New York Life Supplier Security Standard

Effective Date: October 2020

Table of Contents

1.0  Introduction and Purpose ... 5
2.0  Supplier Security Requirements ... 6
  2.1  Comprehensive Security Program & Practices ... 6
  2.2  Supplier Personnel ... 7
  2.3  Duty of Care & Use Restrictions ... 8
  2.4  Return/Destruction/Maintenance of Scoped IT Assets ... 8
  2.5  Physical Security ... 9
  2.6  Network & Communications Security ... 10
  2.7  Infrastructure/Platforms/Services/Desktop/Operations Security ... 10
  2.8  Additional Software Provisions ... 12
  2.9  Identity and Access Management ... 13
  2.10 Log Files ... 14
  2.11 Vulnerability Assessment and Penetration Testing ... 15
  2.12 Location of New York Life Data ... 16
  2.13 Subcontractors ... 16
  2.14 Security Event Management ... 16
  2.15 Identity Theft Red Flags ... 18
  2.16 Payment Card Industry (PCI) Data Security Standard ... 18
  2.17 Audits and Verification ... 18
  2.18 Viruses and Disablement ... 19
  2.19 Business Continuity, Disaster Recovery and Resiliency Plan ... 19
3.0  Additional Hosted Services Requirements ... 21
  3.1  Comprehensive Security Program & Practices ... 21
  3.2  Network and Communication Security ... 21
  3.3  Infrastructure/Platforms/Services/Desktop/Operations Security ... 21
  3.4  Identity and Access Management ... 21
4.0  Additional Outsourced Delivery Center (ODC) Security Requirements ... 23
  Enhanced Controls ... 23
  4.1  Comprehensive Security Program & Practices ... 23
  4.2  Supplier Personnel ... 23
  4.3  Privileged Access ... 23
  4.4  Audits and Verification ... 23
  4.5  Business Continuity, Disaster Recovery and Resiliency Plan ... 23
  Dedicated Facilities ... 24
  4.6  Physical Security ... 24
  4.7  Network & Communications Security ... 25
  4.8  Telephony ... 25
  4.9  Infrastructure/Platforms/Services/Desktop/Operations Security ... 25
5.0  End Point Security ... 26
  5.1  Supplier Managed Device(s) ... 26
  5.2  Supplier Provided Virtual Desktop Interface (VDI) ... 27
6.0  Glossary ... 28
  6.1  Access Control ... 28
  6.2  Accountability ... 28
  6.3  Applicable Laws ... 28
  6.4  Approved Encryption ... 28
  6.5  Availability ... 29
  6.6  Confidentiality ... 29
  6.7  End User ... 29
  6.8  Hold Order(s) ... 29
  6.9  Hosted Services ... 29
  6.10 Integrity ... 29
  6.11 High Risk Transaction ... 29
  6.12 Least Privilege ... 30
  6.13 Multi-Factor Authentication ... 30
  6.14 New York Life ... 30
  6.15 New York Life Data ... 30
  6.16 Outsourced Delivery Center (ODC) ... 31
  6.17 ODC Supplier ... 32
  6.18 Personal Data ... 32
  6.19 Record(s) ... 32
  6.20 Risk-Based Authentication ... 32
  6.21 Scoped IT Asset ... 32
  6.22 Security Event ... 32
  6.23 Subcontractor ... 32
  6.24 Supplier ... 33
  6.25 Supplier Managed Device(s) ...

New York Life Supplier Security Standard, 33 pages.

Details: PDF, 33 pages, English.