UPDATED MARCH 2020
The purpose of this Information Security Process and Procedures document is to provide insight to our customers on the safeguards we utilize to provide appropriate levels of confidentiality with sensitive consumer data. Our procedures provide for the proper care of such data from all sources and include procedures for the preservation and restoration of data in the event of a disaster. These procedures apply to all Genworth Mortgage Insurance business locations.
Unless otherwise specified, this brief applies to Genworth Mortgage Insurance Corporation (Genworth), its subsidiaries and their employees (including users, associates, contractors, and temporary workers), its contractors, its datacenters, and all of its business premises. The term "IT" refers to Genworth Mortgage Insurance Information Technology and may be used interchangeably with Genworth Mortgage Insurance Information Systems.
Physical and Electronic Files
Genworth is highly digitized; however, there are occasions when we handle physical files. Associates who work with physical files containing sensitive consumer data (including paper documents, computer diskettes, CDs, DVDs, and USB storage devices) should remove them from plain view at the end of the workday. This rule also applies to sensitive consumer data appearing on computer screens. Employees are trained to lock their workstation before stepping away, and an automatic screen saver engages within minutes if a workstation is left unattended. When such files are no longer needed under our document retention schedule, they are destroyed. We utilize locked storage bins and a commercial shredding service to shred physical files on our premises.
A unique log-on ID and 16-character password are required for access to all of Genworth's network and information systems. Passwords are required to be changed on a regular basis. Employees are responsible for, and are held accountable for, the use of their assigned log-on ID and password. Employee IDs and passwords are not to be shared or divulged to other employees. Genworth has implemented a new password policy to strengthen passwords, demonstrated by our regular testing of passwords (password “cracking”).
Employee accounts are disabled at termination of employment or assignment. This action is automated based on the status of the employee (full-time or contract) in the HR management system. Employee accounts that are inactive for an extended period of time are disabled or deleted.
Remote Access Authentication
Remote access to Genworth's network requires two-factor authentication; a log-on ID and password alone are insufficient. To gain access, the employee must provide the log-on ID, a unique PIN, and a one-time passcode generated by a key fob (a device that generates a one-time password) or a smartphone app. Genworth utilizes an industry-leading two-factor authentication technology. Any employee requiring remote access to the network is assigned a token that is associated with his or her employee account. Once connected remotely, employees must still authenticate to network resources and information systems with their normal log-on ID and password.
Genworth utilizes Network Admission Control (NAC) technology for remote access. Only Genworth owned and managed machines are permitted to establish VPN access to the network. Remote access by non-Genworth devices is limited to our Virtual Desktop Infrastructure (VDI) environment. This technology provides the employee with the appearance of an on-premise workstation environment; however, it is encapsulated from the physical connecting device so that no data can be transferred to the physical device.
Remote access accounts are disabled at termination of employment or assignment.
Access to Data and Systems
Access to sensitive consumer data is granted only to employees whose duties and responsibilities require such access. Sensitive consumer data will reside on a secured server or database. For further control, departmental business owners must authorize each employee’s access to the specified data.
When an employee has a significant change in duties, such as a transfer to another department, the employee's access permissions are reviewed and modified as necessary. If the employee's new department and responsibilities no longer require access to sensitive consumer data, this access is revoked. This process is managed by a fully automated system that identifies changes in job roles and prompts resource owners to review access immediately.
In general, employees will not have direct access to data files and databases containing sensitive consumer data. Access to the sensitive consumer data is delivered by way of an application—meaning presentation software and business logic that will determine what the employee may see and do. Applications containing sensitive consumer data are explicitly secured. These applications provide a level of security limiting access to sensitive consumer data to those who have access to the application and specific roles. Sensitive data elements are masked on screens for employees without specific “need to know” roles. Applications are responsible for the updates to sensitive consumer data and perform appropriate edit procedures to ensure the integrity of the data.
Authorized employees may be permitted to have direct access to data sources such as files and databases. System software logging and audits are enabled where applicable to explicitly monitor direct access to data files and databases containing sensitive consumer data. Where applicable, systematic “redaction” is applied to limit the visibility of sensitive data even when direct access to databases is provided.
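The two preceding paragraphs describe the same control applied at two layers: applications mask sensitive elements on screen for employees without a "need to know" role, and direct database access is redacted and logged. The added example below (not Genworth's code; the field names, roles, and records are constructed) shows one policy table driving both: a presentation function that masks per role, and a direct-access path that applies the same masking row by row and emits an audit entry naming the roles used and the fields shown in clear.

```python
"""Added example: role-based masking of sensitive consumer data.
Policy, roles, and sample rows are constructed; not Genworth's code."""
from typing import Dict, Iterable, List, Set

# Constructed policy: which roles may see each sensitive field in clear.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "ssn": {"underwriter", "fraud_investigator"},
    "date_of_birth": {"underwriter"},
    "account_number": {"servicing_ops"},
}


def mask_value(field_name: str, value) -> str:
    """Partial masking keeps just enough (last four characters) for an operator
    to confirm they have the right record without exposing the element."""
    text = str(value)
    if field_name == "ssn":
        return "***-**-" + text[-4:]
    if field_name == "date_of_birth":
        return "****-**-**"
    return "*" * max(len(text) - 4, 0) + text[-4:]


def present_record(record: dict, roles: Set[str]) -> dict:
    """Application layer: return a copy with every field the caller's roles
    are not cleared for replaced by its masked form. The input is not modified."""
    shown = dict(record)
    for field_name, allowed in NEED_TO_KNOW.items():
        if field_name in shown and not (roles & allowed):
            shown[field_name] = mask_value(field_name, shown[field_name])
    return shown


def redact_rows(rows: Iterable[dict], roles: Set[str], audit: List[dict]) -> List[dict]:
    """Direct database access: same policy per row, plus an audit entry recording
    who (by role) read how many rows and which sensitive fields were in clear."""
    rows = list(rows)
    cleared = sorted(f for f, allowed in NEED_TO_KNOW.items() if roles & allowed)
    audit.append({"roles": sorted(roles), "rows": len(rows), "clear_fields": cleared})
    return [present_record(row, roles) for row in rows]


# Constructed sample data.
SAMPLE_ROWS = [
    {"loan_id": "L-1001", "borrower": "A. Example", "ssn": "123-45-6789",
     "date_of_birth": "1980-02-14", "account_number": "9876543210"},
    {"loan_id": "L-1002", "borrower": "B. Example", "ssn": "987-65-4321",
     "date_of_birth": "1975-11-30", "account_number": "1234567890"},
]


if __name__ == "__main__":
    log: List[dict] = []
    for row in redact_rows(SAMPLE_ROWS, {"claims_clerk"}, log):
        print(row)
    print(log[-1])
```

Keeping the policy in one table means a role change (the review described earlier on this page) takes effect for both the application screens and direct queries at once, and the audit entries give the monitoring described above something concrete to alert on, such as a role reading an unusual number of rows in clear.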
Portable Devices, Media, and Hard Drive Encryption
Genworth has implemented hard drive encryption on all computers – both laptop devices and workstations on premise or home offices. Use of removable media such as USB “thumb” drives and CD/DVD disks is limited and restricted to read-only access unless explicitly approved. Data Loss Prevention (DLP) software monitors transmission of sensitive information when USB or CD/DVD write access is permitted. In addition, Genworth instructs employees on the proper use of portable/removable storage devices and media.
Sensitive Consumer Data Transmitted to Third Parties
Sensitive consumer data transmitted by Genworth on its private network (intranet) is encrypted where technically feasible. Internal applications utilize TLS encryption to desktops.
Excluding email, as explained in the next section, sensitive consumer data transmitted by Genworth on public networks, such as the Internet, is encrypted by IT systems. Thus, sensitive consumer data transmitted by Genworth on the Internet to and from its websites is encrypted automatically. The following are examples of our encryption methods.
Internet browser-based applications - Web developers will incorporate TLS encryption to ensure that:
- Transactions containing sensitive consumer data are conducted with a minimum of 256 bit encryption
- Internet SFTP/SSH transmissions involve 256 bit or stronger encryption
- Internet FTP transmissions require file level encryption with 2048 bit or stronger keys, using the public key provided by the recipient
Additional methods may be used with the approval of the Genworth Mortgage Chief Information Security Officer.
Sensitive Consumer Data Transmitted to Third Parties via Internet Mail
Genworth strongly encourages the use of encryption of sensitive consumer data for email transmitted over the Internet. Genworth leverages a TLS capable gateway configured in “Opportunistic Mode” to encrypt by default with any mail domain that is TLS capable. This means that customers that have TLS capability can be assured that mail transmissions are secured by encryption over the Internet. If desired, customers can request their domain be enabled in “Enforcement Mode” to guarantee TLS encryption is always utilized.
When a third party recipient does not have TLS capability, but does have the technology available, an acceptable and recommended method of encrypting sensitive consumer data is to utilize applications with a "password protection" and associated file encryption option. The encrypted data can be sent as an email attachment. The password should not be included in the email with the attachment and must be exchanged using an alternate communication channel (e.g., telephone). Applications and data protection methods are approved by the Genworth Mortgage Chief Information Security Officer.
Genworth utilizes its Data Loss Prevention (DLP) capabilities to prevent sending emails with unprotected sensitive consumer data. Any email sent to an unprotected domain (non-TLS) with un-encrypted sensitive consumer data is blocked and returned to the sender for correction.
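The three paragraphs above define a decision that an outbound mail gateway has to make per message: deliver when the recipient domain is TLS capable (opportunistic or enforced), deliver to a non-TLS domain only if the sensitive data sits in an encrypted attachment and the password is not in the same message, and otherwise block and return to sender. The added example below (not Genworth's gateway; the domain directory, the SSN pattern, and the sample messages are constructed) implements that decision so the rules can be tested against concrete messages.

```python
"""Added example: outbound e-mail DLP decision for sensitive consumer data.
Directory, detection pattern, and messages are constructed; not Genworth's code."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed directory of recipient domains and their TLS standing.
#   "enforce":       customer requested Enforcement Mode; TLS is always required
#   "opportunistic": domain known to be TLS capable; encrypted by default
#   "none":          no TLS capability; only an encrypted attachment may carry data
TLS_DIRECTORY = {
    "bank-example.com": "enforce",
    "partner-example.net": "opportunistic",
    "legacy-example.org": "none",
}

# Constructed detector: one sensitive element type (US SSN) is enough to show the flow.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Password for an encrypted attachment must travel by another channel (e.g. telephone).
PASSWORD_HINT_RE = re.compile(r"\bpassword\s*[:=]", re.IGNORECASE)


@dataclass
class OutboundMail:
    recipient: str
    body: str
    # Each attachment: (filename, encrypted?, readable text; empty when encrypted)
    attachments: List[Tuple[str, bool, str]] = field(default_factory=list)


def contains_sensitive(text: str) -> bool:
    return bool(SSN_RE.search(text))


def classify(mail: OutboundMail) -> dict:
    """Return the gateway action ("deliver" or "block") with the reason and
    the TLS mode that applied. Unknown domains are treated as non-TLS."""
    domain = mail.recipient.rsplit("@", 1)[-1].lower()
    mode = TLS_DIRECTORY.get(domain, "none")
    has_encrypted_attachment = any(enc for _, enc, _ in mail.attachments)
    # Only data the gateway can read counts as exposed: body plus unencrypted attachments.
    exposed = contains_sensitive(mail.body) or any(
        contains_sensitive(text) for _, enc, text in mail.attachments if not enc)

    if has_encrypted_attachment and PASSWORD_HINT_RE.search(mail.body):
        return {"action": "block", "tls": mode,
                "reason": "password for the encrypted attachment must be sent out of band"}
    if not exposed:
        return {"action": "deliver", "tls": mode, "reason": "no unprotected sensitive data"}
    if mode != "none":
        return {"action": "deliver", "tls": mode, "reason": f"transport encrypted ({mode} TLS)"}
    return {"action": "block", "tls": mode,
            "reason": "unprotected sensitive data addressed to a non-TLS domain; returned to sender"}


if __name__ == "__main__":
    samples = [
        OutboundMail("ops@legacy-example.org", "Borrower SSN 123-45-6789, see file."),
        OutboundMail("ops@legacy-example.org", "Encrypted file attached.", [("loan.zip", True, "")]),
        OutboundMail("ops@legacy-example.org", "Password: Spring2020!", [("loan.zip", True, "")]),
        OutboundMail("ops@bank-example.com", "Borrower SSN 123-45-6789."),
    ]
    for sample in samples:
        print(sample.recipient, "->", classify(sample))
```

The opportunistic branch relies on the directory's record that the domain is TLS capable; that record is what lets the page say TLS-capable customers "can be assured" of encryption, and it is why a customer who wants a guarantee rather than a default asks for Enforcement Mode. A production detector would carry more element types than the single SSN pattern used here.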
Network and Server Security
The Internet connection is secured with multiple firewalls and proxy servers. Only required services are open and available on this connection. Outbound Internet traffic will pass through a proxy server to log and monitor activity. FTP and SFTP traffic is limited to specific known business partner addresses. HTTP and HTTPS traffic is filtered to restrict access to approved categories of Internet sites. Internet storage and email sites are blocked by default to reduce data loss risk. Employees are warned if they attempt to access un-categorized sites. DLP technology is in place to examine traffic to prevent potential data loss. Laptop computers are equipped with a “cloud based” proxy to enforce the same controls off network as on network.
Private network connections between Genworth and "trusted" partners are isolated and firewalled such that only required services are open and available on these connections. Genworth will manage the firewalls on its end of the connections to ensure integrity.
Access to servers and network devices (switches, routers, firewalls) is limited to authorized employees. Configuration changes to servers and network devices are made by authorized employees only after approval pursuant to the IT Change Control Procedure.
System administrator credentials for servers and databases leverage a privileged account management system to provide multi-factor authentication for use. This provides for the use of very strong passwords rotated on a very frequent basis.
Genworth runs network intrusion prevention devices to identify and automatically block unauthorized or unwanted traffic on its internal network and to ensure the integrity of its firewall controls. All servers are monitored by host intrusion detection software to detect unauthorized access or unauthorized changes to the system. Network and server events are sent to a SIEM monitored 24/7 by CSIRT (Computer Security Incident and Response Team), a team dedicated to the incident response process. Genworth has third-party vulnerability tests of the network perimeter performed on at least a quarterly basis.
Genworth will perform application security assessments as part of the application software development life cycle. This will include vulnerability scanning of applications and servers for applications, internal and external. External facing customer applications are vulnerability scanned and penetration tested by a third party on a regularly scheduled basis as an additional measure of assurance.
Genworth applications undergo an annual attestation process requiring business application owners to sign off on the security of their applications. Genworth internal audit staff regularly audits applications and databases to ensure validity of attestations.
Storage of Sensitive Consumer Data
Storage of sensitive consumer data is not permitted on individual employee workstations. Only software and temporary work files are permitted to be stored on workstation hard drives. Nonetheless, all workstation hard drives are encrypted as a precaution. All employee files and data must be stored on secured servers located in the datacenter or on the mainframe. IT is responsible for computers located in the datacenters and will ensure the availability and integrity of those computers. Sensitive consumer data is encrypted at rest (on disk) for all primary storage—i.e. databases, disk backup spaces, and file shares using specialized software to protect the data.
Genworth has implemented a rigorous data loss prevention (DLP) scanning program to ensure that sensitive consumer data is not stored in inappropriate storage locations. All workstation and laptop hard drives are scanned weekly. Server file shares and SharePoint sites are scanned monthly to ensure that data is stored in appropriate locations.
Use of production sensitive consumer data is not permitted in non-production systems and databases. Regularly scheduled routines are run against non-production environments to obfuscate any data placed there unintentionally.
Data is replicated to a backup datacenter for disaster recovery purposes on a near real-time basis to ensure minimal data loss in the event of a disaster. The data replication is encrypted on the network, and the data is encrypted in storage at the backup datacenter. Disaster recovery plans for the datacenters have been developed to ensure a timely recovery in event of disaster. Recovery procedures for individual computer systems are tested on a periodic basis. Recovery of the datacenters is tested on an annual basis.
Access to Storage Facilities
Access to document storage facilities is limited to employees for whom it is necessary to perform their duties and responsibilities. Storage facilities remain locked to prevent unauthorized access and are equipped with smoke and fire detection devices and sprinkler systems to guard against loss in the event of fire.
Access to the Datacenter
Access to datacenters is limited to authorized employees, and entry is controlled via a two-factor security badge (badge and PIN code). Vendor technicians (e.g., computer hardware technicians, telephone system engineers, etc.) are not permitted in the datacenter unaccompanied. An authorized employee will accompany and monitor vendor technicians at all times in the datacenters.
Vendors must adhere to written security and confidentiality commitments safeguarding sensitive consumer data residing on vendor owned and managed systems. Further, vendors may not use or share sensitive consumer data, including vendors providing offsite storage services (such as backup tapes).
Genworth undergoes annual risk evaluations of vendors receiving sensitive consumer data and performs security assessments of vendor technical environments to ensure compliance with Genworth customer requirements.
Auditing, Testing and Governance
Security procedures and practices are subject to audits by the Genworth Financial Audit Staff as well as internal review processes. Genworth contracts with third parties to conduct penetration testing multiple times per year. Penetration test results are reported to the Board of Directors.
Genworth has a Governance, Risk, and Compliance (GRC) council that meets monthly to monitor changing risks within the business. The Chief Information Security Officer is a member of this council with the responsibility of raising IT security issues to the council for review. When appropriate, issues are escalated to the board Risk Committee for review and acceptance. There is an IT Risk Dashboard prepared quarterly for the Risk Committee by Enterprise Risk Management in conjunction with the Chief Information Security Officer.
Genworth performs quarterly penetration tests of the technical infrastructure to ensure that security controls are operating effectively. On a bi-annual basis, the penetration testing firm conducts a maturity assessment of the Genworth Security Program to rate its effectiveness and benchmark against industry peers.
Genworth has adopted the SSAE 18 framework SOC 2 as a standard methodology for attesting our security controls. An annual SOC 2 report is available to customers upon request.
IT Change Control Procedure
Any change to IT systems including application changes, software installation on servers, server configuration changes, network device configuration changes, database changes, etc., must undergo review through the IT Change Control Procedure. This assures effective review by management prior to implementation of changes that could impact the security of sensitive consumer data.
Use of Public Cloud Technology
Genworth does make use of public cloud technology in a strategic manner with data security a central focus. Support applications such as customer relations management, IT service request ticketing, project management, and HR are cloud based. This allows us to leverage “best of breed” technology while reducing the complexity of our internal network and eliminating the need to manage vulnerabilities in non-critical applications. Public cloud is also used to take advantage of the vast compute power for data analytics. Our newest applications have been “built for the cloud” to leverage the resiliency of the cloud. However, data is not stored in the public cloud as the applications connect to on-premise databases so that Genworth remains in complete control of the data.
Incident Response Handling
Incidents are tracked and reported. Incident response is performed by appropriately trained personnel. A breach of sensitive consumer data security is considered a significant incident requiring action via the Incident Response Process, subject to review by the Chief Information Security Officer. All such incidents are required to be identified and reported so that corrective action can be taken. Corrective action will address both immediate and follow-up actions to minimize the impact, to facilitate investigation, to ensure proper collection of evidence, to inform management, and to restore services during and after a security incident.
Employee Training and Awareness
The Genworth data security program begins with our employees. All employees are trained on the policies and procedures pertaining to data security, and such training is tracked and documented. Training includes monthly security awareness modules for all associates, regular phishing testing, and instruction on how to report incidents; associates are graded individually on security awareness each quarter. All employees understand that violation of data security policy is grounds for disciplinary action, up to and including termination of employment or assignment.
Modifications to the Security Process and Procedure Document
Genworth IT will monitor the Security Process and Procedure document for compliance and may make changes as needed to accommodate technological and other changes. Changes to this document will be posted to our website and may be implemented without prior notice.