Unless otherwise specified, this brief applies to Genworth Mortgage Insurance Corporation (Genworth), its subsidiaries, their employees (including users, associates, contractors, and temporary workers), its contractors, its datacenters, and all of its business premises. The term "IT" refers to Genworth Mortgage Insurance Information Technology and may be used interchangeably with Genworth Mortgage Insurance Information Systems.
Employee accounts are disabled at termination of employment or assignment. Disabling is automated from the employee's status (full-time or contract) in the HR/contractor management system, so it does not depend on a manual request from the departing employee's manager. Employee accounts that remain inactive for an extended period are disabled or deleted.
Genworth utilizes Network Admission Control (NAC) technology for remote access. Only Genworth-owned and -managed machines are permitted to establish VPN access to the network. Remote access from non-Genworth devices is limited to the Virtual Desktop Infrastructure (VDI) environment. VDI gives the employee the appearance of an on-premises workstation, but the session is isolated from the physical connecting device so that no data can be transferred to that device.
Remote access accounts are disabled at termination of employment or assignment.
When an employee has a significant change in duties, such as a transfer to another department, the employee's access permissions will be reviewed and modified as necessary. If the employee's new department and responsibilities no longer require access to sensitive consumer data, this access will be revoked.
In general, employees will not have direct access to data files and databases containing sensitive consumer data. Access to sensitive consumer data will be delivered through an application, meaning presentation software and business logic that determine what the employee may see and do. Applications containing sensitive consumer data will be explicitly secured: access to the sensitive data is limited to users who are authorized for the application and who hold the specific roles that require it. Sensitive data elements will be masked on screen for employees without a specific "need to know" role. Applications will be responsible for all updates to sensitive consumer data and will perform appropriate edit (input validation) procedures to ensure the integrity of the data.
Authorized employees may be permitted to have direct access to data sources such as files and databases. System software logging and audits will be enabled where applicable to explicitly monitor direct access to data files and databases containing sensitive consumer data. Where applicable, systematic “redaction” will be applied to limit the visibility of sensitive data even when direct access to databases is provided.
Excluding email, as explained in the next section, sensitive consumer data transmitted by Genworth on public networks, such as the Internet, will be encrypted by IT systems. Thus, sensitive consumer data transmitted by Genworth on the Internet to and from its websites will be encrypted automatically. The following are examples of our encryption methods.
Additional methods may be used with the approval of the Genworth Mortgage Chief Information Security Officer.
When a third-party recipient does not support TLS for email delivery but does have suitable software available, an acceptable and recommended method of encrypting sensitive consumer data is to use an application with a "password protection" option that encrypts the file itself. The encrypted file can then be sent as an email attachment. The password must not be included in the email carrying the attachment (or in any other email) and must be exchanged over a separate channel, such as the telephone, so that compromise of the mailbox alone does not expose the data. Applications and data protection methods will be approved by the Genworth Mortgage Chief Information Security Officer.
Genworth utilizes its Data Loss Prevention (DLP) capabilities to prevent the sending of emails containing unprotected sensitive consumer data. Any email addressed to a domain for which TLS delivery is not enforced (a non-TLS domain) that contains unencrypted sensitive consumer data in the message body or in an unencrypted attachment is blocked and returned to the sender for correction.
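The following is an added illustration of the gateway decision the two paragraphs above describe; it is example code written for this page, not Genworth's DLP product or configuration. It assumes a hypothetical list of recipient domains for which TLS delivery is enforced (`TLS_ENFORCED_DOMAINS`), a flag on each attachment recording whether it was password-encrypted before it was attached, and constructed sample messages. Card-number candidates are checked with the Luhn formula so that arbitrary 16-digit strings (reference numbers, for instance) do not trigger a false block, and values in the returned reasons are masked so the block notice itself does not restate the sensitive data.

```python
"""Simplified email DLP rule: block unencrypted sensitive data to non-TLS domains.
Added example, not Genworth's code; all domains and data below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: the mail gateway knows which recipient domains enforce TLS delivery.
TLS_ENFORCED_DOMAINS = {"genworth.example", "partnerbank.example"}

# US SSN in 123-45-6789 form, excluding structurally invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; rejects look-alike digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so block notices do not repeat the data."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for each SSN and each Luhn-valid card number."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    hits += [("PAN", m.group()) for m in PAN_RE.finditer(text) if luhn_ok(m.group())]
    return hits


@dataclass
class Attachment:
    name: str
    content: str            # attachment text as the DLP engine would extract it
    encrypted: bool = False  # True if password-encrypted before attaching


@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Decision:
    action: str             # "deliver" or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate(msg: Message) -> Decision:
    """Apply the rule: sensitive data may leave unencrypted only over TLS-enforced domains."""
    non_tls = [r for r in msg.recipients
               if r.rsplit("@", 1)[-1].lower() not in TLS_ENFORCED_DOMAINS]
    if not non_tls:
        return Decision("deliver", ["all recipient domains enforce TLS"])
    reasons = [f"{kind} in body ({mask(v)})" for kind, v in find_sensitive(msg.body)]
    for att in msg.attachments:
        if att.encrypted:
            continue        # file-level encryption protects it; password goes out of band
        reasons += [f"{kind} in unencrypted attachment {att.name} ({mask(v)})"
                    for kind, v in find_sensitive(att.content)]
    if reasons:
        reasons.insert(0, "non-TLS recipient(s): " + ", ".join(non_tls))
        return Decision("block", reasons)
    return Decision("deliver", ["no unprotected sensitive data for non-TLS recipients"])


if __name__ == "__main__":
    # Constructed samples: one that a TLS partner may receive, one that must bounce.
    for m in (
        Message("analyst@genworth.example", ["ops@partnerbank.example"],
                "Borrower SSN 123-45-6789 for file review."),
        Message("analyst@genworth.example", ["agent@mail.example"],
                "See attached.", [Attachment("loan.csv", "card 4111 1111 1111 1111")]),
    ):
        d = evaluate(m)
        print(d.action, "-", "; ".join(d.reasons))
```

The encrypted-attachment branch is what makes the password-protected-file path in the preceding paragraph compatible with the block rule: the gateway cannot inspect the ciphertext, and it does not need to, provided the password never travels in the same channel.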
Private network connections between Genworth and "trusted" partners will be isolated and firewalled such that only required services are open and available on these connections. Genworth will manage the firewalls on its end of the connections to ensure integrity.
Access to servers and network devices (switches, routers, firewalls) will be limited to authorized employees. Configuration changes to servers and network devices will be made by authorized employees only after approval pursuant to the IT Change Control Procedure.
Genworth will run network intrusion prevention devices to identify and automatically block unauthorized or unwanted traffic on its internal network, providing a check on the effectiveness of its firewall controls. All servers will be monitored by host intrusion detection software to detect unauthorized access or unauthorized changes to the system. Network and server events are sent to a SIEM monitored 24/7 by the incident response team.
Genworth will have third-party vulnerability assessments of the network perimeter performed on at least a quarterly basis.
Genworth applications undergo an annual attestation process requiring business application owners to sign off on the security of their applications. Genworth internal audit staff regularly audits applications and databases to ensure validity of attestations.
Use of production sensitive consumer data is not permitted in non-production systems and databases. Regularly scheduled routines are run against non-production environments to obfuscate any data placed there unintentionally.
Data is replicated to a backup datacenter for disaster recovery purposes on a near real-time basis to ensure minimal data loss in the event of a disaster. The data replication is encrypted on the network, and the data is encrypted in storage at the backup datacenter. Disaster recovery plans for the datacenters have been developed to ensure a timely recovery in event of disaster. Recovery procedures for individual computer systems will be tested on a periodic basis. Recovery of the datacenters will be tested on an annual basis.
Genworth undergoes periodic risk evaluations of vendors receiving sensitive consumer data and performs security assessment of vendor technical environments to ensure compliance with Genworth customer requirements.
Genworth has a Governance, Risk, and Compliance (GRC) council that meets monthly to monitor changing risks within the business. The Chief Information Security Officer is a member of this council with the responsibility of raising IT security issues to the council for review.
Genworth has completed the FFIEC Cybersecurity Assessment Tool (CAT) to better understand its IT security risk relative to the financial services industry, industry peers and customers.
Genworth has adopted SOC 2 reporting under the AICPA SSAE 16 attestation standard as its methodology for attesting to its security controls. An annual SOC 2 report is available to customers upon request.