INFORMATION SECURITY POLICY

Version 2.0

Published 10/01/2020

This document is subject to confidentiality controls. For the most current version, refer to the authorized electronic master document.


Table of Contents:

Overview, Purpose & Scope 4

Goals 4

Policy Statements 5

1. Employment and Resource Management 5

2. Physical Security 5

3. Information Security 7

4. Security incidents and Response Plan 7

5. Data Transmission Control and encryption 7

6. Access Control 9

7. Data Access Controls 9

8. Source Code Repositories Access 10

9. Availability Control 11

10. Data Input Control 11

11. Cryptographic Controls 12

12. Privacy Requirements 12

13. Vulnerability Management 12

14. Cloud Service Security 12

15. Responsibilities 13

16. Segregation of Duties 13


17. Enforcement 14

18. Waivers 14

19. Revision & Revocation 14

20. Policy Maintenance & Compliance 14

Document & Revision Control 15


Overview: Quest Software Inc. and One Identity LLC and their subsidiaries and affiliates (each, a “Provider”), having their principal place of business at 4 Polaris Way, Aliso Viejo, CA 92656, are focused on the development of high value software products designed to optimize, organize, manage and protect data and systems on a variety of platforms and environments. Technical support and consulting services are also provided in connection with those products.

Provider has implemented corporate information security practices and standards that are designed to safeguard Provider’s corporate environment and to address business objectives across information security, system and asset management, product development and corporate governance. These practices and standards are regularly reviewed and approved by Quest’s executive management and updated when necessary.

Provider takes the security and confidentiality of their customers’ information very seriously. We are committed to maintaining and improving our information security practices and minimizing our exposure to security risks.

Purpose and Scope: This document states the Policy and best practices required for creating and maintaining a secure environment to protect the information received, collected, stored, processed or used by Provider’s software products or during the performance of technical support and consulting services. It is critical that all team members and service providers are fully aware of this Policy and commit to protecting Quest and One Identity information. Common sense and high ethical standards are required to complement the security guidelines.

The Policy and best practices outlined represent the minimum security levels required and must be used as a guide in developing a detailed security plan and additional policies (if required).

This Policy covers the architecture of Provider’s products and services, the supporting systems and infrastructure and the administrative, technical and physical controls applied to those systems and the data they manage/handle.

This Policy also applies to all Provider team members including all employees of any Provider subsidiary or affiliate. Compliance with this Policy is mandatory and conditional on employment, assignment or doing business with Provider.

Objectives: This security policy provides and supports Information Security in accordance with applicable regulations, laws, and contractual obligations. Information Security goals include:

• Protecting customer information

• Protecting employee information

• Protecting corporate information

• Protecting the security and integrity of Quest and One Identity Information Systems and networks

Quest and One Identity have an appointed Senior Director of Information Security who governs plans and programs and ensures security coordination across the full organization. The Security Policy is formulated by the Senior Director of Information Security and approved by Executive Management. Policy effectiveness is reviewed by security control owners annually at a minimum.

Policy Statements:

1. EMPLOYMENT AND RESOURCE MANAGEMENT

It is Provider’s policy to perform thorough background and reference checks for potential employees except where prohibited by law. All Provider employees are bound by a written non‑disclosure obligation. All employees are required to acknowledge and sign this Policy and the Provider’s Code of Conduct, which includes an express obligation of confidentiality and protection of Provider information resources and tools. As part of on‑boarding, all new members of staff are informed of security policies and trained on the importance of protection of information resources. Individuals contracting for Provider go through a similar background check and on‑boarding process as employees. Provider personnel responsible for handling classified information from public sector sources are required to have government security clearance (country specific).

Provider employees must complete mandatory training on an annual basis that explains their responsibility to uphold certain global policies and standards for Information Security, General Data Protection Regulation (GDPR), Ethics, Data Privacy, Anti-corruption and Global Trade and Sanctions. This training is delivered annually in the mandatory Code of Conduct training and from time to time through mandatory individual topical training exercises. In addition to this, certain employees are required to follow the Provider’s Secured Source Code policy, which covers corporate controls on proper data handling and source code control.

2. PHYSICAL SECURITY

Physical Security Program

Provider’s physical security controls extend to IT systems, infrastructure and architecture supporting Provider’s products and services portfolio. Administrative, technical and physical controls applied to those systems and the data they manage/handle are designed to mitigate security risks to the extent reasonably practicable by staying abreast of known threats, continuous monitoring and access restriction and control. For natural disasters, environmental threats or hazards, malicious attack or accidents, Quest's security team works with each site to identify the risks posed and implement appropriate measures to mitigate those risks to the extent reasonably possible.

Physical Access Controls

Physical access controls/security measures at Provider’s facilities/premises must meet the following requirements:

a. Access to Provider’s buildings, facilities and other physical premises shall be controlled based upon business necessity, sensitivity of assets and each individual’s role and relationship to Provider;

b. Where possible, all facilities must be secured by card‑based access control systems;

c. All areas that contain either sensitive/critical information or information processing facilities must be secured at all times by keyed lock or access card control and monitored by centrally managed cameras;

d. Individuals requiring access to facilities and/or resources shall be issued appropriate and unique physical access credentials and instructed not to allow or enable other individuals to access the Provider’s facilities or resources using their unique credentials. Locations that do not have this system are required to have an alternative access security strategy;

e. Visitors who require access to Provider’s facilities must enter through a staffed and/or main facility entrance;

f. Locked shred bins are provided on most sites to enable secure destruction of confidential information and/or personal data;

g. Where possible Provider’s premises must be protected by security alarms with alarm contacts and motion sensors;

h. All visitors must sign‑in at reception and be issued a visitor badge;

i. Visitors must be accompanied at all times.

3. INFORMATION SECURITY

Non-Disclosure Agreements

Provider enters into and/or complies with confidentiality undertakings under various standard legal agreements in place as a matter of doing business.

a. All employees and 3rd party contractors are required to sign an NDA before access to confidential information is granted;

b. Regular employment contractual agreements are required with all Provider’s personnel which include code of conduct and confidentiality policy undertakings. Personnel includes all employees, contractors, both corporate and individual.

The above agreements include:


a. The protection of Customer Confidential Information within Provider’s environment and/or protection of Customer Confidential information by specific Provider’s personnel; and

b. A prohibition on disclosure of Confidential Information to any other party without specific and unambiguous consent and approval from the Customer prior to disclosure.

4. SECURITY INCIDENTS AND RESPONSE PLAN

Security incident response plan

Incident management responsibilities and procedures have been established to ensure a quick, effective and orderly response to security incidents. Procedures cover all potential types of security incidents, including:

▪ information system failures and loss of service,

▪ denial of service,

▪ errors resulting from incomplete or inaccurate business information, and

▪ breaches of confidentiality.

Provider maintains a security incident response policy, plan and procedures which address the measures Provider will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access or unauthorized acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations.

Response controls

Controls must be in place to detect and protect against malicious use of assets and malicious software. If a potential breach is identified it must be reported to the Data Protection & Privacy team in the legal department. Please call the legal department. If you must leave a message, indicate that you have an urgent matter to discuss, as well as your name and a number where you can be reached.

Controls may include, but are not limited to information security policies and standards, restricted access, designated development and test environments, virus detection on servers, desktop and notebooks, virus email attachment scanning, system compliance scans, intrusion prevention monitoring and response, firewall rules, logging and alerting on key events, information handling procedures based on data type, e‑commerce application and network security and system and application vulnerability scanning. Additional controls are implemented based on risk.

5. DATA TRANSMISSION CONTROL AND ENCRYPTION

Encryption should be applied to protect the confidentiality of sensitive or critical information.


Based on risk the required level of protection should be identified taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys to be used.

Specialist advice should be sought to identify the appropriate level of protection, to select suitable products that will provide the required protection. In addition, legal advice is available to discuss the laws and regulations that might apply to intended use of encryption.

Procedures for the use of cryptographic controls for the protection of information must be developed and followed. Such procedures are necessary to maximize benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.

When developing procedures the following should be considered:

▪ The management guidelines on the use of cryptographic controls across the organization,

▪ Including the general principles under which business information should be protected,

▪ How the appropriate level of cryptographic protection is to be determined, and

▪ The standards to be adopted for the effective implementation throughout the organization (which solution is used for which business processes).

Reasonable steps must be taken to ensure that information transmissions or transfers over any public network or network not owned or maintained by Provider cannot be read, copied, altered or removed without proper authority during its transmission or transfer. These steps shall include:

Implementing Provider approved encryption practices when transmitting any of the following data:

(i) Personal Identifiable Data

(ii) Confidential Data

(iii) Source Code Data

Whenever possible, applications must be enabled to support OAuth 2.0 (or greater) for authentication.


6. ACCESS CONTROL

Access to Provider’s systems must be restricted to authorized users only. Formal procedures and controls must be implemented to govern how access is granted to authorized individuals and the level of access that is required and appropriate for that individual to perform their job duties. Such procedures must include admission controls (i.e. measures that prevent persons from unauthorized use of data within systems) and access controls (i.e. measures that prevent unauthorized access to systems).

Where possible, multi-factor authentication (MFA) controls must be utilized to govern access to Provider’s environments. If key internal environments do not employ MFA or MFA is not feasible, layered approval, access, and role‑based security to protect the environment must be implemented. User access reviews must be conducted regularly and if necessary, access controls are adjusted accordingly. Remote access to the Provider’s network and systems is permitted only as described in the Quest Remote Access VPN policy.

Additional controls include:

a. Only Quest Information Services managed systems/ services can connect to the Quest production network

b. If a Quest Information Services managed system cannot be utilized, a Quest Information Services managed virtual desktop must be used

c. Firewalls must be placed at strategic points within the network to facilitate segmentation

7. DATA ACCESS CONTROLS

The following controls must be adhered to regarding the access and use of personal data:

a. Only the minimum amount of personal data necessary in order to achieve Provider’s relevant business purposes must be used. Except as contemplated for the delivery of services, and particularly cloud-related services, personal data must never be copied or moved to any storage or electronic device that is not owned or controlled by the Provider;

b. Personnel must not read, copy, modify or remove personal data unless necessary in order to carry out their work duties;

c. All third party use of personal data is governed through contractual terms and conditions between the third party and Provider which impose limits on the third party’s use of personal data and restricts such use to what is necessary for the third party to provide services. Any use outside of these terms is prohibited.


8. SOURCE CODE REPOSITORIES ACCESS

i. Systems: Quest will maintain an inventory of approved Source Code Management (SCM) systems, which shall be the only systems used for non-individual source code storage.

ii. Local Storage: Working copies shall be kept no longer than necessary on company approved assets. Storage on removable media shall be avoided.

iii. Configuration: SCM systems will be configured to only allow Quest managed identities. Exception for existing systems: on a temporary basis, existing SCM systems not using Quest identities will be allowed after approval by the Chief Technology Officer.

A plan needs to be established to either have that system use Quest Identities or retire that system and migrate all source code to an approved SCM.

iv. Access Permissions: The default access permissions are defined as:

– Deny Write by default

– Deny Read by default

Approvers will follow a "least privileged" approach that reasonably supports business productivity needs.

v. Revocation of Access: Access shall be revoked upon the following events:

– Termination of employment

– Role change where the new role no longer needs access

– Part of disciplinary action

– Any other situation that requires a revocation due to policies, processes, overlaying requirements, or at the determination of a person authorized by an approval authority.

vi. Access Audit: Access permissions shall be reviewed:

– At least yearly by the Director of DevOps, Director of Security, or Security Leads of their respective BU, or by a delegate determined at that time.

– At out-of-cycle audits as determined by relevant business events, which can be raised by anyone to the Director of DevOps, Director of Security or Security Leads of their respective BU, who decide at their discretion whether an audit is necessary.

– At least quarterly by the owner(s) of record. In most cases, these are the Dev Managers.

vii. External Access: External access shall be facilitated via a Quest managed identity that is as short-lived as possible, and shall follow all other guidelines within this policy as well as any overlaying company requirements on external contributor access and collaboration.

viii. Logging of Access Rights: System logs shall be retained for a minimum of 3 years, logging at a minimum:

– Time

– Which system and resources

– Read or Write

– Who changed rights

– Who received rights

9. AVAILABILITY CONTROL

Personal data must be protected against accidental destruction or loss by following these controls:

a. Personal data must be retained in accordance with law and customer contract or, in its absence, Provider’s record management policy and practices, as well as legal retention requirements;

b. Hard copy personal data must be disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable;

c. When disposing of devices that contain electronic personal data, each device must be given to Provider’s IT Asset Management team for proper disposal;

d. Approved backups, UPS (Uninterruptible Power Supplies), hardware redundancy and fault tolerance measures must be in place for data center and server hardware containing data.

10. DATA INPUT CONTROLS

Provider's policy on the control of data input is as follows:

a. Where appropriate, measures must be designed to log/record when, where and by whom, personal data has been entered into data processing systems, and/or whether such data has been modified or removed;

b. All access to relevant applications must be logged/recorded.


11. CRYPTOGRAPHIC CONTROLS

Cryptographic controls are designed and implemented to protect the confidentiality, integrity and availability of assets. All employees and service providers must adhere to the IS Business Applications IS Infrastructure Operations Cryptographic Policy.

12. PRIVACY REQUIREMENTS

Where personal information is being processed, all employees and service providers will also adhere to the Data Privacy Policy and the Quest Records Management and Retention Policy.

13. VULNERABILITY MANAGEMENT

Provider's policy on vulnerability management is as follows:

a. Publicly released third party vulnerabilities must be reviewed for applicability to Provider’s environment;

b. Based on risk to Provider’s business and customers, predetermined time frames for remediation must be followed;

c. Vulnerability scanning, testing or assessments must be performed on new and key applications or infrastructure, or on a regular basis, and shall be performed based on risk;

d. Code reviews and testing must be performed in the development environment prior to deploying to production to proactively detect coding vulnerabilities.

14. CLOUD SERVICE SECURITY

To address the specifics of Cloud Services, Provider’s Product Engineering teams have established, as part of their existing Software Development Lifecycle (SDLC), additional policies and practices. These policies are comprehensive, based on industry best practices and reviewed regularly by its leadership. Security and Privacy are key priorities of the Development and Operations teams. This section addresses the provision of Provider cloud services to include the following:

a. Baseline information security requirements applicable to the design and implementation of Provider cloud services;

b. Multi-tenancy and cloud service customer isolation including virtualization and virtualization security;

c. Risks from authorized insiders; access to cloud service customer assets by Provider’s staff and access control procedures, e.g., strong authentication for administrative access to cloud services;

d. Communications to cloud service customers during change management;

e. Access to and protection of cloud service customer data;

f. Lifecycle management of cloud service customer accounts;

g. Communication of breaches and information sharing guidelines to aid investigations and forensics.

15. RESPONSIBILITIES

Employees, Contractors, Service Providers:

▪ To adhere to this Information Security policy.

▪ To cooperate with any subsequent investigation of a computer incident.

▪ To report all suspected computer incidents to their supervisors, service desk and [email protected].

Quest Management:

▪ To communicate this policy to all employees and service providers.

▪ To provide enterprise-wide periodic security awareness training.

16. SEGREGATION OF DUTIES

Duties and areas of responsibility should be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services.

This method of control may be difficult to universally achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities (where legally permissible to do so), audit trails and management supervision should be implemented.

Care should be taken that no single person can perpetrate fraud in areas of single responsibility without being detected. The initiation of an event should be separated from its authorization.

The following controls must be implemented:

a. It is important to segregate activities which require collusion in order to defraud, e.g. raising a purchase order and verifying that the goods have been received.

b. If there is a danger of collusion, then controls need to be devised so that two or more people need to be involved, thereby lowering the possibility of conspiracy.


17. ENFORCEMENT

Employees who violate this Policy will be subject to appropriate disciplinary action or other remedial measures up to and including termination of employment if warranted under the circumstances and permissible under applicable law. Assigned workers and third parties who violate this Policy are subject to being denied access to Provider facilities, personnel and assets, permission to perform services on Provider’s behalf, or being terminated as a Provider authorized partner.

18. WAIVERS

The provisions of this policy cannot be waived. Individual Provider managers do not have the authority to approve waivers to this Policy.

19. REVISION & REVOCATION

This Policy may be revised or revoked by Provider at any time, without advance notice or cause.

20. POLICY MAINTENANCE & COMPLIANCE

Compliance: Responsible parties will verify compliance with this policy through various methods, including but not limited to, periodic walkthroughs, internal audits and inspection and will provide feedback to the policy owner and appropriate business manager.

Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Policy Maintenance: This policy is reviewed and approved annually. Updates are made annually or more frequently as required.

Feedback: Any questions or concerns related to this policy may be raised by contacting [email protected].


DOCUMENT CONTROL

Version History:

Version: 2.0

Functional Ownership: Information Security

Author: Senior Director of Information Security, Ron Johnson

Owner: Senior Director of Information Security, Ron Johnson

Approver: Assistant General Counsel, Joseph Burke

Approver: General Counsel, Brad Haque

Effectiveness Date: October 1, 2020

Next Review Date: Q4 annually or as required

Version Control:

Version Control (Version, Name, Description of Change, Revision Date):

1.0, Lowri Taylor, Created and published first edition of policy, 3/19/2018

1.2, Lowri Taylor, Q2 2018 Quarterly review/update: Introduced requirement for employees working with public sector having government security clearance; created a group term for company employees; added section named Non-Disclosure Agreements under Information Security; improved MFA language in Systems Access Controls section and controlled access by Support staff in Data Access Control section, 6/25/2018

1.3, Lowri Taylor, Q3 2018 Quarterly review/update: Added requirement for mandatory acknowledgment and signature of InfoSec policy; added new section on Cloud Services Security; introduced Employee Acknowledgement Section; improved Data Access Control requirements; renamed Discipline & Other Consequences section to Enforcement, 10/10/2018

1.4, Lowri Taylor, Q4 2018 Quarterly review/update: Added new sections Overview, Policy Maintenance & Compliance, Revision History, 3/9/2019

1.5, Ron Johnson, Q3 2019 periodic review/update: Insertion of sections Goals, 10 and 11; expanded sections 5, 6 and 17, 10/2019

2.0, Ron Johnson, Transmission Control Encryption, updated security incident response plan; the following sections were added: Source Code Repositories Access, Responsibilities, and Segregation of Duties, 9/15/2020
