Unless otherwise specified, this Procedure will apply to Genworth, its subsidiaries
and their employees and contractors, data centers, and all business premises. The
term "IT" will refer to Genworth Mortgage Insurance Information Technology and may
be used interchangeably with Genworth Mortgage Insurance Information Systems.
Every employee must have a unique log-on ID. Users are responsible for and will
be held accountable for the use of their assigned log-on ID. This ID is not to be
shared among users. The password is not to be divulged to another user.
User accounts will be disabled at termination of employment (or assignment in the
case of contract and temporary workers).
Genworth utilizes Network Admission Control (NAC) technology for remote access.
Only Genworth-owned and managed machines are permitted to establish VPN access to
the network. Remote access to non-Genworth machines is limited to specific services
(usually HTTPS) and must be approved by the business security leader.
Remote access accounts will be disabled at termination of employment (or assignment
in the case of contract and temporary workers).
When a user has a significant change in duties, such as a transfer to another department,
the user's access permissions will be reviewed and modified. If the user's new department
and responsibilities no longer require access to consumer data, this access will
In general, employees will not have direct access to data files and databases containing
consumer data. Access to the consumer data will be delivered by way of an application—meaning
presentation software and business logic (such as RMG, eMI, AccessPlus) that will
determine what the user may see and do. Applications containing consumer data will
be secured. These applications will provide a level of security limiting access
to consumer data to those who have access to the application. Sensitive data elements
will be masked on screens for users without a specific “need to know”. Applications
will be responsible for the updates to consumer data and will perform appropriate
edit procedures to ensure the integrity of the data.
Authorized employees may be permitted to have direct access to data sources such
as files and databases. System software logging and audits will be enabled where
applicable to explicitly monitor direct access to data files and databases containing
Excluding email, as explained in the next section, consumer data transmitted by
Genworth on public networks, such as the Internet, will be encrypted by Systems.
Thus, consumer data transmitted by Genworth on the Internet to and from its web
sites will be encrypted automatically. The following are examples of our encryption
When a third-party recipient has the technology available, an acceptable and recommended
method of encrypting consumer data is to utilize applications with a "password protection"
and associated file encryption option, and send the document as an email attachment.
The password must be exchanged using an alternate communication channel (e.g. telephone).
Applications and data protection methods will be approved by the Genworth Mortgage
Chief Security Officer.
In instances when encryption cannot be used, or if the recipient gives us contrary
instructions, the following cautionary language should be added to the email.
Notice: This message is confidential and is intended only for the recipient(s) named
above. If you have received this message in error, or are not the named recipient(s),
please immediately notify the sender at [phone#] and delete this message from your
computer. Thank you for your cooperation.
Private network connections between Genworth and "trusted" partners will be isolated
and firewalled such that only required services are open and available on these
connections. Genworth will manage the firewalls on its end of the connections to
Access to servers and network devices (switches, routers, firewalls) will be limited
to authorized employees. Configuration changes to servers and network devices will
be made by authorized employees only after approval pursuant to the IT Change Control
Genworth will run network intrusion prevention devices to identify and automatically
block unauthorized or unwanted traffic on its internal network to ensure the integrity
of controls (firewalls). Critical servers will be monitored by host intrusion detection
software to detect unauthorized access or unauthorized changes to the system.
Genworth will have third-party vulnerability tests of the network perimeter performed
on at least a quarterly basis.
Genworth applications undergo an annual attestation process requiring business application
owners to sign off on the security of their applications. Genworth internal audit
staff regularly audits applications and databases to ensure validity of attestations.
IT will be responsible for computers located in the data centers and will ensure
the availability and integrity of those computers. IT will perform timely backups
of all computer storage to ensure the recoverability of those systems. Backup files
will be taken to an offsite storage facility to provide for availability in
the event of a disaster such as fire, flood, storm, etc. A minimum of one copy of
consumer data resides offsite. Backup tapes will only be available to IT staff,
authorized IT staff, and staff members of the offsite tape management facility.
The tape management facility will execute an appropriate agreement preventing it
from using or disclosing the data tapes. As an additional security measure, all
backup tapes are encrypted.
On non-mainframe platforms, consumer data is encrypted at rest (on disk) for all
primary storage (i.e., databases, disk backup spaces, and file shares) using
high-speed encryption appliances in the storage network.
Disaster recovery plans for the data centers have been developed. Recovery procedures
for individual computer systems will be tested on a periodic basis. Recovery of
the data centers will be tested on an annual basis.
Genworth Mortgage Insurance undergoes periodic risk evaluations of vendors receiving
consumer data and performs security assessments of vendor technical environments
to ensure compliance with Genworth customer requirements.
Genworth Mortgage Insurance has adopted the BITS/FISAP shared assessment program
as a standard methodology and has completed the AUP with a third-party audit firm.
The AUP report and SIG are available to customers upon request.
Revised: May 2011