Cyber Security Policy

The purpose of this policy is to (a) protect CRS data and infrastructure (b) outline the protocols and guidelines that govern cyber security measures, (c) define the rules for company and personal use, and (d) list the company’s disciplinary process for policy violations. We at CRS
take preserving the security of our data and technology infrastructure very seriously.

The more we rely on technology to collect, store and manage information, the more vulnerable  we have become to experience severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company’s reputation. For these reasons, we have implemented a number of security measures.

We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.

This policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.

Confidential data defined as, but not limited to:

• Unpublished and classified financial information
• Data of clients/suppliers/partners/vendors
• Client leads and sales-related information
• Census data such as SSN, dates of birth, etc.
• Employees’ passwords, assignments & personal information
• Customer lists (existing and prospective)
• Company contracts (service agreements) and legal confidential records

All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.

When employees use their digital devices to access company emails or accounts, they
introduce security risk to our data. We advise our employees to keep both their personal and
company-issued computer, tablet and cell phone secure. They can do this if they:

• Keep all devices password protected.
• Choose and upgrade a complete antivirus software.
• Ensure they do not leave their devices exposed or unattended.
• Install security updates of browsers and systems monthly or as soon as updates are
  available.
• Log into company accounts and systems through secure and private networks only.
• Two factor authentication when available.

We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

When new hires receive company-issued equipment they will receive instructions for:

• Password management tool setup.
• Installation of antivirus/ anti-malware software.

They should follow instructions to protect their devices and refer to our IT Company if they have any questions.

Emails often host scams and malicious software. To avoid virus infection or data theft, we
instruct employees to:

• Avoid opening attachments and clicking on links when the content is not adequately
  explained (e.g. “watch this video, it’s amazing.”)
• Be suspicious of clickbait titles (e.g. offering prizes, advice.)
• Check email and names of people they received a message from to ensure they are
  legitimate.
• Look for inconsistencies or give away signs (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.)
• Our IT Company has trained everyone as to what to look for when it comes to suspicious or inconsistent clues that might help us know an email should not be clicked on. We use KnowBe4 for training purposes of all of our employees thru our IT company.
• Our IT Company actively monitors dark web hits on our email addresses. They proactively reach out to assist if any items are found.
• We have a spam/email filter thru O365 that also helps detect spam, viruses & malware before they come into our inbox.

If an employee isn’t sure that an email they received is safe, they can refer to our IT Company for assistance. Whenever there has been a questionable email, the IT Company scans/reviews it before the employee opens it up.

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to:

• Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
• Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done. If it kept digital, it must be password protected so no
  one else can access it.
• Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees should prefer the phone instead of email, and only if they personally recognize the person they are talking to.
• Change their passwords every six months.

Remembering a large number of passwords can be daunting. We have purchased the services
of a password management tool (BitWarden) which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the
abovementioned advice.

All employees must use this password management tool which has enforced 2-factor authentication access.

Transferring data introduces security risk. Employees must:

• Avoid transferring sensitive data (e.g. client data information, employee records) to other devices or accounts unless absolutely necessary. When we do have to transfer/share (internally or externally) confidential data, we use a product called Citrix File Sharing (ShareFile). ShareFile is a secure content collaboration, file sharing & sync software that
  supports all the document that a small business would use (Word, Excel, PDF, etc.).
• Share confidential data over the company network/ system and not over public Wi-Fi or private connection.
• Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
• Report scams, privacy breaches and hacking attempts.

Our IT Company needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our IT company will investigate promptly, resolve the issue and send a companywide alert when necessary (our IT Company is available to CRS 24/7 including holidays)

Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.

To reduce the likelihood of security breaches, we also instruct our employees to:

• Turn off their screens and lock their devices when leaving their desks.
• Report stolen or damaged equipment as soon as possible to Kristine Faby (Vice President of CRS).
• Change all account passwords at once when a device is stolen.
• Report a perceived threat or possible security weakness in company systems.
• Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
• Avoid accessing suspicious websites.

We also expect our employees to comply with our social media and internet usage policy. These our outlined in our employee handbook & each employee must sign off on receiving & reading this material.

Our IT Company has:

• Configured AWS firewall in hosted environment, installed EDR & anti-malware software and configured 2-factor authentication access to our systems.
• Arrange for security training to all employees (KnowBe4 is one example of this training
  mentioned earlier in this policy).
• Inform employees regularly about new scam emails or viruses and ways to combat them.
• Investigate security breaches thoroughly.
• Follow this policies provisions as other employees do.

All of our employees are remote and work from home. Everyone must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and
ensure their private network is secure.

We encourage them to seek advice from our IT Company. When CRS went fully remote, our IT Company helped set everything up on AWS (Amazon Web Services) and added additional security training to the employees.

We expect all our employees to always follow this policy and those who cause security breaches may face disciplinary action:

• First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
• Intentional, repeated or large scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination. We will examine each incident on a case-by-case basis.

Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.

Everyone, from our clients to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.