Security Program Charter

August 31, 2016


Cyber Security Program Charter

Overview
This policy applies to all employees, officers, and contractors of HIC, Inc. and its affiliates (the Company).

Our information and information systems are an essential asset and they are vitally important to our business operations and
long-term viability. In the course of carrying out our activities, we collect many different types of information, including
financial, academic, medical, human resources and other personal information. We value the ability to communicate and
share information appropriately. Such information is an important resource of the Company and any person who uses
information collected by the Company has a responsibility to maintain and protect this resource. Federal and state laws and
regulations, as well as industry standards, also impose obligations on us to protect the Authenticity, Availability,
Confidentiality, Integrity, Possession, and Utility of this information.

We must ensure that our information assets are protected in a manner that is cost-effective and that reduces the risk of a Data
Breach. We have adopted a risk management approach to managing our Company Information and Information Systems.
The risk management approach requires the identification, assessment, and appropriate mitigation of vulnerabilities and
threats that can adversely impact our information assets.

This Cyber Security Program Charter serves as the capstone document for the Company's Information Security Program.
Policies further define the Information Security objectives in topical areas.

I. Scope
This Cyber Security Program Charter and associated policies, standards, guidelines, and procedures apply to all employees,
contractors, part-time and temporary workers, and Vendor Associates who perform work on Company premises or who have
been granted access to Company Information or Systems.

II. Information Security Program Mission Statement


The Company Information Security Program will use a risk management approach to develop and implement Information
Security policies, standards, guidelines, and procedures that address security objectives in tandem with business and
operational considerations.

The Information Security Program will protect information assets by developing policies to identify, classify, define protection
and management objectives, and define acceptable use of Company information assets. The Information Security Program
will reduce vulnerabilities by developing policies to assess, identify, prioritize, and manage vulnerabilities. The management
activities will support organizational objectives for mitigating the vulnerabilities as well as developing and using metrics to
gauge improvements in vulnerability mitigation.

The Information Security Program will counter threats by developing policies to assess, identify, prioritize, and monitor
threats. The monitoring activities will support organizational objectives for deterring, responding to, and recovering from
threats. The monitoring activities also will support the development and use of metrics to gauge the level of threat activity
and the effectiveness of the Company threat detection and response capabilities.

III. Policies and Awareness


The Information Security Program is made up of the following policies:
1. Asset Management: Standards for managing networks, systems, and applications that store, process or transmit
information assets throughout the entire life cycle.
2. Business Continuity: Defines our activities to counteract business interruptions caused by major failures or disasters
and to recover from any interruption with the least business impact.
3. Incident Response: Details the policy and approach to take when a Data Breach (actual or suspected) occurs.
4. Information Systems Access Policy: Guidelines and authority for accessing Company Information Systems to ensure
the security of Company proprietary data, systems, and technology.

2 Confidential & Proprietary Printed on 22-Oct-17


5. Information Systems Policy: Contains the policies and procedures of the Company for the use of the Company's
Information Systems.
6. Personal Electronic Device Policy: Sets forth guidelines and procedures for employees who choose to use their own
personal electronic device(s) for work purposes.
7. Physical Security: Defines the precautions required to physically protect our technology infrastructure.
8. Regulatory Requirements: Contains all regulation-specific requirements that must be maintained by the Company.
It includes maintaining HIPAA compliance and compliance with other regulations.
9. Threat Assessment and Monitoring: Defines our threat assessment activities (such as intrusion detection and virus
protection), our ongoing threat monitoring efforts (including penetration tests and contractor account analysis), and
our ongoing vulnerability management efforts.

In addition to the above policies, the Information Security Program shall also maintain:
1. Security Awareness: Defines the activities to increase security awareness corporate-wide, from the new employee
to the long-tenured employee to anyone with physical or logical access.

IV. Ownership and Responsibilities


The CEO approves the Company Cyber Information Security Program Charter. The Cyber Security Program Charter assigns
executive ownership of and accountability for the Company Information Security Program to the CIO. The CIO must approve
Information Security policies.

The CIO implements and manages the Information Security Program across the organization. The CIO is responsible for the
development of Company Information Security policies, standards and guidelines. The CIO must approve Information Security
standards and guidelines, and ensure their consistency with approved Information Security policies. The CIO also will establish
an Information Security Awareness Program to ensure that the Cyber Security Charter and associated policies, standards,
guidelines, and procedures are properly communicated and understood across the organization.

Company management is accountable for the execution of the Company Information Security Program and ensuring that the
Cyber Security Program Charter and associated policies, standards, guidelines, and procedures are properly communicated
and understood within their respective organizational units. Company management is also responsible for defining, approving
and implementing Information Security procedures in their organizational units, and ensuring their consistency with
approved Information Security policies and standards.

All individuals, groups, or organizations identified in the scope of this Charter are responsible for familiarizing themselves
with the Company Cyber Security Program Charter and complying with its associated policies and following the approved
procedures as appropriate.

V. Enforcement and Exception Handling


Failure to comply with Company Information Security policies, standards, guidelines and procedures can result in disciplinary
actions up to and including termination of employment for employees or termination of contracts for contractors, partners,
consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to Company Information Security policies, standards, and guidelines should be submitted to the
approval authorities designated in the policies, standards, and guidelines. Exceptions shall be permitted only on receipt of
written approval from an authorized approval authority.

VI. Review and Revision


The Company Information Security policies, standards, and guidelines shall be reviewed under the supervision of the CIO, at
least annually or upon significant changes to the operating or business environment, to assess their adequacy and
appropriateness. A formal report comprising the results and any recommendations shall be submitted to the CIO.

Approved: _______________________________________________________
Signature

Chief Executive Officer


HIC, Inc.

Definitions
1. Affiliate means a person or entity that directly, or indirectly through one or more intermediaries, controls or is
controlled by, or is under common control with, the Vendor.
2. Authenticity is usefulness of information for a purpose.
3. Availability is making information assets available to authorized users when they need them.
4. Company consists of all employees, officers, and contractors of HIC, Inc. and its affiliates.
5. Confidential means spoken, written, transmitted, stored or kept in strict privacy or secrecy and is not generally
known to the public.
6. Credentials means access codes, passwords, pass codes/pins, security keys, security tokens, key cards and user
accounts that allow access to Information Systems or Company Information.
7. Data means information provided in any form to Vendor by or on behalf of Company in connection with the
Services performed pursuant to the Agreement.
8. Data Breach (also referred to under various state laws as Breach of Security or Violation of the Systems Security)
means the unauthorized or unlawful:
a. Access to or acquisition of Credentials, Company Information, Personal Information, or Information
Systems;
b. Transmission, disclosure, storage, alteration or disposal of Company Information or Personal Information
in an unencrypted or unsecured format that compromises the security, confidentiality or integrity of
Personal Information; or
c. As otherwise defined under applicable state or federal law.
9. CEO stands for Chief Executive Officer.
10. CIO is either the Chief Information Officer or, if none exists at Company, then the executive with overall
responsibility for technology at Company (e.g. Vice President of Information Technology).
11. Company Information means both electronic and physical information, including but not limited to, Data, files,
strategies, lists, plans and knowledge related to Company operations (past, present, or future) and, if applicable,
includes Confidential and Personal Information.
12. Confidentiality is ensuring that information is accessible only to authorized users.
13. Cyber Security Program Charter means the overall mission statement for the Information Security Program. The
charter outlines key program management issues, such as policy enforcement and management responsibility.
14. Information Security Program means all associated policies, standards, guidelines, and procedures related to
securing Credentials and Information Systems to prevent, detect, and manage a Data Breach.
15. Information Systems means electronic systems (e.g., computers, servers, networking devices), operating systems,
applications, databases, networks, and configuration settings, whether in a Company licensed or managed system
or in a Vendor managed or Vendor owned system or solution, whether on Company's premises, Vendor's premises,
Cloud based or Software as a Service, and the hardware and software necessary to run, maintain or support the
Information Systems whether physical or virtual in nature.
16. Integrity is safeguarding the accuracy and completeness of information and information-processing methods.
17. Personal Information means Data or information that identifies or can be used to identify, contact, or locate the
individual to whom such information pertains, or from which identification or contact information of an individual
person may be derived. It includes an individual's first name or first initial and last name plus one or more of the
following data elements: (i) Social Security Number, (ii) driver's license number or state-issued ID card number, (iii)
account number, credit card number or debit card number combined with any security code, access code, PIN or
password needed to access an account, or any other form of Personal Information as defined by applicable state or
federal law, and generally applies to computerized data (but also includes information maintained or recorded in
other forms) that includes Personal Information. Personal Information does not include publicly available
information that is lawfully made available to the general public from federal, state or local government records, or
widely distributed media. Personal Information includes Personally Identifiable Information or PII, as it is commonly
understood in the processing of credit and debit cards or for other purposes.
18. Possession refers to holding, controlling, and having the ability to use information.
19. Threats means the activities or actions that could exploit the vulnerabilities in an organization and place
information assets at risk.
20. Utility represents the usefulness of information for a purpose.
21. Vendor Associates means Vendor's employees, [staff,] agents, contractors and subcontractors.
22. Vulnerabilities means the holes and weaknesses in information systems and procedures that intruders can
exploit.