FormFire Application and IT Security. White Paper


Contents

Overview
FormFire Corporate Security Policy
Organizational Security
Infrastructure and Security Team
Application Development Team
Operations/Support Team
Data Asset Management
Information Access
Access Control
Personnel Security
Datacenter/Colocation Security
Infrastructure Security
Antivirus
Monitoring
Vulnerability Management
Internal Auditing
External Audits
Incident Management
Network Security
SSL/TLS
Data Encryption
Operating System Security
System Development
Disaster Recovery and Business Continuity
Conclusion

Introduction

Security is fundamental to everything we do at FormFire. Therefore, our application, environments and controls are designed from the ground up with security in mind. FormFire is a digital workflow tool that connects employees, employers, brokers, and medical insurance carriers to application, underwriting, and submission data. The sensitive nature of the data collected demands that the utmost importance be placed on the security and integrity of user data. The purpose of this white paper is to demonstrate how FormFire, LLC meets and exceeds its clients' expectations for data security.

Overview

FormFire's security strategy provides controls at multiple levels of data storage, access, and transfer. The strategy includes the following components:
- FormFire corporate security policies
- Organizational security
- Data asset management
- Personnel security
- Datacenter/colocation security
- Infrastructure security
- Systems and software development and maintenance
- Disaster recovery and business continuity

FormFire Corporate Security Policy

FormFire's commitment to security is outlined in our Employee Code of Conduct and an extensive employee handbook, which outlines how our employees should perform their given duties. These policies cover a wide array of security-related topics, ranging from general policies on account, data, and physical security to specialized policies covering internal applications and systems that every employee must follow. These security policies are periodically reviewed and updated. Employees receive mandatory yearly training on security topics such as best practices for safety while working remotely and safe Internet usage.

Organizational Security

FormFire's support of its application and its customers comprises multiple groups. Each group has different responsibilities, and all work together to enforce the security policies and procedures FormFire has in place to protect our customers' data.

Infrastructure and Security Team

FormFire has a dedicated Infrastructure and Security Team which develops and oversees all aspects of IT security. This team is responsible for supporting FormFire's infrastructure, the hardware and software that runs our application every day. Members of this team maintain all internal and external systems to the specifications defined in FormFire's security policies. They also play an important role in helping to shape and develop those policies and their documentation. Some of the specific responsibilities of this team are as follows:
- Conduct reviews of FormFire's design and documentation and update them as needed.
- Provide support to the development and operations teams on security risks associated with projects.
- Monitor the networks, systems, and applications for suspicious activity and possible security threats.
- Engage third-party security experts to conduct periodic security assessments of FormFire's infrastructure and applications.
- Conduct vulnerability management processes to expose potential problem areas on FormFire's network and ensure that any issues are remediated expediently.
- Monitor all FormFire systems continuously to ensure availability and proper functionality.

Application Development Team

The application development team is responsible for spearheading innovation at FormFire by listening to our customers and adapting our application to their needs. This team embeds security practices into its Agile processes to produce the best and most secure software possible. Agile processes usually do not have distinct Software Development Life Cycle (SDLC) phases, which can make traditional approaches to securely releasing software troublesome.
However, our Agile workflow allows us to properly define all the requirements and risks of a project and then develop, test, and release software securely. It also lets us fix any vulnerabilities quickly. Some of the specific responsibilities of this team are as follows:
- Collaborate with the Infrastructure and Security Team to ensure all designs meet the security standards defined at FormFire.
- Conduct peer and independent code reviews regularly.

- Work with accredited third-party auditors to conduct formal code reviews to ensure no known security flaws are contained in the application.
- Use an extensive test environment to vet any changes to the application for security as well as functionality.

Operations/Support Team

At FormFire we want to make sure the support we give our customers is highly effective and meets their needs, while at the same time protecting them and their data. All operations staff are trained with the mentality that the security of our customers' data is paramount. FormFire has procedures and policies which define how customer data is to be handled and protected while supporting our customers. As the Operations/Support staff are our front line, they interface daily with the Infrastructure and Security Team as well as the Application Development Team to ensure any potential problems or threats are documented and assigned to the appropriate individuals to be handled.

Data Asset Management

FormFire's data assets, which comprise customer and end-user assets as well as corporate data assets, are managed under our security policies and procedures. In addition to specific controls on how data is handled and defined, all FormFire personnel interacting with data assets are thoroughly trained and required to follow those policies and procedures.

Information Access

FormFire has controls and practices in place to protect the security of our customers' information. FormFire's application runs in a distributed environment specifically designed for redundancy and reliability. FormFire's customer data, as well as FormFire's own data, is distributed across a shared infrastructure composed of many homogeneous machines located in multiple geo-redundant data centers.
Our customers' information is stored in different locations throughout the application, and each time one of the application layers or services needs to access this data it must present the appropriate authentication. Among the technologies that broker this authorization are Secure Sockets Layer (SSL) certificates for specific FormFire servers, as well as directory service permissions defined for different parts of the application layer.

All administrative access to the production environment is strictly controlled, and any changes that need to be made must go through a clearly defined change management process with multiple levels of approval. All changes are also peer reviewed to ensure that no potential compromises are introduced into the production environment. All changes to the production environment are logged to ensure a complete audit trail.

FormFire does not allow public access of any sort. Every user must log in using his or her private credentials. Failed attempts are logged, and multiple failures result in the account being locked until the user's identity can be verified by a FormFire staff member. Every FormFire account belongs to the individual. Only authorized FormFire users have access to view or modify an individual's data. Authorized users include only FormFire administrative users who must have access to an individual's data for the purpose of aiding the individual to apply for, or maintain, their medical insurance coverage, or for another expressed purpose.

All activity within FormFire is logged. From the time a user logs in to the time they log out, every action and page viewed is logged and stamped with the time and Internet Protocol (IP) address. Every error encountered in FormFire is logged and analyzed for suspect activity. Should such activity be detected, the user's account is locked and they are contacted directly. Every modification to data stored within FormFire is stored as a revision - this is referred to as Data Revision Tracking (DRT). Should there ever be a dispute about the integrity of data, the DRT logs can construct a complete picture of how the data was modified, when it was modified, and who made the modification.

Access Control

FormFire implements a number of authentication and authorization controls that are designed to protect against unauthorized access. FormFire requires the use of a unique User ID for each employee.
This account is used to identify each person's activity on FormFire's network, including any access to employee or customer data outside of our application. Upon hire, an employee is assigned the User ID and is granted a default set of privileges. At the end of a person's employment, their account's access to FormFire's network is disabled immediately. FormFire also has a password policy in place that outlines and enforces password expiration, restrictions on password reuse, and sufficient password strength. FormFire also requires two-factor authentication at multiple points of entry for our employees to access the application and our customers' information. Access rights and levels are based on an employee's job function and role, using the concepts of least privilege and need-to-know to match access privileges to responsibilities. FormFire employees are only granted a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves the intervention of the management team. Approvals are tracked in a change management system to ensure auditability and consistency in any request for access to our customers' information.

Personnel Security

FormFire employees are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. FormFire will verify an individual's education and previous employment, and perform internal and external reference checks. FormFire also conducts criminal, credit, and security checks. The extent of background checks depends on the desired position.

Upon acceptance of employment at FormFire, all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with the policies in FormFire's Employee Handbook. The confidentiality and privacy of customer information and data is emphasized in the handbook and during new employee orientation training. Employees are provided with security training as part of new hire orientation. In addition, each FormFire employee is required to read, understand, and take a training course on the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA compliance. This training is also conducted on a yearly basis, along with information security training. Depending on an employee's job role, additional security training and policies may apply. FormFire employees handling customer data are required to complete training that outlines the appropriate use of data in conjunction with business processes as well as the consequences of violations. Every FormFire employee is responsible for communicating security and privacy issues to designated management staff.
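The logging, lockout and Data Revision Tracking controls described under Information Access above, as an added example that is not FormFire's code; the lockout threshold, PBKDF2 hashing, the FormStore class, the demo scenario and its sample users are all assumptions made here, not details from the paper:

```python
# Added illustration (not FormFire's code) of three controls from the Information Access
# section: each login attempt is logged with time and IP, repeated failures lock the account
# until a staff member verifies the user (no automatic unlock), and every data change is kept
# as a revision (DRT) so a field's history can be rebuilt. Threshold and hashing are assumed.
from dataclasses import dataclass
from datetime import datetime
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5  # assumed; the paper only says "multiple failures"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

class FormStore:
    def __init__(self) -> None:
        self.accounts = {}      # user_id -> Account
        self.activity_log = []  # every action, time- and IP-stamped
        self.revisions = []     # DRT: (when, who, record, field, old, new) per change
        self.records = {}       # current state of each data record

    def _log(self, user: str, action: str, ip: str, when: datetime) -> None:
        self.activity_log.append({"when": when, "user": user, "ip": ip, "action": action})

    def create_account(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str, ip: str, when: datetime) -> str:
        acct = self.accounts[user_id]
        if acct.locked:  # refused even with the right password until staff verify identity
            self._log(user_id, "login_refused_locked", ip, when)
            return "locked"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            self._log(user_id, "login_failed", ip, when)
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True
                self._log(user_id, "account_locked", ip, when)
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        self._log(user_id, "login_ok", ip, when)
        return "ok"

    def staff_unlock(self, user_id: str, staff_id: str, when: datetime) -> None:
        """The only path out of a lockout: a staff member records the identity check."""
        acct = self.accounts[user_id]
        acct.locked, acct.failed_attempts = False, 0
        self._log(staff_id, "unlock:" + user_id, "internal", when)

    def update_field(self, who: str, record: str, fld: str, value, when: datetime) -> None:
        """Apply a change and keep the prior value as a DRT revision."""
        current = self.records.setdefault(record, {})
        self.revisions.append((when, who, record, fld, current.get(fld), value))
        current[fld] = value

    def field_history(self, record: str, fld: str) -> list:
        """Who changed a field, when, and from what to what, in order."""
        return [(when, who, old, new) for when, who, rec, f, old, new in self.revisions
                if rec == record and f == fld]

    def value_at(self, record: str, fld: str, when: datetime):
        """Reconstruct the value a field held at a given moment."""
        value = None
        for t, _, rec, f, _, new in self.revisions:
            if rec == record and f == fld and t <= when:
                value = new
        return value

def demo() -> dict:
    """Constructed scenario: five bad passwords, a refused correct login, staff unlock, DRT."""
    store = FormStore()
    store.create_account("alice", "correct horse battery")
    t = datetime(2016, 3, 1, 9, 0, 0)
    attempts = [store.login("alice", "wrong", "203.0.113.7", t.replace(minute=i)) for i in range(5)]
    while_locked = store.login("alice", "correct horse battery", "203.0.113.7", t.replace(minute=6))
    store.staff_unlock("alice", "support.bob", t.replace(minute=30))
    after_unlock = store.login("alice", "correct horse battery", "198.51.100.2", t.replace(minute=31))
    store.update_field("alice", "app-42", "dob", "1980-01-01", t.replace(hour=10))
    store.update_field("alice", "app-42", "dob", "1980-01-10", t.replace(hour=11))
    store.update_field("support.bob", "app-42", "dob", "1980-10-01", t.replace(hour=12))
    return {
        "attempts": attempts,
        "while_locked": while_locked,
        "after_unlock": after_unlock,
        "log_actions": [e["action"] for e in store.activity_log],
        "dob_history": store.field_history("app-42", "dob"),
        "dob_at_1130": store.value_at("app-42", "dob", t.replace(hour=11, minute=30)),
    }
```

The point of the scenario is that the correct password is still refused while the account is locked, and that the DRT history names support.bob, not the account owner, as the author of the last change.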
Datacenter/Colocation Security

FormFire's colocation data centers are housed with a best-in-class provider, which operates at the highest level of service and reliability in the industry. FormFire has multiple data centers in different geographical areas. All data center facilities are interconnected with a private 10 Gbps network, which includes access to almost every major ISP available. They also have 24x7x365 on-site monitoring and secure access, multiple man-traps, a security system with card entry and biometric scanning, and cameras with motion detection and recording. Predictive monitoring identifies problems before service is impacted. Redundant electric utility power feeds and 4 auto-cutover diesel generators ensure complete power redundancy for all network services. Each facility includes multiple cooling systems, a 24-inch raised floor and advanced fire suppression. The provider operates reliable data centers that meet a variety of industry and government mandates including HIPAA, PCI DSS, and SOX, supported by third-party SSAE 16/SOC attestation reports.

Infrastructure Security

Antivirus

Malware presents a serious risk to security in today's IT environments. FormFire employs the latest antivirus technologies to constantly scan our network and servers for suspicious files or malware. We also have antivirus built into our application stack, which scans any file uploaded to or generated by the system for malicious payloads.

Monitoring

FormFire's security monitoring program analyzes information gathered from internal network traffic, employee actions on systems, and outside knowledge of vulnerabilities. Internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate malicious activity or a security incident. FormFire uses a combination of open source and commercial tools for traffic capture and parsing. All servers and application layers are also monitored to ensure our application is functioning properly for our customers.

Vulnerability Management

FormFire has a dedicated process for scanning our infrastructure for security threats. Some of these processes are automated and others require manual processing. At FormFire we believe some of these processes are important enough to have an engineer in front of the screen following the process to its completion and making sure we are thoroughly scanning our environments. The Infrastructure and Security Team is responsible for identifying and mitigating vulnerabilities that are discovered. Once a vulnerability has been identified, it is logged and prioritized according to its severity.
The issue is then tracked until remediation is verified.

Internal Auditing

FormFire uses a variety of products to automate daily penetration testing and basic security audits. This ensures that any potential security breach is found and corrected immediately. FormFire staff members regularly audit the system to ensure functionality and the overall security of the system as outlined in this white paper.

External Audits

FormFire contracts with third-party security experts to perform in-depth security audits at least once per year.

Incident Management

FormFire has an incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation.

Network Security

FormFire has instituted a defense-in-depth approach to network security, which includes industry best practices with regard to firewall implementation, network segmentation, and system configuration. The practice includes the following items:
- The use of industry-standard firewall and ACL technology to segregate the network perimeter and internal networks.
- Management of network firewall and ACL rules through a predefined change management and verification process.
- Restriction of access to the production environment to authorized accounts and individuals, who make only changes that have followed the approval process.
- Correlation and examination of actual log data for suspicious activity or exploitation, with alerts to the appropriate individuals upon discovery of such events.
- Application servers are configured to process only HTTP and HTTPS requests. All other Internet protocols are disabled. Non-essential ports and services have been disabled.
- A blended implementation of host-based and network-based intrusion detection systems.

SSL/TLS

All communication between FormFire servers and client computers is conducted using Secure Sockets Layer (SSL) encryption. SSL technology has become the de facto standard for secure communication on the Internet, encrypting data so that unauthorized parties cannot read or modify it during transmission. SSL also uses a digital certificate to verify the identity of entities on the Internet before a user's browser will accept the certificate for encrypting traffic. FormFire uses an Extended Validation SSL Certificate, which is only issued according to a specific verification guideline defined by a consortium of Certificate Authorities (the EV SSL Certificate Guidelines). In addition to encryption, files sent to authorized third-party business associates are password protected and digitally signed. FormFire has developed a proprietary system for collecting human-generated and legally binding electronic signatures. Tamper-proof digital signatures are also applied to all pieces of data sent from FormFire. A complete description of this technology is available in FormFire's eSignature White Paper.

Data Encryption

At FormFire, our customers' data is encrypted not only while in transit but also while at rest. Data at rest is an information technology term referring to inactive data, which is stored physically in any digital form. Whether this inactive information is stored in our database or in our proprietary file system, it is encrypted with only the strongest ciphers, ensuring that our customers' data is safe even when not in use.

Operating System Security

All FormFire servers are built on a standard operating system and deployed with a standard configuration. This includes systems deployed in the extensive testing environment that FormFire's application development team uses to test all code that will be released to production.
All changes to servers or infrastructure follow a process for registering, approving, and tracking changes that could impact these systems. This helps reduce the risk of accidental or unauthorized changes to the production environment.

System Development

FormFire was designed from the ground up to be the most private and secure system possible. Every modification or enhancement to the system must adhere to FormFire's standard of application security, and each modification is tested to ensure compliance. Some of the key components of our Agile software development process are:
- Hyper-defined design documentation is a prerequisite of the security design process. This allows our teams to outline any potential problems or security issues that might arise from the addition of features to our application.
- Our developers are educated with respect to applicable vulnerability patterns and their avoidance.
- A peer review-based development culture that emphasizes the creation of high-quality code supports a secure code base.
- Adherence to FormFire's coding standards policy.
- Paired coding sessions expand the sphere of knowledge of all developers on our team. This broader knowledge increases the potential for individuals to recognize possible security flaws across the code base. Increased awareness of other parts of the system can also contribute to a better overall system design.

FormFire's objective when developing our application is the quality, robustness, and maintainability of the code that we deploy for our customers to use. FormFire's key development staff are all degreed software engineers, each with expertise and experience relating to specific areas of the system as well as security fundamentals. All staff members understand the importance of maintaining a highly secure environment.

Disaster Recovery and Business Continuity

Next to security, availability is of paramount importance to FormFire. To that end, all vital FormFire systems are fully redundant, eliminating any single point of failure. FormFire operates geographically distributed data centers that are designed to maintain service continuity in the event of a disaster.
FormFire data is replicated to multiple systems within the same data center and also replicated to other data center locations. High-speed connections between the data centers facilitate swift failover of the application in the event of a problem. FormFire servers are load-balanced and designed so that if one server fails, the backup will take over automatically and without downtime. All servers use RAID (Redundant Array of Independent Disks) for storage. Power systems are fully redundant, including multiple external power sources, UPSs (uninterruptible power supplies), and four 750 kilowatt generators. These power systems are also tested regularly.

Front-end routers are fed by multiple external gigabit connections and are configured in a high-availability cluster. Backups of all customer information are performed routinely to ensure recoverability in case of catastrophic failure. SQL transaction logs are encrypted and backed up every 15 minutes and replicated offsite in real time. Full backups are performed daily, encrypted, and replicated offsite in real time. Also, to comply with federal regulations, employee data is maintained for a minimum of two years of inactivity, while electronic signatures and accompanying data are stored for seven years. Only authorized personnel handle backups. All restore requests must follow a predefined procedure and approval process.

Conclusion

The security and privacy of data is FormFire's number one concern. We have established a very specific set of protocols and policies to ensure customers' information is protected and available. As threats to web-based applications grow, FormFire is committed to remaining the safest place to store and transact personal and private information.

FormFire


More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

ProjectManager.com Security White Paper

ProjectManager.com Security White Paper ProjectManager.com Security White Paper Standards & Practices www.projectmanager.com Introduction ProjectManager.com (PM) developed its Security Framework to continue to provide a level of security for

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

GiftWrap 4.0 Security FAQ

GiftWrap 4.0 Security FAQ GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Altus UC Security Overview

Altus UC Security Overview Altus UC Security Overview Description Document Version D2.3 TABLE OF CONTENTS Network and Services Security 1. OVERVIEW... 1 2. PHYSICAL SECURITY... 1 2.1 FACILITY... 1 ENVIRONMENTAL SAFEGUARDS... 1 ACCESS...

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS aims to provide the most secure, the most private, and

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

CONTENTS. Security Policy

CONTENTS. Security Policy CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and timeconsuming travel,

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

SAS 70 Type II Audits

SAS 70 Type II Audits Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Secure, Scalable and Reliable Cloud Analytics from FusionOps White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...

More information

StratusLIVE for Fundraisers Cloud Operations

StratusLIVE for Fundraisers Cloud Operations 6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace

More information

CounselorMax and ORS Managed Hosting RFP 15-NW-0016

CounselorMax and ORS Managed Hosting RFP 15-NW-0016 CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting

More information

QuickBooks Online: Security & Infrastructure

QuickBooks Online: Security & Infrastructure QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Salesforce Security, Privacy and Architecture Documentation

Salesforce Security, Privacy and Architecture Documentation Salesforce.com: Winter 14 Salesforce Security, Privacy and Architecture Documentation Last updated: November 30, 2013 Copyright 2000 2013 salesforce.com, inc. All rights reserved. Salesforce.com is a registered

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

RL Solutions Hosting Service Level Agreement

RL Solutions Hosting Service Level Agreement RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

TOP SECRETS OF CLOUD SECURITY

TOP SECRETS OF CLOUD SECURITY TOP SECRETS OF CLOUD SECURITY Protect Your Organization s Valuable Content Table of Contents Does the Cloud Pose Special Security Challenges?...2 Client Authentication...3 User Security Management...3

More information

BEST PRACTICES FOR COMMERCIAL COMPLIANCE

BEST PRACTICES FOR COMMERCIAL COMPLIANCE BEST PRACTICES FOR COMMERCIAL COMPLIANCE [ BEST PRACTICES FOR COMMERCIAL COMPLIANCE ] 2 Contents OVERVIEW... 3 Health Insurance Portability and Accountability Act (HIPAA) of 1996... 4 Sarbanes-Oxley Act

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

HOW MX PROTECTS YOUR DATA

HOW MX PROTECTS YOUR DATA HOW MX PROTECTS YOUR DATA Overview MX is passionate about and dedicated to protecting, safeguarding, and securing customer data. To do so, MX has established a strong security program supported by a comprehensive

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information