Retention & Destruction

Transcription

1 Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of Client Data All data sent to WealthEngine by clients ( Client Data ) for data screening processing is destroyed 120 days after the processing has been completed unless the client has requested in writing a longer retention period. Hard copies of Client Data and other sensitive information are shredded and disposed of. A client s data can only be returned to a client if the client makes a written request to WealthEngine within 120 days of client s receipt of the data screening results. Online search results performed by a client through WealthEngine s online portal are retained within the portal for the duration of the client s subscription. Clients can delete any search results at their discretion; therefore, the retention policy is controlled by the client based on their requirements. All online search results stored in the portal are destroyed 120 days after the expiration or termination of a the client s subscription,. Third Party Access Client Data is maintained exclusively within WealthEngine s security environment except in limited situations. Certain limited data enhancement services are provided by third party data providers. In these cases the provider being used is enumerated in the contract with the client. Client Data is transferred to and returned by the provider via secure encrypted methods. Third party vendors who have access to Client Data are subject to contractual agreements whereby such vendors agree to be bound by security policies and procedures no less rigorous than those of the Company. Security Environment Secure Areas All hardware hosted internally in the Company s headquarters office is protected within a locked data center to which only technical staff has access. The building has motion detectors for the alarm system that is connected to a third party security monitoring vendor and the Montgomery County (Maryland) Police Department. All hardware hosted externally in a third party co-location data center is housed in a locked cage within a secured, disaster-proof building. The exterior of the building is monitored by video cameras to detect unauthorized activities for 24-hour surveillance. All visitors enter WealthEngine buildings through reception areas. Once they pass these areas, employees escort visitors throughout the buildings to ensure that they do not gain access to unauthorized areas. Any internal secure areas are locked to prevent unauthorized access. Page 1

2 Equipment Security and Disaster Recovery Servers are backed up on a nightly basis and mirrored to duplicate servers to ensure recovery of all data in case of disaster. A fire suppression system and fire extinguishers are located throughout both internal and external data centers. Multiple pull locations exist that trigger the system to spray water throughout the building. All power in WealthEngine buildings come from the same grid and distributed throughout the buildings from the same location. All systems in the internal data center are attached to a UPS system that runs constantly. If the power were to go out, the UPS systems would come on automatically and supply power to the data center. The external data center location has back-up power from multiple sources to provide uninterrupted service. WealthEngine s internal data center has a cooling system. A separate, free-standing air conditioning unit is used to provide additional cooling to all systems in the data center. A thermometer is used and monitored throughout the day to detect heat variances. The external data center has redundant cooling systems. Network Management The network usage and availability is monitored by WealthEngine personnel as well as a third party vendor. Reports on network performance are provided real time and on demand as needed. Intrusion detection systems identify, log and alert on attacks as they occur. Centralized logging and log filtering techniques are used in addition to network-based IDS. The IDS in use is integrated with our firewall. When a new intrusion attack is identified, the attack signature is acknowledged and recorded to prevent future attacks. Critical systems and applications are properly segmented to provide security and traffic oversight. Required management traffic passes over well-segmented management networks, incorporating strong encryption and authentication, where possible. All operating system events are logged in the server event logs. Capacity Planning and Performance Monitoring All servers are continually monitored to ensure that their performance is acceptable to maintain system capacity levels. On a quarterly basis, the IT management team reviews our capacity levels based on current and projected usage and the growth of data. The IT staff performs an analysis of single point of failure on equipment and network prior to deployment. All web and database servers have failover and redundancy. Protection Against Malicious Software and Loss Only IT administrators have access to install software on equipment. All machines in the environment have antivirus protection to ensure that malicious software does not enter the environment. WealthEngine employs an antivirus suite and host-based firewall on all servers and workstations. Full scans of the servers are performed on a weekly basis and real-time scanning is employed for read/writes to the server files. IT administrators receive CERT and other advisories to stay current on vulnerabilities. Page 2

3 Exchanges of Information and Software WealthEngine uses standard, secure data transfer methods that include SSL and SSH. Files are encrypted with PGP encryption keys upon request. All desktop and laptop hard drives are encrypted as well as any servers used to store Client Data. Once the data is no longer needed for this purpose, it is securely destroyed. Although WealthEngine s preferred method of data transfer is SFTP, clients do submit sensitive data to us via . WealthEngine has secure policies in which all employees are educated on what information can and cannot be transmitted via . Any data that is submitted via is saved to WealthEngine s internal servers and the containing the data is destroyed. Change Management for Systems and Applications Prior to applying any change to our network, hardware, software and applications, the changes are reviewed for applicability and appropriateness. All changes are evaluated for potential risks to the availability and security of our systems. Where appropriate, WealthEngine executive management is consulted prior to proceeding. Once a change is approved, all changes are fully tested in our test environments before being rolled into production. Changes are normally applied during regular maintenance windows. All customers are notified of changes and development projects in our monthly newsletter and via announcements on our website during the login process. Data Changes: WealthEngine acquires data from a wide variety of sources. All primary data providers perform their own quality checks prior to sending data to WealthEngine. However, prior to loading any new data or applying data updates, WealthEngine performs a robust series of quality checks to validate the format of the data records. Software Changes, Operating System, Database, and Application: All testing is conducted in a test environment. Tests are then applied to a replica of our production environment and then scheduled for full release into the production environment. Client supplied data is not used for testing. The exception to this is when WealthEngine staff is working to resolve an issue raised by a client and must use their data to recreate the issue. Only IT team members using the test environment have access to the data. Source code for our applications is tightly controlled and managed. Source code is maintained and managed in a source code management system. Permissions to access, check out, or check in source code is maintained by senior engineering management team. Source code is backed up nightly and copies are stored in secure off-sight facilities. Hardware Changes: All changes to hardware components or configuration settings are handled by senior staff members only. These settings are changed on an as needed basis with significant impact assessments performed. Outages caused by inadvertent changes are highly noticeable based on high volume client usage at any given time. WealthEngine maintains manufacturers warranties and service level agreements with 4 hour replacement parts terms on all hardware equipment. Hardware is closely monitored for exceptions, errors and outages. Page 3

4 Technical Architecture All systems that are accessible from the internet are segregated from internal systems by placing them in a DMZ. The DMZ is on a different physical network and is firewalled. The firewall is configured to all only those inbound ports that are required for normal business operations. There are specific instances where a host in the DMZ must communicate with a host on the internal network, an application server querying a database, for instance. In these cases the firewall rules are configured to allow only the specific ports needed to allow that communication. The firewall configuration is periodically reviewed to ensure that it meets with industry best practices. Business Continuity Management The CEO is responsible for business continuity management along with the executive management team. We have undertaken steps to document and plan for the continuation of our business and the services we provide our clients in the event of local or regional disasters. No disaster recovery events have occurred to date. Clients would be notified via , mail or telephone should any disaster recovery plans be initiated. B. Employee Access; Confidentiality Employee Confidentiality and Awareness All employees are required to sign and adhere to WealthEngine s confidentiality policy. This policy states, in part Employee shall not at any time or in any manner, either directly or indirectly, divulge, disclose or communicate to any person, firm, corporation, or other entity in any manner whatsoever any information concerning any matters affecting or relating to the business of employer, including but not limited to any of its clients All employees are given a copy of this Security Policy and are aware of the procedures used to ensure a secure environment. All employees are instructed to report security incidents and technical malfunctions to the IT team immediately. All employees are reminded via a login splash screen on their computer of our confidentiality policy and the need to adhere to our data protection policies every time they log into any WealthEngine system. All new employees are subject to a background check prior to joining WealthEngine. Operational Procedures and Responsibilities WealthEngine maintains its own IT and development staff. On an as needed basis, these employees are trained on new systems, or upgrades to existing systems. There is an average of 13 years experience by the systems and network management personnel. Additionally, WealthEngine has a service contract with a third party vendor to perform remote round-the-clock monitoring and management of our network. Their engineers have limited access to the WealthEngine firewalls, routers, and Windows domain / Active Directory. They do not have access rights to any WealthEngine services (including Client Data) or encryption keys. Access rights are restricted to our firewalls, networks, and Windows domain / Active Directory. Page 4

5 Each server build is configured according to our security standards and updated to provide new security patches as available. All servers are hardened during the build process and updated as needed. We follow best practice guidelines published by the SANS Institute, Center for Internet Security, and the National Institute for Standards and Technology. There is a segregation of duties to ensure that operational personnel do not have excessive network access. Only IT administrators have access to secured servers. WealthEngine has a separate Client Service team that provides support to both internal and external inquiries about access to and use of our services. WealthEngine maintains a detailed inventory of all physical and logical assets (e.g. hardware, software, databases, and applications). Employee Access Control Authorization functionality enables administrators to group employees into roles, and defines specific permissions for each role based on least required privilege. User access privileges are reviewed for appropriateness as needed. IT administrators are responsible for password management (e.g. creation, resets) on system resources. All servers are protected from use by employees other than those on the technical development team needing access for production purposes. Servers use the enhanced password requirements that include minimum length, change intervals, history, etc. Enforced paths are used to keep users from accessing unnecessary network devices. All operating system events are logged in the server event logs. Remote employees whose job function requires access to client data gain access to WealthEngine s internal network via VPN that uses Windows Active Directory authentication. Application Access and Security Because WealthEngine s services are either stand-alone databases with no access to a central storage location where other Client Data is housed, or a web-based service that does not provide an interface for administrative access, no external (client) users have the ability to access internal systems resources. Online client account access is protected with login credentials that are only shared with the organization s main point of contact and those designated as approved account users. There is a time-out function on the web-based product to log out a user after a certain length of inactivity. External client accounts are created by the appropriate Customer Service account representative. The Customer Service team manages the process of resetting passwords upon request from clients. Application and database events, such as user login, are stored in our database. WealthEngine has a cryptography policy which dictates the required cryptographic controls that include using PGP encryption on any mobile devices that may contain sensitive information, and for file transmission as requested by clients. Page 5

6 C. Policy Oversight The Company s CEO and CFO are responsible for monitoring legal regulations that affect our business, including, among other regulations, Health Insurance Portability and Accountability Act of 1996 ( HIPAA ). We closely monitor any changes to HIPAA and other regulations that would affect our operations. We work closely with our clients to ensure that we follow any regulations that are required of them which may be industry or state and local mandates. The company s external privacy policy is posted on our website at WealthEngine performs periodic (at least annually) internal reviews of our security policy, technical compliance, and regulatory compliance matters. The Senior VP of Products and the Chief Security Officer (CSO) manage the security policies to ensure they are enforced through periodic reviews to determine what updates are necessary. The CEO approves all Company security policies. The policies are reviewed on an as-needed basis but at least once a year. D. Contacting Us If you have any questions about this Security Policy, please contact us at: WealthEngine, Inc East West Highway, Suite 950 Bethesda, MD Tele info@ Page 6