Fishman, Block + Diamond, LLP (“FBD”) has made a strong and proactive commitment to information security in order to protect the sensitive information of our company, and that of our clients. This document explains the specific actions that we have implemented, and we recommend that these measures be considered and implemented by our clients and friends to protect their information security as well:
- We have an annual risk assessment by our external IT partner to assess the risk against our information assets and have 24/7 external monitoring of our network and all workstations to identify and stop intrusions.
- We receive weekly and monthly reporting of intrusion attempts.
- We take all recommended steps as we are notified of any highly critical risks that are found during the regular risk assessments.
- We have amended our policies and procedures to better align with the ISO27001 Information Security Management System. For more information regarding the ISO27001 standards, please visit International Organization for Standardization – https://www.iso.org.
- We have added multiple security control software to ensure our security architecture can prevent and detect threats to our information assets. This security package is custom designed specifically for us by our IT partner.
- We have an updated Business Continuity and Disaster Recovery Plan in place. This includes offsite backup in three co-location facilities including two out of state. If the servers in our office are damaged or destroyed, we can access all data via any web browser and be working without interruption.
- On a weekly basis, we conduct Security Awareness and Education provided by IT Partner for all FBD staff to ensure they are aware of threats to our environment and understand the appropriate handling of information as well as response mechanisms to any information incidents. This includes sending intentionally false attempts to trick our staff into clicking on emails and other attachments that they should know not to open. If a user does not complete the required training timely, the user is denied access to the network until the training is completed. We have achieved almost a perfect score for all staff as a result, and I highly recommend that this intentional phishing training software be implemented.
We have upgraded several of our systems and implemented several new ones, including:
External Security
- Updated firewalls that include a full gateway security suite and website filtering. This product provides the first line of defense against external attacks. We prevent all staff members from being able to connect to all social media, shopping, gaming, pornography, gambling and other malicious sites including on mobile devices. All security events are logged to an internal database that is monitored by our technology partner. It also has a geo-filter that prevents access to/from unauthorized countries. If allowed, the sites are still checked for malware by the firewall and the system described next.
- Redundant firewalls that automatically fail over both security rules and internet connections in the event of a hardware or internet failure. We have invested in three different high-speed internet connections for availability, in case one fails, and performance (to balance loads). We also have two separate phone service providers in case one fails with automatic fail over.
- Added an intrusion protection system (IPS). This system not only provides a 2nd layer of protection against external attacks, anti-malware, anti-virus, anti-spyware, it also provides safe website application usage for internal staff. This allows users to safely go to websites for business use that would ordinarily be blocked, rather than blocking the sites completely.
- Added an SSL-VPN for securing our remote access. Any remote user must log in through this portal, and they are allowed to get to only the resources that they have permission to. Per policy, all client devices are required to have remote monitoring and maintenance with our technology partner to ensure that all security patches, and anti-virus and anti-malware definitions are up to date.
- We have software that allows us to roll back to earlier dates if our systems are hacked and locked.
- We have disabled all USB ports on our workstations.
- We have monitoring software that will instantly alert us if a staff member has started downloading a massive amount of data.
- All SSL-VPN connections and wherever possible all software applications require two-factor authentication.
- Utilize ShareFile for communicating files to clients. It is a secure and encrypted file-sharing system provided by Citrix. We also can encrypt data in all emails.
- We use third-party tools, managed by our IT partner, to provide external anti-spam, anti-virus filtering, and URL-Sandboxing before it reaches our network.
- 24/7 MDR monitoring of our Office365 accounts for any suspicious activity.
Internal Security
- Strengthened our password policy to require complex passwords and a mandated password change schedule.
- Automated Patching policies
- Upgraded our anti-virus suite to an Enterprise level NextGen Endpoint Detection and Response service that is monitored by a 24×7 Security Operations Center (SOC), and have installed it on all servers and workstations, including Macs.
- Added a strong change management policy for updating all systems, not just workstations and servers, but all network devices as well. Programs known to cause the most problems such as Adobe, Java…etc, are updated on a regular basis. With users having a limited number of rights on their computers, this dramatically lowers the risk of infection and accidental data leakage.
- Implemented Application level Zero Trust endpoint protection
- Combined monitoring and log capture to all workstations, servers, and networks, and managed by our IT partner.
- All workstations are above ground level using stands to prevent water or dust damage.
- Our internal wireless system prevents guests from accessing our network.
Data Protection
- Our data has been encrypted “at rest” on our onsite servers.
- Our data is backed up using a state-of-the-art system by our technology partner, branded as Dependable SafeSTOR, and sold as a service and managed exclusively by our technology partner. This system takes block level, incremental, back-ups multiple times per day, including all data, and encrypts it with a key. The backup data is saved on a local device in our office for fast retrieval and then transmitted to multiple secure offsite data centers, both of which are in different states. Since all backups are encrypted at rest and in transit, without the decryption key, all backups are secure. These backups are tested daily, both onsite and at the remote data centers for quality control. Once a quarter, we restore the entire system to insure it is working properly.
- Our server room is locked at all times, the entry code is known to only those that require it, and the code is changed quarterly. All servers are kept in a locked rack.
- We have a physical security monitoring system, requiring key entry, and video cameras which are stored in the cloud,
- In the server room, there are redundancies for power protection and environmental controls. In the event that one of our independent HVAC units fails, a 2nd unit maintains an appropriate room temperature. These units run 24/7; therefore, our servers are always being cooled even when the building air conditioning is shut off. Additionally, our servers will shut down automatically if they get too hot or detect that the power is going to fail. We have our servers maintained in a locked rack that is above ground level and has a custom-made sheet metal hood installed above the rack to deflect any water leaks from above.
- Access and uptime have been significantly improved by virtualization of our environment using virtual servers running industry standard hypervisor platforms on redundant servers and a fiber storage area network (SAN). Some of the key benefits of virtualization include: 1) automatic fail-over if a host server fails, 2) more efficient use of hardware resources, 3) lower power consumption, 4) ease of recovery in a disaster, 5) elimination of dependency on specific hardware, and 6) ease of roll-back when performing upgrades.
- Conditional Access Policies to monitor and limit data access
- We are totally paperless so that in the event of a catastrophic event in our building, all data is safe and protected. We maintain no paper files or folders.
- Our paperless systems allow us to prevent unauthorized access to internal or confidential data. Those without access cannot view the files or folders they are blocked from.
- All employees undergo background checks and screening.
- We shred all printed material that is discarded.
Personal Security
- Use a password manager – We recommend tools such as 1Password – https://1password.com/ or Keeper – https://www.keepersecurity.com/. The app can be easily downloaded on any device (phone, iPad and computer). Never write down your passwords unless they are in the password manager.
- Use complex passwords.
- Install a firewall on your home computer.
- Use a malware blocker on your personal computers and a spam blocker – we recommend Malwarebytes and Sophos.
- Always connect to your office network through a VPN
- Do not ever email your social security number, bank account number, credit card number, passwords, or any other private information unless it is encrypted. There is encryption add ins to most email programs, or you can send via Dropbox or other file sharing services that are encrypted.
- Do not link your bank account to payment sites such as Venmo.
- Never use the same password for multiple logins.
- Do not give guests access to your company Wi-Fi. Use a separate guest network with a password that is changed daily and only lasts for one day.
- Use LifeLock to alert you to credit fraud.
- Avoid printing your home address or phone number on a check and use initials instead of your first name.
- Do not sign the back of your credit cards – write photo id required.
- Never put the complete account number on your checks when paying your credit card bills – just the last four numbers.
- Change all important passwords and logins quarterly.
- Never email your bank account or credit card information. You can send encrypted email using programs like iCloud or Dropbox.
- Stay away from posting anything on any social media site and never post birthdates, mother’s maiden name, or first pet’s name on Facebook or linked-in, etc.
- Receive an alert via email for every credit card charge – very easy to do.
- Enable find my phone on your phone and devices – you can then erase them remotely and locate them using GPS.
- Contact your bank(s) and block ACH transfers for all accounts unless pre-approved
For reference, our technology partner is DCG Technical Solutions, Inc. (https://www.dcgla.com/). For questions, we can provide you their contact info upon request.
Please contact us if you have any questions regarding our information security system. You may view a copy of this and other FBD client memos on our website at https://www.fbco.com/publications/.
Your friends at,
FBD