Information Security Policy

Information Security Commitment Statement

• Information is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. Prudent information security policies and procedures must be implemented to ensure that the integrity, confidentiality and availability of Curis Network information are not compromised.

Security Responsibility, Review and Evaluation

• Information Security Committee (“ISC”) is responsible for establishing and managing the security of all systems. ISC will as needed but at a minimum on an annual basis review the most current best practices regarding the use of technology and will amend and/or issue new policies, procedures, and/or controls to reflect the most appropriate solution for security of Curis Network information.

User Responsibility

• Curis Network technology resources are provided to authorized users to facilitate the efficient and effective performance of their duties in a secure electronic environment. The use of such resources imposes certain responsibilities and obligations on users and is subject to all applicable Curis policies. It is the responsibility of every user to ensure that such resources are not misused and to adhere to all Curis security policies and procedures.

Risk assessments will be performed annually to address changes in the security requirements and in the risk situation, e.g. in the assets, threats, vulnerabilities, impacts, the risk evaluation, and when significant changes occur.

Risk assessments will be undertaken in a methodical manner capable of producing comparable and reproducible results using the Information Risk Assessment Tool (05_5.2_006_06)

Risk assessments will have a clearly defined scope in order to be effective.

The outcome of a risk assessment will be a report defining and prioritizing risks, based on vulnerabilities and impact to Curis information

Information Security Infrastructure

Management Commitment to Information Security

• Curis management is fully committed to actively supporting security within the organization through clear direction, demonstrated commitment, explicit assignment, acknowledgment of information security responsibilities, and the support of a Technology Governance Committee developed to provide Governance for all Information Technology policies and procedures.

• The Technology Governance Committee will be comprised of appointed Curis Network leaders and will meet, at a minimum, on a quarterly basis. The committee will:
• review and approve information security policy;
• provide clear direction and visible management support for security initiatives;
• approve the resources needed for information security;
• approve assignment of specific roles and responsibilities for information security across the Curis Network;
• approve plans and programs to maintain information security awareness; and
• ensure that the implementation of information security controls is coordinated across the Curis Network.

Information Security Co-ordination / Allocation of Information Security Responsibilities

• The Technology Resources Administrator will be the focal point for all technology security related matters.
• When required, departments will designate a security liaison to serve as the primary point of contact to the Technology Resources Administrator.
• Departments will implement additional procedures as necessary to meet Curis Network security requirements.

Independent Review of Information Security

• The Curis Network’s approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) will be reviewed on an annual basis.
• Such a review will be carried out both internally and by individuals independent of the area under review such as a third party organization specializing in such reviews. Individuals carrying out these reviews must have the appropriate skills and experience and be approved by the Technology Governance Committee.
• The results of the independent review will be recorded and reported to the Technology Governance Committee. If the independent review identifies that the organization’s approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in this document, corrective actions will be defined and implemented.

Security of third party assets

All prospective third-party agents will be provided with a copy of the Curis Network’s Information Security Policies, must verify in writing acceptance of said polices, and will be required at all times to comply with said policies.

When third-party agents have access to Curis Network-owned technology resources, they must observe the same standards as Curis Network employees and agree to abide by and sign both the Vendor Security Management Policy and the Curis Network’s Acceptable Use Policy.

When third-party agents are working in a Curis Network environment without being directly supervised, Curis Network employees must be vigilant about logging off sessions, logging out or securing PC access, and keeping paper information properly discreet.

Stringent controls must be applied to user accounts using remote login access. Where the third-party access will involve a network-to-network connection, the use of a firewall, access logging and systems monitoring is mandated.

Network connection ports will be constantly monitored for unknown devices and unauthorized connections.

Technology Resources will, on an annual basis, review all required third-party agreements and audit external systems.

Human Resources Strategy

Prior to Employment

Screening / Terms of Employment

• Background checks will be conducted on all Curis Network employees, contractors, and vendors when access to sensitive information dictates.

During Employment

Management Responsibilities

• All managers must attend annual security policy and review training.
• Management will require employees and third party users to apply security in accordance with the Curis Network’s Information Security Policies and Procedures.
• Management responsibilities will include ensuring that employees and third party users: · Are properly briefed on their information security responsibilities prior to being granted access to sensitive information or systems;
• Are required to fulfill the security policies of the Curis Network;
• Achieve a level of awareness on security relevant to their roles and responsibilities within the Curis Network;
• Provide necessary proof of security compliance and sign appropriate verifications;
• Comply with the terms and conditions of employment, which includes the Curis Network’s information security policy and acceptable use policy

Information Security Education and Training

• All employees will be required to complete annual training on information security awareness and concepts.
• All employees will practice security awareness and remain vigilant against fraudulent activities.
• All employees will immediately report incidents involving any Curis Network accounts to their direct supervisor or the Information Security Committee.
• All employees are required to report any incidents, concerns, or suspicious activities to their direct supervisor, Human Resources, or the Information Security Committee. Technology Resources Policies and Procedures
• Users will note and report observed or suspected security weaknesses to systems and services directly to the Information Security Committee. Users will not try to emulate the security breach or attempt to prove the threat as a test. Vendors and contractors who provide services to the Curis Network must agree to follow the applicable information security procedures of the department for which they work.

Disciplinary Process

• A formal disciplinary process, as defined in the Curis Network’s HR Manual, will be followed to deter and discipline employees or third party agents who violate the Curis Network Information Security Policies and Standards.

Termination or Change of Employment

• The overall termination process and will coordinate with the manager of the person terminating and Technology Resources to manage the security aspects of the relevant procedures.
• Return of Assets - All employees, contractors, and third party users must return all of the Curis Network’s assets in their possession upon termination of their employment, contract, or agreement. In cases where an employee or third-party user has knowledge that is important to ongoing operations, that information will be documented and transferred to the Curis Network.
• Removal of Access Rights. The access rights of all employees and third party users to information and information processing facilities must be removed upon termination of their employment, contract, or agreement, or adjusted as necessary upon any change in employment.

Access Control

Access Passwords are issued by the Senior Management. Authorization levels are assigned based on required tasks.