach-Bliley Act, when appropriate
    Note: Acceptable forms of proof are service provider audit reports, Service Organization Control (SOC) reports, or compliance tests performed by Ury & Moskow, L.L.C.


Monitoring

Ury & Moskow, L.L.C. will monitor its systems and applications to reasonably ensure that safeguards are being followed and to quickly detect and correct breakdowns in security. An appropriate level of monitoring will be based on the potential impact and probability of the risks identified, as well as the sensitivity of the information provided. Monitoring will include:

  • Sampling
  • Performing system checks
  • Reviewing system access reports
  • Reviewing logs
  • Conducting audits
  • Performing any other reasonable measures to adequately verify that information security controls, systems, and procedures are working

Auditing

Ury & Moskow, L.L.C. will periodically conduct audits of:

  • Activity logs
  • Performance data
  • Unauthorized access
  • Viruses and other malicious code
  • Any other indicators of integrity loss

Ury & Moskow, L.L.C. and its third-party contractors shall cooperate with and avail themselves of any central services providing support for and/or review of these activities, as well as perform more sophisticated procedures such as penetration testing and real-time intrusion detection.

Network Probing

Because the loss of integrity of any device or server on a network provides a platform for launching attacks on the integrity of the entire network, Impact Business Technology, LLC will periodically probe the Ury & Moskow, L.L.C. network and network servers for vulnerabilities using software tools designed for this purpose.

Violation of Policy

Failure to adhere to all requirements stipulated in this policy and all related documents may result in disciplinary actions, up to and including:

  • Immediate removal of any applicable hardware/software/access to the Ury & Moskow, L.L.C. computer network or business systems
  • Formally reporting the incident to Ury & Moskow, L.L.C.'s senior management
  • Termination of employment
  • Any other action deemed necessary by Ury & Moskow, L.L.C.'s senior management

Review

Ury & Moskow, L.L.C. has voluntarily adopted this policy for its sole and exclusive use. This policy and all related documents will be reviewed annually or as needed based on prevailing business conditions.

Approved

Frederic S. Ury, Managing Member

Neal L. Moskow, Managing Member

Revision History

Version Number | Revised Date | Effective Date | Approved By | Brief Change Summary