Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Table of Contents

What is Connect?... 2
Physical Access Controls... 2
User Access Controls... 3
Systems Architecture... 4
Application Development... 5
Business Continuity Management... 5
Other Operational Management Controls... 5
Legal and Regulatory Compliance... 5
Terminology... 6

Security Overview of the Connect Application

This data sheet summarises the security controls for the Marsh & McLennan Companies Connect Application. The content of this document is confidential and is not to be released without a covering non-disclosure agreement. The data sheet should not be used after 31 July 2018.

What is Connect?

Connect (referred to as an 'extranet') is our global web-based tool which provides a central, easily accessible repository for information relating to the client and the work we do for them over time. It has been designed to facilitate project management and encourage relationship building through enhanced communication and collaboration with individual clients on a one-to-one basis. Connect is used by internal Marsh & McLennan Companies staff as well as external clients, and is owned by Mercer Services.

The Connect application is built on eroom application software that is purchased from EMC. The eroom software is internally branded as Connect. The Connect application runs on HP hardware platforms with the Microsoft Windows 2008 Operating System. The front-end Web server hosts the Connect application and the back-end database server hosts Microsoft SQL Server 2008 and supporting databases. All server hardware is currently located in the Dallas, TX Data Center.

The Connect application can be used by Marsh & McLennan Companies and external clients to host almost any type of data. The data can be stored in the form of files posted to the site or in Connect objects such as databases, calendars, etc. All data posted to Connect sites is posted at the data owner's discretion. The data can include personally identifiable information or sensitive financial or business information. Data is primarily posted to the Connect site via the Web-based interface. The eroom plug-in can also be installed for enhanced functionality. Data stored on the Connect File Store and the SQL databases is encrypted at rest.

In addition to providing enhanced Connect functionality, the eroom Plug-in also provides enhanced security features. The Plug-in provides basic encryption, which is augmented by the use of TLS v1.2 via a secure URL, so that the transmission of data to and from the Connect site is encrypted. Once a user is authenticated to the Connect Server, a random session ID is generated to serve as a secure key for the duration of the session. A Connect session remains in place until 30 minutes of inactivity have elapsed or the browser session is closed. When 30 minutes of inactivity are reached, the user will be prompted to re-enter their password before proceeding.

Mercer's parent company, Marsh & McLennan Companies, has established information security internal controls designed to protect the confidentiality, integrity and availability of clients' information. The security controls are outlined in the following sections of this document. Further information can be found in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Client/Relationship Manager.

Physical Access Controls

The Connect application, including client data, is hosted in the Marsh & McLennan Companies regional data centre located in Dallas, Texas.

Marsh & McLennan Companies Data Centre security uses multi-layered security controls. These include a secure, fenced perimeter and CCTV outside and inside the centre. CCTV images are monitored and recorded. Entry to both data centres and office buildings is controlled via security access cards for Marsh & McLennan Companies staff and formal access control systems for recording and controlling visitor access. Equipment raised-floor areas have additional access controls, which include biometric security in some cases. Network security is managed by Marsh & McLennan Companies. More information can be found in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager.

User Access Controls

User Authentication & Site Access

All Connect participants are assigned their own unique user name and password, and are asked not to share this information. When the eroom Plug-in is installed, the user name and password are encrypted before being sent to the Connect Server. Once the Server has authenticated the user, a Connect site Session ID is created and passed to the Browser. (Note: when using only the Browser interface, the user name and password are also encrypted by the eroom session. Use of the eroom plug-in is the recommended practice.)

User accounts for a Connect site are managed by the Site Coordinator or a member of the Connect Administration Team. Coordinators notify members via email invitation when they are added to a site. For non-Mercer members only, password policies are in place to force a password reset upon initial login. Passwords expire every three months, the minimum password length is eight characters and complex passwords are required. Mercer members authenticate to Connect via their Network (Active Directory) credentials. These passwords cannot be accessed or reset by the Connect Administration Team. Both Network and Connect passwords are structured according to corporate password standards (length, complexity, enforced change, and prevention of re-use). Formal processes are used to control requests for system access.

For non-Mercer members, Connect sites provide a Password Recovery utility. All Connect login pages have a "Forget your password?" link. When the link is selected, the user is prompted to enter the email address they used to register with the site and click the OK button. The user is then sent an email message containing a URL link to a Connect page where the user is prompted for the answer to the security question they chose when they first accessed a Connect site; the user then creates a new password, which allows them to access the system again. In the event that automatic password recovery is not possible, members should first escalate the issue to their Site Coordinator. If the Site Coordinator cannot resolve the issue, it can then be escalated to the Connect Administration team.

Member accounts are periodically reviewed and updated by Site Coordinators and the Connect Administration team. Mercer accounts, which are populated via Active Directory, are automatically removed from Connect sites when the corresponding account is removed from Active Directory. Non-Mercer accounts must be removed by the Site Coordinator in the individual Connect site, or by the Connect Team from all Connect sites.

Access to Connect requires an approved Internet browser and a valid login name and password. Access to all sites requires a secure TLS v1.2 URL (https://). All Connect sites have a unique URL, but all sites can also be accessed using a single portal URL.

Connect sites also provide a logout feature. A logout button is visible in the upper-right navigation. When the logout button is clicked, all temporary files and eroom plug-in settings are removed. Upon subsequent logins, the user will again be asked if they wish to use the eroom plug-in.

Upon successful authentication to a Connect site, the eroom server generates a random session ID that serves as a secure key for the duration of the session. As long as activity takes place on the Connect site, the session remains active. If there is no activity on the Connect site for a period of 30 minutes, the session automatically expires and it is necessary to authenticate to the site again. All session information between the user's computer and the server is destroyed when the browser window is closed.

Access Control

The Connect client and/or Marsh & McLennan Companies can limit access to a Connect site to only selected team members. Once a user is successfully authenticated into a Connect site, Access Control can also be used to control or limit access to individual items on the site. Access Control is fully implemented at the site level. Even in the unlikely event that a client user account is compromised or the server is being spoofed, the server will enforce access: no matter which user is talking to the server, that user will only be able to access or modify information to which the specific logged-in user has rights, because the server never allows any operation that the user does not have rights to perform. Access Control schemas are the responsibility of the site owners and coordinators. The default access control for any given item rests with the item's creator. Careful consideration should be given when determining access control levels, as there are potential ramifications for site access.

The Account Locking feature locks user accounts following multiple failed login attempts. Accounts are locked after five failed login attempts within a ten-minute time span. Accounts can be manually unlocked by an Administrator. Accounts are also locked after three failed attempts to recover a forgotten password. For more information, please refer to the section IT and Information Security in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager.

Systems Architecture

The Marsh & McLennan Companies Connect environment consists of one physical File Store Server, three virtual Web Servers and three Application Index servers, which provide the services necessary to support Connect, and an MS SQL Database Server supporting the Connect database features. Version 7 servers reside on HP hardware running the Microsoft Windows 2008 Operating System. The front-end Web servers host the Connect application and the back-end database server hosts Microsoft SQL Server 2008 and supporting databases. All server hardware is currently located in the Dallas, TX Data Center. The HP hardware is equipped with redundant power supplies, redundant network interface cards and RAID storage devices. Each server is located in the Dallas Data Center and supported 24 X 7 by Marsh & McLennan Companies Global Technology Infrastructure (MGTI).
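As an added illustration (not code from the Connect product, eroom, or Marsh & McLennan Companies), the following Python models the lockout and session-expiry rules stated in the Access Control section above: five failed logins within a sliding ten-minute window or three failed password-recovery attempts lock the account until an administrator unlocks it, and a session expires after 30 minutes without activity. The class and method names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Policy values are taken from the data sheet; names are assumptions.
LOGIN_FAILURE_LIMIT = 5          # failed logins ...
LOGIN_FAILURE_WINDOW = 10 * 60   # ... within this many seconds lock the account
RECOVERY_FAILURE_LIMIT = 3       # failed recovery attempts that lock the account
SESSION_IDLE_TIMEOUT = 30 * 60   # seconds of inactivity before a session expires


@dataclass
class Account:
    username: str
    locked: bool = False
    failed_logins: list = field(default_factory=list)  # timestamps (seconds)
    failed_recoveries: int = 0


class AccountLockPolicy:
    """Tracks failed attempts per account and applies the lockout rules."""

    def __init__(self):
        self.accounts = {}

    def account(self, username):
        return self.accounts.setdefault(username, Account(username))

    def record_login_failure(self, username, now):
        """Record a failed login at time `now`; return True if the account is locked."""
        acct = self.account(username)
        # Drop failures that fall outside the sliding ten-minute window.
        acct.failed_logins = [t for t in acct.failed_logins
                              if now - t < LOGIN_FAILURE_WINDOW]
        acct.failed_logins.append(now)
        if len(acct.failed_logins) >= LOGIN_FAILURE_LIMIT:
            acct.locked = True
        return acct.locked

    def record_login_success(self, username):
        """A correct password does not unlock a locked account; return True if allowed."""
        acct = self.account(username)
        if acct.locked:
            return False
        acct.failed_logins.clear()
        return True

    def record_recovery_failure(self, username):
        """Record a wrong security-question answer; return True if the account is locked."""
        acct = self.account(username)
        acct.failed_recoveries += 1
        if acct.failed_recoveries >= RECOVERY_FAILURE_LIMIT:
            acct.locked = True
        return acct.locked

    def admin_unlock(self, username):
        """Only an administrator clears the lock and the failure counters."""
        acct = self.account(username)
        acct.locked = False
        acct.failed_logins.clear()
        acct.failed_recoveries = 0


class Session:
    """A session that expires after SESSION_IDLE_TIMEOUT seconds of inactivity."""

    def __init__(self, started_at):
        self.last_activity = started_at
        self.expired = False

    def touch(self, now):
        """Record activity at `now`; return False (and stay expired) once idle too long."""
        if self.expired or now - self.last_activity >= SESSION_IDLE_TIMEOUT:
            self.expired = True
            return False
        self.last_activity = now
        return True
```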

Connect is a Windows application for use within Marsh & McLennan Companies. It is available via Internet-connected computers with an approved Internet browser. Marsh & McLennan Companies protects its internal infrastructure through the use of multiple redundant firewalls and anti-virus on all PCs, Windows servers and email gateways, with daily signature updates. Servers hosting the Connect application are managed by Marsh & McLennan Companies and are updated and patched in line with vendor recommendations. New infrastructure is configured using Marsh & McLennan Companies standard OS builds for desktop and server environments.

Application Development

The Connect application is based on software (eroom) that has been purchased by Mercer from EMC. As a result, Mercer does not perform application development for the eroom software. The eroom product does have an API (Application Program Interface) that can be used to enhance and customise the eroom product. Some customisations have been made to reflect Marsh & McLennan Companies internal branding and to present Marsh & McLennan Companies specific verbiage on site pages. All application updates are approved by a management steering committee. Changes to the live production environment are managed by Mercer's formal change control procedure.

Business Continuity Management

Every Marsh & McLennan Companies office is required to develop and maintain a Business Continuity Plan to ensure continued availability of essential client services. For more information, please refer to the section Business Resilience and Disaster Recovery in the document titled Summary of Marsh & McLennan Companies Information Security Practices. If you do not have access to this document, please contact your Marsh & McLennan Companies Client/Relationship Manager.

Other Operational Management Controls

The Connect application is further protected by operational management controls that protect all of Marsh & McLennan Companies information technology systems, which include but are not limited to:

- Enterprise firewalls, VLANs, and layered DMZ architectures used to help protect systems from intrusion and limit the scope of any successful attack.
- Intrusion Detection Systems and other traffic and event correlation procedures, which are implemented, maintained and monitored 24x7.
- A multi-tiered anti-virus and anti-spyware program for e-mail and network gateways, servers, and desktops. Anti-virus signatures are updated daily.
- Back-up and recovery programs to ensure the effective back-up of data and recovery of the systems in the event of a system failure or data center outage.
- Formal change management processes which require that all systems and configuration changes be logged, reviewed, approved and monitored.
- Security audits and reviews, performed through a variety of processes including annual reviews conducted by the Marsh & McLennan Companies internal Audit department and routine risk assessments and system reviews.

Legal and Regulatory Compliance

The Connect Legal Notice can be viewed at the following URL:

https://connectv7.mercer.com/connectfiles/connect_legal_notice_en.htm

Terminology

CCTV: Closed Circuit Television (CCTV) is a visual surveillance technology designed for monitoring a variety of environments and activities.

eroom Plug-In: The eroom Plug-in can be installed on workstations to provide enhanced functionality for Connect. These features include double-click editing, drag-and-drop capability and Outlook synchronization.

Marsh & McLennan Companies: Marsh & McLennan Companies, Inc. is the premier global professional services firm providing advice and solutions in risk, strategy and human capital. Mercer is a wholly owned subsidiary of Marsh & McLennan Companies.

TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.