- We have an annual risk assessment by our external IT partner to assess the risk against our information assets and have 24/7 external monitoring of our network and all workstations to identify and stop intrusions
- We receive weekly and monthly reporting of intrusion attempts
- We take all steps as we are notified of all highly-critical risks that are found during the regular risk assessments.
- We have amended our policies and procedures to better align with the ISO27001 Information Security Management System. For more information regarding the ISO27001 standards, please visit International Organization for Standardization – https://www.iso.org.
- We have added multiple security control software to ensure our security architecture can prevent and detect threats to our information assets. This security package is custom-designed specifically for us by our IT partner.
- We have an updated Business Continuity and Disaster Recovery Plan in place.
- On a weekly basis, we continually conduct Security Awareness and Education for all FBD staff to ensure they are aware of threats to our environment and understand appropriate handling of information as well as response mechanisms to any information incidents. This includes sending intentionally false attempts to trick our staff into clicking on emails and other attachments that they should know not to open. We have achieved almost a perfect score for all staff as a result, and I highly recommend that this intentional phishing training software be implemented.
- We have committed to continuous monitoring and improvement on a quarterly basis as it relates to information security.
We have upgraded several of our systems and implemented several new ones, including:
External Security –
- Updated firewalls that include a full gateway security suite and website filtering. This product provides the first line of defense against external attacks. We prevent all staff members from being able to connect to all social media, shopping, gaming, pornography, gambling, and other malicious sites. All security events are logged to an internal database that is monitored by our technology partner. It also has a geo-filter that prevents access to/from unauthorized countries. If allowed, the sites are still checked for mal-ware by the firewall and the system described next.
- Redundant firewalls that automatically failover both security rules and internet connections in the event of a hardware or internet failure. We have invested in three different high-speed internet connections for availability, in case one fails, and performance (to balance loads).
- Added an intrusion protection system (IPS). This system not only provides a 2nd layer of protection against external attacks, anti-malware, anti-virus, and anti-spyware, but it also provides safe website application usage for internal staff. This allows users to safely go to websites for business use that would ordinarily be blocked, rather than blocking the sites completely.
- Added an SSL-VPN for securing our remote access. Any remote user must log in through this portal and they are allowed to get to only the resources that they have permission to. Per policy, all client devices are required to have remote monitoring and maintenance with our technology partner to ensure that all security patches, and anti-virus and anti-malware definitions are up to date.
- We have software that allows us to roll back to earlier dates if our systems are hacked and locked.
- We have disabled all USB ports on our workstations.
- We have monitoring software that will instantly alert us if a staff member has started downloading a massive amount of data.
- All SSL-VPN connections require two-factor authentication.
- Utilize ShareFile for communicating files to clients. It is a secure and encrypted file-sharing system provided by Citrix.
- We use Mimecast, managed by our IT partner, to provide external anti-spam and anti-virus filtering before it reaches our network.
Internal Security –
- Strengthened our password policy to require complex passwords and a mandated password change schedule.
- Upgraded our anti-virus suite to Webroot and Sentine1One and have installed it on all servers and workstations, including Macs.
- Added a strong change management policy for updating all systems, not just workstations and servers, but all network devices as well. Programs known to cause the most problems such as Adobe, Java, etc, are updated on a regular basis. With users having a limited amount of rights on their computers, this dramatically lowers the risk of infection and accidental data leakage.
- Combined monitoring and log capture to all workstations, servers, and networks, and managed by our IT partner.
- All workstations are above ground level using stands to prevent water or dust damage.
- Our internal wireless system prevents guests from accessing our network.
Data Protection –
- Our data has been encrypted “at rest and in transit” on our onsite servers.
- Our data is backed up using a state-of-the-art system by our technology partner, branded as Dependable SafeSTOR, utilizing StorageCraft for the underlying backup processes, and sold as a service and managed exclusively by our technology partner. This system takes block level, incremental, back-ups multiple times per day, including all data, and encrypts it with a key. The backup data is saved on a local device in our office for fast retrieval and then transmitted to multiple secure offsite data centers, both of which are located in different states and one of which is located out of state. Since all back-ups are encrypted at rest and in transit, without the decryption key, all back-ups are secure. These backups are tested daily, both onsite and at the remote data centers for quality control. Once a quarter, we restore the entire system to ensure it is working properly.
- Our server room is locked at all times and the entry code is known to only those that require it and the code is changed quarterly.
- We have a physical security monitoring system, requiring key entry, and also video cameras which are stored in the cloud,
- In the server room, there are redundancies for power protection and environmental controls. In the event that one of our independent HVAC units fails, a 2nd unit maintains an appropriate room temperature. These units run 24/7 therefore our servers are always being cooled even when the building air conditioning is shut off. Additionally, our servers will shut down automatically if they get too hot or detect that the power is going to fail. We have our servers maintained in a locked rack which is above ground level and also have a custom-made sheet metal hood installed above the rack to deflect any water leaks from above.
- Access and uptime have been significantly improved by virtualization of our environment using virtual servers running VMware 6.0.0 on redundant servers and a fiber storage area network (SAN). Some of the key benefits of virtualization include: 1) automatic fail-over if a host server fails, 2) more efficient use of hardware resources, 3) lower power consumption, 4) ease of recovery in a disaster, 5) elimination of dependency on specific hardware, and 6) ease of roll-back when performing upgrades.
- We are totally paperless so that in the event of a catastrophic event in our building, all data is safe and protected. We maintain no paper files or folders.
- Our paperless systems allow us to prevent unauthorized access to internal or confidential data. Those without access cannot view the files or folders they are blocked from.
- All employees of the vendor undergo background checks and screening.
For reference, our technology partner is DCG Technical Solutions, Inc. (https://www.dcgla.com/). For questions, we can provide you with their contact info upon request.
Please contact us if you have any questions regarding our information security system.