EBM INFOSEC STANDARD POLICY

Date: 07/21/2023

EBM shall conduct its own audits pertaining to the Subscription Services. EBM will perform a security audit at least annually and will cause an SSAE 16 SOC 1 Type II audit (or equivalent audit) (“SSAE 16 Audit”) to be conducted periodically for each shared services facility at or from which the Subscription Services are provided or performed. Such security practices shall include:

(i) continuous monitoring for Security Threats and Security Incidents; (ii) use of firewalls and real-time intrusion detection systems, encryption and other secure technologies to collect, store and/or transmit Customer Data; (iii) physical security procedures, including security guards, and regular monitoring of all areas in which Customer Data is stored; (iv) restriction on access to and copying of Customer Data on a “need-to-know” basis and only at authorized locations; and (v) regular monitoring of password procedures used to gain access to Customer Data.

The data center containing the Customer Data shall have the following physical and electronic security requirements: (i) main access monitored, with additional access for emergency purposes only; (ii) surveillance cameras in the facility; (iii) access validation with identity check; (iv) electronic log-in validation; (v) creation of accounts only as verified by EBM or the sub-contracted hosting provider; (vi) access to servers via encrypted means; and (vii) servers running behind a secure firewall.

EBM will take reasonable technical and organizational measures to keep personal data secure and to protect it against accidental loss or unlawful destruction, alteration, disclosure or access; and will process Customer Data only in accordance with Customer’s instructions, provided they are reasonable and lawful. EBM shall maintain and implement, or cause to be maintained and implemented, a commercially reasonable written disaster avoidance and recovery plan with procedures designed to reasonably safeguard and to recover after a disaster event. In the event of any unplanned interruption in the availability of the Subscription Services or any loss or corruption of any Customer Data (each, a “Disaster Event”), EBM shall restore availability of the Subscription Services and Customer Data within a reasonable amount of time. EBM shall perform disaster recovery testing at least once every calendar year and provide to Customer copies of such test results upon written request.

EBM System and Data Security Guidelines:

1. Information Security Management System:

a. EBM’s information technology security policy has been developed, documented, and approved. The policy includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security policy addresses the following areas:

  • Risk management
  • Security policy
  • Human Resources Security
  • Asset management
  • Access Control
  • Physical and environmental security
  • Operations Security
  • Communications Security
  • Information systems acquisition, development, and maintenance
  • Information Security Incident Management
  • Business Continuity
  • Compliance

b. EBM Management reviews the IT security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy. Roles and responsibilities of contractors, employees and third-party users are documented as they relate to information assets. Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.

2. Data Governance:
Risk assessments associated with data governance requirements are conducted at least annually at EBM and also consider the following:

a. Awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure.

b. Compliance with defined retention periods and end-of-life disposal requirements.

c. Data protection from unauthorized use, access, loss, destruction, and falsification.

d. Data retention and storage procedures are established, and backup or redundancy mechanisms are implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups is performed at least annually.

e. Documented procedures are in place for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

f. Mechanisms are in place to ensure data is not replicated or used in non-production environments.

3. Auditing and Monitoring:

a. Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events are maintained and retained in compliance with applicable policies and regulations.

b. Audit logs are reviewed, and network intrusion detection (IDS) tools are implemented, to facilitate timely detection of incidents, investigation by root cause analysis, and response.

c. Physical and logical user access to audit logs is restricted to authorized personnel.

d. Access to, and use of, audit tools that interact with the organization’s information systems is appropriately segmented and restricted to prevent compromise and misuse of log data.

4. Physical Security:

a. Policies, practices or procedures for physical security exist for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas, along with the data center.

b. Procedures governing asset management are established for secure repurposing of equipment and resources prior to tenant re-assignment.

c. Physical access to information assets and functions by users and support personnel is restricted to authorized personnel only.

d. Physical security perimeters at the data center (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) are implemented to safeguard sensitive data and information systems.

e. A complete inventory of critical assets is maintained.

5. Human Resources Security:

a. Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers contractually agree and sign the terms and conditions of their employment or service contract.

b. Users are made aware of their responsibilities for:

  • Maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements.
  • Maintaining a safe and secure working environment.
  • Leaving unattended equipment in a secure manner.

c. Procedures to govern employee termination and discipline are in place to ensure privileges are revoked in a timely and comprehensive manner.

6. Access Control:

a. Timely de-provisioning, revocation or modification of user access to the organization’s systems, information assets and data is implemented upon any change in status of employees, contractors, or third parties. A change in status includes termination of employment, contract or agreement, change of employment, or transfer within the EBM organization.

b. Procedures are in place for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, and compliance requirements.

c. Access to application, program or object source code is restricted to authorized personnel on a need-to-know basis.

d. Access is role based and must meet segregation of duties requirements.

7. Incident Management:

a. An incident management procedure is defined and documented that facilitates the triage of security-related events and ensures timely and thorough incident management.

b. Contractors, employees and third-party users are made aware of their responsibility to report all information security events in a timely manner.

c. Information security events are reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.

d. In the event an information security incident requires legal action, proper forensic procedures exist for the collection, retention, and presentation of evidence to support that action.

8. Technical Security:

a. User access to diagnostic and configuration ports is restricted to authorized individuals and applications.

b. Procedures are defined for vulnerability and patch management to ensure that application and system device vulnerabilities are evaluated and vendor-supplied security patches are applied in a timely manner, first in a lower environment and then in production.

c. Utility programs and privileged management accounts capable of potentially overriding system, object, network, virtual machine and application controls are restricted.

d. Antivirus mechanisms capable of detecting, removing, and protecting against all known types of malicious or unauthorized software are in place on all EBM workstations with antivirus signatures updated at least every 24 hours.

e. Access to sensitive data from portable and mobile devices, such as laptops, tablets and cell phones is controlled and restricted.

9. Risk Management:

a. Formal risk assessments are performed at least annually for both EBM and third parties, and may also occur at planned intervals, determining the likelihood and impact of all identified risks.

b. Risks are mitigated to an acceptable level. Acceptance levels based on risk criteria are established and documented in accordance with reasonable resolution time frames and executive approval.

c. Risk assessment results include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.

10. System Development and Maintenance:

a. Applications are designed in accordance with industry accepted security standards (e.g.: OWASP for web applications) and comply with applicable regulatory and business requirements.

b. Development, testing, and operational facilities are separated to reduce the risks of unauthorized access or changes to the operational system.

c. Changes to the production environment are documented, tested in a lower environment, and approved prior to implementation. Production software and hardware changes may include applications, releases, systems, databases and devices requiring patches, service packs, and other updates and modifications.

d. EBM has software in place for systematic monitoring and evaluation to ensure that quality standards are being met for the EBM application. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions are established and documented, and tests of the system(s) are carried out both during development and prior to acceptance to maintain security.

11. Security Architecture:

a. Processes are in place to implement and enforce user credential and password controls for applications, databases, and server and network infrastructure at EBM, requiring the following minimum standards:

  • User identity verification prior to password resets.
  • Timely access revocation for terminated users.
  • Remove/disable inactive user accounts at least every 90 days.
  • Unique user IDs; group, shared, or generic accounts and passwords are disallowed.
  • Strong passwords containing both numeric and alphabetic characters.
  • User ID lockout after not more than three (3) attempts.
  • Password re-entry to reactivate a terminal after a session has been idle for more than 15 minutes.
  • Maintain user activity logs for privileged access or access to sensitive data.
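The minimum standards above can be checked mechanically. The following is an added example, not EBM’s own tooling: it evaluates constructed account records and authentication settings against the thresholds stated in this section (90-day inactivity, lockout after three attempts, 15-minute idle timeout, alphanumeric passwords, no shared accounts, activity logging for privileged access). The record layout, field names and sample data are assumptions made for illustration.

```python
"""Policy-as-code check for the credential controls in section 11a.

Added example (not EBM's code).  Account fields, settings names and all
sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Thresholds taken from the policy text.
MAX_INACTIVE_DAYS = 90      # inactive accounts removed/disabled at least every 90 days
MAX_FAILED_ATTEMPTS = 3     # user ID lockout after not more than three attempts
MAX_IDLE_MINUTES = 15       # password re-entry after more than 15 minutes idle


@dataclass
class AuthSettings:
    lockout_threshold: int      # failed logins permitted before lockout
    idle_timeout_minutes: int   # session idle time before re-authentication


@dataclass
class Account:
    user_id: str
    owner: str                  # empty when no individual is accountable (shared/generic)
    last_login: date
    enabled: bool
    privileged: bool
    activity_logged: bool       # account activity is captured in audit logs


def strong_password(pw: str) -> bool:
    """Policy minimum: both numeric and alphabetic characters present."""
    return any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def check_settings(s: AuthSettings) -> List[str]:
    """Return findings for lockout and idle-timeout settings that exceed the policy."""
    findings = []
    if s.lockout_threshold > MAX_FAILED_ATTEMPTS:
        findings.append(f"lockout threshold {s.lockout_threshold} exceeds {MAX_FAILED_ATTEMPTS}")
    if s.idle_timeout_minutes > MAX_IDLE_MINUTES:
        findings.append(f"idle timeout {s.idle_timeout_minutes} min exceeds {MAX_IDLE_MINUTES}")
    return findings


def check_accounts(accounts: List[Account], today: date) -> List[str]:
    """Return one finding per account attribute that violates the policy."""
    findings = []
    for a in accounts:
        idle_days = (today - a.last_login).days
        if a.enabled and idle_days > MAX_INACTIVE_DAYS:
            findings.append(f"{a.user_id}: inactive {idle_days} days, should be disabled")
        if not a.owner:
            findings.append(f"{a.user_id}: shared/generic account with no individual owner")
        if a.privileged and not a.activity_logged:
            findings.append(f"{a.user_id}: privileged access without activity logging")
    return findings


# Constructed sample data (assumption, not real EBM records).
TODAY = date(2023, 7, 21)
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice Example", date(2023, 7, 1), True, True, True),
    Account("svc-shared", "", date(2023, 7, 20), True, False, True),      # no owner
    Account("bob", "Bob Example", date(2023, 3, 1), True, False, True),   # 142 days idle
    Account("carol", "Carol Example", date(2023, 7, 15), True, True, False),  # not logged
]
WEAK_SETTINGS = AuthSettings(lockout_threshold=10, idle_timeout_minutes=30)
COMPLIANT_SETTINGS = AuthSettings(lockout_threshold=3, idle_timeout_minutes=15)

if __name__ == "__main__":
    for line in check_settings(WEAK_SETTINGS) + check_accounts(SAMPLE_ACCOUNTS, TODAY):
        print("FINDING:", line)
```

Run against the weak settings and sample accounts, the script reports two settings findings and three account findings; the compliant settings produce none. In practice the account list would be exported from the directory or application user store and the check scheduled to run within the 90-day review window.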

b. Remote users with administrative privileges must authenticate with strong two-step authentication mechanisms before being allowed access to any information processing facilities.

c. Network environments are designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure.

d. System and network environments are separated by firewalls to ensure the following requirements are adhered to:

  • Business and customer requirements.
  • Security requirements.
  • Compliance with legislative, regulatory, and contractual requirements.
  • Separation of production and non-production environments.
  • Preserve protection and isolation of sensitive data.

e. Policies and procedures are established, and mechanisms implemented to protect wireless network environments, including the following:

  • Perimeter firewalls implemented and configured to restrict unauthorized traffic.
  • Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
  • The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network.