Cyber Security Best Practices

Our information security program is designed to protect the confidentiality, integrity, and availability of our systems and data. The information technology (IT) team works closely with physical security, audit, legal, compliance, and risk management teams to ensure we take a comprehensive approach to maintain compliance with applicable laws and regulations while minimizing risk for our clients and employees.

The Board of Directors has given IT, compliance, and physical security teams the authority, through the policies listed below, to ensure we have proper controls in place. All policies are reviewed and updated by the policy owners and approved annually by the Board of Directors. In addition to these policies, we have several IT standards that are approved at an IT management level.

Alerus Cybersecurity Program Policies

• GLBA – Safeguarding Customer Information Policy
• Information Security Policy
• Data Security Policy
• Physical Security Policy
• Vendor Management Policy
• Asset and Data Classification Policy
• Computer Security Incident Response Plan
• Mobile Device Policy
• Disaster Recovery Policy

As part of our compliance with the Gramm-Leach-Bliley Act (GLBA), we conduct an annual IT risk assessment that considers results from audits and penetration testing engagements, significant changes to technology, improvement suggestions and changes, or observable trends in cybersecurity and account fraud. The results of the risk assessment are reviewed annually by our Information Security Strategy Team, the Board of Directors, and the Enterprise Risk Management Committee. In addition to the risk assessment, each department conducts its own semi-annual risk assessment and presents the results to the Enterprise Risk Management Committee.

As a national bank, Alerus is regulated by the Office of the Comptroller of Currency (OCC). We are audited annually by the OCC and held accountable for meeting the requirements in the Federal Financial Institutions Examination Council’s IT Examination Handbook and in the GLBA. Alerus also engages third-party vendors to perform audits on our information security program throughout the year. Results of the OCC audit, third-party audits, penetration testing, and vulnerability assessments are presented to the Enterprise Risk Management Committee. Exceptions, if any, are tracked to completion by the internal audit department. In addition, we engage an audit partner to produce an annual service organization control report, referred to as the SOC report, which we share with our clients.

The cybersecurity strategy and program are led by our director of information security, who has been in information security leadership positions for the past 15 years. The information security team attends training throughout the year and maintains information security certifications from organizations including the International Information System Security Certification Consortium ((ISC)2) and SysAdmin, Audit, Network, and Security (SANS) Global Information Assurance Certification (GIAC). All employees receive training annually on our information security program and are subject to background checks.

The IT team is responsible for establishing new users with access to applications and systems specific to their department and/or position. When an employee changes departments or a request is received to change an employee’s access, the IT team processes the change based on the request. When an employee terminates, the IT team disables access on the date of termination, mitigating the risk of an employee having access to proprietary information post-termination. A weekly report is run to identify stale users. This report is used to ensure there are no exceptions to the employee termination process and to ensure new user accounts are actively being used.

Multifactor authentication is required for remote access to the network. Separate accounts have been established for IT to perform administrative actions. These administrative accounts do not allow access to email or the internet.

Alerus conducts a three-phase, in-depth permission review performed on business-critical applications annually. The employee’s supervisor, the business application owner, and the IT application owner each review permissions to ensure:

• The least number of privileges are granted to perform the job,
• No shared accounts are in use, and
• No excessive administrative privileges are granted for an application.

The Alerus vendor risk management program assesses the risks associated with third parties and includes a review of information security controls, business continuity and resumption plans, financial health, and cybersecurity insurance coverage, as appropriate based on risk.

Cybersecurity awareness training is updated annually based on activity experienced during the year. All employees are required to successfully complete the training annually. Training on identity theft and fraud techniques is ongoing throughout the year.

Our controls in this topic surround three key areas:

Change Management

Changes to critical applications follow our application change management process. Rework of significant business processes or implementation of new technology requires submission via the Alerus application change management database, which triggers a cross-functional due diligence and security review. The application change management database is used to track development, testing, and approvals through deployment.

The application change management process is utilized to track either existing applications that require modification, or the deployment of new technology to support new or changing business requirements. This process ensures adequate visibility, approvals, and resources are applied.

• Management has a documented process and follows the established “change management” protocol.
• System and application changes are tracked and implemented in a timely manner.
• Employees dedicated to making system and application changes are knowledgeable about those systems and applications.

Oversight

Alerus has a strategic project management practice in place. IT is involved whenever new systems or applications are being researched. Considerations are made regarding the type of data stored in the new system, who will have access, levels of access available, ability to modify system logic, and where the system is hosted (network or web-based), as well as other security considerations.

Approval and implementation of new technology follow our structured project management workflow to ensure involvement with the business unit and IT team and require senior management approval.

The validation phase of each project consists of teams collaborating to review system requirements with the goal of selecting the best possible, most cost-effective solution. The implementation phase occurs when documentation and support needs are identified and resolved.

Package Software Maintenance

Alerus functional business unit owners maintain strong relationships with core application vendors and ancillary product providers to track scheduled system releases and fully understand how these system releases affect the end product and/or processing workflow.

Alerus has a defined strategy that pairs business application owners with technology application owners to coordinate testing of each vendor release, utilizing the appropriate internal resources to move the release to production.

Part of the implementation phase of any software change process, including releases, is a collaboration between the business application owner and the technology owner to ensure documentation is up to date. For products primarily supported by external vendors, interface with their support teams is conducted as needed. In instances where a vendor-driven release is found to affect our business operations negatively, the functional business unit owner and/or the technology application owner will work with the vendor to determine appropriate next steps, ranging from a full roll-back of a release to a hotfix or patch.

The Alerus disaster recovery plan includes steps to identify an incident, notify appropriate parties, and initiate the recovery process. On an annual basis, business impact analysis sessions are held with each department to ensure proper disaster recovery documentation is in place, including recovery point and recovery time objectives for key business processes, required technology, essential staff, and any location-based dependencies. Individual system component tests are scheduled and tested throughout the year. An integrated test involving both business process recovery and technology failover and recovery is conducted annually. Results of the business continuity program testing and program updates are provided to the Enterprise Risk Management Committee annually.

All data housed within Alerus is encrypted in transit and at rest.

Alerus performs daily and weekly vulnerability scans against all remote and local computers, servers, and devices on our network. We scan for missing patches, software and firmware vulnerabilities, and configuration weaknesses. We have scheduled weekly patch deployment to keep all systems up to date. Vulnerability management reports are reviewed by the Enterprise Risk Management Committee as part of each IT risk assessment. Secure system configurations are managed centrally. All firewalls, intrusion detection systems, network devices, servers, and computers are on a replacement lifecycle to stay within the manufacturer’s support. 802.1x-based network authentication is in place, which restricts network access to only Alerus-owned devices.

Malware protection is on a current, supported version and is updated frequently. Nightly backups of data are augmented with asynchronous replication of key systems throughout the day.

Our incident response plan outlines responsibilities to inform law enforcement, our cybersecurity insurance carrier, and the contractual and regulatory notifications to parties involved. Incidents are investigated to identify the root cause, the scope of the issue, remediation steps, and lessons learned.

This information is reflective of practices at a point in time and is subject to change without notice as we respond to new and/or changing laws and regulations that may impact compliance in this area.