Technical and Organizational Measures (“TOMs”)


Last updated: August 2, 2022

Measures of encryption of personal data

Data at rest is encrypted using AES 256-bit encryption for all data within FTI Consulting Inc. and its subsidiaries direct physical control. All laptops utilize full disk encryption. Data that is in transit over public networks is encrypted in transit using TLS.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

FTI Consulting Inc. and its subsidiaries require new employees/contractors to acknowledge receipt of the following policies: Code of Ethics and Business Conduct, Anti-Corruption Policy, Acceptable Use of Technology Resources, Confidentiality Agreement, Employee Handbook Policy on Inside Information & Insider Trading, and Time Recording Policy.

FTI Technology and FTI Consulting, Inc. each have a documented business continuity and disaster recovery standard/policy that is communicated, maintained and reviewed annually. FTI Technology’s recovery point objectives and recovery time objectives are evaluated as part of the annual testing. The specific tools used for backups vary by region.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

FTI Technology and FTI Consulting Inc. each have access to all major vendor security bulletins and have controls over identifying, scheduling, testing, and deploying patches. Both FTI Technology and FTI Consulting Inc. maintain controls for the identification of vulnerabilities, risk ranking, reporting, and remediation for systems connected to their corresponding networks. This includes perimeter vulnerability scanning and internal vulnerability scans that cover workstations, servers, and network devices. FTI Technology and FTI Consulting both perform internal penetration tests of their corresponding networks to identify flaws in the internal security controls that could allow an attacker to surreptitiously gain access to sensitive data and/or disrupt critical business systems. Both entities use third-party vendors to perform external application and network penetration testing of these networks to identify potential vulnerabilities.

Some of FTI Technology’s individual internal business teams may manage systems separately from the FTI Technology networks. As such, controls may vary and the business teams are responsible for addressing processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing.

Measures for user identification and authorization

FTI Technology uses unique user IDs. Users of FTI Technology and FTI Consulting Inc. authenticate to their respective networks through Active Directory (AD); Single Sign-On (SSO) is used where possible. Remote connections require two-factor authentication, using FTI Technology's identity provider for connections to the FTI Technology network and FTI's corporate two-factor technology for connections to FTI Consulting Inc.’s networks. Both identity providers and SSO platforms provide a unified authentication solution. Remote access to the FTI Technology network is provided via VPN with two-factor authentication and Network Access Control (NAC) host checks. Console and remote connections are made over encrypted channels such as SSH or RDP over encryption. Privileged and remote access to FTI Consulting, Inc. networks must use multi-factor authentication, and secure mechanisms (e.g., TACACS+, RADIUS) must be used on all network devices.

FTI Technology’s password complexity (i.e., character classes, length), lockout and expiration settings meet the following requirements:

  • Contain both upper- and lower-case characters (e.g., a-z, A-Z)
  • Contain digits and punctuation characters as well as letters (e.g., 0-9,!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  • Contain at least 12 characters for standard accounts and 15 characters for admin accounts
  • Must be changed at least every 90 days
  • Are not words in any language, slang, dialect, jargon, etc.
  • Are not based on Confidential Information, names of family, etc.
  • User accounts are locked after 5 unsuccessful logins for FTI Technology and after 10 unsuccessful attempts for FTI Consulting Inc.
  • Accounts are locked out for 30 minutes and reset after 30 minutes.
  • Password history: 24 passwords remembered
  • Passwords are stored in a protected, encrypted format.

Some of FTI Technology’s individual internal business teams may manage systems separately from the FTI Technology’s networks, and as such are responsible for implementing a secure user identification and authorization process.

Measures for the protection of data during transmission and measures for the protection of data during storage

FTI Technology’s layered defense security model utilizes both network-based intrusion prevention systems (NIPS) and host-based intrusion detection systems (HIDS) within its secure network. NIPS are installed at the points of ingress and egress between networks operated by FTI Technology and public networks. HIDS are installed on all Windows and Linux hosts within FTI Technology’s network.

FTI Technology has implemented next-generation host-based anti-malware (NGAV) software in tandem with legacy signature-based host anti-malware and network-based anti-malware systems to protect assets on its network from malicious software. Our NGAV platform also provides FTI Technology with an enterprise endpoint detection and response (EDR) platform. FTI Technology utilizes an industry leader in Managed Detection and Response (MDR) services to analyze our endpoint telemetry and alerts using their detection engine, which is composed of thousands of behavioral analytic use cases. Our MDR provider employs a team of experts to maintain detection coverage for attacker techniques and investigates potential threats via their proprietary analyst workbench. The MDR provider only alerts us to confirmed threats and provides us with detailed reports and the ability to customize automated response actions. Their Security Operations Center is fully staffed 24x7x365 by highly trained security analysts and threat hunters.

FTI Technology deploys firewalls, Security Groups, and network Access Control Lists (“ACLs”) throughout its networks to allow and deny specific network traffic using key indicators such as source/destination address, source/destination port, etc. An explicit “deny all” rule is utilized as the last rule in the ACLs to deny any traffic that is not explicitly allowed.

FTI Technology has implemented both host-based and network-based data loss prevention (DLP) technology. Network-based DLP systems monitor traffic leaving the network for potential data exfiltration as data moves from inside FTI Technology’s secure network to the public internet. Host-based DLP tools monitor for client data being cut and pasted, screen captured, printed, transferred to local drives and devices, etc., and alert on or block the activity accordingly. The host-based DLP system is monitored by an MSSP providing a 24x7x365 global analyst team that specializes in data protection.

FTI Technology and FTI Consulting Inc. protect data in transmission using acceptable methods including:

  • Secure FTP: FTP secured with TLS or SSH allows clients to share data with FTI Technology securely over the Internet. Only TLS 1.2 or TLS 1.3 is acceptable.
  • External Encrypted Drive: FTI Technology uses FIPS 140-2 Level 3 certified drives with AES 256-bit encryption or stronger and recommends that clients do the same. Security exceptions and client risk acceptance are required for FTI Technology to send an external hard drive to clients that do not meet those standards.
  • File Stores: Matter/Engagement related files stored centrally on the network are secured so that only those explicitly authorized can access the files.

Additionally, FTI Consulting Inc. protects data in transmission using the following:

  • Email: Transport Layer Security (“TLS”), which secures email transmissions over the public internet, may be set up using opportunistic or mandatory TLS connections. Only TLS 1.2 or TLS 1.3 is acceptable.
  • "Mailbox to mailbox" encryption: secures email messages and electronic files (using 256-bit AES encryption).

FTI Technology and FTI Consulting Inc. store data in an environment that is not internet facing and is segregated from the demilitarized zone by a firewall. Client data must be logically segregated from other client data. Different tools may be employed depending upon the nature and/or location of the work.

Some of FTI Technology’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for the protection of data during transmission and measures for the protection of data during storage.

Measures for ensuring physical security of locations at which personal data are processed

For FTI offices, physical security provisions vary depending on office location; however, as per the information security policy, access to company premises, including delivery and loading areas, must require badge access. Badge access is managed by local facilities using a badge kiosk to produce access badges. All badge issuances and updates require management approval.

FTI Technology Data Centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by 24x7x365 professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Access is authorized on a least-privilege basis; authorized staff must pass two-factor authentication a minimum of two times to access data center floors.

FTI Technology’s ISO 27001 certification can be verified here:

Measures for ensuring events logging

FTI Technology and FTI Consulting Inc. have implemented Security Information and Event Management (SIEM) technology to collect logs from assets across the infrastructure and store them in a centralized location for review. These logs are collected in near real time and correlated with events generated by other information systems. FTI Technology logs are securely stored for at least 3 years. FTI Consulting Inc. logs activity, which is stored for 7 years. Data is logged at a sufficient level of detail (e.g., user ID, activity) and logging is enabled for the entire environment. The logging must provide relevant information (e.g., authorized and unauthorized access attempts, remote access).

FTI Technology and FTI Consulting Inc. system event and audit logs should capture the following events, as applicable:

  • Authentication failures
  • Software or service failures
  • Logon and use of privileged IDs
  • Database changes
  • Adding/deleting users
  • Password changes
  • Adding/deleting groups and/or users associated with groups
  • Changing audit log configuration or disabling audit subsystem

Some of FTI Technology’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for ensuring relevant events are logged.

Measures for ensuring system configuration, including default configuration, measures for internal IT and IT security governance and management

As FTI Technology assets are requested and provisioned, they undergo a rigorous security hardening configuration. This configuration consists of settings, configurations, and modifications assembled as a best of breed from various “Best Practices” guides and publications. FTI Technology requires that servers undergo a system configuration security audit prior to being placed in production. FTI Technology subscribes to threat and vulnerability alert services for prompt notification of such threats. FTI Consulting Inc. has processes in place to confirm compliance with configuration standards. This includes a process for newly created devices (e.g., a checklist), at least annual reviews and hardening, removal of unnecessary or insecure services, and alarms set for key events (e.g., changes to a security group or configuration).

Some of FTI Technology’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing measures for ensuring system configuration, including default configuration, measures for internal IT and IT security governance and management.

Measures for certification/assurance of processes and products

FTI Technology has successfully achieved ISO 27001:2013, ISO 27017:2015, ISO 27018:2019 and Cyber Essentials Plus certification by implementing a rigorous Information Security Management System (ISMS) for its infrastructure and networks. FTI Technology has also successfully obtained a SOC 2 Type 2 with HIPAA report attesting that controls are in place, designed effectively and operating effectively, which provides a historical view of its environment and further demonstrates that its internal controls for its infrastructure and networks are designed and operating effectively. In addition to the SOC 2 Type 2 controls, FTI Technology has included compliance with the HIPAA Security Rule as additional subject matter for its SOC 2 Type 2 with HIPAA review. FTI Technology has undergone a third-party Report on Compliance (ROC) for PCI DSS compliance for Service Providers by a Qualified Security Assessor (QSA) for its Card Data Environment (CDE). Our ROC provides a third-party Attestation of Compliance (AOC) outlining FTI Technology’s compliance with the PCI DSS requirements. FTI Technology is listed in the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry.

FTI Consulting Inc. holds the Certified Enterprise designation from Verizon Cybertrust and participates in their Security Management Program (SMP). The SMP is a comprehensive security risk reduction and certification program that addresses all aspects of proactive information security, from network and system analysis to physical and policy inspection. The cornerstone of SMP is the International Standards Organization (ISO) standard 27002. Individual business units may hold additional certifications or use tools that are supported by additional certifications.

Some of FTI Technology’s individual internal business teams may manage systems separate from FTI Technology’s networks, and as such are responsible for implementing security measures in line with the aforementioned certification/assurance processes and products; however, they are not in scope for the aforementioned certification/assurance processes and products.

Measures for ensuring data minimisation

FTI Technology and FTI Consulting Inc. only acquire data for the intended purpose, working with the client or business partner to ensure that only the minimum amount of necessary data is obtained.

Measures for ensuring data quality

FTI Technology and FTI Consulting Inc. are dedicated to providing clients with high quality services that meet our standards of excellence and integrity. The quality of the work for each of our clients is monitored by the Senior Managing Directors responsible for each engagement, along with the colleagues in their practice teams and business segments. On a broader level, FTI sets the tone for our global organization in our Code of Conduct, which discusses our commitment to quality throughout, and in particular in our Statement of Values.

FTI Technology and FTI Consulting Inc. take into account the principle of purpose limitation, while making sure that the data is adequate, relevant and not excessive for the legitimate purpose. To the extent permitted by law, FTI enables data subjects to exercise their rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data, and keeps data accurate and does not retain it any longer than necessary.

Measures for ensuring limited data retention

FTI Technology and FTI Consulting Inc. have records retention policies that ensure records are retained for the required and necessary periods of time, that records which are no longer useful are properly destroyed or sanitized, and that records to be retained are stored methodically and economically. FTI Technology has processes in place to return original data upon the end of a contract. Data retained on backups is automatically sanitized when the data retention period expires, in a manner compliant with the NIST SP 800-88 guidelines. FTI Consulting Inc. uses its reasonable and best efforts to prevent the premature destruction of records. FTI has processes to return data upon the end of a contract and to destroy and/or sanitize data using appropriate mechanisms based on Department of Defense (DoD) and National Institute of Standards and Technology (NIST) standards for all data-bearing devices.

Measures for ensuring accountability

FTI Consulting Inc. has a defined process to resolve complaints about privacy and its collection or use of personal information in compliance with applicable data protection laws. FTI Consulting Inc. has measures in place to ensure complaints are resolved within 1 month. Unless otherwise mandated by local law, the exact number of days to comply with a request varies, depending on the month in which the request was made and is calculated based on the day the request is received plus one (regardless of whether the day is a working day or not) until the corresponding calendar date in the next month.

Measures for allowing data portability and ensuring erasure

FTI Technology has procedures, including verifying data subjects, for providing personal data to a data subject. At FTI Consulting Inc., the requestor either receives the requested personal data directly or is given access to a tool that allows them to extract the information themselves using a self-service model. The personal data requested from FTI Technology or FTI Consulting Inc. will be provided in a format and structure which is commonly used and machine-readable.