Data Security and Data Breach Policy 2020
DEVELOPMENT
This Program consists of the following component policies governing different aspects of information
security for Opportunity Fund (herein defined as “Opportunity Fund”):
The Acceptable Use Policy describes the acceptable use of information and technology resources of
Opportunity Fund. The Acceptable Use Policy protects both Opportunity Fund Personnel and
Opportunity Fund. Inappropriate use exposes Opportunity Fund to risks including virus attacks,
compromise of network systems and services, and legal issues.
The Data Security Policy establishes processes for ensuring the security and confidentiality of
Confidential Information and creates administrative, technical and physical safeguards to protect
against unauthorized access or use of this information. Confidential Information includes sensitive
customer personal information and Opportunity Fund information and must be given the highest level
of protection against unauthorized access, modification or destruction. Unauthorized access to
customer Confidential Information may result in a significant invasion of privacy and may expose
Opportunity Fund to significant financial and reputational risk. Unauthorized access or modification
to Confidential Information may result in direct, materially negative impacts on the finances,
operations and/or reputation of Opportunity Fund. Opportunity Fund’s Confidential Information may
include financial and planning information, legally privileged information, invention disclosures and
other information concerning intellectual property.
The E-mail Policy includes requirements for use of e-mail and computers, including access to the
Internet, within Opportunity Fund’s networks to minimize legal, privacy and security risks.
The Password Protection Policy and Construction Guidelines establish a standard for creation of
strong passwords, the protection of those passwords and the frequency of change. Passwords are a
critical component of information security. A poorly chosen password and failure to secure the
password may result in unauthorized access and/or exploitation of Opportunity Fund resources.
The Software Installation Policy provides the requirements regarding installation of software on
Opportunity Fund devices to minimize the risk of loss of program functionality, the exposure of
sensitive information contained within Opportunity Fund’s networks, the risk of introduction of
malware and the legal exposure of running unlicensed software.
The Server Security Policy establishes the base configuration of internal server equipment and
standards for the web server used by Opportunity Fund because of Opportunity Fund’s online
operations and hosting of Confidential Information. Effective implementation of this Server Security
Policy will minimize unauthorized access to customer information and Opportunity Fund’s
proprietary information and technology.
The Remote Access Policy defines the requirements for approval, monitoring and controlling remote
access tools used by Opportunity Fund Personnel to ensure the security of Opportunity Fund’s
networks.
The purpose of the Wireless Communication Policy and Standards is to secure and protect the information assets
in Opportunity Fund’s possession, including its Confidential Information. Opportunity Fund may grant
access to these resources via wireless communication standards, and Opportunity Fund Personnel must
manage them responsibly to maintain the confidentiality, integrity and availability of all information
assets. The Wireless Communication Policy and Standards specify the technical requirements that
wireless devices must satisfy to connect to an Opportunity Fund network. Only those wireless devices that
meet the requirements specified in this standard or are granted an exception by the Information
Technology Department (“IT”) are approved for connectivity to an Opportunity Fund network.
The Workstation Security and Clean Desk Policy secures and protects the information assets in hard
copy or electronic form in Opportunity Fund’s possession, including its Confidential Information such
as customer information.
The Data Breach Plan defines the requirements for investigation and response including notification
to customers and regulators of a suspected or actual unauthorized release or access to customer
information whether stored by Opportunity Fund or its servicers.
OPERATING PROCEDURES
The Acceptable Use Policy applies to the use of information, electronic and computing devices, and
network resources to conduct Opportunity Fund’s business or to interact with internal networks and
business systems, whether owned or leased by Opportunity Fund or Opportunity Fund Personnel. All
Opportunity Fund Personnel are responsible for exercising good judgment regarding appropriate use of
information and technology resources in accordance with Opportunity Fund Policies and standards, and
applicable law.
System and Network Activities — The following activities are strictly prohibited, with no exceptions:
Violations of the rights of any person or Opportunity Fund protected by copyright, trade secret, patent
or other intellectual property, or similar laws or regulations, including, but not limited to, the
installation or distribution of “pirated” or other software products that are not appropriately licensed
for use by Opportunity Fund.
Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources and copyrighted
music.
Accessing Opportunity Fund’s data, servers or accounts for any purpose other than conducting
Opportunity Fund’s business.
Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
Revealing Opportunity Fund Personnel’s account password to others, including household
members when work is being done at home, or allowing use of Opportunity Fund Personnel’s
account by others. (See the Remote Access Policy below).
Making fraudulent offers of products, items or services originating from any Opportunity Fund e-mail account.
Making statements about warranty, express or implied, unless it is a part of normal job duties.
Providing non-public information about, or lists of, Opportunity Fund Personnel to parties outside
Opportunity Fund unless it is part of our normal job duties.
Copying account or borrower information in any form to any device other than Opportunity
Fund’s technology platforms – including personal cell phones.
E-mail and Communication Activities — When using Opportunity Fund’s technology resources to
access and use the Internet, users must realize they represent Opportunity Fund. The following
activities are strictly prohibited, with no exceptions:
Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising
material to individuals who did not specifically request such material. See Marketing Policy.
Any form of harassment via e-mail, telephone or otherwise, whether through language, frequency
or size of messages.
Creating or forwarding “chain letters,” “Ponzi” or other “pyramid” schemes of any type.
Sending account or borrower information outside of Opportunity Fund without authorization
from the VP of Technology or Chief Financial Officer or Chief Risk Officer.
Blogging and Social Media—Blogging by Opportunity Fund Personnel, whether using Opportunity
Fund’s property and systems or using personal computer systems, is also subject to the terms and
restrictions set forth in the Acceptable Use Policy. See the Social Media Policy in our employee
handbook.
All confidential and other sensitive information is to be safeguarded from unauthorized access, use,
modification or destruction.
All information covered by this Data Security and Data Breach Policy is an “Information Resource”
and is to be classified among one of three categories, according to the level of security required. In
descending order of sensitivity, these categories (or “security classifications”) are “Confidential,”
“Internal Use Only” and “Public.” An “Information Resource” is a discrete body of information
created, collected and stored in connection with the operation and management of Opportunity Fund
and used by members of Opportunity Fund having authorized access as a primary source. Information
Resources include electronic databases as well as physical files.
All Information Resources, whether physical documents, electronic databases or other collections of
information, are to be assigned to a security classification level according to the most sensitive
content contained therein and will be explicitly classified such that users of any particular data are
aware of its classification.
In the event information is not explicitly classified, it is to be treated as follows: any data that includes
any customer information shall be treated as “Confidential Information”. Other information is to be
treated as “Internal Use Only”, unless such information appears in a form accessible to the public
(i.e., on a public website or in a widely distributed publication) or is created for a public purpose,
in which case it is to be treated as “Public”.
“Internal Use Only” includes information that is less sensitive than Confidential Information but that,
if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal
interests, or on the finances, operations or reputation of Opportunity Fund. Examples include our
Credit Policies, Credit ScoreCards, Financial Reports, Board Materials and Loan Performance Reports.
“Public Information” consists of those items approved by at least one member of the Executive Team to be
shared publicly. Examples include publications on impact, client stories, or our annual report.
Appoint the Opportunity Fund VP of Compliance to work with the Vice President of Technology
to monitor federal, state and local legislation concerning privacy and data security, stay abreast of
evolving best practices in data security and privacy and periodically assess whether any changes
should be made to the Data Security Policy.
Ensure that terminated Opportunity Fund Personnel no longer have access to Opportunity Fund
systems that permit access to Confidential or Internal Use Only information.
Opportunity Fund maintains a computer security system that provides at a minimum, to the extent
technically feasible:
o Control of data security passwords to ensure that such passwords are kept in a location and/or
format that does not compromise the security of the data they protect in accordance with the
Password Protection Policy and Construction Guidelines.
Secure access control measures, including restricting access to records and files containing
Confidential Information to those who need such information to perform their job duties.
Encryption of all transmitted records and files containing customer Confidential Information that
will travel across public networks, and encryption of all data containing customer Confidential
Information to be transmitted wirelessly.
Reasonably up-to-date firewall protection and operating system security patches reasonably
designed to maintain the integrity of the Information Resources.
Reasonably up-to-date versions of system security agent software, which must include malware
protection and reasonably up-to-date patches and virus definitions, or a version of such software
that can still be supported with up-to-date patches and virus definitions and is set to receive the
most current security updates on a regular basis.
Monitoring software for our applications and environments that scans for internal and external
vulnerabilities. Once identified, vulnerabilities are remediated in the following order of priority:
o Critical
o High
o All Else
For data at rest, we encrypt and mask fields in our customer database.
E-mail Policy
The E-mail Policy covers appropriate use of any e-mail sent from an Opportunity Fund e-mail address
and access to the Internet using Opportunity Fund’s computers and applies to all Opportunity Fund
Personnel.
All use of e-mail must be consistent with Opportunity Fund’s policies and procedures of ethical
conduct, confidentiality and security of Confidential Information, compliance with applicable laws
and best business practices.
Opportunity Fund’s e-mail system and computers, including access to the Internet, should be used
primarily for Opportunity Fund’s business-related purposes. Opportunity Fund specifically prohibits
use of the computers (including access to the Internet) and the e-mail system in ways that are
disruptive or offensive to others, including sexually explicit messages, images and cartoons; ethnic
slurs; racial comments; off-color jokes; or anything that could be construed as harassment or shows
disrespect for others, defames or slanders others or otherwise harms another person or business. All
non-Opportunity Fund-related commercial uses of the computers and e-mail are prohibited.
Opportunity Fund Personnel may not access the Internet to log onto any website that contains any
such material, including any pornographic website or any website that contains any discriminatory
message or disparages any group.
All Opportunity Fund data contained within an e-mail message or an attachment must be secured
according to this Data Security and Data Breach Policy whether it is shared internally or externally.
Opportunity Fund’s e-mail system may not be used for the creation or distribution of any messages
that are disruptive, offensive or harmful to morale, including offensive comments about race, gender,
hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political
beliefs or national origin.
Opportunity Fund Personnel are prohibited from forwarding any Opportunity Fund e-mail containing
Confidential Information to a personal e-mail account. Opportunity Fund Personnel are also
prohibited from using third-party e-mail systems and storage servers to conduct Opportunity Fund
business, to create or memorialize any binding transactions or to store or retain e-mail on behalf of
Opportunity Fund.
Using a reasonable amount of Opportunity Fund resources (as determined by Opportunity Fund) for
personal e-mails is acceptable, but non-work-related e-mail must be saved in a separate folder from
work-related e-mail. Sending chain letters or joke e-mails from an Opportunity Fund e-mail account is
prohibited.
Opportunity Fund Personnel shall have no expectation of privacy in anything they store, send or
receive on Opportunity Fund’s e-mail system.
Password Creation
All user-level and system-level passwords must conform to the Password Construction Guidelines.
Users must not use the same password for Opportunity Fund accounts as for other non-Opportunity Fund access (for example, personal ISP account, benefits and so on).
User accounts that have system-level privileges must have a password that is unique from all
other accounts held by that user to access system-level privileges.
Password Change
Password Protection
Passwords must not be shared with anyone. All passwords are to be treated as Opportunity Fund
Confidential Information.
With the exception of temporary passwords that must be changed on first use, passwords must
not be inserted into e-mail messages or other forms of electronic communication; revealed over
the phone to anyone; revealed on questionnaires or security forms; shared with anyone, including
administrative assistants, secretaries, managers, co-workers while on vacation and family
members; written down and stored anywhere in Opportunity Fund Personnel’s or office; stored in
a file on a computer system or mobile devices (phone, tablet) without encryption.
Any user suspecting that his or her password may have been compromised must report the
incident to their immediate supervisor and IT Help Desk, and promptly change all passwords.
All passwords must meet or exceed the following requirements and must be changed no less
frequently than the time frames provided in the Password Protection Policy. Three out of the
following four criteria must be met:
If a user attempts to sign in and consecutively fails more than five times, the user’s account will be
automatically locked, and will require the user to wait for 30 minutes before retrying or request IT to
reset the password.
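The lockout rule above (more than five consecutive failures locks the account; the lock clears after 30 minutes or on an IT reset) is concrete enough to implement and test. The following is an added example written for this page, not code from Opportunity Fund or its policy; the credential check itself, the user names and the timeline are constructed. The point it makes beyond the text is that a locked account must answer "locked" even to the correct password, so the lockout window cannot be used to confirm a guess, and that a successful sign-in resets the consecutive-failure count.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the policy text: more than five consecutive failures
# locks the account, and the lock lasts 30 minutes unless IT resets it.
MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_PERIOD = timedelta(minutes=30)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Tracks consecutive sign-in failures per user and enforces the lockout."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return "ok", "denied" or "locked" for one sign-in attempt.

        `password_ok` is the outcome of the caller's credential check (assumed
        here; the policy does not describe it).  While the account is locked the
        answer is "locked" whatever the password, so the lock window gives no
        feedback about whether a guess was right.
        """
        state = self._state(user)
        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"
            # The 30-minute period has elapsed: the user may retry with a fresh count.
            state.locked_until = None
            state.consecutive_failures = 0
        if password_ok:
            state.consecutive_failures = 0  # success breaks the consecutive run
            return "ok"
        state.consecutive_failures += 1
        if state.consecutive_failures > MAX_CONSECUTIVE_FAILURES:
            state.locked_until = now + LOCKOUT_PERIOD
            return "locked"
        return "denied"

    def it_reset(self, user: str) -> None:
        """IT Help Desk reset: clears both the lock and the failure counter."""
        self._accounts[user] = AccountState()

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self._state(user)
        return state.locked_until is not None and now < state.locked_until


def demo_timeline() -> List[str]:
    """Constructed scenario: six bad guesses for 'alice', then the correct
    password during the lock, then a retry after the lock expires; 'bob' is
    locked out and then reset by IT."""
    policy = LockoutPolicy()
    t0 = datetime(2020, 1, 1, 9, 0, 0)
    results = []
    for i in range(6):
        results.append(policy.attempt("alice", False, t0 + timedelta(seconds=i)))
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=10)))   # still locked
    results.append(policy.attempt("alice", True, t0 + timedelta(minutes=31)))   # lock expired
    for i in range(6):
        policy.attempt("bob", False, t0 + timedelta(seconds=i))
    policy.it_reset("bob")
    results.append(policy.attempt("bob", True, t0 + timedelta(seconds=10)))
    return results


if __name__ == "__main__":
    print(demo_timeline())
```

Because the clock is passed in rather than read from the system, the behaviour at the 30-minute boundary can be tested deterministically; in production the same object would be fed the authentication server's clock.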
This Software Installation Policy applies to all Opportunity Fund Personnel with an Opportunity Fund
device. The Software Installation Policy covers all computers and servers, operating within
Opportunity Fund’s network.
Opportunity Fund Personnel may not install software on Opportunity Fund devices operated
within Opportunity Fund’s network.
The requester’s immediate supervisor must first approve the software request and will then
forward the request to the IT Help Desk for approval.
All software requests will be fulfilled by software approved by the IT Help Desk.
The Technology Team will obtain and track the licenses, test new software for conflict and
compatibility and perform the installation.
General Requirements
All internal servers deployed at Opportunity Fund must be registered with the Technology Team. At a
minimum, the following information is required to positively identify the point of contact: server
contact(s) and location, and a backup contact; Hardware and Operating System/Version; and Main
functions and applications, if applicable.
Services and applications that will not be used must be disabled where practical.
The most recent security patches must be installed on the system as soon as practical; the only
exception being when immediate application would interfere with business requirements.
Always use standard security principles of least required access to perform a function.
If a methodology for secure channel connection is available, privileged access must be performed
over secure channels.
Opportunity Fund Personnel will receive limited permissions and privileges necessary to perform
their jobs.
Monitoring
Logs, such as network server logs and operating system logs, are maintained and monitored by IT, and all
security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
Daily incremental backups of server OS logs will be retained for at least two weeks.
Weekly full backups of server OS logs will be retained for at least one month.
Monthly full backups of server OS logs will be retained for a minimum of three months.
Port-scan attacks.
Anomalous occurrences that are not related to specific applications on the host.
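The log retention schedule above (daily incremental for at least two weeks, weekly full for at least one month, monthly full for at least three months) can be audited mechanically. The following is an added example written for this page, not a tool from Opportunity Fund or its policy. It assumes "one month" means 30 days and "three months" means 90 days, treats the stated periods as minimums (a backup is deletable only once it is older than its floor), and the backup inventory it checks is constructed.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

Backup = Tuple[str, date]  # (backup class, date taken)

# Minimum retention for each backup class, from the policy text; the 30- and
# 90-day figures are this example's reading of "one month" and "three months".
RETENTION_FLOOR: Dict[str, timedelta] = {
    "daily-incremental": timedelta(days=14),
    "weekly-full": timedelta(days=30),
    "monthly-full": timedelta(days=90),
}


def is_expired(kind: str, taken_on: date, today: date) -> bool:
    """A backup may be deleted only once it is strictly older than its floor."""
    if kind not in RETENTION_FLOOR:
        raise ValueError(f"unknown backup class: {kind}")
    return (today - taken_on) > RETENTION_FLOOR[kind]


def prune(inventory: List[Backup], today: date) -> Tuple[List[Backup], List[Backup]]:
    """Split an inventory into (keep, eligible-for-deletion)."""
    keep: List[Backup] = []
    expire: List[Backup] = []
    for kind, taken_on in inventory:
        (expire if is_expired(kind, taken_on, today) else keep).append((kind, taken_on))
    return keep, expire


def coverage_gaps(inventory: List[Backup], today: date) -> List[date]:
    """Audit check: each of the previous 14 days should have a daily incremental.
    Today itself is excluded because its backup may not have run yet."""
    have = {taken_on for kind, taken_on in inventory if kind == "daily-incremental"}
    return [today - timedelta(days=n) for n in range(1, 15)
            if (today - timedelta(days=n)) not in have]


def sample_inventory(today: date) -> List[Backup]:
    """Constructed inventory: dailies 1-19 days old with day 3 missing,
    five weeklies and four monthlies."""
    inv: List[Backup] = [("daily-incremental", today - timedelta(days=n))
                         for n in range(1, 20) if n != 3]
    inv += [("weekly-full", today - timedelta(days=d)) for d in (7, 14, 21, 28, 35)]
    inv += [("monthly-full", today - timedelta(days=d)) for d in (30, 60, 90, 120)]
    return inv


def demo_audit() -> Tuple[int, int, List[str]]:
    """Run prune and the coverage check on the constructed inventory."""
    today = date(2020, 6, 15)
    inv = sample_inventory(today)
    keep, expire = prune(inv, today)
    gaps = coverage_gaps(inv, today)
    return len(keep), len(expire), [g.isoformat() for g in gaps]


if __name__ == "__main__":
    kept, expired, gaps = demo_audit()
    print(f"keep={kept} expire={expired} missing dailies={gaps}")
```

The two checks answer different questions: `prune` tells you what may be removed without violating the minimums, while `coverage_gaps` tells you whether the daily series the policy relies on is actually intact, which is the question an investigator asks first after an incident.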
Remote Access Policy
Only those Opportunity Fund Personnel who have been permitted remote access to Opportunity
Fund’s networks by IT and have installed required connection, encryption, and authentication
programs may engage in remote access. The Remote Access Policy applies to remote access
connections used to do work on behalf of Opportunity Fund, including reading or sending e-mail and
viewing intranet web resources. Remote access implementations that are covered by the Remote
Access Policy include, but are not limited to, DSL, VPN and SSH. All remote access tools used by
Opportunity Fund Personnel to communicate between Opportunity Fund’s networks or Opportunity
Fund’s devices and other systems must comply with the Remote Access Policy.
General Requirements
Opportunity Fund Personnel with remote access privileges to Opportunity Fund’s networks are
subject to the same security and confidentiality rules that apply to their access to Opportunity
Fund’s data at an onsite location.
General access to the Internet for use by immediate household members through Opportunity
Fund’s networks on personal computers is not permitted.
Secure remote access must be strictly controlled. Opportunity Fund Personnel and servicers with
remote access privileges are prohibited from providing their log-in or e-mail password to anyone,
including family members.
IT must approve non-standard hardware configurations and security configurations for access to
hardware.
Remote Access Tools
Opportunity Fund provides approved mechanisms to allow Opportunity Fund Personnel to connect to
Opportunity Fund’s networks remotely, collaborate with external partners and use non-Opportunity
Fund systems. Because proper configuration is important for secure use of these tools, the Technology
Team provides mandatory configuration procedures for each of the approved tools; these procedures
may change from time to time.
All Opportunity Fund Personnel who maintain a wireless device on behalf of Opportunity Fund must
comply with this standard. This standard applies to wireless devices that make a connection with
Opportunity Fund’s networks and all wireless devices that provide wireless connectivity to the
networks.
General Requirements
All wireless devices that connect to an Opportunity Fund network or provide access to Opportunity
Fund’s Confidential Information must:
All Bluetooth devices must use Secure Simple Pairing with encryption enabled.
Workstation Security and Clean Desk Policy
The Workstation Security and Clean Desk Policy applies to all Opportunity Fund Personnel and third-
party servicers with access to Opportunity Fund’s Confidential Information in hard copy or electronic
form, whether it is accessed on Opportunity Fund’s premises or at an offsite location. In the
Workstation Security and Clean Desk Policy, references to “workstation” refer to workstations both
on Opportunity Fund’s premises and in all other places where Opportunity Fund Personnel perform
Opportunity Fund work and have access to Confidential Information.
Opportunity Fund provides all Opportunity Fund Personnel with access to paper shredders, secure
storage space, password-protected screen savers and other tools to enable Opportunity Fund
Personnel to maintain the security of Confidential Information.
Secure workstations (screen lock or logout) prior to leaving the area for an extended period, to
prevent unauthorized access.
Use the password-protected screen saver and a password that complies with Opportunity Fund’s
Password Policy.
Promptly clear printers and fax machines of papers as soon as they are printed.
If wireless network access is used, ensure access is secure by following the Wireless
Communication Policy.
Opportunity Fund designates the Vice President of Technology as Head of the Security Breach
Response Team. Other members of the Security Response Team will include but are not limited to:
Chief Executive Officer, Chief Financial Officer, Controller, Chief People Officer.
Reporting
All Opportunity Fund Personnel must report any known Data Breach or any incident that is likely to
cause a Data Breach to Opportunity Fund’s Head of Security Breach Response Team as soon as it is
discovered. These incidents include thefts of computer devices, and viruses, worms or computer
“attacks” that may lead to unauthorized access to Confidential Information.
Investigation
In the event of a Data Breach the Data Breach Response Team will immediately begin an
investigation to determine the nature and scope of the incident and what customer information has
been accessed, including:
The status of the breach. When (date and time) did the breach happen and is it an on-going or
active breach?
How did the breach happen?
What types of customer information were obtained and sensitivity of the customer
information (Name; social security; account and password; etc.)?
How many and which customers were affected?
Likelihood that the customer information is usable or may cause harm, and the ability to mitigate the
risk of harm?
Likelihood the customer information was intentionally targeted (increased chance for
fraudulent use)?
Strength and effectiveness of security technologies protecting customer information
(e.g. encrypted customer information)?
If it is determined that the breach is active or on-going, Opportunity Fund will take action to prevent
further data loss by securing the system and data, blocking further unauthorized access and preserving
evidence for the investigation.
Opportunity Fund will institute internal monitoring of affected accounts to prevent further
unauthorized access.
Notification
The Data Breach Response Team will determine which parties to notify of the Data Breach in
consultation with legal counsel and make those notifications in a timely manner in accordance with
applicable data notification requirements. This may include notification to state regulators, local law
enforcement, investors, customers, credit reporting agencies and the media.
The Security Response Team will determine whether the Data Breach creates a threat to customers’
identity security and will determine whether to offer credit monitoring or identity theft protection
services.
The Data Breach Response Team will ensure that appropriate remediation actions are implemented
including:
Revisions to data collection, retention, storage and processing procedures.
Need for additional employee training in data protection procedures.
Review insurance policies and determine if coverage is adequate.
Review of contract provisions with third party servicers that handle customer information.
Review website privacy notices and terms of use and update as needed.
Revisions to Data Breach Response Plan.
The Compliance Department (“Compliance”) and IT are responsible for developing, implementing
and administering the Information Security Program and will report jointly on an as-needed basis, but
no less than annually, to the executive team on compliance with this Policy. Compliance, in
consultation with IT, will provide recommendations to the executive team for changes that need to be
made to the Information Security Program.
TRAINING
New Opportunity Fund Personnel will receive Information Security Program training as it relates to
their job responsibilities within thirty (30) days of the employee’s start date. All Opportunity Fund
Personnel will receive Information Security Program training annually or as necessary when changes
are made to this Policy and its procedures. Opportunity Fund Personnel questions related to
compliance with this Policy should be directed to Opportunity Fund Personnel’s Manager or IT.
Evidence of training will be retained and made available upon request.
RECORD RETENTION
Refer to the Record Retention Policy for additional information on departments responsible for
retaining evidence of record retention.