
Information Security Whitepaper

An overview of information security, business continuity, disaster recovery and cybersecurity controls.

Published: October 2014
Last Updated: May 2018

Executive Summary:

This whitepaper contains summary details regarding the controls in place at ISS to protect firm data, and more importantly, data entrusted to us by the clients. The Information Security Office has grouped these controls into three programs: Information Security Management System (ISMS), Business Continuity Management System (BCMS), and Cybersecurity Management and Defense System (CMDS).

www.issgovernance.com 2015 ISS Institutional Shareholder Services
Revision History

The author identified is accepted as an electronic signature that concludes this document has been reviewed and approved. The date identified in the “Date Published” column reflects the approval date.

Date Published | Author          | Version | Description
09/12/2016     | Theresa Hudson  | 2016Q3  | Revised 2.6 Most Recent Testing; Restructure of documentation; Addition of Key Points in several sections; Clarification to encryption at rest; Appendix A – Updated revision dates
01/02/2018     | Theresa Kitchel | 2018Q1  | Appendix A – Updated revision dates; Formatting updates
05/10/2018     | Theresa Kitchel | 2018Q2  | Updated Key Points with current initiatives; Added KnowBe4 training; Added Data Loss Prevention narrative

Enabling the financial community to manage governance risk for the benefit of shareholders. 2018 ISS Institutional Shareholder Services
Table of Contents

1. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) ... 5
1.1 Information Security Policies ... 5
1.1.1 Management Direction for Information Security ... 5
1.1.2 Responsibilities ... 5
1.1.3 Risk Management ... 5
1.2 Organization of Information Security ... 6
1.3 Personnel Security ... 6
1.3.1 Prior to Employment / Background checks ... 6
1.3.2 During Employment / Security training for all employees ... 6
1.3.3 Termination of Employment or Change in Role ... 7
1.4 Information Asset Management ... 7
1.4.1 Responsibility for Assets ... 7
1.4.2 Information Classification ... 7
1.4.3 Media Handling ... 7
1.5 Access Control ... 7
1.5.1 Requirements for Access Controls ... 8
1.5.2 User Access Management ... 8
1.6 Cryptography ... 8
1.7 Physical and Environmental Security ... 9
1.7.1 Secure Areas ... 9
1.7.2 Equipment ... 10
1.8 Operations Security ... 10
1.8.1 Operational Procedures ... 11
1.8.2 Protection from Malware ... 11
1.8.3 Backups ... 11
1.8.4 Logging and Monitoring ... 11
1.8.5 Technical Vulnerability Management ... 11
1.9 Communications Security ... 12
1.9.1 Network Security Management ... 12
1.9.2 Information Transfer ... 12
1.10 System Acquisition, Development and Maintenance ... 13
1.10.1 Software Development Life Cycle ... 14
1.10.2 Security in Development and Support Processes ... 14
1.11 Third-Party Provider Relationships ... 14
1.12 Information Security Incident Management ... 15
1.13 Independent Review ... 15
1.14 Compliance ... 15
2. BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) ... 15
2.1 Business Impact Analysis ... 16
2.2 Business Continuity Plans ... 16
2.3 Disaster Recovery Plans ... 16
2.4 Crisis Management Plan ... 17
2.5 Pandemic Plan ... 17
2.5.1 Employee Well-Being and Support ... 17
2.5.2 Service Continuity ... 17
2.5.3 Communications ... 18
2.6 Information Security Aspects of Business Continuity Management ... 18
2.7 Testing ... 18
3. CYBERSECURITY MANAGEMENT & DEFENSE SYSTEM (CMDS) ... 18
3.1 SEC OCIE Risk Alert ... 19
3.2 ISS’ Response to the Guidance ... 20
3.3 Security Tools and Technologies ... 20
3.3.1 Complete Data Protection Suite ... 20
3.3.2 Complete Endpoint Protection Suite ... 20
3.3.3 Content Security Suite ... 20
3.3.4 Database Security Suite
3.3.5 Server Security Suite ... 21
3.3.6 Enterprise Security Manager ... 21
3.3.7 Vulnerability Manager ... 21
3.3.8 Next-Generation Firewalls ... 21
APPENDIX A: INFORMATION SECURITY POLICIES ... 22
APPENDIX B: INFORMATION SECURITY STANDARDS ... 27
APPENDIX C: INCIDENT RESPONSE PLAN SUMMARY ... 36
1. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

The foundation for developing the Information Security Management System (ISMS) is modeled on ISO 27001, the international standard addressing information security controls. The ISS ISMS consists of controls for all clauses and control objectives contained in the most recent version of the international standard. This section provides an overview of the Firm’s approach to information security and reflects the ongoing commitment to protect information that has been entrusted to its care.

1.1 Information Security Policies

Key Points

- Directed globally by the Chief Information Security Officer
- Top-down approach with direct communication with ISS Leadership
- Security presentations at office staff meetings
- Quarterly Information Technology Town Halls
- Weekly Information Security team meetings
- Quarterly Corporate Security Council (CSC) - Coordinates corporate security initiatives at the executive level to enable the organization to optimize spending, manage infrastructure and minimize security risk.
- Quarterly Security Task Force (STF) - Coordinates corporate security initiatives and response at the technical level to enable the organization to implement and manage security programs consistent with industry best practices and commitments.

ISS information security policies are modeled against ISO 27001. Of the 114 controls identified in “Annex A” of the International Standard, 113 have been deemed applicable to ISS. Policies apply to all ISS business units, although localized standards may be developed to provide further details on the implementation of these policies.
While the Information Security Policies are classified as Internal Use Only and not available for external distribution, Appendix A of this whitepaper contains the tables of contents and document history/approval for each policy document.

This suite of policies is supported by issue-specific information security standards, for which the tables of contents and document history/approval are included in Appendix B of this whitepaper.

1.1.1 Management Direction for Information Security

The goal is to ensure adequate protection of client and ISS information assets in accordance with internal policy controls, business requirements, and relevant laws and regulations. The information and controls contained in the ISMS support the commitment to, and are intended to exemplify, clear management direction for information security at ISS.

1.1.2 Responsibilities

The Information Security Office (ISO), with cross-functional support, is responsible for establishing and maintaining information security policies and standards for the Firm. Business units are responsible for ensuring the implementation of controls within their respective areas of responsibility. Each user is responsible for abiding by the intent of controls to protect Firm assets and those of the clients.

1.1.3 Risk Management

Key Points

ISS incorporates risk assessment in many of the key areas owned by Information Security and Information Technology. Key areas include (not all inclusive):

- Change Approval Board (CAB) – Weekly meeting to review and approve all emergency or planned changes to the production environment. The CAB, along with the change facilitator, jointly evaluates all changes for risk and consequence.
- Vulnerability Management Program - Key Information Security and Information Technology members attend a weekly vulnerability meeting to ensure scans are reviewed, vulnerabilities are assessed for risk to ISS, and the patch cycle/content is adjusted as needed.
- Self-Assessment – Information Security utilizes many organizations for information gathering, such as Intel Security/McAfee, NIST, SEC, SANS, and Homeland Security. The information is used to assess the environment and determine any new or continuing risk to the company.

The Information Security Office (ISO) reviews and manages technical and operational risks to the services provided to clients. ISO reviews and manages operational risk to the firm, reviews any mitigation efforts and reports those activities to ISS management teams.

Risk assessments are performed periodically to address changes in the information security requirements and when significant changes occur. ISS performs risk assessments on a variety of assets within the organization. These may be physical assets, people, processes, software, and information.

1.2 Organization of Information Security

The Information Security Office is directed globally by the Chief Information Security Officer and is supported by several local IT and business stakeholders around the Firm. ISO is responsible for information security, physical security, business continuity, disaster recovery and cybersecurity. These core focus areas are leveraged to maintain the ISS control framework. The ISMS is supported by the technical expertise of IT infrastructure teams who work closely with the Information Security Office.
ISS also engages third-party expertise to ensure a current view of worldwide security issues and industry best practices is maintained.

1.3 Personnel Security

Key Points

- Central change request system ensures new hire, termination and change in job role requests are handled consistently.
- KnowBe4 Phishing training providing continuous reinforcement of training.
- KnowBe4 Security Awareness Training (K-SAT) – A 2018 enhancement to the ISS security awareness training program, providing new phishing testing and training as well as targeted training for information technology.
- KnowBe4 Compliance Manager (KCM) – A 2018 enhancement to allow ISS to more efficiently communicate corporate policies.
- Security presentations at office staff meetings
- Periodic all-staff emails refreshing key elements of the security awareness training.

1.3.1 Prior to Employment / Background checks

The ISS Human Resources department ensures background checks are performed for all new hires, prior to the first day of employment. Background checks generally include criminal history, Social Security number traces, educational verification and past employment verification. All new employees are provided a new employee package that details ISS’ core corporate policies.

1.3.2 During Employment / Security training for all employees

ISS maintains a Security Awareness program that includes mandatory training, policy acknowledgement and assessments. New employees are required to complete Security Awareness training upon being hired, and annually thereafter.

Managers are responsible for ensuring users within their areas of responsibility apply appropriate information security controls. ISS policies contain statements regarding disciplinary actions, up to and including termination of employment, for committing a security breach or not complying with information security controls.
1.3.3 Termination of Employment or Change in Role

Policy controls have been developed to address processes associated with terminating users’ employment and users changing job roles or function. Processes for access revocation or modification are in place, and employees separating from the Firm are required to return all information assets belonging to ISS on or prior to their last day of employment.

1.4 Information Asset Management

1.4.1 Responsibility for Assets

ISS maintains a global asset management program that is used to track hardware and software. Endpoint security tools and System Center Configuration Manager (SCCM) software are used to assist with and automate information asset management controls.

A policy defining acceptable use of information assets is in place. Users are reminded of acceptable use guidelines and requirements during annual Ethics training and Security Awareness training.

1.4.2 Information Classification

Information is classified into four categories: Public, Internal Use Only, Confidential and Restricted. Each classification is based on the value and risk factors of the information being classified. Non-public client data is classified as Confidential.

Information asset handling requirements have been identified for each classification and include guidance for: storage, transmission, distribution, physical security, destruction, disposal, recycling, reuse, duplication, and security logging, monitoring and auditing.

1.4.3 Media Handling

ISS has implemented both administrative and technical controls to govern and manage removable media. Administrative controls include policy and standard requirements, while technical controls are in place to ensure users are unable to copy data onto removable media such as a CD or DVD. USB devices are wholly encrypted and only available for use on another ISS-protected machine.
Once encrypted, USB devices are unreadable from home PCs or any non-ISS device.

Processes have been implemented to help ensure media that has reached “end-of-life” is securely wiped using DoD standards prior to the media being destroyed. When destruction is performed by a third party, ISS maintains chain of custody and certificate of destruction records.

1.5 Access Control

Key Points

- ISS’ Regulatory Code of Ethics specifically addresses this issue and provides that employees who are privy to non-public proxy voting recommendations are prohibited from sharing such information with anyone outside the company. Employees are also prohibited from sharing such information with anyone inside the company except another employee who needs such information in order to perform their duties.
- ISS monitors access to information by maintaining and reviewing audit trails. ISS’ Information Security Office utilizes role-based access controls to identify, authenticate, and authorize individuals to access systems based on their role. This group also applies technology such as stateful inspection firewalls and IP-based permissions to limit connectivity to ISS’ hosted services and applications, along with protection and encryption of confidential data for secure communication.
- The roles which have authorization to access client data include database administrators, who have responsibility for administering client databases, and client service personnel, who have responsibility to service the client account. In addition, ISS has policies and procedures regarding confidentiality contained in its Regulatory Code of Ethics.
1.5.1 Requirements for Access Controls

The Access Control Policy identifies requirements for controlling access to ISS and client information assets. Access is authorized based on the principles of least privilege and need-to-know, and role-based access controls identify and authorize users based on their respective roles. Privileged user accounts are not used for day-to-day access of core applications.

1.5.2 User Access Management

Access is provisioned (and de-provisioned) following documented processes that ensure that access is requested, approved, and implemented as appropriate for users. Unique user ID and password combinations are used to provide authentication and individual accountability. Authentication requires, at a minimum, a strong, complex password comprised of alphabetic, numeric and special characters. Passwords are configured to expire every 60 days. Additional technical controls have been implemented to ensure accounts are locked after 5 consecutive failed logon attempts, and workstations and systems auto-lock after a 10-minute period of inactivity.

User access rights are reviewed at least semi-annually during access control audits. These activities are used to ensure the effectiveness of the processes in place for disabling access upon termination or other separation from the Firm.

1.6 Cryptography

Key Points

Key areas of data encryption include:

- Storage encryption at rest meeting FIPS 140-2 Level 1 requirements within the US datacenters.
- Backup encryption for all replicated data.
- Email Communication – ISS supports opportunistic email encryption via TLS for the protection of email traffic.
  Currently TLS 1.2 is preferred; TLS 1.0/1.1 are enabled but de-prioritized.
- All ISS devices that operate outside of secure ISS facilities are encrypted.
- File servers are protected by network permissions to Windows directories.
- ProxyExchange Application - Encrypts sensitive data (specific to engagements and meeting attendance) using AES256 via an Oracle function within the database. Personal information is only collected in the case of meeting attendance, which requires identification. ProxyExchange is available only via HTTPS to ensure that all application data is encrypted before transmission. This applies to all research documents and report documents that are generated or accessed via the reporting application. Users can also email the documents directly from the application and, if the client’s email servers support TLS, the email transmission between ISS and the client will be automatically encrypted.
- Client Communications - Clients have the option of using the ISS FTP or SFTP server for delivery of reports, depending on the sensitivity of the reports they want delivered.
- SCAS Application - Client data is stored in one consolidated database, with segregation of client data achieved through client-specific encryption. ISS maintains a passphrase-protected 1024-bit asymmetric key per client, the passphrase being a system-generated, client-specific Universally Unique Identifier (UUID). Client data is symmetrically encrypted using this client-specific key as the data is loaded into the database. As an additional contextual level of security, ISS uses a system-generated row-specific authenticator when the data is encrypted.

Cryptography at ISS is centrally managed by the IT Infrastructure organization. A cryptography policy has been implemented to govern the use of cryptographic controls needed for the protection of information. This includes ensuring web interfaces are appropriately protected with SSL certificates and ensuring appropriate encryption is implemented for data at rest.
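The SCAS pattern described above (one database, a key per client, and a row-specific authenticator bound to each encrypted row) as an added illustration; this is not ISS code. It assumes a master secret and a PBKDF2 derivation of the client key from the client UUID, and uses an HMAC-SHA256 keystream in place of AES because the Python standard library has no AES; the key hierarchy and the row binding are the point, not the cipher.

```python
"""Per-client key plus row-specific authenticator (added illustration)."""
import hashlib
import hmac
import os
import uuid
from typing import Optional

# Constructed demo secret; in production this belongs in an HSM or secrets manager.
MASTER_SECRET = b"constructed-master-secret-for-demo-only"
PBKDF2_ROUNDS = 50_000


def client_key(client_uuid: str, salt: bytes = b"scas-demo-salt") -> bytes:
    """Derive a 256-bit client key from the client's UUID passphrase (assumed: PBKDF2)."""
    passphrase = client_uuid.encode() + MASTER_SECRET
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys so one key is never used for both roles."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256(enc_key, nonce || counter); stands in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_row(key: bytes, row_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The tag covers row_id, so it is a row-specific authenticator:
    the same ciphertext stored under another row id will not verify."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, row_id.encode() + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_row(key: bytes, row_id: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not match this key and row."""
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag minimum
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, row_id.encode() + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # verify before touching the ciphertext
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Show the ciphertext is bound to both the client key and the row."""
    key_a = client_key(str(uuid.uuid5(uuid.NAMESPACE_DNS, "client-a.example")))
    key_b = client_key(str(uuid.uuid5(uuid.NAMESPACE_DNS, "client-b.example")))
    blob = encrypt_row(key_a, "row-1001", b"non-public voting data")
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    return {
        "own_row": decrypt_row(key_a, "row-1001", blob),        # plaintext
        "moved_row": decrypt_row(key_a, "row-2002", blob),      # None: wrong row
        "other_client": decrypt_row(key_b, "row-1001", blob),   # None: wrong client
        "tampered": decrypt_row(key_a, "row-1001", tampered),   # None: modified ciphertext
    }


if __name__ == "__main__":
    print(demo())
```

Because the row id is part of the authenticated data, a database operator who copies an encrypted value between rows or between clients gets a verification failure rather than silently readable data.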
For the SCAS environment, files within the application database are encrypted. For the ProxyExchange environment, files are encrypted when transmitted via SFTP to ISS, but the downloaded file which remains on the ISS internal network is unencrypted. File servers are protected by network permissions to Windows directories but are not encrypted or otherwise protected with escalated controls.

1.7 Physical and Environmental Security

Key Points

Key areas of physical security include:

- Datacenters are located in natural disaster “safe zones”.
- CCTV video monitoring in place for office and datacenter locations.
- Physical security badging system provides access established using the principles of least privilege and need-to-know.
- UPS and generator power for continuity at office and datacenter locations.
- Environmental controls to ensure the safety of personnel, including fire detection systems.
- Regular reviews and updates of building security, including drills for applicable environmental situations such as tornado, hurricane, and fire drills.
- Business Continuity planning captures pandemic planning in case of any mass illness.

1.7.1 Secure Areas

ISS hosts its web applications and services using a pair of datacenters in the United States which provide primary and recovery services. ISS maintains a pair of European Union (EU) datacenters serving only specific client operations as designated by contractual agreements. ISS’ datacenter facilities and physical security systems were designed to provide extremely hardened, state-of-the-art, secure operational locations.

US Datacenters: ISS contracts with Switch for rack space, power, environmental and network services for the hosted applications and services. ISS does not share company data, client data or access to such data with Switch. The infrastructure is hosted in highly secure, Tier IV datacenter facilities. ISS reviews the SOC 1, SOC 2, and SOC 3 reports for Switch on an annual basis.

Considerable physical security controls are in place, with well-defined perimeters, blast walls and gates, clear avenues of approach and secondary perimeter barriers. Exterior doors of the datacenter lead to specially engineered man-traps built over a fire corridor wall construction.
All access points of the man-traps require additional biometric authentication of the access card holder and are controlled by 24x7 Security Officers and man-trap relay logic.

ISS physical access controls provide additional protection through the Positive Access Control procedures deployed at the facilities. Positive Access Control requires that officers in the Security Command Center, staffed 24x7, verify that each person gaining access matches a file photo. After confirmation, the officer activates the second proximity and biometric readers.

Equipment being transferred in and out of the facility is logged by facility management personnel to track environment and power needs. Additionally, equipment is transferred through a special receiving man-trap to manage secure delivery to, or extraction from, the protected environment.

Switch provides state-of-the-art environmental systems in the datacenters. Fire protection includes fire, smoke and heat detection solutions that are monitored 24 hours a day. Sensors are located throughout the datacenters and provide alerts to both infrastructure and physical security personnel for appropriate response. Datacenters are also protected with aspirating smoke detectors that are capable of, and programmed for, identifying smoke at the incipient stage. Additionally, datacenters are equipped with dry-pipe sprinklers.

Datacenters utilize multiple inbound connections from utility providers. A triple-redundant power source, which balances dual inbound power connections across three sources of power, optimizes power utilization. Backup power is provided by more than 20 uninterruptible power supply (UPS) devices and 19 diesel-powered generators across the campuses. Power distribution units are managed and secured to prevent tampering. AC and DC cables within the datacenters are color-coded for quick and succinct identification of circuit and power feeds.

EU Datacenters: ISS contracts with SunGard Availability Services in Europe. Both EU datacenters have completed SSAE audits, the reports of which are provided to and reviewed by ISS annually.

Network access is redundant, with delivery along diverse paths for high-availability routing of communications. Triangulated connectivity to multiple SunGard Availability Services datacenters provides greater diversity and resilience of communications providers. ISS connects to the EU datacenter via the established MPLS network, with internet service provider (ISP) backup connections.

Physical security controls are in place, with well-defined perimeters, blast walls and gates, and clear avenues of approach. External and internal CCTV cameras provide monitoring and digital recording that is saved to disk. A proximity-based access control system is in place to govern ingress to the facilities. Security guards are on-site 24x7, and physical security is supplemented by intruder and door alarms with external infrared detection.

There are two main power feeds for each datacenter, and the facilities are configured with a minimum of “N+1” power redundancy. There are diverse A and B power supplies in each ISS-dedicated cabinet. Additionally, ISS equipment is protected with over 20 UPS units and on-site backup diesel generators that will sustain required power in the event of a power outage. 72 hours of fuel is stored on site for the generators, with emergency provisions in place for extra fuel, if needed.

Fire suppression in the datacenter is achieved through pre-action, dry-pipe systems and early warning VESDA (air sampling) smoke detection and alarm systems. VESDA systems are approximately 100 times more sensitive than conventional fire detection systems.
Temperature and humidity controls and sensors are also employed to monitor the environment.

1.7.2 Office Equipment

Users must lock or logoff workstations, systems or applications before lea