
Information Risk Workforce Orientation

This is a summary of Company Information Security Policies to assist new workforce members. Workforce members include any employee, agent or third party who utilizes the AEGON companies' internal resources on behalf of the Company. It is not intended to be an all-encompassing document, but a quick overview to provide initial direction until new workers have time to become better acquainted with the full Information Risk Program.
AEGON - Internal Use Only

Information Risk Workforce Orientation Topics

Topics

- Introduction
- Information Assets
- Information Risks
- Information Risk Management
- Information Management and Classification Program
- Records Retention Program
- General Information Security Policies & Safeguards
- Recognizing and Reporting a Security Incident
- Business Continuity Planning
- Summary / Key Takeaways
- Need More Information?
- My Information Security Acknowledgement

Introduction

Your Commitment

As a new workforce member of the AEGON companies, it is important for you to understand that maintaining a secure and reliable environment is vital to protecting Company information assets. Your commitment is important to the Company as well as its customers, business partners, stockholders, and employees.

Why is this Important?

- A large amount of the information handled by those working at the Company can be considered business critical and confidential, and should be handled appropriately.
- Your awareness and proper handling of information assets, both internally and externally to the Company, is essential in order to minimize risks (e.g. unauthorized disclosure or modification).
- An impact to business critical and confidential information assets could adversely affect the business interests of the Company or its customers, business partners, stockholders or employees.

Policies and programs are in place to safeguard Company information assets. All workforce members are responsible for understanding and complying with these policies and programs, and are accountable for reporting any known or suspected violations. In this orientation, you will be introduced to some of those policies and programs.

Information Assets

What is an Information Asset?

An information asset is any data owned and/or maintained by the Company for business purposes. Information assets can originate from our business units, partners, customers or employees and may include data elements such as:

- Customer/Employee Names and Social Security Numbers
- Account/Policy Numbers
- Merger/Acquisition Information
- Personal Data
- Credit Card Numbers
- New Product Information
- Policy Information
- Company Financial Data

Some Company information assets are protected by federal and state laws. Special precautions need to be taken when handling and combining customer/employee names with other sensitive data elements such as:

- Health Information (e.g., lab results, health condition, medications used, etc.)
- Personal Information (e.g., Social Security Number, driver's license number, Date of Birth, etc.)
- Financial Information (e.g., policy number, bank account and credit card numbers, etc.)

Information Assets

What is an Information Asset?

Those working at the AEGON companies are exposed to information assets on a daily basis. If you are in contact with any of the following, you are exposed to Company information assets:

- Billing Information
- Employee/Personnel Data
- Internal/Confidential Memos/Reports/Documents
- Customer Account/Policy Records
- eCommerce Websites
- Product Development Plans
- Financial Statistics and Statements

An information asset can be accessed, maintained and stored in electronic (digital) or paper form. Common forms include computer hardware, software, storage media, and portable devices, for example:

- Computers/Laptops/Servers
- Cell Phones/Blackberry Devices
- Emails/Faxes
- Memos/Reports/Documents
- USB Storage Devices
- Tape/Cartridge Storage Media
- CD/DVDs
- Websites

Information Assets

Information Asset Confidentiality Classification

The sensitivity and handling of an information asset is determined by its confidentiality classification. An information asset that is labeled or categorized with any of the following classifications is considered to be sensitive:

- Strictly Confidential: The most sensitive. Compromise would lead to financial, legal or competitive impact or fraud. (Examples include: reorganization plans, merger and acquisition information, new product launches, unannounced financial statements, etc.)
- Confidential: Compromise could potentially lead to financial, legal or competitive impact or fraud. (Examples include: customer data, passwords, encryption keys, employee personal and private information, payroll information, business plans, etc.)
- Internal (Proprietary): Disclosure outside of the Company, its employees, and third parties should be avoided to reduce the risk of compromise. (Examples include: interoffice memos, policies and procedures, operational guidelines, bulletins, training material, etc.)

An information asset that is labeled or categorized with the following classification is considered to be non-sensitive:

- Public: Refers to all information determined not to be confidential or internal/proprietary. This information comes from public sources or is provided by the Company to the general public.

Information Assets

Managing Information Assets

It is essential to understand how information flows both internally and externally in order to minimize risks associated with information assets. The emergence of stricter industry and regulatory information handling mandates, such as data privacy regulations, requires companies to implement reasonable internal controls. It is important to demonstrate that proper protection is always applied to sensitive information assets. Information assets must be managed and protected while:

- In Use: Information that is currently being accessed and within a person's or organization's control.
- In Motion (or in transit): Information that is being transported from its origin or resting location to another location.
- At Rest: Information in storage.
- Sanitizing or Disposing (Destruction): The process of purging or physically damaging the information asset so that it is not usable and there is no known method for unauthorized individuals to retrieve the information.

Information Risks

What are the key risks to our Information Assets?

The key risks associated with Company information assets are:

- Unauthorized Disclosure - The act of making known or revealing sensitive information (e.g., customer account information, internal corporate knowledge, etc.) to unauthorized groups or individuals.
- Unauthorized Modification - To alter or change the structure, condition or meaning of information (e.g., customer account information, financial data, etc.) without approval.
- Unauthorized Destruction - To eliminate the existence, structure, or condition of information (e.g., computer hard drives, web servers, database tables, etc.) without approval.
- Loss of Availability - Inaccessibility of information assets or systems (e.g., customer account information, billing systems, websites, etc.) to users approved for access.

Information Risk Management

What is Information Risk Management?

Information Risk Management helps the AEGON companies analyze the risk to their information assets by conducting risk assessments to determine:

- What are the threats or vulnerabilities to our business operations or systems?
- Should vulnerabilities be proactively addressed to lower the level of risk?
- What controls do we have in place to protect us from threats, and how strong are those controls?
- What is the likelihood that an event or incident will occur given our current level of risk management?
- If an event or incident does occur, what is the impact to the business?
- What level of risk is acceptable?
- What mitigation activities need to be resolved in order to more effectively manage the risks to Company business?

The bottom line at the AEGON companies: risk management is everyone's responsibility!

Information Risk Management

How Can I Help Manage Information Risks?

As a new workforce member you may be wondering:

- How can I help protect Company information assets?
- What can I do to maintain a secure environment and safeguard this workplace?
- Where can I find more information?
- Who can I ask if I have questions?

The following will explain how YOU can help manage risks to Company information assets by your:

- Knowledge of Information Management and Classification (IM&C) and Record Retention.
- Compliance with General Information Security Policies and applied safeguards (e.g. Internet Usage, Electronic Communication, Access Controls, User IDs, Passwords, Physical Access, Workplace, Mobile Computing Security, etc.).
- Recognition and Reporting of Security Incidents.
- Awareness in Business Continuity efforts.

Information Management and Classification Program

Information Management and Classification Program (IM&C)

Ask yourself these questions:

- Would I like my hospital to protect my healthcare information?
- Would I like my bank to ensure my financial information is complete and accurate?
- Would I like my bank to ensure my money is available when I need it?

At the AEGON Companies, the IM&C Program focuses on:

- Confidentiality: Information is accessible only by those who are authorized. IM&C helps to prevent unauthorized access to or disclosure of sensitive information, which may result in legal liability or customer distrust.
- Integrity: Information is accurate and complete. IM&C helps to protect critical business information assets from the risks which may compromise accuracy or completeness.
- Availability: Information is available when it is required. IM&C helps to identify the risks which may prevent critical business information assets from being available.

Record Retention Program

Record Retention

Federal and State laws and regulations require that the AEGON companies retain certain records for specified periods of time. In addition, records may need to be retrieved by the Company to assist with its operations. Thus, good recordkeeping practices are an important business function. The Record Retention Program:

- Defines guidance for determining what constitutes a Record.
- Defines record types.
- Determines retention periods for record types.
- Defines specific destruction requirements.
- Facilitates proper classification, indexing and storage methods.

Contact a manager or Record Retention representative for more information about your division's program and your responsibilities.

General Information Security Policies & Safeguards

General Information Security Policies and Safeguards

Throughout your time at the AEGON companies, you will become aware of many different policies and safeguards aimed to protect the confidentiality, integrity and availability of Company information assets. The following sections will make you aware of the key General Information Security Policies and practical safeguards, including:

- Internet Usage
- Electronic Communication
- Access Controls
- User Identification Basics
- Password Safeguards
- Physical Access / Workplace Safeguards
- Clear Desk / Clear Screen
- Mobile Computing

General Information Security Policies & Safeguards

Internet Usage Policy

When using the Internet, you must follow the Internet Usage Policy, which includes:

- Use mainly for business purposes and only for incidental or occasional personal use.
- All Company provided Internet resources remain the property of the AEGON companies and are subject to monitoring at any time.
- Internet use is a privilege, not a right, and access may be revoked at any time.
- The Company has a right to restrict access to websites it deems inappropriate or a high risk to information assets.
- Do not engage in activities that conflict with Company business interests or operations.
- Unless specifically authorized by the Company, do not post Company information on public websites (e.g. Facebook, Twitter, etc.).
- If you post to a blog site, your affiliation to the Company is known, and you reference the Company or the financial services industry in general, a disclaimer must be included that clearly states your post is your opinion only and does not reflect the opinion or position of the AEGON companies.
- If you witness Internet usage that you consider to be a violation of this policy, refer to Recognizing and Reporting a Security Incident for details.

General Information Security Policies & Safeguards

Electronic Communication Policy

Applies, for example, to e-mail, Web-Mail, Instant Messaging, Blogging, Voice Mail and Phones (e.g., Landline, Cell, Smart Phones). It is important that you follow the electronic communication policy, including, but not limited to:

- Use mainly for business purposes and only for incidental or occasional personal use.
- All electronic communications conducted via Company systems are the property of the AEGON companies and are subject to review at any time.
- Sensitive information must never be sent via e-mail or other electronic file transfer methods unless proper safeguards are applied, such as encryption.
- Do not forward internal electronic communications outside of the Company without prior consent from the originator or information owner.
- Do not engage in activities that conflict with Company business interests or operations.
- E-mail from unknown sources is a risk. As a general rule, do not open e-mail attachments from those you don't know.

General Information Security Policies & Safeguards

Access Controls

All technical and physical access controls at the Company are established to limit the access rights an individual has to information assets, including information, systems, business applications and buildings:

- Access is granted on a need-to-know basis; you are granted access to only what is needed for your job function.
- Requests for access to information assets must be approved by the information asset owner or his/her authorized designee.
- Challenge anyone who does not appear to have a need-to-know.

Once you are granted access to a given system, you must never:

- Use any element of the system that you are not authorized to use.
- Attempt to bypass any access control system.

General Information Security Policies & Safeguards

User Identification Basics

To properly identify a user, a unique User Name (User ID) is assigned to each individual. Once you have been assigned a User ID, each system that you access will require you to provide your User ID along with a password. It is important to remember:

- User IDs must only be used by those to whom they are assigned; Do NOT share your User ID!
- You are accountable for all activity performed using your User ID.
- Use Ctrl+Alt+Delete and then Enter (or press the Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
- Log out from your desktop or laptop upon leaving the office for the day or when no longer being used.

General Information Security Policies & Safeguards

Password Safeguards

The security provided by a User ID depends on the password being kept secret at all times. Your password is the proof of your identity and should be properly safeguarded.

- Never share your password.
- If your password is disclosed, contact your DISO immediately. Remember: Keep your password confidential!
- Do not ask others to reveal their password to you.
- Never write down your password.
- Do not use the "remember my password" feature on any internet site.
- Your password must be changed at regular intervals.
- Create strong passwords using a combination of upper case, lower case, standard symbols (e.g., +, $, &, etc.), and at least one numeric character.
- Your password should be easy for you to remember and difficult for others to guess.

General Information Security Policies & Safeguards

Physical Access / Workplace Safeguards

Physical Access Safeguards are in place at the AEGON companies and must be followed by workforce members at all times. Maintaining good physical security requires the following:

- All individuals entering Company facilities are assigned an ID Card (or Badge) which must be visibly worn at all times.
- Each workforce member should use his/her own ID Card to enter secured areas. Do not share your ID Card with anyone.
- If you forget your ID Card, contact Facilities Security Management to obtain a temporary ID Card for entry.
- ID Cards that have been lost or stolen must be reported immediately to Human Resources or Facilities Security Management.
- All visitors must sign in and be escorted at all times.
- Be aware of unknown individuals who try to follow you into a secured area without using his/her own ID Card (also known as piggybacking or tailgating).
- Report any suspicious behavior to a local facility security contact, DISO, or to a manager.

General Information Security Policies & Safeguards

Clear Desk / Clear Screen

When at your workplace or leaving the office, follow these simple safeguards to assist in protecting information assets:

- Do not leave sensitive information accessible within your work area or on printers or fax machines. Use the password function when available.
- At the end of the day, secure all sensitive paperwork in a locked drawer or cabinet.
- Secure mobile devices including your laptop, cell/smart phones, PDA, USB drives, etc.
- Remove sticky notes from your desk that contain sensitive information.
- Do not leave sensitive information in your waste bin. Use Company provided locked disposal bins to discard sensitive items (e.g., papers, diskettes, CDs, etc.).
- If you are unsure if something should be recycled or shredded, use the locked disposal bins as a precaution.
- Use Ctrl+Alt+Delete (or Windows key + L) to lock your desktop or laptop when leaving it unattended for any reason.
- Log out from your desktop or laptop upon leaving the office for the day or when no longer being used.

General Information Security Policies & Safeguards

Additional Safeguards

- Physical security personnel located at the various entrances into the building are there for your protection. Be cooperative with their requests for identification.
- Do not discuss Company business or other information that may be considered confidential or sensitive in public places where you may be heard.
- Clean meeting rooms, including tables, waste bins and whiteboards.
- Do not prop doors open. This may allow unauthorized entry and trigger an alarm.

For additional information on Information Security Policies, including safeguards, reference the following Enterprise Information Risk Management Intranet site:
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx

Contact the Division Information Security Officer (DISO) for supplemental information referencing Information Security Policies and safeguards.

General Information Security Policies & Safeguards

Traveling, Telecommuting, Mobile Computing

Today, most business professionals use laptops and other mobile equipment while at home, traveling, and as a part of their normal business routine. This equipment may include laptops, cell phones, personal digital assistants (PDAs), Smart Phones, pagers, VPN tokens, USB drives, etc. This type of equipment is extremely vulnerable. To minimize the risk, extra precautions are required while in the office, working remotely or traveling.

- All Company policies, programs and safeguards still apply outside Company facilities and must not be bypassed.
- Do not conduct Company business or access information that may be considered confidential or sensitive in public places where it may be seen by unauthorized individuals (e.g., airports, planes, restaurants, hotel lobbies, etc.).
- Obey all applicable state and local laws regarding the usage of this type of equipment while traveling.

General Information Security Policies & Safeguards

All Mobile Devices (including laptops, cell phones, Smart Phones, PDAs, etc.)

- You are accountable for all activity performed with any Company mobile device assigned to you.
- Company mobile devices assigned to you must not be used by anyone but you.
- Company equipment must not be left unattended or unsecured in public areas (e.g., hotel rooms, automobiles, restaurants, airports, etc.).
- Always use a cable lock to secure your laptop in unsecured locations.
- Loss or theft of Company mobile devices must be reported immediately. Refer to Recognizing and Reporting a Security Incident for more details.
- Your mobile devices, such as laptops and USB drives, must employ Company standard encryption.
- Do not communicate sensitive information using Text or Instant Messaging.
- The Company does not allow synchronizing e-mail to a personal PDA (a Company issued Blackberry is permissible).
- All business critical files stored on local drives must be backed up to Company network drives to prevent unintentional or malicious loss of data.

Recognizing and Reporting a Security Incident

Recognizing and Reporting a Security Incident

All workforce members are responsible for compliance with the Company Information Security Policy and are accountable for reporting any known or suspected violations. Reporting a security breach as soon as it is noticed is paramount. Quick reporting can help to minimize potential damage to the Company or to its customers, business partners, stockholders, and employees. Be on the lookout for the following:

- Files or systems that should be accessible to you are suddenly unavailable or missing.
- Output of sensitive and confidential information found in printer trays, left unprotected in the work area, or sent to the wrong person or group.
- Unauthorized persons or personnel are discovered in the work area.
- Files appear, disappear, or undergo significant and unexpected changes in size.
- Your password has been changed without your knowledge or involvement.

Report these or any other anomalies to a manager, the Divisional Information Security Officer (DISO), the S.H.A.R.E. hotline (1-866-263-7787), the AIT Customer Service Center (1-888-852-4357) or the Enterprise Information Risk Management Intranet site:
http://intranet.ds.global/transamerica/enterprise/irm/Pages/report-an-incident.aspx

Business Continuity

Business Continuity

Business Continuity is about keeping the AEGON companies operating during any planned or unplanned business disruption. Business Continuity helps the Company to be proactively prepared for such an event. Events can be caused by natural or man-made disasters and may include: floods, hurricanes, blizzards, earthquakes, terrorists, power outages or technology failures. The Business Continuity framework is divided into three phases:

- Assessment - Ensures that the Company assumes the correct level of risk, since not all risks can be totally eliminated or controlled. Understanding the critical processes and their associated risks will help protect against unanticipated losses that could significantly affect personnel, property, revenues and the ability to fulfill responsibilities to customers, employees, shareholders, and the public.
- Preparedness - Ensures that the Company is able to recover from potential disruptive events. This is accomplished by having a comprehensive Business Continuity Plan that includes strategy, recovery and testing phases.
- Event Management - Execution of Business Continuity Plans. In the event of an outage, quick response and recovery are critical. This phase ensures that relief and restoration activities are performed to restore the business functions to a pre-event status.

Business Continuity

Business Continuity

At the AEGON companies your participation is critical in many ways. We have plans, but it's your responsibility to become familiar with the departmental emergency response plan by doing the following:

- Know where the emergency shelter area is within the building.
- Know where the meeting place is when you evacuate the building.
- Identify the floor marshal.
- Identify the BCP coordinator in the department and discuss your role.
- Maintain your current contact information to preserve the integrity of essential emergency communication channels.

Summary / Key Takeaways

Summary / Key Takeaways

Protecting Company property and information is one way the AEGON companies demonstrate Corporate Responsibility and minimize risk. It is essential that you are familiar with the Company information security policies, threats, vulnerabilities, mitigating controls and the appropriate use of the Company's information assets. In summary:

- You are the key to protecting and preserving the confidentiality, integrity and availability of Company information assets.
- Handle sensitive/business critical/confidential information assets appropriately.
- Act in accordance with the General Information Security Policy.
- Comply with applied system, physical access, workplace and mobile computing safeguards.
- Report incidents and/or violations of Information Security Policy and safeguards.

Information Risk Management is everyone's responsibility!

Need More Information?

For More Information

Visit the Enterprise Information Risk Management Intranet Site for additional information, including Information Security Policies, Business Continuity, Disaster Recovery and much more. Check out the website today!
http://intranet.ds.global/transamerica/enterprise/irm/Pages/default.aspx

Divisions may have additional information, including information security procedures, guidelines and resources (e.g. intranet sites). Contact the Divisional Information Security Officer (DISO), Risk Manager, or Business Continuity Planning (BCP) Manager for questions regarding topics covered in this orientation.
http://intranet.ds.global/transamerica/enterprise/irm/Pages/contact-us.aspx

My Information Security Acknowledgement

(Use only if there is NO signed Non-Disclosure Agreement with the individual, contractor or entity)

Violations of the Information Security Policies, Standards and Procedures jeopardize the Company in a number of ways. Issues will be investigated and, if a violation occurred, corrective action may include, but not be limited to:

- Loss of access privileges to information assets
- Termination of working relationship
- Other actions as deemed appropriate by management

Corrective action will be consistent with the nature of the incident in the context of all relevant circumstances.

I acknowledge that:

- I have viewed the AEGON Companies Information Risk Workforce Orientation about Information Security;
- Confidential business information is an important asset of the Company;
- It is my responsibility to protect the confidentiality, integrity and availability of Company information;
- I must report any suspected security incident to the manager, the Divisional Information Security Officer, the S.H.A.R.E. hotline, the AIT Customer Service Center or the Enterprise Information Risk Management Intranet;
- Information security breaches are investigated and it is my responsibility to cooperate fully in any investigation;
- Any violation of Information Security Policies, Standards or Procedures may result in termination of the work relationship;
- E-mail and the Internet are primarily for business use and may be monitored by the Company.

PLEASE SIGN HERE TO ACKNOWLEDGE:

Name (print) ______________________________________

Signature ________________________________________

Date ____________________________________________
