The Sponsor’s Chief Information Security Officer (“CISO”) is responsible for overseeing the Trust’s cybersecurity practices. The CISO also manages IT affecting the Trust. The CISO is responsible for overseeing the ongoing adequacy of design and effective implementation of these policies and procedures and for reviewing these procedures at least annually. The CISO is trained as a computer scientist (Master of Science) with extensive programming and system administration experience. The CISO’s background includes study of many of the IT building blocks of a modern office infrastructure, including the study and programming of network protocols, information theory, and public key cryptography.

Information Systems Security

The Sponsor’s CISO oversees the maintenance of an inventory of information systems (“Information Systems”) employed by the Sponsor of the Trust either directly or through a vendor. Information Systems include electronic and physical systems used to store, process or transmit information either directly or through a service provider. This includes all methods of data processing, transmission, and retention, both electronic and physical. Electronic Information Systems used by or on behalf of the Trust must, at a minimum, adequately address security elements consistent with applicable state and local regulatory requirements and best practices pertaining to:

The adequacy of security measures used by service providers for internal information will be evaluated in connection with the risk assessment process outlined below in the section labeled Risk Assessment. The CISO is responsible for classifying information, identifying risks, and identifying risk mitigation strategies. The CISO is also responsible for evaluating the adequacy of risk mitigation strategies prior to deploying any Information System. Externally hosted applications (those not installed on the Sponsor’s local network and servers) are reviewed by the CISO at least annually thereafter.

Risk Identification

The CISO will identify reasonably foreseeable risks to the security or integrity of each Information System. The risk identification process will consider appropriate internal and external threat scenarios based on people, process or technology vulnerabilities that could cause the Information System to be compromised, damaged, tampered with or otherwise impaired.

Risk Mitigation

The CISO will identify processes or controls to mitigate identified risks to the security or integrity of each Information System. The computer system security requirements set forth below in this policy may adequately mitigate certain identified risks. Other processes or controls may be required to adequately mitigate other risks.

Risk Assessment

As part of the Sponsor’s ISSP for the Trust, the CISO will document in a risk assessment the Information Systems for the Trust, the risks identified in those Information Systems, and the related risk mitigation processes and controls. Included in the risk assessment will be an assessment of each risk’s potential impact on the operations affecting the Trust, on the security of the Trust’s data, and on the potential business consequences of each risk. The CISO will review and update the risk assessment at least annually. Additionally, at least annually (for externally hosted applications) and following any significant change in operations (for all applications), the CISO is responsible for gathering information about the operation of previously identified risk mitigation strategies and any changes to information classification, identified risks or risk mitigation strategies. The CISO must evaluate the risk mitigation strategies for ongoing adequacy. The evaluation must be documented in a form prescribed by the CISO. If the CISO concludes that risk mitigation strategies are inadequate for an Information System containing confidential or internal information, action will be taken to either correct the inadequacy in a timely manner or discontinue use of the Information System.

Cybersecurity Procedures

The Sponsor has adopted procedures to implement the cybersecurity policy applicable to the Trust, which include the following:
● The Sponsor maintains system access rights and controls for the Trust including:
  - restricting Supervised Persons’ (a “Supervised Person” is each employee, officer, member, and other persons who are subject to the Sponsor’s supervision and control) network resources access to the systems which are necessary for their business functions,
  - authentication of users, and
  - secure remote access protocols;
● The Sponsor maintains its systems carrying Trust data with appropriate updates and virus protections;
● The Sponsor promptly eliminates access to all networks, devices, and resources as part of its HR procedures in the event a Supervised Person resigns or is terminated. Such Supervised Person is required to immediately return all Sponsor-related equipment and information to the CISO;
● The Sponsor has adopted procedures governing the use of mobile devices for the business purposes affecting the Trust;
● The Sponsor prohibits Supervised Persons from installing software on company owned equipment without first obtaining approval from the CISO or other designated person(s);
● The CISO or other designated person(s) conducts periodic monitoring of the networks affecting the Trust to detect potential cybersecurity events;
● The CISO or other designated person(s) conducts periodic monitoring of the networks affecting the Trust to detect unauthorized data transfers;
● Security procedures to protect information that is electronically stored or transmitted include authentication protocols, secure access control measures, and encryption of all transmitted files;
● All suspicious activity involving the Information Systems affecting the Trust recognized or uncovered by personnel should be promptly reported to his or her supervisor and/or the CISO; and
● A Supervised Person must immediately notify his or her supervisor and/or the CISO to report a lost or stolen laptop, mobile device, and/or flash drive.

There have been no cybersecurity incidents since the Trust has been founded.