A. Access. Enable ISMS includes policies, procedures and logical controls designed to restrict access to Enable networks, systems and all elements of the Subscription Service (including customer data) on a need-to-know basis and based on the principle of “least privilege.”
Enable (i) electronically monitors and manages active access privileges;
(ii) verifies business justification for access requests;
(iii) limits duration of access; and
(iv) promptly removes access in the event of a change in job responsibilities, job status or otherwise when access is no longer needed, working on the principle of least privilege and granting only essential access. Enable secures access points via the use of unique identifiers; password complexity in line with the United States National Institute of Standards and Technology (NIST) guidelines; regularly scheduled password updates; and, where deemed appropriate, multi-factor authentication (MFA).
B. Intrusion Detection and Prevention. Enable ISMS incorporates policies, procedures and logical controls designed to limit unauthorized access to and within the Enable internal network, including application layer firewalls and local network intrusion prevention. Enable maintains intrusion-detection or intrusion-prevention systems (IDS/IPS) to monitor network traffic and system operations, including:
• Enable environments that host systems processing, transmitting, or storing customer data;
• Internet-facing network segments; and
• Network entry and exit points for third party connections.
Enable configures and maintains all IDS/IPS devices in accordance with Enable ISMS standards consistent with industry best practices and security vendor recommendations.
C. Malware. Enable ISMS includes layered protection designed to prevent malware across Enable systems, including those supporting customer environments. Enable uses a combination of client-based threat prevention and trust enforcement (such as trusted change modelling and predictive threat prevention) and network-based threat identification and threat interruption (such as network-embedded anti-virus protection and dynamic threat detonation).
D. Monitoring. Enable ISMS includes a comprehensive program of network-wide monitoring, including the Subscription Service. Enable promptly investigates and responds to any reported anomalies. Network monitoring extends to performance monitoring and tuning, capacity planning and resource allocation designed to continuously adjust to meet changing legislative, regulatory, contractual, and business requirements.
E. Logging. Enable ISMS includes a logging platform designed to enable security review and analysis, under which all Enable systems (including firewalls, routers, network switches, operating systems, and applications) log information to a centralized log server. Enable configures monitoring of critical systems to alert system administrators to events that could indicate a Security Incident or a failure of security systems to operate as designed. Enable regularly reviews log files for trend analysis and pattern identification.
F. System Hardening. Enable ISMS incorporates a program for hardening operating systems designed to promptly disable unnecessary ports, protocols, and services and to apply security measures to meet baseline security configuration requirements for all infrastructure components, including network and server elements. Enable evaluates new Subscription Service implementations for compliance with Enable ISMS baseline security configuration requirements, documents any deviation(s) from such baseline security configuration requirements, and secures appropriate approval before the affected system is deployed into production.
G. Penetration Testing. Enable engages an independent third party to conduct penetration testing (“ethical hacking”) of Enable systems at least every 18 months. The process of penetration testing is, on its surface, almost identical to actual hacking. The tools and techniques typically employed by malicious hackers are used by testers in order to discover system vulnerabilities and highlight potential risks. In Enable’s case, the potential vulnerabilities of a web-based SaaS platform are the primary point of focus. Enable provides the applicable pen-testing Letter of Attestation to customers upon request.
H. Vulnerability Assessment & Remediation. Enable retains an independent third party to conduct both internal and external vulnerability scans on a periodic basis. Enable tracks all identified vulnerabilities, then prioritizes and addresses them using a risk-based model.