GENWORTH MORTGAGE INSURANCE INFORMATION SECURITY PROCEDURE

The purpose of this Security Procedure is to ensure proper safeguards for appropriate levels of confidentiality of sensitive consumer data. This Procedure provides for the proper care of such data from all sources, and includes procedures for the preservation and restoration of data in the event of a disaster. This Procedure applies to all business locations.

Unless otherwise specified, this Procedure will apply to Genworth, its subsidiaries and their employees and contractors, data centers, and all business premises. The term "IT" will refer to Genworth Mortgage Insurance Information Technology and may be used interchangeably with Genworth Mortgage Insurance Information Systems.

Genworth workers who work with physical files containing consumer data including paper documents, computer diskettes, CD's, DVD's, USB storage devices, and magnetic tapes should not leave consumer data in plain view unattended. This rule also applies to consumer data appearing on computer screens. Such screens should be closed, minimized or set to a screen saver if the user leaves the workstation. Additionally, when such files are no longer needed for business purposes, the files should be destroyed. A log-on ID and password are required for access to all of Genworth's network and information systems, including those containing consumer data. These passwords are to be changed on a regular basis. Genworth has a password filter to enforce minimum password complexity requirements for passwords.

Every employee must have a unique log-on ID. Users are responsible for and will be held accountable for the use of their assigned log-on ID. This ID is not to be shared among users. The password is not to be divulged to another user.

User accounts will be disabled at termination of employment (or assignment in the case of contract and temporary workers).

Remote access to Genworth's network requires two-factor authentication. A log-on ID and password will not be sufficient. To gain access, the user must provide the log-on ID, a PIN number, and a one-time password generated via a key-fob (A device that generates a one-time password). At present, Genworth utilizes an industry leading two-factor authentication technology. Any user requiring remote access to the network will be assigned a token that will be associated with his or her user account. Upon access to the network, users will then have to authenticate to network resources and information systems with their normal log-on ID and password.

Genworth utilizes NAC technology (Network admission control) for remote access. Only Genworth owned and managed machines are permitted to establish VPN access to the network. Remote access to non-Genworth machines is limited to specific services (usually HTTPS) and must be approved by the business security leader.

Remote access accounts will be disabled at termination of employment (or assignment in the case of contract and temporary workers).

Access to consumer data is granted to employees when their duties and responsibilities require access. Consumer data will reside on a secured server or database. For further control, departmental business owners must authorize each employee access to the specified data.

When a user has a significant change in duties, such as a transfer to another department, the user's access permissions will be reviewed and modified. If the user's new department and responsibilities no longer require access to consumer data, this access will be revoked.

In general, employees will not have direct access to data files and databases containing consumer data. Access to the consumer data will be delivered by way of an application—meaning presentation software and business logic (such as RMG, eMI, AccessPlus) that will determine what the user may see and do. Applications containing consumer data will be secured. These applications will provide a level of security limiting access to consumer data to those who have access to the application. Sensitve data elements will be masked on screens for users without specific “need to know”. Applications will be responsible for the updates to consumer data and will perform appropriate edit procedures to ensure the integrity of the data.

Authorized employees may be permitted to have direct access to data sources such as files and databases. System software logging and audits will be enabled where applicable to explicitly monitor direct access to data files and databases containing consumer data.

Genworth Mortgage Insurance has implemented hard drive encryption on all computers not in Genworth offices. This covers all laptop computers and any desktop machine not on Genworth premises (i.e. at customer sites, in employee homes, etc.). In addition, Genworth Mortgage Insurance instructs users on the proper use of portable/removable storage media. Data transmitted by Genworth on its private network (intranet) will not require encryption. This will include the local area networks owned and managed by Genworth as well as networks owned and managed by Genworth Financial, Inc.

Excluding email, as explained in the next section, consumer data transmitted by Genworth on public networks, such as the Internet, will be encrypted by Systems. Thus, consumer data transmitted by Genworth on the Internet to and from its web sites will be encrypted automatically. The following are examples of our encryption methods.

  • Internet browser-based applications: Web developers will incorporate SSL encryption to ensure that:
  • Transactions containing consumer data will be conducted with a minimum of 128 bit encryption.
  • Internet ftp file transmissions involve 128 bit or stronger encryption (1024 bit recommended), using the public key provided by the recipient.
  • Additional methods may be used with the approval of the Genworth Mortgage Chief Security Officer.
Genworth strongly encourages the use of encryption of consumer data for email transmitted over the Internet.

When a third party recipient has the technology available, an acceptable and recommended method of encrypting consumer data is to utilize applications with a "password protection" and associated file encryption option, and send the document as an email attachment. The password must be exchanged using an alternate communication channel (e.g. telephone). Applications and data protection methods will be approved by the Genworth Mortgage Chief Security Officer.

In instances when encryption cannot be used, or if the recipient gives us contrary instructions, the following cautionary language should be added to the email.

Notice: This message is confidential and is intended only for the recipient(s) named above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender at [phone#] and delete this message from your computer. Thank you for your cooperation.
The Internet connection will be secured with multiple firewalls and proxy servers. Only required services will be open and available on this connection.

Private network connections between Genworth and "trusted" partners will be isolated and firewalled such that only required services are open and available on these connections. Genworth will manage the firewalls on its end of the connections to ensure integrity.

Access to servers and network devices (switches, routers, firewalls) will be limited to authorized employees. Configuration changes to servers and network devices will be made by authorized employees only after approval pursuant to the IT Change Control Procedure.

Genworth will run network intrusion prevention devices to identify and automatically block unauthorized or unwanted traffic on its internal network to ensure the integrity of controls (firewalls). Critical servers will be monitored by host intrusion detection software to detect unauthorized access or unauthorized changes to the system.

Genworth will have third party vulnerability tests of the network perimeter performed on at least a quarterly basis.

Genworth Mortgage Insurance will perform application security assessments as part of the application software development life cycle. This will include vulnerability scanning of applications and servers for all applications, internal and external. External facing customer applications will be vulnerability scanned by a third party on a regularly scheduled basis as an additional measure of assurance.

Genworth applications undergo an annual attestation process requiring business application owners to sign off on the security of their applications. Genworth internal audit staff regularly audits applications and databases to ensure validity of attestations.

Storage of consumer data is not permitted on individual user workstations. Only software and temporary or work files should be stored on workstation hard drives. All user files and data must be stored on secured servers located in the data center or on the mainframe. Access to secured servers will be provided via mapped network drives and through applications connecting to databases on secured servers. Access to the mainframe will be provided via 3270 applications or client applications connecting to databases and transaction servers on the mainframe.

IT will be responsible for computers located in the data centers and will ensure the availability and integrity of those computers. IT will perform timely backups of all computer storage to ensure the recoverability of those systems. Backup files will be taken to an offsite storage facility to provide for the availability in the event of disaster such as fire, flood, storm, etc. A minimum of one copy of consumer data resides offsite. Backup tapes will only be available to IT staff, authorized IT staff, and staff members of the offsite tape management facility. The tape management facility will execute an appropriate agreement preventing it from using or disclosing the data tapes. As an additional security measure, all backup tapes are encrypted.

On non-mainframe platforms, consumer data is encrypted at rest (on disk) for all primary storage—i.e. databases, disk backup spaces, and file shares using high-speed encryption appliances in the storage network.

Disaster recovery plans for the data centers have been developed. Recovery procedures for individual computer systems will be tested on a periodic basis. Recovery of the data centers will be tested on an annual basis.

Access to document storage facilities will be limited to employees when "necessary" to perform their duties and responsibilities. Storage facilities will remain locked to prevent unauthorized access and will be equipped with fire detection devices and sprinkler systems to guard against loss in the event of fire. Access to data centers will be limited to authorized employees, and entry will be controlled via a two-factor security badge (badge and PIN code). Vendor technicians (i.e. computer hardware technicians, telephone system engineers, etc.) are not permitted in the data center unaccompanied. An authorized employee will accompany and monitor vendor technicians at all times in the data centers. Vendors must adhere to security and confidentiality agreements safeguarding consumer data residing on vendor owned and managed systems. Further, vendors may not use or share consumer data, including vendors providing offsite storage services (such as backup tapes).

Genworth Mortgage Insurance undergoes periodic risk evaluations of vendors receiving consumer data and performs security assessment of vendor technical environments to ensure compliance with Genworth customer requirements.

Security procedures and practices are subject to audits by the Genworth Financial Audit Staff as well as internal review processes.

Genworth Mortgage Insurance has adopted the BITS/FISAP shared assessment program as a standard methodology and has completed the AUP with a third party audit firm. The AUP report and SIG is available to customers upon request.

Any change which may impact consumer data, including application changes, software installation on servers, server configuration changes, network device configuration changes, database changes, etc., must undergo review through the IT Change Control Procedure. This assures effective review by management prior to implementation of changes that could impact the security of consumer data. A breach of consumer data security may be considered a major incident requiring action via the Incident Response Process, subject to review by the Chief Security Officer. All such incidents are required to be identified and reported so that corrective action can be taken. Corrective action will address both immediate and follow up actions to minimize the impact, to facilitate investigation, to ensure proper collection of evidence, to inform management, and to restore services during and after a security incident. The Genworth data security policy begins with the employee. All employees, contractors, and temporary workers will be trained with respect to policies and procedures pertaining to data security and will be required to acknowledge these policies and procedures. All workers understand that violation of data security policy is grounds for disciplinary action, up to and including termination of employment. Genworth IT will monitor this Procedure for compliance and may make changes to this Procedure as needed to accommodate technological and other changes. Changes may be implemented without notice.

Revised: May 2011