Privacy and Security Policies
FTE offers clients the option to use their own security controls or adopt FTE’s established framework.
Option 1:
If clients choose their own controls, they must ensure compliance with their own security standards. In that case FTE provides only the laptops and the physical security at FTE's own location.
Client-Implemented Security Controls:
- Clients may choose to implement their own security controls tailored to their specific needs. In this case, clients are fully responsible for enforcing and maintaining their security posture and are accountable for producing the documentation and evidence of their security controls.
- FTE may conduct regular audits and assessments to verify that the client is complying with the client's own standards.
Option 2:
If clients select FTE’s controls, FTE takes full responsibility for maintaining and managing them to meet industry standards and regulatory requirements.
Adoption of FTE's Security Controls
- Clients may opt to adopt the security controls implemented by FTE. By choosing this option, clients agree to adhere to the security policies and controls established by FTE.
- FTE is responsible for facilitating the integration and implementation of security controls for the client and providing support and guidance to help clients maintain these controls effectively.
The following security controls are enforced as a minimum standard:
Risk Assessment and Management:
Access Control and User Authentication:
- Access to systems and data is managed using Role-Based Access Control (RBAC) principles and Just-In-Time (JIT) access for sensitive systems. Multi-factor authentication (MFA) is mandatory for critical systems, alongside strong password policies and account lockout mechanisms.
Mobile and Endpoint Security:
- Mobile Device Management (MDM) ensures encryption, remote wipe capabilities, and restricted app installations for company-issued devices. Endpoint Detection and Response (EDR) tools, anti-malware, and endpoint firewalls safeguard devices from unauthorized access and external threats. Virtual Private Networks (VPNs) are required for secure remote access to company resources.
Network Security and Segmentation:
- Networks are segmented to isolate critical systems from general access zones, reducing exposure to potential threats. Firewalls with advanced inspection capabilities and Intrusion Detection and Prevention Systems (IDS/IPS) monitor and control traffic to prevent unauthorized access. Security Service Edge (SSE) solutions are integrated to provide secure access to cloud services and internet resources.
Data Security and Management:
- Data is classified based on sensitivity and encrypted both at rest (AES-256) and in transit (TLS 1.2+). Retention policies comply with regulatory requirements, and secure deletion methods ensure that expired data is irretrievable. Email encryption and Digital Rights Management (DRM) tools protect sensitive communications and documents.
Vulnerability and Patch Management:
- Regular vulnerability scanning and penetration testing identify security weaknesses, which are remediated promptly. A centralized patch management system ensures that critical updates are applied within 24 hours of release and that routine updates are applied monthly.
Backup and Disaster Recovery:
- Data is backed up regularly to encrypted onsite and offsite locations. A disaster recovery plan (DRP), tested bi-annually, ensures rapid restoration of services following disruptions. Multi-factor authentication protects backup systems to prevent unauthorized access.
Incident Response:
- A dedicated Incident Response Team (IRT) follows defined procedures for detecting, containing, and resolving security incidents. Continuous monitoring via Security Information and Event Management (SIEM) systems ensures timely alerts and reports for effective response.
Auditing, Monitoring, and Logging:
- Real-time alerts and detailed logs are managed using SIEM tools. Logs are retained for one year, with quarterly reviews to ensure compliance and identify potential risks. Periodic audits validate the effectiveness of controls and ensure regulatory adherence.
Employee Training and Awareness:
- Security training is mandatory during onboarding and is conducted annually. Simulations for phishing and social engineering enhance awareness and build a culture of security-conscious behavior among employees.
Third-Party Risk Management:
- Vendors and contractors are evaluated for compliance with FTE’s security policies. Contracts mandate security measures, and periodic assessments ensure ongoing adherence. This reduces risks associated with external partnerships.
Physical Security:
- Access to sensitive areas, such as server rooms, is restricted through biometric authentication or keycard systems. Surveillance systems monitor physical premises, and periodic audits are conducted to ensure physical safeguards remain effective.
IT and Internet Use Policy:
- Team Members must adhere to guidelines for using IT systems, email, and social media responsibly. These policies protect sensitive information and maintain the organization’s reputation, ensuring a secure digital environment.
Code of Conduct and Ethics:
- Team Members are required to act with integrity, fairness, and respect. Unauthorized sharing of confidential data is prohibited, and all actions must align with the organization's ethical standards to maintain a strong culture of accountability.
Compliance and Governance:
- Security policies and practices are reviewed regularly to ensure compliance with industry regulations and standards, including FTC and IRS Safeguards Rules. Governance frameworks provide oversight to maintain a robust security posture.
Other Policies
We align our security protocols with IRS regulations to ensure the highest standards of compliance.
Our strict employee validation process ensures that only authorized personnel can access sensitive information.
Our policies outline how we collect, store, and protect personal information.