NB Vendor Questionnaire v2.4


Neuberger Berman Information Security

Vendor Information Gathering Questionnaire


Released: March 9th, 2016

www.nb.com

Questionnaire Instructions:
1) Complete the Business Information tab.
2) Answer all of the questions on the High Level Assessment tab by selecting either Yes, No or N/A from the drop-down list provided.
3) Use the "Additional Information" space to provide any pertinent information. An explanation is required in this space if the response is N/A.

For answers where Yes is selected, supporting documents may be requested.


Business Information
0 Total Questions to be Answered 100% Percent Complete
Question/Request Response
Responder Name: Gerardo Orendain Pickering
Responder Job Title: Managing Director
Responder Contact Information: gerardo.orendain@bpbiwm.com
Date of Response: 4/28/2023
List the names and titles of any contributors that assisted in the formulation of the responses: Yulyana Vela - Administrative Assistant Director; Marcos A. Roldan - (Outsourced IT Services) Relationship Manager
Company Profile
What is the name of the holding or parent company? BP Admin SA de CV
What is the company/business name? BPBI Alternative Investments SPC
Is this a publicly or privately held company? Privately held
If Public, what is the name of the Exchange?
If public, what symbol(s) are you trading under?
If Asset Management, year registered with FINRA
If Asset Management, please state AUM.
Type of legal entity and state of incorporation? Cayman Islands Exempted Segregated Portfolio Company
How long has the company been in business? Less than a year
# of Employees (overall): 18
# of IT Employees: Outsourced Service
Are there any material claims or judgments against the company? No
If Yes, please describe, including any impact it may have on the service being provided to the institution.
Which regulator supervises or examines the company? Indicate all that apply:
- Federal Reserve
- OCC
- FDIC
- Federal Reserve Bank
- OTS
- NCUA
- SEC
- Other, Explained: Cayman Islands Monetary Authority
- None
Does the company have an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding internal, external or regulatory issues? No
Service Profile
What is the name and description(s) of service(s) to be reviewed under this assessment/contracting? Investor and distributor of a Neuberger Berman Segregated Management Account. The company, BPBI Alternative Investments SPC, will create a Segregated Portfolio in order to distribute among its UHNW clients participating shares of an investment portfolio which will solely invest in a Neuberger Berman tailor-made vehicle domiciled in Cayman as a Limited Partnership.
Is this a shared service? (A shared service is provided to multiple clients vs. a dedicated service, which is provided only to one client.)
- Shared: Yes
- Dedicated:
- Other: Please explain
Are any aspects of the service outsourced? Yes
If yes, describe what is outsourced, name of the contracted party, whether the outsourced service involves customer information and the country of operation. Administration, Accounting and Transfer Agency Services, and AML & KYC Controls are outsourced to "Vistra", a global Fund Administration firm. IT Services are outsourced to "Lado B", a Mexican IT Support firm. Audit Services are outsourced to "Ernst & Young Ltd".
Has the service been audited in the past year for any of the following?
- Privacy: No
- Information Security: No
- Disaster Recovery: No
- Operations: No
- Technology: No
- Other:
Does the company hire an external audit firm to produce a SSAE16 report on the operations under review? No
If no, has another type of assessment or audit been performed? Explain. No, the company was recently created and will start operations in 2023.
Have any of the audits addressed above resulted in any exceptions or findings? No
If yes, please provide details:
Provide an explanation of what you are considering target data. Clients/Investors information, Executed agreements with providers and partners, Internal financial and operational files
Computer Equipment Details (relative to scope of services provided)
What is the production site physical address? Torre Arcos Bosques I - Paseo de los Tamarindos 400A – Floor 22, Bosques de las Lomas, CDMX, 05120
What is the backup site physical address? Back up is made in Dropbox's cloud
Are there any additional location(s) where target data is stored? No
If so, provide locations (address, city, state, country).
Please provide details in the following areas:
- Operating system(s): Windows & Mac OS
- Workstations # of devices: 18
- Servers # of devices: N/A
- List Applications in scope: Addepar, Office
- Number of employees by function (e.g., development, systems operations, information security): IT Services are outsourced
High Level Assessment
12 Total Questions to be Answered, 92% Percent Complete

Questionnaire Instructions: For each of the questions provided choose either Yes, No or N/A from the drop-down list provided. If N/A has been chosen then it is mandatory to supply additional explanation. Use the "Additional Information" field to the right of the question. Click on the instruction pop-up box and drag if necessary.
Ques # Question/Request Response Additional Information
A. Risk Management
A.1 Does your company have a risk assessment program? Yes
B. Security Policy
B.1 Does your company have an information security policy? Yes
B.2 Are the following topics covered by your policies:
B.3 Acceptable use? Yes
B.4 Access control? Yes
B.5 Application security? Yes
B.6 Business Continuity?
B.7 Change control? Yes
B.8 Computer and communications systems access and use? Yes
B.9 Data handling? Yes
B.10 Disaster Recovery? Yes
B.11 Email? Yes
B.12 Encryption? No (We have some applications that support encryption, but not an overall encryption process.)
B.13 Exception process? Yes
B.14 Information classification? Yes
B.15 Internet / Intranet access and use? Yes
B.16 Mobile computing? No
B.17 Network security? Yes
B.18 Operating system security? Yes
B.19 Physical access? Yes
B.20 Remote access? N/A (Provided only for IT Support, not for users.)
B.21 Risk management? Yes
B.22 Secure Disposal? Yes
B.23 Security awareness? Yes
B.24 Security incident management? Yes
B.25 Use of personal equipment? No
B.26 Vulnerability management? Yes
C. Organizational Security
C.1 Is there an information security oversight function that provides clear direction and visible management support for security initiatives within the organization? Yes
C.2 Is there an individual or group with responsibility for security within the organization? Yes
C.3 Is an individual or group responsible for the implementation / execution of security processes in support of policies? Yes (group responsible)
C.4 Is an individual or group responsible for ensuring compliance with security policies? Yes (group responsible)
C.5 Are all constituents required to sign confidentiality agreements? Yes
C.6 Has there been an independent 3rd party review of the information security program? (If so, note the firm in the "Additional Information" column.) No
C.7 Do you contract with third party service providers? Yes
D. Asset Management
D.1 Does your company have an asset management program? No
D.2 Is an inventory of hardware/software assets maintained? Yes
D.3 Is ownership assigned for information assets? Yes
D.4 Does your organization have an information classification policy in place?
D.5 Are documented procedures in place for the disposal and/or destruction of physical media (e.g.: Paper documents, CDs, DVDs, tapes, disk drives, etc.)? Yes
D.6 Are documented procedures in place for the reuse of physical media (e.g.: Tapes, disk drives, etc.)? No
E. Human Resource Security
E.1 Does your company have a pre-screening policy?
E.2 Do you perform any background screening of applicants? This would include criminal, credit, professional/academic, references and drug screening.
E.3 Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?
E.4 Does your organization have a security awareness training program? Yes
E.5 Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP)? No
E.6 Do you communicate Information Security Policies and procedures to constituents? Yes
E.7 Are your constituents required to re-read and re-accept policies, code of conduct, non-disclosure or confidentiality agreements?
E.8 Is there a disciplinary process in place for non-compliance with Corporate Policy?
E.9 Does your company have a termination policy?
E.10 Does your HR department notify security / access administration of termination of constituents?
E.11 Does your HR department notify security/access administration of a constituent's change of status? Yes
E.12 Does your organization have Asset return procedures or policies in place? Yes
F. Physical and Environmental Security
F.1 Does your company have a Physical Security policy?
F.2 Does the building that contains the target data reside on a campus? No
F.3 Is the building shared with other tenants? Yes
F.4 Do you have a CCTV system monitoring all of your office locations? Yes
F.5 Do you have a CCTV system monitoring your data center(s)? No
F.6 Are all office entry and exit points alarmed? Yes
F.7 Are all data center entry and exit points alarmed? No (We do not have a physical data center. Information resides on the cloud.)
F.8 Do you use security guards? No (Only in the building access)
F.9 Do you restrict access to your data center facility? Yes
F.10 Do you allow visitors in your data center facility? No
F.11 Do you restrict access to your offices? Yes
F.12 Do you allow visitors in your offices? Yes
F.13 Do the target systems reside in a data center? Yes
F.14 Does your data center facility contain a Battery/UPS Room? Yes
F.15 Does your data center facility contain a Generator or Generator Area? Yes
F.16 Do your office facilities contain a Battery/UPS Room? Yes
F.17 Do your office facilities contain a Generator or Generator Area? Yes
F.18 Does your organization use a printer room to print target data? Yes
F.19 Do you have a secured work area where employees access target data? Yes
G. Communications and Operations Management
G.1 Does your organization have a formal change management / change control process? Yes
G.2 Does your organization segregate duties between individuals granting access and those who access target data? Yes
G.3 Does your Organization outsource to any third party vendors who will have access to target data (consider backup vendors, service providers, equipment support vendors, etc)? Yes
G.4 Are internal users required to pass through a content filtering proxy prior to accessing the Internet? No
G.5 Do you perform system backups of target data? Yes
G.6 Is every connection to an external network terminated at a firewall? Yes
G.7 Do you allow the use of wireless networking technology in your organization? Yes
G.8 Do you allow wireless access (WiFi) to your corporate network at your facilities? Yes
G.9 Do you regularly scan your organization's facilities for rogue wireless access points? Yes
G.10 Is there a list of authorized analog lines within the organization's facilities? No (We do not have analog lines)
G.11 Are any analog modems used or installed in your environment? This would include "Phone Home" modems attached to systems. No
G.12 Are any DSL modems used or installed in your environment? This would include "Phone Home" modems attached to systems. No
G.13 Are any cable modems used or installed in your environment? This would include "Phone Home" modems attached to systems. No
G.14 Does your organization use any removable media (e.g.: CDs, DVD, tapes, disk drives, USB devices, etc)? Yes
G.15 Does your company use external Instant Messaging? Yes
G.16 Does your organization use application Servers for processing or storing confidential data?
G.17 Are logs generated for security relevant activities on network devices, operating systems, and applications? Yes
G.18 Do systems and network devices utilize a common time synchronization service? Yes
G.19 Does your company use UNIX or Linux operating systems for storing or processing target data? No
G.20 Does the company use Windows systems for storing or processing confidential data? Yes
G.21 Does the company use a mainframe for storing or processing target data? No
G.22 Does the company use an AS400 for storing or processing target data? No
G.23 Are network devices periodically monitored for continued compliance to security requirements? Yes
G.24 Does the company provide Web services? No
G.25 Does your company use mobile computing devices (laptops, tablets, smart phones etc.) to store, process or access target data? No
G.26 Does your company use, manage or maintain any encryption tools? Yes (Winrar, 7zip, Bitlocker)
G.27 Do you require data encryption for confidential data in transit? Yes
G.28 Do you require data encryption for confidential data at rest? Yes
G.29 Does your company utilize Digital Certificates? No
H. Access Control
H.1 Is an access control policy in place? Yes
H.2 Is access to all systems and applications based on defined roles and responsibilities or job functions? Yes
H.3 Is multi-factor authentication deployed for “high-risk” environments? Yes
Is multi-factor authentication utilized for remote access? No
H.4 Does your company utilize unique user IDs to access company systems? Yes
H.5 Are there formal processes in place to grant and approve access to systems holding, processing, or transporting target data? Yes
H.6 Do you use passwords to access systems holding, processing, or transporting target data? Yes (Sometimes, depending on the specific activity)
H.7 Are there formal processes in place to regularly review access to ensure that only those people with a need-to-know currently have access? Yes
H.8 Do you use electronic systems to store, process, transport, etc. target data? Yes
H.10 Is a remote access solution present in the environment? Yes
H.11 Is a teleworking/ remote working policy in place? Yes
I. Information Systems Acquisition Development and Maintenance
I.1 Does your company perform any type of application development? No
I.2 Do you perform any type of application testing? No
I.3 Does the company have an internal organization that provides project management oversight? No
I.4 Does the company have an independent quality assurance function responsible for the testing of software and infrastructure prior to implementation? Yes
I.5 Does your organization support or maintain a development, test, staging, QA or production environment? No
I.6 Do you have a documented change control process? No
I.7 Does your organization patch systems and applications? Yes
I.8 Are systems and networks periodically assessed for vulnerabilities? Yes
I.9 Do you support, host, maintain, etc. a web site with access to target data? No
I.10 Do you use or have installed on any system penetration, threat or vulnerability assessment tools? No
J. Information Security Incident Management
J.1 Does your company have an Incident Management policy? No
J.2 Does your company have a formal information security Incident Response Program / Plan? Yes
J.3 Does your company have a security incident response team with clearly defined and documented roles and responsibilities? Yes
J.4 Is an Incident Response contact list or calling tree maintained? Yes
J.5 Is documentation maintained on previous incidents, outcomes and issues and their remediation? No
K. Business Continuity Management
K.1 Does your company have a written policy for business continuity and disaster recovery?
L. Compliance
L.1 Is your organization required to comply with any legal, regulatory or industry requirements, etc. (GLBA, SOX, PCI)? Yes
L.2 Is your organization required to comply with any SEC regulations? No
L.3 Within the last year, has there been an independent review of the company’s security policies, standards, procedures, and/or guidelines? Yes
L.4 Has a network penetration test been conducted within the last year? No
L.5 Does the organization undergo a SSAE16 Type II examination at least annually? No
