Information Security Guidelines

These Information Security Guidelines set forth the security controls that Firstup, Inc. and its affiliates (including Dynamic Signal, Inc.) (“Firstup”) agree to maintain.

1. Vendor Management.

Firstup requires that its agreements with its contractors, subcontractors, sub-processors, and other parties who have access to, store, process, or transmit Client data contain industry standard security requirements commensurate with the risk posed. For example, Firstup:

• maintains a documented third party risk management program based upon industry standards and conduct assessments of contractors, subcontractors, or sub-processors upon initial onboarding and at minimum annually thereafter.
• contractually requires that its and its clients’ non-public information is kept confidential.
• contractually requires subcontractors to maintain adequate safeguards commensurate with the risk profile that are at least equivalent to the safeguards that Firstup implements.

2. Information Security Management.

Firstup has implemented and will maintain an appropriate information security management system (“ISMS”) that:

• includes policies and procedures designed to ensure the confidentiality, integrity, and availability of Firstup and Client data.
• aligns with globally recognized standards, such as ISO 27001 or NIST CyberSecurity Framework.
• will be reviewed and update, as necessary, at least annually to ensure policies address current threats and remain consistent with the standards upon which it is built.
• will include annual cybersecurity awareness training for Firstup personnel.
• will designate an individual responsible for information security and have defined information security roles and responsibilities – to include the development, implementation, and ongoing maintenance of its ISMS.

3. Asset Management.

Firstup will maintain an asset lifecycle management program that includes accurate lifecycle status of all assets, the identification and mitigation of assets not in compliance with the policy, including:

• regularly and periodically review a current inventory of all hardware and software used to process Confidential Information to ensure compliance with policies.
• maintain documentation and other records of baseline system and security configurations, including configuration changes for all hardware, software, and virtual system components.
• maintain a technology asset provisioning and disposal program that includes only procuring appropriately sourced technology assets and disposing of/removing/deleting all technology assets in an industry standard secure manner when they reach end of life.
• ensure technology assets are transported in a secure manner.
• ensure installation of anti-malware programs that include up-to-date definitions and protection mechanisms designed to detect and/or prevent malware and other threats. They will be configured to perform real-time or scheduled scans of systems, and alert when malware is discovered.
• apply patches according to an industry standard vulnerability risk program.

4. Business Continuity / Disaster Recovery.

Firstup maintains formal, comprehensive business continuity (“BC”) and disaster recovery (“DR”) plans, policies, and procedures designed to ensure contractual obligations can be met. The BC and DR plans will:

• be tested at minimum annually, noted deficiencies/failures will be addressed timely, and testing will:
  • be conducted in conditions comparable to production.
  • demonstrate recovery within the established Recovery Time and Point Objectives.
• identify key resources and address business interruptions of those resources supporting services, including those provided by Firstup’s subcontractors.
• employ a backup policy in order to meet application recoverability requirements. The policy will define datasets, frequencies, criteria for a successful backup, annual test requirements, offsite storage requirements, and retention periods.
• require that backups are performed based on the business requirements to maximize data availability and prevent information loss based on contractual commitments.
• require that data backups are performed immediately prior to any system upgrade or maintenance activity and backup and recovery events are logged.
• require that data backups are stored in a geographically separate, physically secure facility or cloud platform.

5. Compliance Management.

Firstup maintains an ISO27001, SSAE16 (SOC2 Type II) or similar industry recognized certification designed to ensure that the security controls in place are appropriate to counter the threats and vulnerabilities relating to Firstup’s IT systems and applications used to provide services, and upon request, provide an ISO27001 certificate and SOC2 Type II report(s).

6. Data Protection.

Firstup maintains a data protection policy that will be reviewed against industry standards on a regular basis. The data protection policy will:

• cover encryption, key and certificate lifecycle management, permitted cryptographic algorithms and associated key lengths, message authentication, hash functions, digital signatures, and random number generation.
• contain policies, procedures, and controls in place to protect the exchange of Client data through the use of all types of communication mechanisms.
• require that disposal of Client data occurs securely and in accordance with applicable law and industry standards so that the disposed Client data cannot be reconstructed.
• prohibit download and use of unauthorized file sharing and other software that can open security vulnerabilities to areas or systems that hold Client data.
• include appropriate data loss prevention (“DLP”) controls designed to detect and/or prevent unauthorized removal of confidential information from Firstup systems.
• Include procedures around cookie management that is compliant with applicable laws and regulations.
• Require logical separation of Client data from data belonging to other Firstup customers.

7. Encryption.

Firstup maintains policies and procedures for encryption based on industry standard practices that include:

• implementing encryption using industry standard algorithms that meet or exceed current industry standard requirements for both data at rest, and in transit.
• safeguarding encryption keys and maintain cryptographic and hashing algorithm types, strength, and key management processes consistent with industry standard practices.
• requiring that authentication credentials (e.g., passwords, personal identification numbers, challenge answers) are encrypted in transit and at rest.
• requiring strong encryption of confidential information:
  • stored on laptops, mobile devices, or media.
  • stored outside of the organization’s physical controls.
  • transmitted across any public network (such as the Internet), via VPN, wirelessly, or outside of the organization’s information systems.
• default vendor‐generated symmetric encryption keys will always be changed to non‐default values, such that the changed values are not known to the vendor’s other customers and not known to the vendor unless required by the intended function.
• symmetric encryption keys used to encrypt backups will be stored separately from the data being backed up and managed according to industry standard practice.

8. Incident Management.

Firstup maintains an incident response program that includes:

• notifying Clients promptly without undue delay and in no event in more than 72 hours of confirming a Security Incident. A “Security Incident” means the unauthorized access, use, disclosure, loss, theft or other processing of Client data.
• the documenting of root cause analysis, implementing appropriate solutions or mitigation measures, preventative actions, and service improvement opportunities, providing conclusions to Clients following a Security Incident.
• providing notification and updates of Firstup’s progress in responding to any Security Incident in accordance with contracted, legal, and regulatory requirements.

9. Identity & Access Management.

Firstup maintains a documented authentication and authorization policy which covers all applicable systems and networks, including elevated privileges, multi-factor authentication (“MFA”), password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, thresholds for inactivity, and shared accounts. The policy includes:

• documenting logical access policies and procedures will support role-based, “need-to-know” access based on the principle of least privilege, and ensure segregation of duties during the approval and provisioning process.
• management approval for all requests for elevated privileges and revoke such privileges when no longer needed.
• MFA for administrative user access.
• requirements that all personnel, subcontractors, and other third parties change passwords whenever there is any indication of possible system or password compromise.
• storing passwords utilizing a cryptographically strong credential-specific salt and a function to compute a one-way (irreversible) password and ensuring that passwords are not hardcoded into software or scripts.
• requirements that all users accessing Firstup internal or hosted networks remotely use a secure method of connection including VPN and/or MFA.
• termination of user access after a predetermined period of inactivity.
• ensuring that passwords and PINs are delivered in a confidential manner that requires the recipient to prove their identity before the password/PIN is received.
• changing default passwords/PINs during or immediately upon the completion of the installation process.
• ensuring compromised accounts and accounts suspected of having been compromised are disabled within 24 hours.
• disabling an individual’s accounts upon termination of employment and change all shared passwords and PINs under that individual’s control (e.g., service account password) no later than 72 hours after termination.
• maintaining secure control over user IDs, passwords, and other authentication identifiers.
• maintaining a current record of personnel and third parties who are authorized to access confidential information (including Client data) and relevant information systems.

10. IT Operations Management.

Firstup maintains documented operational procedures designed to ensure correct and secure operation of assets including monitoring of capacity and performance. These procedures include:

• changes to the production system, network, applications, data files structures, other system components and physical/environmental changes are monitored and controlled through a formal, documented change control process.
• changes are approved prior to implementation, and evaluated after implementation to ensure that the expected outcome was achieved.
• changes are tested prior to implementation and reviewed for impact.
• an emergency change management procedure is documented.
• any changes materially affecting services will be communicated prior to implementation.
• infrastructure assets follow a documented and approved maintenance process.
• that unless otherwise expressly agreed between Client and Firstup, impose physical and/or logical segregation of development and testing environments from production environments and prohibit any Firstup information from being included in such environments.

11. Logging & Monitoring.

Firstup audit logging is enabled on network devices and server systems that contain Client data, in‐scope applications and all security‐related systems and appliances (e.g., identity and access management systems, domain controllers, anti‐malware management servers, etc.), where supported by the log source system, to capture at a minimum the security‐related events defined below:

• account logon (both successful and unsuccessful) and logoff
• failed access attempts
• account lockouts
• elevation of privileges (both successful and unsuccessful), and use of elevated privileges or actions taken
• creation, modification and deletion (both successful and unsuccessful) of:
  • accounts or logon identifiers
  • group membership
  • access privileges/attributes for accounts and groups
  • user rights and permissions
• changes in account or logon identifier status (both successful and unsuccessful)
• modifications to, or unauthorized attempts to modify the security configuration, security function, or authorization policy
• audit logs capture, at a minimum, the information for each security‐related event defined below:
  • user, system or process identifier that triggered the event
  • description of the event
  • date and time the event occurred
  • identifier of the system generating the event (e.g., IP address)
  • authorization information associated with the event
• audit logs are retained for not less than ninety (90) days.
• audit logs and/or error reports are reviewed at least weekly for critical systems (domain controllers, remote access gateways, etc.) and at least monthly for all other systems, or in response to a security notification from an audit system.
• audit logs are protected from accidental or intentional modification or destruction and computing and network Resources are automatically synchronized to a trusted time source.
• applicable IDS events and alerts, and other security alerts/events generated by other computing and network resources, are handled according to Firstup’s Security Incident monitoring, reporting, and response process.

12. Media Protection.

Firstup maintains policies and procedures for media protection based on industry standard practices, including:

• ensuring third party and open source code or software used are appropriately licensed, inventoried, and where commercially licensed, supported by the vendor.
• securely erasing media containing confidential information before reuse.
• refraining from storing confidential information on high risk media which is unduly exposed to external threats or unauthorized persons.
• implementing appropriate technical configuration for the protection of encrypted portable media.
• erasing discarded media (paper, film, or electronic) in accordance with industry standard practice such as NIST SP 800‐88 Guidelines for Media Sanitization.

13. Mobile Computing.

Firstup maintains policies and procedures for mobile computing based on industry standard practices designed to ensure:

• mobile computing devices and any portable device containing Client data will be encrypted at the device level (i.e., full disk encryption). This includes but is not limited to mobile phones, tablets, laptops, USB storage.
• mobile computing devices containing Client data are configured to wipe information residing on the device (i.e., erasing the information or ensuring the encryption key protecting the information is erased) upon a remote command.
• remote access or wireless access communication sessions adhere to all applicable industry cryptographic standards for algorithms and key lengths.
• remote access employs MFA.

14. Network Security.

Firstup’s network security includes:

• maintaining intrusion detection systems (“IDS”).
• implementing up-to-date firewall or equivalent technology between the organization’s information systems, the Internet (including internal networks connected to the Internet) and other public networks, and internal networks.
• using firewall rules to allow or deny connections over both outbound and inbound connections where possible. Access which is not explicitly allowed will be denied.
• documenting the business purpose and an associated risk assessment for all changes to the hardware, software or configuration of the firewall.
• ensuring that any direct or remote administrative session on a firewall will not display the last user to log in and will be logged off when unattended.
• maintaining a current network and data flow diagram.
• ensuring that network devices have internal clocks synchronized to reliable time sources.
• maintaining standard security configurations, using the principles of least functionality/privileges.
• deploying information systems only with appropriate security configurations which are reviewed / updated periodically for compliance with Firstup’s security policies and standards.
• maintain policies, procedures, and controls designed to ensure proper control of an electronic mail and/or instant messaging system.
• implementing preventive controls to block malicious messages and attachments as well as to prevent auto-forwarding of emails
• ensuring that direct diagnostic access to Firstup systems or networks, for the purpose of monitoring or problem diagnosis and/or repair, will not allow:
  • elevated or administrator privilege without explicit enablement and supervision by authorized personnel
  • access to any other location or service on Firstup’s network
  • access to Firstup’s information or networks
• configuring audio and audiovisual teleconferencing equipment to not answer any incoming connections without human action to establish a connection.
• enabling anti-spoofing filters.
• deploying DLP technology, processes, and/or solutions to protect against the exfiltration of information.

15. Personnel Security.

Firstup policies and procedures related to personnel security are based on industry standard practices and include:

• conducting reasonable background checks of any Firstup personnel who will have access to certain types of confidential information or relevant information systems.
• requiring that personnel agree to non-disclosure or confidentiality obligations before assigning them to services and / or giving access to systems and information.
• having a disciplinary process in place for policy violations.
• terminating personnel access to information system resources, facilities and secure areas when an individual’s employment ends or no longer needs access.

16. Physical and Environmental Security.

Firstup maintains policies and procedures for physical and environmental security based on industry standard practices that include:

• maintaining reasonable restrictions on physical access to confidential information and relevant information systems (e.g., clean desk policy, keeping documents secured when not in use).
• restricting physical access to facilities, with all access recertified on a regular schedule. Access is granted based on the principle of least privilege.
• requiring visitors at Firstup locations to sign a visitors register. For data centers or similar facilities, visitors will be escorted or observed at all times.
• maintaining appropriate environmental controls, including fire detection and suppression, climate control and monitoring, power and back-up power solutions, and water damage detection for all company-controlled facilities.
• locking workstations with access to Confidential Information when unattended.
• monitoring and periodically testing environmental control components.
• conducting regular (at least annual) inspections of the perimeter and all access control mechanisms to ensure that hardware cannot be easily manipulated or bypassed to gain unauthorized access to information.
• ensuring that data centers are resilient to natural or man‐made disasters and that personnel within facilities (e.g., employees, visitors, resident contractors) are able to be immediately identified (e.g., using identification badges, visual recognition or other means).
• securing information that is in paper form, when not in use.
• controlling delivery and loading areas and isolating these areas and storage areas from data centers, if possible, to avoid unauthorized access.
• maintaining appropriate procedures to control unauthorized removal of server systems and network devices.

17. Personal Privacy Management.

Firstup maintains policies and procedures to treat personal information in accordance with its contractual and legal requirements, including:

• performing privacy impact assessments during the requirements phase of system development to evaluate the impact to confidential information and review the scope of monitoring.
• via Client accounts, giving end users the ability to access, correct, opt-out, delete, restrict, make portable, or object to the processing of personal information.
• providing a mechanism for Clients to post a privacy notice that informs their respective users how their personal information is collected, transmitted, processed, and stored.
• collecting only as much personal information as needed to accomplish the purpose for which the information is collected.

18. Risk Management.

Firstup maintains risk management policies and practices in accordance with industry standards that include:

• performing risk assessments of software, systems, networking, and facilities.
• maintaining a risk-based exception management process for prioritization and remediation or risk acceptance of controls that have not been adopted or implemented.
• conducting an annual risk assessment to verify the implementation of controls that protect business operations and confidential information.
• requiring sub-processors to comply protections no less protective of confidential information processed by them than the protections required of Firstup.

19. Technology Planning & Development.

Firstup abides by security by design principles for technology planning and development that include:

• maintaining a Secure Software Development Lifecycle (S-SDLC) based on industry standard practices to identify and remediate defects, vulnerabilities, errors, and design flaws prior to production using a risk-based approach.
• establishing acceptance criteria for new systems and network devices during development and prior to production release.
• completing security configuration standards, or “hardening documents,” for information systems prior to placing them in production based on industry standard practices.
• using secure coding practices such as those dictated by OWASP Secure Coding Practices for internet‐facing websites/web applications, including but not limited to input/output validation, error and exception handling, cryptography, cookie and session management, and system configuration (e.g., default credentials/files will be removed or disabled).

20. Threat Management.

Firstup maintains a threat and vulnerability management program which includes the receipt of vulnerability related security alerts and intelligence from external and internal sources in order to identify and monitor for vulnerabilities, along with the following:

• engaging an independent third party to conduct application penetration testing at least annually.
• monitoring external attack surface monitoring across externally accessible assets.
• documenting the risk/vulnerability assessment and provide evidence of such upon request.
• conducting static and dynamic application security testing of production internet‐facing, web‐based in‐scope applications and production internet‐facing websites, at a minimum scanning for the OWASP Top 10 on a monthly basis.
• identifying and prioritizing vulnerabilities and remediating based on industry standard vulnerability ratings.

21. Employee and Contractor Training.

Firstup regularly performs information security training taking into account employee roles and responsibilities and requires the same from its contractors. Training begins at employee onboarding and occurs thereafter not less frequently than annually. Security training will cover areas such as:

• proper selection of passwords and PINs, and how to keep them private.
• responsible use of computing resources: never leaving an unlocked device unattended, maintaining control of devices in public, secure portable storage, etc.
• simulated phishing attacks or other situational awareness mechanisms.
• reminders that paper documents also need to be protected properly.
• training to identify and report suspected security weaknesses, suspicious activity, and security events, or incidents.

22. Vulnerability Disclosure.

If you would like to report a vulnerability, please contact security@firstup.io with a proof of concept, list of tools used, and the output of the tools. If you choose to disclose a vulnerability, you are expressly agreeing to our Vulnerability Disclosure requirements.

If a vulnerability disclosure is received, we will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy.