Overview

Policy Statement
TorchLight is committed to ensuring the security of its data, information systems and network. As part of this commitment, TorchLight has established an Information Security Program to safeguard and protect technology and data resources from unauthorized access, destruction, use, modification, and disclosure, as well as avoiding interruptions to business activities. Cyber security is of critical importance to TorchLight and is a continuous, ongoing effort in which there is no single set of rules or procedures governing the Program.

Objective
The objective of TorchLight’s Information Security Program is to manage the risks associated with information assets maintained at the firm. The following crucial factors are taken into account in securing the firm’s critical information assets: 

  • Confidentiality: Access to TorchLight data must be restricted to those who have a legitimate and authorized business need, and information exchanges between locations and with partners (including those supporting business transactions) must be trustworthy and not subject to repudiation.
  • Integrity: Data that resides on TorchLight technology systems must be complete, accurate, and uncorrupted. 
  • Availability: Systems and data must be protected from attacks and available for use when necessary by TorchLight staff members.

Principles
The principles guiding the Information Security Program shall be: 

  • Define preventive, detective, and corrective controls to reduce risk 
  • Leverage need-to-know and Principle of Least Privilege concepts 
  • Utilize Defense in Depth to provide layered protection 

In any case where guidance is not specifically given, these principles shall be considered and adhered to.

Strategy
TorchLight’s information security strategy is to protect and secure its systems, media, and facilities that process and maintain information vital to the operations of the firm through prevention, detection, and appropriate response. TorchLight’s information security strategy considers: 

  • The firm’s mission, objectives, stakeholders, and activities; 
  • Regulatory requirements, risk alerts, and guidance from regulatory bodies regarding cybersecurity; and 
  • Periodic risk assessments and application of best practices.

Process
The Program is ongoing and must be continually adapted to embody a commercially reasonable approach to meet both changing business needs and the evolving cyber threats confronting TorchLight. This process includes:  

  • Assigning roles and responsibilities within TorchLight as it relates to the Program; 
  • Consulting with outside experts as appropriate; 
  • Identifying vulnerabilities and assessing internal and external third-party risks; 
  • Training staff members in cyber security awareness to recognize and address cyber and social engineering incidents, in accordance with applicable law, regulations and best practices; 
  • Developing and/or revising policies, standards, or operating practices, as applicable, to address targeted vulnerabilities and risks;  
  • Implementing and communicating the specific policies, standards and relevant operating practices; 
  • Inventorying, monitoring and testing systems to ensure compliance with policies and standards; and 
  • Communicating with and providing updates to senior management on the status of the program, new initiatives and ongoing projects.

Policies and Procedures
TorchLight has established specific policies and procedures pursuant to the Cyber Security Program. TorchLight may from time to time modify and amend its policies and procedures and additionally develop new policies through its ongoing assessments. The policies and operating practices implemented take into consideration:

  • The risks presented by failure to achieve the three primary security goals of systems availability, information integrity and confidentiality; 
  • The sensitivity of information and the business requirements for the use of information;
  • TorchLight’s technical infrastructure, hardware, and software security capabilities; 
  • The size, complexity, and capabilities of TorchLight and the associated costs of proposed security measures; and 
  • The need to comply with applicable federal and state laws and regulations, as well as the laws of foreign jurisdictions, including those pertaining to security, privacy and other consumer protection laws and disclosure practices.

In order to ensure that TorchLight is prepared for potential events that may affect business continuity, such as power failures, fires, and cyber-attacks, TorchLight will develop items such as the following:

  • Business Continuity Plan 
  • Disaster Recovery Plan 
  • Incident Response Plan 
  • Network Monitoring Procedures 
  • Security Awareness Training Program

Reporting
The CISO will communicate with the Executive Management Team as necessary to implement this Program and report no less than annually concerning the overall status of the Program and compliance with this Policy. Security incidents, suspected security incidents, and other events that may require incident response will be reported on a timely basis to the Cybersecurity Incident Response Team. In accordance with TorchLight’s Cyber Incident Response Plan, incidents will be reported to the appropriate level of management based on the severity and extent of the incident. The CISO will periodically, but no less frequently than annually, assess the need to amend this Policy or to institute other cyber-related procedures. To become effective, the Executive Management Team must approve all proposed amendments to the Policy.

Enforcement
Any employee who fails to comply with the Information Security Policy puts TorchLight at risk and is subject to disciplinary action, up to and including termination of employment.

Exceptions
In certain circumstances, an exception to the Information Security Policy may be necessary. In these instances, approval from the CISO and/or Executive Management Team is required. Notification in writing of the business case for the exception must be provided.

For questions regarding this policy, contact the Chief Information Security Officer.

Relevant Standards
The following standards were considered in the creation of this policy: 

  • NIST CSF: ID.AM-6, PR.AT-5 
  • NIST 800-53: AT-1, AT-2 (1), AT-3 (1), PM-1, PM-2, PM-3, PM-6, PM-7, PM-11, SI-4 (c, 1, 4, 5, 11), IR-4 (2)