
Member FINRA/SIPC

Home Office Security Policy

and Implementation Standards

for LPL Financial LLC and Affiliates

November 15, 2016

Policy Approved by Patrick E. Cox, SVP, Infrastructure Risk Management and Chief Privacy Officer

LPL Financial Home Office Security Policy

2

Policy Objectives

The purpose of the LPL Financial Home Office Security Policy and Implementation Standards (referred to collectively herein as the “HOSP” or the “Policy”) is to define the security requirements of LPL Financial and its affiliates to safeguard the security and confidentiality of personally identifiable information (PII) from unauthorized access, alteration, or destruction; to protect against anticipated threats or hazards to the security or integrity of the information; to protect against unauthorized access to, or use of, information that could result in substantial harm or inconvenience to a customer or LPL Financial or an affiliate; and to ensure the proper disposal of the information. As used in this Policy, “affiliates” shall mean LPL Independent Advisor Services Group, LLC, PTC Holdings Inc., Independent Advisers Group Corporation, The Private Trust Company N.A., Fortigent, LLC and LPL Insurance Associates, Inc.

Policy Scope

The Policy is designed to comply with Regulation S-P adopted by the Securities and Exchange Commission (SEC), the federal Red Flag regulations under the Fair and Accurate Credit Transactions Act of 2003, and any applicable state laws and regulations as well as security best practices, and applies to all LPL Financial and affiliate employees.

LPL Financial and its affiliates’ employees, contingent workers, SOW workers, and service partners are required to adhere to the HOSP and to protect PII from unauthorized disclosure. Any request for exceptions must be addressed to the Privacy Office of LPL Financial.

This Policy applies to all individuals and computers involved with conducting LPL Financial business. This policy is also recommended for employees’ personal use in the protection of their personal information.

The Standards include:

1.0 Information Classification and Definition
2.0 Information Handling and Disclosure
3.0 Physical and Administrative Security and Business Continuity
4.0 Technology Security
5.0 Training
6.0 Compliance and Reporting

Policy Owner

The Privacy Office of LPL Financial has authority over all LPL Financial security policies and standards outlined in the HOSP.

Policy

LPL Financial employees must safeguard the security and confidentiality of PII from unauthorized access, alteration, or destruction; protect against anticipated threats or hazards to the security or integrity of the information; protect against unauthorized access to or use of information that could result in substantial harm or inconvenience to a customer, employee or LPL Financial or an affiliate; and ensure the proper disposal of the information.

LPL Financial employees must not disclose any PII regarding a customer or employee to anyone who does not have a need to know.

Any violation of this policy and its related standards, intentional or unintentional, must be reported immediately to your department manager and to the Privacy Office via the LPL Incident Hotline at 6911, option 2.

This policy establishes a standard LPL Financial home office approach to safeguarding PII by:

• Requiring administrative, technical, and physical safeguards for the protection of PII.
• Mandating standards and procedures that define the required administrative, technical, and physical safeguards for the protection of PII. The standards and procedures include the security safeguard requirements for:
  o Computer hardware and network systems used to conduct LPL Financial and affiliate business
  o Laptops and portable data devices used to conduct LPL Financial and affiliate business
  o Security and virus-protection software
  o Remote access and e-mail communication
  o Secure connection and communication to the LPL Financial or affiliate environment using multiple-layer authentication, strong password rules, and access restrictions
  o Encryption of data
  o Proper disposal of information
  o Physical office security requirements
• Reporting to the LPL Incident Hotline when actual or suspected unauthorized access to information occurs.
• Training employees, service partners, contingent workers, and SOW workers about information security program requirements.

Roles and Responsibilities

It is the responsibility of each employee to read and adhere to the HOSP and related communications.

It is against the HOSP to disable, bypass, circumvent, or otherwise attempt to negate the information security measures of LPL Financial. By following these measures, we can help reduce the risk of security breaches impacting the PII of our customers and employees.

Employees who do not comply with the HOSP may be subject to disciplinary action up to and including termination. LPL Financial is an at-will employer. Nothing in this policy alters the at-will employment relationship with LPL Financial or LPL Financial and its affiliate employees.

Please address any questions and comments concerning the HOSP to the LPL Financial Privacy Office at [email protected].

Amendments

LPL Financial Privacy Office may amend the LPL Financial HOSP at its discretion from time to time. You will be advised of such amendments in writing and are required to abide by the HOSP (including the policy and implementation standards), as amended, at all times.


Security Standards and Guidelines

Standard Description and Guidelines

1.0 Information Classification and Definition

1.1 Personally Identifiable Information (PII)

Standard:

PII is defined as all customer and employee information of a personal or financial nature and is protected by legal and regulatory requirements and is highly sensitive information and/or could cause significant harm to customers, employees or LPL Financial and its affiliates if mishandled. PII includes information covered by Title V of the Gramm-Leach-Bliley Act, SEC Regulation S-P, HIPAA, and state privacy and information security laws.

Examples include: first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to a customer or employee: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a client’s financial account. PII may also include passport number; customer financial information, such as net worth and annual income; and private health information such as demographic information, medical history, test and laboratory results, insurance information and other data collected by healthcare professionals to identify an individual and determine appropriate care.

1.2 Proprietary Corporate Information

Standard:

Corporate information which is not PII but is considered sensitive by LPL Financial because it relates to proprietary data or information critical to LPL Financial maintaining its competitive advantage in the marketplace and is deemed critical to the success of its business by the Company’s senior executive management or its board of directors.

Examples of proprietary corporate information may include, but are not limited to, rep name and ID, compensation (including but not limited to salary, bonus, incentives) and succession structures, advisor or customer lists, strategic plans, proprietary systems and processes. This type of data should be protected in the same manner as PII.

1.3 Internal Information

Standard:

Internal information is defined as any information that is not PII, but its unauthorized release or access could cause harm or embarrassment to LPL Financial, its employees, or affiliates, or provide an advantage to competitors. Internal Information is deemed sensitive and must be protected against unauthorized access or release.

Examples of internal information include internal documents, such as policies and procedures, memos, inventories, training and system manuals. This type of data should be protected in the same manner as PII.

1.4 Public Information

Standard:

Public information is information that would not negatively impact customers or LPL Financial and/or its affiliates if distributed. This includes information that can be freely disseminated as long as there is a valid business reason to do so and there would be no impact if published to a website or other public area.

Examples of public information include job opportunity bulletins, marketing brochures, and press releases.


2.0 Information Handling and Disclosure

2.1 Identification of PII

Standard:

You are required to identify the paper, electronic, and other records, computing systems, and storage media, including laptops and portable devices that contain PII. If you are unable to do so, you must treat all records and devices as if they contain PII.

2.2 Collection of PII

Standard:

Collection of PII must be limited to the amount that is reasonably necessary to accomplish the legitimate purpose for which it is collected.

2.3 Record Retention & Storage

Standard:

Information must be stored and retained in accordance with state and federal regulations and LPL Financial or affiliate policies for record retention and storage. All files, disks, and other media and documents containing PII must be stored securely.

For more information please see the Record Retention Schedule on LPL@Work.

2.4 Cloud Storage

Standard:

Personal networking and storage services such as Dropbox, Carbonite, IDoc, etc. may not be used to store, view, process or disseminate LPL Financial documents without being properly vetted through the vendor management program.

2.5 Electronic PII Storage/Encryption

Standard:

Encryption standards must meet the National Institute of Standards and Technology (NIST) approved encryption algorithm, such as the Advanced Encryption Standard (AES) using a minimum 128-bit (256-bit preferred) length key. Unlike file access restrictions, disk encryption protects information even when the operating system is not active. Disk encryption can prevent unauthorized access when physical security has been compromised, or when the device has been lost or stolen. This encryption standard applies to all encryption including, but not limited to, portable media, laptops, phones, wireless, email, and VPN. Encrypted products must be obtained through Business Technology Services (“BTS”) desktop support.

2.6 Disposal of Personally Identifiable Information, Proprietary Corporate Information and Internal Information

Standard:

PII must be disposed of securely and in accordance with state and federal laws and regulations, and rules of applicable self-regulatory organizations, when it is no longer needed. Destruction of any books and records documents required to be retained in accordance with the Record Retention Schedule must be pre-approved by LPL Financial Governance, Risk and Compliance (“GRC”). Safe disposal must be accomplished by one of the following means:

• Shredding paper records (cross cut or confetti cut versus strip cut) so that reassembly is extremely unlikely
• Destruction of electronic media so the information cannot be read or reconstructed
• Contracting with a third party that is engaged in the business of record destruction to dispose of the information


2.7 Information Sharing

Standard:

All information must only be used for valid business purposes with respect to securities, insurance, investment advisory, or other financial service relationships.

LPL Financial and affiliate employees are required to sign a confidentiality agreement which includes the nonuse/nondisclosure agreement and use of confidential company information.

2.8 Access to and Viewing of Personally Identifiable Information, Proprietary Corporate Information and Internal Information

Standard:

• Do not discuss PII with, or in the presence of, persons who have no legitimate business need to know the information.
• Customer or employee PII must not be accessed out of curiosity, for personal use, or when a person does not have a business relationship with the customer or employee that creates a legitimate business need to know the information. These include, without limitation, information on paper documents in the office and on computer screens, printers, copiers, and fax machines. Access must be limited to authorized persons on a need-to-know basis.
• Staff must verify the authenticity of the person to whom they are disclosing PII before that information is disclosed. Please see the Telephone Authentication Policy on LPL@Work for information about authenticating over the telephone.
• Staff must not disclose in writing or orally any PII regarding a customer or employee to anyone other than the customer, employee, staff, or LPL Financial or affiliate employees who have a legitimate business need to know the information, or as contained in the LPL Financial policies and procedures.
• Staff must not disclose PII to a customer’s spouse, relatives, employer, or retained professionals (e.g., lawyers, accountants, etc.) without the written permission of the customer.
• A customer’s account number must not be disclosed to non-affiliated third parties. If a customer wants his or her account number given to a third party, the customer must provide such information directly or provide written authorization to do so. PII received from a non-affiliated financial institution may not be directly or indirectly disclosed to any non-affiliated third party unless that disclosure would have been lawful if made directly by the non-affiliated financial institution.

2.9 E-Mailing Information

Standard:

Emails containing PII must be encrypted when traveling over the public internet. If you have a valid business purpose to send PII via email outside of an LPL.com or an affiliate approved email address, you must enter “[secure]” or “[encrypt]” (including brackets) anywhere in the subject field of the message. All LPL Financial business must be conducted using an approved LPL.com email address. Encrypted or password protected attachments are prohibited as they interfere with the supervision process. The subject line of an email cannot be encrypted and therefore may not contain PII.


2.10 Use of Web E-Mail

Standard:

Use of corporate web-based e-mail, such as the LPL Financial Outlook Web Access (OWA), or Webmail, is permitted.

The following procedures and guidelines must be followed when accessing webmail from remote locations:

• Always use an https (SSL/TLS) connection.
• Never save passwords or use “auto form fill” features.
• Always clear cached browser content, files, or cookies before exiting the browser to remove potential remnants of PII.
• Never save or open file attachments locally unless you are using a computer provided by LPL Financial.

3.0 Physical and Administrative Security

3.1 Access to Physical Locations

Standard:

Access to physical locations where PII is stored or used shall be restricted to authorized persons with a legitimate business need.

3.2 Lock and Secure Offices

Standard:

Lock and secure all offices containing PII; keep keys and entry devices secure. Where possible, prevent unauthorized individuals from accessing areas where sensitive information is stored or readily accessible.

3.3 Secure and Control Access

Standard:

Secure and control access to dedicated computers, printers, copiers, and fax machines. This includes locked doors, card-access readers, security systems, isolating the location of equipment so that only appropriate staff has access to it, and procedurally segregating staff responsibilities and access to equipment.

3.4 Access Badges

Standard:

Employees are required to wear and display their Corporate Security issued badge at all times when on company property, and swipe their badge prior to entering the facility. If you forget your badge, or if it is lost, stolen or damaged, Corporate Security can issue you a temporary replacement. Never attempt to physically restrain or prevent an intruder from entering the building. Unauthorized building access should be reported immediately to the LPL Financial Incident Hotline at ext. 6911, option 1.

3.5 Visitor Policy

Standard:

Visitors must be escorted by an LPL Financial employee at all times while on company property and must be signed in prior to accessing the facility. A visitor’s badge must be worn at all times and returned to LPL Financial Corporate Security at the conclusion of their visit.

3.6 Protect Computer Equipment and Facilities

Standard:

Safeguards are implemented to protect computer equipment and facilities against fire, flood and other environmental hazards. Such protections include fire alarms, raising computer equipment off the floor if there is a reasonable possibility of flood, and installing air conditioners to keep computer equipment cool. Security includes ensuring the availability of information, including protection from damage or destruction.


3.7 “Clean Desk Policy”

Standard:

Employees should maintain a “clean desk,” free of exposed PII, when leaving their workspace unattended. Do not leave completed applications and related information where others can read or copy such material.

3.8 Establish Procedures for the Secure Handling of Mail and Mail Forwarding

Standard:

If you ship sensitive information using the U.S. Postal Service (USPS) or outside carriers or contractors, keep an inventory that can be referenced in the unfortunate event your material(s) get lost or stolen. Should this occur, contact the LPL Financial Security Incident Hotline at ext. 6911, option 2 or email [email protected] and report exactly what information was lost. The Privacy Office will help determine the appropriate remediation procedure.

Electronic media containing PII sent via the USPS or courier must follow the encryption guidelines in section 2.5. Unnecessary PII on hard copy documents must be “blacked out” or masked, if possible.

3.9 Employee Background Checks

Standard:

A background check will be conducted on each new employee once an offer of employment has been extended. Written consent to conduct the background check will be a condition of employment. Additionally, LPL Financial performs background checks on employees who are promoted to positions of assistant vice president or above or are transferred into a “key” business unit within the firm during their employment with LPL Financial. These background checks may include the applicant’s/employee’s employment history, education and academic degrees, credit history, conviction history, and driving record (to the extent the position at issue requires driving). Continued employment/promotion is conditioned upon an acceptable outcome of the background check.

3.10 Terminated Personnel

Standard:

An employee’s, service partner’s, SOW’s or contingent worker’s physical and electronic access to all LPL Financial premises and systems must be revoked promptly upon termination. This includes, without limitation, access to passwords, usernames, e-mail, internet access, and voicemail. Terminated employees, contingent workers, service partners, and SOWs are required to immediately surrender all keys, IDs, badges, business cards, computer equipment, PDAs and other items which permit access to the LPL Financial physical premises and electronic systems.

4.0 Technology Security

4.1 Use of Computer Equipment for Business Purposes

Standard:

All LPL Financial employees, service partners, SOWs and contingent workers must use LPL Financial-provided technological equipment (including, without limitation, desktop and laptop computers, tablets, smart phones, and related accessories) to conduct LPL Financial business.

All technological equipment must be purchased through the LPL Financial Help Desk. The use of non-LPL Financial-issued technological equipment to view, process, store, or transmit LPL Financial data is prohibited.

Employees may access LPL Financial-provided web-based e-mail through non-LPL Financial technological equipment; see Section 2.10 “Use of Web E-Mail.”

4.2 Password Security

• Passwords must be kept confidential and may not be shared, with the following exceptions:
  o When resetting or during initial assignment, passwords may be communicated through the internal email system or by phone and must be changed upon first use by the account assignee.
• Password manager software may be used so long as the software requires a master password and encrypts the password in storage.
• Temporary passwords must be changed immediately upon receipt.
• Storing or caching passwords in your internet browser is prohibited.
• Passwords must be changed whenever there is an indication of possible system or password compromise.
• Passwords that provide access to applications containing PII, Proprietary Corporate Information or Internal Information must be changed at least once every 90 calendar days.
  o Users must not use the same password within 365 days from the date of last change.
  o Passwords must meet the LPL Financial standards for password strength.

LPL Financial Baseline Standards for Password Strength:

• At least 8 characters in length
• Must contain characters from 3 of the following elements:
  o Numbers
  o Upper case letters
  o Lower case letters
  o Special Characters (characters not classified as numbers or letters, such as “~!@#$%^&*”)
• One Time Password (OTP) devices must use passwords at least five characters in length and must not change in a predictable way.

The eight character password requirement applies to desktops, laptops, and third party applications, while a four character password is sufficient for accessing voicemails.

If third party applications cannot meet the LPL Financial standards for passwords, the password configuration must be as strong as the application allows.

LPL Financial will never ask you to reveal your password.
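The password baseline in 4.2, together with the 16-character rule for administrator accounts without lockout in 4.4, as a runnable policy check. This is an added example, not LPL Financial's own tooling; the treatment of every non-letter, non-digit character as "special", the salted PBKDF2 format used for the reuse history, and the sample passwords and dates are assumptions of the example.

```python
"""Password-baseline checks for HOSP sections 4.2 and 4.4 (added example)."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8                     # 4.2: at least 8 characters
REQUIRED_CLASSES = 3               # 4.2: characters from 3 of the 4 classes
ADMIN_MIN_LENGTH_NO_LOCKOUT = 16   # 4.4: admin account when lockout is not feasible
ROTATION_DAYS = 90                 # 4.2: change at least once every 90 calendar days
REUSE_WINDOW_DAYS = 365            # 4.2: no reuse within 365 days of last change
PBKDF2_ROUNDS = 50_000             # assumption: how the history digests are derived


def character_classes(password: str) -> set:
    """Return which of the four HOSP character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("number")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        else:
            # The policy defines specials as anything not a number or letter,
            # so punctuation such as ~!@#$%^&* (and whitespace) lands here.
            classes.add("special")
    return classes


def strength_violations(password: str, admin: bool = False,
                        lockout_enforced: bool = True) -> list:
    """List the baseline rules a candidate password breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("fewer than %d character classes" % REQUIRED_CLASSES)
    # 4.4: an admin account that cannot lock out after 5 failures needs 16+ chars
    if admin and not lockout_enforced and len(password) < ADMIN_MIN_LENGTH_NO_LOCKOUT:
        problems.append("admin account without lockout shorter than %d characters"
                        % ADMIN_MIN_LENGTH_NO_LOCKOUT)
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the reuse history never holds plaintext (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str, set_on: date) -> None:
    """Record a newly set password as (date set, salt, digest)."""
    salt = os.urandom(16)
    history.append((set_on, salt, hash_password(password, salt)))


def reused_within_window(password: str, history: list, today: date) -> bool:
    """True if the candidate equals any password set within the last 365 days.

    The window is measured from the date each earlier password was set, which
    is this example's reading of 'from the date of last change'.
    """
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for set_on, salt, digest in history:
        if set_on < cutoff:
            continue  # outside the 365-day window: reuse is permitted
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def days_until_rotation(last_changed: date, today: date) -> int:
    """Days left before the 90-day change deadline; negative means overdue."""
    return ROTATION_DAYS - (today - last_changed).days


def demo() -> dict:
    """Run the checks on constructed sample data (dates are made up for the example)."""
    today = date(2016, 11, 15)
    history = []
    remember(history, "Summer2016!", date(2016, 8, 1))    # set 106 days ago
    remember(history, "Winter2015!", date(2015, 10, 1))   # set over a year ago
    return {
        "weak": strength_violations("password"),
        "ok": strength_violations("Tr0ub4dor&3"),
        "admin_no_lockout": strength_violations("Tr0ub4dor&3", admin=True,
                                                lockout_enforced=False),
        "reuse_recent": reused_within_window("Summer2016!", history, today),
        "reuse_old": reused_within_window("Winter2015!", history, today),
        "rotation_days_left": days_until_rotation(date(2016, 8, 1), today),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```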

4.3 Software Security

Standard:

Any software or files downloaded from the internet onto the LPL Financial network becomes the property of LPL Financial. Any such files or software may be used only in ways that are consistent with their licenses or copyrights.

Files or software may be downloaded only upon explicit authorization from the BTS desktop support department with prior approval from your immediate supervisor.

All software shall have a current and valid license or other such authorization for use, including documented “open source” licenses.

Software will be evaluated by BTS for the ability to provide adequate security safeguards against unauthorized use or modification of data. Software will be periodically patched or updated.


4.4 Server Administration

Standard:

Server administrator accounts are used to manage a server or application. Unlike a regular user account access, an administrator account has elevated access privileges on the server or application.

Server administrators must meet the following additional password requirements:

• The password must be unique from all other passwords held by an administrator’s personal accounts.
• Administrator accounts must automatically lock out after 5 unsuccessful logins.
• If account lockouts are not feasible, the account must have a minimum password length of 16 characters.
• Server administrator accounts must be approved by BTS Production Services senior leadership.

4.5 Standards for Client Security Software

Standard:

All company-issued computers must be protected by:

• Firewall
• Anti-virus software
• Anti-malware
• Automatic software updates

BTS is responsible for installing and maintaining each in accordance with its internal guidelines.

4.6 Computer Virus

The BTS helpdesk (ext. 6565) must be notified of any potential malware infections.

Any device confirmed to be infected with a virus or other form of malicious software must be removed from the network until the infection is contained and remediated.

All infected devices must have critical data backed up by BTS support personnel, and be completely erased and rebuilt before being re-connected to the corporate network.

4.7 Computer Screen Lock

Standard:

When leaving a workstation unattended, the user must lock the screen (e.g., press Ctrl+Alt+Delete, then computer lock, or [Windows Key]+L).

User interface shall automatically lock after 15 minutes of inactivity and require a password to regain access to the device.

4.8 Account Lockout

Standard:

Account lockout shall occur after no more than 5 unsuccessful attempts are made.

4.9 File Sharing (peer to peer)

Standard:

Peer-to-peer file sharing is not allowed. Installing such an application and inadvertently enabling an LPL Financial network drive to be shared can make it accessible to unauthorized users. Applications, including but not limited to, BitTorrent, Morpheus and Napster, are prohibited.


4.10 Instant Messaging

Standard:

Lync is the only instant messaging technology that is approved for use by LPL Financial. Examples of instant messaging applications that are not approved include: Facebook chat, AOL/AIM, Google, Yahoo, Meebo and Myspace.

4.11 Network Security

Business Technology Services is responsible for the design, configuration, maintenance, and security of the infrastructure of the LPL Financial network. No others shall make changes to the LPL Financial network.

Third-party organizations with connections to the LPL Financial network are granted the least access necessary to perform their valid business functions. This restricted access is accomplished by using, among other things, firewall access control statements that specify point-to-point addresses, protocols accepted, and ports used.

When connecting remotely, users shall be denied access to the LPL Financial network except through prearranged VPN access using the LPL Financial VPN system.

Log files of all traffic entering the LPL Financial network shall be available from firewalls, load-balancers, and routers for troubleshooting and monitoring.

4.12 Network and Internet Use

LPL Financial employees must adhere to and sign the LPL Financial Electronic Communications Policy prior to utilizing the LPL Financial network and accessing the internet.

4.13 Network Filtering and Monitoring

LPL Financial has the right and ability to monitor and filter the use of network and information systems by users of the LPL Financial private network.

LPL Financial uses monitoring and filtering technologies for reasons of compliance and troubleshooting.

Employees should not assume any electronic communications are private or confidential and should transmit their own sensitive information by using other means. The LPL Financial electronic communications systems are the property of LPL Financial. LPL Financial retains the right to monitor, access, review, copy, delete, and disclose electronic communications, even those marked private, without notice to or consent of the employee. All such information may be used and disclosed to others, in accordance with business needs, at the firm’s discretion.

LPL Financial uses software to monitor internet traffic and block sites that may pose a risk to the company. In addition to enhancing security and reducing our risk of legal liability, this software also allows BTS to log all web traffic to determine if additional sites not included on the list of blocked sites should be blocked going forward.

4.14 Remote Network Access

Standard:

Only LPL Financial approved methods of access may be used to access the company network from offsite. Approved methods include but are not limited to Citrix, VPN, and dedicated connections.

Multi-factor authentication is required for the end user to access the LPL network over the internet.

Remote access must be limited to the information, services, and computing resources that are required for the fulfillment of designated job functions.

Remote access accounts must be periodically recertified with the business owner.

Remote access is only permitted from LPL approved devices.

This standard does not cover business to business connections such as point to point circuits or connections limited by IP access controls and protected by encryption.

4.15 Remote Network Access By Third Parties

Third parties requiring remote access to the LPL Financial network may include:

• A temporary worker or contractor employed by LPL Financial or one of its affiliates;
• A consultant contracted to perform duties for LPL Financial or one of its affiliates;
• An outside vendor with a current and valid business relationship with LPL Financial.

Standard:

LPL Financial will limit third party access to the information, services, and computing resources that are required for the fulfillment of the third party job functions. Third parties must utilize LPL Financial approved methods of access.

4.16 Encryption of Data on Portable Media

The LPL Financial definition of portable media: portable media includes removable storage, flash drives, smart cards, USB drives, CDs, DVDs, and removable storage for cell phones and personal digital assistants (PDAs).

Standard:

PII stored on any portable media or portable computers and devices must be encrypted. Encrypted portable media devices must be obtained from the LPL Financial BTS Help Desk.

Encryption standards must meet the NIST-approved encryption algorithm, such as AES using a minimum 128-bit (256-bit preferred) length key.

4.17 Securing Laptops

The LPL Financial definition of laptops: traditional laptops, tablet PCs, and Ultra Mobile PCs (UMPC).

Standard:

All LPL Financial laptops must remain encrypted using an LPL Financial provided and approved whole-disk encryption product that has a minimum key length of 256-bit.

Employees must take reasonable measures to protect computers during travel. Such measures include, without limitation:

• Do not store laptops or other electronic equipment in checked baggage.
• Do not leave laptops in plain sight in vehicles. Do not leave laptops in your vehicle overnight or for an extended period of time. In the event that you need to leave your laptop in a vehicle for a short period of time, the laptop must be locked in the vehicle’s trunk.
• Do not leave laptops or other electronic equipment unattended in a public place.


4.18 Securing Smart Phones, Tablets, and PDAs

The LPL Financial definition of smart phones, tablets, and PDAs includes, but is not limited to: RIM BlackBerries, Apple iPhones and Android devices, Windows Mobile/CE devices, and tablets such as iPads and Kindles.

Standard:

To secure these devices and protect data at rest, smart phones and PDAs must be pre-configured with the following controls in place:

Devices must require a password to access the device.

Passwords must be four characters or greater in length.

Failure to provide a correct password to a mobile device after no more than 10 attempts must cause all data stored on the device to be permanently deleted.

Removable storage devices used for smart phones and PDAs must be encrypted using a minimum 128-bit (256-bit preferred) key.

Devices must lock their user interface after a period of time and require a password to regain access to the device. The lockout must occur after no more than 5 minutes for smart phones and no more than 15 minutes for tablets.

When a smart phone, tablet, or PDA is left unattended, the user must lock the device.

Encryption must be activated and configured.

Enable back-up data encryption when syncing to your computer.

Devices that do not have the capability to comply with the above controls may not be used to view, process, store, or transmit LPL Financial data, confidential or otherwise.

4.19 Unauthorized recording/video recording/photography not permitted in the workplace

Standard:

Employees, service partners, SOWs, and contingent workers at LPL may not record, video record, or photograph in the workplace other than as authorized; this applies to personal devices and includes, but is not limited to, the use of wearable devices. For more information please review the Policies and Procedures section of LPL@Work.

4.20 Bluetooth Connections

Standard:

Bluetooth and short-distance wireless devices are permitted provided they do not accept unsolicited incoming connections.

Device "pairing" must be initiated from a device in your control.

Disable any Bluetooth service when not in use.

4.21 Wireless Connectivity

Standard:

The use of unauthorized wireless access points or routers is prohibited while on LPL Financial property. This applies to personal hotspots offered on smart phones or MiFi devices.

Under no circumstances may an unapproved wireless access point (AP) or router be placed on a company network. Wireless ad-hoc connections are not permitted between wireless devices.

Corporate wireless access points are managed and deployed solely by BTS Network Engineering. Mobile cellular devices such as cellular modems, aircards, or Gobi for business use will be provisioned solely by BTS Telecom.

Corporate wireless access points and cellular modems must adhere to the corporate wireless security standards.


Any wireless system used to conduct LPL Financial-related business must adhere to the below procedures, at a minimum.

Wireless connectivity procedures:

1. When at the corporate office, only use LPL Financial approved connectivity. This includes BTS provided wired, WiFi, or cellular connectivity.

2. When traveling or working remotely, use a BTS provided cellular wireless connection (for example, Verizon aircard, or Gobi) in conjunction with the LPL Financial VPN.

3. If you are unable to use BTS provided internet connectivity, you must use the LPL Financial VPN and ensure that you are in compliance with security controls in this Policy.

The use of corporate webmail does not require prior connection to the LPL Financial VPN. Please refer to section 2.10 Use of Web E-Mail.

4.22 Security Testing

BTS is required to perform periodic penetration testing no less than once a year using an independent third party.

BTS will maintain procedures outlining the scope and methodology for the penetration test.

4.23 Change Management

Standard:

Any changes to production systems must follow the BTS change management process.

4.24 Access Controls

Standard:

Access controls must be in place for all applications, operating systems, databases, and networking devices to ensure that persons have only the minimal privileges they require.

4.25 Segregation of Environments

Standard:

Development, testing, and production computing environments will be separated to reduce the risk of unauthorized access or changes. The rules for the transfer of software from development to production status must be defined and followed. This activity must follow a documented change control process or SDLC methodology. Developers, QA personnel, operations personnel, and end users will be provided access to only those environments which are necessary to perform approved duties.

Only BTS-approved systems will be connected to production environments, and only after the systems have fulfilled acceptance criteria.

There will be both logical and physical separation of production, testing, and development environments. Access to these environments must be controlled.

4.26 Segregation of Duties

Standard:

Duties and areas of responsibility will be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of LPL Financial information assets. Care must be taken that no single person or persons acting in collusion can access, modify, or use assets without authorization or detection. No single employee authorized to approve an access request may be involved in the implementation of that access.


4.27 Hardware Build Process

Standard:

Employees are not permitted to alter any LPL Financial computer outside the BTS standardized build.

4.28 Public Computers

Standard:

Use of public computers (internet cafe, hotel business center, etc.) for LPL Financial business is not allowed, with the exception of Web Email.

5.0 Training

5.1 Staff Training

Standard:

Privacy and Security Training must be completed once every calendar year by every LPL Financial employee, SOW worker, service partner, and contingent worker.

Employees must sign an e-mail and internet use statement and agreement and acknowledgement of this Policy.

5.2 New-Hire Orientation

Standard:

Privacy and Security Training must be completed within 30 days of employment or engagement, as applicable, by every LPL Financial employee, SOW worker, service partner, and contingent worker.

New employees shall be informed of this training requirement during new hire orientation.

6.0 Compliance and Reporting

6.1 Compliance

Compliance with the HOSP will be overseen by the GRC Infrastructure Risk Management department.

6.2 Reporting

Any security incident or violations of the LPL Financial HOSP must be reported immediately to the Privacy Office of LPL Financial via the LPL Incident hotline at ext. 6911, option 2, or via email at [email protected].

6.3 Policy Violation

It is against the LPL Financial HOSP to disable, bypass, circumvent, or otherwise attempt to negate the security measures of LPL Financial.

Failure to comply with these LPL Financial guidelines and LPL Financial policies related to confidentiality of information may be subject to disciplinary action up to and including termination of employment or business relationship.

6.4 Policy Questions

Questions about this Policy should be directed to the GRC Infrastructure Risk department via the security mailbox: [email protected]