Maintaining a Safe, Secure Marketplace

ICE ensures both the physical and digital security of its markets, clearing houses, and data through industry-leading security technology and processes. ICE’s Information Security Department consists of diverse and skilled teams that work to protect confidential data from unauthorized access, misuse, disclosure, destruction, modification or disruption.

Policies

ICE maintains detailed information security policies. Employees are required to complete security awareness training upon hire and annually thereafter. The security awareness training modules require employees to read and provide acknowledgement of the Corporate Information Security Policy. The policies are for official use only and are reviewed at least quarterly by ICE Senior Management.

Application Security

ICE employs a dedicated Application Development and Security team which defines and enforces mandatory best-practice secure software development. The Application Security team maintains a policy which details these practices and works closely with ICE Development teams.

INCIDENT MANAGEMENT

ICE Operations maintains an Incident Management program to handle any incident with operational impact -- security or otherwise. It is ICE policy to notify customers of any confirmed material breaches of customer data.

BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY

A “like for like” Disaster Recovery datacenter is maintained in the Atlanta area and governed by an enterprise-wide policy. Per policy, all ICE core procedures, systems and operational tasks are duplicable in recovery facilities, exercised at least annually, and documented in comprehensive Disaster Recovery (DR), Business Continuity (BCP) and Incident Response Plans, and ensure infrastructure is recoverable.

TESTING AND AUDIT

ICE Internal Audit and Information Security Assurance regularly conducts tests utilizing various methods to verify compliance with written policies and to assess vulnerabilities. In addition, ICE teams support examinations from multiple regulatory bodies, and commission independent penetration tests.

A rigorous Service Organization Control (SOC) audit is performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of this report is evaluated each year and tailored in response to customer feedback and business developments. The report is available to requesting participants and covered by the confidentiality provisions of the Participant Agreement. Potential customers not bound by the Participant Agreement must obtain a separate NDA to receive the report. To request reports, send an email to Reports-IASOC@theice.com.

INQUIRIES INTO INFORMATION SECURITY PROGRAM

Due to the number of requests received from regulators, members, customers of subsidiaries, and other stakeholders, ICE does not respond to individual inquiries or questionnaires from customers regarding the security of ICE systems. Further, to protect the security and integrity of ICE environments, it is company policy that we do not share information related to internal policies and procedures with third parties. We understand that our customers, as part of their internal vendor management procedures, request information related to security process and posture from their vendors from time to time. As such, ICE shares SOC reports with our customers that independently validate our internal information security controls. To obtain a report, please send a request to the email specified in the preceding section of this page.

For questions about this procedure, please contact the ICE Information Security, Governance, Risk, and Compliance team at isgrc@theice.com.