9.2 Personnel Controls. Empower completes appropriate pre-employment background checks and screening on its personnel, and requires personnel to complete initial security training at the time they are first employed with Empower and annually thereafter. All personnel attest annually to Empower's Code of Business Conduct and Ethics, which enforces the tenets of Empower's Information Security Policies and its privacy policies. Empower has disciplinary processes for violations of information security or privacy requirements, and promptly removes personnel access to Plan Data or Personal Data upon termination or applicable role change.

10. Physical and Environmental Safety.

10.1 Physical and Environmental Security Controls. Empower has appropriate physical and environmental controls to protect Empower's equipment, assets, and facilities used to provision services. Physical Security includes, without limitation (i) physical security in the protection of valuable information assets of the business enterprise; and (ii) the provision of protection techniques for the entire facility, from the outside perimeter to the inside office space, including the datacenters and wiring closets.

10.2 Ongoing Operations. Empower protects its facilities and systems containing Data from failures of power, networks, telecommunications, water supply, sewage, heating, ventilation, and air-conditioning.

11. Communications and Operations Management.

11.1 Controls. Empower has policies and procedures in place for communications and operations management controls. Such controls address: hardening, change control, segregation of duties, separation of development and production environments, network security, virus protection, patch management, media controls, data in transit, encryption, audit logs, and time synchronization.

11.2 Operations Security. Empower's Information Security Policies mandate ongoing Operations Security requirements, including but not limited to, installing or maintaining (i) security patches for operating systems and applications within standard timeframes based on severity; (ii) industry standard versions of operating systems, software and firmware for system applications and components; and (iii) up-to-date system security agent software which includes updated malware and virus definitions.

12. Access Control

12.1 Access Control. Empower utilizes access controls designed to ensure that only Empower personnel with the proper need and authority can access its internal recordkeeping system and associated data. Empower's access controls include but are not limited to: limiting access to personnel with a requirement to view Personal Data; establishing least-privilege controls to protect systems and Personal Data; generation of audit trails; periodic review and approval of personnel who need to access the Empower recordkeeping system; and termination of personnel access promptly following severance from employment.

12.2 Authentication. Empower authenticates user identity through appropriate authentication controls such as strong passwords, token devices, or biometrics. Passwords must meet minimum length and complexity requirements.

12.3 Remote Access to Empower Systems. Empower uses multi-factor authentication for remote access to its systems.

13. Information Systems Acquisition, Development and Maintenance.

City i y oUPlcl ' - 19 - 19 9/19/2023