
Information Security Program

Approved 11/2020

Table of Contents

INTRODUCTION 2

GOVERNANCE 3

ROLES AND RESPONSIBILITIES 4

INFORMATION SECURITY RISK ASSESSMENT 9

INFORMATION SECURITY STRATEGY 13

SECURITY CONTROLS 13

BUSINESS CONTINUITY 16

INFORMATION SECURITY STRATEGIC PLAN 17

NETWORK SECURITY AND SECURITY CHANGE MANAGEMENT 18

SENSITIVE INFORMATION ENCRYPTION POLICY 21

SYSTEMS DEVELOPMENT AND ACQUISITIONS 22

CORE PROCESSING SECURITY 23

VOIP 24

PAPER REPOSITORY POLICY 25

INFORMATION SANITIZATION AND DISPOSAL GUIDELINES 29

STAFF TRAINING 29

Sturgis Bank & Trust Company Page 1 of 30


Introduction
General

Timely and reliable information is necessary to process transactions and to support the decisions of the Bank and
its customers. The purpose of this policy is to establish a process that identifies risks, forms a strategy to manage the
risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. The
Board of Directors intends for the Bank and its employees to adhere to the guidelines set forth in section 501(b) of
the Gramm-Leach-Bliley Act (GLBA).

The GLBA requires the Bank to establish standards relating to administrative, technical and physical safeguards
for customer records and information. These safeguards are to ensure the security and confidentiality of customer
records and information, protect against any anticipated threats or hazards to the security or integrity of these
records, and protect against unauthorized access to or use of these records or information that would result in
substantial harm or inconvenience to a customer.

These guidelines require the Bank to establish an information security program that meets the following objectives:

1) Availability – Ongoing availability of systems addresses the processes, policies, and controls used to ensure that
authorized users have access to information. This process protects against intentional or accidental attempts to
deny legitimate users access to information or systems.
2) Integrity of Data and Systems – Integrity relates to the controls, processes and policies used to ensure that
information has not been altered and that systems are safe from unauthorized manipulation that could compromise
reliability, completeness and accuracy.
3) Confidentiality – This covers the processes, controls, and policies that protect information of customers and the
Bank against unauthorized access or use.
4) Accountability – Accountability supports non-repudiation, intrusion prevention, recovery, monitoring, and legal
admissibility of records.
5) Assurance – Assurance develops the confidence that operational and technical security measures work as
intended. Assurance is part of system design and includes accountability, confidentiality, integrity, and
availability.

Combined, integrity and accountability produce what is known as non-repudiation. Non-repudiation occurs
when the Bank demonstrates that the originators who initiated the transaction are who they say they are, that the
recipient is the intended counterparty, and that no changes occurred in transit or storage. Effective non-repudiation
measures implemented by the Bank reduce fraud and promote the legal enforceability of the Bank’s electronic
agreements and transactions.

Information Security Program

The Bank’s Information Security Program is used to implement and achieve the Bank’s security objectives.
This process is designed to identify, measure, manage and control the risks to system and data availability, integrity,
and confidentiality, and to ensure accountability for system actions. This process includes the following key areas:

1. Information Security Risk Assessment: This process identifies and assesses threats, vulnerabilities, attacks,
probabilities of occurrence and outcomes.

2. Information Security Strategy: This strategy mitigates risk by integrating technology, policies, procedures and
training. The Bank’s Information Security Strategy Plan is reviewed and approved by the Board of Directors on
an annual basis.

3. Security Controls Implementation: This process covers the acquisition and operation of technology, the
specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate
controls, and assurance that management and staff understand their responsibilities and have the knowledge,
skills and motivation necessary to fulfill their duties.

4. Security Monitoring: This process ensures the use of various methodologies to gain assurance that risks are
appropriately assessed and mitigated by the Bank. These methodologies are used to verify that significant
controls are effective and performing as intended.

5. Security Process Monitoring and Updating: This process ensures that a continuous system is maintained for
gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the Bank or others,
and the effectiveness of the existing security controls. This information is used to update the
Bank’s risk assessment, strategy and control processes. Monitoring and updating make this process continuous
instead of a one-time event.

All employees are assigned an appropriate level of access to the Bank’s computer systems. All employees are
required to use a unique user ID and secure password to access the Bank’s computer systems, which may include a
third level of authentication. Three repeated failed attempts to gain access to information will result in an automatic
lockout. Security exception reports generated by the software on the Bank’s computer systems are to be reviewed
by the Vice President of Information Technology or other designated personnel and all exceptions that cannot be
explained are to be immediately documented and addressed. Breaches of software controls are to be investigated by
the Information Technology Office.

Sensitive information is not to be sent over the Internet unless it has first been encrypted by approved methods.
Debit card numbers, account numbers, fixed login passwords and other authentication or financial information that
can be used to gain access to services are not to be sent over the Internet in readable form by Bank personnel.
Usually a telephone call or paper letter delivery is an appropriate alternate delivery channel when the original
delivery channel was the Internet.

Governance
The Bank has established a system of appropriate governance and oversight of its Information Security
Program. The purpose of this governance is to ensure that tasks are completed appropriately, that accountability is
maintained, and that risk is managed for the entire enterprise. Information technology governance is achieved
through management structure, policy establishment, procedures and standards, monitoring, accountability, and
assignment of responsibilities and authority. Through the governance process the Board of Directors and senior
management understand the overall architecture of the Bank’s information technology, what resources are available,
what condition they are in, and what role they play in supporting the Bank’s security posture.

The Bank’s approach to security is that it must maintain the CIA triad (confidentiality, integrity, and
availability) of all critical information systems assets.

The information protection programs and processes envisioned by this document reflect the diversity of the
Bank’s business while striving to maintain the highest possible level of functionality. This program directs the
development of fundamental sets of minimum information protection objectives which, in the absence of specially
tailored programs, apply to all departments of the Bank and the service providers with whom the Bank conducts
business.

This program also outlines the responsibilities of the Board of Directors in overseeing the protection of the Bank’s
customer information. The Board of Directors oversees the Bank's efforts to develop, implement, and maintain an
effective information security program and approves written information security policies and programs.

This program further outlines the responsibilities of Senior Management to oversee the Bank’s service provider
arrangements in order to protect the security of customer information maintained or processed by service providers.
The Bank must exercise due diligence in selecting its service providers. The Bank is also required to monitor its
critical service providers by reviewing audits, summaries of test results, or other equivalent evaluation of its service
providers, to confirm that they have satisfied their contractual obligations.

In general, it is the responsibility of the Board of Directors, Senior Management, information security officers,
employees, auditors, and service providers to fully support the directives of the Bank’s Information Security
Program. Each role has different responsibilities and everyone is held accountable for his or her actions.
Accountability requires clear lines of reporting, clear communication of expectations, and the delegation and
judicious use of appropriate authority to bring about appropriate compliance with the Bank’s policies, standards and
procedures.

Roles and Responsibilities

Board of Directors
It is the responsibility of the Board of Directors (via the Technology Steering Committee) to ensure that proper
oversight of the development, implementation and maintenance of the Bank’s Information Security Program is
attained. This includes the formal approval and adoption of information security plans, policies, and programs, and
the review of various reports on the effectiveness of the program. The Board of Directors is responsible for
providing Senior Management with expectations and requirements and holding them directly accountable for:

1) Central oversight and coordination of the program, including direct responsibility for these actions;
2) Confirming that the Bank’s Information Technology Strategic Plan is aligned with the Bank’s overall Strategic
Plan;
3) Maintaining a working knowledge of the Bank’s information resource activities;
4) Assigning responsibility, at an appropriate level and in varying degrees, to other members of Bank
management and personnel;
5) Directing information technology strategy to balance investments between systems that support current
operations and systems that transform operations and enable business lines to grow and compete in new
areas;
6) Focusing information technology resource decisions on specific objectives such as entry into new markets,
enhanced competitive position, revenue growth, improved customer satisfaction or customer retention;
and
7) Ensuring all Bank personnel possess a general awareness of the Bank’s information resources.

The Board of Directors is further responsible for approving this and other related written information security
policies and the written report on the effectiveness of the Bank’s Information Security Program on an annual basis.
It is the responsibility of the Vice President of Information Technology to prepare a written report to the Board of
Directors that describes the overall status of the Bank’s Information Security Program. At minimum, this report is
to address the results of:
1) The risk assessment process;
2) Risk management and control decisions;
3) Service provider arrangements;
4) Security monitoring and testing;
5) Security breaches or violations and Senior Management’s responses;
6) Recommendations for changes to the Bank’s Information Security Program; and
7) Any acceptance of risk related to audit findings.

Senior Management
It is the responsibility of Senior Management, in correlation with the responsibilities delegated by the Board of
Directors as set forth above, to:

1) Clearly support all aspects of the Bank’s Information Security Program;
2) Implement the Information Security Program as approved by the Board of Directors;
3) Establish this and other related policies, procedures and controls;
4) Participate in assessing the effect of security issues on the Bank and its business lines and processes;

5) Delineate clear lines of responsibility and accountability for information security risk management decisions
while holding appropriate individuals accountable for complying with these requirements;
6) Define risk measurement definitions and criteria;
7) Establish acceptable levels of information security risks; and
8) Oversee risk mitigation activities.

Senior Management also has the responsibility to ensure integration of security controls throughout the Bank by:

1) Ensuring the security process is governed by organizational policies and practices that are consistently applied;
2) Requiring that data with similar criticality and sensitivity characteristics be protected consistently regardless of
where it resides;
3) Enforcing compliance with the Bank’s Information Security Program in a balanced and consistent manner;
4) Coordinating information security with physical security; and
5) Ensuring an effective information security awareness program has been implemented throughout the
organization. At minimum, this program includes an appropriate level of security training and ongoing security
related communications, employee certifications of compliance, self-assessments, audits and monitoring.

Decisions made by Senior Management regarding the acceptance of security risks and the performance of risk
mitigation activities are to be made in correlation with guidance approved by the Board of Directors. Such decisions
are to be incorporated into this and other related policies, standards and procedures.

It is also the responsibility of Senior Management to consider and monitor the roles and responsibilities of
external third parties. The security responsibilities of service providers, contractors, customers and others who have
access to the Bank’s systems and data are to be clearly delineated and documented in contracts. Appropriate
reporting mechanisms are to be in place to allow Senior Management to judge whether those responsibilities are
being fulfilled. Finally, sufficient controls are to be included in all third-party contracts to enable Senior
Management to enforce contractual requirements. Refer to the Bank’s Vendor Management Program for detailed
guidance.

Delegation and Authority

Senior Management has designated the following entities and/or individuals to govern and administer the
Bank’s Information Security Program and related resources:
1) Technology Steering Committee;
2) Vice President of Information Technology; and
3) Compliance Officer.

The above personnel are responsible and accountable for administration of the Bank’s Information Security
Program. At minimum, they are to directly manage or oversee:
1) The risk assessment process;
2) Development of policies, standards and procedures;
3) Testing; and
4) Security reporting processes.

The above personnel are to maintain enough independence to perform their assigned tasks to ensure appropriate
segregation of duties. Certain members are designated as risk managers in addition to others who are responsible for
production resources assigned to the Bank’s Information Technology Department. In addition, the above personnel
are to possess an understanding and working knowledge of the elements of the Bank’s information resources,
including the development of new information resources and monitoring those same processes. These team
members have the authority to work closely with Senior Management and the Board of Directors to communicate
and implement necessary actions across product and departmental lines. Additionally, these team members are
responsible for carefully considering the impact of any policy or procedural changes in current products and services
which may affect the Bank’s information resources.

Designated personnel have the authority to respond to a security event (when the confidentiality, integrity,
availability or accountability of an information system is compromised) by ordering emergency actions to protect
the Bank and its customers from an imminent loss of information or value. In addition, such personnel are to have
enough knowledge, background and training, as well as an organizational position, to enable them to perform their
assigned tasks.

The Technology Steering Committee is responsible for providing Senior Management with management reports
and related policy recommendations on a regular periodic basis that apply to the Bank’s Information Security
Program and related resources.

Technology Steering Committee


The Technology Steering Committee is responsible for the implementation of the Bank’s Information Security
Program protection standards and the related processing and storage of information for the Bank. Responsibilities
include:

1) Developing physical protection safeguards to protect information resources and facilities;
2) Establishing, maintaining and enforcing the Bank’s information technology policies, procedures and standards;
3) Aligning strategic objectives for information technology projects and resource assignments;
4) Developing procedural safeguards for information, including backing up critical or essential information;
5) Developing safeguards for allowing access to Bank information and software on a need-to-know basis;
6) Developing business resumption plans to ensure continued processing, storage, testing and protection of
information in the event of a man-made or natural disaster;
7) Ensuring that information modification follows approved standards and business practices;
8) Monitoring the status of any pending tasks associated with customer information security, system security, audits
and audit recommendations, and regulatory compliance requirements;
9) Prioritizing all information technology projects;
10) Monitoring past information technology projects and initiatives after implementation to determine if the Bank
realized the anticipated costs and benefits based upon a set of objective measures;
11) Following approved standards and procedures for disposing of or forwarding information to other business units;
12) Monitoring vendor relationships; and
13) Observing the activities of the Vice President of Information Technology and Information Technology
Department personnel to ensure adherence to information protection standards is consistently maintained.

The Technology Steering Committee is to hold meetings on a quarterly basis. Each meeting is to be recorded
and submitted to the Board of Directors for review through meeting minutes. While agenda items may vary, the
following standard topics of discussion are to be reviewed at each meeting and noted in the meeting minutes:

1) Project prioritization and review;
2) Status of projects in process and of those completed;
3) Review of new project requests;
4) Status of information technology security, management and regulatory issues;
5) Review of audit results and management actions;
6) Business continuity issues;
7) Status of the Bank’s Information Security Program;
8) General status overview;
9) Risk management, assessment and control issues;
10) Vendor management;
11) Results of testing;
12) Open issues;
13) Security breaches; and
14) Recommendations for program enhancements.

Vice President of Information Technology

The Vice President of Information Technology, and subsequently the Information Technology Department, is
the focal point for information protection standards established by the Technology Steering Committee and is
responsible for the implementation of procedures relating to the Bank’s Information Security Program. At a
minimum, the Vice President of Information Technology is also responsible for:

1) Advising Senior Management and the Technology Steering Committee on the requirements, resources,
applicable protection technology, industry “best practices” and administrative procedures pertaining to
information protection;
2) Establishing and maintaining a corporate strategy and architecture for information protection to be developed in
cooperation with the appropriate concerned personnel;
3) Establishing, maintaining, preparing, promoting and measuring the effectiveness of this and other related
policies and procedures;
4) Providing assistance, support and guidance to those individuals responsible for developing and implementing
specific information protection programs within the Bank;
5) Periodically assessing the need for, and the state of, the Bank’s information continuity, integrity and
confidentiality and report annually to Senior Management and the Technology Steering Committee;
6) Implementing and maintaining the Bank’s information systems and programs on a daily basis. This
responsibility may from time to time require direct contact with outside bureaus or other vendors;
7) Providing daily operational assistance, support and guidance to Bank personnel using information resources of
the Bank;
8) Coordinating with managers in the development and administration of viable contingency plans to recover from
short- or long-term outages; and
9) Managing the activities of Information Technology Department personnel to ensure adherence to information
protection standards is consistently maintained.

The mission of the Vice President of Information Technology and Information Technology Department in no way
alters the Bank’s direct and ultimate responsibility for the protection of information assets.

Information Technology Department
It is the responsibility of the Information Technology Department to perform all technology operations within
the Bank.

The following are the general responsibilities of Information Technology Department personnel to ensure
compliance with this policy and other related procedures and standards. These responsibilities are intended to
address regulatory compliance considerations and industry best practice principles:

1) Support the information technology resources of the Bank in accordance with this policy and other related plans
and procedures;
2) Provide Senior Management with an adequate decision support system by providing information that is timely,
accurate, consistent, complete and relevant;
3) Deliver complex material throughout the Bank;
4) Support the Bank's strategic goals and direction;
5) Ensure the integrity and availability of data;
6) Provide an objective system for recording and aggregating information;
7) Reduce expenses related to labor intensive manual activities;
8) Enhance communication among employees;
9) Maintain a current department organization to ensure a clear path of authority and responsibility is maintained;
10) Maintain and review activity logs or reports for system, user, and administrator activities on an as-needed basis;
11) Ensure contingency plans are kept current to assure the survival and restoration of the Bank’s information
systems in the event of disaster or other emergency event;
12) Perform appropriate due diligence for all risks associated with the Bank’s information resources, including risk
assessments.

Compliance Officer
The Bank’s Information Security Program encompasses several regulations, laws, and regulatory issuances.
The Compliance Officer has oversight responsibility for the compliance structure of the entire Bank. As such, the
Compliance Officer has the primary responsibility of maintaining a detailed list of regulations or laws impacted by
such processes. Furthermore, these lists are to be used to assess compliance.

For each new information resource activity, transaction, or customer information communication, the
Technology Steering Committee is to work with the Compliance Officer to ensure the Bank’s compliance with all
federal and state banking laws and regulations.

Users
Corporate information of all types, computer-generated data and internal programs are the confidential property
of the Bank. Users of the Bank’s information resources are responsible for the complete protection of Bank
information, computer resources and facilities by following the guidelines established in this and other related policies
and procedures. Failure to follow all aspects of this standard may result in disciplinary action and/or immediate
termination.

Information and resources are vital Bank assets. Employees of the Bank and other authorized third party users
are responsible for ensuring that the integrity, confidentiality and availability of those assets are not
compromised.

Information, computer resources and facilities are to be used only in connection with the performance of a
specific job function.

Users of the Bank’s information resources are expected to comply completely with established information
protection standards and shall not use Bank resources to pry or gain unauthorized entry into other Bank or non-
Bank systems.

Use of the Bank’s information, computer resources and facilities for personal gain is expressly prohibited.

The use and/or access of information and facilities for personal use is prohibited unless approved by Senior
Management or Vice President of Information Technology. In certain instances, the approval of personal use of
the Bank’s information resources and facilities may be allowed for the following reasons:

1) Assignments associated with work related classes taken at a college, university, trade school, in-house,
etc.;
2) Occasional incidental personal browsing;
3) Self-directed education (the desire or need to learn more through on the job training).

Users have responsibilities for ownership of information. For example, a user has ownership responsibilities for
information and resources assigned to him or her regarding his or her computer files and information.

Users are prohibited from disclosing or using, in any unauthorized manner, any information to which they have
access. Passing or transmitting Bank information to others (i.e., Bank employees, contract personnel, outside
vendors, etc.) must first be approved by Senior Management.

All individuals granted information system access must use a login ID, password and/or other authentication
method to access system resources and shall maintain exclusive control of such information. Users are
prohibited from disclosing this information to another person unless authorized by management to do so.
However, users who are authorized to share this information are directly responsible for all activities involving
the use of such access.

Users must secure their access to the Bank’s information systems whenever they leave their work areas.
(“Secure” means to signoff or logoff, lock the keyboard with some type of software or physical key, or utilize a
screen saver with a password.)

Internal/External Audit
This policy requires that appropriate and timely tests, audits and evaluations be conducted to determine
compliance with the Bank’s information protection requirements and with regulatory, legal, fiduciary and
contractual obligations. The use of self-assessment and peer reviews as a cost-effective mode of examination is
supported, but these should be used to supplement, not replace, formal reviews by third parties, either internal or
external.

The Bank has designated the Audit Officer and Audit Department to conduct periodic risk based internal audit
reviews of the Bank’s efforts to adhere to the guidelines of this and other information system resource policies. The
results of this audit are to be reported to the Board of Directors’ Audit Committee.

Refer to the Audit Function Policy for detailed guidance.

Information Security Risk Assessment

General

It is the policy of the Bank to maintain an ongoing Information Security Risk Assessment Program that
gathers data regarding the Bank’s information and technology assets, threats to those assets, vulnerabilities, the
existing security controls and processes, and the current security standards and requirements, and that analyzes the
probability and potential impact associated with the known threats and vulnerabilities to those assets. This process
helps prioritize the risks arising from threats and vulnerabilities in order to determine the appropriate level of
ongoing monitoring, training, controls and assurance necessary for effective mitigation.

In general, the Bank’s Information Security Risk Assessment Program is a process used to identify and understand
risks to the confidentiality, integrity and availability of information and information systems in all business lines and
risk categories. In general terms, the Bank’s risk assessment process is designed to adhere to the requirements of the
Gramm-Leach-Bliley Act (GLBA) by identifying:

1) The location of all confidential customer and corporate information;
2) Any foreseeable internal and external threats to the information;
3) The likelihood of the threats; and
4) The sufficiency of controls to mitigate the threats.

In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of
those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The
resulting information is used by the Bank to develop strategies to mitigate those risks.

This ongoing assessment process identifies the value and sensitivity of information and system components and
then balances that knowledge with the exposure from threats and vulnerabilities. The Bank’s risk assessment is a
prerequisite to the formation of strategies developed by Senior Management and the Board of Directors that guide
the Bank as it develops, implements, tests and maintains its Information Systems Security Program.

It is the responsibility of the Board of Directors and Senior Management of the Bank to understand the risks
associated with outsourced technology arrangements to ensure that effective risk management practices are in place.

The Bank has implemented an effective Risk Management Program, approved by the Board of Directors,
specifically tailored to meet its needs and circumstances. Specifically, the Bank’s Risk Management Program
includes, at minimum, the following key elements:


1) Risk Identification. Proper risk identification focuses on recognizing and understanding existing risks or risks
that may arise from new business initiatives. Risk identification is a continuous process and occurs at the
transaction, account, product, and portfolio levels.
2) Risk Control. The Bank has established and communicates limits through policies, standards and procedures
that define responsibility and authority. These control limits are meaningful management tools that can be
adjusted if conditions or risk tolerances change.
3) Risk Monitoring. The Bank monitors risk levels to ensure timely review of risks and mitigating factors as new
systems, programs or process changes are made. Monitoring for new threats and vulnerabilities is an ongoing
process and is not done only at set intervals.

It is the responsibility of the Technology Steering Committee, Audit Committee, Vice President of Information
Technology and the Compliance Officer to continuously identify, measure and monitor the risks involved with the
Bank’s Information Security Program activities and related operations. The Bank recognizes that such resources
carry a certain element of risk, and believes that effective risk management is comprised of several factors:

1) An effective planning process that aligns information technology and business objectives and supports the
Corporate Strategic Plan;
2) An ongoing risk assessment process that evaluates the environment and potential changes;
3) Technology implementation procedures that include appropriate controls; and
4) Measurement and monitoring efforts that effectively identify ways to manage risk exposure.

The Bank’s information technology risk management focus will center on the following risk categories:

1) Operational Risk. This risk is a function of internal controls, information systems, employee integrity and operating
processes, and exists in all products and services.

2) Compliance Risk. Risks due to nonconformance with laws, rules, regulations, prescribed practices or ethical
standards. Compliance risk also arises in situations where the laws or rules governing certain Bank products or
activities of the Bank’s customers may be ambiguous or untested. Compliance risk exposes the Bank to fines, civil
money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to a diminished
reputation, reduced franchise value, limited business opportunities, lessened expansion potential and lack of contract
enforceability.

3) Strategic Risk. Risks arising from adverse business decisions or improper implementation of those decisions. This
risk is a function of the compatibility of the Bank’s strategic goals, the business strategies developed to achieve those
goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry
out business strategies are both tangible and intangible. They include communication channels, operating systems,
delivery networks, and managerial capacities and capabilities.

4) Reputation Risk. Risks arising from negative public opinion. This affects the Bank’s ability to establish new
relationships or services, or to continue servicing existing relationships. This risk can expose the Bank to litigation,
financial loss or damage to its reputation. Reputation risk exposure is present throughout the Bank and is why the
responsibility to exercise an abundance of caution in dealing with its customers and the community is crucial. This
risk is present in activities such as asset management and agency transactions.

5) Technology Risk. Risks to technology touch every aspect of the Bank. Technology is a key resource to the daily
operations of the Bank. The loss of technology assets can expose the Bank to financial, legal and reputational
losses that, if severe enough, could cause the Bank to fail.

Risk Assessment Process

The Bank’s Information Security Risk Assessment Program includes the following elements:

Identification of Information and Information Systems. The Bank’s risk assessment includes an identification of
information and the information systems to be protected (both paper and electronic), including electronic systems
and physical components used to access, store, transmit, protect and eventually dispose of information.

In addition, the Bank also considers how it:

1) Stores, transmits, transfers and disposes of media (paper or electronic) containing information;
2) Authorizes and authenticates those who receive information both physically and electronically; and
3) Makes information available for viewing.

The Bank’s outsourcing strategy is also considered in identifying relevant data flows and information
processing activities. The Bank’s system architecture diagram and related documentation clearly identifies service
provider relationships, where and how data is passed between systems, and that relevant controls are in place.

Analyzing Information. The following represents the Bank’s effort to properly analyze all the gathered
information:

1) Classify and Rank Sensitive Data, Systems and Applications. The Bank assesses the relative importance of the
various information systems based on the nature of their function, the criticality of data they support, and the
sensitivity of data they store, transmit or protect.
2) Assess Threats and Vulnerabilities. The Bank carefully assesses potential threats and vulnerabilities of its
information systems.

Threats are events that could cause harm to the confidentiality, integrity or availability of the Bank’s
information or information systems. They can be characterized as the potential for agents exploiting a vulnerability
to cause harm through the unauthorized disclosure, misuse, alteration or destruction of information or information
systems and arise from a wide variety of sources. Traditionally, the agents have been categorized as internal or
external, and may include the following:

1) Security Breaches. Examples are malicious or incompetent employees, contractors, service providers
and former insiders. Other security breaches that can affect the Bank include programming fraud,
computer viruses, or denial of service attacks.
2) System failures. Common causes of system failures include network failure, interdependency risk,
interface failure, hardware failure, software failure, or internal telecommunication failure.
3) External Events. External natural or man-made threats include weather-related events, earthquakes,
terrorism, cyber-attacks, cut utility lines or widespread power outages that bring about system or
facility failures.
4) Technology Investment Mistakes. Mistakes in technology investment including strategic platform or
supplier risk, inappropriate definition of business requirements, incompatibility with existing systems,
or obsolescence of software may constrain profitability or growth.
5) Systems Development and Implementation Problems. Common system development and
implementation problems include inadequate project management, cost/time overruns, programming
errors (internal/external), failure to integrate and/or migrate successfully from existing systems, or
failure of the system to meet business requirements.
6) Capacity Shortages. Shortages in capacity result from lack of adequate capacity planning, including the
lack of accurate forecasts of growth.

Vulnerabilities are characterized as weaknesses in a system (or control gaps) that if exploited, could result in the
unauthorized disclosure, misuse, alteration or destruction of Bank information or information systems.
Vulnerabilities are generally grouped into two types, known and expected:

Known vulnerabilities are discovered by testing or other reviews of the environment, knowledge of policy
weaknesses, knowledge of inadequate implementations, or knowledge of personnel issues. The Bank also
subscribes to the following US-CERT mailing lists:
a) Technical Cyber Security Alerts
b) Cyber Security Bulletins
c) Cyber Security Alerts
d) Cyber Security Tips

Expected vulnerabilities are those that are reasonably anticipated to arise in the future. Examples may include
un-patched software, new and unique attack methodologies that bypass current controls, employee and contractor
failures to perform security duties satisfactorily, personnel turnover resulting in less experienced and knowledgeable
staff, new technology introduced with security flaws, and failure to comply with policies and procedures.

3) The Bank uses a quantitative risk method. Quantitative methods involve assigning numerical measurements
that can be entered into the analysis to determine total and residual risks. Measurements include the cost to
safeguard the information and information systems, the value of that information and those systems, threat
frequency and probability, and the effectiveness of controls. Techniques include manual or automated data
analysis to measure the potential damage in relation to the controls. However, a shortcoming of
quantitative methods is a lack of reliable and predictive data on threat frequency and probability, and on the future
reliability and performance of the control structure. The Bank typically addresses that shortcoming by
assigning numeric values based on qualitative judgments.

4) Evaluate Control Effectiveness. The Bank identifies controls that will mitigate the impact or likelihood of each
identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing
(preventive, detective, or corrective) or nature (administrative, technical, or physical). This evaluation
recognizes the unique control environment of the Bank and evaluates the effectiveness of that environment in
responding to the threats. This evaluation also addresses the controls that prevent harm in addition to those that
detect harm and correct damage that occurs. Preventive controls act to limit the likelihood of a threat agent
succeeding. Detective and corrective controls are essential to identify harmful actions as they occur, to facilitate
their termination, and to reduce damage.

Controls, however, are not assumed by the Bank to reduce all related risk. Measures of control effectiveness
are obtained from the Bank’s security monitoring efforts. Self-assessments, metrics and independent tests may
address compliance with existing controls and the adequacy of those controls. The Bank’s security monitoring
efforts are based on an assessment of the risk of noncompliance or circumvention of the Bank’s controls.

The Bank’s evaluation of controls includes a review of the relevant physical access controls, including access to
records, equipment, and Bank and data center facilities, and provides an assessment of potential vulnerabilities to a
physical attack or other disaster. These reviews are to be comprehensive and address all data and facilities,
including remote facilities.

Risk Rating Assignment

The Bank assigns an appropriate risk rating to all information and information systems after completing the
inventory of information and systems, assessing the likelihood and exposure of identified threats and vulnerabilities,
and evaluating control effectiveness.

The key to this assignment of risk ratings is to organize the information and information systems within a
logical framework. The framework recognizes that not all threats and risks are equal and acknowledges that the
Bank has finite managerial and financial resources. As with credit or interest rate risk, reasonably foreseeable risks
are prioritized and rated by the Bank according to the sensitivity and importance of the information. The probability
or likelihood of an event occurring, and the impact the event would have on the Bank, are considered in determining
the appropriate risk rating for information. Both the probability of an event occurring and its impact on the Bank are
directly influenced by the Bank’s overall business profile and the effectiveness of its controls, and the resulting rating
is expressed as “High”, “Medium” or “Low” risk. The specific risk rating is judgmentally determined and assigned in
relation to the level of exposure and the threat likelihood, taking into consideration the adequacy of related internal
controls. Where controls are inadequate or found not to exist, the Bank’s risk assessment includes an action plan to
improve the controls.

The Bank, with guidance from the Board of Directors, segregates risk into categories that it is willing to accept
and those that should be mitigated once the risks associated with threats and vulnerabilities have been assessed,
probabilities assigned, and risks rated. This identification is used to develop the Bank’s risk mitigation strategy.
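As an added illustration of the quantitative method and rating framework described above (this is example code written for this page, not the Bank's own risk model or tooling), the following Python script assigns constructed values, likelihoods, impacts and control-effectiveness figures to three sample assets, computes inherent and residual annualised risk, maps the residual figure to a High, Medium or Low rating using assumed thresholds, flags items whose controls are inadequate enough to require an action plan, and compares the annual cost of a proposed safeguard against the residual risk it addresses. The scales, thresholds, asset names and figures are all assumptions.

```python
"""Quantitative risk rating worked example.

Added illustration; not the Bank's own risk model or tooling. Scales, thresholds
and sample assets are assumptions chosen to show the arithmetic the policy
describes: likelihood and impact give inherent risk, control effectiveness reduces
it to residual risk, and residual risk is mapped to a High/Medium/Low rating.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    value: float            # value of the information/system in dollars (constructed)
    likelihood: float       # expected threat events per year (frequency x probability)
    impact: float           # fraction of value lost per event, 0.0-1.0 (qualitative judgment)
    control_effect: float   # share of inherent risk the current controls remove, 0.0-1.0
    safeguard_cost: float   # annual cost of the proposed control improvement (constructed)


# Assumed rating thresholds on annualised residual risk (dollars per year).
HIGH_THRESHOLD = 50_000.0
MEDIUM_THRESHOLD = 10_000.0
# Assumed floor: below this effectiveness the existing controls are treated as inadequate.
MIN_CONTROL_EFFECT = 0.5


def _validate(item: RiskItem) -> None:
    """Reject inputs outside the assumed scales instead of silently producing nonsense."""
    for name in ("impact", "control_effect"):
        v = getattr(item, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{item.asset}: {name} must be between 0 and 1, got {v}")
    if item.likelihood < 0 or item.value < 0 or item.safeguard_cost < 0:
        raise ValueError(f"{item.asset}: likelihood, value and safeguard_cost must be non-negative")


def inherent_risk(item: RiskItem) -> float:
    """Annualised loss before controls: value x exposure per event x events per year."""
    _validate(item)
    return item.value * item.impact * item.likelihood


def residual_risk(item: RiskItem) -> float:
    """Annualised loss remaining after the current controls are credited."""
    return inherent_risk(item) * (1.0 - item.control_effect)


def rating(residual: float) -> str:
    """Map a residual-risk figure to the policy's three-level scale (assumed thresholds)."""
    if residual >= HIGH_THRESHOLD:
        return "High"
    if residual >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def needs_action_plan(item: RiskItem) -> bool:
    """Controls found inadequate trigger an action plan to improve them."""
    return item.control_effect < MIN_CONTROL_EFFECT


def safeguard_justified(item: RiskItem) -> bool:
    """Assumed rule: a safeguard is worth funding if it costs less per year than the residual risk."""
    return item.safeguard_cost < residual_risk(item)


def assess(items):
    """Rate every item and return the rows ordered from highest to lowest residual risk."""
    rows = []
    for it in items:
        res = residual_risk(it)
        rows.append({
            "asset": it.asset,
            "inherent": round(inherent_risk(it), 2),
            "residual": round(res, 2),
            "rating": rating(res),
            "action_plan": needs_action_plan(it),
            "safeguard_justified": safeguard_justified(it),
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample inventory (names and figures are illustrative only).
SAMPLE_ASSETS = [
    RiskItem("customer_pii_share", 500_000, 1.0, 0.4, 0.3, 15_000),
    RiskItem("core_banking", 2_000_000, 0.1, 0.5, 0.8, 30_000),
    RiskItem("paper_archive", 50_000, 0.2, 0.5, 0.6, 5_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(row)
```

The ordering step is what turns the numbers into a prioritised list for Senior Management: the item with the largest residual figure comes first, and the action-plan flag marks where the control gap, rather than the inherent exposure, is driving the rating.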

Information Security Strategy


Key Concepts
The Bank understands that security requires the integration of people, processes, and technology. All three of these
components need to be managed with the capabilities and limitations of the other components in mind.

The Bank’s security strategies include prevention, detection, and response with the most time and effort spent on
prevention.

The Bank’s security strategy derives from the concept of security domains, least permissions and least privileges.

Security Domains: The Bank’s security domain consists of a Windows-based network and Active Directory.
Resources such as users and groups are designed in a logical and physical manner. Share ACLs, directory and file
ACLs, Internet firewalls, antivirus software, and group policies are implemented to mitigate most network-related
risks.

Least Privileged Access: Least privilege is used to provide the Bank’s employees the functionality necessary to perform
their jobs while concurrently limiting potentially harmful actions. The Bank does this by limiting access to the
network, software, and files to the level the employee needs to perform their job duties.

Multiple layers of security are implemented with control points at each area. At the physical layer the Bank utilizes
locked doors with controlled key, key fob and PIN access for all servers and other networking equipment. At the
networked PC level, usernames and strong passwords are utilized as well as password protected screensavers that
activate after ten minutes of inactivity. At the logical network level share and file ACLs are utilized to provide or
deny access to system resources. Security groups are used to apply security to resources. The IT Department
reviews exceptions to this and as needed will apply security to an individual person.

Outsourced Security Services


The Bank may, at times, outsource security services to obtain greater expertise and a greater range of services to
decrease costs. When the Bank chooses to outsource these services, it will follow the guidance set forth in the
Bank’s Vendor Management Policy.

Security Controls
The goal of the Bank’s access controls is to allow authorized and authenticated employees access to information
to perform their assigned job duties.
Access Rights Administration
The Bank utilizes a four-step process for access rights administration:
1) Enrollment of new users. The IT department must be provided with a new user access form that lists the date of
hire, the department/location assigned to, and job position.
2) Authorization process to add, delete, or modify authorized access to computers, applications, directories, and
files. All modifications to access must be accompanied by a form requesting the access change. The form must
be signed by the employee’s supervisor or requesting manager, and no employee may sign their own access
change request form.
3) An authentication process to identify the user during subsequent activities. The Windows network utilizes
Kerberos keys to identify sessions and usernames and passwords to provide initial authentication. If a key is
different than what was granted when the user logged in, access will be denied and an event logged in the domain
controller’s security event log.

4) A monitoring process to manage the access rights granted to each user to ensure appropriate security based on
job duties. At least annually, user access will be reviewed for proper access. All access outside of the norm for the
job position must have a security access change request form on file.

Enrollment establishes the user’s identity and anticipated business needs for information and systems. New
employees, IT outsourcing relationships and contractors may also be identified, and the business need for access
determined during the hiring or contracting process.

During enrollment and thereafter, an authorization process determines user access rights. In certain
circumstances the assignment of access rights may be performed only after the manager responsible for each
accessed resource approves the assignment and documents the approval. In other circumstances, the assignment of
rights may be established by the employee’s role or group membership and managed by pre-established
authorizations for that group.

The access rights process programs the system to allow the users only the access rights they were granted.
Since access rights do not automatically expire or update, it is the responsibility of the Information Technology
Department to conduct periodic updating and review of access rights on the system. Updating occurs when an
individual’s business needs for system use changes. Many job changes can result in an expansion or reduction of
access rights. Job events that would trigger a removal of access rights include transfers, resignations and
terminations. It is the responsibility of the Human Resources department to promptly inform the Information
Technology Department to remove the access rights for users who have remote access privileges, access to customer
information, and perform administration functions for the Bank’s systems when these job events occur.

Default user accounts associated with new hardware or software are disabled or the authentication to the
account is changed as standard operating procedure by the Information Technology Department. Additionally,
access to these default accounts is monitored by the Information Technology Department more closely than other
accounts.

Anonymous access accounts are disabled for all systems that allow access to or store sensitive information
(including customer information) as standard operating procedure by the Information Technology Department.

All users of the Bank’s system are required to read and agree to the Bank’s End User Information Systems
Policy annually and will confirm this information through the HR policy review process.
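The monitoring step above (annual review, exception forms on file, no self-signed forms, removal on HR job events) is the kind of check that is easiest to get right when it is scripted against the access inventory. The following Python example is an added illustration written for this page, not the Bank's own procedure or tooling; the job positions, entitlement names, users and forms are constructed, and the "role baseline" idea (the set of entitlements normal for a position) is an assumption about how the Bank's pre-established group authorizations would be represented.

```python
"""Periodic user access review (added example; not the Bank's own procedure or tooling).

Models the policy's monitoring step: every entitlement outside the baseline for the
user's job position must be backed by a signed access-change request form, a form
signed by the employee it covers is not valid, and users HR reports as terminated
must have all access removed. Positions, entitlements, users and forms are constructed.
"""
from dataclasses import dataclass

# Assumed role baselines: the entitlements normal for each job position.
ROLE_BASELINE = {
    "teller": frozenset({"core_teller", "email"}),
    "loan_officer": frozenset({"core_loans", "doc_imaging", "email"}),
    "it_admin": frozenset({"domain_admin", "email", "vpn"}),
}


@dataclass(frozen=True)
class UserAccess:
    username: str
    position: str               # current position; a transfer updates this field
    entitlements: frozenset
    hr_status: str = "active"   # "active" or "terminated", as reported by HR


@dataclass(frozen=True)
class ChangeForm:
    username: str
    entitlement: str
    signed_by: str              # supervisor or requesting manager


def valid_forms(forms):
    """Index forms by (user, entitlement); a form signed by the employee it covers is rejected."""
    return {(f.username, f.entitlement): f for f in forms if f.signed_by != f.username}


def review_access(users, baselines, forms):
    """Return (username, finding, details) tuples for every deviation from policy."""
    approved = valid_forms(forms)
    findings = []
    for u in users:
        # HR job events (terminations) must result in removal of all access.
        if u.hr_status == "terminated":
            if u.entitlements:
                findings.append((u.username, "terminated_user_still_has_access", sorted(u.entitlements)))
            continue
        baseline = baselines.get(u.position)
        if baseline is None:
            findings.append((u.username, "unknown_position", [u.position]))
            continue
        # Anything beyond the role baseline needs a valid change-request form on file.
        # A transferred user keeps old-role entitlements only until this check catches them.
        undocumented = sorted(e for e in u.entitlements - baseline if (u.username, e) not in approved)
        if undocumented:
            findings.append((u.username, "access_outside_role_without_valid_form", undocumented))
    return findings


# Constructed sample data for the review run.
SAMPLE_USERS = [
    UserAccess("jdoe", "teller", frozenset({"core_teller", "email", "vpn"})),
    UserAccess("asmith", "loan_officer", frozenset({"core_loans", "doc_imaging", "email", "domain_admin"})),
    UserAccess("cwhite", "teller", frozenset({"core_teller", "email", "core_loans"})),   # transferred from loans
    UserAccess("bjones", "teller", frozenset({"core_teller", "email"}), hr_status="terminated"),
]
SAMPLE_FORMS = [
    ChangeForm("jdoe", "vpn", signed_by="mgr_branch_ops"),      # properly signed by a manager
    ChangeForm("asmith", "domain_admin", signed_by="asmith"),   # self-signed: not acceptable
]

if __name__ == "__main__":
    for username, finding, details in review_access(SAMPLE_USERS, ROLE_BASELINE, SAMPLE_FORMS):
        print(f"{username}: {finding} {details}")
```

Each finding maps to a policy step: the self-signed form reproduces the "no employee may sign their own access change request" rule, the transferred teller shows why job changes trigger a review, and the terminated user shows the HR notification path being verified rather than assumed.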

Authentication
Authentication is the verification of identity by a system based on the use of unique access IDs and passwords to
that system. The Bank defines unique credentials as either something the user has, something the user knows, or
something the user is. Examples of these are usernames and passwords, tokens, shared secrets, and biometrics.

For Internet-related authentication, the Bank has determined that single-factor authentication is not enough. A
multifactor approach for Internet-related transactions will be taken. Methods such as tokens with one-time
passwords, computer footprint, security questions, and shared secrets will be utilized.

The Bank’s authentication practices also include:

Considering whether multi-factor authentication is appropriate for each application, taking into account that
multifactor authentication is increasingly necessary for many forms of electronic banking and electronic payment
activities; and

Encrypting the transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs),
digital certificates, and biometric templates).

Authentication is the verification of identity by a system based on the presentation of unique credentials to that
system. The unique credentials are in the form of something the user knows, something the user has, or something
the user is. Those forms exist as shared secrets, tokens, or biometrics. More than one form can be used in any
authentication process. Authentication that relies on more than one form is called multi-factor authentication and is

Sturgis Bank & Trust Company Page 14 of 30


Information Security Program
Approved 11/2020
generally stronger than any single factor authentication method. Authentication contributes to the confidentiality of
data and the accountability of actions performed on the system by verifying the unique identity of the system user.

For purposes of this policy, the Bank employs the following authentication methods for access to its
information systems:

Login ID and Password for the Bank’s internal network

Access ID, password, and security image for consumer internet banking

Access ID, hardware token with a one-time password, and PIN for Business eBanking

Network Access Policy


It is the policy of the Bank to secure access to its computer networks through multiple layers of access control
to protect against unauthorized access by:

Grouping network servers, applications, data and users into a security domain;

Establishing appropriate access requirements within the security domain;

Implementing appropriate technological controls to meet those access requirements consistently.

It is the responsibility of the Vice President of Information Technology and Compliance Officer to be involved
in the development of policies, standards and procedures, and monitor the Bank’s compliance. In addition, these
individuals are also responsible for performing duties as a member of the Bank’s Incident Response Team.

Firewalls
Firewalls are an essential control for the Bank to protect itself from a variety of Internet-based attacks such as:

a. Spoofing trusted IP addresses;
b. Denial of service by overloading the firewall with excessive requests or malformed packets;
c. Sniffing of data that is being transmitted outside the network;
d. Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meets all firewall rules;
e. Attacks on un-patched vulnerabilities in the firewall hardware or software;
f. Attacks through flaws in the firewall design providing relatively easy access to data or services residing
on firewall or proxy servers; or
g. Attacks against computers and communications used for remote administration.

Firewalls are managed and maintained by the IT department, and firewall logs are compiled, correlated, and
analyzed through the use of the Bank’s SIEM system.

The following controls are to be implemented on all firewall devices:

a. Integrated security monitoring;
b. Additional access controls;
c. Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing and
maintaining all software on the firewall unit;
d. Restricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP (Internet
Control Message Protocol) traffic;
e. Using a rule set that disallows all inbound and outbound traffic that is not specifically allowed;
f. Using NAT to hide internal system names and addresses from external networks;
g. Filtering malicious code;
h. Logging activity with daily administrator review; and
i. General controls.
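Three of the firewall controls above (deny-by-default in both directions, blocking inbound ICMP, and logging for administrator review) can be verified mechanically against an exported rule set rather than by eye. The following Python example is an added illustration for this page, not the Bank's firewall configuration or tooling; the rule representation, zone labels such as "lan" and "dmz_web", and the two sample rule sets are constructed. It models first-match-wins ordering, which is how most firewalls evaluate rules, and reports a weak rule set beside a corrected one.

```python
"""Firewall rule-set policy check (added example; not the Bank's own firewall config or tooling).

Rules are evaluated in order and the first match wins, as on most firewalls. Zone and
host labels ("lan", "dmz_web", "dns_resolver") are constructed placeholders.
"""


def rule(direction, action, proto="any", src="any", dst="any", port=None, log=False):
    """Build one rule. direction is "in" or "out"; action is "allow" or "deny"."""
    return {"dir": direction, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "log": log}


def first_match(rules, direction, proto, port=None):
    """Return the first rule that would match traffic of this direction/protocol/port, or None."""
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["proto"] not in ("any", proto):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r
    return None


def _is_catch_all_deny(r):
    return (r["action"] == "deny" and r["proto"] == "any" and r["src"] == "any"
            and r["dst"] == "any" and r["port"] is None)


def audit_ruleset(rules):
    """Return a list of policy findings; an empty list means the rule set passes every check."""
    findings = []
    # Check 1: each direction must end in an explicit catch-all deny that is logged.
    for direction in ("in", "out"):
        per_dir = [r for r in rules if r["dir"] == direction]
        last = per_dir[-1] if per_dir else None
        if last is None or not _is_catch_all_deny(last):
            findings.append(f"{direction}bound: no final default-deny rule; unlisted traffic may pass")
        elif not last["log"]:
            findings.append(f"{direction}bound: default-deny rule does not log dropped traffic")
    # Check 2: inbound ICMP must hit a deny before anything allows it.
    icmp = first_match(rules, "in", "icmp")
    if icmp is None or icmp["action"] == "allow":
        findings.append("inbound: ICMP is not blocked; network mapping through the firewall is possible")
    # Check 3: a blanket allow in either direction defeats deny-by-default regardless of ordering.
    for idx, r in enumerate(rules):
        if (r["action"] == "allow" and r["proto"] == "any" and r["src"] == "any"
                and r["dst"] == "any" and r["port"] is None):
            findings.append(f"rule {idx}: blanket 'allow any' {r['dir']}bound defeats deny-by-default")
    return findings


# Constructed weak rule set: no catch-all denies, ICMP permitted, unrestricted outbound.
WEAK_RULES = [
    rule("in", "allow", "tcp", dst="dmz_web", port=443),
    rule("in", "allow", "icmp"),
    rule("out", "allow"),
]

# Constructed hardened rule set: only the named flows, ICMP dropped, logged default denies.
HARDENED_RULES = [
    rule("in", "allow", "tcp", dst="dmz_web", port=443),
    rule("in", "deny", "icmp", log=True),
    rule("out", "allow", "tcp", src="lan", port=443),
    rule("out", "allow", "udp", src="lan", dst="dns_resolver", port=53),
    rule("in", "deny", log=True),
    rule("out", "deny", log=True),
]

if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_ruleset(rs) or ["no findings"])
```

Because matching is first-hit, the order of the ICMP deny relative to any broader allow matters as much as its presence; the `first_match` helper reproduces that ordering so a rule set cannot pass merely by containing a deny somewhere below an earlier allow.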

Operating System Access


The Bank uses Microsoft LAPS (Local Administrator Password Solution) to manage operating system administrator
accounts. LAPS maintains a complex local administrator password for each computer and regularly changes that password.

Operating System Policy
It is the policy of the Bank to properly secure access to the operating systems of all system components by:

Securing access to system utilities;

Restricting and monitoring privileged access;

Logging and monitoring user or program access to sensitive resources and alerting on security events;

Updating the operating systems with security patches; and

Securing the devices that can access the operating system through physical and logical means.

The Bank controls access to system software (operating system and system utilities) within the various network
clients and servers in addition to stand alone systems. Access to such systems is only granted to appropriate
members of the Information Technology Department. In addition, the Bank has implemented access control security
software to ensure effective access control to integrate the security management of both the operating system and the
applications. This strategy allows the Bank to improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple operating system environments.

Business Continuity

It is the policy of the Bank to:

Identify personnel with key security roles during a continuity plan implementation, train personnel in those
roles, and secure back-up sites and alternate communication networks.

The Bank’s Business Continuity Plan is reviewed as an integral part of the security process. The Bank’s
strategies consider the different risk environment and the degree of risk mitigation necessary to protect the Bank in
the event the continuity plans must be implemented. The implementation considers the training of appropriate
personnel in security roles, and the implementation and updating of technologies and plans for back up sites and
communications networks.

For all business processes for which there is a significant requirement for availability, a complete and tested
business continuity plan is mandatory. The Vice President of Information Technology and the Business Continuity
Committee are responsible for the oversight of such a plan and are responsible for periodic testing of the plan. This
plan is to be developed and regularly tested in cooperation with other affected supervisors and/or third party entities.

The Bank has carefully evaluated and implemented appropriate insurance coverage to further mitigate risk with
respect to the directives and processes of its Information Security Program. The Bank’s insurance covers the
following areas of risk:

1. Vandalism of the Bank’s website or loss of Internet or electronic banking services;
2. Loss of income due to business interruption;
3. Loss of information technology equipment or facilities;
4. Media reconstruction;
5. Computer extortion associated with threats of attack or disclosure of data;
6. Loss of items in transit;
7. Theft of confidential information;
8. Security breaches;
9. Privacy breaches or violations;
10. Employee fidelity;
11. Denial of service attacks;
12. Litigation (breach of contract or errors and omissions);
13. Destruction or manipulation of data (including viruses);
14. Fraud, such as fraudulent electronic signatures on loan agreements or fraudulent instructions through e-mail;
15. Third party risk from companies responsible for security of the Bank’s systems or information;
16. Insiders who exceed system authorization;
17. Liability to customers resulting from electronic fund transfer system (EFTS) activities;
18. System downtime;
19. Incident response costs related to the use of negotiators, public relations consultants, security and computer
forensic consultants, programmers, replacement systems, etc.; and
20. Cybersecurity events.

The Bank has attempted to insure itself against these risks through existing blanket bond insurance coverage
added to existing policies in order to address specific threats. These specific threats were assessed in light of
the impact these incidents will have on the Bank’s financial, operational and reputation risk profiles.

Refer to the Bank’s Business Continuity Plan for more detailed information.

Outsourced Systems

It is the responsibility of the Board of Directors and Senior Management to ensure the protection of Bank and
customer data, even when that data is transmitted, processed, stored or disposed of by a service provider. Service
providers are to have appropriate security monitoring based on the risk to their organization, their customer
institutions, and the Bank’s customers. Accordingly, the Board of Directors and Senior Management are responsible
for evaluating the Bank’s service providers by:
1. Performing initial due diligence;
2. Constructing contracts;
3. Exercising ongoing oversight or audit responsibilities; and
4. Monitoring the service provider’s activities through review of timely audits and test results or other equivalent
evaluations where indicated by the Bank’s risk assessment.

Refer to the Vendor Management Program for detailed guidance.

Information Security Strategic Plan

General

The Bank has developed and maintains an Information Security Strategic Plan (the “Plan”) that takes into
consideration the following:

1. Aligns information technology with the corporate wide strategic plan;

2. Aligns information technology strategically and operationally with business units;

3. Maintains an information technology infrastructure to support current and planned business operations;

4. Integrates information technology spending into the budgeting process and weighs direct and indirect
benefits against the total cost of ownership of the technology;

5. Ensures the identification and assessment of risk before changes or new investment in technology;

6. Considers the appropriate deployment of prevention, detection and response mechanisms;

7. Implements the least permissions and least privileges concepts;

8. Establishes layered controls at multiple control points between threats and organization assets; and

9. Implements this and other related policies and procedures that guide management and employees in
implementing the Bank’s Information Security Program.

The primary purpose of the Plan, which originates from the Bank’s overall Corporate Strategic Plan, is to provide an
IT-specific plan for the next three to five years that complies with legal, statutory, contractual and internally
developed requirements and supports the Corporate Strategic Plan.

For more detailed information, please refer to the IT Strategic Plan, which can be obtained from the Vice President
of Information Technology.

Network Security and Security Change Management


1. Scope: Without a security policy, the availability of the Bank’s network can be compromised.
This policy begins with assessing the risk to the network. Continuation of the policy requires implementing a
security change management practice and monitoring the network for security violations. Lastly, the review process
modifies the existing policy as needed and adapts to lessons learned.

2. Policy: This document is divided into three phases: preparation, prevention, and response.

2.1. Preparation: Users’ roles and responsibilities with regard to security are outlined in the Information
Security Program.

2.1.1. Administrator Acceptable Use Statement: The Vice President of Information Technology is hereby
responsible for developing and maintaining an administrator acceptable use statement that explains the procedures for
user account administration, access level review, and system user level review. The Vice President of Information
Technology will ensure that administrator requirements are reflected in any required administrator training and
performance evaluations. Specific policies concerning user passwords and the handling of data are contained in the
Network Security Settings Appendix of the Network Admin guide.

2.1.2. Risk Analysis: As part of the preparation phase, the Vice President of Information Technology
will conduct a risk analysis to identify the risks to the network, network resources, and data. The
intent of the risk analysis is to identify portions of the network, assign a threat rating to each portion, and apply
an appropriate level of security. This helps maintain a workable balance between security and required network
access. Each network resource will be assigned one of three risk levels:
Low Risk – Systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or
data lost) would not disrupt the institution or cause legal or financial ramifications. The targeted system or data can
be easily restored and does not permit further access to other systems.

Medium Risk – Systems or data that if compromised would cause a moderate disruption to the institution, minor
legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a
moderate effort to restore or the restoration process is disruptive to the system.

High Risk – Systems or data that if compromised would cause an extreme disruption to the institution, cause
major legal or financial ramifications, or threaten the health or safety of a person. The targeted system or data
requires significant effort to restore or the restoration process is disruptive to the institution or other systems.

The identification of the risk level and the type of access required of each network system forms the basis of a
security matrix. The security matrix provides a quick reference for each system and a starting point for further
security measures, such as creating an appropriate strategy for restricting access to network resources.

2.1.3. Information Technology Steering Committee: The Vice President of Information Technology will lead
an Information Technology Steering Committee comprised of a representative of each business unit. The
Information Technology Steering Committee has three areas of responsibility: policy development, practice, and
response.

Policy development is focused on establishing and reviewing security policies for the institution
on an annual basis, including the risk analysis.

Practice is the stage during which the Information Technology Steering Committee conducts
the risk analysis; approves security change requests; reviews security bulletins and alerts from vendors,
US-CERT, and other mailing lists; and turns plain-language security policy requirements into specific technical
implementations as required.

The last area of responsibility is response. While network monitoring often identifies a security violation, it is
the Information Technology Steering Committee members who manage the actual troubleshooting and fixing of
such a violation. Each Information Technology Steering Committee member should know in detail the security
features provided by the equipment in his or her operational area and be able to assign resources to implement
resolutions.

2.2. Prevention: Prevention is broken down into two parts: approving security changes and monitoring security
of the network.

2.2.1. Approving Security Changes: Security changes are defined as changes to network equipment that have
a possible impact on the overall security of the network. The Vice President of Information Technology can approve
security changes.

Any employee can recommend security changes. Members of the Information Technology Steering Committee
can deny a change request that is considered a security change until it has been approved by the Information
Technology Steering Committee. In emergency situations, the Vice President of Information Technology can
authorize security changes, provided such changes are immediately brought to the attention of the Information
Technology Steering Committee.

2.2.2. Monitoring Security of the Network: Security monitoring is similar to network monitoring, except it
focuses on detecting changes in the network that indicate a security violation. The starting point for security
monitoring is determining what is a violation. In conducting a Risk Analysis the Vice President of Information
Technology develops the level of monitoring required based on the threat to the system. In approving security
changes, the Vice President of Information Technology identifies specific threats to the network the change may
make and modifies the monitoring appropriately.

2.3. Response: Response is broken into three parts: security violations, restoration, and review.

2.3.1. Security Violations/Intrusion Detection: When a violation is detected, the ability to protect network
equipment, determine the extent of the intrusion, and recover normal operations depends on quick decisions. An
intrusion detection system has been configured on the network that sends alerts to IT staff for potential intrusions.
IT staff review these alert emails, note the activity, and take appropriate action or make appropriate changes as
necessary. Having guidelines in place to make these decisions ahead of time makes responding to an intrusion much
more manageable. The Information Technology Steering Committee is responsible for developing a notification
system. Additionally, the Board of Directors is responsible for assigning the Information Security Officer.

The Information Security Officer will determine what should be done and in what order the changes should be
made. Possible corrective actions are:

• Implementing changes to prevent further access to the violation.
• Isolating the violated systems.
• Contacting the carrier or ISP in an attempt to trace the attack.
• Using recording devices to gather evidence.
• Disconnecting the violated systems or the source of the violation.
• Contacting the police or other governmental agencies.
• Shutting down violated systems.
• Restoring systems according to a prioritized list.
• Notifying internal managerial and legal personnel.

To determine the extent of the violations, the Information Technology Steering Committee will do the following:
o Record events by obtaining sniffer traces of the network, copies of log files, active user accounts, and
network connections.
o Limit further compromises by disabling accounts, disconnecting network equipment from the network,
and disconnecting from the Internet.
o Back up compromised systems to aid in a detailed analysis of the damage and method of attack.
o Look for signs of compromise. Often when a system is compromised, there are other systems or
accounts involved.
o Maintain and review security device log files and network monitoring log files, as they often provide
clues to methods of attack.

2.3.2. Restoration: Restoration of normal network operations is the final goal of any security violation
response.

2.3.3. Review: The review process is the final effort in creating and maintaining a security policy. The Network
Security Policy should be a living document that adapts to an ever-changing environment. As such, the Information
Technology Steering Committee will review the existing policy on a continual basis against known best practices,
lessons learned, US-CERT security practices, security improvements, bulletins, alerts, etc. The Vice President of
Information Technology will employ the services of an outside firm that specializes in security to penetrate the
network and test not only the posture of the network, but the security response of the organization as well. Such tests
will be conducted on an annual basis. Additionally, the

3. Exception: Exceptions to this policy must be approved, in writing, by the Vice President of
Information Technology.

5. Sanctions: Accounts and network access may be administratively suspended by the Bank with or without notice
when, in the Bank’s judgment, continued use of the Bank’s resources may interfere with the work of others,
place the Bank or others at risk, or violate Bank policy. Any violation of this policy may lead to disciplinary
charges under the appropriate Human Resource policy, which may include termination. All known and/or
suspected violations must be reported to the Vice President of Information Technology, who will investigate all
such allegations of misuse with the assistance of Human Resources.

Further references: Incident Response Program

Branch and Department Security

The Bank’s branches and departments are “Distributed Hardware and Software Environments” (e.g., local area
networks or LANs) that may offer a full range of applications that are commonly housed without special
environmental controls or raised flooring. In this respect, overall building security becomes an important aspect.
The level of security surrounding any hardware and software is dependent on the sensitivity of the data that can be
accessed, the significance of applications processed, the cost of the equipment, and the availability of backup
equipment.

For PCs in unrestricted areas such as a branch lobby, the Bank secures PCs by using screensaver passwords and
automatic timeouts. It is the responsibility of employees to be fully aware of the sensitivity of computer and
physical information and enforce safeguard controls to ensure their effectiveness.

Whenever possible, the Bank’s PCs are protected from environmental factors such as smoke, dust, heat,
humidity, food particles and liquids through good user behavior.

Hardware, software, network and data components requiring physical security include servers, PCs, removable
media (tapes and disks) and other related devices. In this respect, the Bank’s physical security standard is to prevent
unauthorized personnel from accessing these components, including LAN devices or the transmission of data.
Physical protection includes power protection and physical access control. Physical access to the network components (i.e., files,
applications, communications, etc.) is limited to those who require access to perform their jobs. Network
workstations or PCs are password protected and monitored for workstation activity by the Information Technology
Department.

Branch and department supervisors are responsible for maintaining proper and adequate physical security
safeguards for the protection of the hardware and software assigned to their respective areas of responsibility.
Supervisors are responsible for ensuring compliance with this policy including, but not limited to:

1. Ensuring sensitive reports and information are properly safeguarded and disposed of in a proper manner;
2. Assessing their branch’s or department’s physical control needs and implementing controls necessary to ensure
proper security and protection;
3. Monitoring and maintaining control over the use of laptops or other portable access devices;
4. Securing the work areas housing computers or access devices;
5. Assessing the need for locks and keys;
6. Establishing proper housekeeping rules;
7. Maintaining adequate environmental controls; and
8. Ensuring their employees receive training in the proper use and care of computers.

All users are responsible for the physical security and protection of their computers, including but not limited to:

1. Abiding by all security policies and procedures established by the Bank;
2. Securing any laptop or portable access device while in their possession; and
3. Reporting any suspicious individuals or activity to Bank management.

Sensitive Information Encryption Policy

General

It is the policy of the Bank to employ encryption to mitigate the risk of disclosure or alteration of sensitive
information in storage and transit by ensuring:

1. Encryption strength is sufficient to protect the information from disclosure until such time as disclosure poses no
material risk;
2. Effective key management practices;
3. Robust reliability; and
4. Appropriate protection of the encrypted communication’s endpoints.

The Bank uses encryption to secure communications and data storage; particularly authentication credentials
and the transmission of sensitive information. Specifically, the Bank uses encryption:

As a preventive control and/or a detective control. As a preventive control, encryption acts to protect the
Bank’s data from disclosure to unauthorized parties. As a detective control, encryption is used to allow discovery of
unauthorized changes to the Bank’s data and assigns responsibility for data among authorized parties. Together,
these elements combine into a key control in ensuring confidentiality, data integrity and accountability.

The Bank makes decisions regarding what data to encrypt and at what points to encrypt the data based on the
sensitivity of the information, risk of disclosure and the costs and risks of encryption. Sensitive information is
encrypted when passing over a public network.

Traveling Laptops
Laptops that leave the institution are required to have their hard drives encrypted, have a strong password set, and have
antivirus software installed and configured for automatic updates. As soon as a laptop is put back on the Bank network
it must receive a full system scan and a scan for all available system updates. No Bank data should be saved on any
corporate laptop, and the Bank network shall only be accessed via a secure VPN connection configured with
multifactor authentication.

Encryption Key Management

It is the responsibility of the Information Technology Department to ensure the Bank maintains effective key
management based upon standards, procedures and secure methods that address, where necessary:

1. Generating keys for different cryptographic systems and different applications;
2. Generating and obtaining public keys;
3. Distributing keys to intended users, including how keys should be activated when received;
4. Storing keys, including how authorized users obtain access to keys;
5. Changing or updating keys, including rules on when keys should be changed and how this will be accomplished;
6. Dealing with compromised keys;
7. Revoking keys and specifying how keys should be withdrawn or deactivated;
8. Recovering keys that are lost or corrupted as part of business continuity management;
9. Archiving keys;
10. Destroying keys;
11. Logging and auditing of key management related activities; and
12. Instituting defined activation and deactivation dates, limiting the usage period of keys.

The Bank’s key management system includes the following precautions:

1. Key management is fully automated (e.g., personnel do not have the opportunity to expose a key or influence the
key creation);
2. No key ever appears unencrypted;
3. All patterns in clear text are disguised before encrypting;
4. Keys with a long life are sparsely used;
5. Keys are changed frequently;
6. Keys that are transmitted are securely sent to well authenticated parties; and

Systems Development and Acquisitions

General
Systems development and acquisitions take into consideration the following factors:
1. Project management
2. Controls over the change process
3. Ensuring development and acquisition meets the needs of the end users
4. When necessary, controls over source code must be maintained or held by a third party

The Board of Directors, through the Information Technology Steering Committee, provides oversight of systems
development and acquisitions. The steering committee is responsible for the establishment of projects and for reporting
status and concerns to the Board of Directors through steering committee meeting minutes.

The Steering Committee will ensure that, during development or acquisition, segregation of duties is
maintained to ensure system integrity, and that proper personnel are assigned for information security, auditing and testing of
technology-related projects.

All vendor reviews shall follow the guidance as stated in the Bank’s Vendor Management Program.

It is the policy of the Bank to ensure that systems are developed, acquired and maintained with appropriate
security controls by:

1. Ensuring that systems are developed and implemented with appropriate enabled security features;
2. Ensuring that software is trustworthy by implementing appropriate controls in the development process,
reviewing source code, when appropriate, reviewing the history and reputation of vendors and third party
developers through due diligence, and implementing appropriate controls outside of the software to mitigate the
unacceptable risks from any deficiencies;
3. Maintaining appropriately robust configuration management and change control processes; and
4. Establishing an effective patch management program.

Core Processing Security

General

The core processing system (mainframe computer software) currently used by the Bank is ITI from Fiserv. This
software interfaces with other software applications that may be covered by elements of this policy. Those software
applications include, but are not limited to:

Viewpoint, Microsoft Office, Monarch, MortgageBot, LaserPro, Freddie Mac Loan Prospector,

This section establishes adequate controls over the processing of customer data and ensures timely processing
on a day to day basis. This policy also outlines assigned guidelines and standards for core processing systems. The
Technology Steering Committee, Vice President of Information Technology and Senior Management are
responsible for implementing the standards described in this policy.

Security Standards

The Information Technology Department is responsible for core processing security issues of the Bank.
Physical security for other hardware in the data processing area is the responsibility of the Bank’s core software
provider and encompasses the following:

1. Physical security for the core processing system;
2. Network connectivity to the core processing system; and
3. Front end applications on network application servers.

Unauthorized user access to software and data also presents risk to the Bank. The Information Technology
Department is responsible for assigning user IDs and security class access levels within the core system. All core
processing users utilize a unique user ID and password and may use additional authentication methods. Systematic,
periodic changes to passwords are required. All users are required to log off the application or lock their
application whenever they are not present.

Access to the application is managed through security groups. All employees are set up as users with an
assigned security group. Security groups are assigned on functionality within the system as it relates to specific job
responsibilities within the Bank. Any individual exceptions to the group must be requested using the Security
Access Change Request form found on the Bank’s intranet site.


Custom Report Standards

All of the Bank’s core system custom report requests are completed by submitting a custom report request form to
the Information Technology Department. All custom or special core system report requests must be made in
written form. All custom report requests are reviewed by the Information Technology Department as to the nature of
the intended report and the need to know of the requestor. The Vice President of Information Technology reserves
the right to deny access to the data requested if the information is not deemed necessary in the requestor’s course of
business. All reports will be distributed via the local area network in a secured manner. Any information that must
be emailed to a third party will be sent using the Bank’s encrypted email system. This system encrypts the
attached documents prior to sending them, using a 256-bit encryption scheme. The documents are then sent to the
Bank’s encryption server through an SSL-encrypted connection for storage. Recipients receive a message that an
encrypted message is waiting for delivery. Recipients must have a security username and password to access their
message. Any passphrase to a document must be provided in a manner separate from the data being provided. For
example, if a PDF file is encrypted, the password should not be sent with the email containing the file and should be
provided via a phone call or a different method from that used to send the file.

VOIP

General

Voice Over Internet Protocol (VoIP) refers to the transmission of voice communications over the Internet rather
than through a public switched telephone network (PSTN). When a telephone call is made, VoIP translates the
caller's voice into a stream of data packets using an analog-to-digital converter. The data packets are transmitted over the
Internet and converted back to a voice signal on the other end of the communication.

The Bank has implemented a VoIP telephone solution due to considerable cost savings for the Bank when
compared to a traditional telephone network. Cost savings are realized through the elimination of long distance
charges that would normally be incurred through the PSTN. In addition, only one network is managed for both
voice and data, resulting in additional savings. The Bank, however, realizes that VoIP also brings increased data
security risks. As such, the Bank has carefully evaluated the benefits (lower communication expenses) against the
disadvantages (substantial implementation costs and increased data security risks) as outlined in this section.

Risks

VoIP is susceptible to the same risks as the Bank’s data networks that use the Internet, such as exposure to
viruses, worms, Trojans and man-in-the-middle attacks. Configuration weaknesses in VoIP devices and underlying
operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud
(theft of service), all of which can result in the loss of privacy and integrity of the Bank’s system. In addition, a
potential exists for the exploitation of SPAM using VoIP. In this situation, SPAM refers to unwanted and
potentially offensive phone calls.

VoIP sessions can be established with a variety of protocols. H.323 (International Telecommunications Union
standard for real time communication) and SIP (Session Initiation Protocol) are the most commonly used protocols.
The Bank’s VoIP enabled telephones, software and other network equipment are compatible with more than one
protocol to ensure future interoperability.

Speed is imperative to the quality of transmission, and in order to achieve adequate voice quality, VoIP requires
the highest priority access to available bandwidth. VoIP must be fast enough to avoid a delay, even by milliseconds,
in the processing and delivery of voice packets. The loss, out of sequence delivery or non-delivery of data packets
can also adversely affect the quality of VoIP.

Risk Mitigation Strategies

The Bank has implemented the following VoIP risk mitigation strategies:

The Bank’s VoIP system is configured not to transmit calls over the Internet, but to use only the corporate
WAN as its communication medium, so that there are no external network access points into the Bank’s VoIP
system.

The Bank’s VoIP system is included as part of the Bank’s periodic information technology risk assessment and
discussed in status reports submitted to the Board of Directors as mandated by section 501(b) of the Gramm-Leach-
Bliley Act. Any identified weaknesses are corrected during the normal course of business. It is the responsibility of
the Vice President of Information Technology, along with the Bank’s Technology Steering Committee, to oversee
the administration of the Bank’s VoIP systems.

Paper Repository Policy

Overview

Sturgis Bank & Trust Company (“the Bank”) realizes the need to control and protect access to paper documents
that may contain customers’ personal information. This policy is continually evolving. The Bank will use this
policy to establish and ensure compliance with policies for handling and storing information distributed on paper,
ensure safe and secure disposal of sensitive paper, and secure paper in transit to third parties. The purpose of this
policy is to give the Bank’s employees the knowledge and understanding to secure customers’ private information.

Introduction

The security of confidential information cannot be maintained by policies alone. Our behavior as employees
also affects the confidentiality, integrity, and availability of that information. This document gives the Bank’s
employees the knowledge needed to protect Bank information and assets from misuse, abuse, unauthorized access or
unauthorized disclosure. This policy addresses three components of securing information contained on paper:
handling and storage, disposal, and transit.

Handling

Handling of sensitive paper documents is the first step in securing the information contained in the document.
All documents containing non-public personal information are considered sensitive. When not in use, all documents
that contain confidential information will be secured by placing them in locked storage, shredding them, or
restricting visual access to them through control by another employee.

Disposal

To minimize the potential of confidential information being combined with non-confidential information, all
disposed paper will be considered confidential. All documents that have been disposed throughout the day will be
collected by janitorial staff and placed in a secured trash bag. A secure trash bag is one that is dark and not
transparent. When all trash has been collected from receptacles, the janitorial staff will dispose of the collected
documents and store them in a locked storage container located at each branch location. Below is a list of locations
with storage containers:

Sturgis Bank Main Office (1 container)
113-125 East Chicago Road
Sturgis, MI 49091

White Pigeon Banking Center (1 container)
122 W. Chicago
White Pigeon, MI 49099

Colon Banking Center (1 container)
110 S. Blackstone
Colon, MI 49040

Three Rivers Banking Center (1 container)
115 N. Main Street
Three Rivers, MI 49093

Centreville Banking Center (1 container)
158 W. Main
Centreville, MI 49032

Climax Banking Center (1 container)
125 N. Main St.
Climax, MI 49034

South Haven Banking Center (1 container)
1121 LaGrange St.
South Haven, MI 49090

South Haven Banking Center 2 (1 container)
365 Center St.
South Haven, MI 49090

Transit

The Bank recognizes the risk to confidential information while in transit. The Bank will require third party
vendors that have access to confidential information to sign a nondisclosure agreement and to have all couriers carry
company identification. While in transit, all confidential information will be in locked storage and in packaging
that is not transparent. All material deemed extra sensitive, such as checks and credit reports, will be shredded
prior to storage or pickup.


EXHIBIT A
Description of Service
Hands-Free Off-Site Shredding Services - Allshred Services will pick up any material designated for
destruction as scheduled. An Allshred driver will arrive at a customer location to pick up the material; the driver
will take a locked container into the building to switch out or collect the confidential material for destruction, record
what is picked up on the Allshred paperwork and ask a customer representative for a signature. Our driver will take
the material, in the locked container, to our truck and transport the material back to our state of the art shredding
facility (tracked by GPS) for processing.

Once the material arrives at our facility, it is unloaded from our locked trucks, weighed or counted, and emptied
into a pit with a conveyor system running directly into the shredding system. This process is hands free and adds
an additional layer of security to this process. The material will be destroyed within 24 hours.

All of our trucks are locked and outfitted with the latest GPS technology. We know where our trucks, and your
materials, are at all times.

At the time of invoicing we will issue a notarized Certificate of Destruction to be kept on file. All shreds of
paper are baled and shipped right to a secured paper mill where they will be pulped and turned back into usable
paper products.

Security Console

Information Sanitization and Disposal Guidelines

1.0 Overview

To ensure the security and confidentiality of sensitive information, Sturgis Bank and Trust Company will sanitize and
destroy information on electronic media when the media falls out of the scope of usefulness.

2.0 Media Sanitization and Disposal

Information sanitization and disposal/destruction is the process of cleaning or damaging information to prevent its
disclosure. To protect the confidentiality of information and to eliminate its exposure, information must be appropriately
disposed of when its retention period has expired. The method of disposal must be appropriate for the format of the
information and the risk of its disclosure.

Sensitive information that must be retained for business purposes but is not expected to be in use must be
archived in a locking vault, cabinet, or other form of secure storage until its retention period has expired. This type of
sensitive information must not leave the facility before it is sanitized or destroyed unless its removal is for such a purpose.

Magnetic storage devices, such as hard drives, floppy disks, or storage tapes, as well as flash media devices, such as flash
drives, cell phones, and MP3 players, that are intended for reuse or disposal must be sanitized by using Active KillDisk to
adhere to US Department of Defense 5220.22-M Clearing and Sanitization guidelines (http://killdisk.com/dod.htm). A
certification of sanitization will be kept for each device sanitized.

Magnetic storage devices, such as hard drives, floppy disks, or storage tapes that are no longer in use will be physically
destroyed by removing the platters or tape and physically smashing them with a hammer, exposing them to intense heat, or by professional
shredding through AllShred Services.

Flash media devices, such as flash drives, cell phones, and MP3 players that are no longer in use must be physically
destroyed.

Any digital media storage device that has been determined to be obsolete or has exceeded its useful life must be rendered
unusable by using the appropriate techniques for that type of device.

Staff Training

This policy requires the development of an ongoing, effective program of information protection awareness
education for all management and employees which is directed toward their specific activities and responsibilities.
It also requires specific administrative and technology training for those individuals charged with special protection
responsibilities. It is the responsibility of the Technology Steering Committee and Vice President of Information
Technology to oversee the internal development of relevant education and training programs and assist personnel in
carrying out their responsibilities for planning and conducting these programs.

Training Requests

Computer training for Bank personnel is administered by the Information Technology Department, other
designated Bank personnel, or third party vendors, depending on the type, subject matter and scope of training
necessary to meet the need. Supervisors are ultimately responsible for assessing and approving the computer
training needs for their respective area of responsibility, specifically the needs of their employees to enhance job
performance. Likewise, employees are responsible for identifying and communicating job-related
computer training needs to their supervisors. Supervisors are responsible for communicating internal requests for
computer training directly to the Information Technology Department. Supervisors with requests for external
computer training are to coordinate the training with the Information Technology Department and the Human
Resources Department. Computer training is intended to properly instruct Bank personnel to use the system
efficiently and properly without violating any of the provisions of this and other network and computer policies of
the Bank.
