HPG IT Common Cyber Security Questions and Answers
HPG is often asked to provide high-level details about our cyber security practices and preparedness. These requests usually come in the form of a survey and may come from customers or vendors. To help employees respond to these types of surveys, HPG IT has provided the information below.

Q: Does HPG have a formal information security policy that is reviewed at least annually and approved by senior management?
A: Yes. Employees are trained at least once a year regarding information security, and the Cyber Security and IT Policies are published and available for employees to view. Senior management is directly involved with review and approval of policies.

Q: Does HPG hold any active IT assurance certifications such as ISO27000 or SOC2?
A: No. We review these certifications, as provided by our ERP and Document Management solution, on an annual basis as part of our annual cyber security audits.

Q: Does HPG support Multi-Factor Authentication on its critical systems?
A: Yes. HPG requires Multi-Factor Authentication on all systems where possible, especially remotely accessible systems.

Q: Does HPG have backup and recovery processes in place that include offsite backups for technical assets?
A: Yes. All critical assets are backed up, with offsite copies of the backups.

Q: Does HPG have documented disaster recovery and incident management plans?
A: Yes

Q: Have HPG's disaster recovery and incident management plans been exercised or tested in the last year?
A: Yes

Q: Does HPG have a cyber insurance policy?
A: Yes

Additional information and policy is available for employees to review in the employee handbook and the HPG Cyber Security and IT Policies document.
-
MFA: Authentication Methods
HPG strongly encourages employees to use their smartphones for MFA/2FA authentication; specifically, we suggest the Microsoft Authenticator app. Text Message, Phone Call, and Email are no longer supported methods for many service providers, including Microsoft 365 and NetSuite, which are the primary services used by HPG employees. Use of an authentication application on a smartphone is both the easiest method for employees and the least expensive method for both employee and business.

Microsoft Authenticator enables employees to:
- Sign in without a password.
- Receive push notifications when an attempt to sign on occurs.
- Sign in without internet access on their smartphone.
- Enable MFA/2FA on other services they use.

Microsoft Authenticator is not required. Users may use any authenticator app on their smartphone, such as Google Authenticator, DUO Mobile, etc.

Employees that opt out of using their smartphone may be assigned a hardware token by the company. Availability of hardware tokens may not be immediate. Employees that opt for the hardware token must understand that:
- The first token assigned to an employee is provided by HPG without cost.
- Replacement due to theft, loss, or damage is charged to the assigned employee at full cost of the replacement.
- Employees need to report loss or theft immediately.
- Employees may not share their hardware token with other employees or persons.

Employees will need to complete "MFA Hardware Token Procurement : HPG Brands" and confirm they understand this policy before a hardware token is ordered and assigned to them.

Questions and Answers

Q: Why am I being asked to use my own smartphone for something that is clearly managed by the company?
A: You own your identification. MFA and 2FA are methods to verify your identification. The most convenient method of verifying YOU is by using something that you are likely to always have with you: your smartphone. Other methods, such as the hardware token, are not as convenient and are easily misplaced without proper care by the person the device is assigned to.

Q: What information does HPG receive when I use Microsoft Authenticator?
A: Nothing. HPG does not receive any information from your smartphone when you use Microsoft Authenticator for authentication. Authenticator can also be used in an entirely offline mode, so if you want to be extra careful, you can block Microsoft Authenticator's access to the internet and use it offline only. Note that in offline-only mode you will not be able to use advanced functions such as signing into your Microsoft 365 account with Push or Passwordless authentication.

Q: Can HPG use Microsoft Authenticator to lock, block, or erase my smartphone?
A: No. The Microsoft Authenticator app is not a device management application and does not give HPG any permissions to manage or erase any data on your devices.

Q: If I lose or break my hardware token, what should I do?
A: You should report a lost or stolen hardware token immediately. Failing to do so could result in disciplinary action. HPG provides employees with their initial hardware token if they request one; however, any replacement due to theft, loss, or damage will be paid for by the employee that was assigned the hardware token. Employees are fully responsible for ensuring that their tokens are safeguarded and cared for properly.