FormFire Application and IT Security


FormFire Application and IT Security White Paper
Last Update: 2015-03-04

Contents
- Overview
- FormFire Corporate Security Policy
- Organizational Security
- Infrastructure and Security Team
- Application Development Team
- Operations/Support Team
- Data Asset Management
- Information Access
- Access Control
- Personnel Security
- Datacenter/Colocation Security
- Infrastructure Security
- Antivirus
- Monitoring
- Vulnerability Management
- Internal Auditing
- External Audits
- Incident Management
- Network Security
- SSL/TLS
- Data Encryption
- Operating System Security
- System Development
- Disaster Recovery and Business Continuity
- Conclusion

Introduction

Security is fundamental to everything we do at FormFire. Therefore, our application, environments and controls are designed from the ground up with security in mind. FormFire is a digital workflow tool that connects employees, employers, brokers, and medical insurance carriers to application, underwriting, and submission data. The sensitive nature of the data collected demands that the utmost importance be placed on the security and integrity of user data. The purpose of this white paper is to demonstrate how FormFire, LLC meets and exceeds its clients' expectations for data security.

Overview

FormFire's security strategy provides controls at multiple levels of data storage, access, and transfer. The strategy includes the following components:
- FormFire corporate security policies
- Organizational security
- Data asset management
- Personnel security
- Datacenter/colocation security
- Infrastructure security
- Systems and software development and maintenance
- Disaster recovery and business continuity

FormFire Corporate Security Policy

FormFire's commitment to security is outlined in our Employee Code of Conduct and an extensive employee handbook, which describes how our employees should perform their given duties. These policies cover a wide array of security-related topics, ranging from general policies on account, data, and physical security to specialized policies covering internal applications and systems that every employee must follow. These security policies are periodically reviewed and updated. Employees receive mandatory yearly training on security topics such as best practices for safety while working remotely and safe Internet usage.

Organizational Security

FormFire's support of its application and its customers comprises multiple groups. Each group has different responsibilities, and all work together to enforce the security policies and procedures FormFire has in place to protect our customers' data.

Infrastructure and Security Team

FormFire has a dedicated Infrastructure and Security Team which develops and oversees all aspects of IT security. This team is responsible for supporting FormFire's infrastructure: the hardware and software that runs our application every day. Members of this team maintain all internal and external systems to the specifications defined in FormFire's security policies. They also play an important role in shaping and developing those policies and their documentation. Some of the specific responsibilities of this team are as follows:
- Conduct reviews of FormFire's design and documentation and update them as needed.
- Provide support to the development and operations teams on security risks associated with projects.
- Monitor the networks, systems, and applications for suspicious activity and possible security threats.
- Engage third-party security experts to conduct periodic security assessments of FormFire's infrastructure and applications.
- Conduct vulnerability management processes to expose potential problem areas on FormFire's network and ensure that any issues are remediated expediently.
- Monitor all FormFire systems continuously to ensure availability and proper functionality.

Application Development Team

The application development team is responsible for spearheading innovation at FormFire by listening to our customers and adapting our application to their needs. This team embeds security practices into its Agile processes to produce the best and most secure software possible. Agile processes usually do not have distinct Software Development Life Cycle (SDLC) phases, which can make traditional approaches to securely releasing software troublesome. However, our Agile workflow allows us to properly define all the requirements and risks of a project and then securely develop, test, and release software. It also lets us fix any vulnerabilities quickly. Some of the specific responsibilities of this team are as follows:
- Collaborate with the Infrastructure and Security team to ensure all designs meet the security standards defined at FormFire.
- Conduct peer and independent code reviews regularly.
- Work with accredited third-party auditors to conduct formal code reviews to ensure the application contains no known security flaws.
- Use an extensive test environment to vet any changes to the application for security as well as functionality.

Operations/Support Team

At FormFire we want to make sure the support we give our customers is highly effective and meets their needs, while at the same time protecting them and their data. All operations staff are trained with the mentality that the security of our customers' data is paramount. FormFire has procedures and policies which define how customer data is to be handled and protected while we support our customers. As the Operations/Support staff are our front line, they interface daily with the Infrastructure and Security team as well as the Application Development team to ensure any potential problems or threats are documented and assigned to the appropriate individuals to be handled.

Data Asset Management

FormFire's data assets, which comprise customer and end-user assets as well as corporate data assets, are managed under our security policies and procedures. In addition to specific controls on how data is handled and defined, all FormFire personnel interacting with data assets are thoroughly trained and required to follow those policies and procedures.

Information Access

FormFire has controls and practices in place to protect the security of our customers' information. FormFire's application runs in a distributed environment specifically designed for redundancy and reliability.
FormFire's customer data, as well as FormFire's own data, is distributed across a shared infrastructure composed of many homogeneous machines located in multiple geo-redundant data centers. Our customers' information is stored in different locations throughout the application, and each time one of the application layers or services needs to access this data it must present the appropriate authentication. Some of the technology that brokers this authorization includes Secure Sockets Layer (SSL) certificates for specific FormFire servers as well as directory service permissions defined for different parts of the application layer.

All administrative access to the production environment is strictly controlled, and any changes that need to be made must go through a clearly defined change management process with multiple levels of approval. All changes are also peer reviewed to ensure that no potential compromises are introduced into the production environment. All changes to the production environment are logged to ensure a complete audit trail.

FormFire does not allow public access of any sort. Every user must log in using his or her private credentials. Failed attempts are logged, and multiple failures result in the account being locked until the user's identity can be verified by a FormFire staff member. Every FormFire account belongs to the individual. Only authorized FormFire users have access to view or modify an individual's data. Authorized users include only FormFire administrative users who must have access to an individual's data for the purpose of aiding the individual to apply for, or maintain, their medical insurance coverage or another expressed purpose.

All activity within FormFire is logged. From the time a user logs in to the time they log out, every action and page viewed is logged and stamped with the time and Internet Protocol (IP) address. Every error encountered in FormFire is logged and analyzed for suspect activity. Should such activity be detected, the user's account is locked and they are contacted directly.

Every modification to data stored within FormFire is stored as a revision; this is referred to as Data Revision Tracking (DRT). Should there ever be a dispute about the integrity of data, the DRT logs can construct a complete picture of how the data was modified, when it was modified, and who made the modification.
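The Data Revision Tracking described above, as an added illustration that is not FormFire's code: every change to a record is appended as an immutable revision stamped with the acting user, time and IP address, the current state is rebuilt by replaying revisions, and an auditor can ask who changed a field and when. The hash chain that detects altered or dropped revisions goes beyond what the white paper states, and the class names, field names and sample applicant history are constructed for the example.

```python
"""Added example, not FormFire's code: a minimal Data Revision Tracking (DRT) store.
Each modification is an immutable, stamped revision; state is rebuilt by replay.
The hash chain is an addition beyond the white paper; all names and sample
data are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

GENESIS = "0" * 64  # prev_hash of the first revision in every record's chain

@dataclass(frozen=True)
class Revision:
    seq: int                 # 1-based position in the record's history
    actor: str               # user ID that made the change
    ip: str                  # client IP address stamped on the change
    at: str                  # UTC timestamp, ISO 8601
    changes: dict[str, Any]  # field -> new value (None means the field was removed)
    prev_hash: str           # digest of the previous revision (chain integrity)
    digest: str              # SHA-256 over this revision's content and prev_hash

def _digest(body: dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DrtStore:
    """Append-only revision log keyed by record id; revisions are never edited."""

    def __init__(self) -> None:
        self._log: dict[str, list[Revision]] = {}

    def record_change(self, record_id: str, actor: str, ip: str,
                      changes: dict[str, Any], at: str | None = None) -> Revision:
        history = self._log.setdefault(record_id, [])
        body = {"seq": len(history) + 1, "actor": actor, "ip": ip,
                "at": at or datetime.now(timezone.utc).isoformat(),
                "changes": changes,
                "prev_hash": history[-1].digest if history else GENESIS}
        rev = Revision(**body, digest=_digest(body))
        history.append(rev)
        return rev

    def state(self, record_id: str, as_of_seq: int | None = None) -> dict[str, Any]:
        """Replay revisions (optionally only up to as_of_seq) into the record's state."""
        state: dict[str, Any] = {}
        for rev in self._log.get(record_id, []):
            if as_of_seq is not None and rev.seq > as_of_seq:
                break
            for name, value in rev.changes.items():
                if value is None:
                    state.pop(name, None)
                else:
                    state[name] = value
        return state

    def history_of(self, record_id: str, name: str) -> list[tuple[int, str, str, Any]]:
        """Who changed one field, when, and to what: (seq, actor, at, new_value)."""
        return [(r.seq, r.actor, r.at, r.changes[name])
                for r in self._log.get(record_id, []) if name in r.changes]

    def verify_chain(self, record_id: str) -> bool:
        """Recompute every digest; an altered, reordered or dropped revision fails."""
        prev = GENESIS
        for rev in self._log.get(record_id, []):
            body = {"seq": rev.seq, "actor": rev.actor, "ip": rev.ip, "at": rev.at,
                    "changes": rev.changes, "prev_hash": rev.prev_hash}
            if rev.prev_hash != prev or _digest(body) != rev.digest:
                return False
            prev = rev.digest
        return True

def demo() -> DrtStore:
    """Constructed sample history for one applicant record (not real data)."""
    store = DrtStore()
    store.record_change("app-1001", "applicant.jane", "198.51.100.7",
                        {"dob": "1980-04-02", "zip": "44114"}, at="2015-03-01T14:02:11+00:00")
    store.record_change("app-1001", "broker.smith", "203.0.113.20",
                        {"zip": "44113"}, at="2015-03-02T09:15:40+00:00")
    store.record_change("app-1001", "ff.admin.lee", "192.0.2.9",
                        {"dob": "1980-04-20", "zip": None}, at="2015-03-03T17:48:03+00:00")
    return store
```

Calling demo().state("app-1001", as_of_seq=2) shows the record as the broker left it, and history_of("app-1001", "zip") lists the three actors who touched that field in order.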
Access Control

FormFire implements a number of authentication and authorization controls that are designed to protect against unauthorized access. FormFire requires the use of a unique User ID for each employee. This account is used to identify each person's activity on FormFire's network, including any access to employee or customer data outside of our application. Upon hire, an employee is assigned the User ID and is granted a default set of privileges. At the end of a person's employment, their account's access to FormFire's network is disabled. FormFire also has a password policy in place that outlines and immediately enforces password expiration, restrictions on password reuse, and sufficient password strength. FormFire also requires two-factor authentication at multiple points of entry for our employees to access the application and our customers' information.

Access rights and levels are based on an employee's job function and role, using the concepts of least privilege and need-to-know to match access privileges to responsibilities. FormFire employees are granted only a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves the management team. Approvals are tracked in a change management system to ensure auditability and consistency in any request for access to our customers' information.

Personnel Security

FormFire employees are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. FormFire will verify an individual's education and previous employment, and perform internal and external reference checks. FormFire also conducts criminal, credit, and security checks. The extent of background checks depends on the desired position. Upon acceptance of employment at FormFire, all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with the policies in FormFire's Employee Handbook. The confidentiality and privacy of customer information and data is emphasized in the handbook and during new employee orientation training. Employees are provided with security training as part of new hire orientation. In addition, each FormFire employee is required to read, understand, and take a training course on the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA compliance. This training is also conducted on a yearly basis along with information security training. Depending on an employee's job role, additional security training and policies may apply.
FormFire employees handling customer data are required to complete training that outlines the appropriate use of data in conjunction with business processes as well as the consequences of violations. Every FormFire employee is responsible for communicating security and privacy issues to designated management staff.

Datacenter/Colocation Security

FormFire's colocation data centers are housed with a best-in-class provider which operates at the highest level of service and reliability in the industry. FormFire has multiple data centers in different geographical areas. All data center facilities are interconnected with a private 10 Gbps network, which includes access to almost every major ISP available. They also have 24x7x365 on-site monitoring and secure access, multiple man-traps, a security system with card entry and biometric scanning, and cameras with motion detection and recording. Predictive monitoring identifies problems before service is impacted. Redundant electric utility power feeds and 4 auto-cutover diesel generators ensure complete power redundancy of all network services. Each facility includes multiple cooling systems, a 24-inch raised floor and advanced fire suppression. The provider also operates reliable data centers that comply with a variety of industry and government mandates including HIPAA, PCI DSS, and SOX, supported by third-party SSAE 16/SOC attestation reports.

Infrastructure Security

Antivirus

Malware presents a serious risk to security in today's IT environments. FormFire employs the latest antivirus technologies to constantly scan our network and servers for suspicious files or malware. We also have antivirus built into our application stack, which scans any file uploaded or generated by the system for malicious payloads.

Monitoring

FormFire's security monitoring program analyzes information gathered from internal network traffic, employee actions on systems, and outside knowledge of vulnerabilities. Internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate malicious activity or a security incident. FormFire uses a combination of open source and commercial tools for traffic capture and parsing. All servers and application layers are also monitored to ensure our application is functioning properly for our customers.

Vulnerability Management

FormFire has a dedicated process for scanning our infrastructure for security threats. Some of these processes are automated and others require manual processing. At FormFire we believe some of these processes are important enough to have an engineer in front of the screen following the process to its completion and making sure we are thoroughly scanning our environments. The Infrastructure and Security team is responsible for identifying and mitigating vulnerabilities that are discovered. Once a vulnerability has been identified, it is logged and prioritized according to its severity. The issue is then tracked until remediation is verified.

Internal Auditing

FormFire uses a variety of products to automate daily penetration testing and basic security audits. This ensures that any potential security breach is found and corrected immediately. FormFire staff members regularly audit the system to ensure functionality and the overall security of the system as outlined in this white paper.

External Audits

FormFire contracts with third-party security experts to perform in-depth security audits at least once per year.

Incident Management

FormFire has an incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation.

Network Security

FormFire has instituted a defense-in-depth approach to network security; this includes industry best practices with regard to firewall implementation, network segmentation, and system configuration. The practice includes the following items:
- Use of industry-standard firewall and ACL technology to segregate the network perimeter and internal networks.
- Management of network firewall and ACL rules through a predefined change management and verification process.
- Restriction of access to the production environment to authorized accounts and individuals, making only changes that have followed the approval process.
- Correlation and examination of log data for suspicious activity or exploitation, with alerts to the appropriate individuals upon the discovery of such events.
- Application servers are configured to process only HTTP and HTTPS requests. All other Internet protocols are disabled.
- Non-essential ports and services have been disabled.
- A blended implementation of host-based and network-based intrusion detection systems.

SSL/TLS

All communication between FormFire servers and client computers is conducted using Secure Sockets Layer (SSL) encryption. SSL technology has become the de facto standard for secure communication on the Internet by encrypting data so that unauthorized parties cannot read or modify it during transmission. SSL also uses a digital certificate to verify the identity of entities on the Internet before a user's browser will accept the certificate for encrypting traffic. FormFire uses an Extended Validation SSL Certificate, which is only issued according to specific verification guidelines defined by a consortium of Certificate Authorities (the EV SSL Certificate Guidelines). In addition to encryption, files sent to authorized third-party business associates are password protected and digitally signed. FormFire has developed a proprietary system for collecting human-generated and legally binding electronic signatures. Tamper-proof digital signatures are also applied to all pieces of data sent from FormFire. A complete description of this technology is available in FormFire's eSignature White Paper.

Data Encryption

At FormFire, not only is our customers' data encrypted while in transit, it is also encrypted while at rest. Data at rest is an information technology term referring to inactive data which is stored physically in any digital form. Whether this inactive information is stored in our database or in our proprietary file system, it is encrypted with only the strongest ciphers, ensuring that our customers' data is safe even when not in use.

Operating System Security

All FormFire servers are built on a standard operating system and deployed with a standard configuration. This includes systems deployed in the extensive testing environment that FormFire's application development team uses to test all code that will be released to production. All changes to servers or infrastructure follow a process for registering, approving, and tracking changes that could impact these systems. This helps reduce the risk of accidental or unauthorized changes to the production environment.

System Development

FormFire was designed from the ground up to be the most private and secure system possible. Every modification or enhancement to the system must adhere to FormFire's standard of application security, and each modification is tested to ensure compliance. Some of the key components of our Agile software development process are:
- Highly detailed design documentation is a prerequisite of the security design process. This allows our teams to outline any potential problems or security issues that might arise from the addition of features to our application.
- Our developers are educated with respect to applicable vulnerability patterns and their avoidance.
- A peer-review-based development culture that emphasizes the creation of high-quality code supports a secure code base.
- Adherence to FormFire's coding standards policy.
- Paired coding sessions expand the sphere of knowledge of all developers on our team. This broader knowledge increases the potential for individuals to recognize possible security flaws across the code base. Increased awareness of other parts of the system can also contribute to a better overall system design.

FormFire's objective when developing our application is the quality, robustness, and maintainability of the code that we deploy for our customers to use. FormFire's key development staff are all degreed software engineers, each with expertise and experience relating to specific areas of the system as well as security fundamentals. All staff members understand the importance of maintaining a highly secure environment.

Disaster Recovery and Business Continuity

Next to security, availability is of paramount importance to FormFire. To that end, all vital FormFire systems are fully redundant, eliminating any single point of failure. FormFire operates geographically distributed data centers that are designed to maintain service continuity in the event of a disaster. FormFire data is replicated to multiple systems within the same data center and also replicated to other data center locations. High-speed connections between the data centers facilitate swift failover of the application in the event of a problem.

FormFire servers are load-balanced and designed so that if one server fails, the backup will take over automatically and without downtime. All servers use RAID (Redundant Array of Independent Disks) for storage. Power systems are fully redundant, including multiple external power sources, UPSs (uninterruptible power supplies), and four 750 kilowatt generators. These power systems are also tested regularly. Front-end routers are fed by multiple external gigabit connections and are configured in a high-availability cluster.

Backups of all customer information are performed routinely to ensure recoverability in case of catastrophic failure. SQL transaction logs are encrypted, backed up every 15 minutes, and replicated offsite in real time. Full backups are performed daily, encrypted, and replicated offsite in real time. To comply with federal regulations, employee data is retained for a minimum of two years of inactivity, while electronic signatures and accompanying data are stored for seven years. Only authorized personnel handle backups. All restore requests must follow a predefined procedure and approval process.

Conclusion

The security and privacy of data is FormFire's number one concern. We have established a very specific set of protocols and policies to ensure customers' information is protected and available. As threats to web-based applications grow, FormFire is committed to remaining the safest place to store and transact personal and private information.

FormFire 2015