GENWORTH MORTGAGE INSURANCE
SECURITY PROCEDURE

The purpose of this Security Procedure is to ensure proper safeguards for appropriate levels of confidentiality of all consumer data. This Procedure provides for the proper care of consumer data from all sources, and includes procedures for the preservation and restoration of data in the event of a disaster. This Procedure applies to all business locations.

Unless otherwise specified, this Procedure will apply to Genworth, its subsidiaries and their employees and contractors, data centers, and all business premises. The term "IT" will refer to Genworth Mortgage Insurance Information Technology and may be used interchangeably with Genworth Mortgage Insurance Information Systems.

Genworth workers who work with physical files containing consumer data, including paper documents, computer diskettes, CDs, and magnetic tapes, should not leave consumer data in plain view unattended. This rule also applies to consumer data appearing on computer screens. Such screens should be closed, minimized or set to a screen saver if the user leaves the workstation. Additionally, when such files are no longer needed for business purposes, the files should be destroyed. A log-on ID and password are required for access to all of Genworth's network and information systems, including those containing consumer data. These passwords are to be changed on a regular basis.

IT Security will test passwords on a regular basis to determine the relative strength of user passwords by utilizing password "cracking" software. IT Security reserves the right to require users to change their passwords if they are determined to be unacceptably weak. Administrator account passwords that are "cracked" will be changed immediately.

Every employee must have a unique log-on ID. Users are responsible for and will be held accountable for the use of their assigned log-on ID. This ID is not to be shared among users. The password is not to be divulged to another user.

User accounts will be disabled at termination of employment (or assignment in the case of contract and temporary workers). Accounts showing no activity for a period of 60 days will be automatically disabled.

Remote access to Genworth's network requires two-factor authentication. A log-on ID and password will not be sufficient. To gain access, the user must provide the log-on ID, a PIN, and a one-time password generated by a key-fob (a device that generates a one-time password). At present, Genworth utilizes RSA SecurID™ technology. Any user requiring remote access to the network will be assigned a SecurID key-fob that will be associated with his or her user account. Upon access to the network, users will then have to authenticate to network resources and information systems with their normal log-on ID and password.

Remote access accounts will be disabled at termination of employment (or assignment in the case of contract and temporary workers).

Access to consumer data is granted to employees when their duties and responsibilities require access. Consumer data will reside on a secured server or database. For further control, departmental business owners must authorize each employee's access to the specified data.

When a user has a significant change in duties, such as a transfer to another department, the user's access permissions will be reviewed and modified. If the user's new department and responsibilities no longer require access to consumer data, this access will be revoked.

In general, employees will not have direct access to data files and databases containing consumer data. Access to the consumer data will be delivered by way of an application - meaning presentation software and business logic (such as RMG, Underwriter Workstation, Claude, GEMortgageInsurance.com) that will determine what the user may see and do. Applications containing consumer data will be secured. These applications will provide a level of security limiting access to consumer data to those who have access to the application. Applications will be responsible for the updates to consumer data and will perform appropriate edit procedures to ensure the integrity of the data.

Authorized employees may be permitted to have direct access to data sources such as files and databases. System software logging and audits will be enabled where applicable to explicitly monitor direct access to data files and databases containing consumer data.

Data transmitted by Genworth on its private network (intranet) will not require encryption. This will include the local area networks owned and managed by Genworth as well as networks owned and managed by Genworth Financial, Inc.

Excluding email, which is addressed below, consumer data transmitted by Genworth on public networks, such as the Internet, will be encrypted by Systems. Consumer data transmitted by Genworth on the Internet to and from its web sites will therefore be encrypted automatically. The following are examples of our encryption methods for Internet browser-based applications. Web developers will incorporate SSL encryption to ensure that:

  • "Chat" will be conducted with a minimum of 40 bit encryption.
  • Transactions containing consumer data will be conducted with a minimum of 128 bit encryption.
  • Internet ftp file transmissions involve 128 bit or stronger encryption (1024 bit recommended), using the public key provided by the recipient.
  • Additional methods may be used with the approval of Genworth's Chief Security Officer.

Genworth strongly encourages the use of encryption of consumer data for email transmitted over the Internet.

When a third-party recipient has the technology available, an acceptable and recommended method of encrypting consumer data is to place the consumer data in an MS Excel or MS Word document, enable the "password protection" option, and send the document as an email attachment. The password must be exchanged using an alternate communication channel (e.g. telephone). This solution is recommended for consumer data when the customer has the capability of using Microsoft Office 97 or later versions.

In instances when encryption cannot be used, or if the recipient gives us contrary instructions, the following cautionary language should be added to the email.

Notice: This message is confidential and is intended only for the recipient(s) named above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender at [phone#] and delete this message from your computer. Thank you for your cooperation.

The Internet connection will be secured with multiple firewalls and proxy servers. Only required services will be open and available on this connection.

Private network connections between Genworth and "trusted" partners will be isolated and firewalled such that only required services are open and available on these connections. Genworth Mortgage Insurance will manage the firewalls on its end of the connections to ensure integrity.

Access to servers and network devices (switches, routers, firewalls) will be limited to authorized employees. Configuration changes to servers and network devices will be made by authorized employees only after approval pursuant to the IT Change Control Procedure.

Genworth will run network intrusion detection devices to identify unauthorized or unwanted traffic on its internal network to ensure the integrity of controls (firewalls). Critical servers will be monitored by host intrusion detection software to detect unauthorized access or unauthorized changes to the system.

Storage of consumer data is not permitted on individual user workstations. Only software and temporary or work files should be stored on workstation hard drives. All user files and data must be stored on secured servers located in the data center or on the mainframe. Access to secured servers will be provided via mapped network drives and through applications connecting to databases on secured servers. Access to the mainframe will be provided via 3270 applications or client applications connecting to databases and transaction servers on the mainframe.

IT will be responsible for computers located in the data centers and will ensure the availability and integrity of those computers. IT will perform timely backups of all computer storage to ensure the recoverability of those systems. Backup files will be taken to an offsite storage facility to provide for availability in the event of a disaster such as fire, flood, storm, etc. A minimum of one copy of consumer data resides offsite. Backup tapes will be available only to IT staff, authorized IT staff, and staff members of the offsite tape management facility. The tape management facility will execute an appropriate agreement preventing it from using or disclosing the data tapes.

Disaster recovery plans for the data centers have been developed. Recovery procedures for individual computer systems will be tested on a periodic basis. Recovery of the data centers will be tested on an annual basis.

Access to document storage facilities will be limited to employees when "necessary" to perform their duties and responsibilities. Storage facilities will remain locked to prevent unauthorized access and will be equipped with fire detection devices and sprinkler systems to guard against loss in the event of fire.

Access to data centers will be limited to authorized employees, and entry will be controlled via a security badge. Vendor technicians (e.g. computer hardware technicians, telephone system engineers, etc.) are not permitted in the data center unaccompanied. An authorized employee will accompany and monitor vendor technicians at all times in the data centers. Vendors must adhere to security and confidentiality agreements safeguarding consumer data residing on vendor-owned and -managed systems. Further, vendors may not use or share consumer data, including vendors providing offsite storage services (such as backup tapes).

Security procedures and practices are subject to audits by the Genworth Financial Audit Staff as well as internal review processes. Any change which may impact consumer data, including application changes, software installation on servers, server configuration changes, network device configuration changes, database changes, etc., must undergo review through the IT Change Control Procedure. This assures effective review by management prior to implementation of changes that could impact the security of consumer data.

A breach of consumer data security may be considered a major incident requiring action via the Incident Response Process, subject to review by the Chief Security Officer. All such incidents are required to be identified and reported so that corrective action can be taken. Corrective action will address both immediate and follow-up actions to minimize the impact, to facilitate investigation, to ensure proper collection of evidence, to inform management, and to restore services during and after a security incident.

The Genworth data security policy begins with the employee. All employees, contractors, and temporary workers will be trained with respect to policies and procedures pertaining to data security and will be required to acknowledge these policies and procedures. All workers understand that violation of data security policy is grounds for disciplinary action, up to and including termination of employment. Genworth IT will monitor this Procedure for compliance and may make changes to this Procedure as needed to accommodate technological and other changes. Changes may be implemented without notice.

Revised: September 2006

1. This Privacy Policy applies only to Genworth's US-based operations.