1 SCOPE
This document defines Berkshire’s Information Security and Privacy Policy in relation to hosted applications, hosted client data, outsourced client data and company information.
1.1 AUDIENCE
This document is for clients and prospective users who are interested in using applications developed and hosted by Berkshire, users of outsourcing and consulting services provided by Berkshire, attorneys and procurement officers of companies acquiring applications, internal Berkshire staff and IT personnel of Berkshire’s clients and prospective users.
1.2 PURPOSE
This document sets the minimum level of data security and privacy for all Berkshire provided applications and services and client data that is stored on Berkshire’s systems and exposed to Berkshire’s staff. Client data and information may include outsourced services to Berkshire, applications hosted by Berkshire, such as balanceWORKS, balanceAAP, balanceTRAK, balanceREACH, and custom solutions delivered using a Software as a Service (SaaS), Cloud Computing, or Application Service Provider (ASP) delivery model.
1.3 ASSUMPTIONS
Some hosted applications, that are managed but not administered by Berkshire’s clients, have the functionality to reduce password restrictions. Berkshire expects all clients will properly manage access to their application according to their company‘s policies and practices. Berkshire employs controls wherever possible to allow clients maximum control and security in administering their applications.
Clients are aware, unless explicitly noted otherwise, that Berkshire operates all applications in a shared operating environment. Berkshire will ensure all client data is kept isolated and secured in all operating environments.
1.4 CONTACTS
- Karl Hester – IT Director
1.5 RESPONSIBILITY, ACCOUNTABILITY AND ADMINISTRATION OF POLICIES
The IT Director is responsible for creating, maintaining and executing all security policies for Berkshire. Any issues identified with company security policies and/or the implementation of these policies, is their responsibility.
System and network level configuration changes, patches and maintenance is performed by the Systems Administration team under the direction of the IT Director to ensure adherence to the company’s security policies.
2 POLICIES
2.1 EMPLOYEES’ DATA SECURITY AND CONFIDENTIALITY POLICIES
Berkshire has a clearly defined information confidentiality policy and process for any staff that deals with clients or client data. We apply strict standards in providing access to client data. The policy, as outlined in the company’s employee handbook, can be provided upon written request.
Access to client data for outsourcing projects is limited to consultants working on a project and is only given temporarily to other Berkshire staff on an as needed basis for a specific reason. Discretion is used by Project Managers in allocating access to client data.
All requests to allow additional employee access to client data must be submitted through the internal corporate System Support system so that requests can be properly approved and logged. Senior management of Client Services have access to all data and information for the projects in their respective business areas to ensure proper oversight and quality control.
Access to all other data hosted by Berkshire is limited to the Systems Administration team and other senior members of the IT department supporting the specific systems on an as-needed basis. Product Support representatives may only access client data upon request and approval from a client. Clients may also have their application administrators grant access to Berkshire’s Product Support for a temporary basis staff through the application.
Berkshire maintains data retention and data destruction policies which can be provided upon written request. Consultants and other staff members are trained in data destruction procedures supporting this policy at the time they are hired by Berkshire and then are regularly re-trained annually.
2.2 EMPLOYMENT POLICY
Prior to hiring, Berkshire conducts a background check by a third party to screen every employee. The background screening conducted by Berkshire includes education, criminal, and reference checks.
Confidentiality and privacy clauses are part of Berkshire’s Employment Agreement and Employee Handbook. Employees are required to review both agreements and sign an acceptance form as part of their condition of employment. All employees are asked to review security and privacy policies not only upon starting employment at Berkshire but also as policies are reviewed and updated. Changes are communicated to staff via the employee portal, email and staff meetings. Significant changes to any policies are confirmed by having each employee electronically acknowledge receipt in the employee portal.
Employees are also provided annual security training and must acknowledge receipt of the training. Copies of the Employment Agreement and Employee Handbook are posted in Berkshire's employee portal so that they are available for reference by all staff at any time.
Upon termination, either voluntary or involuntary, the Systems Administration team immediately executes the established procedures in the deprovisioning of accounts and retrieval of all assets assigned to the terminated employee.
2.3 REMEDIAL AND NOTIFICATION PROCESS OF BREACH OF DATA
Berkshire maintains and follows an Incident Response Policy and Process. The incident monitoring and response policy and process is managed by the Systems Administration team. The notification process itself is conducted by the Product Support team and both of these functions report to the IT Director. In the event an incident occurs, the situation is evaluated and a course of action is charted jointly by the IT Director, the Systems Administration team, the Product Support Manager and the Product Development Manager.
Unlawful processing of client or corporate data by an employee of Berkshire is grounds for immediate dismissal from the company and possible legal action against any person involved.
2.4 SYSTEMS USAGE POLICY
The employee handbook contains a detailed Systems Usage Policy and is available upon written request. In summary, employees are only given the permissions necessary to perform their job, and are not provided Administrative rights to a laptop, workstation, server, or other device unless required for their position.
An Acceptable Use Policy is also posted for users of all of Berkshire's hosted systems. In summary, this policy is designed to prevent misuse of hosted systems and outlines the expectations for all users as well as the monitoring and enforcement implemented to ensure compliance.
2.5 REMOTE ACCESS POLICY
The Remote Access policy is found in the employee handbook. All external access to Berkshire’s network requires a secured, encrypted connection, utilizing two-factor authentication, and only from their Berkshire assigned device. Corporate email can be accessed from mobile devices but requires the device have strong authentication, encryption, and remote wipe enabled.
2.6 PHYSICAL SECURITY POLICY
Berkshire’s office building is secured and monitored by an alarm system with a multitude of sensors activated during non-business hours. Employee access is controlled via card access and alarm access codes. Both systems log all employee traffic and provide extensive report and auditing capabilities. Video cameras are also used outside the building and in the server room to provide monitoring and alerting.
For the corporate office, all visitors and vendors who will be accessing a non-public area of the building must sign a log upon entering the building and will be issued the appropriate vendor or visitor pass. All visitors must present a government issued ID when signing in if they wish to access a non-public area of the building. Visitors must be accompanied at all times. Pre-approved vendors may access non-restricted areas without being accompanied. If a visitor, vendor or repair person needs access to a restricted area of the building, they must be accompanied by an employee or receive authorization from a manager to access the restricted area, depending on the reason. Visitors and vendors will be asked to log out and return their passes when leaving the building. Visitors arriving for training, interviews, or sales meetings and will only be present in the public area of the building are not required to sign in or out.
Systems containing Berkshire's hosted application environment are kept at a secured data center that has additional extensive security measures including, but not limited to, two factor authentication, biometric scanners and 24/7/365 monitoring.
The employee handbook contains a detailed Physical Security Policy, and is available upon written request.
2.7 THIRD PARTY DATA ACCESS
Berkshire does not have any third party business agreements with any other company to share or process any of our client’s data. We do not hire outside consultants to perform any type of analysis on our client’s data, and therefore, there is no exposure of client data to anyone outside of the company.
Our systems are all maintained and managed internally by our own staff. In the event third party support is required, access will only be provided specifically to the systems on the work being performed. Additionally, all software used for this connectivity must be approved by Berkshire’s Systems Administration team.
Berkshire will, upon client request, provide integration services or provide data to vendors that our client has an independent agreement with and has authorized Berkshire to make this information available. Any data that is transferred to these vendors is always encrypted and transmitted securely.
2.8 DATA DISPOSAL
Berkshire has a formal Data Destruction Policy which is available upon request.
All sensitive data on physical media is disposed of in secured containers shredded by a third party vendor. These secured containers are readily available and placed throughout the office for easy access. Additionally, employees who deal with sensitive client data are trained to securely dispose of all media as outlined in the Data Destruction Policy.
In the case of hard drives that stop functioning properly or otherwise decommissioned, they are destroyed by a 3rd party vendor, and a log is maintained detailing the destruction date of the drive with the corresponding serial number. In addition, drives that are reallocated to a different employee are properly erased by using industry best practices and tools to ensure the data is properly removed.
2.9 RISK ASSESSMENT
Berkshire has risk assessment teams for both the business and technical operations of the business, including members of the Executive Management, Systems Administration, Product Support and Development teams. These risk assessment teams meet twice annually and as part of the risk assessment process, maintains a risk register. Additionally, these teams evaluate any new potential risks to the organization. The risk assessment teams discuss risks that could negatively impact various elements of Berkshire’s business and service and product lines, including, but not limited to: information technology, service level agreements, regulatory changes, state and federal laws and regulations and other standing contracts and agreements.
Once the annual meeting has been held and new and current risks have been evaluated, a list of action items is defined, and adjustments to policy, process and procedure will be made to mitigate risks whenever possible.
2.10 ASSET MANAGEMENT
Berkshire’s Systems Administration team works in conjunction with the Director of Finance and Administration to ensure all information technology resources are tracked throughout its lifespan at Berkshire. Resources are tagged when provisioned and recorded through an established hosted Asset Management application. Any assets that are used to store client data are handled according to the Data Destruction Policy when decommissioned.
2.11 WIRELESS ACCESS POLICY
Berkshire has no wireless access points in the hosted application environment. Wireless access points are in use within the corporate headquarters and provide access to the Internet via a separate network and do not have any direct access to the corporate network that houses client data. Passwords for wireless access points in the corporate headquarters are updated quarterly.
3 TECHNOLOGY
3.1 CORPORATE FIREWALL
Berkshire uses independent firewalls for the hosted application environment, the data environment within the hosted application environment, the disaster recovery environment and the corporate environment. Firewall configuration is backed up after every change and periodic restoration of these settings is performed to ensure the system can be restored in the event of failure. Firmware updates that only provide additional functionality are reviewed by Berkshire’s IT staff and deployed as necessary. Firmware updates that resolve security vulnerabilities are always applied and during normal scheduled maintenance windows. A separate firewall policy that further details the management of company firewalls is available upon written request.
3.2 CLIENT DATA AND SYSTEM DATA ACCESS
Client data for Berkshire hosted applications, including balanceWORKS, balanceAAP, balanceTRAK, balanceREACH, and customized solutions for clients, reside on servers physically located at a secured remote collocation facility (see section 3.3 for facility details). Data for Berkshire’s hosted applications is also encrypted then replicated to servers owned and managed by Berkshire at a separate collocation facility used for disaster recovery.
Client data that resides on any of our servers (internal or hosted) have extremely limited exposure and are controlled by the assigned IT team. Client data within the hosted application environment is placed on servers outside the demilitarized zone (DMZ) that have no access to the public Internet. Client data residing on our internal servers for outsourced projects is handled by our internal consultants specifically assigned to the project. Access to this data is limited to the staff directly responsible for client work and the IT staff responsible for managing the servers. All staff responsible for client data is trained in the proper management of data handling on the network and their personal computers.
Hosted web application data from balanceWORKS, balanceAAP, balanceTRAK, and balanceREACH, is only accessible to the staff responsible for maintaining these applications, which includes the IT Director, Product Support Manager, The Product Development Manager, and the Systems Administration team.
In hosted applications, analyses and reports are not permanently stored on the server. Instead the reports are dynamically created at the time they are run by the users. Any temporary files used to produce results are removed from the servers as soon they are designated as no longer needed to complete a client request.
Direct access to all databases containing client data is restricted to the Systems Administration team, the Product Support Manager, the Product Development Manager, and the IT Director. Senior Product Support staff responsible for these applications do have User and Password management rights within the applications but do not have direct access to the servers and/or databases. Senior members of the programming staff can request additional temporary access to an application if specifically requested by a client to fulfill a development or support request.
The responsibility for the security of client data lies with the IT Director.
3.3 COLLOCATION FACILITY
The data servers for Berkshire’s web based applications and Berkshire’s disaster recovery servers reside with a third party collocation provider. Servers are located at two sites, a primary location for the main operating environment, and a secondary location for disaster recovery. The same collocation provider is used for the primary and disaster recovery sites and provides a secure, private connection between facilities. This provider operates Level 3 secured Network Operating Center (NOC) facilities and provides backup power and redundant Internet connections for increased reliability and availability.
The hosting facilities are staffed 24/7/365, with personnel onsite monitoring the NOC and reviewing identification for all visitors. A set of CCTVs are installed on-premise at all entrances and other important locations; the live action from these cameras is monitored by NOC staff at any time to have immediate visual access throughout the facilities and recordings are kept for a period of time.
All visitors to the NOC must provide identification, must wear a badge and must be escorted into and out of the NOC. Once in the NOC, visitors are being monitored by CCTV at all times by NOC staff, and badges must be clearly displayed and visible to the CCTV. All Berkshire owned equipment stored within the NOC, which is secured by two factor authentication consisting of a proximity card and biometric hand scanner. In addition, the servers are mounted to a locked rack enclosure and all hardware is also equipped with key locks protecting the components within. Collocation facility staff does not have access to any of Berkshire’s data.
3.4 VIRUS SCANNING
Virus Scanning Software is installed on all servers and desktops in Berkshire’s corporate and hosted computing environment and is configured to update virus definition files automatically as they are posted. For Berkshire’s email gateway, additional virus scanning software is used to scan all incoming email for potential virus threats before being delivered to a user’s mailbox. All machines are configured to run a real-time scan as well as a scheduled full weekly scan of the entire machine. Users do not have the ability to disable the virus scan on their machine.
3.5 MONITORING
Using a variety of automated system and application level reporting tools, the Systems Administration team, in conjunction with senior development team members, monitor the hosted and corporate environments on a daily basis and have notifications configured to flag any activity that would compromise either environment.
Issues discovered during monitoring are evaluated for impact and escalated through the proper channels within Berkshire to ensure the issue is handled properly.
Berkshire also has web and network monitoring and scanning enabled within the network and logs all traffic to and from outside networks. An Intrusion Prevention System (IPS) is also employed which identifies any potentially malicious traffic on the network. When malicious activity is identified, the IPS notifies the appropriate personnel at Berkshire and takes action when applicable.
3.6 ARCHITECTURE
All hosted application and data servers use a high-availability architecture with redundancy at each level, including clustering and virtualization, to eliminate any single point of failure. In the unlikely event of a disaster or mass system failure, the disaster recovery site will become active, and the hosted environment will return to full operation within 24 hours.
3.7 DATA BACKUP
Berkshire performs daily backups of all production environments that contain client data and mission critical corporate information. Daily backups are stored to disk on backup servers within the same operating environment in both the hosted and corporate environments for quick restoration. Hourly back-ups of transactional data for hosted applications are run 24/7/365, and kept 24 hours to allow for restoration within one hour of a disaster.
The disaster recovery site stores on disk a copy of backups for the hosted and corporate environments.
The schedule and content for each backup is included in the Backup and Recovery Policy and maintained by the IT Department. In the event a production system fails, data is recovered from the immediately prior hourly backup.
3.8 BUSINESS CONTINUITY AND DISASTER RECOVERY
Berkshire maintains a Business Continuity and Disaster Recovery plan that will go into effect in case of a disruption of business operations or if the hosted applications or corporate environments become unavailable.
The plan includes recognition of mission critical systems and processes, the availability of off-site servers, and logistics to allow critical resources to work from home or other facility as quickly as possible in case of a disruption or disaster. Backups that are replicated off site to the collocation disaster recovery facility will be restored to become operational. The estimated time to return to full operation for both mission critical applications and the hosted application environment is within 24 hours.
Berkshire’s Disaster Recovery Plan is designed to recover from the following situations:
- The collocation facility for hosted applications, or the equipment within the facility becomes unavailable for a prolonged period. In this event, the servers at the disaster recovery facility will be brought online. The servers at the disaster recovery facility are kept updated and patched with all software and network updates to ensure they are in a warm, "ready-to-use" condition.
- The corporate environment becomes unavailable due to a technological failure or disaster. In this event, the primary file server will failover to the disaster recovery site and the backups stored on disk will be used to restore client data.
3.9 DATA LOSS PREVENTION
The ability to write to removable media is restricted for staff. If a legitimate business case requires access, removable media will be provided by IT, and then must be returned to IT once no longer needed for proper sanitization as per the Data Destruction Policy.
Monitoring and filtering is in place at the email and Internet gateways to prevent sensitive information from leaving the corporate network. Employee accounts also have a variety of controls in place to properly prevent exfiltration of data based on document classification (i.e. public, private, sensitive, confidential), file content, or target destination.
4 SECURITY IN APPLICATIONS DEVELOPMENT AND DEPLOYMENT
4.1 SYSTEM AND HOSTED SOFTWARE MANAGEMENT
Access Management
All hosted applications are deployed in an environment using industry standard hardware and software. All servers and network devices follow designated hardening policy and procedures. During server installation and configuration, only the necessary services and applications are installed to minimize the points at which vulnerabilities could be present. The firewall is also configured to only let the protocols and services necessary over the specific ports the application is expecting.
The network and database accounts used to run the application are given minimal rights and only have access to the files necessary to operate correctly. At the application level, all hosted applications have extensive configurable permission settings and user administrators can set permissions as needed. At the system level, minimal rights are given to the accounts the application operates under.
Patches and Fixes Management
All machines are patched according to the Patch Management Procedure document. Upon verification, security patches, hot-fixes, and service packs are applied to the system within days of the availability of such relevant updates. In situations where the patches are extremely large in scope, or could affect the overall infrastructure, the updates are performed off hours and all clients are notified of any potential outages. The most recent critical and security updates have been applied to the operating system of each server. The redundancy built into Berkshire’s infrastructure allows patches and updates to be applied without causing disruption to the production environment and also allows for updates to be tested in the actual environment before being brought live. For any updates that cannot be performed without keeping the hosted environment completely operational and online, a regularly scheduled service maintenance window occurs Sunday evenings between 9 PM and 11 PM Eastern Time
to minimize disruptions.
Deployment Management
Berkshire uses a deployment promotion procedure which maintains separate Development, User Acceptance, Test and Production environments. These separate environments allow changes to be tested by the Quality Assurance team and have security evaluations conducted in isolated environments without affecting the production systems. Security updates and bug fixes are generally promoted quickly and clients are notified upon release.
The Development environment is internal to Berkshire and used for the Development team to develop changes to the code and allow for preliminary functional testing by the Quality Assurance team.
The User Acceptance, and Test environments are all housed on equipment that mirrors the production environment, providing a more realistic representation of how the system will operate upon deployment. The User Acceptance testing environment is used for new builds to review features.
The Test environment is an exact replica of the production environment, but does not contain client data, and is used to troubleshoot issues found in the production environment without disrupting the actual production environment itself. The Test environment is also used to verify deployment processes and files before being run against the actual production environment.
Audit Logging
Logging is retained at both at the system/infrastructure level, and also at the application level. The application logs include events such as when users are created, any permissions or permission definitions are modified, key transaction dates and times with User ID, and execution of any other system level functions.
Various system logs are stored for different lengths, but for no less than six months. Application logs are retained at least for two years and as long as the client has an active hosting agreement with Berkshire. An enterprise grade SIEM tool is used to aggregate and collate logs in the event forensic analysis is needed.
4.2 SOURCE CODE MANAGEMENT
Berkshire uses an industry standard code management tool, for version control and change management. The development team must verify all code can be built before submitting to the repository. Changes submitted to the repository must be attached to an associated work item that has already been approved and scheduled by management. A full audit log is kept of all changes made to the source code and a detailed report can be produced to identify any changes made between updates. Only senior level staff has rights to remove or revert changes to the code base to ensure vulnerabilities are not introduced.
4.3 PROGRAMS QUALITY AND SECURITY MANAGEMENT
Berkshire uses an internal peer review process to review all code where senior developers review code submitted to the repository to ensure it meets the internal company standards and process for securing the application. First, a developer will review his own code for any security issues. Second, a senior level team member, with adequate experience, will review the code and report all findings to the first member. Next, the initial developer will make changes to mitigate the reported vulnerabilities, and resubmit the change to the senior level developer to ensure the issues were resolved and no new vulnerabilities were created. In the event additional vulnerabilities were created, the process repeats until the code passes the code review.
4.4 SECURITY AND VULNERABILITY TESTING
Berkshire has integrated security testing, and validation of the authentication and authorization mechanisms, throughout the development and deployment of all applications. Berkshire’s hosted applications use system profiles and roles to manage permissions at the application level, and at each step of development and deployment, these profiles are verified. Several of these applications also allow for the profiles to be modified by the client within their own implementation to provide even tighter control over the security for their organization.
Additionally, Berkshire uses an independent third party provider to perform monthly network vulnerability scans to ensure external facing systems are kept secure against newly discovered threats. Annual application penetration testing is also performed against all hosted applications to ensure no new vulnerabilities have been introduced into the code.
Berkshire’s development team participates in regular security training and covers a variety of topics, including a focus on the OWASP Top 10 and secure coding practices for the elements of the tech stack used for development.
4.5 CRYPTOGRAPHY
Berkshire maintains a Data Encryption Policy that is available upon written request. All application passwords are properly hashed using salt. All information transmitted by the hosted applications, such as query string and cookie values, are encrypted. TLS 1.2 and later is required for the transport of any data for all hosted applications.
All encryption keys used by the application in the production environment are encrypted at the system level and cannot be read outside of the application. Database encryption keys as well as other private keys for certificates at the system level are protected in the production environment using Active Directory. These controls enforce administrator access and are not directly accessible by accounts that are used to run any applications.
Backup of all production keys are kept in a separate network, at a separate physical location, outside the operating environment in a secured location.
Database and file level data is encrypted at-rest at the file system. Additionally, individual databases may be encrypted at the database level at an additional cost.