System Description for Berkshire Associates’ SaaS Based Applications

Executive Summary

This system description describes the operating environment for Berkshire’s SaaS applications. Specifically, the following applications are included in this description:

  • balanceWORKS
  • balanceAAP
  • balanceTRAK
  • balanceREACH

The operating environment is comprised of the following components:

  • Infrastructure (facilities, equipment, and networks)
  • Software (systems, applications, and utilities)
  • People (development staff, product support, quality assurance personnel, users and managers)
  • Procedures (automated and manual)
  • Data (files and databases)

This system description describes each of these five elements in further detail below.

Infrastructure

The primary infrastructure for Berkshire’s SaaS applications is colocated at a data center in Baltimore, Maryland. The data center contains all of Berkshire’s networking equipment (firewalls, switches), servers, and storage devices. Internet connectivity is a blended offering of multiple ISPs, managed and provided by the colocation facility.

For business continuity purposes, a disaster recovery site is maintained in Pittsburgh, Pennsylvania. This is a warm site that houses the recovery environment in the event of a disaster. The primary and disaster recovery sites are connected via a direct private IP network between the data centers.

The Systems Administration team is solely responsible for maintaining the systems located in both data centers, and has both physical and remote access to the infrastructure. The team is responsible for administering the servers that perform all operations for the applications and the supporting infrastructure. The infrastructure is designed so that the number of virtual servers can be quickly expanded if needed, and administration can deploy and monitor the expansion as necessary.

The servers in the operating environment provide the following functions:

  • Web Servers
  • Database Servers
  • File Servers
  • Application Servers
  • System Monitoring Tools
  • Maintenance Applications and Services
  • Systems Administration Tools
  • Backup and Recovery Tools
  • Authentication Services

Software

Industry standard server operating systems supporting virtualization are used to host all servers for the applications. Enterprise grade database and web server software are run on the appropriate servers within the infrastructure. The development framework utilized by the application is optimized to be run on the software selected for this infrastructure.

The Systems Administration team utilizes the tools that are included with these products, in conjunction with other system and network monitoring tools, for administration and monitoring of the entire infrastructure. Enterprise grade antivirus software runs on all servers in the environment. Backup and recovery software is used to generate local backups and replicate them to the secondary site for disaster recovery purposes. An industry standard SIEM tool is used to aggregate logs, providing threat analysis, monitoring and alerting.

In addition to the software used to deliver and administer the SaaS applications, Product Support personnel utilize a ticket management system that is integrated with the company CRM to log all customer cases. Development staff utilizes an industry standard requirements tracking system that houses all requirements, bugs and enhancements to manage change requests.

People

Berkshire Associates corporate headquarters is in Columbia, Maryland. Berkshire has staff working remotely from various states within the United States, and all employees report into the corporate headquarters.

The systems administration, product development, and product support teams comprise the Information Technology department and are responsible for the SaaS based applications. The entire Systems Administration department is based out of Berkshire’s Corporate Headquarters. All development is performed by Berkshire employees, and all developers are based within the United States. All employees have the ability to work remotely on a temporary, occasional or permanent basis depending on job responsibilities, which allows the company to continue normal business operations in the event an office is unavailable.

  • Systems Administration – the systems administration team performs all configuration, maintenance and support for the infrastructure of Berkshire’s SaaS based applications.
  • Product Support – Product Support has team members for the following activities: customer support, implementation, and quality assurance. Customer support is responsible for handling all client questions and issues surrounding any of Berkshire’s products, and the logging of cases and bugs as reported by clients. Implementation for Berkshire's hosted applications includes providing guidance and configuring systems per customer specifications and requirements. Quality Assurance handles the testing and verification of all hosted systems and is responsible for promoting code to production.
  • Product Development – the product development team is responsible for the requirements analysis, design, development and maintenance of the code for all systems. Product Support will work directly with Product Development when client issues have been escalated beyond the customer support team.

Additionally, Berkshire’s Client Services staff act as subject matter experts for all of the business logic in Berkshire’s applications to ensure the products developed will fill the intended need for clients.

Procedures

Berkshire’s Information Security Policy, in addition to other supporting policies and documents, is used to guide and govern the procedures in place to design, develop, test, deploy, monitor and maintain Berkshire’s hosted applications to ensure system security and compliance.

Systems Administration has established procedures for the following operations:

  • Data Backup and Recovery
  • Disaster Recovery and Business Continuity
  • Server Hardening and Server Deployment
  • Patch Management
  • Code Escalation and Deployment
  • User Administration
  • Incident Response
  • Data Management, Retention and Destruction
  • System Auditing
  • Network Vulnerability and Application Penetration Testing
  • Firewall Management
  • Vendor/3rd Party Management
  • Operational Change Management

Product Support has established procedures for the following operations:

  • Case Management
  • System Implementation
  • Issue Reporting
  • Application Testing and Quality Assurance

Product Development has established procedures for the following operations:

  • Software Development Lifecycle
  • Application Log Review

Data

Data is stored in industry standard RDBMS software and in various flat file formats including XML, text files, Excel™ spreadsheets, Word™ documents, and PDF files. The majority of data is kept in the RDBMS software, and the system operates in a multi-tenancy environment, although client data can be further segmented for an additional cost.

Applications allow for manual data entry or import from many of the file formats listed above. Reports can be generated from all systems, and can be displayed in HTML or PDF format, and allow for printing to hard copy. All applications also allow for export of raw data and reports into the variety of formats listed above.

Certain applications allow users to send and receive emails and text messages from the system, either as part of a workflow or to deliver information. All incoming and outgoing communication is recorded by the system for historical reference and auditing purposes.

In addition to application data, basic contact information about users, which may include an email address or phone number, is kept in the system used for creating tickets for opened cases.

All connections to the hosted applications are encrypted, and the data is fully encrypted while in transit. All data is encrypted at rest at the file level. Passwords and other Personally Identifiable Information that are considered sensitive are encrypted at the column level. Clients who have requested further logical separation of their RDBMS data may also request that the entire database be further encrypted at the database level at an additional cost.

System logs are kept for every piece of infrastructure, and application error logs are kept for each hosted application to track any exceptions to be later referenced in cases and to aid in resolution.

Differential backups for production databases are created and retained for a 24-hour period. Daily database and file backups are kept for 6 months.

The following type of information is kept in each application within the suite:

  • balanceWORKS – Overall configuration settings for the balanceWORKS suite, including options such as password settings, as well as user information and passwords that are encrypted at rest.
  • balanceAAP – Affirmative Action Plan data consisting of information about the organizational structure of an organization, as well as a listing of employees and personnel activities (e.g. promotions, hires, etc.) related to those employees. This data includes some personally identifiable information for individuals, such as name, race, gender, veteran information, and disability status. The system may also contain salary data for compensation analysis, but that information is optional for general system operation. balanceAAP allows data files to be securely transmitted and stored between Berkshire and clients during the development of an affirmative action plan.
  • balanceTRAK – Information about job openings and the job seekers who are applying for these positions. Organizational information is kept about open positions, which may include information such as the location, hiring manager, and job information. Personally identifiable information is kept about candidates, which may include information such as name, addresses (current and previous), race, gender, veteran information, disability status, social security number, driver’s license number and date of birth.
  • balanceREACH – Information about outreach activities, also known as "Good Faith Efforts", is kept in the system. Outreach sources include the organization name and contact information as publicly provided by that organization. Individual activities are also stored, including location and general position information. Finally, evaluations are stored that provide results for the outreach sources and their corresponding activities.

Revision History

Date         Version   Summary of Changes
10/14/2013   1.1       Initial draft of description
10/28/2014   1.2       Annual review of description. Included balancehub information, updated platform information, further defined Product Support roles.
10/20/2015   1.3       Annual review of description. Updated disaster recovery information, backup information and added firewall management to list of established IT processes.
7/08/2016    1.4       Annual review of description. Minor updates to versions of technologies used in platform.
7/30/2017    1.5       Annual review of description.
8/8/2018     1.6       Annual review of description. Description updated to remove sensitive operating information. Product names updated. Encryption and backup information updated.
7/18/2019    1.7       Minor updates. Added information about inbound and outbound communications as part of data section.
8/11/2020    1.8       Data updated to include information about secure data file transmission and storage in balanceAAP during plan development.
8/5/2021     1.9       Annual policy review. Updated People section to clarify work locations for staff and Data section to indicate procedures for Product Development.
8/1/2022     1.10      Annual policy review. Minor updates to infrastructure and people.
7/11/2023    1.11      Annual policy review. Updated list of policies and other minor corrections.
