Information Security at Carlton Fields · 2016. 12. 21. · New York Chrysler Building 405 Lexington Avenue | 36th Floor New York, New York 10174-0002 main 212.785.2577 fax 212.785.5203

Information Security at Carlton Fields

Carlton Fields is ISO 27001:2013 Certified

Following a rigorous certification and audit process, Carlton Fields has earned ISO/IEC 27001:2013 certification, the most widely adopted information security standard in the world, and the highest level of security-related accreditation a business can achieve.

This certification, which covers all of the firm’s offices and data centers in the United States, attests that formal security and risk management controls are in place to protect sensitive company, client, and employee information.

Our clients, particularly in the financial services sector, are increasingly concerned about information security. ISO 27001 certification is an important part of our firm’s overall security strategy, and demonstrates our commitment to investing in the technology and training necessary to protect our clients’ confidential business matters.

Carlton Fields places a high priority on the security and management of our clients’ data. We understand the importance of keeping pace with changes to security threats, vulnerabilities, and business impacts.

12.2016

Introduction

At Carlton Fields, we believe that maintaining the confidentiality of client information depends in part on a robust data privacy and information security program. We consider information security a fundamental aspect of doing business and are committed to protecting client information and personal data. To support this view, we employ many technological and security processes.

This document summarizes the components of our information security program.

Physical Data Centers

Our primary computing systems are located at our Tampa, Florida offices. Access to the server space is limited to a subset of information systems (IS) employees on an as-needed basis. Both a keycard and a PIN code are required to gain entry.

Our disaster recovery systems are located at a top-tier commercial data center in Dallas. Physical access is highly restricted. The entrance is guarded and there are additional keycard and lock systems leading to the server cage.

Both systems have redundant power/uninterruptible power supplies and generator backups.

Backups/Availability

We maintain multiple backups, through varied systems, including near real-time synchronization between the Tampa and Dallas data centers.

We use Zerto, with near real-time replication of virtual machines, for primary backup. We use Microsoft Data Protection Manager and CommVault for secondary, disk-based backup. Critical servers also have tape backups. Backups are retained on local storage for 15 days and copied to tape weekly; the tapes are stored offsite at Iron Mountain for one year.

We also use Shadow Copy backups for file shares within our Windows server infrastructure.

We test our recovery capabilities—email, Shadow Copy, Zerto replication, and SQL database dumps—quarterly.

Attorneys and staff have access to virtual desktop systems, ensuring that work can continue should a local system or site be unavailable. Our Business Continuity Program, which includes firmwide incident plans, office-specific incident management plans, and department-level business continuity plans, addresses this possibility.

We test our business continuity and disaster recovery plans annually.

Network

Access to our computer network from outside the firm is protected by multiple Cisco intrusion detection system (IDS) and next-generation firewall systems. All internet connectivity passes through these systems. We use a tiered filtering system to limit access to internet sites as appropriate within our workplace.

We permit BYOD access to the network, subject to the following: (a) managed devices, enrolled in MobileIron MDM, can access a subset of the network plus the internet; (b) unmanaged devices can access only the internet.

We permit authorized individuals to access our systems remotely via Citrix, VPN, and VMware Virtual Desktop. We are standardizing on VMware Virtual Desktop and deprecating the other remote access methods. All remote access methods, including web-based access to corporate email, require two-factor authentication.

Wireless Networking

We provide three wireless networks:

• Corporate devices, authenticated by certificate, receive full access to our systems.

• BYOD devices managed under mobile device management (MDM) control receive access to a subset of the network and the internet.

• Unmanaged and guest devices use a guest network with internet access and no access to internal systems.

All our wireless networks are encrypted with WPA2 using AES (CCMP). Note that CCMP itself uses 128-bit AES keys; the 256-bit figure often quoted for WPA2 refers to the pairwise master key from which the session keys are derived.

Vulnerability and Penetration Testing

We employ third-party penetration testing of our internet-facing systems, internal servers, and wireless networks annually.

We run vulnerability scanning and alerting software within the IS department.

Patching

We patch our physical and virtual desktops, and our servers, on a rolling basis each month, with timing based on the nature of the patch and any necessary testing. We maintain records of the success rates of our patch efforts.

Encryption

Our virtual desktop users have their virtual machines stored on a secured storage area network (SAN), and all communication between the client and the virtual machine server is encrypted.

Our SANs use encryption at rest.

We provide email encryption, as appropriate, in the following ways:

• Opportunistic transport layer security (TLS): if your mail server advertises STARTTLS, we encrypt the connection by default. If it does not, the message falls back to an unencrypted connection, which is the limitation of opportunistic TLS.

• Enforced TLS: on request, we will work with your IS department to require TLS for all mail traffic between our domains, so that delivery is deferred rather than falling back to cleartext.

• Mimecast Closed Circuit Messaging: available on demand to all Carlton Fields users, this encrypts a message and requires you to retrieve it via a secure web portal.

Any attorney or staff member with the ability to write CDs, DVDs, or USB drives is provided software and training to encrypt the media. We allow unencrypted media for delivering certain presentations, public-record court materials, and so forth.
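The difference between opportunistic and enforced TLS is what the sending server does when STARTTLS is not available. The following Python, added here as an illustration and not part of the Carlton Fields document, simulates the sending side's decision: it parses a constructed EHLO reply, applies a policy level named in the Postfix convention (`may`, `encrypt`, `secure`; an assumption, since the document names no mail software), and shows what an attacker who strips the STARTTLS capability from the reply achieves under each level. Server and certificate names are made up.

```python
"""Opportunistic vs enforced STARTTLS, simulated offline.

Assumptions (none of these come from the Carlton Fields document):
  - policy level names follow Postfix's smtp_tls_security_level convention;
  - EHLO replies and certificate names below are constructed sample data.
"""
from dataclasses import dataclass

# may     = opportunistic: use STARTTLS if offered, otherwise send in cleartext
# encrypt = mandatory: defer delivery unless STARTTLS is offered
# secure  = mandatory, and the server certificate must match the expected name
LEVELS = ("may", "encrypt", "secure")


@dataclass
class ServerView:
    """What the sending MTA observes from the receiving server."""
    ehlo_lines: list        # raw EHLO reply lines, e.g. "250-STARTTLS"
    cert_names: tuple = ()  # DNS names in the server certificate (constructed)


def parse_ehlo(lines):
    """Return the set of capability keywords in an EHLO reply.

    Lines look like '250-STARTTLS' (more follow) or '250 SIZE 35882577'
    (last line). The first line is the greeting and carries no capability.
    Keywords are case-insensitive (RFC 5321).
    """
    caps = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = line[4:].split()   # drop the '250-' / '250 ' prefix
        if words:
            caps.add(words[0].upper())
    return caps


def name_matches(expected, cert_names):
    """Exact or single-label wildcard match (RFC 6125 section 6.4.3)."""
    expected = expected.lower()
    for name in cert_names:
        name = name.lower()
        if name == expected:
            return True
        if (name.startswith("*.") and expected.endswith(name[1:])
                and expected.count(".") == name.count(".")):
            return True
    return False


def decide(level, expected_name, server):
    """Apply the TLS policy for one delivery attempt.

    Returns (action, reason); action is 'send-tls', 'send-plain' or 'defer'.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown policy level {level!r}")
    caps = parse_ehlo(server.ehlo_lines)
    if "STARTTLS" not in caps:
        if level == "may":
            # The opportunistic failure mode: an active attacker who removes
            # STARTTLS from the EHLO reply receives the message in cleartext.
            return "send-plain", "STARTTLS not advertised; opportunistic fallback"
        return "defer", "STARTTLS required but not advertised"
    if level == "secure" and not name_matches(expected_name, server.cert_names):
        return "defer", f"server certificate does not match {expected_name}"
    # 'encrypt' stops at this point without verifying the certificate, so it
    # defeats passive capture and STARTTLS stripping, but not an attacker
    # who presents their own certificate.
    return "send-tls", "STARTTLS negotiated"


def strip_starttls(lines):
    """Simulate an on-path attacker removing the STARTTLS capability."""
    return [line for line in lines if "STARTTLS" not in line.upper()]


# Constructed EHLO reply from a server that supports STARTTLS.
GOOD_EHLO = [
    "250-mx.client-example.com",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]

if __name__ == "__main__":
    honest = ServerView(GOOD_EHLO, cert_names=("mx.client-example.com",))
    attacked = ServerView(strip_starttls(GOOD_EHLO), honest.cert_names)
    for level in LEVELS:
        print(level, "honest:", decide(level, "mx.client-example.com", honest))
        print(level, "stripped:", decide(level, "mx.client-example.com", attacked))
```

Under `may` the stripped reply yields `send-plain`; under `encrypt` and `secure` it yields `defer`, which is the behaviour the "enforced TLS" option above buys. Only `secure` also rejects a server presenting a certificate for the wrong name.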

Cloud-Based Computing

We have a business associate agreement with box.com and use it as our only approved cloud data storage provider. If directed by you, we will retrieve information from Dropbox or other providers, or via file transfer protocol (FTP), but will in almost all circumstances be unable to return data in this format without explicit written instructions to do so and sign-off from our risk management partner.

General

All attorney and staff systems have metadata removal tools installed, and these run automatically on all attachments when an email is sent.

All desktops, laptops, and virtual machines require username/password login, with complex passwords that must be changed at least every 60 days. Users cannot change screensaver timeouts, and systems lock after a specified period of inactivity. We disable accounts after six incorrect login attempts.

Laptops and mobile devices managed by IS have location tracking and remote wipe capability.

We provide an annually updated “Security Awareness Guide” to all attorneys and staff; to new hires as part of their onboarding; and to all others as part of an annual process requiring their explicit acknowledgment of the guide. We also provide annual awareness training in person in all offices, and as-needed security training/notifications.

All attorneys and staff acknowledge several other policies annually, including confidentiality and HIPAA obligation policies.

Personnel

Our Chief Information Officer oversees our security program. On a day-to-day basis the program is managed by our Manager, IS Process & Security. Their contact details are below.

David W. Bailey
Chief Information Officer

[email protected] 813.229.4225

https://www.linkedin.com/in/david-bailey-b926491

Gary K. Slinger, MBCS, GSLC, GLEG, C)DRE
Manager, IS Process & Security

[email protected] 813.229.4363

https://www.linkedin.com/in/garyslinger

Note: Specific products named in this document are correct at press time, but may be replaced as technology and operational practices develop.

Tallahassee 215 S. Monroe Street | Suite 500 Tallahassee, Florida 32301-1866 main 850.224.1585 fax 850.222.0398

Los Angeles 2000 Avenue of the Stars | Suite 530 North Tower Los Angeles, California 90067-4707 main 310.843.6300 fax 310.843.6301

Miami Miami Tower 100 S.E. Second Street | Suite 4200 Miami, Florida 33131-2113 main 305.530.0050 fax 305.530.0055

West Palm Beach CityPlace Tower 525 Okeechobee Boulevard | Suite 1200 West Palm Beach, Florida 33401-6350 main 561.659.7070 fax 561.659.7368

Tampa Corporate Center Three at International Plaza 4221 W. Boy Scout Boulevard | Suite 1000 Tampa, Florida 33607-5780 main 813.223.7000 fax 813.229.4133

Atlanta One Atlantic Center 1201 W. Peachtree Street | Suite 3000 Atlanta, Georgia 30309-3455 main 404.815.3400 fax 404.815.3415

Orlando 450 S. Orange Avenue | Suite 500 Orlando, Florida 32801-3370 main 407.849.0300 fax 407.648.9099

New York Chrysler Building 405 Lexington Avenue | 36th Floor New York, New York 10174-0002 main 212.785.2577 fax 212.785.5203

Hartford One State Street | Suite 1800 Hartford, Connecticut 06103-3102 main 860.392.5000 fax 860.392.5058

Washington, DC 1025 Thomas Jefferson Street, NW | Suite 400 West Washington, DC 20007-5208 main 202.965.8100 fax 202.965.8104

Carlton Fields practices law in California through Carlton Fields Jorden Burt, LLP.

www.carltonfields.com