Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Transcription

1 Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational Management Controls... 5 Legal and Regulatory Compliance... 5 Terminology... 6 Page 1 of 6 (Last updated 27 April 2017)

2 Security Overview of the Connect Application This data sheet summarises the security controls for Marsh & McLennan Companies Connect Application. The content of this document is confidential, not to be released without a covering non-disclosure agreement. The data sheet should not be used after 31 July What is Connect? Connect (referred to as an 'extranet') is our global web-based tool which provides a central, easily accessible repository for information relating to the client and the work we do for them over time. It has been designed to facilitate project management and encourage relationship building through enhanced communication and collaboration with individual clients on a oneto-one basis. Connect is used by internal Marsh & McLennan Companies staff, as well as external clients and is owned by Mercer Services. The Connect application is built on eroom application software that is purchased from EMC. The eroom software is internally branded as Connect. The Connect application runs on HP hardware platforms with Microsoft Windows 2008 Operating System. The front end Web server hosts the Connect application and the backend database server hosts Microsoft SQL Server 2008 and supporting databases. All server hardware is currently located in the Dallas, TX Data Center. The Connect application can be used by Marsh & McLennan Companies and external clients to host most any type of data. The data can be stored in the form of files posted to the site or in Connect objects such as databases, calendars, etc. All data posted to Connect sites is done so at the data owner s discretion. The data can include personally identifiable information or sensitive financial or business information. Data is primarily posted to the Connect site via the Web based interface. The eroom plug-in can also be installed for enhanced functionality. Data stored on the Connect File Store and the SQL databases is encrypted at rest. In addition to providing enhanced Connect functionality, the eroom Plug-in also provides enhanced security features. The Plug-in provides basic encryption, which is augmented by the use of TLS v1.2 via a secure URL. For example, the transmission of data to and from the Connect site is encrypted. Once authenticated to the Connect Server, a random session ID is generated to serve as a secure key for the duration of the session. A Connect Session remains in place until 30 minutes of inactivity has elapsed or the Browser Session is closed. When 30 minutes of inactivity are reached, the user will be prompted to reenter their password before proceeding. Mercer s parent company, Marsh & McLennan Companies has established information security internal controls designed to protect the confidentiality, integrity and availability of clients information. The security controls are outlined in the next sections in this document. Further information can be found in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Client/Relationship Manager. Physical Access Controls The Connect application including client data is hosted in Marsh & McLennan Companies regional data centre located in Dallas, Texas. Page 2 of 6 (Last updated 27 April 2017)

3 Marsh & McLennan Companies Data Centre security uses multi-layered security controls. These include a secure, fenced perimeter and CCTV outside and inside the centre. CCTV images are monitored and recorded. Entry controls to both data centres and office buildings is controlled via security access card for Marsh & McLennan Companies staff and formal access control systems for recording and controlling visitor access. Equipment raised floor areas have additional access controls which includes biometric security in some cases. Network security is managed by Marsh & McLennan Companies. More information can be found in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager. User Access Controls User Authentication & Site Access All Connect participants are assigned their own unique user name and password, and are asked not to share this information. When the eroom Plug-in is installed, the user name and password is encrypted before being sent to the Connect Server. Once the Server has authenticated the user, a Connect site Session ID is created and passed to the Browser. (Note when using only the Browser interface, the user name and password is also encrypted by the eroom session. Use of the eroom plug-in is the recommended practice.) User accounts for a Connect site are managed by the Site Coordinator or a member of the Connect Administration Team. Coordinators notify members via invitation when they are added to a site. For non-mercer Members only, password policies are in place to force a password reset upon initial login. Passwords will expire every three months, the minimum password length is eight characters and complex passwords are required. Mercer members authenticate to Connect via their Network (Active Directory) credentials. These passwords cannot be accessed or reset by the Connect Administration Team. Both Network and Connect passwords are structured according to corporate passwords standards (length, complexity, enforced change, and prevention of re-use). Formal processes are used to control requests for system access. For non-mercer members, Connect sites provide a Password Recovery utility. All Connect login pages have a Forget your password? link. When the link is selected, the user is prompted to enter the address they used to register with the site and click the OK button. The user is then sent an message which contains a URL link to a Connect page where the user is prompted for an answer to the security question they chose, when they first accessed a Connect site, then creates a new password which allows the user to access the system again. In the event an automatic password recovery is not possible, members should first escalate the issue to their Site Coordinator. If the Site Coordinator cannot resolve the issue, it can then be escalated to the Connect Administration team. Member accounts are periodically reviewed and updated by Site Coordinators and the Connect Administration team. Mercer accounts, which are populated via an Active Directory, are automatically removed from Connect sites when the corresponding account is removed from the Active Directory. Non-Mercer accounts must be removed by the Site Coordinator in the individual Connect site, or by the Connect Team from all Connect sites. Access to Connect requires an approved Internet browser and a valid login name and password. Access to all sites requires a secure TLS v1.23 URL ( All Connect sites have a unique URL, but all sites can also be accessed using a single portal URL. Page 3 of 6 (Last updated 27 April 2017)

4 Connect sites also provide a logout feature. A logout button is visible in the upper right navigation. When the logout button is clicked, all temporary files and eroom plug-in settings are removed. Upon subsequent logins, the user will again be asked if they wish to use the eroom plug-in. Upon successful authentication to a Connect site, the eroom server generates a random session ID that serves as a secure key for the duration of the session. As long as activity takes place on the Connect site, the session will remain active. In the event there is no activity on the Connect site for a period of 30 minutes, the session will automatically expire. If this happens, it will be necessary to authenticate to the site again. All session information between the user computer and the server is destroyed when the browser window is closed. Access Control The Connect client and/or Marsh & McLennan Companies can limit access to a Connect site to only select team members. Once successfully authenticated into a Connect site, Access Control can also be used to control or limit access to individual items on the site. Access Control is fully implemented at the site level. Even in the unlikely event the client user account was compromised or the server is being spoofed, the server will enforce access. No matter which user is talking to the server, the user will only be able to access or modify information to which the specific logged-in user has rights - this is because the server will never allow any operation that the user does not have rights to perform. Access Control schemas are the responsibility of the site owners and coordinators. The default access control for any given items rests with the item s creator. Careful consideration should be given when determining access control levels, as there are potential ramifications to site access. The Account Locking feature locks user accounts following multiple failed login attempts. Accounts are locked after five failed login attempts within a ten minute time span. Accounts can be manually unlocked by an Administrator. Accounts are also locked after three failed attempts to recover a forgotten password. For more information, please refer to section IT and Information Security in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager. Systems Architecture The Marsh & McLennan Companies Connect environment consists of one physical File Store Server, three virtual Web Server, and three Application Index servers which provide the services necessary to support Connect, and an MS SQL Database Server, supporting the Connect database features. Version 7 servers reside on HP hardware running the Microsoft Windows 2008 Operating Systems. The front end Web servers host the Connect application and the backend database server hosts Microsoft SQL Server 2008 and supporting databases. All server hardware is currently located in the Dallas, TX Data Center. The HP hardware is equipped with redundant power supplies, redundant network interface cards and RAID storage devices. Each Server is located in the Dallas Data Center and supported 24 X 7 by Marsh & McLennan Companies Global Technology Infrastructure (MGTI). Page 4 of 6 (Last updated 27 April 2017)

5 Connect is a Windows application for use within Marsh & McLennan Companies. It is available via Internet connected computers with an approved Internet browser. Marsh & McLennan Companies protects its internal infrastructure through the use of multiple redundant firewalls, anti-virus on all PCs, Windows servers and gateways, with daily signature updates. Servers hosting the Connect application are managed by Marsh & McLennan Companies and are updated and patched in line with vendor recommendations. New infrastructure is configured using Marsh & McLennan Companies standard OS builds for desktop and server environments. Application Development The Connect application is based on software (eroom) that has been purchased by Mercer from EMC. As a result, Mercer does not perform Application Development for the eroom software. The eroom product does have an API (Application Program Interface) that can be used to enhance and customize the eroom product. Some customizations have been made to reflect Marsh & McLennan Companies internal branding and to present Marsh & McLennan Companies specific verbiage on site pages. All application updates are approved by a management steering committee. Changes to the live production environment are managed by Mercer s formal change control procedure. Business Continuity Management Every Marsh & McLennan Companies office is required to develop and maintain a Business Continuity Plan to ensure continued availability of essential client services. For more information, please refer to section Business Resilience and Disaster Recovery in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager. Other Operational Management Controls The Connect application is further protected by operational management controls that protect all of Marsh & McLennan Companies information technology systems, which include but are not limited to: Enterprise firewalls, VLANs, and layered DMZ architectures used to help protect systems from intrusion and limit the scope of any successful attack. Intrusion Detection Systems and other traffic and event correlation procedures which are implemented, maintained and monitored 24x7. Multi-tiered anti-virus and anti-spyware program which is in place for and network gateways, servers, and desktops. Anti-virus signatures are updated daily. Back-up and recovery programs to ensure the effective back-up of data and recovery of the systems in the event of a system failure or data center outage. Formal change management processes which require that all systems and configuration changes be logged, reviewed, approved and monitored. Security audits and reviews which are performed through a variety of processes including as part of annual reviews conducted by Marsh & McLennan Companies internal Audit department, and through routine risk assessments and system reviews. Legal and Regulatory Compliance The Connect Legal Notice can be viewed at the following URL: Page 5 of 6 (Last updated 27 April 2017)

6 Terminology CCTV Closed Circuit Television (CCTV) is a visual surveillance technology designed for monitoring a variety of environments and activities. eroom Plug-In The eroom Plug-in can be installed on workstations to provide enhanced functionality for Connect. These features include double click editing, drag and drop capability and Outlook synchronization. Marsh & McLennan Companies Marsh & McLennan Companies, Inc. is the premier global professional services firm providing advice and solutions in risk, strategy and human capital. Mercer is a wholly owned subsidiary of Marsh & McLennan Companies. TLS Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network Page 6 of 6 (Last updated 27 April 2017)