Member FINRA/SIPC
Home Office Security Policy
and Implementation Standards
for LPL Financial LLC and Affiliates
November 15, 2016
Policy Approved by Patrick E. Cox, SVP, Infrastructure Risk Management and Chief Privacy Officer
LPL Financial Home Office Security Policy
2
Policy Objectives
The purpose of the LPL Financial Home Office Security Policy and Implementation Standards (referred to
collectively herein as the “HOSP” or the “Policy”) is to define the security requirements of LPL Financial and its
affiliates to safeguard the security and confidentiality of personally identifiable information (PII) from
unauthorized access, alteration, or destruction; to protect against anticipated threats or hazards to the security or
integrity of the information; to protect against unauthorized access to, or use of, information that could result in
substantial harm or inconvenience to a customer or LPL Financial or an affiliate; and to ensure the proper
disposal of the information. As used in this Policy, “affiliates” shall mean LPL Independent Advisor Services
Group, LLC, PTC Holdings Inc., Independent Advisers Group Corporation, The Private Trust Company N.A.,
Fortigent, LLC and LPL Insurance Associates, Inc.
Policy Scope
The Policy is designed to comply with Regulation S-P adopted by the Securities and Exchange Commission
(SEC), the federal Red Flag regulations under the Fair and Accurate Credit Transactions Act of 2003, and any
applicable state laws and regulations, as well as security best practices, and applies to all LPL Financial and
affiliate employees.
LPL Financial and its affiliates’ employees, contingent workers, SOW workers, and service partners are required
to adhere to the HOSP and to protect PII from unauthorized disclosure. Any request for exceptions must be
addressed to the Privacy Office of LPL Financial.
This Policy applies to all individuals and computers involved with conducting LPL Financial business. This
policy is also recommended for employees’ personal use in the protection of their personal information.
The Standards include:
1.0 Information Classification and Definition
2.0 Information Handling and Disclosure
3.0 Physical and Administrative Security and Business Continuity
4.0 Technology Security
5.0 Training
6.0 Compliance and Reporting
Policy Owner
The Privacy Office of LPL Financial has authority over all LPL Financial security policies and standards
outlined in the HOSP.
Policy
LPL Financial employees must safeguard the security and confidentiality of PII from unauthorized access,
alteration, or destruction; protect against anticipated threats or hazards to the security or integrity of the
information; protect against unauthorized access to or use of information that could result in substantial harm or
inconvenience to a customer, employee or LPL Financial or an affiliate; and ensure the proper disposal of the
information.
LPL Financial employees must not disclose any PII regarding a customer or employee to anyone who does not
have a need to know.
Any violation of this policy and its related standards, intentional or unintentional, must be reported immediately
to your department manager and to the Privacy Office via the LPL Incident Hotline at 6911, option 2.
This policy establishes a standard LPL Financial home office approach to safeguarding PII by:
• Requiring administrative, technical, and physical safeguards for the protection of PII.
• Mandating standards and procedures that define the required administrative, technical, and physical
safeguards for the protection of PII. The standards and procedures include the security safeguard
requirements for:
o Computer hardware and network systems used to conduct LPL Financial and affiliate business
o Laptops and portable data devices used to conduct LPL Financial and affiliate business
o Security and virus-protection software
o Remote access and e-mail communication
o Secure connection and communication to the LPL Financial or affiliate environment using
multiple-layer authentication, strong password rules, and access restrictions
o Encryption of data
o Proper disposal of information
o Physical office security requirements
• Reporting to the LPL Incident Hotline when actual or suspected unauthorized access to information
occurs.
• Training employees, service partners, contingent workers, and SOW workers about information security
program requirements.
Roles and Responsibilities
It is the responsibility of each employee to read and adhere to the HOSP and related communications.
It is against the HOSP to disable, bypass, circumvent, or otherwise attempt to negate the information security
measures of LPL Financial. By following these measures, we can help reduce the risk of security breaches
impacting the PII of our customers and employees.
Employees who do not comply with the HOSP may be subject to disciplinary action up to and including
termination. LPL Financial is an at-will employer. Nothing in this policy alters the at-will employment
relationship between LPL Financial or its affiliates and their employees.
Please address any questions and comments concerning the HOSP to the LPL Financial Privacy Office at
Amendments
LPL Financial Privacy Office may amend the LPL Financial HOSP at its discretion from time to time. You will
be advised of such amendments in writing and are required to abide by the HOSP (including the policy and
implementation standards), as amended, at all times.
Security Standards and Guidelines
Standard Description and Guidelines
1.0 Information Classification and Definition
1.1 Personally Identifiable Information (PII)
Standard:
PII is defined as all customer and employee information of a personal or financial nature that is protected
by legal and regulatory requirements, is highly sensitive, and/or could cause significant harm to customers,
employees or LPL Financial and its affiliates if mishandled. PII includes information covered by Title V of
the Gramm-Leach-Bliley Act, SEC Regulation S-P, HIPAA, and state privacy and information security laws.
Examples include: first name and last name or first initial and last name in combination
with any one or more of the following data elements that relate to a customer or
employee: (a) Social Security number; (b) driver’s license number or state-issued
identification card number; or (c) financial account number, or credit or debit card
number, with or without any required security code, access code, personal identification
number, or password, that would permit access to a client’s financial account. PII may
also include passport number; customer financial information, such as net worth and
annual income; and private health information such as demographic information, medical
history, test and laboratory results, insurance information and other data collected by
healthcare professionals to identify an individual and determine appropriate care.
1.2 Proprietary Corporate Information
Standard:
Proprietary corporate information is corporate information which is not PII but is considered sensitive by
LPL Financial because it relates to proprietary data or information critical to LPL Financial maintaining
its competitive advantage in the marketplace and is deemed critical to the success of its business by the
Company’s senior executive management or its board of directors.
Examples of proprietary corporate information may include, but are not limited to, rep
name and ID, compensation (including but not limited to salary, bonus, incentives) and
succession structures, advisor or customer lists, strategic plans, proprietary systems and
processes. This type of data should be protected in the same manner as PII.
1.3 Internal Information
Standard:
Internal information is defined as any information that is not PII, but its unauthorized
release or access could cause harm or embarrassment to LPL Financial, its employees, or
affiliates, or provide an advantage to competitors. Internal Information is deemed
sensitive and must be protected against unauthorized access or release.
Examples of internal information include internal documents, such as policies and
procedures, memos, inventories, training and system manuals. This type of data should be
protected in the same manner as PII.
1.4 Public Information
Standard:
Public information is information that would not negatively impact customers or LPL
Financial and/or its affiliates if distributed. This includes information that can be freely
disseminated as long as there is a valid business reason to do so and there would be no
impact if published to a website or other public area.
Examples of public information include job opportunity bulletins, marketing brochures,
and press releases.
2.0 Information Handling and Disclosure
2.1 Identification of PII
Standard:
You are required to identify the paper, electronic, and other records, computing systems,
and storage media, including laptops and portable devices that contain PII. If you are
unable to do so, you must treat all records and devices as if they contain PII.
2.2 Collection of PII
Standard:
Collection of PII must be limited to the amount that is reasonably necessary to accomplish
the legitimate purpose for which it is collected.
2.3 Record Retention & Storage
Standard:
Information must be stored and retained in accordance with state and federal regulations
and LPL Financial or affiliate policies for record retention and storage. All files, disks,
and other media and documents containing PII must be stored securely.
For more information please see the Record Retention Schedule on LPL@Work.
2.4 Cloud Storage
Standard:
Personal networking and storage services such as Dropbox, Carbonite, IDoc, etc. may not
be used to store, view, process or disseminate LPL Financial documents without being
properly vetted through the vendor management program.
2.5 Electronic PII Storage/Encryption
Standard:
Encryption must use a National Institute of Standards and Technology (NIST) approved encryption
algorithm, such as the Advanced Encryption Standard (AES), with a minimum 128-bit (256-bit preferred)
key length. Unlike file access restrictions, disk encryption protects information even when the operating
system is not running, so it can prevent unauthorized access when physical security has been compromised
or when the device has been lost or stolen. This encryption standard applies to all encryption including,
but not limited to, portable media, laptops, phones, wireless, email, and VPN. Encryption products must
be obtained through Business Technology Services (“BTS”) desktop support.
2.6 Disposal of Personally Identifiable Information, Proprietary Corporate Information and Internal
Information
Standard:
PII must be disposed of securely and in accordance with state and federal laws and regulations, and rules
of applicable self-regulatory organizations, when it is no longer needed. Destruction of any books and
records documents required to be retained in accordance with the Record Retention Schedule must be
pre-approved by LPL Financial Governance, Risk and Compliance (“GRC”). Safe disposal must be
accomplished by one of the following means:
• Shredding paper records (cross cut or confetti cut rather than strip cut) so that reassembly is
extremely unlikely
• Destruction of electronic media so the information cannot be read or reconstructed
• Contracting with a third party that is engaged in the business of record destruction to dispose of
the information
2.7 Information Sharing
Standard:
All information must only be used for valid business purposes with respect to securities,
insurance, investment advisory, or other financial service relationships.
LPL Financial and affiliate employees are required to sign a confidentiality agreement
which includes the nonuse/nondisclosure agreement and use of confidential company
information.
2.8 Access to and Viewing of Personally Identifiable Information, Proprietary Corporate Information and
Internal Information
Standard:
• Do not discuss PII with, or in the presence of, persons who have no legitimate business need to know
the information.
• Customer or employee PII must not be accessed out of curiosity, for personal use, or when a person
does not have a business relationship with the customer or employee that creates a legitimate business
need to know the information. These include, without limitation, information on paper documents in
the office and on computer screens, printers, copiers, and fax machines. Access must be limited to
authorized persons on a need-to-know basis.
• Staff must verify the authenticity of the person to whom they are disclosing PII before that
information is disclosed. Please see the Telephone Authentication Policy on LPL@Work for information
about authenticating over the telephone.
• Staff must not disclose in writing or orally any PII regarding a customer or employee to anyone other
than the customer, employee, staff, or LPL Financial or affiliate employees who have a legitimate
business need to know the information, or as contained in the LPL Financial policies and procedures.
• Staff must not disclose PII to a customer’s spouse, relatives, employer, or retained professionals
(e.g., lawyers, accountants, etc.) without the written permission of the customer.
• A customer’s account number must not be disclosed to non-affiliated third parties. If a customer
wants his or her account number given to a third party, the customer must provide such information
directly or provide written authorization to do so. PII received from a non-affiliated financial
institution may not be directly or indirectly disclosed to any non-affiliated third party unless that
disclosure would have been lawful if made directly by the non-affiliated financial institution.
2.9 E-Mailing Information
Standard:
Emails containing PII must be encrypted when traveling over the public internet. If you
have a valid business purpose to send PII via email outside of an LPL.com or an affiliate
approved email address, you must enter “[secure]” or “[encrypt]” (including brackets)
anywhere in the subject field of the message. All LPL Financial business must be
conducted using an approved LPL.com email address. Encrypted or password protected
attachments are prohibited as they interfere with the supervision process. The subject line
of an email cannot be encrypted and therefore may not contain PII.
2.10 Use of Web E-mail
Standard:
Use of corporate web-based e-mail, such as the LPL Financial Outlook Web Access
(OWA), or Webmail, is permitted.
The following procedures and guidelines must be followed when accessing webmail from
remote locations:
• Always use an https (SSL/TLS) connection.
• Never save passwords or use “auto form fill” features.
• Always clear cached browser content, files, or cookies before exiting the browser to remove potential
remnants of PII.
• Never save or open file attachments locally unless you are using a computer provided by LPL Financial.
3.0 Physical and Administrative Security
3.1 Access to Physical Locations
Standard:
Access to physical locations where PII is stored or used shall be restricted to authorized
persons with a legitimate business need.
3.2 Lock and Secure Offices
Standard:
Lock and secure all offices containing PII; keep keys and entry devices secure. Where
possible, prevent unauthorized individuals from accessing areas where sensitive
information is stored or readily accessible.
3.3 Secure and Control Access
Standard:
Secure and control access to dedicated computers, printers, copiers, and fax machines.
This includes locked doors, card-access readers, security systems, isolating the location
of equipment so that only appropriate staff has access to it, and procedurally segregating
staff responsibilities and access to equipment.
3.4 Access Badges
Standard:
Employees are required to wear and display their Corporate Security issued badge at all
times when on company property, and swipe their badge prior to entering the facility. If
you forget your badge, or if it is lost, stolen or damaged, Corporate Security can issue you
a temporary replacement. Never attempt to physically restrain or prevent an intruder from
entering the building. Unauthorized building access should be reported immediately to the
LPL Financial Incident Hotline at ext. 6911, option 1.
3.5 Visitor Policy
Standard:
Visitors must be escorted by an LPL Financial employee at all times while on company
property and must be signed in prior to accessing the facility. A visitor’s badge must be
worn at all times and returned to LPL Financial Corporate Security at the conclusion of
their visit.
3.6 Protect Computer Equipment and Facilities
Standard:
Safeguards are implemented to protect computer equipment and facilities against fire,
flood and other environmental hazards. Such protections include fire alarms, raising
computer equipment off the floor if there is a reasonable possibility of flood, and
installing air conditioners to keep computer equipment cool. Security includes ensuring
the availability of information, including protection from damage or destruction.
3.7 “Clean Desk Policy”
Standard:
Employees should maintain a “clean desk,” free of exposed PII, when leaving their
workspace unattended. Do not leave completed applications and related information
where others can read or copy such material.
3.8 Establish Procedures for the Secure Handling of Mail and Mail Forwarding
Standard:
If you ship sensitive information using the U.S. Postal Service (USPS) or outside carriers
or contractors, keep an inventory that can be referenced in the unfortunate event your
material(s) get lost or stolen. Should this occur, contact the LPL Financial Security
Incident Hotline at ext. 6911, option 2 or email [email protected] and report
exactly what information was lost. The Privacy Office will help determine the appropriate
remediation procedure.
Electronic media containing PII sent via the USPS or courier must follow the encryption
guidelines in section 2.5. Unnecessary PII on hard copy documents must be “blacked
out” or masked, if possible.
3.9 Employee Background Checks
Standard:
A background check will be conducted on each new employee once an offer of
employment has been extended. Written consent to conduct the background check will be
a condition of employment. Additionally, LPL Financial performs background checks on
employees who are promoted to positions of assistant vice president or above or are
transferred into a “key” business unit within the firm during their employment with LPL
Financial. These background checks may include the applicant’s/employee’s
employment history, education and academic degrees, credit history, conviction history,
and driving record (to the extent the position at issue requires driving). Continued
employment/promotion is conditioned upon an acceptable outcome of the background
check.
3.10 Terminated Personnel
Standard:
An employee’s, service partner’s, SOW worker’s or contingent worker’s physical and electronic access to
all LPL Financial premises and systems must be revoked promptly upon termination. This includes, without
limitation, access to passwords, usernames, e-mail, internet access, and voicemail. Terminated employees,
contingent workers, service partners, and SOW workers are required to immediately surrender all keys,
IDs, badges, business cards, computer equipment, PDAs and other items which permit access to the LPL
Financial physical premises and electronic systems.
4.0 Technology Security
4.1 Use of Computer Equipment for Business Purposes
Standard:
All LPL Financial employees, service partners, SOWs and contingent workers must use
LPL Financial-provided technological equipment (including, without limitation, desktop
and laptop computers, tablets, smart phones, and related accessories) to conduct LPL
Financial business.
All technological equipment must be purchased through the LPL Financial Help Desk.
The use of non-LPL Financial-issued technological equipment to view, process, store, or
transmit LPL Financial data is prohibited.
Employees may access LPL Financial-provided web-based e-mail through non-LPL Financial technological
equipment; see Section 2.10, “Use of Web E-mail.”
4.2 Password Security
• Passwords must be kept confidential and may not be shared, with the following exceptions:
o When resetting or during initial assignment, passwords may be communicated through the internal
email system or by phone and must be changed upon first use by the account assignee.
• Password manager software may be used so long as the software requires a master password and
encrypts the passwords in storage.
• Temporary passwords must be changed immediately upon receipt.
• Storing or caching passwords in your internet browser is prohibited.
• Passwords must be changed whenever there is an indication of possible system or password compromise.
• Passwords that provide access to applications containing PII, Proprietary Corporate Information or
Internal Information must be changed at least once every 90 calendar days.
o Users must not reuse the same password within 365 days from the date of last change.
o Passwords must meet the LPL Financial standards for password strength.
LPL Financial Baseline Standards for Password Strength:
• At least 8 characters in length
• Must contain characters from 3 of the following elements:
o Numbers
o Upper case letters
o Lower case letters
o Special characters (characters not classified as numbers or letters, such as “~!@#$%^&*”)
• One Time Password (OTP) devices must use passwords at least five characters in length that do not
change in a predictable way.
• The eight-character password requirement applies to desktops, laptops, and third-party applications,
while a four-character password is sufficient for accessing voicemail.
• If third-party applications cannot meet the LPL Financial standards for passwords, the password
configuration must be as strong as the application allows.
• LPL Financial will never ask you to reveal your password.
4.3 Software Security
Standard:
Any software or files downloaded from the internet onto the LPL Financial network
becomes the property of LPL Financial. Any such files or software may be used only in
ways that are consistent with their licenses or copyrights.
Files or software may be downloaded only upon explicit authorization from the BTS
desktop support department with prior approval from your immediate supervisor.
All software shall have a current and valid license or other such authorization for use,
including documented “open source” licenses.
Software will be evaluated by BTS for the ability to provide adequate security safeguards
against unauthorized use or modification of data. Software will be periodically patched or
updated.
4.4 Server Administration
Standard:
Server administrator accounts are used to manage a server or application. Unlike a regular
user account access, an administrator account has elevated access privileges on the server
or application.
Server administrators must meet the following additional password requirements:
• The password must be unique from all other passwords held by an administrator’s personal accounts.
• Administrator accounts must automatically lock out after 5 unsuccessful logins. If account lockouts
are not feasible, the account must have a minimum password length of 16 characters.
• Server administrator accounts must be approved by BTS Production Services senior leadership.
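A checker for the baseline password rules in 4.2 and the server-administrator additions in 4.4, written here as an added example rather than LPL Financial's own tooling; the AccountRecord model, the sample accounts and the SHA-256 fingerprinting of password history are constructed for illustration.

```python
"""Compliance checker for the HOSP password rules (sections 4.2 and 4.4).

Added example, not LPL Financial's own code. The AccountRecord model, the
sample accounts and the SHA-256 fingerprinting of password history are
constructed for illustration; a real system compares salted password hashes.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date


def fingerprint(pw: str) -> str:
    """Digest used to compare against history without keeping old plaintext around."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


@dataclass
class AccountRecord:
    """Constructed per-account state consumed by the checker."""
    current: str                       # current password (plaintext only for the demo)
    changed_on: date                   # date the current password was set
    history: list = field(default_factory=list)  # [(date_set, fingerprint), ...]
    is_admin: bool = False             # 4.4 server-administrator account
    lockout_enabled: bool = True       # 4.4: lockout after 5 failed logins available?
    personal_fingerprints: list = field(default_factory=list)  # admin's personal passwords


def character_classes(pw: str) -> int:
    """Count the classes present out of: numbers, upper case, lower case, special.
    The standard treats any character that is not a letter or digit as special."""
    return sum([
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_baseline_strength(pw: str) -> bool:
    """4.2 baseline: at least 8 characters drawn from 3 of the 4 character classes."""
    return len(pw) >= 8 and character_classes(pw) >= 3


def check_account(rec: AccountRecord, today: date) -> list:
    """Return the list of rule violations; an empty list means compliant."""
    findings = []
    if not meets_baseline_strength(rec.current):
        findings.append("4.2: fewer than 8 characters or fewer than 3 character classes")
    # 4.2: passwords guarding PII / proprietary / internal data rotate every 90 days
    if (today - rec.changed_on).days > 90:
        findings.append("4.2: password older than 90 calendar days")
    # 4.2: no reuse of a password within 365 days of the last change
    fp = fingerprint(rec.current)
    if any(old == fp and (rec.changed_on - when).days < 365 for when, old in rec.history):
        findings.append("4.2: password reused within 365 days of last change")
    if rec.is_admin:
        # 4.4: admin password must differ from all of the admin's personal passwords
        if fp in rec.personal_fingerprints:
            findings.append("4.4: admin password matches one of the admin's personal passwords")
        # 4.4: lockout after 5 failed logins, or else a 16-character minimum
        if not rec.lockout_enabled and len(rec.current) < 16:
            findings.append("4.4: no lockout available, so minimum length is 16")
    return findings


def demo_findings() -> dict:
    """Run the checker over constructed sample accounts as of the policy date."""
    today = date(2016, 11, 15)
    strong = "Tr0ub4dor!x"  # constructed sample; 11 chars, all four classes
    samples = {
        "compliant": AccountRecord(strong, date(2016, 10, 1)),
        "weak": AccountRecord("password", date(2016, 10, 1)),
        "stale": AccountRecord(strong, date(2016, 7, 1)),
        "reused": AccountRecord(strong, date(2016, 10, 1),
                                history=[(date(2016, 6, 1), fingerprint(strong))]),
        "admin_no_lockout": AccountRecord("Abcdef1!", date(2016, 10, 1),
                                          is_admin=True, lockout_enabled=False),
        "admin_shared": AccountRecord(strong, date(2016, 10, 1), is_admin=True,
                                      personal_fingerprints=[fingerprint(strong)]),
    }
    return {name: check_account(rec, today) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, findings in demo_findings().items():
        print(f"{name}: {findings or 'compliant'}")
```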
4.5 Standards for Client Security Software
Standard:
All company-issued computers must be protected by:
• Firewall
• Anti-virus software
• Anti-malware
• Automatic software updates
BTS is responsible for installing and maintaining each in accordance with its internal
guidelines.
4.6 Computer Virus
The BTS helpdesk (ext. 6565) must be notified of any potential malware infections.
Any device confirmed to be infected with a virus or other form of malicious software
must be removed from the network until the infection is contained and remediated.
All infected devices must have critical data backed up by BTS support personnel, and be
completely erased and rebuilt before being re-connected to the corporate network.
4.7 Computer Screen Lock
Standard:
When leaving a workstation unattended, the user must lock the screen (e.g., press
Ctrl+Alt+Delete, then computer lock, or [Windows Key]+L).
User interface shall automatically lock after 15 minutes of inactivity and require a
password to regain access to the device.
4.8 Account Lockout
Standard:
Account lockout shall occur after no more than 5 unsuccessful attempts are made.
4.9 File Sharing (peer to peer)
Standard:
Peer-to-peer file sharing is not allowed. Installing such an application and inadvertently
enabling an LPL Financial network drive to be shared can make it accessible to
unauthorized users. Applications, including but not limited to, BitTorrent, Morpheus and
Napster, are prohibited.
4.10 Instant Messaging
Standard:
Lync is the only instant messaging technology that is approved for use by LPL Financial.
Examples of instant messaging applications that are not approved include: Facebook chat,
AOL/AIM, Google, Yahoo, Meebo and Myspace.
4.11 Network Security
Business Technology Services is responsible for the design, configuration, maintenance,
and security of the infrastructure of the LPL Financial network. No others shall make
changes to the LPL Financial network.
Third-party organizations with connections to the LPL Financial network are granted the
least access necessary to perform their valid business functions. This restricted access is
accomplished by using, among other things, firewall access control statements that
specify point-to-point addresses, protocols accepted, and ports used.
When connecting remotely, users shall be denied access to the LPL Financial network
except through prearranged VPN access using the LPL Financial VPN system.
Log files of all traffic entering the LPL Financial network shall be available from
firewalls, load-balancers, and routers for troubleshooting and monitoring.
4.12 Network and Internet Use
LPL Financial employees must adhere to and sign the LPL Financial Electronic
Communications Policy prior to utilizing the LPL Financial network and accessing the
internet.
4.13 Network Filtering and Monitoring
LPL Financial has the right and ability to monitor and filter the use of network and
information systems by users of the LPL Financial private network.
LPL Financial uses monitoring and filtering technologies for reasons of compliance and
troubleshooting.
Employees should not assume any electronic communications are private or confidential
and should transmit their own sensitive information by using other means. The LPL
Financial electronic communications systems are the property of LPL Financial. LPL
Financial retains the right to monitor, access, review, copy, delete, and disclose electronic
communications, even those marked private, without notice to or consent of the employee.
All such information may be used and disclosed to others, in accordance with business
needs, at the firm’s discretion.
LPL Financial uses software to monitor internet traffic and block sites that may pose a
risk to the company. In addition to enhancing security and reducing our risk of legal
liability, this software also allows BTS to log all web traffic to determine if additional
sites not included on the list of blocked sites should be blocked going forward.
4.14 Remote Network Access
Standard:
Only LPL Financial approved methods of access may be used to access the company
network from offsite. Approved methods include but are not limited to Citrix, VPN, and
dedicated connections.
Multi-factor authentication is required for the end user to access the LPL network over the
internet.
Remote access must be limited to the information, services, and computing resources that
are required for the fulfillment of designated job functions.
Remote access accounts must be periodically recertified with the business owner.
Remote access is only permitted from LPL approved devices.
This standard does not cover business to business connections such as point to point
circuits or connections limited by IP access controls and protected by encryption.
4.15 Remote Network Access By Third Parties
Third parties requiring remote access to the LPL Financial network may include:
• A temporary worker or contractor employed by LPL Financial or one of its affiliates;
• A consultant contracted to perform duties for LPL Financial or one of its affiliates;
• An outside vendor with a current and valid business relationship with LPL Financial.
Standard:
LPL Financial will limit third party access to the information, services, and computing
resources that are required for the fulfillment of the third party job functions. Third parties
must utilize LPL Financial approved methods of access.
4.16 Encryption of Data on Portable Media
The LPL Financial definition of portable media:
Portable media includes removable storage, flash drives, Smart cards, USB drives, CDs,
DVDs, and removable storage for cell phones and personal digital assistants (PDAs).
Standard:
PII stored on any portable media or portable computers and devices must be encrypted.
Encrypted portable media devices must be obtained from the LPL Financial BTS Help
Desk.
Encryption standards must meet the NIST-approved encryption algorithm, such as AES
using a minimum 128-bit (256-bit preferred) length key.
4.17 Securing Laptop
The LPL Financial definition of laptops: traditional laptops, tablet PCs, and Ultra Mobile
PCs (UMPC).
Standard:
All LPL Financial laptops must remain encrypted using an LPL Financial provided and
approved whole-disk encryption product that has a minimum key length of 256-bit.
Employees must take reasonable measures to protect computers during travel. Such measures include,
without limitation:
• Do not store laptops or other electronic equipment in checked baggage.
• Do not leave laptops in plain sight in vehicles. Do not leave laptops in your vehicle overnight or for
an extended period of time. In the event that you need to leave your laptop in a vehicle for a short
period of time, the laptop must be locked in the vehicle’s trunk.
• Do not leave laptops or other electronic equipment unattended in a public place.
4.18 Securing Smart Phones, Tablets, and PDAs
LPL Financial definition of smart phones, tablets, and PDAs, includes but is not limited
to: RIM Blackberries, Apple iPhones and android devices, Windows Mobile/CE and
tablets such as iPads and Kindles.
Standard:
To secure these devices and protect data at rest, smart phones and PDA’s must be pre-
configured with the following controls in place:
Devices must require a password to access the device.
Passwords must be four characters or greater in length.
Failure to provide a correct password to a mobile device after no more than 10
attempts must cause all data stored on the device to be permanently deleted.
Removable storage devices used for smart phones and PDAs must be encrypted
using a minimum 128-bit (256-bit preferred) length key
Devices must lockout their user interface after a period of time and require a
password to regain access to the device. The lockout must occur after no more than 5
minutes for smart phones and no more than 15 minutes for tablets.
When a smart phone, tablet or PDA is left unattended, the user must lock the device.
Encryption must be activated and configured.
Enable back-up data encryption when syncing to your computer.
Devices that do not have the capability to comply with the above controls may not be used
to view, process, store or transmit LPL Financial data, confidential or otherwise.
4.19 Unauthorized recording/video recording/photography not permitted in the workplace
Standard:
Employees, service partners, SOWs and contingent workers at LPL may not record, video
record, nor photograph in the workplace other than as authorized; this applies to personal
devices, and includes but is not limited to the use of wearable devices. For more
information please review the Policies and Procedures section of LPL@Work.
4.20 Bluetooth Connections
Standard:
Bluetooth and short-distance wireless devices are permitted provided they do not accept
unsolicited incoming connections.
Device “pairing” must be initiated from a device in your control.
Disable any Bluetooth service when not in use.
4.21 Wireless Connectivity
Standard:
The use of unauthorized wireless access points or routers is prohibited while on LPL
Financial property. This applies to personal hotspots offered on smart phones or MiFi
devices.
Under no circumstances may an unapproved wireless access point (AP) or router be
placed on a company network. Wireless ad-hoc connections are not permitted between
wireless devices.
Corporate wireless access points are managed and deployed solely by BTS Network
Engineering. Mobile cellular devices such as cellular modems, aircards, or Gobi for
business use will be provisioned solely by BTS Telecom.
Corporate wireless access points and cellular modems must adhere to the corporate
wireless security standards.
Any wireless system used to conduct LPL Financial-related business must adhere to the
below procedures, at a minimum.
Wireless connectivity procedures:
1. When at the corporate office, only use LPL Financial approved connectivity. This
includes BTS provided wired, WiFi, or cellular connectivity.
2. When traveling or working remotely, use a BTS provided cellular wireless
connection (for example, Verizon aircard, or Gobi) in conjunction with the LPL
Financial VPN.
3. If you are unable to use BTS provided internet connectivity, you must use the LPL
Financial VPN and ensure that you are in compliance with security controls in this
Policy.
The use of corporate webmail does not require prior connection to the LPL Financial
VPN. Please refer to section 2.10 Use of Web E-Mail.
4.22 Security Testing
BTS is required to perform periodic penetration testing no less than once a year using an
independent third party.
BTS will maintain procedures outlining the scope and methodology for the penetration
test.
4.23 Change Management
Standard:
Any changes to production systems must follow the BTS change management process.
4.24 Access Controls
Standard:
Access controls must be in place for all applications, operating systems, databases, and
networking devices to ensure that persons have only the minimal privileges they require.
4.25 Segregation of Environments
Standard:
Development, testing, and production computing environments will be separated to
reduce the risk of unauthorized access or changes. The rules for the transfer of software
from development to production status must be defined and followed. This activity must
follow a documented change control process or SDLC methodology. Developers, QA
personnel, operations personnel, and end users will be provided access to only those
environments which are necessary to perform approved duties.
Only BTS-approved systems will be connected to production environments, and only after
the systems have fulfilled acceptance criteria.
There will be both logical and physical separation of production, testing, and development
environments. Access to these environments must be controlled.
4.26 Segregation of Duties
Standard:
Duties and areas of responsibility will be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of LPL Financial information assets.
Care must be taken that no single person or persons acting in collusion can access,
modify, or use assets without authorization or detection. No single employee authorized to
approve an access request may be involved in the implementation of that access.
4.27 Hardware Build Process
Standard:
Employees are not permitted to alter any LPL Financial computer outside the BTS
standardized build.
4.28 Public Computers
Standard:
Use of public computers (internet cafe, hotel business center, etc.) for LPL Financial
business is not allowed with the exception of Web Email.
5.0 Training
5.1 Staff Training
Standard:
Privacy and Security Training must be completed once every calendar year by every LPL
Financial employee, SOW worker, service partner, and contingent worker.
Employees must sign an e-mail and internet use statement and agreement and
acknowledgement of this Policy.
5.2 New-Hire Orientation
Standard:
Privacy and Security Training must be completed within 30 days of employment or
engagement, as applicable, by every LPL Financial employee, SOW worker, service
partner, and contingent worker.
New employees shall be informed of this training requirement during new hire
orientation.
6.0 Compliance and Reporting
6.1 Compliance
Compliance with the HOSP will be overseen by the GRC Infrastructure Risk Management
department.
6.2 Reporting
Any security incident or violation of the LPL Financial HOSP must be reported
immediately to the Privacy Office of LPL Financial via the LPL Incident hotline at ext.
6911, option 2, or via email at [email protected].
6.3 Policy Violation
It is against the LPL Financial HOSP to disable, bypass, circumvent, or otherwise attempt
to negate the security measures of LPL Financial.
Failure to comply with these LPL Financial guidelines and LPL Financial policies related
to confidentiality of information may result in disciplinary action up to and including
termination of employment or business relationship.
6.4 Policy Questions
Questions about this Policy should be directed to the GRC Infrastructure Risk department
via the security mailbox: [email protected]