MNStarter Cyber Security Policy
Preventing Cyber Security Attacks and Data Breaches:
In order to prevent cyber attacks and data breaches, MNStarter will implement Least Privilege and Least Functionality Principles as outlined in NIST 800-53 rev4, as well as industry-standard protections for security and data storage.
Users and Administrators will be required to use strong passwords and will be encouraged to use 2-Factor Authentication (2FA) for the site. User accounts and passwords will not be shared by users, and multiple failed login attempts will result in the account being locked until the user can complete the lost password/locked account request.
Users and Administrators will not have access to any more data or user information than is minimally necessary to complete the defined tasks of their account’s role. Users and Administrators will also have the functionality of their account limited to only those functions necessary, i.e., users can view and buy securities but not see administrative areas, and Administrators can view administrative areas but cannot purchase securities.
All issuers on the site will be required to follow these rules and will not be granted waivers from these security policies.
Reporting of a Cyber Security Attack or Data Breach
In the event of a data breach, MNStarter will do the following upon discovery of said breach:
Immediately notify local law enforcement and comply with any local, state, or federal investigation that may be conducted.
Notify the Minnesota Secretary of Commerce office of the breach within 60 days and include a report of:
- A general description of the data that were accessed or acquired;
- The number of individuals affected by the breach;
- A description of the steps that will be taken to notify the affected individuals;
- Whether the data were encrypted;
- What reasonable steps will be taken immediately and a time frame for remediation of the issue, preferably with assistance from local, state and federal authorities.
Once cleared by Law Enforcement Authorities, MNStarter will e-mail a notice to all affected individuals about the breach to include generally what information was involved and what steps MNStarter is taking to remedy the situation as necessary.
Post a notice in a conspicuous place on the landing page of the portal informing all visitors of the breach and what steps have been taken to remedy the breach.
Complete all other required steps indicated in MN State Statute 325E.61 that are not specifically addressed above.