Laserfiche WebLink
7. Data Security. Empower's Information Security Policies and related policies address the <br />management of information security, the security controls employed by the organization. These policies <br />include, without limitation: <br />7.1 An Information Security Board that is responsible for the development, implementation, <br />and ongoing maintenance of Empower's data security. <br />7.2 Documented policies ("Information Security Policies") that Empower formally approves, <br />internally publishes, communicates to appropriate personnel and reviews at least annually. Empower's <br />Information Security Policies shall (i) mandate the secure protection and handling of confidential data, (ii) <br />comply with applicable laws, (Ili) conform to or exceed applicable industry standards for the retirement plan <br />services industry, and (iv) documented, clear assignment of responsibility and authority for data security - <br />related activities. <br />7.3 Policies covering acceptable computer use, record retention/destruction, information <br />.classification, cryptographic controls, access control, network security, removable media, remote access, <br />mobile computing and wireless access. <br />7.4 Regular testing of the key controls, systems and procedures, including (i) testing of <br />information technology general controls (ITGC) at least annually or whenever there is a material change in <br />business practices, and (ii) infrastructure penetration tests and scans against internet-facing points of <br />presence. Empower will correct vulnerabilities or security issues discovered through such assessments in <br />a manner and time frame consistent with established standards. <br />7.5 Policies and procedures designed to protect the security of Plan Data and Personal Data <br />that is accessible to, or held by, Empower's third party suppliers. Such policies shall be based on Empower's <br />Information Security Policies, and shall address, as applicable: (1) the identification and risk assessment of <br />such supplier; (ii) minimum cybersecurity standards required to be met by such suppliers; (Ili) due diligence <br />processes used to evaluate the adequacy of cybersecurity practices of such suppliers; and (iv) periodic <br />assessment of such suppliers based on the risk they present and the continued adequacy of their <br />cybersecurity practices. <br />7.6 Use of appropriate administrative, technical and operational measures designed to ensure <br />Personal Data and Plan Data is secure. <br />7.7 Monitoring, evaluating and adjusting, as appropriate, its data security protocols <br />summarized herein, In light of relevant changes in Data Protection Laws, Services, technology or industry <br />security standards, the sensitivity of data collected orprocessed by Empower in the provision of its Services, <br />and evolving internal or external risks. Empower may make such updates to its data security protocols and <br />the terms hereof at any time without notice so long as such updates maintain a comparable or better level <br />of security. Individual measures may be replaced by new measures that serve the same purpose without <br />diminishing the security level protecting Personal Data or Plan Data. <br />8. Risk Management. Empower has a risk assessment program that includes regular risk <br />assessments and management for risk identification, analysis, monitoring and reporting. <br />9. Human Resources. <br />9.1 Acknowledgements. Empower shall provide training on its information security practices <br />to its personnel at least annually. Empower personnel shall acknowledge their information security and <br />privacy responsibilities under Empower's policies. <br />city IF, y otmci - 19 — 18 9/19/2023 <br />