information & cyber-security
Inventory of Technology Infrastructure
On an annual basis, the CCO of Core Planning, LLC will make an inventory of the following:
Physical devices and systems (computers, servers, etc.);
Software platforms and applications (email applications, file management, etc.);
Systems that house client data; and
Third-party contractors that have access to systems, platforms, etc.
Core Planning utilizes cloud-based technology systems, which it believes provide increased information security capabilities including:
Ability to leverage the established infrastructure of trusted technology industry leaders; and
Improved system alert capabilities including better user activity logging and alerts related to unusual user activity.
Core Planning also recognizes that cloud-based technology systems create a greater reliance on passwords and user login security. As such, we have designed and will continue to develop information security policies with this increased risk as a focus.
Detection of Unauthorized Activity
The CCO is responsible for monitoring on-site and cloud-based systems for suspicious activity.
Such activity may include:
Logins to company systems after traditional business hours for the local region;
Logins to company systems from non-local regions; and/or
Large transfers of files or data.
When suspicious activity is discovered, the CCO will restrict access to the systems and begin to assess what information may have been accessed and what actions need to be taken to remediate the event.
If the unauthorized activity is deemed by the CCO to have led to the unauthorized release or use of sensitive client information, the CCO will contact the proper law enforcement and/or regulatory agencies as required by state and federal law.
Regardless of the severity, the CCO will keep a log of suspected unauthorized activity and note the action taken. This log will include the following information about each incident:
Date and time of the incident;
How the incident was detected;
The nature and severity of the incident;
The response taken to address the incident; and
Any changes made to the Information Security Policy as a result of the incident.
In addition, all staff should immediately alert the CCO of any suspicious behavior or concern.
Prevention of Unauthorized Funds Transfers
Core Planning has implemented the following firm-wide information security policies to help prevent unauthorized funds transfers:
Clients must confirm wire requests verbally. Wire requests may not be authorized solely via email; and
Wire requests should be reviewed for suspicious behavior (e.g. time of request, atypical amount of request, etc.).
Core Planning is particularly aware of the risk caused by fraudulent emails, purportedly from clients, seeking to direct transfers of customer funds or securities and will train staff members to properly identify such fraudulent emails.
User Login Security
Core Planning has implemented the following firm-wide user login security policies to help prevent unauthorized access to sensitive client data:
Computers used to access client data will have antivirus software installed. In addition, the antivirus software must have an active subscription and updates must be scheduled to automatically install;
Staff will use devices with up-to-date operating system software, with all security patches and other software updates set to install automatically;
Staff members are prohibited from accessing firm systems from unsecured or public internet connections;
All staff passwords are required to meet or exceed the following guidelines:
Contain both upper and lower case letters;
Contain at least one number;
Contain at least one special character;
Be at least 10 characters in length; and
Not contain personal information such as pet names, birth dates, or phone numbers.
All staff are required to have unique passwords to access each technology system (e.g. desktop computer, CRM system, etc.);
All staff are required to update passwords on a quarterly basis;
When available, staff are required to utilize two-factor authentication.
User Access Privileges
Core Planning has implemented the following firm-wide user access privilege policies to help prevent unauthorized access to sensitive client data:
Staff members will only have access to systems deemed necessary by the CCO;
Staff members, besides the CCO or other designated personnel, will not have access to administrative privileges on systems unless deemed necessary by the CCO; and
Upon a staff member’s departure or termination, the CCO will immediately remove the former staff member’s access to all firm systems.
Staff members may request additional access to systems by contacting the CCO.
Email Use Security and Guidelines
Core Planning has implemented the following firm-wide email use security policies and guidelines to help prevent unauthorized access to sensitive client data:
All staff should only provide sensitive information electronically to clients via a secure email or client portal;
All staff should never open or download any email attachments from unknown senders;
All staff should never open or download any email attachments from known senders that look suspicious or out of the ordinary;
All staff should never directly click on or open any links sent in emails; and
All staff should be acutely aware of any attempted “phishing” emails seeking to obtain the staff member’s user login credentials. Some warning signs to look for include:
Bad spelling or poor grammar in the email subject or body text;
A company or website that the staff member is not familiar with; and
A suspicious sender email domain.
When a staff member receives a suspicious email, the CCO should be immediately alerted. The CCO will then determine next steps and communicate to other staff members if deemed appropriate.
Third Party Vendor Security and Diligence
Core Planning has implemented the following firm-wide third-party vendor security and diligence policies and guidelines to help prevent unauthorized access to sensitive client data:
All third-party vendors that have physical access to the office and/or the firm’s systems are required to enter into a non-disclosure agreement (NDA) to protect sensitive client information before establishing a business relationship; and
Proper due diligence will be performed on all relevant technology vendors prior to establishing a business relationship and then again on at least an annual basis and will include:
Review of the vendor’s information security policies;
Review of the vendor’s disaster recovery policies; and
Review of the vendor’s general capabilities to ensure it meets firm needs.
All of this information will be stored and maintained in Core Planning’s vendor diligence file.
Significant Technology System Disruption Plan
In the event of a significant business disruption that interrupts access to the firm’s technology systems, Core Planning will implement its business continuity plan (BCP) as detailed in the Firm Manual.
Testing
On an annual basis, Core Planning will test its current information security policy and capabilities. The test conducted by the CCO will include the following activities:
Attempt to access a random sample of firm devices to ensure that proper passwords are in place to prevent access;
Attempt to access users’ accounts using the correct password alone to ensure that two-factor authentication still prevents system access;
Attempt to restore a sample of files and records from the systems listed above to ensure that the restoration process is sufficient and properly configured; and
Make a physical inspection of the office to ensure that all workstations have the proper security measures.
The results from the annual test will be documented and utilized as an opportunity to update the Information Security Policy.