Retention & Destruction



Similar documents
Supplier Information Security Addendum for GE Restricted Data

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

System Security Plan University of Texas Health Science Center School of Public Health

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SITECATALYST SECURITY

Understanding Sage CRM Cloud

HIPAA Security Alert

Hosted Testing and Grading

Security Whitepaper: ivvy Products

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Central Agency for Information Technology

1 Introduction 2. 2 Document Disclaimer 2

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Supplier Security Assessment Questionnaire

Supplier IT Security Guide

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Security Controls for the Autodesk 360 Managed Services

GE Measurement & Control. Cyber Security for NEI 08-09

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Payment Card Industry Self-Assessment Questionnaire

CYBER SECURITY POLICY For Managers of Drinking Water Systems

FormFire Application and IT Security. White Paper

Data Management Policies. Sage ERP Online

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

UCS Level 2 Report Issued to

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Policy

Controls for the Credit Card Environment Edit Date: May 17, 2007

Autodesk PLM 360 Security Whitepaper

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Newcastle University Information Security Procedures Version 3

Print4 Solutions fully comply with all HIPAA regulations

IT Security Standard: Computing Devices

Support for the HIPAA Security Rule

IBX Business Network Platform Information Security Controls Document Classification [Public]

Network and Security Controls

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CHIS, Inc. Privacy General Guidelines

Keyfort Cloud Services (KCS)

A Rackspace White Paper Spring 2010

IaaS Request for Proposal Template

Network Security Guidelines. e-governance

BKDconnect Security Overview

Hosted Exchange. Security Overview. Learn More: Call us at

Information Technology Branch Access Control Technical Standard

PCI DSS Requirements - Security Controls and Processes

SaaS Security for the Confirmit CustomerSat Software

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Music Recording Studio Security Program Security Assessment Version 1.1

Hang Seng HSBCnet Security. May 2016

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Information Technology General Controls And Best Practices

Tk20 Network Infrastructure

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Vendor Questionnaire

Specific observations and recommendations that were discussed with campus management are presented in detail below.

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

GoodData Corporation Security White Paper

Telemedicine HIPAA/HITECH Privacy and Security

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

Procedure Title: TennDent HIPAA Security Awareness and Training

On-Site Computer Solutions values these technologies as part of an overall security plan:

Work With Genesis Insurance Company

Enterprise Security Model in SAS Environment

PCI Requirements Coverage Summary Table

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

How To Protect Your School From A Breach Of Security

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

QAD CLOUD EDI PROGRAM DOCUMENT

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Standard: Network Security

LogRhythm and PCI Compliance

How To Protect Research Data From Being Compromised

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Client Security Risk Assessment Questionnaire

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

HIPAA Privacy and Security Risk Assessment and Action Planning

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Birst Security and Reliability

White Paper. Support for the HIPAA Security Rule PowerScribe 360

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

1B1 SECURITY RESPONSIBILITY

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Vendor Audit Questionnaire

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Best Practices For Department Server and Enterprise System Checklist

Transcription:

Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of Client Data All data sent to WealthEngine by clients ( Client Data ) for data screening processing is destroyed 120 days after the processing has been completed unless the client has requested in writing a longer retention period. Hard copies of Client Data and other sensitive information are shredded and disposed of. A client s data can only be returned to a client if the client makes a written request to WealthEngine within 120 days of client s receipt of the data screening results. Online search results performed by a client through WealthEngine s online portal are retained within the portal for the duration of the client s subscription. Clients can delete any search results at their discretion; therefore, the retention policy is controlled by the client based on their requirements. All online search results stored in the portal are destroyed 120 days after the expiration or termination of a the client s subscription,. Third Party Access Client Data is maintained exclusively within WealthEngine s security environment except in limited situations. Certain limited data enhancement services are provided by third party data providers. In these cases the provider being used is enumerated in the contract with the client. Client Data is transferred to and returned by the provider via secure encrypted methods. Third party vendors who have access to Client Data are subject to contractual agreements whereby such vendors agree to be bound by security policies and procedures no less rigorous than those of the Company. Security Environment Secure Areas All hardware hosted internally in the Company s headquarters office is protected within a locked data center to which only technical staff has access. The building has motion detectors for the alarm system that is connected to a third party security monitoring vendor and the Montgomery County (Maryland) Police Department. All hardware hosted externally in a third party co-location data center is housed in a locked cage within a secured, disaster-proof building. The exterior of the building is monitored by video cameras to detect unauthorized activities for 24-hour surveillance. All visitors enter WealthEngine buildings through reception areas. Once they pass these areas, employees escort visitors throughout the buildings to ensure that they do not gain access to unauthorized areas. Any internal secure areas are locked to prevent unauthorized access. Page 1

Equipment Security and Disaster Recovery Servers are backed up on a nightly basis and mirrored to duplicate servers to ensure recovery of all data in case of disaster. A fire suppression system and fire extinguishers are located throughout both internal and external data centers. Multiple pull locations exist that trigger the system to spray water throughout the building. All power in WealthEngine buildings come from the same grid and distributed throughout the buildings from the same location. All systems in the internal data center are attached to a UPS system that runs constantly. If the power were to go out, the UPS systems would come on automatically and supply power to the data center. The external data center location has back-up power from multiple sources to provide uninterrupted service. WealthEngine s internal data center has a cooling system. A separate, free-standing air conditioning unit is used to provide additional cooling to all systems in the data center. A thermometer is used and monitored throughout the day to detect heat variances. The external data center has redundant cooling systems. Network Management The network usage and availability is monitored by WealthEngine personnel as well as a third party vendor. Reports on network performance are provided real time and on demand as needed. Intrusion detection systems identify, log and alert on attacks as they occur. Centralized logging and log filtering techniques are used in addition to network-based IDS. The IDS in use is integrated with our firewall. When a new intrusion attack is identified, the attack signature is acknowledged and recorded to prevent future attacks. Critical systems and applications are properly segmented to provide security and traffic oversight. Required management traffic passes over well-segmented management networks, incorporating strong encryption and authentication, where possible. All operating system events are logged in the server event logs. Capacity Planning and Performance Monitoring All servers are continually monitored to ensure that their performance is acceptable to maintain system capacity levels. On a quarterly basis, the IT management team reviews our capacity levels based on current and projected usage and the growth of data. The IT staff performs an analysis of single point of failure on equipment and network prior to deployment. All web and database servers have failover and redundancy. Protection Against Malicious Software and Loss Only IT administrators have access to install software on equipment. All machines in the environment have antivirus protection to ensure that malicious software does not enter the environment. WealthEngine employs an antivirus suite and host-based firewall on all servers and workstations. Full scans of the servers are performed on a weekly basis and real-time scanning is employed for read/writes to the server files. IT administrators receive CERT and other advisories to stay current on vulnerabilities. Page 2

Exchanges of Information and Software WealthEngine uses standard, secure data transfer methods that include SSL and SSH. Files are encrypted with PGP encryption keys upon request. All desktop and laptop hard drives are encrypted as well as any servers used to store Client Data. Once the data is no longer needed for this purpose, it is securely destroyed. Although WealthEngine s preferred method of data transfer is SFTP, clients do submit sensitive data to us via email. WealthEngine has secure email policies in which all employees are educated on what information can and cannot be transmitted via email. Any data that is submitted via email is saved to WealthEngine s internal servers and the email containing the data is destroyed. Change Management for Systems and Applications Prior to applying any change to our network, hardware, software and applications, the changes are reviewed for applicability and appropriateness. All changes are evaluated for potential risks to the availability and security of our systems. Where appropriate, WealthEngine executive management is consulted prior to proceeding. Once a change is approved, all changes are fully tested in our test environments before being rolled into production. Changes are normally applied during regular maintenance windows. All customers are notified of changes and development projects in our monthly newsletter and via announcements on our website during the login process. Data Changes: WealthEngine acquires data from a wide variety of sources. All primary data providers perform their own quality checks prior to sending data to WealthEngine. However, prior to loading any new data or applying data updates, WealthEngine performs a robust series of quality checks to validate the format of the data records. Software Changes, Operating System, Database, and Application: All testing is conducted in a test environment. Tests are then applied to a replica of our production environment and then scheduled for full release into the production environment. Client supplied data is not used for testing. The exception to this is when WealthEngine staff is working to resolve an issue raised by a client and must use their data to recreate the issue. Only IT team members using the test environment have access to the data. Source code for our applications is tightly controlled and managed. Source code is maintained and managed in a source code management system. Permissions to access, check out, or check in source code is maintained by senior engineering management team. Source code is backed up nightly and copies are stored in secure off-sight facilities. Hardware Changes: All changes to hardware components or configuration settings are handled by senior staff members only. These settings are changed on an as needed basis with significant impact assessments performed. Outages caused by inadvertent changes are highly noticeable based on high volume client usage at any given time. WealthEngine maintains manufacturers warranties and service level agreements with 4 hour replacement parts terms on all hardware equipment. Hardware is closely monitored for exceptions, errors and outages. Page 3

Technical Architecture All systems that are accessible from the internet are segregated from internal systems by placing them in a DMZ. The DMZ is on a different physical network and is firewalled. The firewall is configured to all only those inbound ports that are required for normal business operations. There are specific instances where a host in the DMZ must communicate with a host on the internal network, an application server querying a database, for instance. In these cases the firewall rules are configured to allow only the specific ports needed to allow that communication. The firewall configuration is periodically reviewed to ensure that it meets with industry best practices. Business Continuity Management The CEO is responsible for business continuity management along with the executive management team. We have undertaken steps to document and plan for the continuation of our business and the services we provide our clients in the event of local or regional disasters. No disaster recovery events have occurred to date. Clients would be notified via email, mail or telephone should any disaster recovery plans be initiated. B. Employee Access; Confidentiality Employee Confidentiality and Awareness All employees are required to sign and adhere to WealthEngine s confidentiality policy. This policy states, in part Employee shall not at any time or in any manner, either directly or indirectly, divulge, disclose or communicate to any person, firm, corporation, or other entity in any manner whatsoever any information concerning any matters affecting or relating to the business of employer, including but not limited to any of its clients All employees are given a copy of this Security Policy and are aware of the procedures used to ensure a secure environment. All employees are instructed to report security incidents and technical malfunctions to the IT team immediately. All employees are reminded via a login splash screen on their computer of our confidentiality policy and the need to adhere to our data protection policies every time they log into any WealthEngine system. All new employees are subject to a background check prior to joining WealthEngine. Operational Procedures and Responsibilities WealthEngine maintains its own IT and development staff. On an as needed basis, these employees are trained on new systems, or upgrades to existing systems. There is an average of 13 years experience by the systems and network management personnel. Additionally, WealthEngine has a service contract with a third party vendor to perform remote round-the-clock monitoring and management of our network. Their engineers have limited access to the WealthEngine firewalls, routers, and Windows domain / Active Directory. They do not have access rights to any WealthEngine services (including Client Data) or encryption keys. Access rights are restricted to our firewalls, networks, and Windows domain / Active Directory. Page 4

Each server build is configured according to our security standards and updated to provide new security patches as available. All servers are hardened during the build process and updated as needed. We follow best practice guidelines published by the SANS Institute, Center for Internet Security, and the National Institute for Standards and Technology. There is a segregation of duties to ensure that operational personnel do not have excessive network access. Only IT administrators have access to secured servers. WealthEngine has a separate Client Service team that provides support to both internal and external inquiries about access to and use of our services. WealthEngine maintains a detailed inventory of all physical and logical assets (e.g. hardware, software, databases, and applications). Employee Access Control Authorization functionality enables administrators to group employees into roles, and defines specific permissions for each role based on least required privilege. User access privileges are reviewed for appropriateness as needed. IT administrators are responsible for password management (e.g. creation, resets) on system resources. All servers are protected from use by employees other than those on the technical development team needing access for production purposes. Servers use the enhanced password requirements that include minimum length, change intervals, history, etc. Enforced paths are used to keep users from accessing unnecessary network devices. All operating system events are logged in the server event logs. Remote employees whose job function requires access to client data gain access to WealthEngine s internal network via VPN that uses Windows Active Directory authentication. Application Access and Security Because WealthEngine s services are either stand-alone databases with no access to a central storage location where other Client Data is housed, or a web-based service that does not provide an interface for administrative access, no external (client) users have the ability to access internal systems resources. Online client account access is protected with login credentials that are only shared with the organization s main point of contact and those designated as approved account users. There is a time-out function on the web-based product to log out a user after a certain length of inactivity. External client accounts are created by the appropriate Customer Service account representative. The Customer Service team manages the process of resetting passwords upon request from clients. Application and database events, such as user login, are stored in our database. WealthEngine has a cryptography policy which dictates the required cryptographic controls that include using PGP encryption on any mobile devices that may contain sensitive information, and for file transmission as requested by clients. Page 5

C. Policy Oversight The Company s CEO and CFO are responsible for monitoring legal regulations that affect our business, including, among other regulations, Health Insurance Portability and Accountability Act of 1996 ( HIPAA ). We closely monitor any changes to HIPAA and other regulations that would affect our operations. We work closely with our clients to ensure that we follow any regulations that are required of them which may be industry or state and local mandates. The company s external privacy policy is posted on our website at http://www./privacy-policy. WealthEngine performs periodic (at least annually) internal reviews of our security policy, technical compliance, and regulatory compliance matters. The Senior VP of Products and the Chief Security Officer (CSO) manage the security policies to ensure they are enforced through periodic reviews to determine what updates are necessary. The CEO approves all Company security policies. The policies are reviewed on an as-needed basis but at least once a year. D. Contacting Us If you have any questions about this Security Policy, please contact us at: WealthEngine, Inc. 4330 East West Highway, Suite 950 Bethesda, MD 20814 Tele. 301-215-5980 Email: info@ Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information