DFIN Security Overview Identify, Protect, Detect, Respond, Recover - The NIST Cybersecurity Framework is the backbone of DFIN security. DFIN understands the importance of maintaining a comprehensive and robust Information Security Program and maintains committed excellence towards our world class Information Security Program, data protection and the overall cybersecurity effectiveness. Talk to an expert Our systems, processes and experts leverage numerous tools to secure our clients data SOC2 Type II audits Secure Software Development support via static and dynamic application testing (SAST/DAST), code reviews, and software release analysis Industry leading perimeter controls and next-gen firewalls Comprehensive, ongoing vulnerability scans are conducted across all applications to quickly identify and mitigate cyber vulnerabilities Commitment to GDPR and other data protection regulations Extensive employee security awareness and training AES 256-bit encryption is used to protect data at rest AES 256-bit encryption is used to protect data in transit 24/7/365 security monitoring and alerting Advanced email and threat prevention technologies Use of next-gen antivirus, anti-malware, and advanced endpoint protection technologies Annual third-party penetration testing with each finding’s remediation effort independently validated Rigorous governance and compliance controls WHITE PAPER How to secure today’s digital workplace CISOs play a critical role in today's digital workplace, guiding executive leadership teams on how to align cybersecurity initiatives with business objectives. Download white paper IT governance, risk and compliance SOC 2 Type II Annual SOC 2 Type II ActiveDisclosure Audit and Report Annual SOC 2 Type II Global Investment Companies (GIC) Audit and Report Annual SOC 2 Type II Venue + HiTrust Audit and Report Annual SOC 2 Type II Global Capital Markets (GCM) audit and report AICPA Trust Service Principles Rigorous Governance Program in Place Leveraging the AICPA Trust Service Principles of Security, Availability, and Confidentiality ISO 27001 certificate for the Enterprise DFIN maintains ISO 27001 certification for the Enterprise NIST CSF Comprehensive IT Risk Management Processes Dedicate Supply Chain Security and Third-Party Risk Management IT Governance over Policy, Procedures and Standards IT GRC Reports Directly to the Chief Information Security Officer Application security Encryption Data transmission is encrypted while in transit via TLS v1.2 Static and Dynamic Application Security Testing technologies AES 256-bit encryption is used to protect data while at rest AES-256-bit encryption is used to protect database files Identity Access Management Multifactor Authentication and customer Single Sign-On integration fully supported Azure Key Vault used for key storage Zero Trust internal system Privileged Access Management Identity Lifecycle automation implemented internally Threat Management Performed continuously, leveraging state-of the-art threat management tools Penetration testingAnnual third-party Penetration Testing for independent verification of DFIN product’s security postureComprehensive penetrating testing leveraging independent 3rd party for ongoing and routine network and system testingPenetration testing includes externally facing products and network infrastructureRemediation validation conducted by independent third-party Application development Code reviews Performed multiple times throughout the development process Rigorous QA Testing process is in place to identify potential issues early in the development process including SAST and DAST testing SDLC and Continuous Integration / Deployment DFIN embraces modern Software Development Life Cycle (SDLC) and Continuous Integration & Continuous Deployment (CI/CD) best practices aligned to a multi-environment (Integration, Quality Assurance, Staging, and Production) release promotion process Infrastructure Comprehensive Network Security Infrastructure Security controls are in place (firewalls, IDS & IPS, logging, and security monitoring) Technology Oversight Regular network and server vulnerability scans Regular OS patching (Microsoft security patches are applied each month) Regular backup schedule Hosted in Microsoft Azure On Premise Data Hosting From the desk of the CISO Led by Dannie Combs SVP, Chief Information Security Officer Enterprise Security team supporting Security Incident and Response, Application Security, Network Security and Security Governance, Risk and Compliance, further supporting: The use of security tools and utilities to scan and monitor DFIN assets Security Response Team and process in place to address any potential vulnerabilities or events Security monitoring and logging Policy management - comprehensive policies including Information Security Policy and Security Awareness annual employee training Cybersecurity incident response Frequent, ongoing employee training programs and best practices We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed Talk to an expert or call +44 203 047 6100