Data Security Policy (DSP) of UniGroup, C.A.

Introduction

The Data Security Policy (DSP) provides definitive information on the prescribed measures used to establish and enforce the Information Security Program at UniGroup, C.A. (UniGroup).

UniGroup is committed to protecting its customers, members, employees, companies, and partners from damaging acts, whether intentional or unintentional. Security is a collaboration requiring the participation and support of everyone who interacts with data and information systems. Therefore, it is the responsibility of every user to know these policies and to conduct their activities in accordance with these policies.

Protecting UniGroup, member, client, and partner information and the systems that collect, process, and store this information is critical. The security of data and information systems must include controls and safeguards to offset threats and reduce exposure to risk as well as ensure the confidentiality, integrity, and availability of data. Security measures must be taken to guard against unauthorized access, alteration, disclosure, or destruction of data and information systems; this includes accidental loss or destruction.

Purpose

The purpose of the DSP is to prescribe a comprehensive framework for:
  • Protecting the confidentiality, integrity, and availability of UniGroup data and information systems.
  • Protecting UniGroup, its employees, members, and clients from illicit use of UniGroup information systems and data.
  • Ensuring the effectiveness of security controls over data and information systems that support UniGroup’s business operations.
  • Recognizing the highly networked nature of the current computing environment and providing effective enterprise-wide management and oversight of related information security risks.
  • Providing for the development, review, and maintenance of minimum-security controls required to protect UniGroup’s data, information systems, and business operations.
  • Implementing consistent security controls across all systems processing UniGroup data, including member locations and third-party supply chain partners, to help UniGroup comply with current and future legal obligations and ensure long-term due diligence in protecting the confidentiality, integrity, and availability of UniGroup data.
Scope and Applicability

These policies, standards, and procedures apply to all UniGroup data, information systems, activities, and assets owned, leased, controlled, or used by UniGroup, its members, contractors, or other business partners on behalf of UniGroup. These policies, standards, and procedures apply to all UniGroup employees, contractors, sub-contractors, and their respective facilities supporting UniGroup business operations, wherever UniGroup data is stored or processed, including any third party contracted by UniGroup to handle, process, transmit, store, or dispose of UniGroup data.

All personnel supporting or processing UniGroup business functions shall comply with this DSP. UniGroup business units, partners, or members may create and use a more restrictive policy, but not one that is less restrictive, less comprehensive, or less compliant than this policy. This policy does not supersede any other applicable law, existing labor management agreement, or government regulation in effect as of the effective date of this policy.

Violations

Personnel supporting or processing UniGroup business who are found to have violated this DSP will be subject to disciplinary action, up to and including termination of employment and/or termination of association with UniGroup. Violators of local, state, federal, and/or international law will be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.

1.0 Information Security Program

UniGroup will maintain a privacy and information security program to ensure a level of security appropriate to the risk, nature, and scope of its activities, which protects against reasonably foreseeable forms of compromise. Such program will include reasonable and appropriate administrative, technical, and physical measures, including a comprehensive set of policies, systems, and services based on best practices to ensure:
  1. The ongoing confidentiality, integrity, and availability of its data;
  2. The resiliency of systems or services handling its data and the ability to restore such systems in a timely manner;
  3. Regular testing, assessment, and evaluation of the effectiveness of such measures; and
  4. Incorporation of any other policies and measures as needed to comply with applicable legal obligations.
Dedicated security, privacy, information governance, and compliance professionals will maintain the program, with oversight provided by senior management. An independent, annual risk assessment reviews risks regularly and tracks risks using a process compliant with ISO 27005.

1.1 Management Commitment to Information Security

UniGroup management is committed to the protection of information assets. Management demonstrates its commitment to information security through its adherence to the following fundamental principles:
  • Treating information as a critical business asset.
  • Incorporating high standards of corporate governance to all data elements stored, processed, and transmitted.
  • Demonstrating to customers and business partners that the enterprise handles information security in a professional manner.
  • Ensuring that the enterprise has a set of security policies that implement controls over information and systems that address confidentiality, integrity, and availability.
Management further demonstrates its commitment to information security by engaging in the following actions:
  • Assigning overall responsibility for information security to a member of senior management.
  • Allocating dedicated organizational resources to information security.
  • Providing a review of information security risk to the board of directors at least annually.
  • Conducting an external review (third party) of the Information Security (IS) policies to ensure they are meeting or exceeding industry best practices.

1.2 Organization of Information Security

The authority and responsibility for managing the information security program are delegated to UniGroup’s Information Security Officer (ISO), who has the responsibility for:
  • Establishing, documenting, and distributing information security policies, procedures, and guidelines.
  • Defining, implementing, and supporting a set of security services that provide a range of security capabilities.
  • Providing expert advice on all aspects of information security.
  • Overseeing the investigation of information security incidents.
  • Escalating security alerts to appropriate personnel.
  • Contributing to information security awareness programs and developing security skills for staff.
  • Evaluating the security risks and implications of business initiatives and procurement of services.
  • Working cooperatively with internal and external auditors in the auditing of security practices.
  • Partnering with internal groups that have related responsibilities (e.g., Law, Treasury/Audit, Human Resources).
  • Monitoring and analyzing security alerts and information.
  • Reviewing standards for applicability.
  • Revising standards to address organizational changes.

1.3 Information Security General Awareness and Training

Specific activities are undertaken to promote security awareness to all associates who have access to information and systems supporting UniGroup business. These activities are:
  • Endorsed and promoted by management.
  • Delivered as part of associate new-hire orientations and as part of ongoing associate training, occurring at a minimum annually.
  • Aimed at providing associates with specific expectations of their role in securing, protecting, and handling information.
  • Aimed at reducing the frequency and magnitude of information security incidents.

Role-based security-related training will occur before authorizing access to data or systems required for assigned job duties.

1.4 Identification of Information Security Controls

UniGroup uses the following sources for the identification of security requirements:
  • Risk assessments
  • Internal and external penetration tests
  • Internal and external vulnerability assessments
  • Statutory, regulatory, and contractual requirements that UniGroup must satisfy
  • Principles, objectives, and business requirements for information handling developed to support its operations

1.5 Assessments

The results of risk assessments, vulnerability assessments, and penetration tests assist in identifying threats to assets, vulnerabilities, their likelihood of occurrence, and potential estimated business impact. This helps in determining appropriate management action, priorities for managing risks, and implementation of controls selected to protect against these risks. The following represents UniGroup’s approach to information security risk assessment:
  • The scope of assessments can be the whole organization, parts of the organization, a specific information system, or a specific component of an information system.
  • Assessments will have a clearly defined scope and will include relationships with risk assessments from other areas as appropriate (e.g., Law, Human Resources, Finance).
  • Assessments may be performed internally, by a third party, or a combination of both.
  • Expenditure on controls to address risk will be balanced against the business harm likely to result from security failures.
  • Before considering the control of a risk, criteria will be established for determining whether the risk can be accepted. Such decisions should be recorded.
  • Assessments shall be conducted, at a minimum, annually.

1.6 Data Classification and Handling

Determining how to protect and handle data and information depends on the type of information, its importance, and its usage. Classification is necessary to understand which security practices and controls should be applied to the data. All data is classified as Public, Proprietary, Restricted, or Highly Restricted as defined in Appendix 1. Data should be handled according to its classification.

Special handling procedures may be required for Restricted or Highly Restricted data; specific customer data may have additional handling instructions that UniGroup has contractually agreed to. Users should ensure they understand the proper handling procedures prior to processing data.

1.7 Legal, Regulatory, and Contractual Compliance

UniGroup will ensure compliance with relevant statutory, regulatory, and contractual requirements affecting information security. The information security organization will collaborate with other UniGroup entities, including Legal, Risk Management, Human Resources, and Contracts, to evaluate the applicability of information security controls to new and existing legislation or regulatory requirements.

1.8 Audits and Reviews of Information Security Controls

Information security controls are periodically monitored, reviewed, and improved to ensure that UniGroup’s specific security and business objectives are met. Information security conditions and policies are subject to annual internal and independent audits or reviews. Security audits or reviews are:
  • Performed by individuals with sufficient technical skills and knowledge of information security disciplines.
  • Focused on ensuring that information security controls function as intended and effectively reduce risk to an acceptable level.
  • Provided to management for review and remediation of risks, or modification of controls.

2.0 Access Control

Access controls are designed to reduce the risk of unauthorized access to UniGroup data and to protect the confidentiality, integrity, and availability of UniGroup systems. All assigned access shall be reviewed and audited for accuracy to ensure employees only have access to the data required for their assigned operational duties. Audits shall occur at least annually; access to Restricted or Highly Restricted data shall be audited quarterly.

2.1 User Access Management

The security administration team is responsible for ensuring proper user identification and authentication management through a formal, documented provisioning and de-provisioning procedure as follows:
  • Centralized control regarding addition, deletion, and modification of user accounts and credentials.
  • Verifying user identity and receiving appropriate management approval before creating or modifying accounts.
  • Immediately revoking access for any terminated user.
  • Disabling or removing inactive accounts at least every 90 days.
  • Limiting repeated access attempts by locking out an account after no more than six failed attempts.
  • Requiring an administrator to unlock any disabled account.
  • Tracking and monitoring role assignments for privileged user accounts.
  • Enabling vendor accounts for remote access only during the time period they are needed.
  • Ensuring assigned access provides adequate separation of duties for all employees.
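As an added illustration (not part of the DSP text or any UniGroup tooling), the following Python script encodes the review rules of sections 2.0 and 2.1 as automated checks over an account inventory: terminated users still enabled, vendor accounts enabled outside their approved window, accounts idle beyond 90 days, access reviews overdue (annually, or quarterly for Restricted and Highly Restricted data), and a lockout threshold above six attempts. The `Account` structure and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Limits taken from DSP sections 2.0 and 2.1.
MAX_INACTIVE_DAYS = 90      # disable or remove inactive accounts at least every 90 days
MAX_FAILED_ATTEMPTS = 6     # lock out after no more than six failed attempts
# Access audits: at least annually; quarterly for Restricted / Highly Restricted data.
REVIEW_DAYS = {"Public": 365, "Proprietary": 365, "Restricted": 90, "Highly Restricted": 90}


@dataclass
class Account:                       # constructed record shape, not a UniGroup schema
    user_id: str
    data_class: str                  # highest classification the account can reach
    last_login: Optional[date]       # None means the account has never been used
    last_access_review: date
    enabled: bool = True
    terminated: bool = False
    vendor_window: Optional[tuple] = None   # (start, end) for a vendor remote-access account


def review_account(acct: Account, today: date) -> list:
    """Return the DSP findings for one account; an empty list means compliant."""
    findings = []
    if acct.terminated and acct.enabled:
        findings.append("terminated user still enabled; revoke access immediately")
    if acct.vendor_window is not None:
        start, end = acct.vendor_window
        if acct.enabled and not (start <= today <= end):
            findings.append("vendor account enabled outside its approved access window")
    elif acct.enabled and not acct.terminated:
        idle = (today - acct.last_login).days if acct.last_login else None
        if idle is None or idle > MAX_INACTIVE_DAYS:
            shown = "never used" if idle is None else f"inactive for {idle} days"
            findings.append(f"{shown}; disable or remove (limit {MAX_INACTIVE_DAYS} days)")
    interval = REVIEW_DAYS[acct.data_class]
    if (today - acct.last_access_review).days > interval:
        findings.append(f"access review overdue (every {interval} days for {acct.data_class} data)")
    return findings


def review_accounts(accounts, today: date) -> dict:
    """Map each user_id to its list of findings."""
    return {a.user_id: review_account(a, today) for a in accounts}


def lockout_policy_compliant(threshold: int, admin_unlock_required: bool) -> bool:
    """Section 2.1: lock after no more than six failures and require an admin to unlock."""
    return 1 <= threshold <= MAX_FAILED_ATTEMPTS and admin_unlock_required


# Constructed sample inventory for a review run dated 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "Proprietary", date(2024, 6, 20), date(2024, 1, 15)),
    Account("bob", "Highly Restricted", date(2024, 6, 25), date(2024, 2, 1)),
    Account("carol", "Restricted", date(2024, 2, 1), date(2024, 5, 1)),
    Account("dave", "Proprietary", date(2024, 6, 1), date(2024, 6, 1), terminated=True),
    Account("vendor-acme", "Proprietary", date(2024, 6, 10), date(2024, 6, 1),
            vendor_window=(date(2024, 6, 1), date(2024, 6, 15))),
]

if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, "OK" if not issues else "; ".join(issues))
    print("lockout policy compliant:", lockout_policy_compliant(6, True))
```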

2.2 Least Privilege

The principle of “least privilege” access states that only the minimum level of access will be granted to perform assigned operational duties. Access shall not be granted without an approved business requirement and management approval. Additional approval from the data owner may be required for access to Restricted or Highly Restricted data.

2.3 Identification and Authorization

Each individual user is provided a unique user identity for identification, authorization, and authentication to systems processing UniGroup data or supporting UniGroup business functions. This unique identity and associated credentials are considered Highly Restricted information and should only be used by the individual to whom it is assigned. Sharing unique user identities or passwords is strictly prohibited.

2.4 Password Management

Passwords are considered Highly Restricted information and should not be written down or stored in an unencrypted format. Password complexity and lifecycle should adhere to current industry best practices. Forbidden actions related to passwords include:
  • Do not use default vendor passwords.
  • Do not reveal a password over the phone.
  • Do not send your password via email.
  • Do not share your password with others.
  • Do not write down your password.

3.0 Operational Security

Operational security processes are used to identify critical data and information, the vulnerabilities associated with them, and to determine the appropriate risk mitigations needed to ensure UniGroup operations are not negatively impacted.

3.1 System Hardening

System hardening procedures should be defined and followed for all systems and platforms (workstations, servers, databases, etc.) to reduce the risk of compromise. These procedures should be consistent with industry-accepted hardening standards and include:
  • Procedures and standards updated as new vulnerabilities are identified.
  • Applied when new systems are configured, prior to connection to the production network.
  • Following the least privilege access model.
  • Removal of unnecessary functionality.
  • Implementation of relevant security features (SSH, TLS, etc.).
  • Removal of all default vendor accounts and passwords.
  • Installation of anti-virus software where feasible.
  • Appropriate monitoring and logging enabled to review after a service-impacting event.

Additionally:
  • Establish owners of each system and assign responsibility.
  • Restrict privileged access to authorized personnel only.
  • Design systems to operate within current and predicted load levels.
  • Monitor and supervise the activities of personnel responsible for systems.
  • Ensure appropriate replication and backups are configured.
  • Use industry-accepted levels of encryption for data at rest, in transit, and in processing when feasible.
  • Identify end-of-life components and plan migrations before end of support/life.

3.3 Change Control

Change control processes are followed to maintain the integrity of production and non-production systems, to ensure that standardized methods are used for handling all changes, and to minimize the impact of change-related incidents. A defined and documented change management process should be followed that includes, at a minimum, the following:
  • Logged change request
  • Prioritization of the change
  • Documentation of the impact
  • Documented approval for the change
  • Functionality testing to verify the change does not have a negative impact
  • Back-out procedures

3.4 Asset Management

UniGroup personnel, business partners, agents, and contractors shall protect assets associated with UniGroup operations by ensuring appropriate handling requirements are followed to prevent unauthorized disclosures, regardless of whether assets or data are being stored or transmitted. All assets associated with data or with data processing shall be inventoried and tracked. The inventory shall include, but not be limited to:
  • A list of all devices
  • A method to determine the owner accurately and quickly
  • Contact information for the asset owner
  • Updates made promptly as necessary

3.5 Physical Security

A defined and documented physical security program and procedures shall be used to ensure the physical protection of all systems associated with UniGroup business. The physical security program shall include, but not be limited to:
  • Security perimeters defined to protect areas that contain UniGroup data or systems.
  • A list of personnel with authorized access to the facility, with prompt removal of access as necessary.
  • Use of access control mechanisms (access badge, biometrics, etc.) where possible.
  • Issuing authorization for physical access.
  • Strictly limiting access to sensitive areas and/or areas that contain systems processing UniGroup data.
  • Use of video cameras and other recording and/or logging devices when possible.
  • Registering and logging all visitors to the facility.

4.0 Business Continuity and Disaster Recovery

Business Continuity (BC) and Disaster Recovery (DR) refer to responding to an operational interruption through the implementation of a recovery plan. The recovery plan accounts for applications deemed critical for business operations and service delivery, and ensures the timely restoration of UniGroup’s capability to deliver services. The BC/DR plan is tested, at a minimum, annually to ensure the plan is up to date and capable of sustaining business operations during a crisis or period of disruption.

UniGroup, and those conducting UniGroup business, shall:
  • Develop a contingency plan for business-critical systems that provides recovery objectives and restoration priorities.
  • Determine contingency roles, responsibilities, and assigned individuals.
  • Address maintaining essential business functions during a disruption.
  • Address full system restoration.
  • Have the plan reviewed and approved by designated company officials.
  • Communicate contingency plans throughout the organization and ensure assignments are understood.
  • Coordinate contingency planning and plan reviews at least annually.
  • Modify the plan accordingly to address business changes.
  • Establish procedures to access data and systems during periods of disruption.
  • Ensure defined plans and procedures meet and adhere to contractually obligated recovery timelines and/or objectives.

5.0 Incident Response

Incident response refers to the actions taken to address an event that either creates service disruption or impacts a customer, and incidents can range from minor to business-crippling in scale. Incident response procedures should be periodically reviewed to ensure the defined steps are current and applicable to the existing environment. To have an effective response to an incident, there must be a defined, repeatable process that is followed. UniGroup addresses incident response by applying these main steps to all encountered incidents:
  • Preparation: Ensuring staff are properly trained and know what steps to take.
  • Identification and Prioritization: Determine that an incident has occurred, and assign the priority/urgency.
  • Containment: Isolate the impacted items to prevent additional damage.
  • Neutralization: Remove the disruption from the environment and perform root cause analysis.
  • Recovery: Return impacted items to normal operations.
  • Lessons Learned: Determine ways to prevent the incident from reoccurring.

6.0 Software Development Life Cycle

A Software Development Life Cycle (SDLC) is a series of steps that provides a framework for developing and managing software throughout its life cycle. When implemented correctly, an SDLC ensures that the highest quality software is delivered in the least amount of time, for the lowest overall cost. All development activities at UniGroup follow a defined SDLC which considers the following items:
  • Plan
  • Build
  • Test
  • Deploy
  • Maintain

During this process, attention is given to clearly identifying the functional requirements, remediating vulnerabilities and bugs in the code, ensuring the software meets the stakeholder’s needs, and ensuring it is safe to deploy into the production environment. The SDLC is followed for all feature enhancements, upgrades, etc., until the product is discontinued and removed from service.

7.0 Acceptable Use

Employees are granted access to UniGroup equipment, systems, and data to assist them in performing their job. The equipment, systems, and data belong to UniGroup, and use is intended only for legitimate business purposes in the fulfillment of services. Employees should not have an expectation of privacy in anything they create, store, send, or receive on UniGroup systems or equipment. Without prior notice, UniGroup may review any material created, stored, sent, or received on its systems or equipment. All employees using UniGroup equipment, systems, and/or data are obligated to use these items responsibly, professionally, ethically, and lawfully to process, protect, and secure UniGroup, its members, employees, companies, partners, and its customers.

7.1 Equipment and System Usage

Users shall:
  • Immediately report all lost or stolen equipment and all known or suspected privacy or security incidents.
  • Log off or lock systems when leaving them unattended; set the screen saver to lock the system after inactivity.
  • Complete all required security and privacy training.
  • Follow appropriate data handling procedures.
  • Be vigilant when accessing the Internet and verify all material is safe before viewing.
  • Follow the “Clean Screen, Clean Desk” mentality to protect sensitive data, including customer data.
  • Follow all defined record retention policies.
  • Only connect to known and trusted networks.
  • Speak only for yourself on social media accounts, as you could mistakenly be viewed as a spokesperson for UniGroup in your online communications.
  • Only use UniGroup systems and equipment for their intended business purposes.
  • Adhere to UniGroup’s privacy policy, code of conduct, mobile device use agreement, and data security policy.
  • Only use customer data for the purpose it was collected and in accordance with UniGroup’s privacy policy.
  • Report all policy violations to: integritymatters@unigroup.com.

Users shall not:
  • Copy or store sensitive/proprietary information or customer information on removable media devices or unapproved storage.
  • View material that is sexually explicit, profane, obscene, harassing, fraudulent, racially offensive, defamatory, or otherwise unlawful in nature.
  • Download material or software from the Internet or unknown sources.
  • Install software on UniGroup systems or equipment.
  • Modify, revise, transform, or adapt any UniGroup licensed software installed on equipment and systems.
  • Transfer UniGroup or UniGroup customer data through any unsecured network.
  • Use any utility program that allows circumventing of UniGroup applied controls.
  • Send unsolicited emails or spam emails.
  • Use UniGroup systems or equipment for any activity that violates local, state, federal, or international law.
  • Introduce any malicious software (virus, trojan, malware, etc.) into or onto UniGroup systems or equipment.
  • Use UniGroup equipment or systems in support of “for-profit” activities or outside employment/business activity (such as consulting for pay, sale of goods, etc.).
  • Use UniGroup systems or equipment for malicious activities to acquire, use, reproduce, transmit, or distribute any controlled information, including computer software and data that includes information subject to the Privacy Act, copyrighted or trademarked material, material with other intellectual property rights (beyond fair use), proprietary data, or export-controlled software or data.
  • Remove UniGroup systems or equipment from the organization without prior management approval.
  • Post information on social media sites or other public forums that is derogatory to UniGroup or its management, contrary to UniGroup’s code of conduct and mission, or brings discredit to UniGroup.

7.2 Record Retention

Information created, received, or maintained in the transaction of UniGroup business, whether in paper or electronic form, is considered a formal record and is subject to UniGroup’s Control of Record Procedure. This procedure defines the process for identification, storage, protection, retrieval, retention, hold, and disposition of records.

UniGroup will not keep personal information in a form that permits identification of data subjects for longer than necessary for the purposes for which it was collected or to which the data subject has consented, except for legitimate purposes permitted by law, such as regulatory compliance. All record disposals will follow UniGroup’s Derelict Media Collection and Destruction Process.

7.3 Remote Working

Associates identified as critical to business continuity will have the ability to work remotely. In addition, remote working may be a viable alternative work arrangement for some employees. In addition to the acceptable use policy, employees working remotely should take additional precautions to ensure the protection of data by properly securing, both logically and physically, all equipment, data, and communications as previously outlined in the DSP.
