Security Architecture

RDX's top priority is to safeguard our customers' sensitive information.

Introduction

RDX understands that our customers have turned over the keys to their sensitive data stores to our organization. This is not a responsibility that RDX takes lightly; safeguarding sensitive customer information is RDX's highest priority. Protecting against unauthorized data access must be an ongoing process. RDX is acutely aware that the individuals who seek to exploit data stored in computer systems for personal gain are constantly changing and improving their methods. The fluid nature of external and internal attacks requires RDX to continuously analyze, review and enhance its security infrastructure blueprint.

RDX Security Controls

RDX's executive management team has committed to maintaining a formal information security and compliance program consisting of the policies, procedures and controls that govern the security of RDX's information technology infrastructure. The program is based on industry best practices and includes a framework of controls to protect RDX's systems.

RDX has a dedicated IT, Security, Audit and Compliance team, consisting of a manager of information security and senior security analysts, that is responsible for managing information security throughout the organization. The team develops, maintains and enforces RDX's information security policies. The information security policy is reviewed annually by the Manager of IT, Security, Audit and Compliance and the Director of Delivery Operations, and is approved by the executive management team.

The IT, Security, Audit and Compliance team monitors for known incidents and patches as well as results from recent vulnerability assessments, and uses that information to drive changes to RDX's policies and procedures. These changes can include a reclassification of data, a reassessment of risk, changes to incident response plans, and a verification of responsibilities for authorizing and monitoring access. Changes are reviewed and communicated during weekly IT meetings or through system alerts.

SSAE 16 SOC 2 Type II Report

For calendar year 2017, RDX achieved its seventh SSAE 16 report. Service Organization Controls (SOC) reports are designed to help service organizations that provide information system services to other entities build trust and confidence in their service delivery processes and controls through a report issued by an independent Certified Public Accountant. RDX worked with an accredited third-party SSAE 16 auditing firm to create a set of audit control objectives that reflect the key service quality indicators measuring our operating effectiveness. The control objectives cover physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management and monitoring, and installation and configuration. The most recent auditor's report was issued in early 2018. Customers evaluating the report should confirm that the control objectives and the audit period cover the services they actually consume.

Security Architecture

RDX's network infrastructure has been architected to safeguard against external intrusions. Hardware and software components, including advanced firewall implementations and McAfee's network, server and desktop security packages, are used in conjunction to create a secure network environment.

100% Onshore Support

RDX provides.

Tailoring Security to our Customers' Needs

RDX does not follow a one-size-fits-all strategy for customers. Many of our customers' security procedures, auditing requirements and toolsets have been designed specifically for their shops.
RDX works with each customer to tailor connectivity and administrative account security configurations to their needs.

RDX Organizational Processes and Procedures

Personnel management is a critical component of any data protection strategy. The key processes in the personnel management lifecycle are employee integration, security training, inter-departmental transfers and termination. RDX uses documented Standard Operating Procedures that include line-item management sign-offs and dates for each of these key processes.

Employee Integration

RDX's employee integration workflow begins with the candidate selection and interview process. Standardized, documented procedures are used to generate job postings that state the required hiring criteria. Once a pool of candidates is selected, a rigorous interview that includes hands-on testing is performed to select the most appropriate candidate. After the candidate is selected, an industry-standard background and credit check is performed by a third-party provider before the candidate is hired. The selected candidate is required to sign RDX's security policy documents during the first stage of onboarding. The new employee is then assigned to a security group that grants access only to the information they need.

Administrative and support personnel who do not support customers directly have no access to customer information. Only personnel who support customers directly are able to access the information contained in the security group.

Security Training

All personnel undergo security training during onboarding, and participate in mandatory security training on a regular basis thereafter.

Employee Transfers

RDX's employee transfer policy defines the steps required to transfer an employee from one department to another. Notifications are sent to RDX's Human Resources, Accounting and Security groups to change the transferring employee's security group designation, which ensures that the employee is only able to access information in their new security group.

Employee Termination

RDX executes a Standard Operating Procedure that includes line-item sign-off by management for all employees whose relationship with RDX is terminated for any reason. This process includes the immediate termination of all RDX internal accounts. Customers in the terminated employee's security group are also notified immediately so that they can deactivate the employee's connections to their systems. Because those connections terminate in the customer's environment, the customer-side deactivation is what finally closes the access path, so the notification should be acted on promptly by both parties.

Data Protection is a Joint Effort

Safeguarding critical data assets requires that customers partner with RDX to create a security strategy that fits their unique security needs. The Rules of Engagement in the RDX contract outline the security guidelines customers should follow when interacting with RDX. Some of the key provisions are:

- RDX network administrators will work with customers to create secure connections to their systems.
- The customer must define the baseline security standards for outside connectivity that RDX will be required to adhere to.
- RDX will only process changes for customer personnel designated as Authorized Change Agents by their respective organizations. These personnel must either have accounts in RDX's ticketing system or have a customer contact entry in RDX's Customer Relationship Management system. Changes will not be performed for any other customer personnel.
- RDX will only process requests originating from its own or the customer's ticketing system. RDX personnel who perform changes requested by any other means (phone, e-mail) are subject to disciplinary action, up to and including immediate termination.
- RDX will not store any customer data on its internal systems.
- RDX administrative personnel will only access customer database data in the rare case when it is required to validate potentially corrupted data.

RDX Infrastructure Hardening

The secure network environment described above is built from the following components.
Intrusion Detection and Prevention Systems

McAfee IPS and IDS are installed on all key servers and constantly monitor network and system activity for malicious actions or policy violations, blocking them from continuing and/or reporting them to a centralized management station.

Security Event Management

RDX uses Splunk log aggregation software to collect log data from all key servers and critical network components (firewalls, etc.). The logs are sent to a centralized log repository for OSSEC analysis and storage. Automated alerting mechanisms analyze the data and send alerts when necessary.

Automated Security Patching Server

A WSUS (Windows Server Update Services) server ensures that Windows servers and workstations are kept up to date with the most recent Microsoft security patches. WSUS distributes Microsoft updates only, so firmware and third-party software need their own patching path.

Hardened Servers

Servers that store sensitive information are hardened according to industry-standard specifications.

Two-Factor Authentication

RDX uses Yubico YubiKeys validated by a RADIUS authentication server to provide two-factor security. RDX issues multiple two-factor challenges to personnel accessing customer environments: the first when accessing the RDX network, the second when the employee logs in to RDX's Secret Server secure password vault. RDX uses the Secret Server password vault to store customer connection information and login credentials.

McAfee Endpoint Protection for Business

RDX uses McAfee Endpoint Protection for Business to provide anti-virus, anti-malware, anti-spam, website filtering, email protection, application control and removable media restrictions.

Secret Server Secure Password Vault

To protect sensitive information, RDX has chosen Secret Server, an industry-leading password vault, as the storage mechanism. Secret Server allows RDX security personnel to control access to critical accounts and passwords in one centralized, encrypted repository.
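The Security Event Management passage above describes collecting server and firewall logs into a central repository and alerting on them automatically. The following is an added example, not code from RDX, Splunk or OSSEC, of what a central correlation rule adds over a host-local one: the sample syslog-style lines, host names (db01, db02, fw01), addresses (TEST-NET ranges), threshold and window are all constructed for this illustration. Two failed logins per host would not trip a per-host threshold of four, but the same source address seen across both hosts does, and the firewall deny from that address is pulled in as context.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real RDX logs): sshd failures on two database hosts
# plus one firewall deny, all from the same external address 203.0.113.7.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:04Z db01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:09Z db02 sshd[1187]: Failed password for oracle from 203.0.113.7 port 51030 ssh2
2024-05-01T10:00:12Z fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=1521
2024-05-01T10:00:15Z db02 sshd[1187]: Failed password for oracle from 203.0.113.7 port 51031 ssh2
2024-05-01T10:00:20Z db01 sshd[2209]: Accepted publickey for dba from 10.0.0.42 port 40000 ssh2
2024-05-01T10:30:00Z db02 sshd[1300]: Failed password for oracle from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FW_DENY_RE = re.compile(r"DENY .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")


def parse(line):
    """Normalize one raw line into a flat event dict, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "msg": m["msg"]}
    if sf := SSH_FAIL_RE.search(ev["msg"]):
        ev.update(type="auth_failure", user=sf["user"], src=sf["src"])
    elif fd := FW_DENY_RE.search(ev["msg"]):
        ev.update(type="fw_deny", src=fd["src"], dst=fd["dst"], dport=int(fd["dport"]))
    else:
        ev["type"] = "other"
    return ev


def parse_all(text):
    return [ev for ev in (parse(line) for line in text.splitlines()) if ev]


def brute_force_alerts(events, threshold=4, window=timedelta(minutes=5)):
    """Sliding-window correlation: alert once per source IP when `threshold`
    authentication failures land within `window`, counted across every host."""
    by_src = defaultdict(list)
    alerts = []
    failures = sorted((e for e in events if e["type"] == "auth_failure"), key=lambda e: e["ts"])
    for ev in failures:
        q = by_src[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) == threshold:                        # fire exactly once as the threshold is crossed
            alerts.append({
                "src": ev["src"],
                "hosts": sorted({e["host"] for e in q}),
                "users": sorted({e["user"] for e in q}),
                "last_seen": ev["ts"],
            })
    return alerts


def fw_denies_from(events, src):
    """Firewall denies from the same source, useful as alert context."""
    return [e for e in events if e["type"] == "fw_deny" and e["src"] == src]


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    for a in brute_force_alerts(evs):
        print("ALERT brute force from", a["src"], "against", a["hosts"], "users", a["users"])
        print("  related firewall denies:", [(e["host"], e["dport"]) for e in fw_denies_from(evs, a["src"])])
```

The rule fires once per source as the threshold is crossed rather than on every subsequent failure, which keeps the alert volume proportional to incidents rather than to attempts; the single failure from 198.51.100.9 half an hour later is left alone.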
Secret Server provides users with a secure access mechanism to passwords and other privileged information. Secret Server encrypts the data in its SQL database with AES-256 (the Rijndael algorithm standardized as the Advanced Encryption Standard, used with a 256-bit key). It hashes local user passwords with PBKDF2-HMAC-SHA256 using a randomly generated salt. Secret Server accommodates organizations that must meet FIPS requirements by using FIPS 140-2 compliant algorithms. RDX has implemented Yubico's YubiKey hardware tokens together with the YubiRADIUS server to provide two-factor authentication to the Secret Server password vault. When the Request Access feature is applied, an email is sent to everyone on a list notifying them of the request, which can then be approved or denied by any of the members. Access can be granted for a set time period.
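To make the password-hashing statement above concrete, here is an added example of the technique, written for this page and not taken from Secret Server. It shows what a random per-user salt with PBKDF2-HMAC-SHA256 buys: two users with the same password get different stored records, verification recomputes the hash from the stored salt and compares it in constant time, and the iteration count travels with the record so it can be raised later without a migration. The record format, iteration count and lengths are this example's choices; the page does not give Secret Server's values.

```python
import hashlib
import hmac
import os

# Parameters are this example's choices, not Secret Server's documented settings.
ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 cost in line with current OWASP guidance
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
    A fresh random salt is drawn per call, so equal passwords yield distinct records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time,
    so the comparison does not leak where the two hashes diverge. Malformed records fail closed."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record was produced with a lower cost than current policy.
    Call after a successful login and store hash_password(password) again if it returns True."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations
```

Both the salt and the hash are derived with primitives that a FIPS 140-2 validated module provides (HMAC-SHA256 inside PBKDF2), which is the sense in which a vault can stay within a FIPS algorithm set while still using per-user salting.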
Secret Server's email notification feature automatically notifies e-mail groups whenever a Secret is viewed, executed or edited. It also allows customers to be notified when RDX personnel access one of their Secrets. RDX uses Secret Server's hidden password function to hide passwords from support personnel. Where it is implemented, passwords are known only to the customer and RDX's Security Officer; support personnel cannot copy and paste passwords and can only connect to customer systems through embedded launchers. The launcher still supplies the credential to the session it starts on the engineer's workstation, which is one reason the endpoint protection and removable media controls described above matter. RDX auditing personnel can provide customers with audit reports showing each individual access to their Secrets for a specified time period. The report shows the name of the Secret, its description, the time it was accessed, the user and the user's IP address.