Information Security Policy

Executive Summary

It is the policy of Vertex Software to establish an Information Security Management System (ISMS) that protects the confidentiality and integrity of information while providing high reliability and appropriate access to information and information systems. An ISMS is a systematic approach to managing sensitive Vertex information so that it remains secure. It includes people, processes, and IT systems and is exercised by applying a risk management process. This Information Security Policy provides the high-level direction of the ISMS and sets the expectations for information security across the organization.

1.0 Scope

1.1 Persons

All Vertex Software employees and contractors/consultants are responsible for complying with this Information Security Policy, supporting policies, and other associated information security documents as applicable. Also, employees are responsible for complying with regulatory and compliance requirements as applicable to the organization. If in doubt about the intent or content of this policy or any supporting documentation, an employee should seek clarification from appropriate information security or technology personnel. In no case shall an employee disclose to unauthorized persons details of the controls used by Vertex Software.

1.2 Systems

All computers, operating systems, network systems, and application systems owned or administered by Vertex Software whether on-premise or cloud based are covered under this policy. This policy also covers information processed, handled, and stored on Vertex Software computers and networks. Systems governed under contract may have requirements that supersede this policy. Information in hard-copy (printed documents, written notes, etc.) or verbal form shall also be protected with due care and appropriate controls.

2.0 Information Security Responsibilities

2.1 Information Security Authority

The Information Security Team is responsible for establishing and maintaining, in coordination with affected stakeholders, the organization’s ISMS, including applicable plans, policies, standards, guidelines, and procedures.

2.2 Information Security Responsibilities - All Personnel

All Vertex Software employees and contractors/consultants are responsible for:

  1. Understanding and complying with Vertex Software information security policies, standards, and procedures as applicable to his or her role(s)
  2. Understanding the security goals and objectives associated with their position and performing their duties accordingly

2.3 Safety

Situations may arise at our facility that present risk to the safety of employees and visitors. Safety is always a primary concern and decisions which ensure the safety of individuals, even if in opposition to policies (such as a physical security policy), should be taken if the situation demands.

3.0 Risk Management

The core component of the ISMS is identifying, prioritizing, and managing security risks to the organization and its business functions. Identified risks shall be articulated and prioritized based upon business impact and be avoided, controlled/mitigated, transferred, or accepted. Risk management decisions will follow an approved risk management process, to include documenting the business risk, the risk treatment options, and management's ultimate decision on risk treatment.

4.0 Acceptable Use

An Acceptable Use Policy shall be developed and maintained to convey to all technology users the acceptable (and unacceptable) uses of information technologies used by the organization. All technology users shall be required to acknowledge their understanding of these rules upon on-boarding into the organization and regularly thereafter.

5.0 Third-Party Service Delivery and Management

Except for emergency support services, before any third party is given access to Vertex systems, a contract defining the terms and conditions of such access must have been signed by appropriate parties at both organizations. Service delivery oversight and management roles and responsibilities shall be clearly defined and documented. Third-party service delivery shall be periodically audited and reviewed to monitor performance and compliance.

6.0 Security Assessment and Authorization

The Vertex Software ISMS shall include activities that are used to assess security starting early in and continuing through the information system life-cycle. Periodic security assessments shall be used to ensure that information security is effectively integrated into information systems and to identify and resolve weaknesses as appropriate. These assessments may take many forms, including internal and external risk assessments, vulnerability scanning, penetration testing, and external audits.

7.0 Personnel Security

Personnel security measures are used to screen candidates for employment, manage security for third-party resources, and support various aspects of security during employment or contractual engagements.

7.1 Screening

Prior to start date and authorizing access to Vertex Software information systems, all on-boarding personnel shall be screened using the appropriate checks commensurate with the person's expected role(s) and position risk designations. Additional screening may be conducted as necessary to fulfill any statutory and compliance requirements where continued access to sensitive or classified information is required.

7.2 Access Requirements

All employees requiring access to Vertex Software information systems shall acknowledge the Vertex Software Employee Handbook and other policies as implemented and appropriate at the time. In addition, Vertex Software employees shall agree and abide by the confidentiality obligations set forth in the Non-Competition, Non-Solicitation, Non-Disclosure, and Invention Assignment Agreement.

7.3 Transfers

When an employee transfers, affected teams shall be notified so that required access may be re-evaluated by appropriate parties, any access change procedures may be initiated, and all designated persons are notified about the transfer. This notification shall also contain any continued or modified accesses required to perform in the new role(s).

7.4 Sanctions

Vertex Software shall maintain a formal disciplinary process for individuals failing to comply with established information security policies and procedures. This places the responsibility on leadership to ensure all employees have been properly trained and, where appropriate, have acknowledged the policies and procedures. Appropriate parties will be notified and included when formal sanctions are considered and/or initiated. Information system and physical accesses shall be reviewed for any required modifications during the sanction period.

7.5 Terminations

When an employee terminates employment, that person's information system access shall be disabled as appropriate upon departure. When an employee is involuntarily terminated from employment, that person’s information system access shall be disabled as quickly as possible. In all instances, individual credentials associated with the individual should be revoked as quickly as appropriate after retaining the information formerly controlled by the individual, which shall be retained pending authorization to dispose of the information. All security-related information system property, such as keys, badges, physical tokens, etc., shall be recovered.

8.0 Physical and Environmental Protection

Physical and environmental security is important to the overall ISMS. It includes physically controlling access to facilities, sensitive areas, and other designated locations that support business operations, as well as controlling access to information, information technology assets, and other business assets. It also supports the organization's ability to monitor the condition of critical business assets and their surrounding environments. Finally, it provides for the safety of employees, contractors, vendors, and visitors at Vertex Software facilities.

8.1 Physical and Environmental Security

Vertex Software will implement controls to ensure only authorized persons can physically access its facility, information system components, business equipment, and information in various forms. Appropriate controls shall be established to track the disposition of physical access mechanisms, such as keys and badges. Environmental security and facility protections shall be used to ensure the availability of information system components and the safety of persons at Vertex Software's facilities.

8.2 Visitor Control

A log shall be maintained to track visitor access, including date, time, the purpose of the visit and person(s) visited. Unless visiting spaces designated as public access, all visitors shall be escorted as appropriate. Visitors entering non-public spaces shall be identified through a visual means (e.g., visitor badge, name tag) to distinguish them from employees. Contractors and consultants with longer term access are not required to be escorted.

8.3 Monitoring

Physical accesses to the facility or spaces where the information system and critical information resides shall also be monitored to detect and respond to physical security incidents. Monitoring may be conducted through various means, such as video surveillance, random security walkthroughs, and auditing of electronic door access mechanisms and physical access logs.

9.0 Media Protection

Media in both digital and non-digital forms enables storage and transportation of information outside the normal confines of the information system or a system component. Though media may be used for authorized purposes, it can potentially be used for unauthorized purposes. Therefore, controls regarding media are implemented to mitigate associated risks and ensure the proper handling of information on media.

9.1 Media Access and Use

User access to and use of media in both digital and non-digital forms shall be restricted/prohibited based on its intended purpose and potential for misuse once information is written to or printed on the media. Security measures must be employed regardless of the media on which information is stored, the systems that process it, or the methods by which it is moved during the life-cycle of the information. In addition, both technical and non-technical measures will be used to restrict or prohibit the unauthorized insertion of media into information system components. Authorization is required before use of a removable device is permitted.

9.2 Information Classification and Marking

Information on media shall be categorized based on the information classification standard, and, depending on the classification, the appropriate level of security controls shall be used and enforced to safeguard the information.

9.3 Media Storage and Transport

Designated media shall be physically controlled and securely stored within designated areas and approved containers. This requirement extends until the media is no longer needed, and that media is either destroyed or sanitized. When media is transported outside controlled areas, protections, such as encryption of said media, shall be used to ensure the media remains with persons authorized to use it and the risk of theft or loss is mitigated. If media is to be transferred to a third-party or other external party, appropriate records, such as a service desk ticket, showing the transfer shall be documented.

9.4 Sanitization

When the information on media is no longer required, or if the media itself is no longer needed, the media shall be sanitized prior to disposal, reuse, or release from organizational control. This applies to all media whether considered removable or not. Only approved sanitization and destruction mechanisms (shredders, etc.) shall be used.

10.0 Contingency Planning

The organization must plan for contingencies that could disrupt business operations. Planning must consider continuing to work through various disruption scenarios (business continuity) and proactively preparing to recover and restore operations in case of a disaster.

10.1 Contingency Plan

A contingency plan shall be developed and maintained as a proactive measure to ensure business continuity in the event of an unplanned disruption of business operations. This plan will define the organization’s business continuity tasks which allow the organization to maintain essential business functions during system disruptions, compromise, or failure. This plan shall be coordinated with other plans and actions to ensure consistency across the spectrum of plans.

10.2 Backups, Recovery and Reconstitution

All critical business information, software, and security documentation must be routinely backed up or otherwise provided appropriate levels of resiliency, and tested per an established schedule. Recovery point/recovery time objectives for critical business information and systems will be assessed and defined as part of this process.

11.0 Incident Response

As part of Vertex Software’s commitment to security, an information security incident response plan shall be implemented and maintained. Please see the Incident Response Plan for further details.

12.0 Configuration and Change Management

Controlling changes to information and information system component configurations through a change management process is vital in ensuring the organization can effectively conduct business. System components must be properly configured, allowing only the functionality necessary to support business needs, and only appropriate and approved software shall be installed and used. With the exception of emergency situations, critical changes to critical Vertex information systems must be controlled, changes documented in a ticket, and approved in advance.

12.1 Information System Component Inventory

An asset inventory shall be developed and documented to reflect current information system components within the authorization boundary of the information system. This inventory shall be reviewed regularly, and at least annually, to ensure accuracy and granularity required for tracking and reporting purposes. Components added, removed, or significantly modified shall be included within the inventory, along with responsible asset owners.

12.2 Configuration Baselines, Settings, and Least Functionality

To ensure information system components are properly configured for use, configuration baselines shall be developed, documented, and maintained to reflect the current baseline configuration. Baselines must be reviewed and, if necessary, updated at least annually. Settings will be adjusted to reflect the most restrictive mode consistent with operational requirements and provide only essential capabilities. In accordance with configuration baselines, unnecessary or non-secure functions, ports, protocols, and services shall be restricted or disabled, and reviews shall be conducted periodically to ensure they are still restricted or disabled. Any deviations from traditional configuration settings must be identified, documented, and approved.

12.3 Changes to Information System Configuration

Change proposals will also be reviewed, approved, and documented prior to implementation. If approved, these changes will be implemented only by individuals qualified to do so, and who have the authorized accesses to make the change.

12.4 Software Installation and Usage

Software and associated documentation must be used in accordance with contract agreements, licenses and copyright laws. All software using quantity licenses shall be tracked to control copying and distribution against licensing terms. Normal system patches and device updates provided to employees will be installed via a centralized management system. If in doubt about installing software on any device, users must seek guidance as stipulated in appropriate procedures.

13.0 Maintenance

Equipment and applications are subject to repair or routine updates and it is expected maintenance actions will need to be performed. Both proactive (scheduled) and reactive (ad hoc; emergency) actions will be performed on equipment during the life of an asset. Maintenance activities shall be coordinated with configuration/change management activities when items placed into configuration control are to be repaired and updated.

13.1 Controlled and Timely Maintenance

Controlled and timely maintenance practices and procedures shall be implemented to ensure business systems are repaired in accordance with manufacturer or vendor specifications and organizational requirements. Maintenance activities will be performed either on-site, off-site, or remotely, and these activities must be approved and monitored.

13.2 Maintenance Activities

When equipment is to be repaired on-site by a vendor, appropriate visitor/physical security controls shall be followed. Removing equipment for off-site repairs requires prior approval, and equipment shall be sanitized prior to removal outside organizational facilities. After repair, equipment shall be checked to ensure all potentially impacted security controls are still functioning properly.

At times, non-local maintenance and diagnostic activities may need to be performed. In these cases, strong authentication mechanisms must be used to establish sessions, and sessions and network connections will be terminated when the non-local maintenance is complete.

13.3 Maintenance Records

When appropriate, system component inventories will be updated to ensure accurate accounting for equipment that may be taken out of service completely.

14.0 Access, Identification, and Authentication Management

14.1 Account Management

All information system accounts (individual, group, guest, system, service, temporary, etc.) shall be managed through a variety of processes and controls to ensure only authorized access to information systems, information repositories, etc. Processes shall be implemented and maintained to create, enable, modify, disable, and remove accounts when personnel begin employment, transfer positions, resign or are terminated. Accounts shall be monitored for unauthorized and inappropriate use. All accounts shall be reviewed and compared with personnel records to reduce the risk of unauthorized access. Account review shall be completed on at least a semi-annual basis.

14.2 Information Flow Enforcement

Information flow control policies and mechanisms shall be used to enforce the flow of information on boundary protection devices and at designated points in the information system.

14.3 Separation of Duties

Certain business functions and information system support functions shall be separated. This shall include separation of duties for those personnel administering access control functions and those performing audit functions.

14.4 Least Privilege

Accesses for employees shall be authorized only to the level necessary to accomplish assigned tasks. Privileged users shall only be authorized to access those security functions (e.g., establishing system accounts, configuring access authorizations, setting firewall configurations) necessary to perform their roles and as commensurate with their role-based training.

14.5 Identifier Management

Information systems and applications shall be configured to uniquely identify and authenticate both organizational and non-organizational users, groups, roles, and devices prior to establishing a connection and allowing access.

14.6 Authenticator Management

Processes for establishing, implementing, and distributing initial authenticators (e.g., passwords, tokens, key cards) shall be established and documented. In addition, processes to handle lost/compromised authenticators and revoking authenticators shall be established. All default authenticators must be reviewed/changed upon information system installation. All passwords shall be protected from unauthorized disclosure and modification. If membership for group and role accounts change, authenticators must also be changed. System users shall be provided training on authenticator controls as part of initial and recurring training.

14.7 Remote Access

An appropriate encrypted point-to-point connection must be used that utilizes multiple factors of authentication to gain administrative access to the underlying system. Upon session completion or after a period of inactivity, the underlying connection must be terminated. Remote access usage restrictions, configuration/ connection requirements, and implementation guidance shall be documented and enforced.

14.8 Wireless Access

Wireless access usage restrictions, configuration/connection requirements, and implementation guidance shall be documented and enforced. Wireless access to Vertex Software information systems shall be controlled through appropriate identification and authentication controls. Wireless networks used by guests shall be segmented from wireless networks used for business functions.

15.0 System and Information Integrity

Multiple layers of controls, processes, and procedures are used to ensure the integrity of both the information system and information. These controls are coordinated with other families of controls as part of Vertex Software’s overall defense-in-depth strategy.

15.1 Anti-Malware and Endpoint Security

Approved anti-malware and endpoint security solutions shall be used across the organization’s infrastructure. Access to manipulate the security settings on these solutions shall be limited to designated personnel. Updates to anti-malware and endpoint security programs will be applied whenever new releases are available and applied in accordance with configuration and change management policy and procedures.

15.2 Patching

Patches shall be prioritized based upon business risk and tested and applied as soon as appropriate following release. A structured process shall be set up for regular patching cycles, that also allows for emergency or off-cycle patching as required. When a system or application is not patchable, a formal risk acceptance must be obtained to document the reason for continuing to operate the system or application. In addition, approval by a designated senior leader must be obtained as part of the risk acceptance. Patches, as well as other updates associated with systems and applications, shall be installed only by persons trained and familiar with the system or application being patched.

15.3 Monitoring

Approved monitoring mechanisms and programs will be used to monitor the information system to detect attacks, indicators of a potential attack, and unauthorized local, network and remote connections. Directory services and servers handling sensitive, valuable, or critical information must securely log (commensurate with the information classification of the connected system) all significant security events and system problems, including but not limited to, Audit Logs, Administrator and Operator Logs, and System Fault Logs. Monitoring information shall itself be protected from unauthorized access, modification, and deletion. Alerts from information monitoring mechanisms and programs will be expeditiously acted upon to determine their nature and validity, and, if applicable, incident handling/response measures will be initiated.

16.0 Systems and Communications Protection

Detective and protective measures shall be implemented, maintained, and monitored to ensure the confidentiality, integrity, and availability of systems and communications. Information, whether at rest or being transmitted, shall be protected at a level commensurate with its information classification.

16.1 Security Zones and Boundary Protection

To the extent practicable, Vertex Software's network infrastructure shall be segmented into subnetworks to provide additional protection in case of system intrusion. The boundary between the internal network and external networks, such as the Internet, shall be protected with a firewall configured in accordance with firewall configuration standards. A firewall policy, defining which services and connections will be permitted and denied, must be documented, reviewed, and approved. An immediate review of the firewall policy must also be performed whenever a major security incident takes place, when major changes have been made to the production applications supported, or when major changes to the Vertex Software internal network have been implemented. All end-user computers and workstations that connect to the Internet directly must have their own approved firewalls installed and continuously enabled. In addition, the external boundary and key internal boundaries shall be monitored to detect suspicious network traffic and activities.

16.2 Cryptographic Management and Controls

Cryptographic keys and devices used for encrypting and decrypting information shall be managed by appropriate parties. When not in use, cryptographic keys must be placed into secure storage, and access must be limited to only authorized and trained individuals. Keys shall only be used if they meet strength requirements for the purpose for which they are to be used.

The information system shall use cryptographic protections for designated communications/ transmissions and information at rest, depending on the sensitivity and classification levels of the systems and information to be protected. In addition, cryptographic protections must be placed on mobile devices, such as laptops and removable portable storage devices, when information is to be transported outside the security protections of the organization, or when devices are to be used for remote access to business information.

16.3 Transmission Security

Both physical and logical controls shall be implemented to secure transmission devices (e.g., servers, mobile devices, scanners, facsimile machines) to reduce the possibility of transmission interception and modification and to enhance information confidentiality and integrity. If the security of transmission services through an external provider cannot reasonably be assured, appropriate compensating controls must be used, or the additional risk must be explicitly documented and accepted.

16.4 Protection of Data at Rest

Employee information and system information shall be protected when it is on storage devices to ensure its confidentiality and integrity. System information to be protected includes configurations, rule sets, filters, and authenticator content. Backup and/or replicated information stored at off-site facilities or in the cloud shall also be protected in accordance with this policy and supporting policies and standards.

17.0 Awareness and Training

A plan will be established to provide awareness and training activities using topics that support both the business’ security goals and general information security best practices. All information security-related training activities shall be documented for all individuals. Initial, annual, role-based, and other designated awareness and training activities shall be documented, and individuals shall acknowledge their attendance/participation by signing training records or recording attendance through a software program.

17.1 Employee Training

All employees, upon hire, shall receive initial basic information security training as part of the on-boarding process. All employees shall also receive training at least annually thereafter. Awareness activities and methods will be established using best practices that support learning and a security-aware culture. Training activities may include testing activities to help build knowledge and skills. Awareness and training activities could include support from outside organizations, such as third-party security vendors and law enforcement.

17.2 Role-Based Training

Personnel with assigned security roles and responsibilities shall receive role-based training as appropriate. Training shall also be provided when required by changes to the information system, or when a certain skill-set is required.

18.0 Audit and Accountability

Audits are necessary within the overall monitoring strategy to help detect potential issues with the information system, including misuse and unauthorized access. Vertex Software shall maintain a capability to review, analyze and report on auditable events and integrate this capability with other aspects of the information security program.

18.1 Audit Capability

The information system shall be configured to provide the capability to audit designated events and transactions, such as failed logins, failed access related to administrative privilege use and third-party credentials, and remote access. Audit logs shall be maintained off the system component being audited, or outside the environment where other auditable events are being monitored. Audit records shall be protected from access by unauthorized individuals.

18.2 Audit Review, Analysis, and Reporting

Audit information shall be centrally reviewed and analyzed to detect inappropriate or unusual activity. Where able, audit information shall be correlated with physical monitoring information. Individually, uncorrelated activities may not indicate inappropriate or unusual activity but do so when correlated. Indications of inappropriate or unusual activity shall be reported as established via appropriate processes and procedures.

18.3 Information Systems Auditing

An independent internal resource or third party must periodically perform audits of the information system and compliance with policies, standards, procedures and applicable laws, regulations, and technical measures. System vulnerability scan/penetration testing reports and other reports detailing exposures and/or technical analysis of Vertex Software’s information systems and information security program must be protected and disclosed only to those persons with a demonstrable and verified need to know.

18.4 Confidentiality and Availability

Customer data shall be classified as confidential as stated in the Data Classification Standard. Vertex Software is committed to having an uptime of 99.5% or greater.

19.0 Compliance With Legal Requirements

Vertex Software shall manage and monitor compliance with all applicable policies, standards, procedures, laws, regulations, license agreements, and technical specifications. All employees are required to comply with this Information Security Policy and associated/supporting policies and standards. When in doubt about the content of any policy, standard, procedure, etc., employees shall seek clarification from management.

20.0 Third-Party Security

As part of the organization's relationships with third-party vendors, security requirements and expectations shall be reviewed and negotiated, including responsibilities, to determine the security requirements that are necessary and, if required, provide security requirements in appropriate documents, such as contracts. Third-party compliance with security requirements shall be monitored and coordinated with other risk and vendor management activities. Failure to comply with contractual requirements may result in a breach of contract, leading to suspension or termination of the contract.