UPDATED JANUARY 2017
The purpose of this Information Security Process and Procedures document is to provide insight to our customers on the safeguards we utilize to provide appropriate levels of confidentiality with sensitive consumer data. Our procedures provide for the proper care of such data from all sources, and include procedures for the preservation and restoration of data in the event of a disaster. These procedures apply to all Genworth Mortgage Insurance business locations.
Unless otherwise specified, this brief will apply to Genworth Mortgage Insurance Corporation (Genworth), its subsidiaries and their employees (including users, associates, contractors, and temporary workers) and contractors, datacenters, and all business premises. The term "IT" will refer to Genworth Mortgage Insurance Information Technology and may be used interchangeably with Genworth Mortgage Insurance Information Systems.
Physical and Electronic Files
Genworth is highly digitized; however, in some situations we handle physical files. Associates who work with physical files containing sensitive consumer data, including paper documents, computer diskettes, CDs, DVDs, and USB storage devices, should remove any such materials from plain view at the end of the workday. When such files are no longer needed based on our document retention schedule, the files are destroyed. We utilize locked storage bins and a commercial shredding service to shred physical media on our premises. Additionally, our “plain view” rule applies to sensitive consumer data appearing on computer screens. Employees are trained to lock their workstation prior to stepping away. An automatic screen saver engages within minutes if the employee leaves the workstation without locking the screen.
A unique log-on ID and password are required for access to all of Genworth's network and information systems. Passwords are required to be changed on a regular basis. Genworth imposes complexity and length requirements for passwords. Employees are responsible for, and will be held accountable for, the use of their assigned log-on ID and password. Employee IDs and passwords are not to be shared or divulged to other employees.
Employee accounts are disabled at termination of employment or assignment. This action is automated based on the status of the employee (full-time or contract) in the HR/Contractor management system. Employee accounts that are inactive for an extended period of time are disabled or deleted.
Remote Access Authentication
Remote access to Genworth's network requires two-factor authentication. A log-on ID and password will not be sufficient. To gain access, the employee must provide the log-on ID, a unique PIN, and a one-time passcode generated via a key fob (a device that generates a one-time password) or smartphone app. Genworth utilizes an industry-leading two-factor authentication technology. Any employee requiring remote access to the network will be assigned a token that will be associated with his or her employee account. Upon remote access to the network, employees will then have to authenticate to network resources and information systems with their normal log-on ID and password.
Genworth utilizes Network Admission Control (NAC) technology for remote access. Only Genworth-owned and -managed machines are permitted to establish VPN access to the network. Remote access by non-Genworth devices is limited to our Virtual Desktop Infrastructure (VDI) environment. This technology provides the employee with the appearance of an on-premises workstation environment; however, it is isolated from the physical connecting device so that no data can be transferred to the physical device.
Remote access accounts are disabled at termination of employment or assignment.
Access to data and systems
Access to sensitive consumer data is granted to employees whose duties and responsibilities require such access. Sensitive consumer data will reside on a secured server or database. For further control, departmental business owners must authorize each employee’s access to the specified data.
When an employee has a significant change in duties, such as a transfer to another department, the employee's access permissions will be reviewed and modified as necessary. If the employee's new department and responsibilities no longer require access to sensitive consumer data, this access will be revoked.
In general, employees will not have direct access to data files and databases containing sensitive consumer data. Access to the sensitive consumer data will be delivered by way of an application—meaning presentation software and business logic that will determine what the employee may see and do. Applications containing sensitive consumer data will be explicitly secured. These applications will provide a level of security limiting access to sensitive consumer data to those who have access to the application and specific roles. Sensitive data elements will be masked on screens for employees without specific “need to know” roles. Applications will be responsible for the updates to sensitive consumer data and perform appropriate edit procedures to ensure the integrity of the data.
Authorized employees may be permitted to have direct access to data sources such as files and databases. System software logging and audits will be enabled where applicable to explicitly monitor direct access to data files and databases containing sensitive consumer data. Where applicable, systematic “redaction” will be applied to limit the visibility of sensitive data even when direct access to databases is provided.
Portable Devices, Media, and Hard Drive Encryption
Genworth has implemented hard drive encryption on all computers, both laptops and workstations, on premises or in home offices. Use of removable media such as USB “thumb” drives and CD/DVD disks is restricted to read-only access unless explicitly approved. Data Loss Prevention (DLP) software monitors transmission of sensitive information when USB or CD/DVD write access is permitted. In addition, Genworth instructs employees on the proper use of portable/removable storage devices and media.
Sensitive Consumer Data Transmitted to Third Parties
Sensitive consumer data transmitted by Genworth on its private network (intranet) will be encrypted where technically feasible. Internal applications utilize TLS encryption to desktops.
Excluding email, as explained in the next section, sensitive consumer data transmitted by Genworth on public networks, such as the Internet, will be encrypted by IT systems. Thus, sensitive consumer data transmitted by Genworth on the Internet to and from its websites will be encrypted automatically. The following are examples of our encryption methods.
Internet browser-based applications - Web developers will incorporate TLS encryption to ensure that:
- Transactions containing sensitive consumer data will be conducted with a minimum of 128-bit encryption
- Internet SFTP/SSH transmissions involve 128-bit or stronger encryption
- Internet FTP transmissions require file-level encryption with 2048-bit or stronger keys, using the public key provided by the recipient
Additional methods may be used with the approval of the Genworth Mortgage Chief Information Security Officer.
Sensitive Consumer Data Transmitted to Third Parties via Internet Mail
Genworth strongly encourages the use of encryption of sensitive consumer data for email transmitted over the Internet. Genworth leverages a TLS capable gateway configured in “Opportunistic Mode” to encrypt by default with any mail domain that is TLS capable. This means that customers that have TLS capability can be assured that mail transmissions are secured by encryption over the Internet. If desired, customers can request their domain be enabled in “Enforcement Mode” to guarantee TLS encryption is always utilized.
When a third party recipient does not have TLS capability, but does have the technology available, an acceptable and recommended method of encrypting sensitive consumer data is to utilize applications with a "password protection" and associated file encryption option. The encrypted data can be sent as an email attachment. The password should not be included in the email with the attachment and must be exchanged using an alternate communication channel (e.g., telephone). Applications and data protection methods will be approved by the Genworth Mortgage Chief Information Security Officer.
Genworth utilizes its Data Loss Prevention (DLP) capabilities to prevent sending emails with unprotected sensitive consumer data. Any email sent to an unprotected domain (non-TLS) with unencrypted sensitive consumer data is blocked and returned to the sender for correction.
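As an added example (not Genworth's gateway code), the following Python models the decision described in the three preceding paragraphs: a per-domain table selects Opportunistic or Enforcement Mode, the transport counts as protected when TLS is guaranteed by policy or the peer advertises STARTTLS, and otherwise a simple DLP check blocks a message that carries an SSN-like pattern in the body or in an unencrypted attachment. The domain names, the sample messages, the single SSN pattern and the function names are constructed assumptions; a production DLP engine uses many more identifiers and context rules.

```python
import re
from dataclasses import dataclass

# Constructed per-domain TLS policy. "opportunistic" is the default the text describes;
# "enforce" is set when a customer asks for Enforcement Mode.
TLS_POLICY = {
    "bank.example": "enforce",
    "partner.example": "opportunistic",
    "legacy.example": "opportunistic",
}

# Constructed record of what each peer advertised at the last STARTTLS negotiation.
PEER_ADVERTISES_TLS = {
    "bank.example": True,
    "partner.example": True,
    "legacy.example": False,
}

# Minimal sensitive-data detector: a US SSN shape with the never-issued ranges excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class OutboundMail:
    recipient: str
    body: str
    attachment_text: str = ""          # plaintext view of any attachment the gateway can read
    attachment_encrypted: bool = False  # True when the attachment is in an approved encrypted container


def contains_sensitive_data(text: str) -> bool:
    return SSN_PATTERN.search(text) is not None


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def transport_protected(domain: str) -> bool:
    """True when the message will only ever travel over TLS.

    Enforcement Mode: the gateway refuses to deliver without TLS (it queues or bounces
    instead), so the transport is protected by policy regardless of the peer.
    Opportunistic Mode: protected only if the peer actually advertises STARTTLS.
    Unknown domains default to unprotected.
    """
    if TLS_POLICY.get(domain) == "enforce":
        return True
    return PEER_ADVERTISES_TLS.get(domain, False)


def gate(mail: OutboundMail):
    """Return ("ALLOW" | "BLOCK", reason) for an outbound message.

    Rule from the document: unencrypted sensitive consumer data to a non-TLS domain
    is blocked and returned to the sender; a password-protected encrypted attachment
    is an acceptable alternative when the peer lacks TLS.
    """
    domain = recipient_domain(mail.recipient)
    if transport_protected(domain):
        return "ALLOW", f"TLS in transit to {domain}"
    if contains_sensitive_data(mail.body):
        return "BLOCK", "sensitive data in message body to non-TLS domain"
    if not mail.attachment_encrypted and contains_sensitive_data(mail.attachment_text):
        return "BLOCK", "sensitive data in unencrypted attachment to non-TLS domain"
    return "ALLOW", "no unprotected sensitive data"


if __name__ == "__main__":
    # Constructed messages: one each for TLS peer, non-TLS peer with plaintext SSN,
    # and non-TLS peer with the SSN inside an encrypted attachment.
    samples = [
        OutboundMail("ops@partner.example", "Borrower SSN 123-45-6789"),
        OutboundMail("ops@legacy.example", "Borrower SSN 123-45-6789"),
        OutboundMail("ops@legacy.example", "See attached", "SSN 123-45-6789", attachment_encrypted=True),
    ]
    for m in samples:
        print(m.recipient, "->", gate(m))
```

Note that the decision for an Enforcement Mode domain is made by the transport layer, not by content inspection: the gateway will not fall back to cleartext, so the DLP rule never needs to examine those messages.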
Network and Server Security
The Internet connection will be secured with multiple firewalls and proxy servers. Only required services will be open and available on this connection. Outbound Internet traffic will pass through a proxy server to log and monitor activity. FTP and SFTP traffic is limited to specific known business partner addresses. HTTP and HTTPS traffic is filtered to restrict access to approved categories of Internet sites. Internet storage and email sites are blocked by default to reduce data loss risk. Employees are warned if they attempt to access uncategorized sites. DLP technology is in place to examine traffic to prevent potential data loss. Laptop computers are equipped with a “cloud-based” proxy to enforce the same controls off network as on network.
Private network connections between Genworth and "trusted" partners will be isolated and firewalled such that only required services are open and available on these connections. Genworth will manage the firewalls on its end of the connections to ensure integrity.
Access to servers and network devices (switches, routers, firewalls) will be limited to authorized employees. Configuration changes to servers and network devices will be made by authorized employees only after approval pursuant to the IT Change Control Procedure.
Genworth will run network intrusion prevention devices to identify and automatically block unauthorized or unwanted traffic on its internal network to ensure the integrity of controls (firewalls). All servers will be monitored by host intrusion detection software to detect unauthorized access or unauthorized changes to the system. Network and server events are sent to a SIEM monitored 24/7 by the incident response team.
Genworth will have third party vulnerability tests of the network perimeter performed on at least a quarterly basis.
Genworth will perform application security assessments as part of the application software development life cycle. This will include vulnerability scanning of applications and servers for applications, internal and external. External facing customer applications will be vulnerability scanned and penetration tested by a third party on a regularly scheduled basis as an additional measure of assurance.
Genworth applications undergo an annual attestation process requiring business application owners to sign off on the security of their applications. Genworth internal audit staff regularly audits applications and databases to ensure validity of attestations.
Storage of Sensitive Consumer Data
Storage of sensitive consumer data is not permitted on individual employee workstations. Only software and temporary work files are permitted to be stored on workstation hard drives. Nonetheless, all workstation hard drives are encrypted as a precaution. All employee files and data must be stored on secured servers located in the datacenter or on the mainframe. IT will be responsible for computers located in the datacenters and will ensure the availability and integrity of those computers. Sensitive consumer data is encrypted at rest (on disk) for all primary storage—i.e. databases, disk backup spaces, and file shares using specialized software to protect the data.
Use of production sensitive consumer data is not permitted in non-production systems and databases. Regularly scheduled routines are run against non-production environments to obfuscate any data placed there unintentionally.
Data is replicated to a backup datacenter for disaster recovery purposes on a near real-time basis to ensure minimal data loss in the event of a disaster. The data replication is encrypted on the network, and the data is encrypted in storage at the backup datacenter. Disaster recovery plans for the datacenters have been developed to ensure a timely recovery in event of disaster. Recovery procedures for individual computer systems will be tested on a periodic basis. Recovery of the datacenters will be tested on an annual basis.
Access to Storage Facilities
Access to document storage facilities will be limited to employees when "necessary" to perform their duties and responsibilities. Storage facilities will remain locked to prevent unauthorized access and will be equipped with smoke and fire detection devices and sprinkler systems to guard against loss in the event of fire.
Access to the Datacenter
Access to datacenters will be limited to authorized employees, and entry will be controlled via a two-factor security badge (badge and PIN code). Vendor technicians (e.g., computer hardware technicians, telephone system engineers, etc.) are not permitted in the datacenter unaccompanied. An authorized employee will accompany and monitor vendor technicians at all times in the datacenters.
Vendors must adhere to written security and confidentiality commitments safeguarding sensitive consumer data residing on vendor-owned and -managed systems. Further, vendors may not use or share sensitive consumer data; this includes vendors providing offsite storage services (such as backup tapes).
Genworth undergoes periodic risk evaluations of vendors receiving sensitive consumer data and performs security assessment of vendor technical environments to ensure compliance with Genworth customer requirements.
Auditing, Testing and Governance
Security procedures and practices are subject to audits by the Genworth Financial Audit Staff as well as internal review processes. Genworth contracts with third parties to conduct penetration testing multiple times per year. Penetration test results are reported to the Board of Directors.
Genworth has a Governance, Risk, and Compliance (GRC) council that meets monthly to monitor changing risks within the business. The Chief Information Security Officer is a member of this council with the responsibility of raising IT security issues to the council for review.
Genworth has completed the FFIEC Cybersecurity Assessment Tool (CAT) to better understand its IT security risk relative to the financial services industry, industry peers and customers.
Genworth has adopted the SSAE 16 SOC 2 framework as a standard methodology for attesting to our security controls. An annual SOC 2 report is available to customers upon request.
IT Change Control Procedure
Any change to IT systems including application changes, software installation on servers, server configuration changes, network device configuration changes, database changes, etc., must undergo review through the IT Change Control Procedure. This assures effective review by management prior to implementation of changes that could impact the security of sensitive consumer data.
Incident Response Handling
Incidents are tracked and reported. Incident response is performed by appropriately trained personnel. A breach of sensitive consumer data security is considered a significant incident requiring action via the Incident Response Process, subject to review by the Chief Information Security Officer. All such incidents are required to be identified and reported so that corrective action can be taken. Corrective action will address both immediate and follow-up actions to minimize the impact, to facilitate investigation, to ensure proper collection of evidence, to inform management, and to restore services during and after a security incident.
Employee Training and Awareness
The Genworth data security program begins with our employees. All employees are trained with respect to policies and procedures pertaining to data security and such training is tracked and documented. All employees understand that violation of data security policy is grounds for disciplinary action, up to and including termination of employment and assignment.
Modifications to the Security Process and Procedure Document
Genworth IT will monitor this document for conformity to our security practices, and may make changes as needed to accommodate technological and other developments. Changes to this document will be posted to our website, and may be implemented without prior notice.