Network Security Policy

Purpose and Scope

The purpose of this document is to define basic rules and requirements for network security and ensure the protection of information within

and across networks and supporting information processing facilities.

This document applies to the security of all services, architecture, software and systems that make up Transmit's product/service.

Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at

Transmit.

Network Controls

Transmit manages, controls, and secures its networks, the connected systems, applications, and data-in-transit to safeguard against internal

and external threats.

Firewalls & Threat Defense

Transmit must utilize network firewalls, web application firewalls, and/or equivalent mechanisms to safeguard applicable internet connections,

internal network zones, and applications from threats. Transmit configures appropriate firewall alerts and alarms for timely response and

investigation. This also applies to applicable wireless networks.

Transmit ensures networking ports and protocols are restricted based on the principle of least functionality. Ports and network routes should

only be open when there is proper business justification. Firewall configurations and rulesets are maintained. Firewall rules are implemented

to minimize exposure to external threats. Significant changes to network services and configurations should be tracked in accordance with the

Change Management Policy.

As an additional layer of defense, Transmit utilizes monitoring solutions to detect and alert on network-based intrusions and/or threats.

Network Diagramming

Transmit maintains network and data flow diagrams. Diagrams are reviewed and updated when significant network infrastructure changes

occur.

Network Access Control

In addition to the Network Security Policy, Transmit establishes, documents, and reviews the Access Control and Termination Policy based on

business and security requirements. This policy also encompasses network access control.

Transmit segregates networks based on the required groups of information services, users, and systems.

Transmit utilizes firewall configurations to restrict connections between untrusted networks and trusted networks.

Additionally, Transmit may utilize security groups and network access control lists (NACLs) to improve network security for individual virtual

machines.

Network Engineering

Transmit implements security functions in a layered approach, minimizing interactions between layers of the design and avoiding any

dependence by lower layers on the functionality or correctness of higher layers.

Transmit utilizes a defense-in-depth (DiD) architecture to protect the confidentiality, integrity, and availability of information systems and

data, i.e. placing information systems that contain sensitive data in an internal network zone, segregated from the DMZ and other untrusted

networks.

Transmit synchronizes clocks of all applicable information systems to the same time protocol to enforce consistent and accurate

timestamping.

Network Service Level Agreements (SLAs)

Security mechanisms, service levels and management requirements of all network services should be identified and included in network

services agreements, whether these services are provided in-house or outsourced.

Exceptions

Transmit business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Transmit

policy. If an exception is needed, Transmit management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Transmit policy or procedure may result in disciplinary action, up to and including termination of

employment. Transmit reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in

any investigation of such activity. Transmit does not consider conduct in violation of this policy to be within an employee’s or contractor’s

course and scope of work.

Any personnel who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal

complaint to his or her manager or any other manager of Transmit as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security

policies and procedures, and any other security breaches.

Responsibility, Review, and Audit

Transmit reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements

at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are

communicated across the organization.

This document is maintained by Transmit Network Security Administration.

This document was last updated on 07/26/2022.