Effective Date: 1 July 2022
The objectives of this comprehensive written information security program (“WISP”)
include defining, documenting, and supporting the implementation and maintenance of the administrative,
technical, and physical safeguards Ethos Collective (the “Company”) has selected to
protect the personal information it collects, creates, uses, and maintains. This WISP has been developed
in accordance with the requirements of laws applicable to the Company at the international, national,
state, and local level, including, without limitation, the Colorado Revised Statutes sections 6-1-713,
713.5, and 716.
If this WISP conflicts with any legal obligation or other Company policy or procedure, the provisions
of this WISP shall govern, unless the Company’s chief executive officer or lead information security
professional specifically reviews, approves, and documents an exception.
- Purpose. The purpose of this WISP is to:
  - Ensure the security, confidentiality, integrity, and availability of personal and other sensitive
    information the Company collects, creates, uses, and maintains.
  - Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or
    availability of such information.
  - Protect against unauthorized access to or use of Company-maintained personal information and
    other sensitive information that could result in substantial harm or inconvenience to any customer or
    employee.
  - Define an information security program that is appropriate to the Company’s size, scope, and
    business; its available resources; and the amount of confidential, personal, or other sensitive
    information that the Company owns or maintains on behalf of others, while recognizing the need to
    protect both customer and employee information.
- Scope. This WISP applies to all employees, contractors, officers, and directors of
  the Company. It applies to any records that contain personal information or other sensitive information
  in any format and on any media, whether in electronic or paper form.
  - For purposes of this WISP, “personal information” means either an individual’s first and last name
    or first initial and last name in combination with any one or more of the following data elements,
    or any of the following data elements standing alone or in combination, if such data elements could
    be used to commit identity theft against the individual:
    - Social Security number;
    - Driver’s license number, other government-issued identification number, including passport
      number, or tribal identification number;
    - Account number, or credit or debit card number, with or without any required security code,
      access code, personal identification number, or password that would permit access to the
      individual’s financial account, or any personally identifiable financial information or consumer
      list, description, or other grouping derived from personally identifiable financial information,
      where personally identifiable financial information includes any information:
      - a consumer provides the Company to obtain a financial product or service;
      - about a consumer resulting from any transaction involving a financial product or service
        with the Company; or
      - the Company otherwise obtains about a consumer in connection with providing a
        financial product or service.
    - Health information, including information regarding the individual’s medical history or mental
      or physical condition, or medical treatment or diagnosis by a health care professional, created
      or received by the Company;
    - Health insurance identification number, subscriber identification number, or other unique
      identifier used by a health insurer;
    - Biometric data collected from the individual and used to authenticate the individual during a
      transaction, such as an image of a fingerprint, retina, or iris; or
    - Email address with any required security code, access code, or password that would permit
      access to an individual’s personal, medical, insurance, or financial account.
  - Personal information does not include lawfully obtained information that is available to the
    general public, including publicly available information from federal, state, or local government
    records.
  - For purposes of this WISP, “sensitive information” means data that:
    - The Company considers to be highly confidential information; or
    - If accessed by or disclosed to unauthorized parties, could cause significant or material harm
      to the Company, its customers, or its business partners.
  - Sensitive information includes, but is not limited to, personal information.
- Lead Information Security Professional (“LISP”). The Company has designated its Web
  Development Team to implement, coordinate, and maintain this WISP. The LISP is responsible for:
  - Initial implementation of this WISP, including:
    - Assessing internal and external risks to personal information and other sensitive information
      and maintaining related documentation, including risk assessment reports and remediation plans;
    - Coordinating the development, distribution, and maintenance of information security policies
      and procedures;
    - Coordinating the design of reasonable and appropriate administrative, technical, and physical
      safeguards to protect personal information and other sensitive information;
    - Ensuring that the safeguards are implemented and maintained to protect personal information
      and other sensitive information throughout the Company;
    - Overseeing service providers that access or maintain personal information and other sensitive
      information on behalf of the Company;
    - Monitoring and testing the Company’s information security program on an ongoing basis;
    - Defining and managing the Company’s incident response plan; and
    - Establishing and managing enforcement policies and procedures for this WISP, in collaboration
      with the Company’s human resources and management.
  - Engaging qualified information security personnel, including:
    - Providing them with security updates and training sufficient to address relevant risks; and
    - Verifying that they take steps to maintain current information security knowledge.
  - Employee, contractor, and (as applicable) stakeholder training, including:
    - Providing periodic training regarding this WISP, the Company’s safeguards, and relevant
      information security policies and procedures for all employees, contractors, and (as applicable)
      stakeholders who have or may have access to personal information or other sensitive information,
      updated as necessary or indicated by the Company’s risk assessment activities;
    - Ensuring that training attendees formally acknowledge their receipt and understanding of the
      training and related documentation, through written (which may be electronic or part of an
      interactive training or application) acknowledgement forms; and
    - Retaining training and acknowledgment records.
  - Reviewing this WISP and the security measures defined here at least annually, when indicated by
    the Company’s risk assessment or program monitoring and testing activities, or whenever there is a
    material change in the Company’s business practices that may reasonably implicate the security,
    confidentiality, integrity, or availability of records containing personal information or other
    sensitive information.
  - Defining and managing an exceptions process to review, approve or deny, document, monitor, and
    periodically reassess any necessary and appropriate, business-driven requests for deviations from
    this WISP.
  - Periodically reporting to the Company’s management in writing regarding the status of the
    information security program and the Company’s safeguards to protect confidential, personal, or
    sensitive information.
- Risk Assessment. As a part of developing and implementing this WISP, the Company will
  conduct and base its information security program on a periodic, documented risk assessment.
  - The risk assessment shall:
    - Identify reasonably foreseeable internal and external risks to the security, confidentiality,
      integrity, or availability of any electronic, paper, or other records containing personal
      information or other sensitive information and include criteria for evaluating and categorizing
      those identified risks;
    - Define assessment criteria and assess the likelihood and potential damage that could result
      from such risks, including the unauthorized disclosure, misuse, alteration, destruction, or
      other compromise of the personal information or other sensitive information, taking into
      consideration the sensitivity of the personal information and other sensitive information; and
    - Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to
      control such risks, in areas that include, but may not be limited to:
      - Employee, contractor, and (as applicable) stakeholder training and management;
      - Employee, contractor, and (as applicable) stakeholder compliance with this WISP and
        related policies and procedures;
      - Information systems, including network, computer, and software acquisition, design,
        implementation, operations, and maintenance, as well as data processing, storage,
        transmission, retention, and disposal; and
      - The Company’s ability to prevent, detect, and respond to attacks, intrusions, and other
        security incidents or system failures.
  - Following each risk assessment, the Company will:
    - Design, implement, and maintain reasonable and appropriate safeguards to minimize identified
      risks;
    - Reasonably and appropriately address any identified gaps, including documenting the Company’s
      plan to remediate, mitigate, accept, or transfer identified risks, as appropriate; and
    - Regularly monitor the effectiveness of the Company’s safeguards, as specified in this WISP.
- Information Security Policies and Procedures. As part of this WISP, the Company will
  develop, maintain, and distribute information security policies and procedures in accordance with
  applicable laws and standards to relevant employees, contractors, and (as applicable) other stakeholders
  to:
  - Establish policies regarding:
    - Information classification;
    - Information handling practices for personal information and other sensitive information,
      including the storage, access, disposal, and external transfer or transportation of personal
      information and other sensitive information;
    - User access management, including identification and authentication (using passwords or other
      appropriate means);
    - Encryption;
    - Computer and network security;
    - Physical security;
    - Incident reporting and response;
    - Employee and contractor use of technology, including acceptable use and bring your own device
      to work (BYOD); and
    - Information systems acquisition, development, operations, and maintenance.
  - Detail the implementation and maintenance of the Company’s administrative, technical, and physical
    safeguards.
- Safeguards. The Company will develop, implement, and maintain reasonable
  administrative, technical, and physical safeguards in accordance with applicable laws and standards to
  protect the security, confidentiality, integrity, and availability of personal information or other
  sensitive information that the Company owns or maintains on behalf of others.
  - Safeguards shall be appropriate to the Company’s size, scope, and business, its available
    resources, and the amount of personal information and other sensitive information that the Company
    owns or maintains on behalf of others, while recognizing the need to protect both customer and
    employee information.
  - The Company shall document its administrative, technical, and physical safeguards in the Company’s
    information security policies and procedures.
  - The Company’s administrative safeguards shall include, at a minimum:
    - Implementing and periodically reviewing technical and, as appropriate, physical access
      controls to:
      - Authenticate and permit access to personal information and other sensitive information only to
        authorized users; and
      - Limit authorized users’ access only to personal information and other sensitive information
        that they need to perform their duties and functions, or in the case of customers, to access
        their own personal information;
    - Identifying and managing the data, personnel, devices, systems, and facilities that enable the
      Company to achieve its business purposes according to business priorities, objectives, and the
      Company’s risk management strategy;
    - Encrypting personal information and other sensitive information that the Company holds when it
      is at rest or in transit over external networks, unless the Company determines that applying
      encryption is currently infeasible for its circumstances and the information security
      coordinator reviews and approves effective compensating controls under the Company’s exceptions
      process;
    - Adopting secure development practices for in-house developed applications and procedures
      for evaluating, assessing, or testing the security of externally developed applications that in
      either case the Company uses to transmit, access, or store personal information or other
      sensitive information;
    - Implementing multifactor authentication for individuals accessing personal information or
      other sensitive information or systems that handle personal information or other sensitive
      information unless the information security coordinator reviews and approves the use of
      reasonably equivalent or more secure controls under the Company’s exceptions process;
    - Developing, implementing, and maintaining procedures for securely disposing of personal
      information and other sensitive information in any format, including:
      - Disposing of customers’ personal information no later than two years after the last date
        the Company uses it for provisioning a product or service to the relevant customer unless it
        is necessary for business operations or other legitimate business purposes, retention is
        otherwise required by law, or targeted disposal is not reasonably feasible due to the way
        the Company maintains it; and
      - Periodically reviewing data retention policies to minimize the unnecessary retention of
        personal information and other sensitive information.
    - Adopting change management procedures;
    - Implementing policies, procedures, and controls to monitor and log authorized users’
      activities and detect unauthorized access to, use of, or tampering with personal information
      or other sensitive information by those users;
    - Identifying reasonably foreseeable internal and external risks, and assessing whether existing
      safeguards adequately control the identified risks;
    - Training employees in security program practices and procedures, with management oversight;
    - Selecting service providers that are capable of maintaining appropriate safeguards, and
      requiring service providers to maintain safeguards by contract; and
    - Adjusting the information security program in light of business changes or new
      circumstances.
  - The Company’s technical safeguards shall include maintenance of a security system covering its
    network (including wireless capabilities) and computers that, at a minimum, and to the extent
    technically feasible, supports:
    - Secure user authentication protocols, including:
      - Controlling user identification and authentication with a reasonably secure method of
        assigning and selecting passwords (ensuring that passwords are kept in a location or format
        that does not compromise security) or by using other technologies, such as biometrics or
        token devices;
      - Restricting access to active users and active user accounts only and preventing terminated
        employees or contractors from accessing systems or records; and
      - Blocking a particular user identifier’s access after multiple unsuccessful attempts to
        gain access or placing limitations on access for the particular system.
    - Secure access control measures, including:
      - Restricting access to records and files containing personal information or other sensitive
        information to those with a need to know to perform their duties; and
      - Assigning to each individual with computer or network access unique identifiers and
        passwords (or other authentication means, but not vendor-supplied default passwords) that
        are reasonably designed to maintain security.
    - Encryption of all personal information or other sensitive information traveling wirelessly or
      across public networks;
    - Encryption of all personal information or other sensitive information stored on laptops or
      other portable or mobile devices, and to the extent technically feasible and reasonable under
      the business circumstances, personal information or other sensitive information stored on any
      other device or media (data-at-rest);
    - Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of
      or access to personal information or other sensitive information or other attacks or system
      failures;
    - Reasonably current firewall protection and software patches for systems that contain (or may
      provide access to systems that contain) personal information or other sensitive information; and
    - Reasonably current system security software (or a version that can still be supported with
      reasonably current patches and malicious software (malware) definitions) that (1) includes
      malware protection with reasonably current patches and malware definitions, and (2) is
      configured to receive updates on a regular basis.
  - The Company’s physical safeguards shall, at a minimum, provide for:
    - Defining and implementing reasonable physical security measures to protect areas where
      personal information or other sensitive information may be accessed, including reasonably
      restricting physical access and storing records containing personal information or other
      sensitive information in locked facilities, areas, or containers;
    - Preventing, detecting, and responding to intrusions or unauthorized access to personal
      information or other sensitive information, including during or after data collection,
      transportation, or disposal; and
    - Secure disposal or destruction of personal information or other sensitive information, whether
      in paper or electronic form, when it is no longer to be retained in accordance with applicable
      laws or accepted standards.
- Service Provider Oversight. The Company will oversee each of its service providers
  that may have access to or otherwise create, collect, use, or maintain personal information or other
  sensitive information on its behalf by:
  - Evaluating the service provider’s ability to implement and maintain appropriate security measures,
    consistent with this WISP and all applicable laws and the Company’s obligations.
  - Requiring the service provider by contract to implement and maintain reasonable security measures,
    consistent with this WISP and all applicable laws and the Company’s obligations.
  - Monitoring and periodically auditing the service provider’s performance to verify compliance with
    this WISP and all applicable laws and the Company’s obligations.
- Monitoring. The Company will regularly test and monitor the implementation and
  effectiveness of its information security program to ensure that it is operating in a manner reasonably
  calculated to prevent unauthorized access to or use of personal information or other sensitive
  information. The Company shall reasonably and appropriately address any identified gaps. The Company’s
  testing and monitoring program shall address the effectiveness of the Company’s safeguards, specifically
  their key controls, systems, and procedures, including those the Company uses to detect attempted and
  actual attacks on or intrusions into its networks and systems that handle personal information or other
  sensitive information. Specifically, the Company will implement and maintain as appropriate for its
  networks and systems that handle personal information or other sensitive information either:
  - Continuous monitoring or other systems to detect on an ongoing basis changes that may create
    vulnerabilities; or
  - A combination of the following according to the Company’s risk assessment:
    - Annual penetration testing; and
    - Periodic vulnerability assessments, including scans or reviews reasonably designed to identify
      publicly known security vulnerabilities, conducted at least every six months and whenever there
      are material changes to the Company’s operations or business arrangements or circumstances occur
      that may have a material impact on the Company’s information security program.
- Incident Response. The Company will maintain written policies and procedures
  regarding information security incident response. Such procedures shall include:
  - Documenting the response to any security incident or event that involves a breach of security.
  - Performing a post-incident review of events and actions taken.
  - Reasonably and appropriately addressing any identified gaps.
  - Defining:
    - The incident response plan’s goals;
    - The Company’s incident response processes;
    - Roles, responsibilities, and levels of decision-making authority; and
    - Processes for internal and external communications and information sharing.
  - Identifying remediation requirements to address any identified weaknesses in the Company’s systems
    and controls.
  - Documenting and appropriately reporting information security incidents and the Company’s response
    activities.
  - Performing post-incident reviews and updating the plan as appropriate.
- Enforcement. Violation of this WISP or other related or referenced policies and
  procedures can result in disciplinary action, up to and including termination of employment.
- Program Review. The Company will review this WISP and the security measures it
  defines and references at least annually, when indicated by the Company’s risk assessment or program
  monitoring and testing activities, or whenever there is a material change in the Company’s business
  practices that may reasonably implicate the security, confidentiality, integrity, or availability of
  records containing personal information or other sensitive information. The Company shall retain
  documentation regarding any such program review, including any identified gaps and action plans.
- Effective Date. The effective date of this WISP is stated at the top of this document.