Security Configurations and Standards

SOC2

Proformex System Description

Proformex takes the security of our clients' data very seriously. We have set the following security configurations and standards, and our data is hosted by Rackspace, a firm we have vetted to confirm that its data hosting services are in line with industry best practices.

1.1 PASSWORD PARAMETERS

Passwords must have at least eight (8) characters, containing at least one digit, one upper-case letter, one lower-case letter, and one special symbol ("@#$%"). Passwords cannot be reused. Accounts are locked out after five (5) incorrect attempts, and Proformex must be contacted for a new password (lockout handling is described further in section 3.2). Logins must also pass a CAPTCHA challenge.

1.2 PASSWORD CONFIGURATIONS STANDARDS AND COMPLIANCE

When a service provider and/or user is first granted access to Proformex, the system automatically sends them their user name (their email address) and a temporary passcode. When the service provider or user signs in to Proformex for the first time, they are immediately directed to change their passcode based on our established criteria. The system will not let them set a password that does not conform to the password format standards.
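As an added illustration (not Proformex's own code, which the page describes as ASP.NET with a SQL Server database), the following Python shows how a service can enforce the format rules of section 1.1 and the no-reuse rule at the moment a user sets a new password. Passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes, and the reuse check re-derives the candidate under each stored salt rather than comparing plaintext. The history depth (12 entries) and the PBKDF2 work factor are assumptions; the page states neither.

```python
import hashlib
import hmac
import os

# Rule values taken from sections 1.1 and 1.2 of this document.
MIN_LENGTH = 8
SPECIAL_SYMBOLS = "@#$%"
# Assumptions (not stated on the page): how many previous passwords are
# remembered for the reuse rule, and the PBKDF2 work factor.
HISTORY_SIZE = 12
PBKDF2_ITERATIONS = 600_000


def policy_violations(password: str) -> list:
    """Return every rule the candidate password breaks; an empty list means it conforms."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in SPECIAL_SYMBOLS for c in password):
        problems.append("no special symbol from " + SPECIAL_SYMBOLS)
    return problems


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Keeps, per user, a bounded list of (salt, digest) pairs; the newest entry is the current password."""

    def __init__(self):
        self._history = {}

    def was_used_before(self, user: str, candidate: str) -> bool:
        """Reuse check: re-derive the candidate under each stored salt and compare in constant time."""
        for salt, digest in self._history.get(user, []):
            _, candidate_digest = hash_password(candidate, salt)
            if hmac.compare_digest(candidate_digest, digest):
                return True
        return False

    def set_password(self, user: str, new_password: str) -> list:
        """Enforce the format rules and the no-reuse rule; the hash is stored only when both pass."""
        problems = policy_violations(new_password)
        if self.was_used_before(user, new_password):
            problems.append("password was used before")
        if problems:
            return problems
        entries = self._history.setdefault(user, [])
        entries.append(hash_password(new_password))
        del entries[:-HISTORY_SIZE]      # keep only the most recent HISTORY_SIZE hashes
        return []

    def verify(self, user: str, password: str) -> bool:
        """Check a login attempt against the current (most recent) hash only."""
        entries = self._history.get(user)
        if not entries:
            return False
        salt, digest = entries[-1]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

Returning the full list of violations, rather than the first one, lets the first-login page of section 1.2 tell the user everything that is wrong with a candidate at once; the stored history is what makes "passwords cannot be reused" enforceable without ever keeping a plaintext password.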

2.1 SECURITY CONFIGURATIONS: HARDWARE

  • Cisco ASA 5508-X with AnyConnect Plus VPN license; VPN access is authenticated with Duo tokens
  • Maintained and operated by our third-party hosting provider, Rackspace

2.2 SECURITY CONFIGURATIONS: SOFTWARE

  • Cisco ASA 5508-X Series Adaptive Security Appliance
  • Windows Server 2012 R2 (64-bit) Windows Firewall
  • Maintained and operated by our third-party hosting provider, Rackspace

2.3 IT SECURITY STANDARDS: ANTI-VIRUS AND MALWARE

  • Sophos Antivirus
  • Maintained and operated by our third-party hosting provider, Rackspace
  • Security updates supplied by Microsoft directly

2.4 SECURITY POLICIES AND PROCEDURES OVER REMOTE USERS

Every person that has access to Proformex is considered a "Remote User". Our remote users can be software licensees (typically an office that sells insurance), the advisors they work with (attorneys, CPAs, etc.), and policy contacts (policy beneficiaries, policy owners, policy trustees, etc.).

Policy Owners or licensed Policy Agents can grant Proformex access to desired advisors and policy contacts ("Authorized Users") by enabling access to specific ownerships (individually owned, corporate-owned, and trust-owned policies). Policy Owners or Agents can further authorize viewing rights to particular documents that are uploaded, stored, and viewed. At any time, the Policy Owner or Agent can modify a user's ability to see uploaded documents, or deactivate the user so that they can no longer see the policy information at all.

Authorized Users can view policy information and stored documents only for the policy ownerships they have been authorized to view. Authorized Users have no access to any clients they are not authorized to view.

Each remote user has one login username and passcode. Based on what they are authorized to see, their Proformex Platform houses those particular policy ownerships (clients) and the ability to view the related policy information and documents.

3.0 THIRD-PARTY SERVICE PROVIDERS' COMPLIANCE WITH PROFORMEX STANDARDS

See our Proformex IT Confidentiality Statement (attached).

3.1 PROCEDURES TO ADD/REMOVE AND MODIFY USERS

Users consist of software licensees, advisors, and policy contacts.

Our procedure for adding software licensees starts with gathering their contact information and logo. Their Proformex Platform is established and branded to their firm. A specific URL is provided to them so that they can gain access to their newly created Platform. This URL is tied to a stand-alone database for their clients only, and their information is not co-mingled with that of any other software licensee. We provide them with the information needed to link this URL (their Proformex login page) directly to their website if they so desire. They can populate the Platform with client and policy information manually, or we can provide a bulk-loading alternative. If a software licensee chooses not to renew their license, their Platform is deactivated and their stored data is destroyed.

Advisors and policy contacts can only be enabled by the software licensees. Furthermore, a licensee can only enable users associated with particular ownerships (clients) and/or policies. At any time, the software licensee can activate or deactivate viewing rights, as well as modify which particular documents that advisor or policy contact can or cannot see.

Access for all users is set up via the System Access Request Form. Proformex employees and Proformex users must complete and submit the System Access Request Form. Users submit the form to their Customer Service Representative, who confirms its authenticity and submits it for processing. Employees submit the form to their manager.

3.2 STANDARDS AND PROCEDURES FOR IT SECURITY PROCESS (INVALID ACCESS ATTEMPTS / UNUSUAL ACTIVITY)

Any user trying to log into Proformex is granted five attempts. If the fifth attempt is unsuccessful, the system locks the account for one hour. At any time the user can click "I forgot my password", which prompts them to enter their email address. The system emails them a secure password-reset link within 15 minutes so that they can change their password.
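An added example, not Proformex's own code, of the lockout rule above: five consecutive failures lock the account for one hour, a locked account is refused before the password is even evaluated, and the "I forgot my password" flow issues a random single-use token of which only the hash is stored. The 30-minute validity of the reset token is an assumption (the page only says the link is sent within 15 minutes), as is the caller-supplied check_password function. The clock is injected so the one-hour window can be exercised without waiting.

```python
import hashlib
import secrets
import time

MAX_ATTEMPTS = 5            # section 3.2: five attempts
LOCKOUT_SECONDS = 60 * 60   # section 3.2: locked out for one hour
# Assumption: the page gives no validity period for the reset link; 30 minutes here.
RESET_TOKEN_TTL_SECONDS = 30 * 60


class AccountState:
    def __init__(self):
        self.failures = 0
        self.locked_until = 0.0
        self.reset_token_hash = b""   # sha256 of the outstanding reset token, empty when none
        self.reset_expires = 0.0


class LoginGuard:
    """Per-user failed-attempt counter with lockout and single-use reset tokens.

    check_password(user, password) -> bool is supplied by the caller (assumed to exist);
    now() is injectable so the one-hour window can be tested without waiting."""

    def __init__(self, check_password, now=time.time):
        self._check = check_password
        self._now = now
        self._state = {}

    def _st(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._now() < self._st(user).locked_until

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "invalid" or "locked". A locked account is refused before the
        password is evaluated, so a correct guess during the lockout learns nothing."""
        st = self._st(user)
        if self.is_locked(user):
            return "locked"
        if self._check(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:        # the fifth consecutive failure triggers the lockout
            st.locked_until = self._now() + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "invalid"

    def issue_reset_token(self, user: str) -> str:
        """Token for the emailed "I forgot my password" link. Only its hash is kept
        server-side, so reading the database does not yield usable links."""
        token = secrets.token_urlsafe(32)
        st = self._st(user)
        st.reset_token_hash = hashlib.sha256(token.encode()).digest()
        st.reset_expires = self._now() + RESET_TOKEN_TTL_SECONDS
        return token

    def redeem_reset_token(self, user: str, token: str) -> bool:
        """Single use: a valid token is consumed, and redeeming it also clears any lockout."""
        st = self._st(user)
        if not st.reset_token_hash or self._now() >= st.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not secrets.compare_digest(presented, st.reset_token_hash):
            return False
        st.reset_token_hash, st.reset_expires = b"", 0.0
        st.locked_until, st.failures = 0.0, 0
        return True
```

The counter is keyed by user name, so the lockout is per account rather than per client address; a real deployment would also rate-limit by source address, since an attacker who knows the rule can lock legitimate users out deliberately.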

Each software licensee's site has its own event log, which can be viewed upon request. The event log tracks all activity associated with that Platform.

Proformex performs semi-annual reviews of all access levels for the system: application, production servers, VPN, database, and client users. These audits occur in March and September of each year. The CTO produces the master list of access and reviews access with each department head, and appropriate actions, such as access termination, are performed. The CTO provides a log of each audit which records any actions taken as a result of the audit.

3.3 DATA UPON LICENSE EXPIRATION OR TERMINATION

Software licenses can expire, or users can request termination. Before termination, a data dump of their database can be forwarded to them prior to our deleting their Platform. Once their Platform is deleted, its data cannot be restored; this is a safeguard for their information.

4.0 DATA BACK UP STANDARDS AND PROCEDURES

The data in Proformex is backed up nightly and saved on the server. The server is then backed up to the cloud nightly and once over the weekend. The nightly backup runs between 11:00 p.m. and midnight so that, if the system ever needs to be restored, it can be restored from the prior night's backup. The weekend backup is a disaster-recovery safeguard should a daily backup fail.

4.1 ENCRYPTED STORED DATA: IN USE AND AT REST

All protected data within Proformex is encrypted: the plaintext is encoded into a form (ciphertext) that conceals the data's original meaning, so that it cannot be known or used by unauthorized persons.

4.2 ENCRYPTED DATA: TRANSMITTED DATA

All transmitted data is encrypted in the same way: the plaintext is encoded into a form (ciphertext) that conceals the data's original meaning, so that it cannot be known or used by unauthorized persons.

4.3 DATA MASKING

The Proformex application provides options for information masking to prevent, where appropriate, the display of an entire piece of information; for example, a social security number is shown as xxx-xx-1234.
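The masking rule generalised slightly, as an added example rather than the application's own code: the function below keeps the last four letters or digits of any identifier and preserves separators, so a social security number renders as xxx-xx-1234 and a policy number such as AB-1234567 (a constructed value) renders as xx-xxx4567; a value with four or fewer characters is masked entirely. mask_record applies it to selected fields of a display copy, leaving the stored record untouched.

```python
def mask_identifier(value: str, visible_tail: int = 4, mask_char: str = "x") -> str:
    """Replace every letter and digit except the last `visible_tail` of them with
    `mask_char`, keeping separators so the familiar shape survives:
    "123-45-6789" -> "xxx-xx-6789". A value with no more than `visible_tail`
    alphanumerics is masked completely, so a short identifier is never shown in full."""
    positions = [i for i, c in enumerate(value) if c.isalnum()]
    keep = set(positions[-visible_tail:]) if len(positions) > visible_tail else set()
    return "".join(
        c if (not c.isalnum() or i in keep) else mask_char
        for i, c in enumerate(value)
    )


def mask_record(record: dict, sensitive_fields) -> dict:
    """Return a display copy of `record` with the named fields masked. The stored
    record is not modified, and field names that are absent are simply skipped."""
    shown = dict(record)
    for name in sensitive_fields:
        if name in shown and shown[name] is not None:
            shown[name] = mask_identifier(str(shown[name]))
    return shown
```

Masking belongs at the presentation layer: the full value stays in the database, and the decision of which fields to mask is made per view, which is what "if appropriate" in the section above amounts to in code.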

4.3 BACK-UP CRITICAL DATA

All data is backed up daily to an off-site location and is available/accessible to our technology organization in real time if needed. We leverage the backup services provided by our hosting and cloud service provider, Rackspace. Rackspace is ISO/IEC 27001 certified.

4.4 DATA CHANGES OR ADJUSTMENTS

Much of the data received directly into the Proformex system is read-only and cannot be adjusted, but there may be occasions on which the database needs to be corrected or adjusted to properly reflect the data. These adjustments may only be performed by the Proformex CTO or by a Proformex developer, and only when requested directly by a Proformex Customer Service Representative and approved by Management. The Proformex Customer Service Representative must confirm that the change is needed and has been requested by an authorized user. The change is then staged and reviewed by Management prior to release to production.

4.5 LOG MANAGEMENT

Proformex logs every interaction each user executes within the system, starting from the login process and covering every available interaction, so that a detailed transcript of user actions can be produced if necessary. Logs are available for audit purposes within 48 hours of a specific data request.

4.6 DATA ACCESS

Proformex is a role-based application with explicit (rather than implicit) permission assignments, ensuring that each user has access only to a limited body of data based upon their individual data rights.
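Sections 2.4, 3.1 and 4.5 describe the same model from different angles: grants are made explicitly per ownership, document rights are layered on top and can be withdrawn, licensees can only enable users on their own clients, and every interaction is logged. The following Python is an added example of that model, not the Proformex application's code; the identifiers used in the test (licenseeA, advisor1, trust-001, doc-7) are constructed.

```python
from datetime import datetime, timezone


class Grant:
    def __init__(self, ownership_id: str):
        self.ownership_id = ownership_id
        self.document_ids = set()    # documents this user may open; none by default
        self.active = True


class AccessControl:
    """Explicit grants only: a user who holds no grant for an ownership is denied, and
    document rights are never implied by policy rights. Every decision is logged."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clients = {}     # ownership_id -> licensee whose platform holds that client
        self._grants = {}      # (user, ownership_id) -> Grant
        self._clock = clock
        self.audit_log = []    # one entry per interaction, in order

    def _log(self, actor: str, action: str, target: str, outcome: str) -> str:
        self.audit_log.append({
            "ts": self._clock().isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })
        return outcome

    def register_ownership(self, licensee: str, ownership_id: str) -> str:
        self._clients[ownership_id] = licensee
        return self._log(licensee, "register_ownership", ownership_id, "ok")

    def _owned_by(self, licensee: str, ownership_id: str) -> bool:
        return self._clients.get(ownership_id) == licensee

    def grant_ownership(self, licensee: str, user: str, ownership_id: str) -> str:
        """A licensee may only enable users on its own clients (section 3.1)."""
        target = f"{user}:{ownership_id}"
        if not self._owned_by(licensee, ownership_id):
            return self._log(licensee, "grant_ownership", target, "denied")
        self._grants[(user, ownership_id)] = Grant(ownership_id)
        return self._log(licensee, "grant_ownership", target, "ok")

    def grant_document(self, licensee: str, user: str, ownership_id: str, document_id: str) -> str:
        """Document rights sit on top of an existing ownership grant; no grant, no document."""
        grant = self._grants.get((user, ownership_id))
        target = f"{user}:{ownership_id}:{document_id}"
        if grant is None or not self._owned_by(licensee, ownership_id):
            return self._log(licensee, "grant_document", target, "denied")
        grant.document_ids.add(document_id)
        return self._log(licensee, "grant_document", target, "ok")

    def deactivate(self, licensee: str, user: str, ownership_id: str) -> str:
        """Switches the whole grant off; the document list is kept but no longer honoured."""
        grant = self._grants.get((user, ownership_id))
        target = f"{user}:{ownership_id}"
        if grant is None or not self._owned_by(licensee, ownership_id):
            return self._log(licensee, "deactivate", target, "denied")
        grant.active = False
        return self._log(licensee, "deactivate", target, "ok")

    def can_view_policy(self, user: str, ownership_id: str) -> bool:
        grant = self._grants.get((user, ownership_id))
        allowed = grant is not None and grant.active
        self._log(user, "view_policy", ownership_id, "allowed" if allowed else "denied")
        return allowed

    def can_view_document(self, user: str, ownership_id: str, document_id: str) -> bool:
        grant = self._grants.get((user, ownership_id))
        allowed = grant is not None and grant.active and document_id in grant.document_ids
        self._log(user, "view_document", f"{ownership_id}:{document_id}",
                  "allowed" if allowed else "denied")
        return allowed
```

Denied decisions are logged as deliberately as allowed ones: a run of "denied" entries for one actor across several ownerships is exactly the unusual activity that section 3.2 says the event log exists to surface.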

4.7 THIRD PARTY HOST BACK UP STANDARDS AND PROCEDURES

Our third-party hosting provider (Rackspace) keeps backups that are extended snapshots. A "Gold Image" of each software licensee's data is kept. These are static, and as new backups occur, the oldest image falls off. We can specify how often we would like information backed up (see our specifications in the "Data Back Up Standards and Procedures" section).

Content saved to Rackspace Cloud Files is saved into the same datacenter, but multiple copies of the data are placed on at least three different devices in two distinct zones of the datacenter. Each datacenter zone also uses separate power and network connections.

If a software licensee's data needs to be restored, a new server is brought up and the data is restored to it so that the required information can be recovered for them. Once the data has been restored, the new server is erased and shut down.

4.8 PERSONNEL BACK UP STANDARDS AND PROCEDURES

  • All personnel are required to acknowledge and sign our "Proformex IT Confidentiality Statement". A copy is contained in this packet.
  • The application software is self-documenting and written in the standard Microsoft ASP.NET framework with a Microsoft SQL Server database. Any ASP.NET-certified developer will be able to learn the code and begin maintaining the software within a matter of days.
  • We employ a CTO (Chief Technology Officer) who oversees our development team and is in charge of long-range planning and software enhancements.

5.0 FIREWALL: EGRESS FILTERING

A dedicated firewall provided by Rackspace inspects network traffic passing through it and denies or permits passage based on a set of rules. Egress filtering is the practice of filtering outbound traffic so that unauthorized traffic cannot leave the internal network.

6.0 PERIODIC VULNERABILITY AND PENETRATION TESTING

Proformex uses an independent third-party firm to test the security of our platform. Vulnerability scanning is performed three times per year, and credentialed and non-credentialed penetration testing is performed once a year. Results letters from the firm are available upon request.

7.0 CHANGE MANAGEMENT PROCESS

Proformex uses the process below to ensure that a standardized method and procedure is used to make changes to the Proformex IT infrastructure efficiently, and to reduce the number and impact of such changes on Proformex users and services.

  1. Request comes in from a customer and/or management
  2. IT reviews the request and approves the change
  3. IT documents the change for the developer
  4. Developer implements the change
  5. Developer checks the work into the source control system
  6. Developer indicates that the change is complete
  7. CTO builds the software and deploys it to the staging platform
  8. Software is tested by change management
  9. Change is approved
  10. CTO moves the build to the production environment
  11. Change management performs final QA
  12. Customer/management is notified of the change implementation
  13. Change management process is complete