Information Security Program Overview
Purpose
This document describes Boston Financial Data Services’ Information Security Program,
Infrastructure Policies and Information Security Requirements. We are committed to
ensuring the safety of our customers’ data from unauthorized use, access, disclosure,
theft, manipulation, reproduction or possible security breach, during the tenure of our
relationship.
Our Information Security Program employs a layered security approach, forming a defense
in depth strategy to mitigate known or potential security risks. Major components of the
program include Risk Assessment, Security Assessment, Security Awareness, Security
Policies and Standards, Risk Mitigation and Reporting. A dedicated Information Security
team, led by the Information Security Officer, was established in 2005 and is responsible
for managing the program and preventing unauthorized access to the environment
supporting the services provided to our customers. We implement commercially accepted
technologies and apply appropriate methods of security to ensure that the integrity and
privacy of our customers’ data are protected. Our security program is reviewed annually
and adheres to industry standards and best practices that address the critical
requirements of safeguarding information based on:
International Organization for Standardization 27002 (ISO/IEC 17799:2005)
COBIT Framework and Control Objectives
BITS Financial Services Roundtable Shared Assessment Program
Legal Compliance Requirements including but not limited to:
California’s Security Breach Notification Act
Massachusetts Privacy Act
Gramm-Leach Bliley Act (“GLB 501b – Standards for Safeguarding Customer
Information”) and implementing legislation and regulations
Sarbanes Oxley Act (“SOX-404”)
FTC Information Security Requirements for Safeguarding Customer
Information
Other state and federal laws and regulations relating to safeguarding
information
Key Points:
Management Commitment
Review and Evaluation
Industry and Regulatory Standards
Defense in depth via a layered approach
Scope
The scope of the Information Security Program and Requirements at Boston Financial
encompasses Information Security Administration, Security Technology Infrastructure and
Security Policy Management. Consistent monitoring to detect changes in the threat
landscape allows us to be more proactive with changes to our production environment and
gives us the ability to act in a reasonable manner to address potential exposure to known
or reported risks targeting our information systems.
Information Security Administration includes:
Education and Awareness
Security Incident Response
Audit and Reporting
Information Security Policies include:
Security Management
Risk Management
Personnel Security
Physical Security
Operations Management
Security Monitoring and Response
Communications Management
Access Control
Network Security
Third Party Services
Application Development
Recovery and Business Continuity
Legal, Compliance and Regulatory
Information Security Technology Infrastructure includes:
Access Controls
Encryption of information in transit through non-dedicated circuits only
Host Security
Data Security
Data Retention
Boston Financial recognizes the need for customer assurance and validation that all private
and sensitive data are being protected. As a result, all security policies must be reviewed
and updated as necessary in accordance with regulatory changes and the best practices
outlined in ISO/IEC 27002 (17799:2005). Security policies are confidential and will not be
disseminated to any third party. Customers can validate the safety of their data and the
security principles employed at Boston Financial in one of the following ways:
Clients may review our Information Security policies on premises with the
Information Security Officer
Boston Financial will answer follow-up questions that remain after client
review of the Standard Information Gathering (SIG) document
Clients can request a copy of the SSAE16 audit report
Clients can request an executive summary of independent third-party
Network and Application security assessment findings. The underlying report is
confidential and will not be shared with clients
If you have any questions or require any further information please contact your
relationship manager or the Information Security Officer at Boston Financial.