Technical and Organizational Measures (“TOMs”)

Last updated: December 15, 2023

Measures of encryption of personal data

Data at rest is encrypted using AES 256-bit encryption for all data within FTI Technology’s direct physical control. When data at rest leaves FTI Technology’s direct control (for example, on removable hard drives), the data is encrypted using AES 256-bit encryption. All laptops use full disk encryption. Data in transit over public networks is encrypted using TLS.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

As FTI Technology assets are requested and provisioned, they undergo a security hardening configuration. This configuration consists of settings, configurations, and modifications assembled as a best-of-breed baseline from various “Best Practices” guides and publications. FTI Technology provides DDoS resiliency by designing its infrastructure and applications to scale and absorb larger volumes of traffic. FTI Technology’s network-based intrusion prevention systems (NIPS) are able to detect and mitigate web application layer DDoS attacks.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

FTI Technology has a documented standard/policy for business continuity and disaster recovery, which has been approved, communicated, maintained and reviewed annually. FTI Technology’s recovery point objectives and recovery time objectives are evaluated as part of the annual testing. The specific tools used for backups vary by region.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

FTI Technology has access to all major vendor security bulletins and has controls over identifying, scheduling, testing, and deploying patches. FTI Technology maintains controls regarding identification of vulnerabilities, risk ranking, reporting, and remediation for systems connected to their corresponding networks. This includes perimeter vulnerability scanning and internal vulnerability scans that cover workstations, servers, and network devices. FTI Technology performs internal penetration tests of its networks to identify flaws in the internal security controls that could allow an attacker to surreptitiously gain access to sensitive data and/or disrupt critical business systems. FTI Technology uses third-party vendors to perform external application and network penetration testing of these networks to identify potential vulnerabilities.

Some of FTI's individual internal business teams may manage systems separately from the FTI Technology networks. As such, the measures and controls may vary and the business teams are responsible for addressing processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing.

Measures for user identification and authorization

FTI Technology uses unique IDs. FTI Technology users authenticate to its network through Active Directory (AD). Single Sign On (SSO) is used when possible, and remote connection requires two-factor authentication and leverages FTI Technology's identity provider for connection to the FTI Technology network. Both identity providers and SSO platforms provide a unified authentication solution. Remote access to the FTI Technology network is provided via VPN with two-factor authentication and Network Access Control (NAC) host checks. Console and remote connections are made using encrypted channels such as SSH, or RDP over an encrypted transport.

FTI Technology’s standard and admin password complexity (i.e., characters, length), lockout settings, and expiration settings meet the following requirements:

  • Contain both upper- and lower-case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  • Contain at least 12 characters for standard accounts and at least 15 characters for admin accounts
  • Must be changed at least every 90 days
  • Are not words in any language, slang, dialect, jargon, etc.
  • Are not based on Confidential Information, names of family, etc.
  • User accounts are locked after 5 unsuccessful login attempts.
  • Account lockout duration: 30 minutes; the lockout counter resets after 30 minutes.
  • Password history: the last 24 passwords are remembered.
  • Passwords are stored in a protected, encrypted format.
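To make the parameters in this list concrete, the following is an added example (not FTI Technology's own code) of a policy checker that enforces the length-by-account-type, character-class, history (24) and lockout (5 failures, 30 minutes) rules stated above; the banned-word set is a constructed stand-in for the "words in any language" and "names of family" rules, and the hash used for history is a demo placeholder.

```python
import hashlib
import re
from collections import deque
from datetime import datetime, timedelta

# Parameters taken from the policy list above.
PUNCT = set('!@#$%^&*()_+|~-=\\`{}[]:";\'<>?,./')
MIN_LEN = {"standard": 12, "admin": 15}
HISTORY_SIZE, LOCKOUT_THRESHOLD, LOCKOUT_MINUTES = 24, 5, 30
CLASSES = [("lower-case letter", r"[a-z]"), ("upper-case letter", r"[A-Z]"), ("digit", r"[0-9]")]
# Constructed stand-in for the "words in any language" and "names of family" rules.
BANNED_TERMS = {"password", "welcome", "summer", "smith"}

def complexity_violations(pw: str, account: str = "standard") -> list[str]:
    """Return the complexity rules that `pw` breaks (empty list = compliant)."""
    v = [f"missing {name}" for name, pat in CLASSES if not re.search(pat, pw)]
    if len(pw) < MIN_LEN[account]:
        v.append(f"shorter than {MIN_LEN[account]} characters ({account} account)")
    if not any(c in PUNCT for c in pw):
        v.append("missing punctuation character")
    if any(t in pw.lower() for t in BANNED_TERMS):
        v.append("contains a dictionary word or personal term")
    return v

class Account:
    """Enforces password history (24 remembered) and lockout (5 failures, 30 minutes)."""
    def __init__(self, kind: str = "standard"):
        self.kind = kind
        self.history = deque(maxlen=HISTORY_SIZE)  # digests of previous passwords
        self.failures = 0
        self.locked_until = None  # datetime while a lockout is in force

    def change_password(self, pw: str) -> list[str]:
        v = complexity_violations(pw, self.kind)
        h = hashlib.sha256(pw.encode()).hexdigest()  # demo only; use a salted, slow hash in production
        if h in self.history:
            v.append(f"reuses one of the last {HISTORY_SIZE} passwords")
        if not v:
            self.history.append(h)
        return v

    def record_login(self, success: bool, now: datetime) -> str:
        """Apply the lockout rule; returns 'ok', 'failed' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0  # 30 minutes elapsed: counter resets
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            return "locked"
        return "failed"
```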

Some of FTI's individual internal business teams may manage systems separately from the FTI Technology’s networks, and as such are responsible for implementing a secure user identification and authorization process.

Measures for the protection of data during transmission and measures for the protection of data during storage

FTI Technology’s layered defense security model utilizes both network-based intrusion prevention systems (NIPS) and host-based intrusion detection systems (HIDS) within its secure network. NIPS are installed at points of ingress and egress between networks operated by FTI Technology and public networks. HIDS are installed on all Windows and Linux hosts within FTI Technology’s network.

FTI Technology has implemented next-generation host-based anti-malware software (NGAV) in tandem with legacy signature-based host anti-malware and network-based anti-malware systems to protect assets on its network from malicious software. Our NGAV platform also provides FTI Technology with an enterprise endpoint detection and response (EDR) platform. FTI Technology utilizes an industry leader in Managed Detection and Response (MDR) services to analyze our endpoint telemetry and alerts using their detection engine, which is composed of thousands of behavioral analytic use cases. Our MDR provider employs a team of experts to maintain detection coverage for attacker techniques and investigates potential threats via their proprietary analyst workbench. The MDR provider only alerts us to confirmed threats and provides us with detailed reports and the ability to customize automated response actions. Their Security Operations Center is fully staffed 24x7x365 by security analysts and threat hunters.

FTI Technology deploys firewalls, Security Groups, or network Access Control Lists (“ACLs”), as applicable, throughout its networks to allow and deny specific network traffic using key indicators such as source/destination address, source/destination port, etc. An explicit “deny all” rule is utilized as the last rule in the ACLs to deny any traffic that is not explicitly allowed.

FTI Technology has implemented both host-based and network-based data loss prevention (DLP) technology. Network-based DLP systems monitor traffic leaving the network for potential data exfiltration as data moves from inside FTI Technology’s secure network to the public internet. Host-based DLP tools monitor for client data being cut and pasted, screen captured, printed, transferred to local drives and devices, etc., and either alert on or block the activity accordingly. The host-based DLP system is monitored by an MSSP providing a 24x7x365 global analyst team that specializes in data protection.

Additionally, FTI Consulting Inc. protects data in transmission using the following:

  • Secure file transfer solutions: Secure file transfer solutions utilize TLS or SSH to allow clients to share data with FTI Technology securely over the Internet. Only TLS 1.2 or TLS 1.3 is acceptable.
  • External Encrypted Drive: FTI Technology uses drives that are FIPS 140-2 Level 3 certified and use AES 256-bit or stronger encryption, and recommends that clients do the same. Security exceptions and client risk acceptance are required for FTI Technology to send an external hard drive to clients that do not meet those standards.
  • File Stores: Matter/Engagement related files stored centrally on the network are secured so that only those explicitly authorized can access the files.
  • Email: Transport Layer Security (“TLS”), which secures email transmissions over the public internet, may be set up using opportunistic or mandatory TLS connections. Only TLS 1.2 or TLS 1.3 is acceptable.
  • "Mailbox to mailbox" encryption: secures email messages and electronic files using 256-bit AES encryption.

FTI Technology stores data in environments configured to prevent public access. Data is logically segregated from other client data. Different tools may be employed depending upon the nature and/or location of the work.

Some of FTI’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for the protection of data during transmission and measures for the protection of data during storage.

Measures for ensuring physical security of locations at which personal data are processed

For FTI offices, physical security provisions vary depending on office location; however, as per the information security policy, access to company premises, including delivery and loading areas, must require badge access. Badge access is managed by local facilities using a badge kiosk to produce access badges. All badge issuances and updates require management approval.

FTI Technology Data Centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by 24x7x365 professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Access is authorized on a least-privilege basis; authorized staff must pass two-factor authentication a minimum of two times to access data center floors.

FTI Technology’s ISO 27001 certification can be verified here: https://www.bsigroup.com/en-GB/validate-bsi-issued-certificates/client-directory-profile/FTI_CO-0047507945-002

Measures for ensuring events logging

FTI Technology has implemented Security Information and Event Management (SIEM) technology to collect logs from assets across the infrastructure and store them in a centralized location for review. These logs are collected in near real time and correlated with events generated by other information systems. Data is logged at a sufficient level of detail (e.g., user ID, activity), and logging is enabled for the entire environment. The logging must provide relevant information (e.g., authorized and unauthorized attempts, remote access).

FTI Technology system event and audit logs should capture the following events as applicable:

  • Authentication failures
  • Software or service failures
  • Logon and use of privileged IDs
  • Database changes
  • Adding/deleting users
  • Password changes
  • Adding/deleting groups and/or users associated with groups
  • Changing audit log configuration or disabling audit subsystem

Some of FTI’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for ensuring relevant events are logged.

Measures for ensuring system configuration, including default configuration, measures for internal IT and IT security governance and management

FTI Technology requires that servers undergo a system configuration security audit prior to being placed in production. FTI Technology subscribes to threat and vulnerability alert services for timely notification of such threats. This includes a checklist process for newly created devices, at least annual reviews and hardening, removal of unnecessary/insecure services, and alarms set for key events (e.g., changes to a security group or configuration).

Some of FTI's individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for ensuring system configuration, including default configuration, measures for internal IT and IT security governance and management.

Measures for certification/assurance of processes and products

FTI Technology has successfully achieved ISO 27001:2013, ISO 27017:2015, ISO 27018:2019 and Cyber Essentials Plus certified status by implementing a rigorous Information Security Management System (ISMS) for its infrastructure and networks. FTI Technology has also successfully obtained a SOC 2 Type 2 with HIPAA report attesting that controls for its infrastructure and networks are in place, designed effectively and operating effectively, and providing a historical view of its environment to further demonstrate that its internal controls are designed and operating effectively. In addition to the SOC 2 Type 2 controls, FTI Technology has included compliance with the HIPAA Security Rule as additional subject matter for its SOC 2 Type 2 with HIPAA review. An independent ENX-accredited auditor has completed a Trusted Information Security Assessment Exchange (TISAX) assessment of FTI Technology; this standard provides the European automotive industry a consistent, standardized approach to information security systems. FTI Technology has undergone a third-party Report on Compliance (ROC) for PCI DSS compliance for Service Providers by a Qualified Security Assessor (QSA) for its Card Data Environment (CDE). Our ROC provides a third-party Attestation of Compliance (AOC) outlining FTI Technology’s compliance with the PCI DSS requirements. FTI Technology is listed in the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry. FTI Consulting Inc. has certified its compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and FTI Technology is certified as a covered entity (FTI Consulting Technology LLC) under FTI Consulting, Inc.

Some of FTI’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing security measures in line with the aforementioned certification/assurance processes and products; however, those systems are not in scope for the aforementioned certification/assurance processes and products.

Measures for ensuring data minimization

FTI Technology only acquires data for the intended purpose by working with the client or business partner to ensure only the minimum amount of necessary data is obtained. Further, the terms of our DPA require that the client shall keep the amount of Personal Data disclosed or transmitted to FTI Technology, Sub-Processor and any FTI Affiliate to the minimum necessary to provide the services pursuant to an agreement.

Measures for ensuring data quality

FTI Technology is dedicated to providing clients with high quality services that meet our standards of excellence and integrity. The quality of the work for each of our clients is monitored by the Senior Managing Directors responsible for each engagement along with the colleagues in their practice teams and business segments. On a broader level, FTI sets the tone for our global organization in our Code of Conduct (https://www.fticonsulting.com/~/media/Files/us-files/our-firm/guidelines/fti-code-of-conduct.pdf) which discusses our commitment to quality throughout, and in particular in our Statement of Values.

FTI Technology takes into account the principle of purpose limitation, while making sure that the data is adequate, relevant and not excessive for the legitimate purpose. To the extent permitted by law, FTI Technology enables data subjects to exercise their rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data, and keeps data accurate and does not retain it any longer than necessary.

Measures for ensuring limited data retention

FTI Technology has various records retention policies which ensure that records are retained for the periods of time required and necessary to perform the services; that records which are no longer required after the termination of the applicable engagement, and subject to the terms in the DPA, are properly destroyed or sanitized; and that records to be retained are stored and secured in accordance with applicable laws and FTI Technology’s best practices. FTI Technology has processes in place to return original data upon the end of a contract. Data retained on backups is automatically sanitized when the data retention period expires, in a manner compliant with the NIST SP 800-88 guidelines.

Measures for ensuring accountability

FTI has a defined process to resolve complaints about privacy and its collection or use of personal information in compliance with applicable data protection laws. FTI has measures in place to ensure complaints are resolved within 1 month. Unless otherwise mandated by local law, the exact number of days to comply with a request varies, depending on the month in which the request was made and is calculated based on the day the request is received plus one (regardless of whether the day is a working day or not) until the corresponding calendar date in the next month.

Measures for allowing data portability and ensuring erasure

FTI Technology has procedures, including verifying data subjects, for providing personal data to a data subject. The personal data requested from FTI Technology will be provided in a format and structure which is commonly used and machine-readable.

Some of FTI’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such, are responsible for implementing processes and procedures to address data portability and ensuring erasure.