Incident Response Policy

1. Overview

Berkshire Associates LLC is committed to protecting its employees, customers, partners and its operations from illegal or damaging actions by individuals, either knowingly or unknowingly. All desktops, laptops, mobile devices, servers, email gateway, network devices, and information under this policy are protected from malicious software.

2. Purpose

This standard defines Berkshire employees’ responsibilities for responding to and reporting breaches of information and for sharing information related to potential security incidents or threats with Berkshire’s Information Technology (IT) Security Team.

3. Scope

The IT Director working with the Product Support Manager, Product Development Manager and Systems Administration Team shall be responsible for ensuring the effective implementation of a Company-wide standard for reporting security incidents.

This policy covers all employees, temporary employees, contractors or consultants of Berkshire, and/or any affiliate, company or division of Berkshire. All departments of the company are included within this policy. It is the responsibility of each employee to know the contents of this policy as it relates to incident response.

4. Policy

Every employee is responsible for reporting any kind of security incident. The type of report and the action of the employee will depend on the nature of the security incident. The personnel assigned to handle security incidents will determine how incidents should be handled and reported.

This document outlines the procedures that individuals should follow in reporting potentially serious IT security incidents. Berkshire’s IT staff has even greater responsibilities. This document outlines their responsibilities in securing systems, monitoring and reporting IT security incidents, and assisting individuals, administrators, and other IT staff to resolve security problems.

4.0 Definition
For the purposes of this policy a "security incident" is any accidental or malicious act with the potential to:

  • Result in intentional or accidental misappropriation or misuse of private, sensitive or confidential information of an individual or of Berkshire’s clients.
  • Significantly imperil the functionality of the information technology infrastructure of Berkshire, including but not limited to a Denial of Service type of attack.
  • Provide for unauthorized access to Berkshire’s resources or information.
  • Allow Berkshire’s information technology resources to be used to launch attacks against the resources and information of other individuals or organizations.

4.1 Information Security Team (IST)
A team will be assigned to accept all security incident reports. Employees should contact one of the members of the security team to report an incident. The team will consist of:

  • IT Director
  • Systems Administration Team
  • Product Support Manager
  • Product Development Manager

4.2. Reporting Responsibilities - Employees
Each employee must take responsibility for reporting security incidents. Employees should follow the following guidelines:

  1. An employee should attempt to stop any IT security incident as it occurs to the best of their knowledge/ability.
  2. An employee should immediately report IT security incidents to a member of the Information Security Team (IST), regardless of whether it is during or outside of normal business hours. If the IST member is not available, regardless of the incident, the employee should report it to an IT employee immediately. IT staff will help the employee assess the problem and determine how to proceed. In the event an IT employee is not available, such as on weekends, holidays, etc., an employee should contact their supervisor, who will have emergency contact information for a member of the IT department.
  3. A member of the IST will work with the employee to complete the IT Security Incident Report form. The form will be reviewed by the appropriate members of the IST and may assist in determining what action is necessary. The Incident Response Form will be provided by the IT department.
  4. Following the report, individuals should comply with directions provided by the IT department to repair the system, restore service, mitigate future risk and preserve evidence of the incident.
  5. No retaliatory action should be taken against a system or person, internal or external to the organization, believed to have been involved in the IT security incident. All response actions should be guided by Berkshire’s Information Security Policy. If necessary, once the root cause of an incident has been identified, the IST will take corrective or disciplinary action.

4.3. Reporting Responsibilities - IT Personnel
Information technology department professionals have additional responsibilities for IT security incident handling. In the case of an IT security incident, IT staff should:

  1. Respond quickly to reports from individuals.
  2. Take immediate action to stop the incident from continuing or recurring.
  3. Determine whether the incident should be reported to the IT Security Team.
    • If the incident does not involve the loss of confidential information or have other serious impacts to individuals or the company, the IT staff should repair the system, restore service, mitigate future risk and preserve evidence of the incident.
    • If the incident involves the loss of confidential information or critical data or has other potentially serious impacts, the IT staff should:
      1. File an IT Security Incident Report form including a description of the incident and documenting any actions that have been taken.
      2. Notify a member of the Information Security Team.
      3. Notify the appropriate department(s) that an incident has occurred and that the IT Security Response Team has been contacted.
      4. Notify Berkshire’s customers if downtime or other critical situations exist.
      5. Refrain from discussing the incident with others until a response plan has been formulated.
      6. Repair the system and restore service.
      7. Preserve evidence of the incident.
      8. Develop a notification plan and deliver it to affected clients within 1 business day, if the incident is related to breach of their data.
      9. Mitigate future risk.

4.4 Reporting for Users of Berkshire's Hosted Solutions
All users should report security incidents using the online Support form found at the top of every page in the application. The following guidelines should be considered when reporting an incident:

  1. When the incident involves another member of your organization and you have administrative rights, disable their account to minimize the impact of the issue, and then immediately report the incident to Berkshire.
  2. During standard business hours, the Product Support team may also be contacted by phone to report potential security issues at 800-882-8904 and choose option 4.
  3. Berkshire staff will respond to the incident in accordance with 4.2 and 4.3 of this policy. The user reporting the issue may be contacted by Product Support or a member of the IST throughout the process to collect additional information when required. Affected users and all appropriate contacts will be notified once the issue has been investigated and addressed by Berkshire.

4.5 Reporting Incidents
The following examples are security incidents that should be reported immediately:

  • Widespread virus or malware infection.
  • Unauthorized root or administrator access to critical servers, routers, firewalls or any other networked system.
  • Major outages or degraded access to normal business systems and applications resulting from denial of service attacks.
  • Attacks or attempts to cause failure on mission critical infrastructure services.
  • Unauthorized access to Berkshire’s systems through the use of other users’ credentials.
  • Instances of other malicious code that has had wide-spread impact or adversely affected one (or more) of Berkshire’s mission critical server(s).
  • Unauthorized access to servers or server management functions outside of Berkshire’s networks not in the course of normal business or operational duties (e.g., running a home web server, hacking another site, etc.).
  • Reconnaissance scans and probes that precede or are related to the incidents listed above.
  • Changes to system hardware, firmware or software without Berkshire’s knowledge, instruction or consent.
  • Attempts to cause failures that may cause loss of life or significant impact on the health or economic security of any agency, organization, individual, group or state or federal government.
  • Reckless uses of an IT device or network to engage in a scheme or course of conduct that is directed toward another person and that seriously alarms, torments, threatens, or terrorizes the person.
  • Knowingly obtaining information that is required by law to be kept confidential or any records that are not classified as public records by accessing an IT device or network that is operated by the State, a political subdivision of the State, or a medical institution.
  • Sending Berkshire Confidential information over email networks or any other electronic transmission method with the intent to sell or acquire gain from that information.
  • Attempts to use the identity or personal information of a fellow employee in any way.
  • Password violations (sharing passwords, posting passwords in open areas, bypassing passwords, etc.).

Important information that should be documented during an incident when available:

  1. The systems impacted and the extent of the damage or breach
  2. How the breach occurred
  3. Steps taken to mitigate or remedy the situation
  4. Suspects (internal or external)
  5. Evidence that exists or needs to be preserved

5. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action based on the severity of offense, up to and including termination of employment.

6. Distribution

This security policy is to be distributed as follows:

  1. All Berkshire employees via the company employee portal and reviewed during annual security training
  2. Posted within the balanceWORKS application to be accessed by all authenticated users

Date Version Summary of Changes
10/14/2011 1.1 Initial Policy Draft
10/15/2012 1.2 Annual Policy Review
10/5/2013 1.3 Annual Policy Review, added Product Support Supervisor to IT Security Team
10/24/2014 1.4 Annual Policy Review. Added section 4.4, and updated section 6 to include users of BALANCEworks.
10/29/2014 1.5 Annual Policy Review
10/20/2015 1.6 Annual Policy Review
07/12/2016 1.7 Annual Policy Review
08/08/2016 1.8 Updates to 4.2 and 4.3 for clarification of location of form, and for reporting process
08/02/2017 1.9 Annual Policy Review, updated sections 4.2 and 4.4.
08/08/2018 1.10 Annual Policy Review, revised product name.
07/23/2019 1.11 Annual Policy Review, updated section 1 to clarify other endpoints. Consolidated 2 with 4.0. Updated 3, 4.1 to include PD Manager
08/14/2020 1.12 Annual Policy Review, removed references to VP of PD and BD, clarified reference to timeframe for notification from 24 business hours to 1 business day.
08/06/2021 1.13 Annual Policy Review, updated distribution section to clarify all staff receives and is trained on policy.
08/01/2022 1.14 Annual Policy Review.
08/01/2023 1.15 Annual Policy Review. Minor update on overview.
