GTM Information and Security Compliance Standards
- josephtomayko
- Oct 23, 2015
- 5 min read
Overview
GTM Lender Advisors is committed to the security of your data. Our policies and Microsoft Office 365 infrastructure meet strict guidelines that are compliant with regulatory industry standards such as ISO 27001, FISMA, the Gramm-Leach-Bliley Act (GLBA), and SAS 70/SSAE16. Internal security policies utilizing hard drive and memory device encryption, email encryption, and physical protection keep information secure and confidential on all company hardware.
Service Provider Industry Certifications and Compliance
GTM Lender Advisors complies with industry standard regulations and holds a number of regulatory certifications utilizing Office 365. For more information, please visit the Office 365 Trust Center.
ISO 27001
The ISO 27000 family of standards helps organizations keep information assets secure.
Using this family of standards helps an organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
ISO 27018
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
FISMA
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
The Act consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
SOC2 Type II
The SOC 2 Type II certification, defined by the American Institute of Certified Public Accountants (AICPA), is recognized worldwide as one of the strictest audit standards for service providers.
This certification has been designed to meet the needs of the growing number of IT and cloud computing companies. It allows the audited organization to demonstrate that it meets and exceeds the industry's accepted standards governing controls and protection of all hosted and processed data, on behalf of clients.
Safe Harbor
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles and the 15 frequently asked questions and answers (FAQs) outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with the EU.
SAS 70
Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") represents that a service organization has been through an in-depth examination of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
SSAE16 SOC1 Type II
SSAE 16 is an auditing standard for service organizations, superseding SAS 70. The latter's "service auditor’s examination" is replaced by a "Service Organization Controls" report. SSAE 16 was issued in April 2010, and became effective in June 2011; many organizations which followed SAS 70 have now shifted to SSAE 16.
SSAE 16 is largely an American standard, but it mirrors ISAE 3402. Similarly, SSAE 16 has two different kinds of reports: a SOC 1 report is an independent snapshot of the organization's control landscape on a given day, whilst a SOC 2 report also adds a historical element, showing that controls were managed over time (typically 6 months).
SSAE 16 reporting can help service organizations comply with Sarbanes-Oxley's requirement to show effective internal controls covering financial reporting.[2] However, it is not limited to financial reporting; it can also be applied to other sectors, and is useful for data centers in particular.
SSAE 16 provides guidance on an auditing method, rather than mandating a specific control set; in this respect it is similar to ISO 27001:2013.
PCI DSS Level One
The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants and service providers) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
HIPAA
The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information") by organizations subject to the Privacy Rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used.
Internal Security Policies
A number of internal policies are in place to ensure the safety of data on company laptops and memory devices.
Email Encryption
Exchange Online through Office 365 meets strict security guidelines and standards of operation. The addition of encryption through Azure Rights Management ensures that outgoing emails are encrypted to protect sensitive information.
Hard Drive and Memory Device Policy and Encryption
Company hard drives and memory devices are encrypted using BitLocker. Portable memory devices are routinely scanned and are not permitted for personal use. Online storage through Microsoft SharePoint meets all data transfer regulatory requirements and Office 365 encryption.
Account Level Security
Strong password requirements and a 30-day expiration period are enforced. Azure AD multi-factor authentication is used for additional security.
Antivirus
McAfee Antivirus, in conjunction with the McAfee Internet Security product, protects laptops from viruses and malware with active protection against harm.
Email Legal Hold and eDiscovery Retention Policies
Legal hold and eDiscovery built into Office 365 allow us to find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation. Emails are subject to retention policies for archiving and deletion to ensure that content is available in the case of legal inquiry.