Pillar 3 – Privacy and Information Security

3.01 Information Security Policy and Privacy Policy

Information is an asset which, like any other asset owned by the Company, has significant value. Information security is a critical component in ensuring the confidentiality, integrity and availability of information. This policy has been developed to establish the minimum requirements necessary to protect information assets against unauthorized access, modification or destruction, covering both physical and network security.

Scope:

The Policy pertains to all types of information resources, including:

(1) Hardcopy data printed or written on paper

(2) Data stored electronically

(3) Communications sent by mail, courier or transmitted electronically

(4) Removable Media including but not limited to information stored on tape, CD/DVD, video, and USB flash drive

(5) Recorded audio

Evidence: Information Security Policy, Privacy Policy

Privacy Awareness Training (Available upon written request)

Applicable parties: All GATCO personnel

3.01(a) - Designate Reviewer of Information Security Policy and Privacy Policy

The Company has appointed individual(s) to review and make recommendations for changes to the Information Security Policy and Privacy Policy. These individuals are responsible for coordinating and overseeing the Information Security Policy and Privacy Policy.

Applicable parties: Ronnie Matthews, Chairman

Mike McCoy, Information Security Officer

3.01(b) - Management Approval of Information Security Policy and Privacy Policy

On an annual basis, or as necessary based on a change in operations, legal and regulatory requirements, industry best practices, or available technology, management reviews, updates and approves the Information Security Policy and Privacy Policy. If exceptions to the Information Security Policy and Privacy Policy are necessary, the request is evaluated by the individual responsible for the Policy. Approved exceptions will be documented and recorded.

Annual Approval of the existing Information Security Policy and Privacy Policy is performed by management by January 31st of each year. Applicable parties shall request annually First American’s SOC-1/SSAE 16 to obtain evidence of testing, frequency of testing, approach for testing, remediation, exceptions and/or control gaps.

Evidence: Information Security Policy, Privacy Policy

Applicable parties: Management and Information Security Officer

3.01(c) – Distribution of Information Security Policy and Privacy Policy

Upon approval, management distributes the Policies to Applicable Parties, who acknowledge receipt. Policy delivery and acknowledgement are recorded on the Employee Tracking Log.

Information Security Policy and Privacy Policy are distributed to all personnel by January 1st of each year and acknowledged by February 28th.

Evidence: Employee Tracking Log, Acknowledgement Form (Available upon written request)

Applicable parties: HR Manager and Corporate Admin

3.01(d) - Background Checks for Employees

At hire, a background check will be performed for all employees who have access to NPI, unless prohibited by law.

(1) Order background check.

(2) Background check results are reviewed and then approved or denied by management.

(3) At least every three years the Company obtains background checks going back five years, which are reviewed and then approved or denied by management.

(4) Place evidence (invoice/documentation) in a single location such as the employee file.

Background Checks are run on all employees prior to hire and once every 3 years thereafter.

Evidence: Employee Tracking Log (Available upon written request).

Applicable parties: HR Manager, Corporate Admin

3.01(e) - Background Checks for Service Providers

The Company obtains and stores proof that a background check has been performed for all Service Providers that have access to NPI or Company information systems. Background Search Information and Non-Disclosure Agreements are held in the TPSP Vendor Files and are available.

Evidence: TPSP Non Disclosure Confidentiality Agreement, IT Outsourcing Policy, TPSP Tracking Log (Available upon written request)

Applicable parties: HR Manager, Corporate Admin, Management

3.02 – Clean Desk Policy

The Company maintains a Clean Desk Policy to reduce the threat of a security incident to NPI.

3.02(a) – Clean Desk Policy

All Applicable Parties must comply with the Company’s Clean Desk Policy.

The Information Security Officer annually reviews the Escrow Branch Offices, Title Plant Department and Administrative Department to ensure compliance with the policy. The Information Security Policy Audit Checklist is submitted to Management for review.

Evidence: Clean Desk Policy, Information Security Policy Audit Checklist (Available upon written request)

Applicable parties: All GATCO Personnel

3.03 – Risk Identification and Assessment Policy

The Company maintains a Risk Identification and Assessment Policy which assesses risk including locations, systems, and methods for storing, processing, transmitting, and disposing of NPI.

Security Risk Assessments that rank risks, including locations, systems and methods for storing, processing, transmitting and disposing of NPI can be found in individual Disaster Recovery and Continuity Plans.

3.03(a) – Risk Identification and Assessment Policy

Risk Evaluation and Implementation of Controls:

(1) Identify and prioritize risks associated with the protection of NPI. These risks are evaluated by:

(a) The impact and likelihood of an occurrence

(b) Estimated costs and impact if an event actually occurred

(c) Evaluation of the priority based on the impact, likelihood, costs and other important factors

(d) Location of NPI (onsite and offsite)

(e) Access by Applicable Parties

(2) Implement controls to mitigate risks where appropriate (e.g. firewall, encrypted USB flash drive, implementing patches or software fixes).

Risk Assessment Testing:

(1) Risk Assessment is tested annually by an internal or external resource.

(2) Track any exceptions and/or control gaps on the Risk Assessment Worksheet.

(3) Management evaluates and responds to the Risk Assessment Worksheet, including a timeframe for remediation.

Risk Assessment Remediation:

Exceptions and/or control gaps are remediated by one of the following methods:

(1) Reduce or eliminate the risk.

(2) Changes are made to procedures as applicable based on the risks perceived, the scope and types of activities, and access to NPI.

(3) Obtain documented approval from Management whenever the Company deviates from the Information Security Policy or Privacy Policy.

Completion of remediated items is documented on the Risk Assessment Worksheet.

Risk Assessment Review:

An annual review covers, but is not limited to: information systems, including network and software design; information processing, storage and disposal; and detecting, preventing and responding to attacks, intrusions or other system failures.

Evidence: Risk Assessment Worksheet, Disaster Recovery and Continuity Plan(s), Information Security Policy Audit Checklist (Available upon written request)

Applicable parties: Information Security Officer, Escrow Personnel (Branch Managers ONLY), Examiners (Title Plant Manager ONLY), Corporate Admin, HR Manager, Management

3.04 – Employee Training, Management, and Responsibilities Policy

The Company provides management and training for Applicable Parties to help ensure compliance with the Information Security Policy and Privacy Policy.

3.04(a) – Employee Training

At hire and annually, the Information Security Policy and Privacy Policy are emphasized through training to Applicable Parties. The training covers their responsibilities for handling, protecting and destroying NPI, and includes the Acceptable Use of Information Technology Policy, Information Security Policy, Privacy Policy, and the Retention Policy.

Evidence: Acceptable Use of Information Technology Policy, Information Security Policy, Privacy Policy, Retention Policy, Employee Tracking Log, Acknowledgement Form (Available upon written request).

Applicable parties: HR Manager and Corporate Admin

3.04(b) – Violations: Reporting and Penalties

Applicable Parties are required to report (perceived or actual) violations of the Information Security Policy and/or Privacy Policy to their immediate supervisor. Violation of the Information Security and Privacy Policy may result in disciplinary action, up to and including termination.

Evidence: Incident Response Policy, Security Incident Report and Notice of Policy Noncompliance (Available upon written request)

Applicable parties: All GATCO Personnel

3.05 – Information Security Policy

All information stored, handled or processed by the Company is protected by controls appropriate for the associated level of risk and impact.

Evidence: Information Security Policy

Applicable parties: All GATCO Personnel

3.05(a) – Logical Access

Onsite and offsite Logical Access:

(1) Each Applicable Party is required to have a unique User ID and password which is not shared. The User ID will be permanently decommissioned when no longer required.

(2) Passwords must follow the Company’s Password Policy.

(3) Assign appropriate access provisioning based on business need.

(4) The CFPB committee shall annually review access provisioning for users in accordance with policy and business needs.

Segregation of Duty Note: Individuals with the ability to add, modify and remove user access are not assigned to perform business transactions within the system.

Evidence: Password Policy, Information Security Audit Checklist (Available upon written request)

Applicable parties: All GATCO Personnel

3.05(b) – Physical Security Controls

The Company incorporates all contractual and legal requirements based on local, state and federal law into the physical security controls for every location where NPI is stored or other restricted areas. Review of controls is conducted annually.

(1) The Company uses secure points of entry into buildings and any interior offices where NPI is stored or other restricted areas, and requires access codes or personal keys/fobs.

(2) As applicable, physical access to the data center, server room or offsite storage will be granted according to the employee’s role, the level of access necessary to perform the duties associated with that role, and the data category (Public, Internal Use Only, NPI).

(3) Company equipment and devices, keys/fobs, material, hardware and software, Removable Media and any documents will be returned upon termination of employment or contract. User accounts and network access, including remote access, will be immediately disabled for terminated Applicable Parties.

Evidence: Information Security Policy Audit Checklist (Available upon written request)

Applicable parties: ISO, HR Manager, Corporate Admin, Escrow Accounting, Management

3.05(c) – Network Security Controls

The Company incorporates all contractual and legal requirements based on local, state and federal law into the network security controls where NPI is stored. Review of controls is conducted annually.

Evidence: Network Security Policy, Remote Access Policy, Company Tracking Log and Information Security Policy Audit Checklist (Available upon written request)

Applicable parties: Management, Information Security Officer

3.05(d) – Password Policy

Evidence: Password Policy

Applicable parties: All GATCO Personnel

3.05(e) – Restricting use of Removable Media with NPI

Evidence: NPI or Confidential Data Policy

Applicable parties: All GATCO Personnel

3.06 – Acceptable Use of Information Technology Policy

The Company has established an Acceptable Use of Information Technology Policy that describes acceptable use of Company assets and systems, including but not limited to use of Internet, email, and equipment. The Company has the right to monitor networks, computer systems, internet usage and email for Applicable Parties to confirm compliance with the Policy.

Evidence: Acceptable Use of Information Technology Policy

Applicable parties: All GATCO Personnel

3.07 – Privacy Policy

Evidence: Privacy Policy

Applicable parties: All GATCO Personnel

3.07(a) – Designate Reviewer of Privacy Policy

The Company appoints an individual(s) to review and make recommendations for changes to the Privacy Policy.

Applicable parties: Management

3.07(b) – Management Approval of Privacy Policy

On an annual basis, or as necessary based on a change in operations, legal and regulatory requirements, industry best practices, or available technology, management reviews, updates and approves the Privacy Policy. If exceptions to the Policy are necessary, the request will be evaluated by the individual responsible for the Privacy Policy. Any approved exceptions will be documented and recorded.

Evidence: Information Security Policy Audit Checklist, Company Tracking Log (Available upon written request)

Applicable parties: Management, Information Security Officer, Corporate Admin

3.07(c) – Provide Privacy Policy

The Company provides the Privacy Policy to its customers as required by law. Proof of notification to customer is retained by the Company in the Guaranty Files. The Privacy Policy is accessible by customers through the Company website.

Evidence: Guaranty Files (Available upon written request)

Applicable parties: Management

3.08 – Record Retention and Disposal Policy

The Company maintains a Data Classification Policy and Retention Policy based on the classification of information (Public, Internal Use Only, NPI) and all legal and contractual requirements along with applicable industry standards. Data classified as Public is excluded from retention unless deemed necessary by management.

Evidence: Data Classification Policy, Retention Policy

Applicable parties: Information Security Officer, Escrow Personnel

3.09 – Overseeing Service Providers

The Company takes reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPI.

Applicable parties: Management

3.09(a) – Overseeing Service Providers Procedure

(1) Select - Prior to selection of Service Providers, due diligence will be required, such as an evaluation of their security policies, background screening of staff, financial viability, insurance coverages, references and disaster recovery plans. Due diligence materials are retained.

(2) Verify - The contract provisions, service level agreements and non-disclosure agreements between the Company and the Service Providers will be in accordance with the Company’s Information Security Policy and Privacy Policy. The contract and agreements provide appropriate remedies for violations.

(3) Implement - Service Providers will implement appropriate security controls in accordance with the objectives of the Company’s Information Security Policy and Privacy Policy.

(4) Monitor - Where Service Providers are subject to expanded safeguards as applicable by regulatory, legislative or contractual obligations, the Company will monitor those expanded safeguards.

(a) The Company designates an employee as the Service Provider contact.

(b) The Company Service Provider contact monitors performance on a regular basis.

(c) If contract provisions, service level agreements or non-disclosure agreements are violated, the Company Service Provider contact takes appropriate action.

Evidence: TPSP Non-Disclosure Agreements, Background Checks, Company Tracking Log/TPSP Section (Available upon written request)

Applicable parties: Management, Operating Accounting, HR Manager, Corporate Admin

3.10 – Data Breach Incident Reporting Policy

The Company monitors for and investigates attacks/intrusions, and responds to Data Breach incidents.

3.10(a) – Data Breach Incident Reporting Procedure

The Company has designated the Information Security Officer as the Data Breach contact for implementing this procedure.

Evidence: Data Breach Incident Reporting Policy, Incident Response Policy

Applicable parties: All GATCO Personnel

3.11 – Disaster Recovery and Continuity Plan(s)

Disaster Recovery and Continuity Plan(s) are in place to protect critical business processes from effects of failures or disasters. These plans ensure secure methods to protect NPI, Company information and the timely resumption of business information systems.

3.11(a) – Disaster Recovery and Continuity Plan(s)

(1) Identify and prioritize critical business components.

(a) Physical Offices

(b) Equipment

(c) Applications and services

(d) Network

(e) Telecom

(f) Loss of critical Service Providers

(2) Identify risks to critical business components.

(a) Environmental (e.g. fire, flood, storm)

(b) Technological (e.g. hard drive failure, loss of internet)

(c) Vandalism (e.g. malicious computer attack)

(3) Identify timely restoration and alternative workarounds for each critical business component.

(a) Scheduled tasks to be completed

(b) Owner of scheduled tasks

(c) Applications and services to be recovered

(4) Identify individuals to institute workarounds, including contact information.

(5) Backups are made and maintained for all data, including at offsite and secure locations (see Backup Policy).

(6) Recovery of systems and data must be tested periodically to ensure that processes and procedures are effective.

(7) Results of testing are documented on the Tracking Log.

(8) Copies of the Disaster Recovery and Continuity Plan(s) are distributed to all individuals who require them in case of emergency.

3.11(b) – Testing of Disaster Recovery and Continuity Plan(s)

(1) At least one (1) Disaster Recovery and Continuity Plan is to be tested annually.

(2) Track any exceptions and/or control gaps.

(3) Management evaluates and responds, including a timeframe for remediation.

Evidence: Disaster Recovery and Continuity Plan(s), Information Security Policy Audit Checklist, Company Tracking Log (Available upon written request)

Applicable parties: Information Security Officer, Management, Corporate Admin, Branch Escrow Managers, Title Plant Manager, HR Manager