INFORMATION SECURITY PROGRAM

PREFACE

The purpose of this program is to document Immediate Credit Recovery, Inc.’s policy to safeguard consumer/debtor information. The objectives of this policy are to ensure the security and confidentiality of consumer/debtor nonpublic information, protect against anticipated threats or hazards to the security or integrity of such information and to protect against unauthorized access to said information which could result in substantial harm or inconvenience to consumers/debtors.

SECURITY COORDINATOR

In order to ensure compliance with this program, a “Security Coordinator” shall be appointed to oversee and help direct security policy. Wendy Bianco is hereby designated “Security Coordinator.”

REASONABLY FORESEEABLE SECURITY RISKS AND SAFEGUARDS

Whereas this office receives and discloses confidential consumer information it is necessary to identify risks to the confidentiality and integrity of such information from both internal and external standpoints as well as to provide safeguards against such risks.

INTERNAL RISKS

For the purposes of this policy “internal risks” shall be defined as those risks which can result in an employee or office member misusing, misappropriating, or breaching the integrity of consumer and client information.

Whereas certain employees and office members have access to confidential information including but not limited to a debtor’s social security number, credit reports, bank account numbers, debit and credit card information, health and health insurance information, debt information and other personal financial and employment records, risk exists that such information may be negligently used or used for improper and illegal purposes.

Such risks include:

1> Personnel with access to credit and debit card information negligently handling or processing said information or misappropriating said information for personal use, sale, and other intentional misuse of said information.

2> Personnel with access to bank account information negligently handling or processing said information, misappropriating said information for personal use, sale, and other intentional misuse of said information.

3> Personnel with access to social security numbers negligently handling or processing said information, misappropriating said information for personal use, sale, and other intentional misuse of said information.

4> Personnel with access to debt information improperly altering said information to either increase or decrease said debt or otherwise misuse said debt information for improper purposes.

5> Careless handling of nonpublic information in that there is a risk of said information not being properly filed or discarded such that it may inadvertently end up in public view.

INTERNAL SAFEGUARDS

1> Beginning in the interview process informing all prospective employees, office members and independent contractors that this company’s business involves the handling of confidential nonpublic information which must be used only for proper purposes.

2> Upon hiring or contracting with an individual or entity, informing them of the importance of safeguarding the above confidential information and ensuring that they understand the importance and necessity of maintaining the confidentiality and integrity of such information. Assurance may be based upon company training and education or the person’s prior experience, including having employees acknowledge and sign appropriate confidentiality agreements.

A section on such safeguards has been incorporated into ICR’s confidentiality agreement. In order to further protect against said internal risks a section on the Safeguard Privacy Rule has been created and incorporated into ICR’s intense training program for all personnel, both new and existing. If it appears that a person’s understanding of what is nonpublic information and how to handle it is not sufficient, that person shall not be allowed access to said information until the supervisor of such person is satisfied that they have received sufficient training and have reached an appropriate level of understanding to handle the information they will have access to.

3> Including in the training of personnel the appropriate amount of education regarding the proper use to which they may put such information and the knowledge to use such information properly.

4> Limiting the personnel who can access and use confidential information to those who must necessarily see and use said information in their employment or business capacity. Further limiting access to “on premises access,” excluding key employees who may need to access information from off site.

5> Limiting the personnel who process financial transactions and interact with other financial institutions.

6> Limiting the personnel who can adjust debt information. Adjusting debt information for this purpose means changing rates, fees and amounts owed. It does not include applying payments received on a debt.

7> Maintaining a zero tolerance for intentional and fraudulent misuse of confidential information.

8> Periodically monitoring personnel to ensure compliance.

9> Maintaining good accounting practices and addressing any abnormal or suspicious activity promptly.

10> Requiring employees to adhere to written company policy and procedure.

11> Instructing employees to make sure physical records are properly stored and out of public view and maintaining a secure office environment during off hours; including shredding sensitive documents which are no longer needed and slated for destruction. In accordance with such instructions every ICR staff member has been provided with a separate disposal container for use at their workstations and additional large containers have been placed in strategic locations throughout the office including by copiers, fax machines and in the mail room. ICR has an existing contract with a shredding company which does the shredding on premises and documentation of the process is stored and secured accordingly.

12> The information systems officer shall maintain current electronic and computer security including firewalls, encryption and password security as present standards and prudence dictate.




EXTERNAL RISKS

For the purposes of this policy “external risks” shall be defined as those risks which can result in confidential nonpublic information being accessed by an improper outside source which could cause improper disclosure, misuse, misappropriating, or breaching the integrity of consumer and client information.

Whereas this company receives, maintains and appropriately discloses hard copy records, electronic records, computer records and other records of confidential information including but not limited to a debtor’s social security number, credit reports, bank account numbers, debit and credit card information, health and health insurance information, debt information and other personal financial and employment records, risk exists that such information may be accessed by an improper outside source and negligently used and/or used for improper and illegal purposes.

Such risks include:

1> Improper physical storage, transmittal, and disposal of nonpublic information.

2> Improper outside access to electronic, network, or computer information systems containing nonpublic information.

3> Improper transmittal of electronic or computer information.



EXTERNAL SAFEGUARDS

1> Except when in use, physical records of nonpublic information shall be kept out of plain view, meaning in files, folders or an office to which the public does not have access. Further, when nonpublic records are to be discarded they should be shredded or otherwise properly destroyed. In accordance with such policy every ICR staff member has been provided with a separate disposal container for use at their workstations and additional large containers have been placed in strategic locations throughout the office including by copiers, fax machines and in the mail room. ICR has an existing contract with a shredding company which does the shredding on premises and documentation of the process is stored and secured accordingly.

2> Proper care should be used in sending and receiving information, including making sure addresses and numbers are correct and fax cover sheets are used. Likewise proper care should be used in ensuring nonpublic information is not visible to outside agencies.

3> Only key and necessary employees shall have access to computer and network systems from off premises.

4> Proper outside agencies such as clients who have access to nonpublic information shall have their access limited to what they may rightfully see and appropriate electronic security shall be maintained.

5> The information systems officer shall maintain current electronic and computer security including firewalls, encryption and password security as present standards and prudence dictate.

6> Continuous monitoring of computer and network systems to ensure no breach has occurred.

EVALUATION AND ADJUSTMENT OF SECURITY INFORMATION PROGRAM

Information security is an ongoing process which should be evaluated and adjusted as needed. This program ought to be evaluated no fewer than four times per year and adjusted as necessary. Evaluation shall consist of the Security Coordinator discussing the state of the program with the management and the information technology officer and maintaining and/or adjusting policy as is deemed prudent. Upon the discovery of any significant breach the cause of the breach shall be corrected as soon as reasonably possible and adjustments to policy shall always be made if the breach was a result of a problem with the policy.


Date of Implementation: 06-01-03
Date of Last Review: 06-01-04
Policy or Procedure Updated: No

Tracy J. Murphy, Esq.
169 Myers Corners Rd., Suite 115
Wappingers Falls, NY 12590
(845) 297-6670
