Security

Introduction

This DartPoints Security Policy (the “Policy”) defines acceptable security practices relating to the location by the customers (the “Customers” or “you”) of DartPoints Operating Company, LLC and all of its affiliates (including, but not limited to, direct or indirect subsidiaries and parents), owners, managers, members, directors, officers, employees and professional advisers (“DartPoints,” “we” or “our”) of their equipment (the “Customer Equipment”) at locations leased or owned by DartPoints (the “Customer Locations”) and the use by such Customers of the services provided by DartPoints to its Customers at such Customer Locations (the “Service”) and by users that have gained access to the Service through Customer accounts (the “Users”). By locating its Customer Equipment in the assigned Customer Location and by using the Service, you acknowledge that you and your Users are responsible for compliance with this Policy and that you will indemnify DartPoints against any claims arising from any violation of this Policy as specified in the Master Service Agreement executed by all Customers prior to the location of their respective Customer Equipment in the applicable Customer Location (the “Master Services Agreement”). Undefined capitalized terms used herein shall have the meanings respectively given to them in the Master Services Agreement.

System Access Control

Minimum Password Length

The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least eight (8) characters.

Passwords Require Change Periodically

Customer-chosen passwords will require changing at least every 90 days. Several warnings will be presented to the Customer to make the required change at least 1 week before the 90 days are up. If the user fails to make the required change within the 90 days, the user account will be de-activated.

Difficult-To-Guess Passwords Required

All Customer-chosen passwords for computers and networks must be difficult to guess. Words in a dictionary, derivatives of user-IDs, and common character sequences such as “123456” should not be employed. Likewise, personal details such as spouse’s name, automobile license plate, social security number, and birthday must not be used unless accompanied by additional unrelated characters. Customer-chosen passwords must also not be any part of speech. For example, proper names, geographical locations, common acronyms, and slang must not be employed.

Cyclical Passwords Prohibited

Customers are prohibited from constructing fixed passwords by combining a set of characters that do not change, with a set of characters that predictably change. In these prohibited passwords, characters which change are typically based on the month, a department, a project, or some other easily-guessed factor. For example, users must not employ passwords like “X34JAN” in January, “X34FEB” in February, etc.

Customer-Chosen Passwords Must Not Be Reused

Customers must not construct passwords that are identical or substantially similar to passwords that they had previously employed.

Passwords Never In Readable Form When Outside Workstations

Fixed passwords must never be in readable form outside a personal computer or workstation (e.g. sticky notes).

Password Guessing Lockout Requires Help Desk Password Reset

Each Customer that employs fixed passwords at log-on time will be given a limited number of attempts to enter a correct password. If a user has incorrectly entered a password three consecutive times, the linked Customer-ID will be deactivated until DartPoints staff authenticates the user’s identity and then resets the password.

Prevention Of Password Retrieval

Computer and communication systems must be designed, tested, and controlled so as to prevent both the retrieval of, and unauthorized use of stored passwords, whether the passwords appear in encrypted or unencrypted form.

Password Sharing Prohibition

Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. If a password is provided to a DartPoints IT support representative in order to help diagnose a specific user issue, that user should change their password immediately after the issue is resolved.

Customers Responsible For All Activities Involving Personal Customer-IDs

Customers are responsible for all activity performed with their personal Customer-IDs. Customer-IDs may not be utilized by anyone but the individuals to whom they have been issued. Customers must not allow others to perform any activity with their Customer-IDs. Similarly, Customers are forbidden from performing any activity with IDs belonging to other Customers.

Removal of User-ID for Termination or Job Change

Customers must notify DartPoints immediately upon termination or a job change of one of its personnel such that they will no longer require system access. Upon receipt of notification, DartPoints will immediately deactivate and remove the Customer-ID from the system.

DartPoints Password Management

All DartPoints-controlled passwords (e.g. server root passwords, network device passwords, client access passwords) will be stored encrypted and not be produced in printed format. Passwords will never be shared between DartPoints employees and/or Customers in clear text format. PGP is the general standard DartPoints uses to encrypt data and pass data securely between both employees and clients.

Desktop Lockout Settings

All Customers requiring desktop support services from DartPoints are requested to implement a desktop timeout feature (screen saver) with password control set to a minimum of 30 minutes. This policy is provided to reduce the possibility of authorized attempts made to the Customer’s specific desktop and connected networked infrastructure.

Privilege Control

Third Party Access To DartPoints Systems

Before any third party is given access to DartPoints computer systems, written agreement to abide by DartPoints Rules and Regulations must have been signed by a responsible manager at the third party organization.

Support For Special Privileged Type Of Users

All multi-user computer and network systems must support a special type of user-ID which has broadly-defined system privileges. This user-ID will in turn enable authorized individuals to change the security state of systems. The number of privileged user-IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.

Restriction Of Special System Privileges

Special system privileges, such as the ability to examine the files of other users, must be restricted to those directly responsible for system management and/or security. File access control permissions for all DartPoints computer systems must be set to a default which blocks access by unauthorized users. Beyond that which they need to do their jobs, computer operations, hardware and systems support staff must not be given access to, nor permitted to modify, production data, production programs, or the operating system.

Unbecoming Conduct And The Revocation Of Access Privileges

DartPoints reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of DartPoints information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted.

Termination Of User Processes Or Sessions And Removal Of User Files

DartPoints systems administration staff may alter the priority of, or terminate the execution of, any user process which it believes is consuming excessive system resources, significantly degrading system response time, or if this usage is deemed to be in violation of security policies.

Maintenance Of Master User-ID And Privilege Database

So that their privileges may be expediently revoked on short notice, records reflecting all the computer systems on which users have user-IDs must be kept up-to-date.

Monitoring and Logging

Inclusion Of Security Relevant Events In System Logs

Computer systems handling sensitive, valuable, or critical information should securely log all significant security relevant events. Examples of security relevant events include but are not limited to: password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.

Computer System Logs Must Support Audits

Logs of computer security relevant events must provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with security measures.

Intellectual Property Rights

Information As An Important DartPoints Asset

Accurate, timely, relevant, and properly protected information is absolutely essential to DartPoints and its Customers. To ensure that information is properly handled, all accesses to, uses of, and processing of DartPoints internal or Customer information must be consistent with DartPoints information systems related policies and standards.

Tools Used To Break Systems Security Prohibited

Unless specifically authorized by DartPoints, no person shall use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include but are not limited to those that defeat software copy protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files.

Valid Client Software Licenses

DartPoints staff are not permitted to install client software without valid software licensing provided by the client.

Data Privacy and Confidentiality

Notification Of Suspected Loss Or Disclosure Of Sensitive Information

If sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the owner of such information and DartPoints Management should be notified immediately.

Data Integrity

Right To Remove (Offensive) Material Without Warning

DartPoints Management retains the right to remove from its information systems any material it views as (offensive) or potentially illegal.

No Responsibility For Monitoring Content Of Information Systems

DartPoints Management reserves the right to remove any message, file, database, graphic, or other material from its information systems. At the same time, DartPoints Management has no obligation to monitor the information content resident on or flowing through its information systems.

Establishment Of Access Paths And Systems

Security Requirements For Network-Connected Third Party Systems

As a condition of gaining access to the DartPoints computer network, every third party must secure its own connected systems in a manner consistent with DartPoints requirements. DartPoints reserves the right to audit the security measures in effect on these connected systems. DartPoints also reserves the right to immediately terminate network connections with any third party systems not meeting such requirements.

Standards Of Common Carriers Do Not Apply

The networking services provided by DartPoints are provided on a contractual carrier basis, not on a common carrier basis. As the operator of a private network, DartPoints has a right to make policies regarding the use of its network systems without being held to the standards of common carriers.

Encryption

Standard Encryption Algorithm & Implementation

If encryption is used, government-approved standard algorithms (such as the Data Encryption Standard or AES) and standard implementations (such as cipher-block chaining) must be employed.

Disclosure Of Encryption Keys Requires Special Approval

Encryption keys are a most sensitive type of information, and access to such keys must be strictly limited to those who have a need-to-know. Unless the approval of DartPoints is obtained, encryption keys must not be revealed to consultants, contractors, or other third parties.

Time Period For Protection Of Encryption Keys Used For Confidentiality

The secrecy of any encryption key used for confidentiality purposes (e.g., for data encryption or as a seed to an access control system) must be maintained until all of the protected information is no longer considered confidential.

Never Automatically Backup Private Key Used for Digital Certificates

Users must not allow automatic backup systems to make a copy of the readable version of their private key used for digital signatures and digital certificates. Automatic backups could allow unauthorized transactions to be generated in the involved users’ names. These backups are prevented by keeping private keys in smart cards or otherwise in encrypted form.

Prevention Of Unauthorized Disclosure Of Encryption Keys

Encryption keys must be prevented from unauthorized disclosure via technical controls such as encryption under a separate key and use of tamper-resistant hardware.

Explicit Assignment Of Encryption Key Management Functions

Whenever encryption is used to protect sensitive data, the relevant owner(s) of the data must explicitly assign responsibility for encryption key management.

Internet and Remote Dial Up Connections

Digital Certificate For All DartPoints Internet Web And Commerce Sites

A current digital certificate is recommended for both DartPoints and client Internet servers handling confidential information.

Administrative Security

Required Reporting of Information Security Incidents

All suspected Information Security incidents must be reported immediately to DartPoints Management.

Centralized Reporting Of Information Security Problems

Information Security is the inability of unauthorized third parties to access any documents, data or other information stored or otherwise normally available to authorized parties on the DartPoints network or any DartPoints infrastructure components. All known vulnerabilities – in addition to all suspected or known violations – must be communicated in an expeditious and confidential manner to DartPoints Management. Unauthorized disclosures of DartPoints information must additionally be reported to the involved information owners. Reporting security violations, problems, or vulnerabilities to any party outside DartPoints (except external auditors) without the prior written approval of the DartPoints Legal Department is strictly prohibited. No external reporting of any Information Security violation or problem may occur without consent of DartPoints Management.

Required Investigation Following Computer Crimes

Whenever evidence clearly shows that DartPoints has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that DartPoints Management can take steps to ensure that: (1) such incidents will not be likely to take place again, and (2) effective security measures have been reestablished.

Information Ownership And Management’s Responsibilities

All production information possessed by or used by a particular client must have a designated owner. Owners must determine appropriate sensitivity classifications as well as criticality ratings. Owners must also make decisions about who will be permitted to access the information, and the uses to which this information will be put. Owners must additionally take steps to ensure that appropriate controls are utilized in the storage, handling, distribution, and regular usage of information. Designated owner lists are to be provided to DartPoints Management and reviewed no less than annually.

Outsourcing and Third Party Contracts

Agreements With Third Parties Which Handle DartPoints Information

All agreements dealing with the handling of DartPoints information by third parties where the third party has direct access to DartPoints information must include a special clause. This clause must allow DartPoints to audit the controls used for these information-handling activities, and to specify the ways in which DartPoints information will be protected.

Termination Of Outsourcing Contracts For Security Violations

All information-systems-related outsourcing contracts must be reviewed and approved by DartPoints Management. It is DartPoints Management’s responsibility to make sure that these contracts sufficiently define information security responsibilities, as well as how to respond to a variety of potential security problems. It is also DartPoints Management’s responsibility to make sure that all such contracts allow DartPoints Management to terminate the contract for cause if it can be shown that the outsourcing firm does not abide by the information security terms of the contract.