Page 47 - OctDefComp

5. Strong access control procedures
          At Empower, access to information is provisioned on the principle of least privilege (PoLP). PoLP is an information security
          concept in which a user is given the minimum levels of access — or permissions — needed to perform their job functions.
          These access controls are widely considered to be a cybersecurity best practice, and they provide a fundamental step in
          protecting privileged access to high-value data and assets. The principle of least privilege extends beyond human access.

Criteria    DOL cybersecurity                       Empower protocols
responses   best practices
------------------------------------------------------------------------------------------------------------------------
            Access to systems, assets and           The principle of least privilege is strictly enforced based on
            associated facilities is limited to     business need and management approvals for access to all Empower
            authorized users, processes, devices,   informational assets and resources.
            activities and transactions
                                                    Unique user IDs are issued and forced password complexity rules
                                                    are enabled that include, but are not limited to, minimum length,
                                                    invalid attempts, password history, and a mixture of characters
                                                    and numbers.
------------------------------------------------------------------------------------------------------------------------
            Multi-factor authentication is used     Forced multi-factor authentication (MFA) measures are used to
            wherever possible, especially to        access Empower’s network Virtual Private Network (VPN), and our
            access the internal networks from       VPN is always-on.
            an external network, unless a
            documented exception exists based
            on the use of a similarly effective
            access control methodology.
------------------------------------------------------------------------------------------------------------------------
            Policies, procedures and controls       Empower uses user and entity behavior analytics (UEBA) technology
            are implemented to monitor              to analyze typical and atypical activity of humans and machines
            the activity of authorized              within our network and detect unauthorized access and use of
            users and detect unauthorized           our data.
            access, use of or tampering with
            nonpublic information.
------------------------------------------------------------------------------------------------------------------------
            Confirm the identity of the             Positive identity is accomplished through the multi-factor
            authorized recipient of the funds.      authentication (MFA) and identity verification measures that are in
                                                    place. Notifications of participant-requested account changes and
                                                    fund distributions are sent to the participant’s preferred method
                                                    of contact.

                                 FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.