IT Management Services Infrastructure Services Controls Wells Fargo Technology Controls Cube Security Controls Business Controls Regulatory Controls The Technology Controls Cube defines controls across three dimensions to establish clear accountability and ensure completeness of coverage Controls – Defines the requirement Operations – Defines how the control is implemented and who is responsible for implementing the control Technology Stack – Defines where the control is implemented in the technology stack Applications Data Services Security Services IT Management Services Platform Services Infrastructure Services Operations Tech Stack

Full Stack Automation (FSA) Scope for DevSecOps Controls deployed in a uniform manner across the technology stack by leveraging Full Stack Automation Cross-organizational, engineering practice and capability that breaks down barriers and establishes collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production Encompasses intake to release of software and manages those flows predictably, transparently, and with minimal human intervention/effort – from Sunrise to Sunset Provides built-in security controls through automation of the software development lifecycle along with enablement of security monitoring and integration with cyber threat management

Full Stack Automation (FSA) for DevSecOps IT Management Servceis Supply Chain / Vendor Management Change Management Asset/ Configuration Management Incident, Event/ Problem Management Knowledge Management Release/ Deploy Management IT Financial Management Full Stack Automation Artifact Repository Environment App Infrastructure Platform (middleware) Security Accounts, sub- nets, network isolation, Encryption, IAM IaaS PaaS Virtual Perimeter App CI CD Testing Orchestrator VCS Images Libraries Templates Configs Security Services Application Information Security Cyber Defense Management Center Identity / Access Management Information Security Risk Management Infrastructure Information Security Third Party Information Security Vulnerability Management Workforce Accountability

Controls Security Controls Business Controls Regulatory Controls The Security Controls are a baseline of the FedRAMP controls in NIST SP 800-53 tailored to Wells Fargo’s environment, standards, and responsibilities in developing and maintaining our cloud services. FedRAMP is a highly regarded controls framework in the security and risk community that allows for traceability to our various regulatory requirements and industry-recognized risk management frameworks. The Security Controls form the baseline of controls from which business controls and regulatory controls can be layered. Security Controls Business Controls Regulatory Controls Technical, operational, and managerial controls to identify, mitigate, and manage security risks. Process-oriented controls to ensure the enterprise actualizes the benefits of technology and optimizes costs Industry and regional requirements for conducting certain types of business in certain regions Access Control Audit and Accountability Awareness and Training Security Assessment and Authorization Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Security Planning Personnel Security Risk Assessment System and Services Acquisition System and Communications Protection System and Information Integrity Financial Management and Cost Optimization Customer Engagement and Business Alignment Business Continuity Data Governance GDPR FFIEC PCI SOX

Technology Stack and Operations The “Technology” and “Operations” components of the Technology Controls Cube are in alignment with the services and capabilities outlined in the Wells Fargo IT Service Model and the Wells Fargo IT Capability Model Technology Stack Operations Infrastructure Services Platform Services Applications IT Management Services Security Services Data Services Data Center Data Center Network Physical Compute Virtual Compute Storage End User Devices Logical Network Configuration Operating System Middleware Database Runtime API Custom Applications COTS and Open Source Applications Cloud Service Configuration Collaboration Tools Supply Chain / Vendor Management Change Management Asset and Configuration Management Incident, Event, and Problem Management Knowledge Management Release and Deployment Management Facilities Management IT Financial Management Application Information Security Cyber Defense Management Identity and Access Management Information Protection Information Security Risk Management Infrastructure Information Security Third Party Information Security Vulnerability Management Workforce Accountability Data Governance Data Architecture Transaction Processing Data Integration and Management

Cost of Fixing Defects Across the Lifecycle