Information Security Program Overview
Purpose
This document describes Boston Financial Data Services’ Information Security Program,
Infrastructure Policies and Information Security Requirements. We are committed to
ensuring the safety of our customers’ data from unauthorized use, access, disclosure,
theft, manipulation, reproduction or possible security breach during the tenure of our
relationship.

Our Information Security Program employs a layered security approach, forming a defense
in depth strategy to mitigate known or potential security risks. Major components of the
program include Risk Assessment, Security Assessment, Security Awareness, Security
Policies and Standards, Risk Mitigation and Reporting. A dedicated Information Security
team, led by the Information Security Officer, was established in 2005 and is responsible
for the management of the program and for preventing unauthorized access to the
environment supporting the services provided to our customers. We implement
commercially accepted technologies and apply appropriate methods of security to ensure
that the integrity and privacy of our customers’ data is protected. Our security program is
reviewed annually and adheres to industry standards and best practices that address the
critical requirements of safeguarding information, based on:
- International Organization for Standardization 27002 (ISO/IEC 17799:2005)
- COBIT Framework and Control Objectives
- BITS Financial Services Roundtable Shared Assessment Program
- Legal Compliance Requirements including but not limited to:
  - California’s Security Breach Notification Act
  - Massachusetts Privacy Act
  - Gramm-Leach Bliley Act (“GLB 501b – Standards for Safeguarding Customer Information”) and implementing legislation and regulations
  - Sarbanes Oxley Act (“SOX-404”)
  - FTC Information Security Requirements for Safeguarding Customer Information
  - Other state and federal laws and regulations relating to safeguarding information
Key Points:
- Management Commitment
- Review and Evaluation
- Industry and Regulatory Standards
- Defense in depth via a layered approach
Scope
The scope of the Information Security Program and Requirements at Boston Financial
encompasses Information Security Administration, Security Technology Infrastructure and
Security Policy Management. Consistent monitoring to detect changes in the threat
landscape allows us to be more proactive with changes to our production environment, and
gives us the ability to act in a reasonable manner to address potential exposure to known
or reported risks targeting our information systems.
- Information Security Administration includes:
  - Education and Awareness
  - Security Incident Response
  - Audit and Reporting
- Information Security Policies include:
  - Security Management
  - Risk Management
  - Personnel Security
  - Physical Security
  - Operations Management
  - Security Monitoring and Response
  - Communications Management
  - Access Control
  - Network Security
  - Third Party Services
  - Application Development
  - Recovery and Business Continuity
  - Legal, Compliance and Regulatory
- Information Security Technology Infrastructure includes:
  - Access Controls
  - Encryption of information in transit through non-dedicated circuits only
  - Host Security
  - Data Security
  - Data Retention
Boston Financial recognizes the need for customer assurance and validation that all private
and sensitive data are being protected. As a result, all security policies must be reviewed
and updated as necessary in accordance with regulatory changes and best practices outlined
in ISO/IEC 27002 (17799:2005). Security policies are confidential and will not be
disseminated to any third party. Customers can validate the safety of their data and the
security principles employed at Boston Financial in one of the following ways:
- Clients may review our Information Security policies on premise with the Information Security Officer
- Boston Financial will answer follow-up questions that remain after client review of the Standard Information Gathering (SIG) document
- Clients can request a copy of the SSAE16 audit report
- Clients can request an executive summary of independent third-party Network and Application security assessment findings. The report is confidential and will not be shared with clients

If you have any questions or require any further information, please contact your
relationship manager or the Information Security Officer at Boston Financial.