2022 Data Security Policy
1.0 Purpose
The protection of Confidential Information belonging to Lincoln Financial Securities Corporation (“LFS”) and its
customers is of utmost importance to LFS. The purpose of this document is to define the LFS Data Security
Policy (“Policy”) and to describe the requirements for all registered persons and non-registered fingerprinted
persons of LFS (“Associated Persons”). All Associated Persons of LFS are considered to have access to
Confidential Information, as this term is defined below and in the Lincoln Financial Network Information
Handling Policy. Confidential Information belonging both to LFS and its customers is sensitive in nature and
must be protected.
The two main objectives of this Policy are to (i) protect Confidential Information from unauthorized access;
and (ii) manage the risks associated with potential security compromises or privacy violations involving
Confidential Information.
2.0 Scope
All Associated Persons of LFS are required to comply with this Policy. This Policy applies to all Confidential
Information that exists in any processing environment or media during any part of its life cycle, including all
applications, systems, and networks that LFS owns or operates or that are owned or operated by Associated
Persons. This includes, without limitation, servers, workstations, Internet-based applications (“Cloud
Applications”), mobile devices such as tablets and smart phones, email systems, and removable media such as
USB/Flash Drives and USB/External Hard Drives. Out of Scope: Any Associated Person of LFS using a
workstation built and provisioned by the Lincoln National Corporation (LNC) Information Technology
department, or server systems hosted in an LNC data center and managed by the LNC Information Technology
department or hosted and managed by an LNC-authorized 3rd party vendor, is excluded from this Policy because
those people and systems are required to adhere to the LNC Information Security Policy.
3.0 Enforcement
Failure to comply with this policy may result in a recommendation to the Lincoln Financial Network Business
Conduct Committee for disciplinary action which could include fines, other sanctions, or termination. All
Associated Persons, including those serving in a supervisory capacity, are responsible for ensuring compliance
with this Policy. No non-registered person may be granted access to Confidential Information without first
being fingerprinted and submitted to FINRA as a Non-Registered Fingerprinted Person of LFS.
Lincoln National Corporation For Internal Use Only LFS Data Security Policy Page 1 of 24
LINCOLN FINANCIAL SECURITIES CORPORATION
Data Security Policy
1. All Remote Network Access services must be protected by Multi-Factor Authentication (MFA).
If MFA is not possible, access must be restricted by source IP address.
Multi-factor authentication refers to a method of computer access control in which a user,
such as an LFS Associated Person, is only granted access to a system after successfully
presenting multiple pieces of evidence that he or she is entitled to access the system. As
an example, the multiple pieces of evidence could be a Username/Password, and in
addition, a One-Time Password generated on a mobile phone. Requiring multiple pieces
of information prior to granting access provides extra security, as compared to systems
that require only one piece of evidence.
2. All authentication attempts must, at a minimum, log: Connection Time, Connection Duration,
User ID, Source IP Address, and Destination IP Address.
Since a remote access service listens for connections from anywhere on the Internet, it is
vital that any attempts to connect to the service are captured in security logs along with
the details of the connection attempt, like the source IP address, date, time and outcome
of the connection attempt. This is an essential part of detecting and protecting LFS, its
customers and Associated Persons against unauthorized third parties who may be seeking
to access Confidential Information.
3. All remote access connections must be encrypted with only publicly available cipher suites
known to be secure with appropriate key lengths.
Encryption refers to the process of converting data into a code that can only be read by
the intended sender and receiver of the data. Since remote access connections are
traversing the Internet, which is considered an “untrusted” network, the connection must
be established with encryption, to allow for confidentiality of the data that is going back
and forth between Associated Persons’ computers and their respective LFS branch office
systems, when using a remote access service.
4. Access must be restricted only to users who need remote access to perform their duties.
This means that any Associated Persons who do not have a business need to access their
LFS branch office systems remotely should not have access to do so.
WPS is a method for setting up a new wireless router for a home network. The WPS
standard requires a PIN to be used during the setup of a system to participate on the
wireless network. A vulnerability discovered in WPS makes the PIN susceptible to
repeated guessing (“brute force”) attacks, which is why WPS functionality should be
disabled. Thus, Associated Persons that use LFS branch office systems that participate on
a wireless network should make sure that WPS is not used.
3. Wireless network communications must be encrypted using Advanced Encryption Standard
(AES).
As modern computers have become more powerful, the cryptographic algorithms used to
encrypt data have also had to change. Older algorithms like the Data Encryption Standard
(DES) have been rendered obsolete, as modern computers are able to “crack” the encryption
key. In other words, modern computers are powerful enough to try every possible key to
unlock the data in a short period of time. Associated Persons whose LFS branch office
systems participate on wireless networks should make sure that AES encryption is in use.
Refer to section 6.0 Definitions of this Policy for a more detailed definition of AES.
4. Service Set Identifier (SSID) must not be a default value.
Wireless access points and/or routers typically have a default value for the Service Set
Identifier (SSID), for example, “Linksys”, “Netgear”, or “Sonicwall”. The value of the SSID is
used in conjunction with other parameters to create the wireless encryption keys, so
keeping the default value is a security risk. Attackers use pre-computed tables of keys
using these default SSIDs coupled with dictionary words, which drastically reduces the
time to figure out the wireless network password. Thus, LFS branch office wireless
networks should not keep default SSIDs, but rather should implement a unique SSID,
subject to the additional requirements set forth below.
5. Service Set Identifier (SSID) must not identify Lincoln Financial Securities (LFS), an affiliated
firm name or a marketing name.
6. As set forth in Section 4.8 of this Policy, the wireless network password must be at least 8
characters in length.
7. As set forth in Section 4.8 of this Policy, the wireless network password must be mixed case
and alphanumeric.
8. As set forth in Section 4.8 of this Policy, the wireless network password must change every 90
days (quarterly).
9. Default administrative account passwords are prohibited.
Using default passwords as opposed to unique passwords that conform to Section 4.8 of
this Policy would make it more likely that attackers will be able to access LFS branch office
systems. As a result, all passwords must be set in accordance with Section 4.8.
10. Use of public Wi-Fi networks is highly discouraged.
The best practice for short-term access to the Internet when traveling is to use a Personal
Mobile Hotspot. Personal hotspot functionality, which is common on most Smartphones,
allows the phone to become a Wi-Fi Access Point that accesses the Internet via the
phone’s cellular data connection.
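Items 6 through 9 above (minimum length 8, mixed case, alphanumeric, changed within 90 days, no vendor default) can be checked mechanically before a wireless or administrative password is accepted. The Python below is an added illustration for this edition, not part of the Policy: the `DEFAULT_PASSWORDS` set and the sample inputs are constructed, and a real check would draw on a maintained default-credential list.

```python
from datetime import date

MIN_LENGTH = 8       # item 6
MAX_AGE_DAYS = 90    # item 8 (quarterly rotation)

# Constructed sample of vendor default passwords for item 9; illustrative only.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", ""}


def _as_date(value):
    """Accept either a date object or an ISO 8601 string such as '2022-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_password_policy(password: str, last_changed, today=None,
                          defaults=DEFAULT_PASSWORDS) -> list:
    """Return the list of violated requirements; an empty list means compliant."""
    today = _as_date(today) if today is not None else date.today()
    last_changed = _as_date(last_changed)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("not alphanumeric (needs both letters and digits)")
    if password.lower() in defaults:
        problems.append("vendor default password")
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        problems.append(f"last changed {age_days} days ago (limit {MAX_AGE_DAYS})")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a compliant password and one that is overdue for rotation.
    print(check_password_policy("Br4nch0ffice", "2022-03-01", today="2022-05-01"))
    print(check_password_policy("Br4nch0ffice", "2022-01-01", today="2022-05-01"))
```

Reporting every violated requirement at once, rather than stopping at the first, lets an Associated Person fix the password in one pass; the age check uses whole days so a password changed exactly 90 days ago still passes.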
4.3 Servers
Because Confidential Information relating to LFS and its customers is often stored using servers,
like a file server or a database server, it is critically important to take the necessary precautions to
secure all such servers. Servers are computers responsible for a wide variety of tasks, like creation
and storage of user accounts, validating users when logging into a networked computer, or the
central storage and management of data files which, in the LFS context, can include Confidential
Information belonging to LFS, its customers and Associated Persons. All LFS Associated Persons
are responsible for understanding how and where Confidential Information relating to their LFS
business is stored, accessed, and processed. If a server is in use, either a physical or virtual server
in a branch location or at a 3rd party hosting provider, the system must adhere to the following
requirements.
4.4 Workstations
Because Confidential Information relating to LFS and its customers is often stored locally on
Associated Persons’ workstations, it is also critically important to take the necessary precautions to
secure all workstations. LFS Associated Persons must adhere to the following requirements with
respect to all workstations used for LFS business.
Real-Time Scanning is a mode of most modern anti-virus products that enables the
protection to be running at all times while the computer is powered on.
8. Where possible, 3rd party applications must be set to auto-update.
3rd Party software vendors will typically release security updates to their software products
on a regular frequency, like monthly or quarterly. Not all vendors publish on the same
frequency, so it is a best practice to enable automatic updates within the software where
possible.
9. Full disk encryption (AES-128 or better) is required.
Disk encryption is a technology which protects information by converting it into
unreadable code that cannot be deciphered easily by unauthorized people. The process
uses disk encryption software or hardware to encrypt every bit of data that goes on a disk
or disk volume. Disk encryption prevents unauthorized access to data storage.
10. Host-based Firewall must be installed and running.
A firewall is a network security system that monitors and controls the incoming and
outgoing network traffic based on predetermined security rules. A firewall typically
establishes a barrier between a trusted, secure internal network and another outside
network, such as the Internet, that is assumed not to be secure or trusted. Host-based
firewalls provide a layer of software on one host that controls network traffic in and out of
that single machine. LFS Associated persons should refer to the LFS IT Security Software
Reference Document, attached to this Policy as Attachment A, for recommended Firewall
software.
11. Security logs must be enabled and configured to a minimum size of 100 MB.
Most operating systems have built-in logging functionality to capture relevant security
events that occur on the system; however, the default log size does not always log a
sufficient length of time.
12. A password must be set in accordance with Section 4.8.
13. A screen saver lockout must be enforced after a maximum of 20 minutes of inactivity.
14. Workstations must be locked when left unattended.
* See the LFS IT Security Software Reference document for the list of specific software.
1. 3rd party technology support providers that remotely access an LFS Branch Office must leverage Multi-
Factor Authentication (MFA) or be limited to a predefined set of IP addresses.
If you leverage a 3rd party for support of your computers, network, or applications to
conduct LFS business and the 3rd party accesses the network remotely to render the
support, they must only connect to your network using MFA or the connection must be
restricted to a predefined set of Internet Protocol (IP) addresses. This is intended to
reduce potential threats that could seek to attack network devices via IP addresses other
than the predefined set.
2. Administrative access to network devices must use an encrypted connection with only publicly
available cipher suites known to be secure with appropriate key lengths.
Most network devices provide some type of administrative interface to connect to the
device for initial setup and make changes to the device configuration. Typically, these
interfaces are either a Command-Line Interface (CLI) via Secure Shell (SSH) or a Graphical
User Interface (GUI) via a web browser. Regardless of which method is used to connect to
a network device’s administrative interface, the connection must be through a secure
protocol like SSHv2 or HTTPS.
3. SSHv1 is prohibited.
Secure Shell (SSH) is a remote access protocol that provides command-line access to a
network device or server. Version 1 of this protocol (SSHv1) is known to contain inherent
vulnerabilities. Secure Shell Version 2 (SSHv2) was created to address the flaws in the
earlier version and should be used instead of Version 1.
4. Telnet is prohibited.
Telnet is a remote access protocol that provides command-line access to a network device
or server. Telnet is not a secure protocol as all data sent between the client and server is
transmitted in clear text.
5. SNMPv1 and SNMPv2 are prohibited.
Simple Network Management Protocol (SNMP) is a protocol for collecting and organizing
information about managed devices on a network and for modifying that information to
change device behavior. Neither Version 1 nor Version 2 of SNMP is a secure protocol; both
may transmit sensitive data over a network in clear text.
6. Security patches must be installed as soon as possible but in no event later than 30 days after
their release.
Like servers and workstations, vendors of network devices will release security patches for
their devices. Applying security updates in a timely manner is vital to maintaining the
integrity and availability of network devices.
7. Firewall changes must be tracked by a formal change control process.
This means that when an LFS branch office changes its firewall solution or changes the
settings on its firewall, those changes need to be maintained and tracked via a formal
process to ensure that a record is kept as to the adequacy of the firewall protection at all
times.
8. Default administrative account passwords are prohibited. All passwords must be set in
accordance with Section 4.8.
Using default passwords as opposed to unique passwords that conform to Section 4.8 of
this Policy would make it more likely that attackers will be able to access network devices.
Thus, default passwords are prohibited.
9. Logging of network connections to and from the Internet for a minimum 90-day period is
highly recommended.
Logging of inbound and outbound network connections is vital information to support
Security Incident Response activities. At a minimum, both the Source and Destination
Internet Protocol (IP) Addresses should be logged along with Date, Time, and Action (e.g.
‘Block’ or ‘Allow’). Additional information like ‘Connection Duration’ and ‘Total Bytes’ can
also prove useful.
10. Use of a ‘Business-Class’ Firewall with Intrusion Detection System & Intrusion Prevention
System (IDS/IPS) functionality to protect an LFS Branch Office Internet connection is highly
recommended.
11. Full Disk Encryption (FDE), using AES-128 or better, is required for Network Attached Storage
(NAS) devices storing LFS Confidential Information. In the event FDE cannot be implemented,
effective alternative compensating controls must be used.
Unlike a traditional server, which can fulfill many different computing roles, Network-
Attached Storage (NAS) devices are computer appliances (purpose-built specialized
computers) that are designed solely for file sharing. Since NAS devices are networked and
contain storage drives like traditional servers, they are subject to the same data encryption
requirement when storing, transmitting, or processing LFS Confidential Information.
12. Simple Network Management Protocol (SNMP) default strings of ‘public’ & ‘private’ are
prohibited.
A Simple Network Management Protocol (SNMP) Community String is like a User
ID/Password that is sent with each SNMP request. There are typically two default strings,
one for ‘Read’ access and one for ‘Write’ access, that all SNMP compliant devices
understand: ‘public’ for reading and ‘private’ for writing. These two default strings (i.e.
passwords) are very well known and often abused by attackers if available.
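The prohibitions in items 3, 4, 5, 8 and 12 above, together with the default-SSID requirement in the wireless section, can all be verified from a device's configuration export rather than by hand. The Python below is an added example for this edition, not LFS's or any vendor's tooling: it parses a constructed, vendor-neutral configuration dump (the directive names are hypothetical and do not follow any real vendor's syntax) and lists each prohibited setting it finds. The `DEFAULT_ADMIN_PASSWORDS` sample is likewise constructed.

```python
# Constructed, vendor-neutral configuration dump for a branch-office router.
# The directive names are hypothetical and do not follow any real vendor's syntax.
SAMPLE_CONFIG = """\
hostname branch-rtr-1
ssh version 1
telnet enable
snmp version 2c
snmp community public ro
snmp community private rw
wifi ssid Linksys
admin password admin
"""

DEFAULT_SSIDS = {"linksys", "netgear", "sonicwall"}          # wireless section, item 4
DEFAULT_COMMUNITIES = {"public", "private"}                  # item 12
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}  # constructed sample for item 8
INSECURE_SNMP_VERSIONS = {"1", "2", "2c"}                     # item 5


def parse_config(text: str):
    """Split each non-empty, non-comment line into (directive, [arguments])."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            words = line.split()
            entries.append((words[0], words[1:]))
    return entries


def audit_config(text: str):
    """Return a list of (rule, detail) findings, one per prohibited setting."""
    findings = []
    for directive, args in parse_config(text):
        sub = args[0] if args else ""        # first argument, e.g. 'version'
        value = " ".join(args[1:])           # everything after it
        if directive == "ssh" and sub == "version" and value == "1":
            findings.append(("SSHv1 prohibited", "ssh version 1 configured; use SSHv2"))
        elif directive == "telnet" and sub == "enable":
            findings.append(("Telnet prohibited", "telnet enabled; management traffic in clear text"))
        elif directive == "snmp" and sub == "version" and value in INSECURE_SNMP_VERSIONS:
            findings.append(("SNMPv1/v2 prohibited", f"snmp version {value}; use SNMPv3"))
        elif directive == "snmp" and sub == "community" and args[1:2] and args[1].lower() in DEFAULT_COMMUNITIES:
            findings.append(("default SNMP community prohibited", f"community string '{args[1]}'"))
        elif directive == "wifi" and sub == "ssid" and value.lower() in DEFAULT_SSIDS:
            findings.append(("default SSID prohibited", f"ssid '{value}' is a vendor default"))
        elif directive == "admin" and sub == "password" and value.lower() in DEFAULT_ADMIN_PASSWORDS:
            findings.append(("default administrative password prohibited", "admin password is a vendor default"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Each finding names the rule it breaks so the output can go straight into the change-control record item 7 calls for; adapting the parser to a real device means only replacing `parse_config` with one that understands that vendor's export format.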
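Item 2 of the remote access requirements (Connection Time, Connection Duration, User ID, Source IP Address, Destination IP Address) and item 9 above (Source and Destination IP, Date, Time, Action, kept for 90 days) both come down to checking that every log record carries a set of required fields and that the log reaches back far enough. The Python below is an added example for this edition, not code from the Policy or from any logging product: it audits constructed JSON-lines records (the field names are hypothetical) against both field sets and tests the firewall log's coverage against the 90-day target.

```python
import json
from datetime import date

# Fields the remote access requirements demand for every authentication attempt (item 2 there)
REQUIRED_AUTH_FIELDS = {"connection_time", "connection_duration", "user_id", "source_ip", "destination_ip"}
# Fields item 9 above names for firewall connection logs (Action is e.g. 'Block' or 'Allow')
REQUIRED_FW_FIELDS = {"date", "time", "source_ip", "destination_ip", "action"}
RETENTION_DAYS = 90

# Constructed JSON-lines samples; the field names are hypothetical, not any product's schema.
# The second record of each sample is deliberately incomplete.
SAMPLE_AUTH_LOGS = """\
{"connection_time": "2022-03-01T08:15:02Z", "connection_duration": 412, "user_id": "jdoe", "source_ip": "203.0.113.5", "destination_ip": "192.0.2.10", "outcome": "success"}
{"connection_time": "2022-03-01T08:16:40Z", "user_id": "jdoe", "source_ip": "203.0.113.5", "outcome": "failure"}
"""
SAMPLE_FW_LOGS = """\
{"date": "2022-03-01", "time": "08:15:02", "source_ip": "203.0.113.5", "destination_ip": "192.0.2.10", "action": "Allow", "total_bytes": 51200}
{"date": "2022-03-02", "time": "09:00:11", "source_ip": "198.51.100.7", "action": "Block"}
"""


def audit_log(text: str, required: set):
    """Return (line_number, sorted missing fields) for every record lacking a required field.
    Records that do not parse are reported too, since an unreadable record is unusable
    in an incident investigation."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, ["<unparseable record>"]))
            continue
        missing = sorted(required - set(record))
        if missing:
            problems.append((n, missing))
    return problems


def retention_covered(text: str, today: str, days: int = RETENTION_DAYS) -> bool:
    """True when the oldest parseable record is at least `days` old, i.e. the log
    reaches back far enough to support a 90-day incident response window."""
    dates = []
    for line in text.splitlines():
        try:
            dates.append(date.fromisoformat(json.loads(line)["date"]))
        except (ValueError, KeyError, TypeError):
            continue
    return bool(dates) and (date.fromisoformat(today) - min(dates)).days >= days


if __name__ == "__main__":
    print(audit_log(SAMPLE_AUTH_LOGS, REQUIRED_AUTH_FIELDS))
    print(audit_log(SAMPLE_FW_LOGS, REQUIRED_FW_FIELDS))
    print(retention_covered(SAMPLE_FW_LOGS, "2022-05-01"))
```

Running the audit periodically against a sample of exported records catches the common failure mode where a product logs the required fields for successful sessions but drops duration or destination on failed or blocked ones, which are exactly the records an investigation needs.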
4.8 Passwords
Each LFS Associated Person must have his/her own unique login credentials (username and
password) to access any electronic system or website that may contain Confidential Information.
Associated Persons may not create, obtain, or use the login credentials of another Associated
Person to access electronic systems or websites that contain Confidential Information. If
passwords have been shared in the past, they must be changed immediately. Associated Persons
may not create, obtain, or use client identification, names or passwords to access client account
information or other data electronically. In addition, LFS Associated Persons must adhere to the
following requirements with respect to passwords:
1. Insertion of removable media from an unknown or untrusted source (e.g. USB/Flash Drive or
USB External Hard Drive) into a computer system that contains or processes LFS Confidential
Information is prohibited.
2. Full disk encryption (AES-128 or better) is required for trusted removable media.
3. Data backed up to removable media must comply with backup provisions set forth in Section
4.7.
4.10 Email
LFS Associated Persons must adhere to the following requirements pertaining to LFS email.
3. Required web security software must be installed and operational on any device (Desktop,
Laptop, Tablet, Smartphone, etc.) used to send or receive LFS email. *
As of the latest revision of this Policy, the web security software used by LFS is Zscaler.
* See the LFS IT Security Software Reference document for the list of specific software.
1. Electronic media including, but not limited to, Magnetic Disk Drives, Solid-State Hard Drives,
Magnetic Tape, or Optical Disk, must be securely wiped or destroyed prior to disposal.
Deleting Confidential Information without securely wiping the device (e.g. deleting a file
from the device via the recycle bin) is not a secure method for Confidential Information
removal. Confidential Information removed in this manner still remains on the device.
2. Hard copy media, including printed or hand-written paper records, containing Confidential
Data must be destroyed when no longer necessary.
minimum, require the third-party service provider to agree to protect Confidential Information
and not use or disclose it.
1. It is recommended that LFS Associated Persons who are considering purchasing or using cloud-
based services to conduct LFS business confer with their OSJ Manager, the LFS IT Security Team,
LFS Compliance, and LFS Strategic Operations personnel prior to purchasing or using any such
services for LFS business.
Any Associated Person of LFS using cloud-based services is responsible for conducting due
diligence on the service and for any potential information security risks in using a service
that could impact any LFS Confidential Information.
2. Storing of LFS Confidential Information within cloud-based file sharing services (e.g. Dropbox,
Google Drive, ShareFile, OneDrive, etc.) is highly discouraged.
There are many different types of cloud services. File sharing services are typically
characterized by functionality that allows for the direct sharing of file data with the public.
3. Cloud-based services must encrypt data in transit with only publicly available cipher suites
known to be secure with appropriate key lengths.
4. Cloud-based services must encrypt data at rest with only publicly available cipher suites known
to be secure with appropriate key lengths.
5. User Authentication to cloud-based services must be protected with Multi-Factor
Authentication (MFA).
6. It is highly recommended that selected vendors of cloud-based services maintain an
acceptable level of ‘Information Security hygiene’ in line with industry best practices and
cybersecurity frameworks like the Open Web Application Security Project (OWASP) Top 10 list
and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
1. The loss of any computer, laptop, mobile device, tablet, external hard drive, or other
computing device containing LFS Confidential Information must be reported immediately.
2. All actual and suspected data security incidents or unauthorized access to LFS Confidential
Information must be reported to LFS immediately. This includes all actual and suspected
incidents involving any system or device that stores or processes any LFS Confidential
Information that may have been accessed without authority, hacked, or otherwise
compromised.
3. All reports made under this Section 4.17 of the Policy must be made to LFSITSecurity@lfg.com
and Privacy@LFG.com, email boxes established for reporting actual and possible data
security/privacy incidents to the LFS Data Security and LFG Privacy Teams.
5.0 Compliance
If an Associated Person becomes aware that a laptop or desktop computer, smart phone, tablet, removable
media, portable storage device, server, or cloud-based service contains LFS Confidential Information in a
manner that does not comply with the Standard Requirements detailed in Section 4 of this Policy, the
Associated Person should immediately:
• Implement upgrades or install software to bring that device or service into compliance with the
Standard Requirements; or
• If unable to bring a device or service into compliance with the Standard Requirements contact LFS IT
Security (LFSITSecurity@lfg.com) to discuss the details of the issue and depending on the
circumstances, a policy exception may be requested. In the event a Policy Exception Request is
denied, all Confidential Information must be immediately removed from the device in a secure
manner.
6.0 Definitions
Anti-Virus Software
Anti-Virus Software is a software utility that detects, prevents, and removes viruses, worms, and other
malware from a computer. Most anti-virus programs include an auto-update feature that permits the
program to download profiles of new viruses, enabling the system to check for new threats. Anti-virus
programs are essential utilities for any computer but the choice of which one is very important. One Anti-
virus program might find a certain virus or worm while another cannot, or vice-versa.
Associated Persons
All Registered Representatives of LFS and all Non-Registered Fingerprinted Persons of LFS are Associated
Persons.
Authentication
Authentication is the process of confirming the correctness of the claimed identity.
Backup
Backup refers to the process of making copies of data or data files to use in the event the original data or
data files are lost or destroyed. Secondarily, a backup may refer to making copies for historical purposes or
to meet the requirements of a data retention policy.
Business Information
Business Information is all non-public information (written and oral) relating to Lincoln and its past, present
and future business, products, services, markets, operations, personnel, assets, liabilities, condition (financial
or otherwise), strategy and prospects, as well as any similar information pertaining to another company with
which the Company has done, is doing, or may do business in the future. Business Information includes
but is not limited to: budget information, operating expenses, financial arrangements (example: vendor
contracts, service agreements), financial reporting, financial transactions, strategic information, proprietary
software code, application system planning, development and maintenance of financial information, trade
secrets and other competitively-sensitive material, day-to-day financial business activities, collection of
financial information for business activities, and financial information residing on all technological platforms
and in business documents.
Cipher Suite
A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security
(TLS). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk
encryption algorithm, and a message authentication code (MAC) algorithm.
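The definition above lists the components a suite name encodes; Section 4's repeated wording "publicly available cipher suites known to be secure with appropriate key lengths" is what an Associated Person has to judge a server's offered list against. The Python below is an added example for this edition, not the Policy's own text or any library's API: it splits IANA suite names into key exchange, bulk encryption and MAC, and rejects suites using broken algorithms, export or anonymous key exchange, or symmetric keys under 128 bits. The weakness lists are a simplified profile chosen for the example, not a list from the Policy.

```python
import re

WEAK_CIPHER_TOKENS = {"NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED"}  # example profile
WEAK_MACS = {"MD5", "NULL"}
MIN_KEY_BITS = 128


def parse_cipher_suite(name: str) -> dict:
    """Split an IANA suite name into key exchange, bulk encryption and MAC components.
    TLS 1.2 names look like TLS_<kx>_WITH_<enc>_<mac>; TLS 1.3 names (TLS_AES_128_GCM_SHA256)
    carry no key exchange part because it is negotiated separately."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        key_exchange, rest = body.split("_WITH_", 1)
    else:
        key_exchange, rest = None, body
    encryption, mac = rest.rsplit("_", 1)
    return {"key_exchange": key_exchange, "encryption": encryption, "mac": mac}


def assess_cipher_suite(name: str) -> dict:
    """Classify a suite: weak or broken ciphers, export or anonymous key exchange,
    weak MACs and symmetric keys shorter than MIN_KEY_BITS are all rejected."""
    parts = parse_cipher_suite(name)
    reasons = []
    kx = parts["key_exchange"] or ""
    if "anon" in kx:
        reasons.append("anonymous key exchange: server is not authenticated")
    if "EXPORT" in kx:
        reasons.append("export-grade key exchange")
    tokens = set(parts["encryption"].split("_"))
    for weak in sorted(WEAK_CIPHER_TOKENS & tokens):
        reasons.append(f"weak or broken cipher {weak}")
    # Key length appears as a standalone number in the encryption part, e.g. AES_128_GCM.
    m = re.search(r"_(\d{2,3})(?:_|$)", parts["encryption"])
    key_bits = int(m.group(1)) if m else None
    if key_bits is not None and key_bits < MIN_KEY_BITS:
        reasons.append(f"{key_bits}-bit key is below {MIN_KEY_BITS} bits")
    if parts["mac"] in WEAK_MACS:
        reasons.append(f"weak MAC {parts['mac']}")
    return {"name": name, "parts": parts, "key_bits": key_bits,
            "reasons": reasons, "acceptable": not reasons}


def acceptable_suites(names) -> list:
    """Filter a server's offered suite list down to those that pass the assessment."""
    return [n for n in names if assess_cipher_suite(n)["acceptable"]]


if __name__ == "__main__":
    # Constructed sample of suites a server might offer.
    offered = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_MD5",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_AES_256_GCM_SHA384"]
    for suite in offered:
        print(suite, assess_cipher_suite(suite)["reasons"])
    print(acceptable_suites(offered))
```

A stricter profile would also require a forward-secret key exchange (ECDHE or DHE) and an AEAD mode such as GCM or CHACHA20_POLY1305; those are easy to add as further reasons, since the parser already exposes each component.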
Client Information
Client Information includes ALL information in various forms relating to potential, existing, and former
applicants, beneficiaries, claimants, annuitants, insureds, customers and consumers and their fiduciaries.
Client Information includes NPPI and PHI.
Cloud
The cloud is a general metaphor that is used to refer to the Internet. Initially, the Internet was seen as a
distributed network and then, with the invention of the World Wide Web, as a tangle of interlinked media.
As the Internet continued to grow in both size and the range of activities it encompassed, it came to be
known as "the cloud."
Cloud App
A cloud app is an application that operates in the cloud. Cloud apps are considered to be a blend of standard
Web applications and conventional desktop applications. Cloud apps incorporate the advantages of both
Web and desktop apps without absorbing many of their drawbacks. Similar to desktop apps, cloud apps can
provide offline mode, rich user experience and instant responses to user actions. Similar to Web
applications, there is no need to install cloud apps on a computer. Updates can be done at any time by
simply uploading a newer version to the Web server. Cloud apps also store data in the cloud.
Confidential Information
Confidential Information includes but is not limited to Client Information, Employee Information, Health
Information, Individually Identifiable Health Information, Non-public Personal Information, Protected Health
Information and Business Information. Each of these terms is defined in this section.
Employee Information
Employee Information includes all information in various forms relating to compensation and benefits, past
or present employment information, residence telephone number and address, race, sex, age, birth date,
marital status, disciplinary actions, performance appraisals, employee grievances, Social Security Number,
personnel test results, banking information, medical information relating to the past, present or predicted
future health, finance, insurance contracts, religious affiliation, Annual Incentive Plan information, 401(k)
contributions, performance measurements, etc. of any employees, retirees or former employees of Lincoln.
Encryption
Encryption is the process of using a mathematical algorithm to transform information to make it unreadable
for unauthorized users. This cryptographic method protects sensitive data by encoding and transforming
information into unreadable cipher text. This encoded data may only be decrypted or made readable with a
key. Encryption is essential for ensured and trusted delivery of sensitive information.
numerous computer files or serving as a network drive to store shared content. External hard drives are also
known as removable hard drives.
Firewall
A firewall is software used to maintain the security of a private network. Firewalls block unauthorized access
to or from private networks and are often employed to prevent unauthorized Web users or illicit software
from gaining access to private networks connected to the Internet. A firewall may be implemented using
hardware, software, or a combination of both. A firewall is recognized as the first line of defense in securing
sensitive information.
Flash Memory
Flash memory is a non-volatile memory chip used for storage and for transferring data between a personal
computer (PC) and digital devices. It has the ability to be electronically reprogrammed and erased. It is
often found in USB flash drives, MP3 players, digital cameras and solid-state drives.
Flash Storage
Flash storage is the term used to describe any electronic device which is capable of performing as a storage
repository with the help of flash memory. It can be anything from a fully integrated all-flash storage array to
a simple universal serial bus device. Flash storage is capable of improving the efficiency and performance for
many applications compared to traditional storage media.
Health Information
Health Information means any information, whether oral or recorded in any form or medium, that:
1. Is created or received by a health care provider, health plan, public health authority, employer, life
insurer, school or university, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future payment for the provision of
health care to an individual.
Infrastructure as a Service is a cloud-based model for hosting and delivering computing resources on a
subscription basis. The resources provided tend to be virtualized servers, which allow the customer/subscriber
to install applications and maintain the configuration of the computing devices.
Jailbreak
Jailbreak (also jailbreaking or iOS jailbreak) refers to the process of gaining root access to the iOS
operating system that runs on Apple devices, including the iPad, iPhone and iPod Touch. Jailbreaking frees
the device from dependence on Apple as the exclusive source of applications, allowing users to install
third-party apps that are unavailable in the official App Store and to customize home screens, icons and
menus. It is sometimes a prelude to unlocking an iPhone or modifying its baseband so that the unit can work
with other mobile networks. Because jailbreaking disables the code-signing enforcement and sandbox
restrictions that iOS depends on, it exposes the device, and any Confidential Information on it, to malicious
applications in the same way that rooting does on Android.
Patch
A patch is a software update consisting of new computer code inserted (or patched) into the existing code of
an executable program. Patches are often interim fixes released between full versions of a software package.
Typically, they address newly discovered security vulnerabilities or software stability issues, which is why
software used for LFS business must be supported by its vendor and kept current with patches.
Rooting
Rooting is the term used to describe the process of gaining root access (privileged control) over a device,
most commonly an Android smartphone or tablet; the same term is used for other Linux-based devices.
Rooting gives a normal user, and any application the user grants it to, administrator-level permissions over
the operating system, bypassing the per-application sandbox and permission model that Android relies on.
It is related to, but distinct from, unlocking (removing carrier restrictions) and jailbreaking (the iOS
equivalent). Rooting often requires unlocking the bootloader, which disables verified boot, and a rooted
device is therefore far more susceptible to infection by malicious applications.
Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup is a communications protocol designed to simplify the setup of wireless networks in
homes and small offices. It is geared toward users who are not familiar with Wi-Fi configuration and allows
devices to be added to a network with a button press or an eight-digit PIN instead of entering the network
passphrase. Unfortunately, the PIN method is prone to brute-force attacks: the access point confirms each
half of the PIN separately, and the last digit is a checksum, so an attacker needs at most about 11,000
guesses rather than 100 million to recover the PIN and with it the network passphrase. WPS should be
disabled on any access point that carries LFS Confidential Information.
Wireless Networks
Wireless networks are computer networks whose devices communicate without cables. Using a wireless
network lets an enterprise avoid the costly process of running cables through buildings or between equipment
locations. Wireless systems are based on radio waves, so the implementation sits at the physical layer of the
network and can be received by anyone within range; this is why the encryption requirements of this Policy
apply. A Wireless Local Area Network (WLAN) is considered a Wireless Network.
REVISION HISTORY
Revision Number   Revision Date   Effective Date   Revision Details
2.7 12/2/2021 12/20/2021 3.0 Enforcement - Updated section to remove reference to termination of
Associated Persons as this is covered in Section 4.12 Items 6 & 7.
4.1 Remote Network Access - Updated Item 8 to prohibit the use of Secure Socket
Layer (SSL) protocol.
4.3 Servers - Updated section footnote to remove LFS IT Security Software
Reference document as “Attachment A” of the policy.
4.4 Workstations - Updated section footnote to remove LFS IT Security Software
Reference document as “Attachment A” of the policy.
4.5 Mobile Devices - Updated introductory paragraph for clarity and to change
scope to mobile devices that access systems with LFS confidential information.
4.5 Mobile Devices - Added Item 2 to require Zscaler on mobile devices used to
access systems with LFS confidential information.
4.5 Mobile Devices - Updated section footnote to remove LFS IT Security Software
Reference document as “Attachment A” of the policy.
4.6 Network Devices - Removed Item 7 pertaining to terminated user access
revocation due to duplication with Section 4.12 Item 6.
4.7 Business Continuity/Disaster Recovery - Added Item 5 for clarity about storing
devices for use in the event of a BC/DR declaration.
4.8 Passwords - Updated Item 4 to increase failed login attempts to 10 or less.
4.8 Passwords - Updated section footnote to remove LFS IT Security Software
Reference document as “Attachment A” of the policy.
4.10 Email - Updated Item 1 to remove reference to vendor Intermedia and update
for new methodology to enable email encryption.
4.10 Email - Modified Item 2 to require the use of the LFS email platform for all
securities related business communications.
4.10 Email - Added Item 3 to require Zscaler on any device used to send or receive
LFS email.
4.10 Email - Updated section footnote to remove LFS IT Security Software
Reference document as “Attachment A” of the policy.
4.11 Data Destruction - Updated introductory paragraph for clarity about data
destruction.
4.12 User Account Management - Updated Item 6 to limit scope of affected systems
to LFS managed systems and updated timeframe to 1 business day.
4.12 User Account Management - Updated Item 7 to add clarity for documented
user administration processes governing non-LFS managed systems located in
branch offices.
4.12 User Account Management - Added Item 8 to require the revocation of access
to LFS confidential information when a person terminates.
4.14 3rd Party Support - Updated section for clarity about NDA usage and removed
the Field Office NDA as “Attachment B” of the policy.
4.16 Vulnerability Management - Added Item 3 to require software being used for
LFS business be supported by the vendor to receive security updates.
4.16 Vulnerability Management - Updated Item 4 to provide clarity.
4.16 Vulnerability Management - Updated Item 4 to provide clarity around
vulnerability severities, remediation timeframe, and for approval & coordination of
remediation of critical vulnerabilities.
4.17 Reporting of Suspected Data Security Incidents - Updated Items 1 & 2 for
clarity about reporting security incidents involving LFS Confidential Information.
2.6 4/16/2020 4/27/2020 Updated Section 4.1 Item 3 for clarity about encryption cipher suites.
Added Section 4.1 Items 6, 7, and 8 for vendor support and discouraging use of
self-signed certificates and SSL.
Updated Section 4.2 introductory paragraph for clarity about wireless networks.
Added Section 4.2 Item 10 discouraging the use of public Wi-Fi
Updated Section 4.3 introductory paragraph for clarity about physical, virtual, or
host servers.
Added Section 4.3 Item 11 requiring full disk encryption for servers
Updated Section 4.6 Item 1 for MFA or IP restrictions
Updated Section 4.6 Item 2 for clarity about access type and encryption ciphers
Added Section 4.6 Item 11 to recommend business-class firewalls
Added Section 4.6 Item 12 to require full disk encryption for NAS devices
Added Section 4.6 Item 13 to prohibit SNMP with Public/Private community strings
Updated Section 4.9 introductory paragraph for clarity about in-scope removable
storage usage.
Updated Section 4.15 introductory paragraph for clarity about in-scope cloud
services.
Updated Section 4.15 Items 2 & 3 for clarity about ciphers for encryption in transit
and at rest.
Updated Section 4.15 Item 4 for clarity about MFA for user authentication to cloud
services.
Added Section 4.15 Item 5 recommending adherence to infosec best practices &
frameworks for cloud vendors.
Updated Section 5.0 for clarity to include cloud services as well as devices.
2.5 1/15/2019 2/5/2019 Updated Section 4.8 Item #5 requiring encryption for electronic copies of passwords.
Added section 4.13 ‘Application Security’
2.4 4/25/2018 4/30/2018 Updated appropriate sections to reflect Multi-Factor Authentication is required.
Updated section 4.7 title to 'Business Continuity/Disaster Recovery'.
Added BC/DR statement for testing backups/restore processes.
Added language to section 5.0 Compliance to consult with LFS IT Security for
exceptions.
Removed year ‘2017’ from the Footer section.
2.3 10/20/2017 10/30/2017 Added Section 4.12 Item #3 regarding periodic review of privileged user
access.
2.2 5/5/2017 5/8/2017 Policy rewritten.
1.4 12/1/2015 12/1/2015 Updated language throughout to include latest technologies such as smart phones
and tablets.
Updated Section 4.1.5 – Encryption: to include language pertaining to smart phone
and tablet encryption.
Updated Section 4.3.2 – Wireless: to outline the difference between WPA2 and
WPA. Denied the use of WEP.
Updated Section 5.2 – Email Encryption: to include directions on how to send
encrypted email for those using the Lincoln provided intermedia hosting solution.
1.3 9/1/2013 10/1/2013 Added statement in Section 5.0 – Information Handling and Privacy Standards:
All LFS Associated Persons must comply with the Lincoln Financial Network
(LFN) Information Handling Policy.
Added Section 5.2 – Email Encryption