THIS IS A PRIVATE COMPUTER SYSTEM.

Valuation Connect is committed to protecting both its proprietary and customer data. To do this, Valuation Connect has established a formal information security program to ensure appropriate controls are in place to safeguard sensitive data from unauthorized access or disclosure. The Valuation Connect security program is comprised of both technical and procedural controls. Valuation Connect has employed advanced next generation firewalls with Intrusion Prevention System (IPS) at the network perimeter configured in pairs for high availability. Public facing systems are segmented within a DMZ, isolated from internal systems by a pair of next generation firewalls protecting the intranet. All servers reside within either Valuation Connects primary or secondary data center. Data centers are enterprise class co-location providing air handling, power and network connectivity. Valuation Connect maintains its own cage with access controls. Datacenters maintain SOCI/II reports which Valuation Connect reviews on an annual basis. Both data centers and operational facilities provide physical security controls including, video monitoring, access controls, environmental monitoring and alerting, and visitor policy and procedures. Valuation Connect is a Microsoft shop utilizing Active Directory for centralized user account management. Users are assigned a unique user name and password. Passwords are required to be complex, changed frequently and will lockout after a predetermined number of invalid attempts. User sessions are required to re-authenticate after periods of inactivity. Valuation Connect performs routine user account review to ensure appropriate entitlements and the removal of dormant accounts. All servers and workstations are built and hardened to the Valuation Connect baseline standard with servers performing a single role (e.g. IIS). Valuation Connect employs antivirus on all desktops and servers. Antivirus is centrally managed with definition updates pushed daily. Valuation Connect performs routine vulnerability scans and monthly patch management. A third party external penetration test is performed annually. Valuation Connect requires all sensitive data transmissions to be encrypted through the web (e.g. HTTPS), bulk file transfer (e.g. Secure FTP) and email transmission (e.g. TLS) using industry recognized algorithms. Sensitive data is encrypted within the database. End users are restricted from writing to USB and CD-R. Valuation Connect has deployed Security Incident Event Manager (SIEM) throughout the environment. The SIEM generates alerts which are reviewed by designated members of IT. Valuation Connect maintains an Incident Response Policy and Procedure to ensure incidents are investigated, resolved, and remediated.

Valuation Connect clients are required to ensure its policies, procedures and technical controls are in place to ensure the connection/transfer of sensitive data remains secure and reduce risk of the transfer of malicious software into Valuation Connect. The client is to maintain a secure computing environment including the use of: up to date (patched) operating systems, centrally managed antivirus, user access through a proxy, and next generation firewalls at the perimeter. Access to Valuation Connect environment shall be secure using industry recognized encryption algorithm agreed upon by Valuation Connect and the client. The client shall maintain procedures to include the timely notification of employee’s change of status to Valuation Connect and periodic access reviews to address user entitlement changes. In the event of a security incident within the client environment, the client is required to notify Valuation Connect in a timely manner and to provide necessary access to system logs, user interviews and relevant information of the event in question. Users can access Support Services by contacting Mortgage Connect at 866-789-1814 x501 or by email at Techsupport@valuationconnect.com. This channel can be utilized to report technical issues, operational failures, incidents, problems, concerns and complaints.

This computer system including all related equipment, network devices (specifically including Internet access), is provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during the monitoring may be used for administrative, criminal or adverse action.