Information Risk Workforce Orientation



    AEGON - Internal Use Only

    This is a summary of Company Information Security Policies to assist new workforce members. Workforce members include any employee, agent or third party who uses AEGON companies' internal resources on behalf of the Company. It is not intended to be an all-encompassing document, but a quick overview to provide initial direction until new workers have had time to become better acquainted with the full Information Risk Program.


    Your Commitment

    As a new workforce member of the AEGON companies, it is important for you to understand that maintaining a secure and reliable environment is vital to protecting Company information assets. Your commitment is important to the Company as well as its customers, business partners, stockholders, and employees.


    Why is this Important?

    A large amount of the information handled by those working at the Company can be considered business critical and confidential, and should be handled appropriately. Your awareness and proper handling of information assets, both internally and externally to the Company, is essential in order to minimize risks (e.g. unauthorized disclosure or modification).

    An impact to business critical and confidential information assets could adversely affect the business interests of the Company or its customers, business partners, stockholders or employees.

    Policies and programs are in place to safeguard Company information assets. All workforce members are responsible for understanding and complying with these policies and programs, and are accountable for reporting any known or suspected violations. In this orientation, you will be introduced to some of those policies and


    Information Assets


    What is an Information Asset?

    An information asset is any data owned and/or maintained by the Company for business purposes. Information assets can originate from our business units, partners, customers or employees and may include data elements such as:

    Health Information (e.g., lab results, health condition, medications used, etc.)
    Personal Information (e.g., Social Security Number, driver's license number, Date of Birth, etc.)
    Financial Information (e.g., policy number, bank account and credit card numbers,


    Some Company information assets are protected by federal and state laws. Special precautions need to be taken when handling and combining customer/employee names with other sensitive data elements such as:

    Customer/Employee Names and Personal Data
    Social Security Numbers
    Account/Policy Numbers
    Merger/Acquisition Information
    Credit Card Numbers
    New Product Information
    Policy Information
    Company Financial Data


    Those working at the AEGON companies are exposed to information assets on a daily basis. If you are in contact with any of the following, you are exposed to Company information assets:

    Billing Information
    Employee/Personnel Data
    Customer Account/Policy Records
    eCommerce Websites
    Product Development Plans
    Financial Statistics and Statements

    An information asset can be accessed, maintained and stored in electronic (digital) or paper form. Common forms include computer hardware, software, storage media, and portable devices, for example:

    Cell Phones/Blackberry Devices
    USB Storage Devices
    Tape/Cartridge Storage Media




    Information Asset Confidentiality Classification

    The sensitivity and handling of an information asset is determined by its confidentiality classification. An information asset that is labeled or categorized with any of the following classifications is considered to be sensitive:

    Strictly Confidential - The most sensitive. Compromise would lead to financial, legal or competitive impact or fraud. (Examples include: reorganization plans, merger and acquisition information, new product launches, unannounced financial statements, etc.)

    Confidential - Compromise could potentially lead to financial, legal or competitive impact or fraud. (Examples include: customer data, passwords, encryption keys, employee personal and private information, payroll information, business plans, etc.)

    Internal (Proprietary) - Disclosure outside of the Company, its employees, and its third parties should be avoided to reduce the risk of compromise. (Examples include: inter-office memos, policies and procedures, operational guidelines, bulletins, training material, etc.)

    An information asset that is labeled or categorized with the following classification is considered to be non-sensitive:

    Public - Refers to all information determined not to be confidential or internal/proprietary. This information comes from public sources or is provided by the Company to the general public.


    Managing Information Assets

    It is essential to understand how information flows both internally and externally in order to minimize risks associated with information assets.

    The emergence of more strict industry and regulatory information handling mandates, such as data privacy regulations, requires companies to implement reasonable internal

    It is important to demonstrate that proper protection is always applied to sensitive information assets.

    Information assets must be managed and protected while:

    In Use - Information that is currently being accessed and within a person's or organization's control.
    In Motion (or in transit) - Information that is being transported from its origin or resting location to another location.
    At Rest - Information in storage.
    Sanitizing or Disposing (Destruction) - The process of purging or physically damaging the information asset so that it is not usable and there is no known method for unauthorized individuals to retrieve the information.

    Information Risks


    What are the key risks to our Information Assets?

    The key risks associated with Company information assets are:

    Unauthorized Disclosure - The act of making known or revealing sensitive information (e.g., customer account information, internal corporate knowledge, etc.) to unauthorized groups or individuals.

    Unauthorized Modification - To alter or change the structure, condition or meaning of information (e.g., customer account information, financial data, etc.) without approval.

    Unauthorized Destruction - To eliminate the existence, structure, or condition of information (e.g., computer hard drives, web servers, database tables, etc.) without

    Loss of Availability - Inaccessibility of information assets or systems (e.g., customer account information, billing systems, websites, etc.) to users approved for access.

    Information Risk Management


    What is Information Risk Management?

    Information Risk Management helps the AEGON companies analyze the risk to their information assets by conducting risk assessments to determine:

    What are the threats or vulnerabilities to our business operations or systems?
    Should vulnerabilities be proactively addressed to lower the level of risk?
    What controls do we have in place to protect us from threats and how strong are those
    What is the likelihood that an event or incident will occur given our current level of risk
    If an event or incident does occur, what is the impact to the business?
    What level of risk is acceptable?
    What mitigation activities need to be resolved in order to more effectively manage the risks to Company business?

    The bottom line at AEGON companies: risk management is everyone's responsibility!


    How Can I Help Manage Information Risks?

    As a new workforce member, you may be wondering:

    How can I help protect Company information assets?
    What can I do to maintain a secure environment and safeguard this workplace?
    Where can I find more information?
    Who can I ask if I have questions?

    The following will explain how YOU can help manage risks to Company information assets by your:

    Knowledge of Information Management and Classification (IM&C) and Record Retention.
    Compliance with General Information Security Policies and applied safeguards (e.g. Internet Usage, Electronic Communication, Access Controls, User IDs, Passwords, Physical Access, Workplace, Mobile Computing Security, etc.).
    Recognition and Reporting of Security Incidents.
    Awareness of Business Continuity efforts.

    Information Management and Classification Program (IM&C)

    Ask yourself these questions:

    Would I like my hospital to protect my healthcare information?
    Would I like my bank to ensure my financial information is complete and accurate?
    Would I like my bank to ensure my money is available when I need it?

    At the AEGON Companies, the IM&C Program focuses on:

    Confidentiality - Information is accessible only by those who are authorized. IM&C helps to prevent unauthorized access to or disclosure of sensitive information, which may result in legal liability or customer distrust.
    Integrity - Information is accurate and complete. IM&C helps to protect critical business information assets from the risks which may compromise accuracy or completeness.
    Availability - Information is available when it is required. IM&C helps to identify the risks which may prevent critical business information assets from being available.


    Record Retention

    Federal and State laws and regulations require that the AEGON companies retain certain records for specified periods of time. In addition, records may need to be retrieved by the Company to assist with its operations. Thus, good recordkeeping practices are an important business function.

    The Record Retention Program:

    Defines guidance for determining what constitutes a Record.
    Defines record types.
    Determines retention periods for record types.
    Defines specific destruction requirements.
    Facilitates proper classification, indexing and storage methods.

    Contact a manager or Record Retention representative for more information about your division's program and your responsibilities.


    General Information Security Policies and Safeguards

    Throughout your time at the AEGON companies, you will become aware of many different policies and safeguards aimed at protecting the confidentiality, integrity and availability of Company information assets. The following sections will make you aware of the key General Information Security Policies and practical safeguards, including:

    Internet Usage
    Electronic Communication
    Access Controls
    User Identification Basics
    Password Safeguards
    Physical Access / Workplace Safeguards
    Clear Desk / Clear Screen
    Mobile Computing


    Internet Usage Policy

    When using the Internet, you must follow the Internet Usage Policy, which includes:

    Use mainly for business purposes and only for incidental or occasional personal use.
    All Company provided Internet resources remain the property of the AEGON companies and are subject to monitoring at any time.
    Internet use is a privilege, not a right, and access may be revoked at any time.
    The Company has a right to restrict access to websites it deems inappropriate or a high risk to information assets.
    Do not engage in activities that conflict with Company business interests or operations.
    Unless specifically authorized by the Company, do not post Company information on public websites (e.g. Facebook, Twitter, etc.).
    If you post to a blog site, your affiliation to the Company is known, and you reference the Company or the financial services industry in general, a disclaimer must be included that clearly states your post is your opinion only and does not reflect the opinion or position of the AEGON companies.

    If you witness Internet usage that you consider to be a violation of this policy, refer to Recognizing and Reporting a Security Incident for details.


    Electronic Communication Policy

    This policy applies, for example, to e-mail, Web-Mail, Instant Messaging, Blogging, Voice Mail and Phones (e.g., Landline, Cell, Smart Phones). It is important that you follow the Electronic Communication Policy, including, but not limited to:

    Use mainly for business purposes and only for incidental or occasional personal use.
    All electronic communications conducted via Company systems are the property of the AEGON companies and are subject to review at any time.
    Sensitive information must never be sent via e-mail or other electronic file transfer methods unless proper safeguards are applied, such as encryption.
    Do not forward internal electronic communications outside of the Company without prior consent from the originator or information owner.
    Do not engage in activities that conflict with Company business interests or operations.
    E-mail from unknown sources is a risk. As a general rule, do not open e-mail attachments from those you don't know.


    Access Controls

    All technical and physical access controls at the Company are established to limit the access rights an individual has to information assets, including information, systems, business applications and buildings:

    Access is granted on a need-to-know basis; you are granted access to only what is needed for your job function.
    Requests for access to information assets must be approved by the information asset owner or his/her authorized designee.
    Challenge anyone who does not appear to have a need-to-know.

    Once you are granted access to a given system, you must never:

    Use any element of the system that you are not authorized to use.
    Attempt to bypass any access control system.


    User Identification Basics

    To properly identify a user, a unique User Name (User ID) is assigned to each individual. Once you have been assigned a User ID, each system that you access will require you to provide your User ID along with a password.

    It is important to remember:

    User IDs must only be used by those to whom they are assigned. Do NOT share your User ID! You are accountable for all activity performed using your User ID.
    Use Ctrl+Alt+Delete and then Enter (or press the Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
    Log out from your desktop or laptop upon leaving the office for the day or when it is no longer being used.


    Password Safeguards

    The security provided by a User ID depends on the password being kept secret at all times. Your password is the proof of your identity and should be properly safeguarded.

    Never share your password. If your password is disclosed, contact your DISO immediately. Remember: keep your password confidential!
    Do not ask others to reveal their password to you.
    Never write down your password.
    Do not use the "remember my password" feature on any internet site.
    Your password must be changed at regular intervals.
    Create strong passwords using a combination of upper case, lower case, standard symbols (e.g., +, $, &, etc.), and at least one numeric character.
    Your password should be easy for you to remember and difficult for others to guess.


    Physical Access / Workplace Safeguards

    Physical Access Safeguards are in place at the AEGON companies and must be followed by workforce members at all times. Maintaining good physical security requires the

    All individuals entering Company facilities are assigned an ID Card (or Badge) which must be visibly worn at all times.
    Each workforce member should use his/her own ID Card to enter secured areas. Do not share your ID Card with anyone.
    If you forget your ID Card, contact Facilities Security Management to obtain a temporary ID Card for entry.
    ID Cards that have been lost or stolen must be reported immediately to Human Resources or Facilities Security Management.
    All visitors must sign in and be escorted at all times.
    Be aware of unknown individuals who try to follow you into a secured area without using their own ID Card (also known as piggybacking or tailgating).
    Report any suspicious behavior to a local facility security contact, DISO, or to a manager.


    Clear Desk / Clear Screen

    When at your workplace or leaving the office, follow these simple safeguards to assist in protecting information assets:

    Do not leave sensitive information accessible within your work area or on printers or fax machines. Use the password function when available.
    At the end of the day, secure all sensitive paperwork in a locked drawer or cabinet.
    Secure mobile devices, including your laptop, cell/smart phones, PDA, USB drives, etc.
    Remove sticky notes from your desk that contain sensitive information.
    Do not leave sensitive information in your waste bin. Use Company provided locked disposal bins to discard sensitive items (e.g., papers, diskettes, CDs, etc.).
    If you are unsure whether something should be recycled or shredded, use the locked disposal bins as a precaution.
    Use Ctrl+Alt+Delete (or Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
    Log out from your desktop or laptop upon leaving the office for the day or when it is no longer being used.


    Additional Safeguards

    Physical security personnel located at the various entrances into the building are there for your protection. Be cooperative with their requests for identification.
    Do not discuss Company business or other information that may be considered confidential or sensitive in public places where you may be overheard.
    Clean meeting rooms, including tables, waste bins and whiteboards.
    Do not prop doors open. This may allow unauthorized entry and trigger an alarm.

    For additional information on Information Security Policies, including safeguards, reference the following Enterprise Information Risk Management Intranet site:

    Contact the Division Information Security Officer (DISO) for supplemental information referencing Information Security Policies and safeguards.

    Traveling, Telecommuting, Mobile Computing

    Today, most business professionals use laptops and other mobile equipment while at home, traveling, and as a part of their normal business routine. This equipment may include laptops, cell phones, personal digital assistants (PDAs), Smart Phones, pagers, VPN tokens, USB drives, etc.

    This type of equipment is extremely vulnerable. To minimize the risk, extra precautions are required while in the office, working remotely or traveling.

    All Company policies, programs and safeguards still apply outside Company facilities and must not be bypassed.
    Do not conduct Company business or access information that may be considered confidential or sensitive in public places where it may be seen by unauthorized individuals (e.g., airports, planes, restaurants, hotel lobbies, etc.).
    Obey all applicable state and local laws regarding the usage of this type of equipment while traveling.


    All Mobile Devices (including laptops, cell phones, Smart Phones, PDAs, etc.)

    You are accountable for all activity performed with any Company mobile device assigned to you.
    Company mobile devices assigned to you must not be used by anyone but you.
    Company equipment must not be left unattended or unsecured in public areas (e.g., hotel rooms, automobiles, restaurants, airports, etc.).
    Always use a cable lock to secure your laptop in unsecured locations.
    Loss or theft of Company mobile devices must be reported immediately. Refer to Recognizing and Reporting a Security Incident for more details.
    Your mobile devices, such as laptops and USB drives, must employ Company standard
    Do not communicate sensitive information using Text or Instant Messaging.
    The Company does not allow synchronizing e-mail to a personal PDA (a Company issued Blackberry is permissible).
    All business critical files stored on local drives must be backed up to Company network drives to prevent unintentional or malicious loss of data.


    Recognizing and Reporting a Security Incident

    All workforce members are responsible for compliance with the Company Information Security Policy and are accountable for reporting any known or suspected violations.

    Reporting a security breach as soon as it is noticed is paramount. Quick reporting can help to minimize potential damage to the Company or to its customers, business partners, stockholders, and employees.

    Be on the lookout for the following:

    Files or systems that should be accessible to you are suddenly unavailable or missing.
    Output of sensitive and confidential information found in printer trays, left unprotected in the work area, or sent to the wrong person or group.
    Unauthorized persons or personnel are discovered in the work area.
    Files appear, disappear, or undergo significant and unexpected changes in size.
    Your password has been changed without your knowledge or involvement.

    Report these or any other anomalies to a manager, the Divisional Information Security Officer (DISO), the S.H.A.R.E. hotline (1-866-263-7787), the AIT Customer Service Center (1-888-852-4357) or the Enterprise Information Risk Management Intranet site:

    Business Continuity

    Business Continuity is about keeping the AEGON companies operating during any planned or unplanned business disruption. Business Continuity helps the Company to be proactively prepared for such an event.

    Events can be caused by natural or man-made disasters and may include floods, hurricanes, blizzards, earthquakes, terrorists, power outages or technology failures.

    The Business Continuity framework is divided into three phases:

    Assessment - Ensures that the Company assumes the correct level of risk, since not all risks can be totally eliminated or controlled. Understanding the critical processes and their associated risks will help protect against unanticipated losses that could significantly affect personnel, property, revenues and the ability to fulfill responsibilities to customers, employees, shareholders, and the public.

    Preparedness - Ensures that the Company is able to recover from potential disruptive events. This is accomplished by having a comprehensive Business Continuity Plan that includes strategy, recovery and testing phases.

    Event Management - Execution of Business Continuity Plans. In the event of an outage, quick response and recovery are critical. This phase ensures that relief and restoration activities are performed to restore the business functions to a pre-event



    At the AEGON companies, your participation is critical in many ways. We have plans, but it is your responsibility to become familiar with the departmental emergency response plan by doing the following:

    Know where the emergency shelter area is within the building.
    Know where the meeting place is when you evacuate the building.
    Identify the floor marshal.
    Identify the BCP coordinator in the department and discuss your role.
    Maintain your current contact information to preserve the integrity of essential emergency communication channels.


    For More Information

    Visit the Enterprise Information Risk Management Intranet Site for additional information, including Information Security Policies, Business Continuity, Disaster Recovery and much more. Check out the website today!

    Divisions may have additional information, including information security procedures, guidelines and resources (e.g. intranet sites).

    Contact the Divisional Information Security Officer (DISO), Risk Manager, or Business Continuity Planning (BCP) Manager for questions regarding topics covered in this


    My Information Security Acknowledgement
