Articles on: For Notaries

Security Program Management Policy

Information Security Program

Management Policy

BlueNotary Information Security

Program Management

Policy

Document Owner

Effective Date Version 1.0 Document Approver

01 Overview and Scope

01.01 Overview

In accordance with mandated organizational security requirements set forth and approved by

management, BlueNotary has established a formal Information Security Program Management

Policy and Procedures. This comprehensive Policy is implemented immediately along with all

relevant and applicable procedures.

The Policy Owner owns this Policy and is responsible for reviewing the Policy on an annual

basis and following any major changes to BlueNotary’s sensitive data environment to ensure

that it continues to meet its organizational goals. The Policy Owner is also responsible for

ensuring that the Information Security Program Management Procedure is reviewed and

updated on an annual basis and following any major changes.

01.02 Purpose

This Policy and supporting Procedures are designed to provide BlueNotary with a formalized

information security policy to comply with various regulatory and business

requirements. Additionally, this Policy serves as the organization’s primary, enterprise-wide

information security manual. Compliance with the stated Policy and supporting procedures

helps ensure the safety and security of all BlueNotary’s system components within the sensitive

data environment as well as any other environments deemed applicable.

01.03 Scope

This Policy and supporting Procedures cover all system components within the sensitive data

environment owned, operated, maintained, and controlled by BlueNotary. This Policy and

supporting Procedures cover all other system components (both internally and externally) that

interact with these systems and all other relevant systems:

● Internal system components are those owned, operated, maintained, and controlled by

BlueNotary, including all network devices (firewalls, routers, switches, load balancers,

other network devices), servers (both physical and virtual servers, along with the

operating systems and applications residing on them), as well as any other system

components deemed in scope; and

● External system components are those owned, operated, maintained, and controlled by

any entity other than BlueNotary. These external systems may impact the confidentiality,

integrity, and availability (CIA) and the overall security of the sensitive data environment,

along with any other environments deemed applicable.

●

Please note when referencing the terms "system component(s)" or “system resource(s)” that

they imply the following: Any network component, server, or application included in or

connected to the sensitive data environment, or any other relevant environment deemed inscope

for purposes of information security.

This Policy and supporting Procedures cover all employees, interns, volunteers, and

contractors. (All of these individuals will be referred to as “Employees” throughout this Policy

and these Procedures unless otherwise noted. Both Policy and Procedures will be made

available to Employees, who will be required to sign an acknowledgement that they have read

this Policy and these Procedures and agree to abide by them.

01.04 Monitoring and Enforcement

BlueNotary periodically monitors adherence to this Policy to help ensure compliance with

applicable laws, requirements, and contractual agreements applying to client and consumer

data.

Penalties for failing to comply with BlueNotary’s policies and procedures could lead to

disciplinary and/or enforcement actions against individuals and lead to sanctions brought

against BlueNotary. Depending on the seriousness of the offense, enforcement actions could

include civil and/or criminal charges brought against violators.

01.05 Management Commitment

BlueNotary’s management is committed to and takes responsibility for implementing

appropriate technical and organizational safeguards to ensure the protection of sensitive

information (including personally identifiable information). BlueNotary is also committed to

demonstrating that any processing of sensitive information (including personally identifiable

information) is in compliance with all applicable regulations. Implemented measures will be

reviewed and updated as necessary.

01.06 Roles and Responsibilities

Management

Management will demonstrate commitment to and leadership over BlueNotary’s security and

privacy management systems by ensuring the following:

● Establishment of security and privacy policies and objectives in alignment with

BlueNotary’s strategic direction;

● Integration of security and privacy requirements into BlueNotary’s processes;

● Availability of security and privacy resources;

● Communication of security and privacy importance to employees, third parties, and both

internal and external stakeholders as well as conformity to security and privacy

requirements;

● Achievement of the intended outcomes of the security and privacy programs;

● Contribution of firect and support personnel to the effectiveness of the security and

privacy programs;

● Continual improvement of the security and privacy programs;

● Support for other management roles in demonstrating leadership applied to their areas

of responsibilities;

● Assignment and communication of responsibilities and authorities for the security and

privacy programs as well as ensurance that the programs conform to regulatory or

contractual requirements with reports of performance provided to management; and

● Establishment of adequate monitoring and enforcement of policies and procedures.

Privileged Users

Privileged users are employees with elevated access to systems (such as system

administrators) or individuals with assigned roles and responsibilities related to security and

privacy. Privileged users are required to abide by and understand their assigned responsibilities

related to their elevated access rights along with their limitations in using these privileges.

Privileged users must understand their obligations and liabilities in utilizing their privileges and

ensure that they abide by separation of duties related to security and privacy activities.

Employees

Employees are responsible for abiding by and understanding all BlueNotary’s policies and

procedures related to security and privacy. Employees are required to sign an

acknowledgement that they have read and will abide by these policies and procedures.

Employees will be subject to disciplinary actions, up to and including termination, for failing to

abide by these policies and procedures.

Responsibilities include adhering to the organization’s information security policies, procedures,

and practices, and not undertaking any measure to alter such standards on any such

BlueNotary system components. Additionally, end-users are to report instances of noncompliance

– specifically those by other users – to senior authorities=. End users – while

undertaking day-to-day operations – may also notice issues impeding the safety and security of

BlueNotary system components and are to also report such instances immediately to senior

authorities.

Third Parties

Third parties such as external service providers are responsible for abiding by BlueNotary’s

policies and procedures related to security and privacy. Third parties must sign agreements with

BlueNotary concerning their responsibilities for implementing safeguards to protect the security

and privacy of data provided by BlueNotary. Third parties failing to abide by these security and

privacy requirements may be subject to legal actions, including the termination of contracts for

services.

Responsibilities for such individuals and organizations are much like those stated for end-users:

adherence to BlueNotary’s information security policies, procedures, and practices, and not

undertaking any measure to alter such standards on any such system components.

Chief Technology Officer (CTO)

Responsibilities include providing overall direction, guidance, leadership, and support for the

entire information systems environment while also assisting other applicable personnel in their

day-to-day operations. The CTO reports to other members of senior management regularly

regarding all aspects of the organization’s information systems posture.

Chief Information Security Officer (CISO)

The CISO is the designated security official with the mission and resources to coordinate,

develop, implement, and maintain an organization-wide information security program. The CISO

is responsible for the policies, procedures, and security controls required to comply with

regulatory as well as contractual requirements. The CISO will assist the CTO in the overall

direction of the information system environment while also assisting other applicable personnel

in their day-to-day operations. This role requires extensive identification of industry regulations,

benchmarks, standards, and frameworks effectively utilized by the organization for provisioning,

hardening, securing, and locking-down critical system components. Subsequent to the

researching of such standards, the CISO oversees the establishment of a series of baseline

configuration standards to include, but not limited to, the following system components: network

devices, operating systems, applications, internally developed software and systems, and other

relevant hardware and software platforms. Because baseline configurations will change, the

CISO will update the applicable configurations as well as document all modifications and

enhancements as required. The CISO chairs the Security Committee made up of senior

management members and directly reports to the Chief Executive Officer (CEO).

Risk and Compliance Officer

The CEO, or, if applicable, the Board of Directors, will appoint the Risk and Compliance Officer

from the senior management staff of BlueNotary. The Risk and Compliance Officer will report

directly to the CEO, or the Board of Directors, and will carry the responsibilities for reporting

directly to the Executive Committee at least twice a year. The Risk and Compliance Officer’s

primary responsibilities include, but are not limited to:

● Performance, monitoring, and the implementation of the risk and compliance program;

● Reporting at least twice a year to the organization’s Risk Committee and Executive

Committee on implementation progress, and assisting governing authorities to establish

mechanisms to improve the company’s efficiency and quality of services and to reduce

potential vulnerability to fraud, abuse, and waste;

● Revising the program, at least annually based on newly published changes in

governmental guidance and the needs of the organization and in the law and policies

and procedures of government and clients;

● Developing and participating in educational and training programs focusing on the

elements of the compliance program and ensuring all appropriate employees and

management personnel are knowledgeable about, and comply with, pertinent federal

and state standards;

● Ensuring independent contractors and agents who furnish services for the company are

aware of the requirements of the Policy with respect to affected operations;

● Coordinating personnel issues with the Chief Operations Officer (COO), manager, and

human resources department to ensure that proper references have been checked with

respect to all employees, staff, and independent contractors;

● Assisting the COO and management in coordinating internal compliance reviews and

monitoring activities, including quarterly reviews of departments;

● Independently investigating and acting on matters related to compliance, including the

flexibility to design and coordinate internal investigations (e.g., responding to reports of

problems or suspected violations) and any resulting corrective action with all

departments and, if appropriate, independent contractors; and

● Developing policies, procedures, and programs encouraging managers and employees

to report suspected fraud and other improprieties without fear of retaliation by

management.

The Risk and Compliance Officer has the authority and the obligation to review any and all

documents and other information relevant and applicable to compliance activities, including, but

not limited to, customer records, client records, records concerning the marketing efforts of the

company, and the company’s arrangements with other parties, including employees,

independent contractors, suppliers, and agents. This Policy provides for the Risk and

Compliance Officer to review contracts and obligations (seeking the advice of legal counsel,

where appropriate) containing payment issues that could violate relevant statutes as well as

other legal or regulatory requirements.

Systems Administrator

Responsibilities include implementing the baseline configuration standards for all in-scope

system components. This requires obtaining a current and accurate asset inventory of all

systems, assessing their initial posture with the stated baseline, and implementing the

necessary configurations. Because of the complexities and depth often involved with these

activities, numerous personnel designated as Systems Administrators are often engaged in

assigned system administration tasks.

These individuals are responsible for monitoring compliance with the stated baseline

configuration standards, reporting to senior management all instances of non-compliance, and

reporting efforts undertaken to correct any identified issues. Because these individuals

undertake the majority of the operational and technical procedures for the organization, it is

critical to highlight other relevant duties, such as the following:

● Assessing and analyzing baseline configuration standards to ensure they meet the intent

and necessary rigor for the overall safety and security (both logically and physically) of

critical system components;

● Ensuring the asset inventory for all in-scope system components is kept current and

accurate;

● Ensuring network topology documents are kept current and accurate;

● Facilitating requests for validation of baseline configurations for purposes of regulatory

compliance assessments and audits (e.g., SOC-2 compliance, PCI compliance, SSAE

16 reporting, HIPAA, FISMA, GLBA); and

● Ensuring continuous training and certification accreditation for purposes of maintaining

an acceptable level of information security expertise necessary for configuration

management.

Additional duties of Systems Administrators include the following:

● Establishing a network environment by designing system configuration; directing system

installation; and defining, documenting, and enforcing system standards;

● Optimizing network performance by monitoring performance, troubleshooting network

problems and outages, scheduling upgrades, and collaborating with network architects

on network optimization;

● Updating job knowledge by participating in educational opportunities, reading

professional publications, maintaining personal networks, and participating in

professional organizations;

● Securing network systems by establishing and enforcing policies and defining and

monitoring access; and

● Reporting network operational status by gathering and prioritizing information and

managing projects.

Software Developers

Responsibilities include developing secure systems by implementing the required baseline

configuration standards into all systems and software development lifecycle (SDLC) activities.

Coding for security, not functionality, is a core approach to which all software developers are to

adhere. They are responsible for identifying any other necessary baseline configuration

standards when warranted. Ultimately, this requires removing, disabling, and not implementing

insecure services, protocols, or ports for purposes of ease-of-use, which could ultimately

compromise the applicable systems being developed. Software Developers are responsible for

following a structured project management framework utilizing a documented SDLC process

complete with well-defined change management policies, processes, and procedures.

Moreover, these personnel are to support and coordinate all required requests for validation of

the baseline configurations being developed within their systems for purposes of regulatory

compliance and/or internal audit assessments.

Additional duties of Software Developers include the following:

● Developing software solutions by studying information needs; conferring with users;

studying systems flow, data usage, and work processes; investigating problem areas;

and following the software development lifecycle;

● Determining operational feasibility by evaluating analyses, problem definitions,

requirements, solution development, and proposed solutions;

● Maintaining adequate documentation via flowcharts, layouts, diagrams, charts, code

comments, and clear code;

● Preparing and installing solutions by effectively designing system specifications,

standards, and programming;

● Improving operations by conducting systems analyses and recommending changes in

policies and procedures; and

● Obtaining and licensing software from vendors.

Change Management Personnel

Responsibilities include reviewing, approving, and/or denying all changes to critical system

components and specifically for purposes of any changes to the various baseline configuration

standards. While changes are often associated with user functionality, many times issues of

vulnerability, patch, and configuration management are brought to light with change requests. In

such cases, authorized change management personnel are to extensively analyze and assess

these issues to ensure the safety and security of organization-wide system components.

02 Information Security Program and Leadership

Role: PM-02

BlueNotary’s management will appoint a senior information security official with the mission and

resources to coordinate, develop, implement, and maintain an information security program.

Management will also establish defined roles and responsibilities to oversee the implementation

of the security and control environment. To support this effort, BlueNotary will ensure that the

organizational chart is documented and defines the organizational structure and reporting lines.

BlueNotary will also ensure that the organizational chart is updated on an annual basis.

03 Measures of Performance: PM-06

BlueNotary will develop, monitor, and report on the results of information security and privacy

measures. Managers are required to complete performance appraisals for direct reports at least

annually.

04 Enterprise Architecture: PM-07

BlueNotary will develop and maintain an enterprise architecture with consideration for

information security, privacy, and the resulting risk to organizational operations. To achieve this,

the organization will ensure that the enterprise architecture meets the minimum requirements:

● Maintains current network diagrams and data flow diagrams of the enterprise

architecture and related functions and services offered by the organization;

● Keeps up to date network diagrams that are reviewed at least annually ;

● Keeps up to date data flow diagrams that are reviewed at least annually ; and

● When needed, describes, documents, and communicates the service environment and

boundaries to both internal and external authorized users.

05 Risk Management Program and Leadership:

PM-09

BlueNotary will establish and document a Risk Management Program that:

● Manages security risk to organizational operations and assets, individuals, other

organizations, and the nation associated with the operation and use of organizational

systems;

● Manages privacy risk to individuals resulting from the authorized processing of

personally identifiable information;

● Implements the risk management strategy consistently across the organization;

● Reviews and update the Risk Management Program annually or as required to address

organizational changes;

● Provides guidance on the identification of potential threats, ratings of the significance of

the risks associated with the identified threats, and mitigation strategies for those risks;

● Establishes a Risk Committee with oversight responsibilities for internal controls;

● Ensures that the Risk Committee includes directors who are independent of the internal

control function;

● Ensures that the Risk Committee meets on a monthly basis and maintains formal

meeting minutes; and

● Assigns a senior official accountable for the company's risk management.