@@ -368,217 +368,259 @@ The Company hereby designates the following series as exclusive internal shared
a. **Performance Standards**: Internal service providers must meet or exceed the service level agreements (SLAs) established by the Technology Oversight Committee, which shall:
i. Be documented in writing and incorporated by reference into this Agreement;
i. Be documented in writing and incorporated by reference into this Agreement
ii. Include specific, measurable performance metrics for each service category;
ii. Include specific, measurable performance metrics for each service category
iii. Establish response time requirements for various service priorities;
iii. Establish response time requirements for various service priorities
iv. Define availability requirements for critical systems;
iv. Define availability requirements for critical systems
v. Include remediation timelines for service disruptions;
v. Include remediation timelines for service disruptions
vi. Specify reporting requirements and cadence; and
vi. Specify reporting requirements and cadence
vii. Be reviewed and updated at least annually.
vii. Be reviewed and updated at least annually
viii. Include security standards and compliance requirements
b. **Competitive Pricing**: Internal service providers must offer services at pricing comparable to market rates for equivalent services, as verified by:
i. Annual independent third-party audit;
i. Annual independent third-party audit
ii. Benchmark comparison against at least three comparable external providers;
ii. Benchmark comparison against at least three comparable external providers
iii. Transparent cost-accounting as described in Section 4.6.5; and
iii. Transparent cost-accounting as described in Section 4.6.5
iv. Quarterly pricing reviews by the Audit and Finance Committee.
iv. Quarterly pricing reviews by the Audit and Finance Committee
2. **Enforcement Mechanism**: The Company Committee shall be responsible for enforcing the mandatory use requirement and shall:
a. Conduct quarterly compliance reviews;
a. Conduct quarterly compliance reviews
b. Promptly investigate any reported violations;
b. Promptly investigate any reported violations
c. Issue formal findings within 30 days of any compliance investigation; and
c. Issue formal findings within 30 days of any compliance investigation
d. Recommend appropriate remedial actions to the Board.
d. Recommend appropriate remedial actions to the Board
3. **Service Provider Dispute Resolution**: Disputes between service providers and series regarding service delivery shall be resolved through:
a. Initial attempt at resolution between operational leaders of the service provider and series
b. If unresolved within 15 days, escalation to the Technology Oversight Committee
c. Formal mediation process as outlined in Schedule H if not resolved within 30 days
d. Final binding decision by the Company Committee if mediation is unsuccessful
#### 3.1.3 - Service Provider Failure Remedies
1. **Failure Determination**: An internal service provider shall be deemed to have failed if it:
a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee;
a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee
b. Experiences a catastrophic service disruption lasting more than:
i. 48 hours for non-critical services;
i. 48 hours for non-critical services
ii. 24 hours for important services; or
ii. 24 hours for important services
iii. 4 hours for mission-critical services as designated in the applicable SLA;
iii. 4 hours for mission-critical services as designated in the applicable SLA
c. Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice; or
c. Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice
d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period.
d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period
e. Experiences a material security or data breach that compromises sensitive information or critical infrastructure
2. **Remedies for Service Provider Failure**: Upon determination of a service provider failure, the following remedies shall be available:
a. **Initial Remediation Period**: The service provider shall be granted a 60-day remediation period to:
i. Correct performance deficiencies;
i. Correct performance deficiencies
ii. Restore service levels to required standards;
ii. Restore service levels to required standards
iii. Submit a detailed improvement plan to the Technology Oversight Committee; and
iii. Submit a detailed improvement plan to the Technology Oversight Committee
iv. Implement enhanced monitoring and reporting.
iv. Implement enhanced monitoring and reporting
b. **Enhanced Oversight**: During the remediation period, the service provider shall be subject to:
i. Weekly performance reviews by the Technology Oversight Committee;
i. Weekly performance reviews by the Technology Oversight Committee
ii. Implementation of additional controls and monitoring;
ii. Implementation of additional controls and monitoring
iii. Potential leadership changes as recommended by the Board; and
iii. Potential leadership changes as recommended by the Board
iv. Requirement to provide daily status reports to affected series.
iv. Requirement to provide daily status reports to affected series
c. **Failure to Remediate**: If the service provider fails to remediate within the 60-day period, the Technology Oversight Committee may:
i. Grant a single 30-day extension if substantial progress is evident;
i. Grant a single 30-day extension if substantial progress is evident
ii. Implement a service provider replacement plan;
ii. Implement a service provider replacement plan
iii. Authorize temporary external service providers for affected services; or
iii. Authorize temporary external service providers for affected services
iv. Recommend restructuring of the service provider to the Board.
iv. Recommend restructuring of the service provider to the Board
d. **Extreme Failure**: In cases of extreme failure involving critical systems, the Board may:
i. Immediately authorize use of external service providers;
i. Immediately authorize use of external service providers
ii. Remove and replace service provider leadership;
ii. Remove and replace service provider leadership
iii. Implement emergency continuity plans; and
iii. Implement emergency continuity plans
iv. Take any other actions necessary to protect the TSYS Group.
iv. Take any other actions necessary to protect the TSYS Group
#### 3.1.4 - Innovation Exception Process
1. **Exception Basis**: A series may request an exception to the mandatory use requirement only on the grounds of:
a. Specialized technical requirements that cannot be met by the internal service provider;
a. Specialized technical requirements that cannot be met by the internal service provider
b. Demonstrable competitive advantage requiring specialized external solutions;
b. Demonstrable competitive advantage requiring specialized external solutions
c. Regulatory or compliance requirements that necessitate specialized external providers; or
c. Regulatory or compliance requirements that necessitate specialized external providers
d. Client or customer contractual requirements that mandate specific external solutions.
d. Client or customer contractual requirements that mandate specific external solutions
e. Significant cost savings (exceeding 30%) that can be achieved through an external provider while maintaining equivalent security and quality standards
2. **Exception Request Process**:
a. Requests must be submitted in writing to the Technology Oversight Committee;
a. Requests must be submitted in writing to the Technology Oversight Committee
b. Requests must include:
i. Detailed description of the required service;
i. Detailed description of the required service
ii. Documentation of business necessity;
ii. Documentation of business necessity
iii. Analysis of competitive advantage;
iii. Analysis of competitive advantage
iv. Proposed external provider information including due diligence materials;
iv. Proposed external provider information including due diligence materials
v. Security and compliance assessment;
v. Security and compliance assessment
vi. Data integration and protection plan;
vi. Data integration and protection plan
vii. Implementation timeline; and
vii. Implementation timeline
viii. Cost-benefit analysis comparing the external solution to internal alternatives.
viii. Cost-benefit analysis comparing the external solution to internal alternatives
c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification.
c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification
d. The Technology Oversight Committee must provide written justification for any denial.
d. The Technology Oversight Committee must provide written justification for any denial
e. Appeals of denied exception requests may be made to the Company Committee within 15 days of denial
3. **Exception Implementation**:
a. If approved, the exception shall:
i. Be documented in the electronic records system;
i. Be documented in the electronic records system
ii. Include specific scope and duration limitations;
ii. Include specific scope and duration limitations
iii. Require quarterly reviews and renewal evaluation;
iii. Require quarterly reviews and renewal evaluation
iv. Include a transition plan for eventual migration to internal services if feasible; and
iv. Include a transition plan for eventual migration to internal services if feasible
v. Include compliance monitoring to ensure continued adherence to security and integration requirements.
v. Include compliance monitoring to ensure continued adherence to security and integration requirements
b. The Technology Oversight Committee shall maintain a registry of all approved exceptions and provide quarterly reports to the Board.
b. The Technology Oversight Committee shall maintain a registry of all approved exceptions and provide quarterly reports to the Board
#### 3.1.5 - Service Division Operations
1. **Operational Requirements**: Each service division shall:
a. Operate as a cost center pursuant to Section 4.6.5;
a. Operate as a cost center pursuant to Section 4.6.5
b. Maintain transparent cost accounting with quarterly reporting to all series;
b. Maintain transparent cost accounting with quarterly reporting to all series
c. Be subject to Board oversight through appropriate committees;
c. Be subject to Board oversight through appropriate committees
d. Select and manage external vendors as needed following procurement guidelines established by the Board;
d. Select and manage external vendors as needed following procurement guidelines established by the Board
e. Develop and maintain appropriate service standards and SLAs;
e. Develop and maintain appropriate service standards and SLAs
f. Conduct annual customer satisfaction surveys among series;
f. Conduct annual customer satisfaction surveys among series
g. Implement continuous improvement processes with measurable objectives;
g. Implement continuous improvement processes with measurable objectives
h. Maintain appropriate cybersecurity and compliance certifications;
h. Maintain appropriate cybersecurity and compliance certifications
i. Establish disaster recovery and business continuity plans;
i. Establish disaster recovery and business continuity plans
j. Conduct quarterly technology and service reviews; and
j. Conduct quarterly technology and service reviews
k. Provide monthly service performance metrics to all series.
k. Provide monthly service performance metrics to all series
l. Undergo annual security audits by qualified third-party firms
m. Maintain compliance with all relevant industry standards and regulations
n. Provide regular training to personnel on security and operational best practices
2. **Board Oversight Responsibilities**: The Board of Directors, through its committees, shall establish and oversee:
a. Performance metrics and reporting requirements;
a. Performance metrics and reporting requirements
b. Service level frameworks;
b. Service level frameworks
c. Cost allocation methodologies;
c. Cost allocation methodologies
d. Technology and service strategies;
d. Technology and service strategies
e. Vendor selection criteria;
e. Vendor selection criteria
f. Quality control measures;
f. Quality control measures
g. Dispute resolution procedures for service conflicts;
g. Dispute resolution procedures for service conflicts
h. Compliance standards and monitoring;
h. Compliance standards and monitoring
i. Cybersecurity requirements and testing; and
i. Cybersecurity requirements and testing
j. Other operational parameters as needed.
j. Other operational parameters as needed
3. **Service Roadmap Requirements**: Each service provider shall:
a. Maintain a three-year service development roadmap;
a. Maintain a three-year service development roadmap
b. Conduct quarterly roadmap reviews with all series;
b. Conduct quarterly roadmap reviews with all series
c. Incorporate series feedback into roadmap updates;
c. Incorporate series feedback into roadmap updates
d. Align roadmap priorities with overall TSYS Group strategic objectives;
d. Align roadmap priorities with overall TSYS Group strategic objectives
e. Include specific technology innovation initiatives;
e. Include specific technology innovation initiatives
f. Establish clear timelines for major service enhancements; and
f. Establish clear timelines for major service enhancements
g. Document resource allocation for strategic initiatives.
g. Document resource allocation for strategic initiatives
h. Include contingency planning for emerging technologies and market shifts
i. Identify potential security and regulatory challenges
4. **User Experience and Feedback System**: Each service provider shall:
a. Implement a structured feedback system accessible to all series
b. Conduct quarterly user experience reviews
c. Maintain a transparent issue tracking system
d. Report on issue resolution metrics monthly
e. Incorporate user feedback into service improvements
f. Establish a user advisory group with representation from different series
### Section 3.2 - Electronic Records Requirement
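Review bot: dropping the terminal semicolons and the "and"/"or" on the penultimate item of every lettered list leaves several lists without a connective, and where a new item is appended (the breach trigger "e. Experiences a material security or data breach..." after "d." in 3.1.3(1), the cost-savings ground "e. Significant cost savings (exceeding 30%)..." after "d." in 3.1.4(1)) it is no longer explicit that any single item suffices; suggest restoring the conjunction on the new penultimate item or adding "any of the following" to the lead-in of each disjunctive list. The new 3.1.4(1)(e) ground also conditions the exception on "maintaining equivalent security and quality standards" without saying who determines equivalence; tying it to the "Security and compliance assessment" already required in 3.1.4(2)(b)(v) and to the Technology Oversight Committee's review would close that gap.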
@@ -588,256 +630,359 @@ All records of the Company and its series shall be maintained exclusively in ele
1. **Corporate Records**:
a. Articles of organization and amendments;
* Articles of organization and amendments
b. Operating agreements (Company and series);
* Operating agreements (Company and series)
c. Board and committee meeting minutes and resolutions;
* Board and committee meeting minutes and resolutions
d. Series establishment documentation;
* Series establishment documentation
e. Regulatory filings and correspondence;
* Regulatory filings and correspondence
f. Annual reports and compliance documents;
* Annual reports and compliance documents
g. Consents and certifications; and
* Consents and certifications
h. Governance policies and procedures.
* Governance policies and procedures
2. **Financial Documentation**:
a. Financial statements and reports;
* Financial statements and reports
b. Tax returns and supporting documents;
* Tax returns and supporting documents
c. Bank statements and reconciliations;
* Bank statements and reconciliations
d. Audit reports and working papers;
* Audit reports and working papers
e. Budget and forecasting documents;
* Budget and forecasting documents
f. Expense documentation and approvals;
* Expense documentation and approvals
g. Investment records and valuations; and
* Investment records and valuations
h. Capital transactions and funding documentation.
* Capital transactions and funding documentation
3. **Member Information**:
a. Series membership records;
* Series membership records
b. Ownership transfer documentation;
* Ownership transfer documentation
c. Member contact information;
* Member contact information
d. Voting records and proxies;
* Voting records and proxies
e. Distribution documentation;
* Distribution documentation
f. Membership interest certificates;
* Membership interest certificates
g. Accredited investor verification materials; and
* Accredited investor verification materials
h. Member communications and notices.
* Member communications and notices
4. **Contracts and Agreements**:
a. Service provider agreements;
* Service provider agreements
b. Vendor contracts;
* Vendor contracts
c. Client agreements;
* Client agreements
d. Employment and contractor agreements;
* Employment and contractor agreements
e. Non-disclosure and confidentiality agreements;
* Non-disclosure and confidentiality agreements
f. License and permit documentation;
* License and permit documentation
g. Insurance policies and claims; and
* Insurance policies and claims
h. Settlement agreements and releases.
* Settlement agreements and releases
5. **Operational Records**:
a. Business plans and strategic documents;
* Business plans and strategic documents
b. Marketing materials and communications;
* Marketing materials and communications
c. Intellectual property documentation;
* Intellectual property documentation
d. Regulatory compliance records;
* Regulatory compliance records
e. Standard operating procedures;
* Standard operating procedures
f. Risk assessments and mitigation plans;
* Risk assessments and mitigation plans
g. Service level agreements and performance reports; and
* Service level agreements and performance reports
h. Incident reports and resolution documentation.
* Incident reports and resolution documentation
6. **Legal and Compliance Records**:
* Litigation documents and correspondence
* Regulatory inquiries and responses
* Compliance certifications and attestations
* Legal opinions and memoranda
* Compliance monitoring reports
* Investigation documentation
* Whistleblower reports and resolutions
* Regulatory examination materials
#### 3.2.2 - Electronic Record System Requirements
1. **System Architecture Requirements**:
a. Cloud-based primary storage with geographic redundancy across at least three separate regions;
* Cloud-based primary storage with geographic redundancy across at least three separate regions
b. Real-time backup and disaster recovery systems with recovery time objective of less than four hours and recovery point objective of less than 15 minutes;
* Real-time backup and disaster recovery systems with recovery time objective of less than four hours and recovery point objective of less than 15 minutes
c. Multi-factor authentication access controls for all users;
* Multi-factor authentication access controls for all users
d. Minimum AES-256 encryption at rest and TLS 1.3 encryption in transit;
* Minimum AES-256 encryption at rest and TLS 1.3 encryption in transit
e. Comprehensive API integration capabilities for authorized systems;
* Comprehensive API integration capabilities for authorized systems
f. Automated compliance monitoring and reporting;
* Automated compliance monitoring and reporting
g. System availability of at least 99.9% measured monthly; and
* System availability of at least 99.9% measured monthly
h. Automated system health monitoring with real-time alerts for anomalies.
* Automated system health monitoring with real-time alerts for anomalies
* Data segregation mechanisms to ensure series isolation at the data level
* Zero-trust security architecture with least privilege access controls
2. **Audit Trail Requirements**:
a. Immutable version control with blockchain verification;
* Immutable version control with blockchain verification
b. Comprehensive change logging with user identification;
* Comprehensive change logging with user identification
c. Cryptographically secured time and date stamping;
* Cryptographically secured time and date stamping
d. Complete document access history retention;
* Complete document access history retention
e. Detailed modification tracking with before/after comparisons;
* Detailed modification tracking with before/after comparisons
f. User activity logs retained for a minimum of seven years;
* User activity logs retained for a minimum of seven years
g. Tamper-evident logging mechanisms; and
* Tamper-evident logging mechanisms
h. Regular audit trail verification procedures.
* Regular audit trail verification procedures
* Separation of audit trail storage from primary document storage
* Real-time anomaly detection for suspicious activity
3. **Access Control Requirements**:
a. Role-based access management with principle of least privilege;
* Role-based access management with principle of least privilege
b. Granular permission settings at the document and field level;
* Granular permission settings at the document and field level
c. Secure user authentication with biometric options;
* Secure user authentication with biometric options
d. Automatic session monitoring and timeout after 15 minutes of inactivity;
* Automatic session monitoring and timeout after 15 minutes of inactivity
e. Comprehensive remote access protocols with enhanced security;
* Comprehensive remote access protocols with enhanced security
f. Quarterly access rights review and certification;
* Quarterly access rights review and certification
g. Privileged access management with enhanced monitoring; and
* Privileged access management with enhanced monitoring
h. Separation of duties for critical functions.
* Separation of duties for critical functions
* Emergency access protocols with required post-access reviews
* Continuous monitoring of access patterns to detect anomalies
4. **Retention and Archiving Requirements**:
a. Automated retention scheduling based on document type;
* Automated retention scheduling based on document type
b. Secure archiving protocols with integrity verification;
* Secure archiving protocols with integrity verification
c. Legal hold implementation capabilities;
* Legal hold implementation capabilities
d. Defensible destruction procedures with verification;
* Defensible destruction procedures with verification
e. Archive access controls with separate authentication;
* Archive access controls with separate authentication
f. Retention periods compliant with all applicable regulations;
* Retention periods compliant with all applicable regulations
g. Annual retention policy reviews; and
* Annual retention policy reviews
h. Secure backup archives maintained in geographically separate locations.
* Secure backup archives maintained in geographically separate locations
* Immutable storage for critical records to prevent tampering
* Regular retrieval testing to ensure archive accessibility
5. **Data Privacy Requirements**:
* Compliance with all applicable data privacy laws and regulations
* Data minimization and purpose limitation controls
* Data subject access request management capabilities
* Consent tracking and management
* Privacy impact assessment documentation
* Cross-border data transfer compliance mechanisms
* Data classification and handling procedures
* Privacy by design implementation in system architecture
#### 3.2.3 - Compliance and Security Standards
1. **Required Compliance Standards**: The electronic records system shall comply with:
a. SOC 2 Type II standards;
* SOC 2 Type II standards
b. ISO 27001 Information Security standards;
* ISO 27001 Information Security standards
c. NIST Cybersecurity Framework;
* NIST Cybersecurity Framework
d. GDPR and other applicable privacy regulations;
* GDPR and other applicable privacy regulations
e. HIPAA requirements for any protected health information;
* HIPAA requirements for any protected health information
f. Applicable industry-specific regulations; and
* Applicable industry-specific regulations
g. All federal, state, and local records retention requirements.
* All federal, state, and local records retention requirements
* PCI-DSS compliance for payment card data if applicable
* CCPA and similar state privacy laws
* Records management standards (ISO 15489)
2. **Security Protocols**:
a. Quarterly vulnerability assessments;
* Quarterly vulnerability assessments
b. Annual penetration testing by independent third parties;
* Annual penetration testing by independent third parties
c. Continuous security monitoring;
* Continuous security monitoring
d. Incident response plan with testing;
* Incident response plan with testing
e. Employee security awareness training;
* Employee security awareness training
f. Data loss prevention controls;
* Data loss prevention controls
g. Endpoint security management; and
* Endpoint security management
h. Zero-trust network architecture implementation.
* Zero-trust network architecture implementation
* Advanced threat protection measures
* Regular phishing and social engineering testing
* Secure development practices for system enhancements
* Supply chain security assessment for third-party components
3. **System Administration**:
a. Centralized administration by Known Element Enterprises;
* Centralized administration by Known Element Enterprises
b. Documentation of all system configurations;
* Documentation of all system configurations
c. Change management processes for system modifications;
* Change management processes for system modifications
d. Segregation of duties for administrative functions;
* Segregation of duties for administrative functions
e. Backup administrator credentials securely stored with the Company Committee;
* Backup administrator credentials securely stored with the Company Committee
f. Automated system health monitoring; and
* Automated system health monitoring
g. Capacity planning and performance optimization protocols.
* Capacity planning and performance optimization protocols
* Regular administrator access reviews and rotations
* Privileged access monitoring and logging
* Regular security training for system administrators
#### 3.2.4 - Implementation and Verification
1. **System Implementation Timeline**:
a. Full implementation of all electronic record requirements within 90 days of the Effective Date;
* Full implementation of all electronic record requirements within 90 days of the Effective Date
b. Phased migration approach with priority for critical documents;
* Phased migration approach with priority for critical documents
c. Verification and testing of all system components before full deployment; and
* Verification and testing of all system components before full deployment
d. Post-implementation review within 30 days of completion.
* Post-implementation review within 30 days of completion
* Remediation plan for any identified deficiencies with 15-day completion requirement
2. **Compliance Verification**:
a. Quarterly system compliance audits;
* Quarterly system compliance audits
b. Annual third-party security assessments;
* Annual third-party security assessments
c. Bi-annual disaster recovery testing;
* Bi-annual disaster recovery testing
d. Monthly backup verification procedures; and
* Monthly backup verification procedures
e. Continuous monitoring of compliance with regulatory requirements.
* Continuous monitoring of compliance with regulatory requirements
* Regular penetration testing by qualified security professionals
* Independent verification of encryption implementation
* Periodic testing of access controls and segregation
3. **Documentation Requirements**:
a. Comprehensive system documentation maintained and updated;
* Comprehensive system documentation maintained and updated
b. User manuals and training materials for all series members;
* User manuals and training materials for all series members
c. Recovery procedures clearly documented and tested; and
* Recovery procedures clearly documented and tested
d. Compliance certifications maintained and renewed as required.
* Compliance certifications maintained and renewed as required
* Security incident response procedures
* Business continuity plans
* System architecture diagrams
* Data flow maps
4. **Operational Resilience**:
* Regular business impact analysis to identify critical functions
* Multiple redundancy layers for critical systems
* Periodic failover testing to secondary systems
* Distributed denial of service (DDoS) attack mitigation measures
* Alternative access methods for emergency situations
* Incident response simulations at least twice annually
* Cross-training of key personnel for system recovery procedures
* Vendor dependency assessment and alternative provider identification
### Section 3.3 - Mandatory Capital Raising Requirements
#### 3.3.1 - Exclusive Capital Channel
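Review bot: replacing the lettered sub-items of Sections 3.2.1 through 3.2.4 with unlettered "*" bullets, while Section 3.1 in the preceding hunk keeps its "a., b., c." lettering, makes the document's numbering inconsistent and leaves the new security requirements uncitable by clause (the "Minimum AES-256 encryption at rest and TLS 1.3 encryption in transit", "timeout after 15 minutes of inactivity" and "User activity logs retained for a minimum of seven years" items can no longer be referenced as 3.2.2(1)(d), 3.2.2(3)(d) or 3.2.2(2)(f) from SLAs or audit findings); suggest keeping lettered sub-items, including for the newly added ones. Separately, under "Audit Trail Requirements" the item "Immutable version control with blockchain verification" prescribes a mechanism rather than a verifiable property, and the adjacent "Tamper-evident logging mechanisms" and "Separation of audit trail storage from primary document storage" already state the property being sought; consider rewording it as an append-only, integrity-protected audit log requirement and leaving the implementation choice to the administrator named in 3.2.3(3)(a).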