Information Security Policy

Prepared by: The Mentor Method Inc.
Last Modified: March 31, 2022 - The Mentor Method Inc.
Reviewed: 

Overview


The Mentor Method Inc. Security Policy is intended as a set of comprehensive guidelines and policies designed to safeguard all sensitive and confidential data maintained by The Mentor Method Inc.; protect against any anticipated threats and hazards to the security of sensitive and confidential data; and to comply with all applicable laws and regulations on the protection of sensitive and confidential data. 


Protection of The Mentor Method Inc.'s information systems and The Mentor Method Inc.'s customers’ information systems is of critical importance to The Mentor Method Inc. and its customers. The Mentor Method Inc. is committed to protecting the confidentiality of all sensitive data that it maintains. Employees play a key role in protecting the firm and its customers by following appropriate information security practices. 


This document captures The Mentor Method Inc.’s organization-wide policies and explicitly details the minimum requirements for the use and protection of The Mentor Method Inc.'s systems and data and the use of The Mentor Method Inc.’s customers’ systems. The data covered by this policy includes any information stored, accessed or collected at The Mentor Method Inc., such as confidential data, data protected by privacy laws and sensitive institutional data. 


The information security policies set forth herein have been tailored to the nature and scope of The Mentor Method Inc.’s business activities. All employees are directed to ensure that they comply. This Information Security Policy is reviewed annually, and notice will be provided upon substantive changes. 


Additional policies may apply to individuals based on role within the organization.  It is each employee’s responsibility to be aware of and comply with all The Mentor Method Inc. policies, including the policies referenced in this document.


Information Security Responsibilities                


All The Mentor Method Inc. employees have access to at least some The Mentor Method Inc. systems and/or physical sites.  Others have access to customers’ systems.

 

Different roles have different access privileges.  All employees are responsible for upholding The Mentor Method Inc.’s information security policies.


For the purposes of this document, the following roles are enumerated. A single employee may fall under many different roles at any given time.


●    The Mentor Method Inc. system user (also referred to as “user”).  A The Mentor Method Inc. system user is an employee (either full time or contractor) who has access to and operates on at least one The Mentor Method Inc. system. This includes internal systems such as email, file shares, desktop computers, and internal web pages, among others.  It also includes hosted systems within cloud providers.
●    Customer system user. A customer system user is an employee who has access to a customer’s system in one form or another. This includes remote access (either individual or shared with other The Mentor Method Inc. employees), direct onsite access, or any other mechanism for accessing a customer’s systems.
●    Developer. A developer is an The Mentor Method Inc. employee who has access to and ability to modify source code maintained in The Mentor Method Inc.’s source control system.
●    Supervisor. A supervisor is an The Mentor Method Inc. employee responsible for determining and assigning work tasks or initiatives to other employees.
●    All employees are responsible for following the practices outlined below. Violations of any of these policies may lead to disciplinary action, including termination. 
Management Responsibilities
This section enumerates the responsibilities of management and senior personnel.  This section supplements the responsibilities of management identified elsewhere in this document and in the policies referenced herein.
●    Conduct a risk assessment of all The Mentor Method Inc. information networks and systems on a periodic basis to document the threats and vulnerabilities to stored and transmitted sensitive and customer data. 
●    Maintain an executive management team that is comprised of security personnel and executive staff to guide the company in managing security risks.
●    Management will assign the responsibility of the maintenance and enforcement of the security policies and procedures to the CISO.
●    Identify existing vulnerabilities within The Mentor Method Inc. that potentially expose the information resources to the threats. Evaluate the information resources and the technology associated with its collection, storage, dissemination and protection and estimate the risks to the confidentiality, integrity and availability of the information.
●    The frequency of the risk analysis will be determined by management but shall be no less than annual. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.
●    Review and approve this Information Security Policy and verify compliance of the organization with these policies at least annually. 
●    Apply necessary resources to address Critical risks within 30 days and Significant risks within 60 days.   
●    Monitor legislative, regulatory and industry developments with respect to data breach, data security and cross border transfers of personal data to ensure that The Mentor Method Inc. is compliant with applicable laws and regulations. 
●    Review all contracts and agreements with customers to ensure that the Information Security Policy satisfies The Mentor Method Inc.’s contractual obligations.

 

User Responsibilities


This section enumerates the responsibilities of all The Mentor Method Inc. system users.


●    Users may only use systems for approved business and permitted personal purposes only (described in further detail in this document).
●    Users must act to protect data to which they have access.  This includes the policies enumerated in this Policy, as well as using common sense.
●    Users must protect the physical security of devices with access to The Mentor Method Inc. or customer information, including portable devices.
●    Users must not attempt to circumvent access control or auditing systems, including (but not limited to) network access control and filtering systems.
●    Users must ensure that The Mentor Method Inc. data (including intellectual property) is not transferred out of The Mentor Method Inc.’s systems.
●    Users must ensure that customer information to which they have access is not transferred to unauthorized third parties.
●    Users are responsible for maintaining effective passwords and not sharing passwords with others or providing system access to unauthorized users.
●    Users are responsible for reporting misuse or violation of policies, either intentional or unintentional.
●    Users must use industry best practices to prevent the introduction of viruses or other malicious software into an The Mentor Method Inc. environment.
●    Users with access to The Mentor Method Inc. information and information systems are required to complete security awareness training at least annually.  

 

Supervisor Responsibilities


This section enumerates the responsibilities of all The Mentor Method Inc. supervisors.


●    Assign access rights to customer environments only as necessary.
●    Ensure that a periodic review of their team's access to customer environments is performed.
●    Establish and implement appropriate practices and procedures to protect systems and data within their business area.
●    Provide users with appropriate training regarding information security and periodically remind them of their responsibilities in supporting it. 
●    Act on and escalate any reported misuse or violation of any policy to executive management.
●    Update users on legal requirements to protect confidential information and advise regarding any new security risks or possible breaches. 


Developer Responsibilities


This section enumerates the responsibilities of all The Mentor Method Inc. developers.


●    Implement software to achieve the designated business purpose and no other purpose.
●    Developers must not implement techniques to circumvent access control or auditing systems.
●    Know, understand and follow stated quality, build and software development processes.
●    Use industry best practices to prevent the introduction of viruses or other malicious software into The Mentor Method Inc. software.


Third Party Service Providers


The Mentor Method Inc. exercises appropriate diligence in selecting service providers capable of maintaining appropriate security safeguards for confidential information and personal data to which they may have access or control. 


Third party service providers are required to enter into agreements with The Mentor Method Inc. that incorporate standard, contractual protections requiring implementation of appropriate safeguards. All relevant contracts with these third parties are reviewed and approved by an applicable member of management. 


Certain third party service providers may be considered to be high-risk pursuant to The Mentor Method Inc.’s Risk Management Policy. For example, third party providers of datacenter facilities utilized in the provisioning of The Mentor Method Inc.’s colocation services are deemed high-risk. The Mentor Method Inc. monitors, on an annual basis, the information security practices of any such high-risk third party service providers. Monitoring may include reviewing such organization’s SOC2 Type 2 audit reports, as applicable. Any potential risks identified during this process are considered in accordance with The Mentor Method Inc.’s risk management process.


If, in the course of performing business duties, an employee is made aware of a breach or potential breach of security protocols on the part of the third party vendor, the employee must immediately advise a member of management.


Customer Information Protection


Protection of The Mentor Method Inc.’s customers' confidential information is of critical importance. The improper disclosure of customer confidential information poses significant business and reputational risk to The Mentor Method Inc., and all employees must follow all reasonable steps to protect such information. 


To protect The Mentor Method Inc.’s customers’ confidential information, The Mentor Method Inc. strictly prohibits transferring any customer confidential information out of a customer’s systems to any unauthorized third party system.  


Customer confidential information may be transferred to The Mentor Method Inc.’s systems if necessary for the provision of services to our customers and only as permitted under our contractual agreements and in accordance with this Section.


Classification of Customer Confidential Information


For the purpose of identification, set forth in this section are the different types of customer confidential information, classified according to the level of sensitivity and the treatment afforded such information. 


Customer confidential information that is classified as “sensitive information” shall be treated with the utmost confidentiality and may not be transferred outside of a customer’s system.


Customer confidential information that is classified as “internal use information” is still treated as confidential, but may be transferred to The Mentor Method Inc.’s systems.
Customer confidential information that is classified as “personal information” is information that pertains to a specific individual that can be linked to that individual. Personal Information shall be treated with the utmost confidentiality in accordance with the data protection rules set forth in Section: Protection of Personal Information. 


Sensitive Information


The most common form of customer confidential information is the non-public information maintained in that customer’s system. This type of customer confidential information is referred to as “sensitive information.”  Sensitive information may also reside in the underlying persistent data stores (i.e., database) and log and output files in the customer’s system.


Examples of sensitive information of a customer include:


●    Trade records, trading positions or activity
●    Investment strategies and investment holdings
●    Order, RFQ and Quote records
●    Counterparty/customer lists
●    Pricing and quoting rules
●    Users and user credentials
●    Financial account information, account balances

 

The Mentor Method Inc. employees should only access and view sensitive information that they are authorized to access and as required in the performance of their duties. Customer confidential information that is considered sensitive information should not be transferred to The Mentor Method Inc.’s systems without express written authorization from an individual at the customer that has the authority to approve such transfer. 


Additionally, sensitive information may be transferred to The Mentor Method Inc.’s systems solely as, and only to the extent necessary in an emergency support situation as determined by a supervisor.


Internal Use Information 


There are circumstances in which we may transfer limited customer confidential information to The Mentor Method Inc.’s systems. In these instances, the confidential information being transferred is not deemed sensitive information, but rather “internal use information.” The Mentor Method Inc. employees must treat the access, transfer and disclosure of such internal use information with the same degree of care that we treat The Mentor Method Inc. confidential information.
System Diagnostic and Aggregated Data
In certain instances The Mentor Method Inc. is permitted to transfer system diagnostic information or aggregated data to The Mentor Method Inc. systems as internal use information. Such data, even if in aggregated form, is considered confidential and transferable only to The Mentor Method Inc.’s systems. 
Transfer of internal use information from a customer system to The Mentor Method Inc.’s systems will occur with respect to:
●    Software log files strictly for the purpose of software issue identification and resolution.
●    System health information (process status, memory use, disk space, etc.) used strictly for the purposes of early identification and prevention of production software failure.
●    Information to facilitate general improvements of the customer’s software system, system statistics.
●    Information to aid in capacity planning and performance analyses.


There may be instances where data considered internal use information incidentally captures limited portions of sensitive information; however, these occurrences do not change such data’s classification, which remains internal use information and shall be treated accordingly.


Audit and Trading Activity Reports


The Mentor Method Inc. software includes auditing code that generates output log information for the sole purpose of monitoring the scope of usage of The Mentor Method Inc. software. The output log information is considered internal use information. 


The Mentor Method Inc. may generate additional reports about activity on a trading system.  The information contained in the activity reports is considered internal use information.


Trading activity reports may include the following types of information:


The Mentor Method Inc. may also regularly distribute trading activity reports (or other reports as requested) to a customer upon a written request from the customer (and discontinue such distribution upon written request).  


Protection of Personal Information


Purpose


As part of our operations, The Mentor Method Inc. needs to obtain and process information that makes a person identifiable such as names, date of birth, address,digital footprints, photographs, social security numbers, financial data (“Personal Information”).
The Mentor Method Inc. is committed to ensuring that Personal Information is gathered, accessed and stored fairly and transparently and in accordance with applicable laws and regulations, such as the General Data Protection Regulation (GDPR), the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. 
All personnel (including employees, contractors, and consultants) are required to adhere to the data protection policy set forth below in connection with the collection, use, and retention of Personal Information.


Scope


The categories of Personal Information that are implicated by the Data Protection Policy are as follows:


●    Personal Information regarding individuals that visit the The Mentor Method Inc..io website,  including, via third party sites maintained by or on behalf of The Mentor Method Inc. such as employment recruiting portals
●    Personal Information regarding personnel of our third-party service providers  that may be processed for the purpose of managing and administering The Mentor Method Inc.’s business relationships with such third parties,
●    Personal Information regarding personnel of our current, former and prospective customers that may be processed in connection with the delivery of The Mentor Method Inc. services, maintenance of ongoing relationships, and performance of business development activities. 
●    Personal Information regarding current, former, and prospective personnel of The Mentor Method Inc.


Data Protection Measures 


In order to achieve The Mentor Method Inc.’s commitment to collecting Personal Information in a transparent way and with the cooperation and knowledge of interested individuals, all personnel should be familiar with and follow these data protection measures:  


Lawful Basis to Collect, Access and Use Personal Information    : Under the GDPR, for example, there must be lawful grounds (also known as a “lawful basis”) to collect or use Personal Information. At The Mentor Method Inc., personnel typically have a lawful basis to collect or use Personal Information because such collection or use is necessary to perform business activities, such as payroll, benefits and other similar activities for which The Mentor Method Inc. has a legitimate interest. Other legitimate interests are the collection and/or use of Personal Information to perform services under a customer contract or to comply with compliance obligations such as employee training. 


You must obtain the express consent of an individual whose Personal Information you possess before using such Personal Information for direct marketing purposes, or for using (in any way) Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual's health (“Sensitive Personal Information”). Any such consent must be in writing so that The Mentor Method Inc. can demonstrate compliance with consent requirements if the need requires. Check with Legal before seeking such consent to ensure you are documenting consents appropriately. 


Where an individual has agreed to the collection, processing and/or transfer of their Personal Information for a specific purpose, they are entitled to withdraw their consent at any time. If you receive notification that an individual wants to withdraw consent, please notify management . Unless The Mentor Method Inc. has a legitimate basis for continuing to process such Personal Information, we will be required to stop.


You must also obtain the express consent of an individual before using (in any way) Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual's health (“Sensitive Personal Information”). However, do not collect or use Sensitive Personal Information unless you have obtained specific approval.


Purpose Limitation:  Prior to collecting any Personal Information, ensure that your use is covered in The Mentor Method Inc.’s Privacy Policy.    


Data  Minimization: Limit the amount of Personal Information you collect or process to the minimum required. The amount of information that you hold about a person should be adequate for its purpose, and no more. While you shouldn't collect Personal Information where it is unlikely that it will be useful in the future, you may be able to justify holding such Personal Information for a foreseeable event that may never occur if the need to have the information can be made clear.


Accuracy:  Personal Information that is stored should be accurate and, where necessary, kept up to date. Should you receive any request from an individual seeking information about their Personal Information, please direct them to management.


Storage: Personal Information should be kept in identifiable form and retained for no longer than is necessary to fulfill the original purpose for which it was collected, including for the purpose of satisfying any legal, regulatory, tax, accounting, provisioning of services, or reporting requirements. The exact length of time you are entitled to retain Personal Information will vary according to applicable rules, regulations, and/or policies. Once the required retention period is over, however, you must take all reasonable steps to erase or destroy the relevant Personal Information.


Store Personal Information in a manner and location that cannot be easily accessed. Ensure that access to Personal Information is appropriately restricted to only those The Mentor Method Inc. employees that require such access.     


Security:  The Mentor Method Inc.’s Information Security Policy incorporates appropriate physical, electronic and managerial procedures to safeguard and secure Personal Information from loss, misuses and unauthorized access, disclosure, alteration and destruction. 


If you are aware or suspect the occurrence of a security incident that may involve the misuse or unauthorized access, disclosure, alteration or destruction of Personal

Information, you should immediately contact management and otherwise follow the steps outlined in this Information Security Policy and The Mentor Method Inc.’s Computer Security Incident Response Plan. 


Distribution to Third Parties:  Do not distribute or transfer Personal Information to third parties.


Personal Information should not be uploaded to any third party tool unless management has approved such a tool for receipt and processing of Personal Information. 
Any vendor or third party service provider that has been approved to access, process and/or store Personal Information covered within the scope of this Data Protection Policy must be approved in accordance with The Mentor Method Inc.’s Vendor Management Policy.


Compliance with Data Protection Policy


All personnel should adhere to the principles described in this policy. If there are any questions with respect to compliance please speak to management. Violation of any of the terms of the Data Protection Policy may result in disciplinary action. 


The Mentor Method Inc. Infrastructure and Access


For the protection of both The Mentor Method Inc. and our employees, The Mentor Method Inc. prohibits the transfer of company intellectual property (i.e. source code, email) or customer information to non-work related devices, with a limited exception for personal phones. 


Software Maintenance and UpKeep


All The Mentor Method Inc. users are responsible for keeping the system they operate in good working condition. This includes both physical condition and the condition of installed software. This includes keeping up to date with security patches and updates.
Disposal and Termination


The Mentor Method Inc. equipment and electronic media must be properly disposed of as outlined by the Data Destruction Policy. Proper disposal includes destruction or removal of sensitive and confidential information from disposed systems, including hard copy, magnetic media, flash media and CD ROM disks. 

Upon the termination of an employee’s relationship with The Mentor Method Inc., an employee is responsible for returning all company property to The Mentor Method Inc.. Passwords and user credentials will be deactivated and access to confidential and sensitive information will be immediately restricted. 


Mobile Phones


A personal phone may be used to access The Mentor Method Inc. email. An employee agrees to abide by the conditions described below when adding The Mentor Method Inc. email access to their phone.

When using a phone to access The Mentor Method Inc. email, whether The Mentor Method Inc. owned or personal, the following measures must be taken to protect the information on the device: enabling passcode locks with a secure passcode, auto-lock, and "find my phone". Employees who do not employ such measures will have their mobile access privileges revoked.

The loss or theft of any phone with access to The Mentor Method Inc. email must be reported to The Mentor Method Inc. technical management immediately so access may be disabled and remote wipe employed where available.


Laptops/Desktop


The Mentor Method Inc. issues laptops to employees when The Mentor Method Inc. deems appropriate.  Employees must make best efforts to protect the physical and electronic security of a The Mentor Method Inc. issued laptop. Additionally, desktop computers located outside of an The Mentor Method Inc. Office are considered Laptops for the purpose of this section.  

 

Employees must take care to protect The Mentor Method Inc.'s equipment and network from malicious software (malware, viruses, etc.).  This includes protecting the software environment of that equipment by maintaining software firewalls, up-to-date virus software and avoiding installation and running of "risky" software.  Risky software is software downloaded from the internet from unreliable sources or running software providing publicly available internet-based services (such as webserver, email servers, etc.).  Additional care must be taken to avoid using The Mentor Method Inc. equipment on networks with potentially compromised or compromised services such as generally available internet-facing services like Telnet servers, FTP servers, Tor servers, chat servers, Torrent servers, etc. 

Network and Endpoint Security


The Mentor Method Inc.’s network and servers are protected in restricted access, climate-controlled facilities. Access to The Mentor Method Inc. equipment is only authorized for designated personnel and authorized vendor technicians. 

Firewall rules are enforced and updated regularly and virus scanning operates throughout the network.

Transmission of Data 


All traffic between The Mentor Method Inc.'s private network and outside networks, with the exclusion of known, whitelisted targets, is passed through a proxy and scanned by our IDS / IPS system in an effort to protect us from viruses and malware.

Data transmitted within The Mentor Method Inc.’s private network (or intranet) is not encrypted, nor are routine email communications leaving the The Mentor Method Inc. network. 

Care must be taken to ensure the safe transmission of data between systems.  Sensitive data must be transmitted in a secure format. Secure formats include standard encryption protocols (such as SSL or HTTPS) or encrypted media or archive files. Access to The Mentor Method Inc.’s intranet and is encrypted via HTTPS.

Unknown Devices


The phrase "unknown devices" is given to such items as kiosks, hourly computing stations for rent, friends and family members computers, or any other types of device for which The Mentor Method Inc. has little to no knowledge regarding its safety and security. These devices are never to be used for storing, processing, accessing or transmitting sensitive and confidential information due to the lack of knowledge of their respective security practices. For the avoidance of doubt, unknown devices may not be used to access The Mentor Method Inc.’s email, VPN, instant messaging and intranet, nor any customer systems

Email


Email is generally considered an unsecure communication format.  Transmission of clear text passwords over email should be avoided. Transmission of domain or system passwords should be avoided; however, where transmission of such password over email is required, the password must be emailed as encrypted and “requiring a password change upon first use.” 

Employees should exercise care when discussing sensitive legal, financial, or personnel matters via external e-mail. E-mail messages are considered evidence by the courts and can easily be taken out of context or misinterpreted. 

Passwords


The Mentor Method Inc. does not permit storing passwords in a web browser.  Passwords shall be stored and shared in a secure manner via The Mentor Method Inc. approved password manager. 

Privileged accounts consist of accounts with elevated access to systems and applications. Employees with privileged accounts must not use the same password for both their normal account and their privileged account and are required to change their password immediately upon issuance for the first-use.

Service accounts must not have non-interactive login permission with a minimum random password generated length of 16 characters. 

The Mentor Method Inc.’s password protocol provides for the following requirements with regard to ensuring secure password selection and use (where applicable):

●    Password must be changed every 180 days (may not apply to service account)
●    Minimum password age is 1 day
●    Password cannot match with any of the user’s previous 24 passwords
●    Minimum length is 10 characters (may not apply to service account)
●    Locked out after 5 failed attempts for 5 minutes.
●    Password complexity requirements:
○    Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
○    Contain characters from three of the following four categories:
○    English uppercase characters (A through Z)
○    English lowercase characters (a through z)
○    Base 10 digits (0 through 9)
○    Non-alphabetic characters (for example, !, $, #, %)

If there are any concerns regarding password selection please speak to a member of management.


Instant Message Platforms


The Mentor Method Inc. utilizes a hosted (Slack) end-to-end encryption instant message system over which sensitive information may be securely transmitted, including transmission from authorized The Mentor Method Inc. devices over the internet. Nevertheless, employees should exercise discretion when utilizing The Mentor Method Inc. Dashboard and Slack instant messaging system. Instant messages can be discoverable in legal proceedings, and can easily be taken out of context or misinterpreted.

Exercise caution when using instant message platforms that are not maintained by The Mentor Method Inc., in order to avoid transmission of sensitive data and confidential information, including passwords, over publicly available instant message platforms. 


VPN Access


The Mentor Method Inc. provides VPN Access to employees to access The Mentor Method Inc. internal systems. The Mentor Method Inc. VPN client may only be run from The Mentor Method Inc. work equipment to access The Mentor Method Inc. systems. Extreme care must be taken when running the VPN client from a The Mentor Method Inc. laptop on a public network. 


Physical Site Access


The Mentor Method Inc. employees may have access to one or more physical office sites. Access mechanism is dependent on the actual physical location, but typically includes a key card used to access the building and a key or key card to access the office suite within the building.
The Mentor Method Inc. employees must 
●    Keep keys and key cards secure.
●    Ensure office premises are locked when no employees are physically present (for those offices without electronic timed locks, the last employee to leave must ensure the door is locked).
●    Ensure that unauthorized individuals do not have access to office facilities. 
●    Challenge unescorted visitors and determine whether they have a legitimate business purpose for being onsite.
●    Immediately report any unknown individuals in the office locations to management.
●    Ensure that no unauthorized access to our server rooms/datacenter is permitted. 
●    Immediately report the loss or theft of any keys or key cards.

Invited visitors are permitted at office locations. Visitors must be escorted at all times. Employees are responsible for the behavior of their authorized visitors and their compliance with all applicable The Mentor Method Inc. policies, including this Policy.

Active physical records, whether official or unofficial, that include personally identifiable information or sensitive data, are maintained in a secured drawer or cabinet with access limited to only those who need to use the information for a business reason. Inactive or unofficial physical records are securely destroyed once they are no longer needed for business purposes


Information Security Risks


There are several reasonable and foreseeable internal and external risks to the security and integrity of confidential information and sensitive data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security of confidential information.  These risks may include, but are not limited to:


●    Unauthorized access of customer information by individuals not approved for access
●    Compromised system security
●    Interception of data during transmission
●    Loss of data integrity
●    Physical loss of data
●    Unauthorized transfer of confidential or customer information to third parties

Compliance with the policies in this Policy and other applicable The Mentor Method Inc. policies by all employees will minimize any security risks and reduce the likelihood of any security breaches.


Security Incident Response


In the event of an actual or suspected breach, The Mentor Method Inc. will take immediate action to secure any information that has or may be compromised by following the Incident Response Plan. This includes identifying and immediately stopping the source or entity responsible for breach. 

Involved personnel must take immediate steps to identify, preserve and sequester pertinent records, files, and other documents (paper and electronic), which includes review of files and programs that may reveal how the breach occurred. 

A member of the technical management team will immediately be designated to lead the incident response and be the focal point of internal communication during the response. 

The following steps are to be employed (not necessarily sequentially) during incident response:


●    Identify and assess the incident including severity, scope and impact
●    Notify management team 
●    Contain the incident / isolate the impacted systems
●    Collect forensic evidence
●    Implement temporary fix / remediate
●    Implement permanent fix 
●    Post-mortem review 


Reporting of Breaches


Individuals must immediately escalate to a member of the management team incidents involving actual or suspected breaches of systems, policies, and/or improper or unauthorized access to or disclosure, misuse, alteration, destruction or other compromise of information or data covered by this Policy. 

Management shall immediately notify customers if the breach involves their systems or data, regardless of severity. Management will determine in its sole discretion whether it is appropriate to notify law enforcement if breach potentially involves criminal activity or there is evidence that the breach has resulted in identity theft or related harm.

Management will document for internal assessment and recordation, all breaches and subsequent responsive actions taken to mitigate the security breach incident. All such documentation remains confidential information of The Mentor Method Inc. and may not be shared with customers or third parties.


The Mentor Method Inc. Policies


The following policies are cross-referenced herein. All such policies have been provided to The Mentor Method Inc. personnel and are available on The Mentor Method Inc. Wiki.

The Mentor Method Inc. Employee Manual
The Mentor Method Inc. Privacy Policy
The Mentor Method Inc. Risk Management Policy
The Mentor Method Inc. Incident Response Plan
The Mentor Method Inc. Business Continuity Plan