Security Architecture


RDX's top priority is to safeguard our customers' sensitive information.

Introduction

RDX understands that our customers have turned over the keys to their sensitive data stores to our organization. This is not a responsibility that RDX takes lightly. RDX's highest priority is to safeguard sensitive customer information. Protecting against unauthorized data access must be an ongoing process. RDX is acutely aware that those individuals desiring to exploit data stored in computer systems for personal gain are constantly changing and improving their data access strategies. The fluid nature of external and internal attacks requires RDX to continuously analyze, review and enhance its security infrastructure blueprint. RDX considers this responsibility to be our number one priority.

RDX Security Controls

RDX's executive management team has committed to maintaining a formal information security and compliance program consisting of the policies, procedures and controls that govern the security of RDX's information technology infrastructure. The security and compliance program is based on industry best practices and includes a framework of controls to protect RDX's systems. RDX has a dedicated IT, Security, Audit and Compliance team, consisting of a manager of information security and senior security analysts, responsible for the management of information security throughout the organization. The team is responsible for developing, maintaining and enforcing RDX's information security policies. The information security policy is reviewed annually by the Manager of IT, Security, Audit and Compliance and the Director of Delivery Operations. The policy is also approved by the executive management team. The IT, Security, Audit and Compliance team monitors for known incidents and patches as well as results from recent vulnerability assessments. The team uses that information to drive changes to RDX's policies and procedures. These changes can include a reclassification of data, a reassessment of risk, changes in incident response plans, and a verification of responsibilities for authorizing and monitoring access. Changes are reviewed and communicated during weekly IT meetings or through system alerts.

SSAE16 SOC 2 Type II Report

For calendar year 2017, RDX recently achieved its seventh SSAE 16 Service Quality Report. Service Organization Controls (SOC) reports are designed to help service organizations that provide information system services to other entities build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. RDX worked with an accredited, third-party SSAE 16 auditing firm to create a set of audit control objectives that best reflect the key service quality indicators that measure our operating effectiveness. The audit control objectives included all activities related to physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management and monitoring, and installation and configuration. The most recent auditor's report was issued in early 2018.

Security Architecture

RDX's network infrastructure has been architected to safeguard against external intrusions. Hardware and software components, including advanced firewall implementations and McAfee's network, server and desktop security packages, are used in conjunction to create a secure network environment.

100% Onshore Support RDX provides.

Tailoring Security to our Customers' Needs

RDX doesn't adhere to a one-size-fits-all strategy for customers. Many of our customers' security procedures, auditing requirements and toolsets have been designed specifically for their shops.
RDX works with each customer to custom tailor connectivity and administrative account security configurations that meet their needs.

RDX Organizational Processes and Procedures

Personnel management is a critical component of any data protection strategy. The key processes in the personnel management lifecycle are employee integration, security training, inter-departmental transfers and termination. RDX utilizes documented Standard Operating Procedures that include line-item management sign-offs and dates for key processes:

Employee Integration

RDX's employee integration workflow begins with the candidate selection and interview process. Standardized and documented procedures are used to generate job postings that highlight required hiring criteria. Once a pool of candidates is selected, a rigorous interview, which includes hands-on testing, is performed to select the most appropriate candidate. After the candidate is selected, an industry-standard background and credit check is performed by a third-party provider before the candidate is hired. The selected candidate is required to sign RDX's security policy documents during the first stage of the employee onboarding process. The new employee is then assigned to a security group that provides them with access to only the information they need.

Administrative and support personnel that do not support customers directly do not have access to any customer information. Only those personnel that support customers directly are able to access information that is contained in the security group.

Security Training

All personnel undergo security training during the employee onboarding process. Employees participate in mandatory security training on a regular basis.

Employee Transfers

RDX's employee transfer policy provides the steps required to transfer an employee from one department to another. Notifications are sent to RDX's Human Resources, Accounting and Security groups to change the transferring employee's security group designation. This ensures that the employee is only able to access information that is contained in their new security group.

learn and fully understand how the chosen vendor's configuration and provisioning services are utilized.

Employee Termination

RDX executes a Standard Operating Procedure that includes line-item sign-off by management for all employees whose relationship with RDX is terminated for any reason. This process includes the immediate termination of all RDX internal accounts. Customers that are contained in the employee's security group are also immediately notified of the employee termination so that they can deactivate connections to their systems.

Data Protection is a Joint Effort

Safeguarding critical data assets requires that customers partner with RDX to create a security strategy that best fits their unique security needs. The Rules of Engagement contained in the RDX contract outline the security guidelines the customer should follow when interacting with RDX. Some of the key provisions are as follows:

- RDX network administrators will work with customers to create secure connections to their systems.
- The customer must define the baseline security standards for outside connectivity that RDX will be required to adhere to.
- RDX will only process changes for customer personnel that are designated as Authorized Change Agents by their respective organizations. These personnel must either have accounts in RDX's ticketing system or have a customer contact entry in RDX's Customer Relationship Management System. Changes will not be performed for any other customer personnel.
- RDX will only process requests originating from its own or the customer's ticketing systems. RDX personnel that perform changes generated by any other means (phone, e-mail) are subject to disciplinary action, including immediate termination.
- RDX will not store any customer data on its internal systems.
- RDX administrative personnel will only access customer database data in the rare case when it is required to validate potentially corrupted data.

RDX Infrastructure Hardening

Intrusion Detection and Prevention Systems

McAfee IPS and IDS are installed on all key servers and constantly monitor network and system activities for malicious activity or policy violations, prevent them from continuing and/or produce reports to a centralized management station.

Security Event Management

RDX utilizes the Splunk log aggregation software to collect log data from all key servers and critical network components (firewalls, etc.). The logs are sent to a centralized log repository for OSSEC analysis and storage. Automated alerting mechanisms are configured to analyze the data and send alerts when necessary.

Automated Security Patching Server

The WSUS automated patching server ensures that all hardware components are kept up to date with the most recent security patches.

Hardened Servers

Servers that store sensitive information are hardened according to industry-standard specifications.

Two Factor Authentication

RDX utilizes Yubico YubiKeys that access a RADIUS authentication server to provide two-factor security. RDX deploys multiple two-factor challenges to personnel that are accessing customer environments. The first two-factor challenge is issued when accessing the RDX network. The second two-factor challenge is issued when the employee logs in to RDX's Secret Server Secure Password Vault. RDX uses the Secret Server Password Vault to store customer connection information and login credentials.

McAfee Endpoint Protection for Business

RDX utilizes McAfee Endpoint Protection for Business to provide anti-virus, anti-malware, anti-spam, website filtering, email protection, application control and removable media restrictions.

Secret Server Secure Password Vault

In order to protect sensitive information, RDX has chosen Secret Server, an industry-leading password vault, as the storage mechanism. Secret Server allows RDX security personnel to control access to critical accounts and passwords in one centralized and encrypted repository. The software provides users with a secure access mechanism to passwords and other privileged information. Secret Server uses Advanced Encryption Standard 256-bit (AES-256, the Rijndael algorithm) for encrypting data in the SQL database. Secret Server hashes and salts local user passwords using a randomly generated salt and the PBKDF2-HMAC-SHA256 hashing algorithm. Secret Server accommodates organizations needing to adhere to FIPS compliance by using FIPS 140-2 compliant algorithms. RDX has implemented Yubico's YubiKey hardware RSA tokens as well as the YubiRADIUS RADIUS server to provide two-factor authentication to the Secret Server Password Vault.

When the Request Access feature is applied, an email is sent to everyone on a list notifying them of the request, which can then be approved or denied by any of the members. Access can be granted for a set time period.

The email notification feature automatically sends notifications to e-mail groups whenever a Secret is viewed, executed or edited. It also allows customers to be notified when RDX personnel access one of their Secrets. RDX utilizes Secret Server's hidden password function to hide passwords from support personnel. If implemented, passwords are only known by the customer and RDX's Security Officer. Support personnel are unable to copy and paste passwords and are only able to use embedded launchers to connect to customer systems. RDX auditing personnel are able to provide customers with auditing reports that show each individual access to their Secrets for the time period specified. The report shows the name of the Secret, its description, the time it was accessed, the user and the user's IP address.