2022 Data Security Policy


LINCOLN FINANCIAL SECURITIES CORPORATION

Data Security Policy


Revision Number: 2.7
Effective Date: December 2021

1.0 Purpose
The protection of Confidential Information belonging to Lincoln Financial Securities Corporation (“LFS”) and its
customers is of utmost importance to LFS. The purpose of this document is to define the LFS Data Security
Policy (“Policy”) and to describe the requirements for all registered persons and non-registered fingerprinted
persons of LFS (“Associated Persons”). All Associated Persons of LFS are considered to have access to
Confidential Information, as this term is defined below and in the Lincoln Financial Network Information
Handling Policy. Confidential Information belonging both to LFS and its customers is sensitive in nature and
must be protected.

The two main objectives of this Policy are to (i) protect Confidential Information from unauthorized access;
and (ii) manage the risks associated with potential security compromises or privacy violations involving
Confidential Information.

2.0 Scope
All Associated Persons of LFS are required to comply with this Policy. This Policy applies to all Confidential
Information that exists in any processing environment or media during any part of its life cycle, including all
applications, systems, and networks that LFS owns or operates or that are owned or operated by Associated
Persons. This includes, without limitation, servers, workstations, Internet-based applications (“Cloud
Applications”), mobile devices such as tablets and smart phones, email systems, and removable media such as
USB/Flash Drives and USB/External Hard Drives.

Out of Scope: Any Associated Person of LFS using a workstation built and provisioned by the Lincoln
National Corporation (LNC) Information Technology department, or server systems hosted in an LNC data
center and managed by the LNC Information Technology department or hosted and managed by an
LNC-authorized 3rd party vendor, is excluded from this Policy, because those people and systems are
required to adhere to the LNC Information Security Policy.

3.0 Enforcement
Failure to comply with this policy may result in a recommendation to the Lincoln Financial Network Business
Conduct Committee for disciplinary action which could include fines, other sanctions, or termination. All
Associated Persons, including those serving in a supervisory capacity, are responsible for ensuring compliance
with this Policy. No non-registered person may be granted access to Confidential Information without first
being fingerprinted and submitted to FINRA as a Non-Registered Fingerprinted Person of LFS.

Lincoln National Corporation For Internal Use Only LFS Data Security Policy Page 1 of 24

4.0 Standard Requirements

4.1 Remote Network Access

Logging into your LFS branch office system as an authorized user from a location other than your
office computer – such as through a Virtual Private Network (VPN) or Terminal Services (RDP)
connection from home or another location – presents potential data security risks that must be
carefully managed. The following applies to all LFS Associated Persons who access their LFS office
network remotely.

1. All Remote Network Access services must be protected by Multi-Factor Authentication (MFA).
If MFA is not possible, access must be restricted by source IP address.
Multi-factor authentication refers to a method of computer access control in which a user,
such as an LFS Associated Person, is only granted access to a system after successfully
presenting multiple pieces of evidence that he or she is entitled to access the system. As
an example, the multiple pieces of evidence could be a Username/Password, and in
addition, a One-Time Password generated on a mobile phone. Requiring multiple pieces
of information prior to granting access provides extra security, as compared to systems
that require only one piece of evidence.
2. All authentication attempts must, at a minimum, log: Connection Time, Connection Duration,
User ID, Source IP Address, and Destination IP Address.
Since a remote access service listens for connections from anywhere on the Internet, it is
vital that any attempts to connect to the service are captured in security logs along with
the details of the connection attempt, like the source IP address, date, time and outcome
of the connection attempt. This is an essential part of detecting and protecting LFS, its
customers and Associated Persons against unauthorized third parties who may be seeking
to access Confidential Information.
3. All remote access connections must be encrypted with only publicly available cipher suites
known to be secure with appropriate key lengths.
Encryption refers to the process of converting data into a code that can only be read by
the intended sender and receiver of the data. Since remote access connections are
traversing the Internet, which is considered an “untrusted” network, the connection must
be established with encryption, to allow for confidentiality of the data that is going back
and forth between Associated Persons’ computers and their respective LFS branch office
systems, when using a remote access service.
4. Access must be restricted only to users who need remote access to perform their duties.
This means that any Associated Persons who do not have a business need to access their
LFS branch office systems remotely should not have access to do so.


5. Remote access services must be protected by a firewall.
The remote access service that is listening for connections must be behind a firewall. This
configuration allows the firewall to be the first device to “inspect” inbound Internet traffic
that is destined for the remote access service. The use of a firewall when using remote
access service is important because firewalls can block attempts by unauthorized third
parties to access the Confidential Information of LFS, its customers and Associated
Persons.
6. Remote Access solutions must be currently supported by the vendor/manufacturer.
7. Reliance on Self-Signed Certificates for securing Remote Access connections is highly
discouraged.
Digital certificates are used to share public keys for encryption and authentication
operations. Computers that wish to securely communicate with each other over an
untrusted network, like the Internet, must exchange encryption keys to establish a secure
communication channel. Certificates signed by a trusted 3rd party Certificate Authority
(CA) help prove the ownership of the encryption keys and establish trust between the two
computers because each computer trusts the 3rd party CA. Self-Signed Certificates do not
rely on a trusted 3rd party CA, therefore the two computers must “take each other at their
word” regarding their identity. Modern web browsers will produce a warning when
connecting to a computer with a self-signed certificate due to the lack of trust.
8. Use of the Secure Sockets Layer (SSL) protocol is prohibited.
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communication
over an untrusted network. Due to known security vulnerabilities in the SSL protocol, it
was marked as obsolete in 2015. Any communication over the Internet that requires
confidentiality over a secure channel should be using the SSL successor, Transport Layer
Security (TLS), version 1.2 or higher.
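As an added illustration of item 2 above, the Python below parses a constructed authentication log whose records carry the fields the Policy requires (connection time, duration, user ID, source IP, destination IP) plus the outcome, reports any record that lacks a required field, and summarizes failed attempts per source IP so that repeated guessing against the remote access service stands out in review. This is example code, not part of the LFS Policy or any LFS tooling; the key=value log layout, the field names, the sample records and the failure threshold are all assumptions, since a real VPN or RDP gateway writes its own format.

```python
"""Parse remote-access authentication records and flag repeated failures.

Added example (not part of the LFS Policy). The key=value log layout below is
a constructed, hypothetical format carrying the fields the Policy requires.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Fields the Policy requires for every authentication attempt, plus the outcome.
REQUIRED_FIELDS = ("time", "duration", "user", "src", "dst", "result")

# Constructed sample records from a hypothetical VPN gateway (one line per attempt).
# The last line deliberately omits two required fields to show the completeness check.
SAMPLE_LOG = """\
time=2021-12-01T08:02:11Z duration=3600 user=jsmith src=198.51.100.23 dst=192.0.2.10 result=success
time=2021-12-01T08:05:40Z duration=0 user=jsmith src=203.0.113.77 dst=192.0.2.10 result=failure
time=2021-12-01T08:05:42Z duration=0 user=admin src=203.0.113.77 dst=192.0.2.10 result=failure
time=2021-12-01T08:05:44Z duration=0 user=root src=203.0.113.77 dst=192.0.2.10 result=failure
time=2021-12-01T08:05:46Z duration=0 user=backup src=203.0.113.77 dst=192.0.2.10 result=failure
time=2021-12-01T08:05:48Z duration=0 user=test src=203.0.113.77 dst=192.0.2.10 result=failure
time=2021-12-01T09:15:02Z user=mjones src=198.51.100.24 result=success
"""


def parse_record(line):
    """Split one key=value line into a dict; return None for a blank line."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def missing_fields(record):
    """Return the Policy-required fields that are absent from a record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def parse_log(text):
    """Return (complete_records, incomplete_records) for a whole log text."""
    complete, incomplete = [], []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if missing_fields(rec):
            incomplete.append(rec)
            continue
        # Normalise the typed fields so the analysis below can use them directly.
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        rec["duration"] = int(rec["duration"])
        rec["src"] = ipaddress.ip_address(rec["src"])
        complete.append(rec)
    return complete, incomplete


def failures_by_source(records):
    """Per source IP: failure count, distinct user IDs tried, and attempt timestamps."""
    counts, users, times = Counter(), defaultdict(set), defaultdict(list)
    for rec in records:
        if rec["result"] != "success":
            counts[rec["src"]] += 1
            users[rec["src"]].add(rec["user"])
            times[rec["src"]].append(rec["time"])
    return counts, users, times


def suspicious_sources(records, threshold=5):
    """Sources with at least `threshold` failures (threshold is an assumed tuning value).

    Returns {source_ip: (failure_count, sorted_user_ids, span_in_seconds)}.
    """
    counts, users, times = failures_by_source(records)
    result = {}
    for src, n in counts.items():
        if n >= threshold:
            span = int((max(times[src]) - min(times[src])).total_seconds())
            result[str(src)] = (n, sorted(users[src]), span)
    return result


if __name__ == "__main__":
    complete, incomplete = parse_log(SAMPLE_LOG)
    print(f"{len(complete)} complete records, {len(incomplete)} missing required fields")
    for rec in incomplete:
        print("  incomplete record lacks:", missing_fields(rec))
    for src, (n, names, span) in suspicious_sources(complete).items():
        print(f"{src}: {n} failures in {span}s across user IDs {names}")
```

The completeness check is the part worth keeping: a gateway that is logging successes but dropping the source address or duration on failures gives exactly the gap an attacker's attempts would fall into, and the report makes that visible before an incident rather than during one.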

4.2 Wireless Networks

The use of wireless networks presents potential opportunities for unauthorized third parties to
attack the systems participating in the network and steal the data on those systems. It is
important that Associated Persons adhere to the following requirements when using a wireless
network to transmit, store, or process LFS Confidential Information as defined in the LFN
Information Handling Policy.

1. Wi-Fi Protected Access II (WPA2) is required.
This refers to a security protocol and security certification program that provides data
protection and network access control to wireless computer networks. In other words,
this provides an acceptable level of security to enable an Associated Person to conduct LFS
business using a wireless network. Please note that there are several different available
protocols that are designed to secure wireless networks, but Wi-Fi Protected Access II
(WPA2) is the only one that satisfies this Policy. All others, including Wired Equivalent
Privacy (WEP) and the original Wi-Fi Protected Access (WPA), are strictly prohibited.
2. Wi-Fi Protected Setup (WPS) is prohibited.


WPS is a method for setting up a new wireless router for a home network. The WPS
standard requires a PIN to be used during the setup of a system to participate on the
wireless network. A vulnerability discovered in WPS makes the PIN susceptible to
repeated guessing (“brute force”) attacks, which is why WPS functionality should be
disabled. Thus, Associated Persons that use LFS branch office systems that participate on
a wireless network should make sure that WPS is not used.
3. Wireless network communications must be encrypted using Advanced Encryption Standard
(AES).
As modern computers have become more powerful, the cryptographic algorithms used to
encrypt data have also had to change. Older algorithms like the Data Encryption Standard
(DES) have been rendered obsolete, as modern computers are able to “crack” the encryption
key. In other words, modern computers are powerful enough to try every possible key to
unlock the data in a short period of time. Associated Persons whose LFS branch office
systems participate on wireless networks should make sure that AES encryption is in use.
Refer to section 6.0 Definitions of this Policy for a more detailed definition of AES.
4. Service Set Identifier (SSID) must not be a default value.
Wireless access points and/or routers typically have a default value for the Service Set
Identifier (SSID), for example, “Linksys”, “Netgear”, or “Sonicwall”. The value of the SSID is
used in conjunction with other parameters to create the wireless encryption keys, so
keeping the default value is a security risk. Attackers use pre-computed tables of keys
using these default SSIDs coupled with dictionary words, which drastically reduces the
time to figure out the wireless network password. Thus, LFS branch office wireless
networks should not keep default SSIDs, but rather should implement a unique SSID,
subject to the additional requirements set forth below.
5. Service Set Identifier (SSID) must not identify Lincoln Financial Securities (LFS), an affiliated
firm name or a marketing name.
6. As set forth in Section 4.8 of this Policy, the wireless network password must be at least 8
characters in length.
7. As set forth in Section 4.8 of this Policy, the wireless network password must be mixed case
and alphanumeric.
8. As set forth in Section 4.8 of this Policy, the wireless network password must change every 90
days (quarterly).
9. Default administrative account passwords are prohibited.
Using default passwords as opposed to unique passwords that conform to Section 4.8 of
this Policy would make it more likely that attackers will be able to access LFS branch office
systems. As a result, all passwords must be set in accordance with Section 4.8.
10. Use of public Wi-Fi networks is highly discouraged.
The best practice for short-term access to the Internet when traveling is to use a Personal
Mobile Hotspot. Personal hotspot functionality, which is common on most Smartphones,
allows the phone to become a Wi-Fi Access Point that accesses the Internet via the
phone’s cellular data connection.


4.3 Servers
Because Confidential Information relating to LFS and its customers is often stored using servers,
like a file server or a database server, it is critically important to take the necessary precautions to
secure all such servers. Servers are computers responsible for a wide variety of tasks, like creation
and storage of user accounts, validating users when logging into a networked computer, or the
central storage and management of data files which, in the LFS context, can include Confidential
Information belonging to LFS, its customers and Associated Persons. All LFS Associated Persons
are responsible for understanding how and where Confidential Information relating to their LFS
business is stored, accessed, and processed. If a server is in use, either a physical or virtual server
in a branch location or at a 3rd party hosting provider, the system must adhere to the following
requirements.

1. Required compliance monitoring software must be installed and operational. *
As of the latest revision of this Policy, the compliance monitoring software used by LFS is
Opswat MetaAccess.
2. Operating systems must be currently supported by vendor/manufacturer. *
3. Operating systems and 3rd party software security updates must be installed as soon as
possible, but in no event later than within 30 days of their release.
4. Anti-virus software must be installed.
Anti-Virus software prevents the installation or execution of known malicious software
(Malware) by maintaining a list of virus signatures or definitions and removing the
software when it is encountered. LFS recommends that Associated Persons use one of the
Anti-virus software packages identified in the LFS IT Security Software Reference
Document, attached to this Policy as Attachment A.
5. Anti-virus software must be set to auto update.
Setting the Anti-Virus software to ‘auto-update’ allows the software to automatically
update the virus signatures or definitions of known malicious software to ensure the
product affords protection for the latest known threats.
6. Anti-virus software must be set to a real-time scanning mode.
Real-Time Scanning is a mode of most modern Anti-Virus products that enables the
protection to be running at all times while the computer is powered on.
7. A password must be set in accordance with Section 4.8.
8. Users must have access to only those applications and services that are necessary for them to
perform their job responsibilities.
9. Security logs must be enabled and configured to a minimum size of 100 MB.
Most operating systems have built-in logging functionality to capture relevant security
events that occur on the system; however, the default log size does not always retain
events for a sufficient length of time before they are overwritten.
10. Accessing the Internet from a server is limited to only those websites that support business
operations, system security or operational health of the server.


Examples of this include operating systems’ or application vendors’ websites to obtain
security updates or new versions of critical software. Therefore, non-essential web
browsing from a server is prohibited.
11. Full Disk Encryption (FDE), using AES-128 or better, is required for servers storing LFS
Confidential Information. In the event FDE cannot be implemented, effective alternative
compensating controls must be used.
* See the LFS IT Security Software Reference document for the list of specific software.

4.4 Workstations
Because Confidential Information relating to LFS and its customers is often stored locally on
Associated Persons’ workstations, it is also critically important to take the necessary precautions to
secure all workstations. LFS Associated Persons must adhere to the following requirements with
respect to all workstations used for LFS business.

1. Required compliance monitoring software must be installed and operational. *
As of the latest revision of this Policy, the compliance monitoring software used by LFS is
Opswat MetaAccess.
2. Required web security software must be installed and operational. *
As of the latest revision of this Policy, the web security software used by LFS is Zscaler.
3. Operating systems must be currently supported by the vendor/manufacturer. *
As of the last revision date of this document, the predominant workstation operating
system vendor in the marketplace is Microsoft with its Windows Operating System. Other
vendors such as Apple and Google also produce operating systems. Any workstation used
to conduct LFS business should be running a version of an operating system that is fully
supported by the vendor and receives security updates published by the vendor.
4. Operating systems and 3rd party software security updates must be installed as soon as
possible, but in no event later than within 30 days of their release.
Operating System and 3rd Party software vendors will typically release security updates to
their software products on a regular frequency, like monthly or quarterly. Not all vendors
publish on the same frequency, so it is a best practice to enable automatic updates within
the software where possible.
5. Anti-virus software must be installed.
Anti-Virus software prevents the installation or execution of known malicious software
(“Malware”) by maintaining an up-to-date list of virus signatures or definitions and
removing the virus/malware when it is encountered. LFS recommends that LFS Associated
Persons use the Anti-virus software identified in the LFS IT Security Software Reference
Document, attached to this Policy as Attachment A.
6. Anti-virus software must be set to “auto update”.
Setting the Anti-Virus software to “auto-update” allows the software to automatically
update the virus signatures or definitions of known malicious software to ensure the
product affords protection for the latest known threats.
7. Anti-virus software must be set to a real-time scanning mode.


Real-Time Scanning is a mode of most modern anti-virus products that enables the
protection to be running at all times while the computer is powered on.
8. Where possible, 3rd party applications must be set to auto-update.
3rd Party software vendors will typically release security updates to their software products
on a regular frequency, like monthly or quarterly. Not all vendors publish on the same
frequency, so it is a best practice to enable automatic updates within the software where
possible.
9. Full disk encryption is required. (AES-128 or better)
Disk encryption is a technology which protects information by converting it into
unreadable code that cannot be deciphered easily by unauthorized people. The process
uses disk encryption software or hardware to encrypt every bit of data that goes on a disk
or disk volume. Disk encryption prevents unauthorized access to data storage.
10. Host-based Firewall must be installed and running.
A firewall is a network security system that monitors and controls the incoming and
outgoing network traffic based on predetermined security rules. A firewall typically
establishes a barrier between a trusted, secure internal network and another outside
network, such as the Internet, that is assumed not to be secure or trusted. Host-based
firewalls provide a layer of software on one host that controls network traffic in and out of
that single machine. LFS Associated persons should refer to the LFS IT Security Software
Reference Document, attached to this Policy as Attachment A, for recommended Firewall
software.
11. Security logs must be enabled and configured to a minimum size of 100 MB.
Most operating systems have built-in logging functionality to capture relevant security
events that occur on the system; however, the default log size does not always retain
events for a sufficient length of time before they are overwritten.
12. A password must be set in accordance with Section 4.8.
13. A screen saver lockout must be enforced after a maximum of 20 minutes of inactivity.
14. Workstations must be locked when left unattended.
* See the LFS IT Security Software Reference document for the list of specific software.

4.5 Mobile Devices

For many professionals including LFS Associated Persons, mobile devices such as smartphones or
tablets running operating systems like Apple iOS or Google Android, are frequently used to
conduct business. Mobile devices may contain Confidential Information, particularly if used to
receive and send emails, which must be adequately protected. LFS Associated Persons must
adhere to the following requirements with respect to all mobile devices used to access systems
that contain or provide access to LFS Confidential Information.

1. Required compliance monitoring software must be installed. *
As of the latest revision of this Policy, the compliance monitoring software used by LFS is
Opswat MetaAccess.
2. Required web security software must be installed and operational. *
As of the latest revision of this Policy, the web security software used by LFS is Zscaler.


3. Mobile Operating Systems must be currently supported by vendor. *
As of the last revision date of this Policy, the predominant mobile operating system vendor
in the marketplace is Google with its Android Operating System. Other vendors such as
Apple and Microsoft also produce mobile operating systems. Any mobile device used to
conduct LFS business should be running an operating system version that is fully
supported by the vendor and receives security updates published by the vendor.
4. Circumventing operating system integrity by “jailbreaking,” “rooting,” or a similar method is
prohibited.
“Jailbreaking” or “Rooting” are terms used to describe a process for tampering with a
mobile operating system to remove restrictions imposed by the manufacturer or operator,
for example, to allow the installation of unauthorized software from a source other than
the official App Store.
5. Internal device storage, and External SD card storage if available, must be encrypted (AES-128
or better).
Disk encryption is a technology which protects information by converting it into
unreadable code that cannot be deciphered easily by unauthorized people. Similar to the
need for encryption on workstations, mobile devices can also hold confidential
information and require encryption to protect the data stored on the device.
6. Device backups must be encrypted (AES-128 or better).
When leveraging a mobile device to conduct LFS business, the device encryption that is
implemented on the internal storage does not automatically extend to a backup of that
data. In order to create the backup, the internal storage must be decrypted so the data
can be read, and a copy created. LFS Associated Persons are required to enable
encryption for device backups to protect the confidential data that it contains.
7. Devices must be protected by a passcode of at least 4 characters in length.
* See the LFS IT Security Software Reference document for the list of specific software.

4.6 Network Devices

LFS Associated Persons must adhere to the following requirements with respect to all network
devices including, without limitation Firewalls, Wireless Access Points, Network Attached Storage
(NAS) Appliances, used in connection with LFS business.

1. 3rd party technology support providers that remotely access an LFS Branch Office must use Multi-
Factor Authentication (MFA) or be limited to a predefined set of IP addresses.
If you leverage a 3rd party for support of your computers, network, or applications to
conduct LFS business and the 3rd party accesses the network remotely to render the
support, they must only connect to your network using MFA or the connection must be
restricted to a predefined set of Internet Protocol (IP) addresses. This is intended to
reduce potential threats that could seek to attack network devices via IP addresses other
than the predefined set.
2. Administrative access to network devices must use an encrypted connection with only publicly
available cipher suites known to be secure with appropriate key lengths.


Most network devices provide some type of administrative interface to connect to the
device for initial setup and make changes to the device configuration. Typically, these
interfaces are either a Command-Line Interface (CLI) via Secure Shell (SSH) or a Graphical
User Interface (GUI) via a web browser. Regardless of which method is used to connect to
a network device’s administrative interface, the connection must be through a secure
protocol like SSHv2 or HTTPS.
3. SSHv1 is prohibited.
Secure Shell (SSH) is a remote access protocol that provides command-line access to a
network device or server. Version 1 of this protocol (SSHv1) is known to contain inherent
vulnerabilities. Secure Shell Version 2 (SSHv2) was created to address the flaws in the
earlier version and must be used instead of Version 1.
4. Telnet is prohibited.
Telnet is a remote access protocol that provides command-line access to a network device
or server. Telnet is not a secure protocol as all data sent between the client and server is
transmitted in clear text.
5. SNMPv1 and SNMPv2 are prohibited.
Simple Network Management Protocol (SNMP) is a protocol for collecting and organizing
information about managed devices on a network and for modifying that information to
change device behavior. Both Version 1 and Version 2 of SNMP are not secure protocols
and may transmit sensitive data over a network in clear text.
6. Security patches must be installed as soon as possible but in no event later than 30 days after
their release.
Like servers and workstations, vendors of network devices will release security patches for
their devices. Applying security updates in a timely manner is vital to maintaining the
integrity and availability of network devices.
7. Firewall changes must be tracked by a formal change control process.
This means that when an LFS branch office changes its firewall solution or changes the
settings on its firewall, those changes need to be maintained and tracked via a formal
process to ensure that a record is kept as to the adequacy of the firewall protection at all
times.
8. Default administrative account passwords are prohibited. All passwords must be set in
accordance with Section 4.8.
Using default passwords as opposed to unique passwords that conform to Section 4.8 of
this Policy would make it more likely that attackers will be able to access network devices.
Thus, default passwords are prohibited.
9. Logging of network connections to and from the Internet for a minimum 90-day period is
highly recommended.
Logging of inbound and outbound network connections is vital information to support
Security Incident Response activities. At a minimum, both the Source and Destination
Internet Protocol (IP) Addresses should be logged along with Date, Time, and Action (e.g.
‘Block’ or ‘Allow’). Additional information like ‘Connection Duration’ and ‘Total Bytes’ can
also prove useful.


10. Use of a ‘Business-Class’ Firewall with Intrusion Detection System & Intrusion Prevention
System (IDS/IPS) functionality to protect an LFS Branch Office Internet connection is highly
recommended.
11. Full Disk Encryption (FDE), using AES-128 or better, is required for Network Attached Storage
(NAS) devices storing LFS Confidential Information. In the event FDE cannot be implemented,
effective alternative compensating controls must be used.
Unlike a traditional server, which can fulfill many different computing roles, Network-
Attached Storage (NAS) devices are computer appliances (purpose-built specialized
computers) that are designed solely for file sharing. Since NAS devices are networked and
contain storage drives like traditional servers, they are subject to the same data encryption
requirement when storing, transmitting, or processing LFS Confidential Information.
12. Simple Network Management Protocol (SNMP) default strings of ‘public’ & ‘private’ are
prohibited.
A Simple Network Management Protocol (SNMP) Community String is like a User
ID/Password that is sent with each SNMP request. There are typically two default strings,
one for ‘Read’ access and one for ‘Write’ access, that all SNMP compliant devices
understand: ‘public’ for reading and ‘private’ for writing. These two default strings (i.e
passwords) are very well known and often abused by attackers if available.
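The management-plane items in this section (2, 3, 4, 5, 8 and 12) are all things a reviewer can check from a device's exported configuration. The Python below is an added example, not part of the LFS Policy or any LFS tooling: it audits a constructed, vendor-neutral configuration dictionary against those items and returns the findings with the item number they map to. The dictionary keys, the two sample configurations and the list of factory-default passwords are assumptions; the default SNMP community strings are the ones the Policy itself names. A real device exposes these settings through its own CLI or GUI, so the mapping from a vendor's export to these keys has to be written per product.

```python
"""Audit a network-device management configuration against LFS Policy section 4.6.

Added example, not part of the Policy. The configuration dictionaries are
constructed, vendor-neutral stand-ins with hypothetical keys.
"""

# Constructed list of common factory defaults; a real audit would load the
# device vendor's own documented defaults for the model being reviewed.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
# Named in the Policy (4.6 item 12).
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# SNMP versions the Policy prohibits (4.6 item 5); "2c" is the common v2 variant.
INSECURE_SNMP_VERSIONS = {"1", "2", "2c"}

# Constructed "before" configuration: every management-plane item fails.
WEAK_CONFIG = {
    "ssh": {"enabled": True, "versions": [1, 2]},
    "telnet": {"enabled": True},
    "web_admin": {"enabled": True, "protocol": "http"},
    "snmp": {"enabled": True, "version": "2c", "communities": ["public", "private"]},
    "admin_password": "admin",
}

# Constructed "after" configuration that satisfies the same items.
HARDENED_CONFIG = {
    "ssh": {"enabled": True, "versions": [2]},
    "telnet": {"enabled": False},
    "web_admin": {"enabled": True, "protocol": "https"},
    "snmp": {"enabled": True, "version": "3", "communities": []},
    "admin_password": "Br4nch!Fw-Admin-2021",
}


def audit_device(cfg):
    """Return a list of '<item>: <finding>' strings; an empty list means compliant."""
    findings = []

    ssh = cfg.get("ssh", {})
    if ssh.get("enabled") and 1 in ssh.get("versions", []):
        findings.append("4.6.3: SSHv1 is enabled; allow SSHv2 only")

    if cfg.get("telnet", {}).get("enabled"):
        findings.append("4.6.4: Telnet is enabled; disable it (clear-text protocol)")

    web = cfg.get("web_admin", {})
    if web.get("enabled") and web.get("protocol") != "https":
        findings.append("4.6.2: web administration is not over HTTPS")

    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        if str(snmp.get("version")) in INSECURE_SNMP_VERSIONS:
            findings.append("4.6.5: SNMPv1/v2 in use; move to SNMPv3")
        defaults_in_use = sorted(set(snmp.get("communities", [])) & DEFAULT_SNMP_COMMUNITIES)
        if defaults_in_use:
            findings.append(f"4.6.12: default SNMP community string(s) in use: {defaults_in_use}")

    if cfg.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("4.6.8: administrative account uses a default password")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_device(cfg))} finding(s)")
        for line in audit_device(cfg):
            print("  " + line)
```

Note that the SNMP checks are two separate findings on purpose: moving to SNMPv3 removes the clear-text transport (item 5), but a device can run SNMPv3 and still keep the legacy `public` and `private` communities configured (item 12), so both need to be verified independently.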

4.7 Business Continuity/Disaster Recovery

A robust data backup strategy is not only a core component of a business continuity plan; it is also
vital for recovery efforts due to a security incident. For example, certain strains of Ransomware
will encrypt data to hold it hostage and demand payment for the keys to unlock the data. With
valid backups, data could be restored at a point in time just prior to the ransomware infection,
thereby minimizing the impact and negating the ransom payment. LFS Associated Persons must
adhere to the following requirements with respect to BC/DR activities conducted in connection
with LFS business.

1. Backups containing Confidential Information must be encrypted (AES-128 or better).
2. Data backups of systems containing LFS Confidential Information shall be periodically validated
through restoration testing.
Making backup copies of business data is a critical first step in a Business Continuity plan.
Performing a data restoration validates that the backup process is successfully copying and
storing the data. It also helps to validate the restoration procedures and train personnel
to recover from incidents that cause data loss or corruption.
3. Internet-accessible backups must be protected by multi-factor authentication.
Multi-factor authentication refers to a method of computer access control in which a user
is only granted access to a system after successfully presenting multiple pieces of evidence
that he or she is entitled to access the system. For example, a Username and Password,
plus a One-Time Password generated on a mobile phone.
4. 3rd party backup services must be able to provide certification of data destruction.
Upon expiration of the data backup retention period, the 3rd party vendor must be able to
provide written certification of data destruction.


5. All servers, workstations, and mobile devices leveraged as part of a Business
Continuity/Disaster Recovery plan used to protect LFS Confidential Information and/or LFS
Broker/Dealer Operations must comply with the provisions of this Policy’s Sections ‘4.3
Servers’, ‘4.4 Workstations’, and ‘4.5 Mobile Devices’ respectively, unless those devices have
been obtained solely for the purpose of spare hardware and are maintained in a “brand new”
state such that they have never connected to LFS systems, stored or processed LFS
Confidential Information, or installed LFS security controls.
A component of the LFS Information Security program is maintaining an updated inventory
of devices that are conducting LFS business and monitoring the health of the security
controls installed on those devices. Configuring a system to be fully compliant with the
LFS Data Security Policy and then turning that system off to be stored in the event of a
disaster or other business disruption prevents LFS from maintaining an accurate device
inventory.

4.8 Passwords
Each LFS Associated Person must have his/her own unique login credentials (username and
password) to access any electronic system or website that may contain Confidential Information.
Associated Persons may not create, obtain, or use the login credentials of another Associated
Person to access electronic systems or websites that contain Confidential Information. If
passwords have been shared in the past, they must be changed immediately. Associated Persons
may not create, obtain, or use client identification, names or passwords to access client account
information or other data electronically. In addition, LFS Associated Persons must adhere to the
following requirements with respect to passwords:

1. Passwords must be changed every 90 days (quarterly).
2. Passwords must be at least 8 characters in length.
3. Passwords must contain:
• At least one Upper Case and one Lower Case letter (i.e. Mixed Case)
• At least one number (0-9)
• At least one special character (e.g. !@#$%)
4. Accounts must be disabled after 10 invalid logon attempts or less.
5. Electronic copies of passwords must be encrypted (AES-128 or better) at the file or database
level. *
6. Written copies of passwords must not be stored in unlocked or easily accessible locations.
* See the LFS IT Security Software Reference document for the list of specific software.
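As an added example that is not part of the LFS policy, the following Python checks a candidate password against items 1 through 4 of Section 4.8 and tracks the invalid-logon lockout of item 4; the set of accepted special characters, the sample account name and the way password age is supplied are assumptions made here.

```python
"""Added example (not LFS code): Section 4.8 password checks and lockout tracking.

Assumptions: any ASCII punctuation counts as a "special character" (the policy
only gives !@#$% as examples); password age and logon results are supplied by
the caller; the Account class and the sample username are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List
import string

MAX_AGE_DAYS = 90          # item 1: change every 90 days
MIN_LENGTH = 8             # item 2: at least 8 characters
MAX_INVALID_ATTEMPTS = 10  # item 4: disable after 10 invalid attempts or fewer
SPECIAL_CHARS = set(string.punctuation)  # item 3 (assumed set, see above)


def password_violations(password: str) -> List[str]:
    """Return the item 2 and item 3 composition rules the password fails
    (an empty list means the password complies)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit 0-9")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Item 1: a password older than 90 days must be changed."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


@dataclass
class Account:
    """Minimal per-user state needed to enforce item 4 (constructed for the example)."""
    username: str
    invalid_attempts: int = 0
    disabled: bool = False

    def record_login(self, success: bool) -> bool:
        """Record one logon result. A successful logon resets the counter; the
        tenth consecutive failure disables the account. Returns True when the
        account is still usable after this attempt."""
        if self.disabled:
            return False
        if success:
            self.invalid_attempts = 0
            return True
        self.invalid_attempts += 1
        if self.invalid_attempts >= MAX_INVALID_ATTEMPTS:
            self.disabled = True
        return not self.disabled


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1", "Ab1!"):
        print(candidate, "->", password_violations(candidate) or "compliant")
    acct = Account("jdoe")  # constructed sample user
    for _ in range(MAX_INVALID_ATTEMPTS):
        acct.record_login(False)
    print(acct.username, "disabled:", acct.disabled)
```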

4.9 Removable Data Storage


LFS Associated Persons must adhere to the following requirements when using removable media
such as USB/Flash Drives or USB External Hard Drives to transmit, store, or process LFS
Confidential Information as defined in the LFN Information Handling Policy.

1. Insertion of removable media from an unknown or untrusted source (e.g. USB/Flash Drive or
USB External Hard Drive) into a computer system that contains or processes LFS Confidential
Information is prohibited.
2. Full disk encryption is required for trusted removable media. (AES-128 or better)
3. Data backed up to removable media must comply with backup provisions set forth in Section
4.7.

4.10 Email
LFS Associated Persons must adhere to the following requirements pertaining to LFS email.

1. Email containing Confidential Information must be encrypted.
Lincoln’s email solution enables Associated Persons to initiate an encrypted message by
using the ‘Encrypt’ button within the appropriate email client or by putting the word
“secure” surrounded by parentheses in the subject line of the email.
2. LFS Associated Persons must leverage the LFS email platform for all securities business-related
communications.
Rule 17a-4(f) of the Securities Exchange Act of 1934 requires firms to preserve electronically
stored records in a non-rewritable, non-erasable format. FINRA Rule 3110 outlines the
rules that govern the review of Correspondence and Internal Communications. As of the
latest revision of this Policy, the LFS email system used within the firm is part of a
Microsoft M365 subscription and is configured to satisfy the requirements under these,
and any other applicable regulations.

3. Required web security software must be installed and operational on any device (Desktop,
Laptop, Tablet, Smartphone, etc.) used to send or receive LFS email. *
As of the latest revision of this Policy, the web security software used by LFS is Zscaler.

* See the LFS IT Security Software Reference document for the list of specific software.

4.11 Data Destruction


Data destruction, also known as Media sanitization, is the process by which data is irreversibly
removed from media – including traditional computer hard drives, solid state drives, USB/Flash
Drives, USB/External Hard Drives, and mobile devices such as tablet and smart phones – or the
media is permanently destroyed. LFS Associated Persons must destroy LFS Confidential
Information, as defined by the LFN Information Handling Policy, in accordance with the following
requirements.

1. Electronic media including, but not limited to, Magnetic Disk Drives, Solid-State Hard Drives,
Magnetic Tape, or Optical Disk, must be securely wiped or destroyed prior to disposal.
Deleting Confidential Information without securely wiping the device (e.g. deleting a file
from the device via the recycle bin) is not a secure method for Confidential Information
removal. Confidential Information removed in this manner still remains on the device.
2. Hard copy media, including printed or hand-written paper records, containing Confidential
Data must be destroyed when no longer necessary.

3. Media sanitization processes must be documented.

4.12 User Account Management


The following requirements apply to all LFS Associated Persons with respect to the accounts that
they use for any LFS business.

1. Only least privilege access to data and applications may be granted.
When granting access to a system, application, or data, the access level should be only the
minimum level required to complete the required task/job function. This means that
access to LFS data and applications used for LFS business must be restricted to only users
who need access to perform their duties.
2. User accounts must uniquely identify a user to a system.
This means that each user account must be associated with an individual LFS Associated
Person who, in turn, must have his/her own unique login credentials (username and
password) to access any electronic system or website that may contain Confidential
Information.
3. User accounts with access to systems containing Confidential Information shall be periodically
reviewed at least annually by the Confidential Information owner to validate the need for such
access privileges.
4. A password must be set in accordance with Section 4.8.
5. LFS Associated Persons are prohibited from sharing user accounts.
6. Access to LFS systems by LFS Associated Persons must be revoked as soon as possible but no
later than 1 business day after receipt of the termination notification for the LFS Associated
Person.
7. User administration processes for non-LFS managed systems that contain or provide access to
LFS Confidential Information that are in LFS business locations must be documented.
8. In the event of a person’s termination of association with LFS, that person's access to LFS
Confidential Information located in an LFS business location must be revoked.

4.13 Application Security


To reduce the risk of disclosure of Confidential Information, LFS requires that all Associated
Persons seek prior approval before creating custom applications or websites that will transmit,
store, or process LFS Confidential Information as defined in the LFN Information Handling Policy.
Custom applications that have been approved by LFS will be subject to a security review after
development work is complete and periodic reviews and/or testing throughout the lifespan of the
application.

4.14 3rd Party Support


Access by all third-party information technology or data security providers to any LFS Confidential
Information, as defined by the LFN Information Handling Policy, or to any server, workstation,
mobile device, network device, cloud service, data backup, or removable media containing LFS
Confidential Information requires that, prior to any work being initiated, a Non-Disclosure
Agreement (NDA), in a form approved by Lincoln, be executed. The executed NDA must, at a
minimum, require the third-party service provider to agree to protect Confidential Information
and not use or disclose it.

4.15 Cloud Services


The following applies to all LFS Associated Persons who leverage third-party cloud services that
transmit, store, or process LFS Confidential Information.

1. It is recommended that LFS Associated Persons who are considering purchasing or using cloud-
based services to conduct LFS business confer with their OSJ Manager, LFS IT Security Team,
LFS Compliance, and LFS Strategic Operations personnel prior to purchasing or using any such
services for LFS business.
Any Associated Person of LFS using cloud-based services is responsible for conducting due
diligence on the service and for any potential information security risks in using a service
that could impact any LFS Confidential Information.
2. Storing of LFS Confidential Information within cloud-based file sharing services is highly
discouraged. (e.g. Dropbox, Google Drive, ShareFile, OneDrive, etc.)
There are many different types of cloud services. File sharing services are typically
characterized by functionality that allows for the direct sharing of file data with the public.
3. Cloud-based services must encrypt data in transit with only publicly available cipher suites
known to be secure with appropriate key lengths.
4. Cloud-based services must encrypt data at rest with only publicly available cipher suites known
to be secure with appropriate key lengths.
5. User Authentication to cloud-based services must be protected with Multi-Factor
Authentication (MFA).
6. It is highly recommended that selected vendors of cloud-based services maintain an
acceptable level of ‘Information Security hygiene’ in line with industry best practices and
cybersecurity frameworks like the Open Web Application Security Project (OWASP) Top 10 list
and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

4.16 Vulnerability Management


Vulnerability management is the practice of identifying, classifying, and remediating or mitigating
vulnerabilities that occur in software and firmware. Correcting a vulnerability typically involves
the installation of a software patch or a modification of software configuration (such as a firewall
policy or rule). Vulnerability management is a foundational component of an Information Security
program and vital to achieve an acceptable level of computer security. To mitigate the risk of
disclosure of Confidential Information, LFS Associated Persons must adhere to the following
requirements.

1. Any internet-facing, self-hosted applications storing or transmitting Confidential Information
must submit to weekly vulnerability scanning by LFG Information Security.
2. Any self-hosted remote access services must submit to weekly vulnerability scanning by LFG
Information Security.

3. Any software used to conduct LFS business must be currently supported by the
vendor/manufacturer such that security updates are released.
4. External vulnerabilities (i.e. Internet exposed) must be remediated according to the table
below:
Severity   CVSS Score Range   Remediation Timeframe
Critical   *See Note          Critical vulnerabilities are to be approved by the LFG CISO, or their
                              designee, and coordinated through LFS Leadership for immediate
                              remediation.
High       7.0 – 10.0         7 Business days from Notification
Note: Critical severity is to be determined by LFS IT Security team based on CVSS v2.0 score,
pervasiveness, and exploitability.
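As an added example that is not part of the LFS policy, the following Python turns the Section 4.16 table into a remediation-deadline calculation: a CVSS score in the High range gets 7 business days from notification, while Critical is modelled as an explicit determination by the IT Security team rather than a score cut-off. Treating "immediate" as a deadline equal to the notification date, and counting only weekends as non-business days, are assumptions made here.

```python
"""Added example (not LFS code): remediation deadlines from the Section 4.16 table.

Assumptions: Critical is an explicit flag set by the IT Security team (the table
gives it no CVSS range); "immediate remediation" is represented as a deadline
equal to the notification date; business days are Monday to Friday with no
holiday calendar."""
from datetime import date, timedelta
from typing import Optional

HIGH_MIN_CVSS = 7.0          # table row "High": 7.0 - 10.0
HIGH_MAX_CVSS = 10.0
HIGH_SLA_BUSINESS_DAYS = 7   # "7 Business days from Notification"


def severity(cvss_score: float, critical_determination: bool = False) -> Optional[str]:
    """Map a finding to a policy tier. Returns None when the score falls below
    every tier the table lists, i.e. the policy sets no external deadline."""
    if critical_determination:
        return "Critical"
    if HIGH_MIN_CVSS <= cvss_score <= HIGH_MAX_CVSS:
        return "High"
    return None


def add_business_days(start: date, days: int) -> date:
    """Advance `days` business days from `start`, skipping Saturday and Sunday
    (assumption: no holiday calendar)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def remediation_deadline(notified: date, cvss_score: float,
                         critical_determination: bool = False) -> Optional[date]:
    """Return the date by which an external vulnerability must be remediated,
    or None when the table assigns no timeframe to its severity."""
    tier = severity(cvss_score, critical_determination)
    if tier == "Critical":
        return notified  # assumption: "immediate" == notification date
    if tier == "High":
        return add_business_days(notified, HIGH_SLA_BUSINESS_DAYS)
    return None


if __name__ == "__main__":
    notified_on = date(2021, 12, 20)  # constructed sample: a Monday
    for score, crit in ((8.1, False), (9.8, True), (5.3, False)):
        print(score, severity(score, crit), remediation_deadline(notified_on, score, crit))
```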

4.17 Reporting of Suspected Data Security Incidents


LFS Associated Persons are required to immediately report instances in which Confidential
Information could be lost or compromised as follows:

1. The loss of any computer, laptop, mobile device, tablet, external hard drive, or other
computing device containing LFS Confidential Information must be reported immediately.
2. All actual and suspected data security incidents or unauthorized access to LFS Confidential
Information must be reported to LFS immediately. This includes all actual and suspected
incidents involving any system or device that stores or processes any LFS Confidential
Information that may have been accessed without authority, hacked, or otherwise
compromised.
3. All reports made under this Section 4.17 of the Policy must be made to LFSITSecurity@lfg.com
and Privacy@LFG.com, email boxes established for reporting actual and possible data
security/privacy incidents to the LFS Data Security and LFG Privacy Teams.

5.0 Compliance
If an Associated Person becomes aware that a laptop or desktop computer, smart phone, tablet, removable
media, portable storage device, server, or cloud-based service contains LFS Confidential Information in a
manner that does not comply with the Standard Requirements detailed in Section 4 of this Policy, the
Associated Person should immediately:

• Implement upgrades or install software to bring that device or service into compliance with the
Standard Requirements; or
• If unable to bring a device or service into compliance with the Standard Requirements contact LFS IT
Security (LFSITSecurity@lfg.com) to discuss the details of the issue and depending on the
circumstances, a policy exception may be requested. In the event a Policy Exception Request is
denied, all Confidential Information must be immediately removed from the device in a secure
manner.

6.0 Definitions

Advanced Encryption Standard (AES)

The Advanced Encryption Standard is a symmetric-key block cipher algorithm and U.S. government standard
for secure and classified data encryption and decryption. In December 2001, the National Institute of
Standards and Technology (NIST) approved the AES as Federal Information Processing Standards Publication
(FIPS PUB) 197, which specifies application of the Rijndael algorithm to all sensitive classified data. The
Advanced Encryption Standard was originally known as Rijndael. AES is designed to be used with key lengths
of 128, 192, or 256 bits. The more bits used in the cryptographic key, the greater the number of possible
“keys” that could encrypt or decrypt the data. References like “AES-128” translate to “The use of Advanced
Encryption Standard with a key length of 128 bits.”

Anti-Virus Software
Anti-Virus Software is a software utility that detects, prevents, and removes viruses, worms, and other
malware from a computer. Most anti-virus programs include an auto-update feature that permits the
program to download profiles of new viruses, enabling the system to check for new threats. Anti-virus
programs are essential utilities for any computer but the choice of which one is very important. One Anti-
virus program might find a certain virus or worm while another cannot, or vice-versa.

Application Service Provider (ASP)


Application Service Providers host cloud-based applications to customers over a network. Applications tend
to address a particular business need or specialty, like Customer Relationship Management (CRM).

Associated Persons
All Registered Representatives of LFS and all Non-Registered Fingerprinted Persons of LFS are Associated
Persons.

Authentication
Authentication is the process of confirming the correctness of the claimed identity.

Backup
Backup refers to the process of making copies of data or data files to use in the event the original data or
data files are lost or destroyed. Secondarily, a backup may refer to making copies for historical purposes or
to meet the requirements of a data retention policy.

Business Information
Business Information is all non-public information (written and oral) relating to Lincoln and its past, present
and future business, products, services, markets, operations, personnel, assets, liabilities, condition (financial
or otherwise), strategy and prospects, as well as any similar information pertaining to another company with
which the Company has done, is doing, or may do business with in the future. Business Information includes
but is not limited to: budget information, operating expenses, financial arrangements (example: vendor
contracts, service agreements), financial reporting, financial transactions, strategic information, proprietary
software code, application system planning, development and maintenance of financial information, trade
secrets and other competitively-sensitive material, day-to-day financial business activities, collection of
financial information for business activities, and financial information residing on all technological platforms
and in business documents.

Cipher Suite

A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security
(TLS). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk
encryption algorithm, and a message authentication code (MAC) algorithm.

Client Information
Client Information includes ALL information in various forms relating to potential, existing, and former
applicants, beneficiaries, claimants, annuitants, insureds, customers and consumers and their fiduciaries.
Client Information includes NPPI and PHI.

Cloud
The cloud is a general metaphor that is used to refer to the Internet. Initially, the Internet was seen as a
distributed network and then, with the invention of the World Wide Web, as a tangle of interlinked media.
As the Internet continued to grow in both size and the range of activities it encompassed, it came to be
known as "the cloud."

Cloud App
A cloud app is an application that operates in the cloud. Cloud apps are considered to be a blend of standard
Web applications and conventional desktop applications. Cloud apps incorporate the advantages of both
Web and desktop apps without absorbing many of their drawbacks. Similar to desktop apps, cloud apps can
provide offline mode, rich user experience and instant responses to user actions. Similar to Web
applications, there is no need to install cloud apps on a computer. Updates can be done at any time by
simply uploading a newer version to the Web server. Cloud apps also store data in the cloud.

Confidential Information
Confidential Information includes but is not limited to Client Information, Employee Information, Health
Information, Individually Identifiable Health Information, Non-public Personal Information, Protected Health
Information and Business Information. Each of these terms is defined in this section.

Employee Information
Employee Information includes all information in various forms relating to compensation and benefits, past
or present employment information, residence telephone number and address, race, sex, age, birth date,
marital status, disciplinary actions, performance appraisals, employee grievances, Social Security Number,
personnel test results, banking information, medical information relating to the past, present or predicted
future health, finance, insurance contracts, religious affiliation, Annual Incentive Plan information, 401(k)
contributions, performance measurements, etc. of any employees, retirees or former employees of Lincoln.

Encryption
Encryption is the process of using a mathematical algorithm to transform information to make it unreadable
for unauthorized users. This cryptographic method protects sensitive data by encoding and transforming
information into unreadable cipher text. This encoded data may only be decrypted or made readable with a
key. Encryption is essential for ensured and trusted delivery of sensitive information.

External Hard Drives


An external hard drive is a storage device located outside of a computer that is connected through a USB
cable or wireless connection. An external hard drive is usually used to store media that a user needs to be
portable, for backups, and when the internal drive of the computer is already at its full memory capacity.
These devices have a high storage capacity compared to flash drives and are mostly used for backing up

numerous computer files or serving as a network drive to store shared content. External hard drives are also
known as removable hard drives.

Firewall
A firewall is software used to maintain the security of a private network. Firewalls block unauthorized access
to or from private networks and are often employed to prevent unauthorized Web users or illicit software
from gaining access to private networks connected to the Internet. A firewall may be implemented using
hardware, software, or a combination of both. A firewall is recognized as the first line of defense in securing
sensitive information.

Flash Memory
Flash memory is a non-volatile memory chip used for storage and for transferring data between a personal
computer (PC) and digital devices. It has the ability to be electronically reprogrammed and erased. It is
often found in USB flash drives, MP3 players, digital cameras and solid-state drives.

Flash Storage
Flash storage is the term used to describe any electronic device which is capable of performing as a storage
repository with the help of flash memory. It can be anything from a fully integrated all-flash storage array to
a simple universal serial bus device. Flash storage is capable of improving the efficiency and performance for
many applications compared to traditional storage media.

Full-Disk Encryption (FDE)


Full-Disk Encryption (FDE) is the encryption of all data on a disk drive, including the program that encrypts
the bootable OS partition. It is performed by disk encryption software or hardware that is installed on the
drive during manufacturing or via an additional software driver. FDE converts all device data into a form that
can be only understood by the one who has the key to decrypt the encrypted data. FDE is also known as
Whole Disk Encryption (WDE).

Health Information
Health Information means any information, whether oral or recorded in any form or medium, that:
1. Is created or received by a health care provider, health plan, public health authority, employer, life
insurer, school or university, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future payment for the provision of
health care to an individual.

Individually Identifiable Health Information


Individually Identifiable Health Information is information that is a subset of Health Information, including
demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future payment for the provision of
health care to an individual; and
a. That identifies the individual; or
b. With respect to which there is a reasonable basis to believe the information can be used to identify
the individual.

Infrastructure as a Service (IaaS)

Infrastructure as a Service is a cloud-based model for hosting and delivering computing resources on a
subscription basis. The resources provided tend to be virtualized servers, and the model allows the
customer/subscriber to install applications and maintain the configuration of the computing devices.

Internet Protocol address (IP address)


An Internet Protocol address is a logical numeric address that is assigned to every single computer, printer,
switch, router or any other device that is part of a network. The IP address is the core component on which
the networking architecture is built; no network exists without it. An IP address is used to uniquely identify
every node in the network. Because IP addresses are logical, they can change. They are similar to addresses
in a town or city because the IP address gives the network node an address so that it can communicate with
other nodes or networks, just like mail is sent to friends and relatives.

Jailbreak
Jailbreak refers to the process of gaining root access to the iOS operating system that runs on Apple devices,
including the iPad, iPhone and iPod Touch. Jailbreaking frees the device from dependence on Apple as the
exclusive source of applications, allowing users to install third-party apps unavailable at the official App
Store. Users can also customize their home screens and modify the appearance of icons and menus.
Jailbreaking is sometimes a prelude to unlocking an iPhone or modifying its baseband so that the unit can
work with other mobile networks. Jailbreak may also be known as jailbreaking or iOS jailbreak.

Multifactor Authentication (MFA)

Authentication that requires two or more distinct factors. Factors include: (i) something you know
(e.g. password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii)
something you are (e.g., biometric). Multi-Factor Authentication is also known as Two-Factor Authentication
or Two-Step Authentication.

Network attached storage (NAS)


Network attached storage is a hard drive attached to a network, also referred to as an appliance, used for file
storage and accessed through an assigned network address. It acts as a server for file sharing but does not
allow other services or applications typically found on a server to run. As an example, email or database
services cannot be installed on a NAS appliance.

Non-public Personal Information (NPPI)


Non-public Personal Information means personally identifiable information, including financial information,
provided by a Consumer to a financial institution; resulting from any transaction with the Consumer or any
service performed for the Consumer; or otherwise obtained by the financial institution. The term does not
include publicly available information, but it does include any list, description, or other grouping of
Consumers (and publicly available information pertaining to them) that is derived using information other
than publicly available information.

Operating System (OS)


The operating system manages a computer's hardware resources, including: Input devices
(keyboard/mouse), Output devices (monitors/printers/scanners), Network devices (modems/network
interface cards), and Storage devices (internal and external drives). The OS also provides services to facilitate
the efficient execution and management of any additional installed software application programs. While it
is possible for a software application to interface directly with hardware, the vast majority of applications are
written for an OS, which allows them to take advantage of common OS functionality and not worry about
specific hardware details.

Patch
A patch is a software update comprised of new computer code inserted (or patched) into the existing code of
an executable program. Patches are often temporary fixes between full releases of a software package.
Typically, they address newly discovered security vulnerabilities or software stability issues.

Protected Health Information (PHI)


Protected Health Information means Individually Identifiable Health Information except as provided by
statute that is: Transmitted by electronic media; maintained in electronic media; or transmitted or
maintained in any other form or medium.

Rooting
Rooting is the term used to describe the process of gaining root access or privileged control over devices,
most commonly Android smartphones and tablets. Rooting can also be done on devices based on Linux
environments. Although similar to terms like unlocking and jailbreaking, conceptually rooting is quite
different from these terms. Rooting enables a normal user to have administrator-level permissions to the
operating system environment. In the case of Android devices, it helps in circumventing the security
architecture, which makes devices susceptible to infection by malicious applications.

Secure Digital Card (SD Card)


A Secure Digital card is a non-volatile form of flash memory for portable and mobile devices. Because it is
not proprietary, SD card usage is widespread. SD cards are located in thousands of consumer electronic
device models, including mobile phones, digital cameras, camcorders, tablets and portable audio players.

Service Set Identifier (SSID)


A service set identifier is a type of identifier that uniquely identifies a wireless local area network (WLAN).
Service set identifiers differentiate wireless LANs by assigning each a unique, 32-bit alphanumeric character
identifier. SSID is also referred to as the wireless network name.

Software as a Service (SaaS)


Software as a Service is another cloud-based model for centrally hosting and delivering software on a
subscription basis.

Universal Serial Bus (USB)


A Universal Serial Bus is a common interface that enables communication between devices and a host
controller such as a personal computer (PC). It connects peripheral devices such as digital cameras, mice,
keyboards, printers, scanners, media devices, external hard drives and flash drives. Because of its wide
variety of uses, including support for electrical power, the USB has replaced a wide range of interfaces like
the parallel and serial port.

Wi-Fi Protected Access II (WPA2)


Wi-Fi Protected Access II is a security standard to secure computers connected to a Wi-Fi network. Its
purpose is to achieve complete compliance with the IEEE802.11i standard, only partially achieved with WPA,
and to address the security flaw in the 128-bit “temporary key integrity protocol” (TKIP) in WPA by replacing
it with CCMP. The term is also referenced as Wi-Fi Protected Access 2.

Wi-Fi Protected Setup (WPS)

Wi-Fi Protected Setup is a communications protocol designed to help facilitate the setup of wireless
networks in homes and small offices. It is geared toward users and groups that are not familiar with Wi-Fi
configuration. WPS allows devices to be easily added to a network while providing a secure connection.
Unfortunately, WPS is prone to brute-force attacks, which can allow other devices to connect to a network.

Wireless Fidelity (Wi-Fi)

Wi-Fi is a type of wireless network technology used for connecting to the Internet. The frequencies used by
Wi-Fi, 2.4 GHz or 5 GHz, ensure that no interference with cellphones, broadcast radio, TV antennas and
two-way radios is encountered during transmission. To simplify, Wi-Fi is basically just radio waves broadcast from a
Wi-Fi router, a device detecting and deciphering the waves, and then sending back data to the router. It
works very similarly to an AM/ FM radio, but it is a two-way communication channel. Wi-Fi works over
longer distances making it suitable for portable devices, such as laptops and mobile devices. Wi-Fi is
governed by the Wi-Fi Alliance, an association of manufacturers and regulators defining standards and
certifying products as Wi-Fi compatible.

Wireless Networks

Wireless networks are computer networks that are not connected by cables of any kind. The use of a
wireless network enables enterprises to avoid the costly process of running cables through buildings or
between different equipment locations. Wireless systems are based on radio waves, implemented at the
physical layer of the network. A Wireless Local Area Network (WLAN) is considered a Wireless Network.

REVISION HISTORY

Revision Number | Revision Date | Effective Date | Revision Details

2.7 | 12/2/2021 | 12/20/2021 |
    3.0 Enforcement - Updated section to remove reference to termination of Associated Persons as this is
    covered in Section 4.12 Items 6 & 7.
    4.1 Remote Network Access - Updated Item 8 to prohibit the use of the Secure Socket Layer (SSL) protocol.
    4.3 Servers - Updated section footnote to remove the LFS IT Security Software Reference document as
    “Attachment A” of the policy.
    4.4 Workstations - Updated section footnote to remove the LFS IT Security Software Reference document as
    “Attachment A” of the policy.
    4.5 Mobile Devices - Updated introductory paragraph for clarity and to change scope to mobile devices
    that access systems with LFS Confidential Information.
    4.5 Mobile Devices - Added Item 2 to require Zscaler on mobile devices used to access systems with LFS
    Confidential Information.
    4.5 Mobile Devices - Updated section footnote to remove the LFS IT Security Software Reference document
    as “Attachment A” of the policy.
    4.6 Network Devices - Removed Item 7 pertaining to terminated user access revocation due to duplication
    with Section 4.12 Item 6.
    4.7 Business Continuity/Disaster Recovery - Added Item 5 for clarity about storing devices for use in the
    event of a BC/DR declaration.
    4.8 Passwords - Updated Item 4 to increase the failed login attempt threshold to 10 or fewer.
    4.8 Passwords - Updated section footnote to remove the LFS IT Security Software Reference document as
    “Attachment A” of the policy.
    4.10 Email - Updated Item 1 to remove reference to vendor Intermedia and update for the new methodology
    to enable email encryption.
    4.10 Email - Modified Item 2 to require the use of the LFS email platform for all securities-related
    business communications.
    4.10 Email - Added Item 3 to require Zscaler on any device used to send or receive LFS email.
    4.10 Email - Updated section footnote to remove the LFS IT Security Software Reference document as
    “Attachment A” of the policy.
    4.11 Data Destruction - Updated introductory paragraph for clarity about data destruction.
    4.12 User Account Management - Updated Item 6 to limit scope of affected systems to LFS-managed systems
    and updated timeframe to 1 business day.
    4.12 User Account Management - Updated Item 7 to add clarity for documented user administration
    processes governing non-LFS-managed systems located in branch offices.
    4.12 User Account Management - Added Item 8 to require the revocation of access to LFS Confidential
    Information when a person terminates.
    4.14 3rd Party Support - Updated section for clarity about NDA usage and removed the Field Office NDA as
    “Attachment B” of the policy.
    4.16 Vulnerability Management - Added Item 3 to require software being used for LFS business to be
    supported by the vendor to receive security updates.
    4.16 Vulnerability Management - Updated Item 4 to provide clarity.
    4.16 Vulnerability Management - Updated Item 4 to provide clarity around vulnerability severities,
    remediation timeframe, and approval & coordination of remediation of critical vulnerabilities.
    4.17 Reporting of Suspected Data Security Incidents - Updated Items 1 & 2 for clarity about reporting
    security incidents involving LFS Confidential Information.

2.6 | 4/16/2020 | 4/27/2020 |
    Updated Section 4.1 Item 3 for clarity about encryption cipher suites.
    Added Section 4.1 Items 6, 7, and 8 for vendor support and discouraging use of self-signed certs and SSL.
    Updated Section 4.2 introductory paragraph for clarity about wireless networks.
    Added Section 4.2 Item 10 discouraging the use of public Wi-Fi.
    Updated Section 4.3 introductory paragraph for clarity about physical, virtual, or host servers.
    Added Section 4.3 Item 11 requiring full disk encryption for servers.
    Updated Section 4.6 Item 1 for MFA or IP restrictions.
    Updated Section 4.6 Item 2 for clarity about access type and encryption ciphers.
    Added Section 4.6 Item 11 to recommend business-class firewalls.
    Added Section 4.6 Item 12 to require full disk encryption for NAS devices.
    Added Section 4.6 Item 13 to prohibit SNMP with Public/Private strings.
    Updated Section 4.9 introductory paragraph for clarity about in-scope removable storage usage.
    Updated Section 4.15 introductory paragraph for clarity about in-scope cloud services.
    Updated Section 4.15 Items 2 & 3 for clarity about ciphers for encryption in transit and at rest.
    Updated Section 4.15 Item 4 for clarity about MFA for user authentication to cloud services.
    Added Section 4.15 Item 5 recommending adherence to infosec best practices & frameworks for cloud
    vendors.
    Updated Section 5.0 for clarity to include cloud services as well as devices.

2.5 | 1/15/2019 | 2/5/2019 |
    Updated Section 4.8 Item #5 requiring encryption for electronic copies of passwords.
    Added Section 4.13 ‘Application Security’.

2.4 | 4/25/2018 | 4/30/2018 |
    Updated appropriate sections to reflect that Multi-Factor Authentication is required.
    Updated Section 4.7 title to 'Business Continuity/Disaster Recovery'.
    Added BC/DR statement for testing backup/restore processes.
    Added language to Section 5.0 Compliance to consult with LFS IT Security for exceptions.
    Removed year ‘2017’ from the Footer section.

2.3 | 10/20/2017 | 10/30/2017 |
    Added Section 4.12 Item #3 regarding periodic review of privileged user access.

2.2 | 5/5/2017 | 5/8/2017 |
    Policy rewritten.

1.4 | 12/1/2015 | 12/1/2015 |
    Updated language throughout to include latest technologies such as smart phones and tablets.
    Updated Section 4.1.5 – Encryption: to include language pertaining to smart phone and tablet encryption.
    Updated Section 4.3.2 – Wireless: to outline the difference between WPA2 and WPA. Denied the use of WEP.
    Updated Section 5.2 – Email Encryption: to include directions on how to send encrypted email for those
    using the Lincoln-provided Intermedia hosting solution.

1.3 | 9/1/2013 | 10/1/2013 |
    Added statement in Section 5.0 – Information Handling and Privacy Standards: All LFS Associated Persons
    must comply with the Lincoln Financial Network (LFN) Information Handling Policy.
    Added Section 5.2 – Email Encryption.

1.2 | 8/1/2012 | 11/1/2012 |
    Updated Section 4.1.5 – Encryption: minimum encryption strength changed from 256-bit to 128-bit
    Advanced Encryption Standard (AES) or stronger.
    Added Section 4.4 Cloud/SaaS/ASP Providers.

1.1 | 9/1/2010 | 9/1/2010 |
    Reformatted, revised definitions, and removed server encryption requirement.

1.0 | 12/1/2009 | 1/1/2010 |
    New Policy.
