Security Policy
Updated as of February 2019
At WealthForge, we treat our clients’ data with care and take pride that our solutions are trusted by consumers, partners, users, and investors. By leveraging AWS servers and applying privacy- and security-by-design principles, we strive to ensure our applications meet or exceed industry standards. Additionally, our cybersecurity framework is a comprehensive strategy that we use to protect our technology and informational assets against unauthorized access, theft, and destruction. In compliance with the Framework, WealthForge lays out an overview of its security controls below.
Administration of Security Controls
WealthForge’s Cybersecurity working group administers the Firm’s cybersecurity framework. The Firm’s Chief Technology Officer and its Corporate Counsel jointly administer the cybersecurity program.
Infrastructure/Physical Security
WealthForge anticipates the need to scale while continuing to meet its security and availability requirements. As a result, WealthForge needed an infrastructure partner that can scale with and support its growth. Amazon AWS is that partner. Amazon runs one of the largest cloud platform services and has developed significant expertise in building, operating, and maintaining the worldwide infrastructure required to support its business.
WealthForge leverages and adds security controls on top of Amazon AWS as follows:
- WealthForge leverages the AWS infrastructure and native security.
- WealthForge fine-tunes the AWS infrastructure layer and implements additional controls there with security in mind.
- WealthForge implements further security controls on top of the AWS infrastructure.
The infrastructure security – operated collectively by WealthForge and Amazon AWS and further described below – starts with physical security, extends through the compute, network, and storage layers of the service, and is complemented by well-defined security and access policies.
Physical Security
WealthForge leverages AWS physical security for access to its physical servers and implements physical security controls in its offices as part of a comprehensive security strategy. This strategy aims to preserve the confidentiality, integrity, and availability of our services from physical threats.
Data Centers
WealthForge leverages AWS physical security for access to its physical servers. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers, and all physical access by employees is logged and audited routinely. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Amazon.
Data center access and information are only provided to employees and contractors who have a legitimate business need for such privileges. All visitors and contractors are required to present identification and are signed in and continuously escorted by staff.
WealthForge Offices
Overview
Physical access to the Company’s property and assets is essential to performing job functions, collaborating with third parties, and building and maintaining client relationships. These rules are in place to protect the employee and WealthForge. All employees are responsible for taking the appropriate steps, as outlined below, to ensure the safety and security of WealthForge facilities, physical assets, documents, and information.
Employees
The main office door is locked during non-business hours.
During non-business hours, access to the building is controlled through the use of electronic pass cards. Employees must have approval to receive a pass card.
Additional access to the office is controlled via electronic keypad entry using a personal identification number (PIN). Employees must submit a ticket for PIN activation. "Piggybacking," which is the practice of allowing another person through the entry after entering your PIN, is not allowed. Upon termination, employee PINs are deactivated.
While using WealthForge’s facilities, all employees must also follow the Company’s Acceptable Use Policy and Personally Identifiable Information (PII) Policy to ensure proper use, storage, and disposal of WealthForge physical assets, documents, and information.
Access Cards
Access cards and/or keys must not be shared with others.
Access cards and/or keys that are no longer required must be returned to the Technology Department. Lost or stolen access cards and/or keys must be reported to the Technology Department as soon as possible, so that their access may be removed.
Guests
Guests visiting the office are not allowed access to areas that may contain sensitive information. Guests are not eligible for pass cards or PIN activation for access-controlled entry into the office.
Contractors and extended guests may be granted access to the Company's offices for the duration of their visit. Upon completion of the visit, access to the offices is terminated.
Policy Compliance
The Technology Department will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner. Any exception to the policy must be approved by the Technology Department in advance. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Computer Security
Instance Level Security
WealthForge's Instance Level Security includes:
- FileVault is enabled on all laptops to encrypt data at rest.
- Multi-factor authentication is enforced for Gmail and access to AWS.
- All 2017-2019 laptops support biometric authentication.
- Intern laptops do not leave the office and are locked up overnight.
Internal Firewall
WealthForge operates dual Palo Alto firewalls with only the necessary ports open.
The redundant Palo Alto firewalls are located on premises at the WealthForge office. Redundancy and fail-over have been tested successfully every 6 months.
SFTP is disabled on the firewall.
Data Security (Data-at-Rest)
WealthForge has made multiple investments to ensure customer and investor data is secure and available. The company’s proprietary platform stores user data in AWS’s S3 storage service. WealthForge limits access to this data store to specific individuals, and all access attempts are logged. Access to S3, even from within AWS, must be encrypted, providing additional assurance that the data is also transferred securely.
When WealthForge is engaged for broker-dealer services, investor data is also stored in compliance with 17a-4 on Citrix’s ShareFile. Access information on ShareFile is limited by job description. Access to ShareFile may only be granted by the super-administrator. By design no data can be deleted from ShareFile, only archived and retrieved.
WealthForge also has additional access controls including limits on the use of portable devices and prevention of the use of removable media.
Employee access to all systems, including third-party software applications, is immediately terminated upon resignation or termination.
Network Security (Data-in-Transit Security)
The AWS network provides protection against traditional network security issues, including:
- Distributed denial of service (DDoS) attacks: AWS network infrastructure leverages proprietary DDoS mitigation techniques developed as a result of running the world’s largest online retailer. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
- Man in the middle (MITM) attacks: Amazon EC2 VMs automatically generate new SSH host certificates on first boot and log them into the instance’s console. WealthForge leverages secure APIs to access the host certificates before logging into an instance for the first time.
- IP spoofing: Amazon EC2 VMs running the WealthForge Platform cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure does not permit an instance to send traffic with a source IP or MAC address other than its own.
- Port scanning: Unauthorized port scans of EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When unauthorized port scanning is detected, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.
- Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. Even two virtual instances that are located on the same physical host cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2.
WealthForge complements AWS network security with specific security controls for its platform and network. These include the use of Palo Alto firewalls, VPN for offsite work, antivirus, encryption, password management, and patching.
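The MITM item above rests on one check: before the first SSH login, the host key the instance offers is compared against the fingerprints EC2 wrote to the instance console at first boot, which are fetched out-of-band (for example with `aws ec2 get-console-output`) rather than from the host itself. The following is an added example of that comparison, not WealthForge's own tooling; the key blob and the console text are constructed in the block so it runs offline, and the console layout assumed is the one cloud-init prints on Amazon Linux.

```python
import base64
import hashlib
import hmac

# Maps the key-type token at the start of an OpenSSH public key line to the
# label EC2 prints in parentheses on each console fingerprint line.
KEY_TYPE_LABELS = {
    "ssh-ed25519": "ED25519",
    "ssh-rsa": "RSA",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
}

BEGIN_MARKER = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END_MARKER = "-----END SSH HOST KEY FINGERPRINTS-----"


def fingerprint_of(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key line ("ssh-ed25519 AAAA... comment").

    Same value `ssh-keygen -lf` prints: base64(sha256(key blob)) with '=' padding stripped.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_console_fingerprints(console_text: str) -> dict:
    """Extract {key type label: fingerprint} from the fingerprint block in EC2 console output."""
    found = {}
    inside = False
    for raw in console_text.splitlines():
        line = raw.strip()
        if line.startswith("ec2:"):  # cloud-init prefixes each console line with "ec2:"
            line = line[4:].strip()
        if line == BEGIN_MARKER:
            inside = True
            continue
        if line == END_MARKER:
            break
        if not inside:
            continue
        # Fingerprint lines look like: "256 SHA256:<43 chars> no comment (ED25519)"
        fields = line.split()
        if len(fields) >= 3 and fields[1].startswith("SHA256:") and fields[-1].startswith("("):
            found[fields[-1].strip("()")] = fields[1]
    return found


def verify_host_key(console_text: str, offered_pubkey_line: str) -> bool:
    """True only if the key the host offered matches the fingerprint the console published."""
    published = parse_console_fingerprints(console_text)
    label = KEY_TYPE_LABELS.get(offered_pubkey_line.split()[0])
    if label is None or label not in published:
        return False  # nothing published for this key type: refuse trust-on-first-use
    return hmac.compare_digest(published[label], fingerprint_of(offered_pubkey_line))


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample key material (NOT a real host key): an ssh-ed25519 blob with a dummy 32-byte point,
# plus a tampered variant standing in for a key an interposed host might offer instead.
_GENUINE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_TAMPERED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
GENUINE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_GENUINE_BLOB).decode("ascii") + " root@ip-10-0-0-5"
TAMPERED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_TAMPERED_BLOB).decode("ascii") + " root@ip-10-0-0-5"

# Constructed console output in the layout cloud-init writes at first boot. In practice this text is
# fetched with `aws ec2 get-console-output --instance-id <id> --output text`, never from the host itself.
SAMPLE_CONSOLE_OUTPUT = "\n".join([
    "ec2: #############################################################",
    "ec2: " + BEGIN_MARKER,
    "ec2: 256 " + fingerprint_of(GENUINE_KEY_LINE) + " no comment (ED25519)",
    "ec2: " + END_MARKER,
    "ec2: #############################################################",
])

if __name__ == "__main__":
    print("genuine key accepted:", verify_host_key(SAMPLE_CONSOLE_OUTPUT, GENUINE_KEY_LINE))
    print("tampered key accepted:", verify_host_key(SAMPLE_CONSOLE_OUTPUT, TAMPERED_KEY_LINE))
```

The offered key line is what `ssh-keyscan -t ed25519 <host>` returns; if the check fails, the connection should not proceed and the instance should be treated as suspect.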
Availability and Performance Monitoring
WealthForge monitors the availability of its websites, servers, etc. WealthForge has additionally implemented a back-up internet service provider to minimize internet downtime in the home office.
AWS has multiple data centers for redundancy and reliability, as does Google, which is our email platform.
Personnel Security
Security begins with the people WealthForge employs. WealthForge implements security controls for employees and contractors before, during, and after tenure at WealthForge.
Before Hiring
Before hiring, all employees and independent contractors undergo background checks where permitted by law. The background check reviews both criminal and financial background indicators, including any actions that might trigger loss of the private placement exemption under the Rule 506(d) Bad Actor rule. Additionally, all employees are made aware of their responsibilities, including security policies, as well as the repercussions for failure to adhere to those responsibilities and policies.
After Hiring
Upon hiring, WealthForge requires all employees to go through an on-boarding process that includes:
- Reviewing and signing a Proprietary Information, Inventions and Non-Solicitation Agreement (“PIINA”) as a condition of employment.
- Completing cybersecurity, confidentiality, and HR training.
- For Registered Representatives working outside the home office, reviewing and signing the Offsite Registered Person Cybersecurity Policy.
- Access to key software applications is logged during the employee’s tenure at WealthForge.
During Employment
WealthForge conducts mandatory annual training for all employees on cybersecurity, confidentiality, and other HR training to clarify to its employees the extent of their obligations over data protection.
When Departing WealthForge
- All employees and contractors are reminded of their confidentiality obligations upon leaving.
- Departing employees’ and contractors’ user accounts, passwords, hardware, and access are revoked within a strict time frame: on the last day of employment or the end of the contract.
Least Privilege Access Policy
WealthForge requires that all access to its infrastructure, application, and data be controlled based on business and operational requirements. In all cases, administrative access is based on the concept of least privilege; users are limited to the minimum set of privileges required to perform their required job functions.
Software Development Security
The WealthForge Software Development Lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality.
WealthForge Technologies, LLC’s secure software development lifecycle (S-SDLC) policies and standards align with the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (OpenSAMM). OpenSAMM provides a framework to help organizations implement secure software development that can be customized to each organization’s industry-specific risk profiles.
Integrating security considerations into the software development lifecycle creates a security-focused development environment and a culture that values early risk identification and mitigation as standard operating procedure. WealthForge Technologies’ in-house development team follows the security-focused software development process outlined in this document to consistently provide a product designed to withstand ever-evolving cyber threat conditions. Outsourced development is limited to discrete processes and the code is reviewed in line with this policy before deployment.
Software Development Lifecycle
The WealthForge software development lifecycle uses an iterative approach to development by leveraging the Agile framework.
This iterative approach concentrates on producing frequent new versions of the software in incremental, short cycles. The process loops round with each of the stages being carried out many times in small iterations, or sprints. This results in small incremental releases with each release building on previous functionality. Each release is thoroughly tested to ensure software quality is maintained.
In Agile, development testing is performed in the same iteration as programming. Because testing is done in every iteration – which develops a small piece of the software – users can frequently use those new pieces of software and validate the value.
WealthForge incorporates security into various stages within the Software Development Lifecycle.
Strategy and Metrics
Strategy and Metrics activities include planning for secure software development and gathering data to validate the effectiveness of the plan. WealthForge Technologies has processes in place to address the following activities:
- Establish unified strategic roadmap for software security within the organization.
- Measure relative value of data and software assets and choose risk tolerance.
Policy and Compliance
Policy and compliance activities include establishing a compliance framework and associated auditing practices to ensure adherence to security standards. WealthForge Technologies has processes in place to address the following activities:
- Understand relevant governance and compliance drivers to the organization, which includes identifying and monitoring external compliance drivers and building and maintaining compliance guidelines.
- Establish security and compliance baseline and understand per-project risks, which includes building policies and standards for security and compliance and establishing project audit practice.
- Require compliance and measure projects against organization-wide policies and standards, which includes creating compliance gates for projects.
Construction
WealthForge has implemented three Construction security practices: Threat Assessment, Security Requirements, and Security Testing.
Threat Assessment
The construction phase threat assessment includes identifying possible risks to the organization and facilitating risk management. WealthForge Technologies currently has processes in place to address the following activity:
- Concretely tie compensating controls to each threat against internal and third-party software, which includes explicitly evaluating risk from third-party components.
Security Requirements
To support the security requirements practice, security must be explicitly considered and included at the project level during the requirements gathering process. WealthForge Technologies currently has processes in place to address the following activities:
- Consider security explicitly during the software requirements process, which includes deriving security requirements from business functionality and evaluating security and compliance guidance for requirements.
- Mandate security requirements process for all software projects and third-party dependencies, which includes building security requirements into supplier agreements and expanding audit program for security requirements.
Secure Architecture
Implementing secure architecture promotes a “secure-by-design” framework upon which the software is built. WealthForge Technologies currently has processes in place to address the following activities:
- Insert consideration of proactive security guidance into the software design process.
- Direct the software design process toward known-secure services and secure-by-default designs, which includes identifying and promoting security services and infrastructure and identifying security design patterns from architecture.
Code Review
Code review ensures and enforces code-level security standards to identify and mitigate potential vulnerabilities before code is deployed. WealthForge Technologies currently has processes in place to address the following activities:
- Opportunistically find basic code-level vulnerabilities and other high-risk security issues, which includes performing point-review of high-risk code.
Security Testing
During security testing, the software is tested in its runtime environment to identify any security concerns before deployment. WealthForge Technologies currently has processes in place to address the following activities:
- Establish process to perform basic security tests based on implementation and software requirements, which includes deriving test cases from known security requirements and conducting penetration testing on software releases.
- Make security testing during development more complete and efficient through automation, which includes utilizing automated security testing tools and integrating security testing into development process.
- Require application-specific security testing to ensure baseline security before deployment, which includes employing application-specific security testing automation and establishing release gates for security testing.
Deployment
Deployment entails the processes and activities related to how an organization manages the release of software that has been created. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operation of software in the runtime environment. WealthForge has implemented three Deployment Security Practices: Vulnerability Management, Environment Hardening, and Operational Enablement.
Vulnerability Management
Vulnerability management establishes processes for handling internal and external vulnerability reports to ensure a consistent response. WealthForge Technologies currently has processes in place to address the following activities:
- Understand high-level plan for responding to vulnerability reports or incidents, which includes identifying points of contact for security issues and creating an informal security response team(s).
- Elaborate expectations for response process to improve consistency and communications, which includes establishing consistent incident response process and adopting a security issue disclosure process.
- Improve analysis and data gathering within response process for feedback into proactive planning, which includes conducting root cause analysis for incidents and collecting per-incident metrics.
Environment Hardening
Environment Hardening includes improving the organization’s operational environment to ensure the security of applications deployed within it. WealthForge Technologies currently has processes in place to address the following activities:
- Understand baseline operational environment for applications and software components, which includes maintaining operational environment specification and identifying and installing critical security upgrades and patches.
- Improve confidence in application operations by hardening the operating environment, which includes establishing routine patch management process and monitoring baseline environment configuration status.
- Validate application health and status of operational environment against known best practices, which includes identifying and deploying relevant operations protection tools and expanding audit program for environment configuration.
Operational Enablement
Operational Enablement provides security standards for operational staff to configure, deploy, and run the organization’s software. WealthForge Technologies currently has processes in place to address the following activities:
- Enable communications between development teams and operators for critical security-relevant data, which includes capturing critical security information for deployment and documenting procedures for typical application alerts.
- Improve expectations for continuous secure operations through provision of detailed procedures.
Web Application Security Controls
WealthForge implements web application security controls in the entire software lifecycle, runtime operations, and monitoring.
Access to WealthForge
WealthForge implements IP blacklisting and other security controls to mitigate the risk of Distributed Denial of Service (DDoS) attacks at the global router level.
WealthForge Security Personnel
Members of the WealthForge Cybersecurity Team proactively monitor the development lifecycle and the infrastructure to keep security controls current. The security personnel’s work at each stage is described in the Software Development Security and Security and Penetration Tests sections.
Security and Penetration Tests
Penetration Tests
As part of its security strategy, WealthForge has penetration tests run on its platforms at least once a year.
Monitoring Practices
WealthForge monitors its environments at all times using various third-party services. Monitoring tools include Threat Stack for intrusion detection, Datadog for network performance and server up-time, and various AWS tools.
PII Security
Personally Identifiable Information (PII) Policy
Policy Statement
The Company takes seriously the protection and confidentiality of the Personally Identifiable Information (PII) of its employees, consultants, clients, prospective clients, issuers, partners, independent contractors, and vendors. This Personally Identifiable Information Policy is intended to be a comprehensive statement of the Company’s policies and procedures as they relate to PII, and is a vital component of the Company’s Comprehensive Cyber Security Framework.
This policy applies to all employees and consultants. Departments named in the policy have delegated authority for developing and implementing procedural guidance to ensure that their Departmental responsibilities under this policy are communicated and enforced.
Personally Identifiable Information (PII)
PII is defined as information that can be used to distinguish or trace an individual’s identity (such as their social security number, taxpayer identification number, employer identification number, biometric data, or other similar information) alone, or when combined with other personal information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, or other similar information.
PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.
Regulatory Measures
The Company complies with federal and state law, and Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) regulations governing PII. The Compliance and Legal Departments work jointly to maintain PII security provisions and to oversee regulatory reporting requirements. If any provision of this policy conflicts with a statutory or regulatory requirement governing PII, the policy provision(s) that conflict shall be superseded.
Preventative Measures
PII Retention: The Company retains PII only as long as necessary, in accordance with applicable federal and state law, industry regulations, and the Company's Document Retention Policy. The Compliance, Legal, Technology, and Finance Departments work jointly to maintain organizational record retention procedures, which dictate the length of data retention and data destruction methods for both hard copy and electronic records.
PII Training: New hires who may have access to PII are provided with a copy of this policy, and with introductory training regarding the provisions of this policy and the implementation of procedures for the Department to which they are assigned. All employees whether in positions with regular ongoing access to PII or transferring into such positions are provided with training reinforcing this policy and procedures for the maintenance and protection of PII data.
Other Security Measures: In order to protect the privacy of its PII, the Company ensures that its Network remains secure. The Company maintains a current Network diagram and utilizes strong rules and configuration standards, as well as capable and regularly-updated anti-virus and malware software. The Company ensures that security updates and patches are promptly installed via a comprehensive remote management system. The Company also implements a strong password policy for all of its employees.
Data Management and Handling
Data Access: The Company maintains multiple IT systems where PII data may reside. User access to such IT systems is the responsibility of the Technology Department. The Technology Department has created internal controls for such systems to establish legitimate access for users of data, and access is limited to those approved by the Company. The access for such users is restricted to allow access only to the extent required, and all access to network resources containing PII is tracked and monitored by the Company. Any change in vendor status or the termination of an employee or independent contractor with access results in immediate termination of the user’s access to all systems where the PII may reside.
The Company controls access to paper records containing PII by locking such records in files and data storerooms. The Company carefully maintains its inventory and enforces accountability by following a strict and secure destruction schedule.
Data Transmission and Transportation
On-site Access to PII: The Technology Department manages on-site access to data that may include PII. The Legal and Human Resources Departments have operational responsibility for the initial grant of access and the appropriate termination of access. These Departments are required to provide timely notice of intended grants and terminations to the Technology Department.
Off-Site Access to PII: The Company understands that employees may need to access PII while off-site or on business travel, and access is permitted provided that the data to be accessed is minimized to the degree possible to meet business needs. Such data shall reside only on assigned encrypted laptops and approved encrypted storage devices that have been secured in advance by the Technology Department. Remote access to the network requires the use of a VPN, installed and supported by the WealthForge Technology team.
Vendors and Third Parties: The Company may share data with vendors and third parties who have a business need for PII. Where such inter-company sharing of data is required, the Technology Department is responsible for creating and maintaining data encryption and protection standards to safeguard all PII that is transmitted to vendors and third parties. Vendors include all external providers of services to the Company and proposed vendors. No PII can be transmitted to any vendor via any method unless the vendor has been pre-certified by the Legal Department for the receipt of such information.
Portable Storage Devices: In the course of doing business, PII data may also be downloaded to company-provided, encrypted laptops or other encrypted computing storage devices to facilitate Company business. To protect such data, the Company will also require that any such devices use Technology Department-approved encryption and security protection software while such devices are in use on or off Company premises. The Company has disabled the ability to export data to a portable storage device from its computers. In the case that a portable storage device is needed, the Technology Department will create an encrypted device and allow the export. After the export is completed, the ability to export will be disabled again. The Technology Department has responsibility for maintaining data encryption and data protection standards to safeguard PII data that resides on these portable storage devices.
Data Breach and Notification: Databases or data sets that include PII may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, the Company will contain the breach, conduct a forensic investigation of the breach, report the breach to appropriate state and federal agencies, and notify all affected individuals whose PII data may have been compromised. The Company will then implement controls to prevent a similar attack from occurring in the future.
Confidentiality: All Company employees must maintain the confidentiality of PII as well as Company proprietary data to which they may have access, and understand that such PII is to be restricted to only those authorized by this policy. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this Company requirement as part of the regular training all employees receive related to confidentiality.
Violations: The Company views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under the Company’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in the Company’s PII on-boarding and training to reinforce the Company’s continuing commitment to ensuring that PII data is protected by the highest standards.
Confidentiality Policy
The Company requires its employees to abide by the following Confidentiality Policy, as set forth in the employee handbook:
At the Company, employees use confidential and proprietary vendor, client, and company information, systems, processes, and resources to complete their jobs. Employees are expected to use, protect, and dispose of such confidential and proprietary information and resources in accordance with WealthForge’s policies and obligations. They are not to discuss the Company’s or its clients’ affairs with, or in the presence of, persons who have no “need to know.” This includes discussions in elevators, taxicabs, restaurants, and other public places.
Each employee is required, as a condition of his or her employment, to sign an offer of employment and a Proprietary Information, Inventions and Non-Solicitation Agreement (“PIINA”) that more specifically discusses employees’ obligation to maintain confidentiality. If an employee has questions or concerns about his or her obligation to maintain confidentiality, or believes that he or she has even inadvertently disclosed the Company’s or its vendors’ or clients’ confidential information, the employee should immediately raise the concern with his or her manager or supervisor or Corporate Counsel.
Information Security
Employees of the Company are expected to adhere to the Company’s Cybersecurity Framework. They must not disable, bypass, circumvent, or otherwise attempt to negate information security measures. If they discover such attempt or actual information security violation, they must immediately notify their manager, immediate supervisor, or HR Representative.
In order to ensure the protection of confidential or proprietary information to which employees have access, they must abide by the following Company requirements:
- Do not share unique User IDs or passwords with anyone. Ensure that their passwords meet the highest standards for protection, in accordance with the Company’s Password Policy.
- Clear their device/computer screen when their need to view it is over.
- Properly log off the network and lock their computer/device with a password when leaving the area.
- When left unattended, secure any confidential or proprietary information. This includes all confidential or proprietary information in both soft and hard copy form. Remove any such information from their desk and lock it in a drawer when their desk is unoccupied and at the end of the work day.
- When hard copies of documents containing confidential or proprietary information are no longer needed, either (1) shred the documents in the official shredder bins; or (2) retain such information in secure, archived files according to their Department’s procedure.
- Close and lock file cabinets containing sensitive information when not in use or when unattended.
- Keys used for access to sensitive information must not be left at an unattended desk.
- Do not leave passwords on sticky notes posted on or under a computer.
- Whiteboards containing sensitive information must be erased immediately after use.
- Portable computing devices, such as laptops and tablets, must be locked away at the end of the work day or when unattended.
- Treat mass storage devices such as CD-ROM, DVD or USB drives as sensitive and secure them in a locked drawer. These devices are used sparingly and only as necessary to complete a specific project and encrypted and protected when possible.
- Immediately remove all papers from the printer as soon as the job has completed. This helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up. If an employee finds papers with content on the printer or fax machine, he or she should place them in the folder provided. At the end of each business day, the contents of the folder will be shredded.
- If an employee is found in violation of this Confidentiality Policy or WealthForge’s Cybersecurity Framework, he or she may be subject to disciplinary action, up to and including termination of employment and/or legal action, depending on the severity of the violation.