EXP understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.
* Items can be adjusted based on individual customer Service Level Agreement.
Our service is collocated in top-tier data centers. These facilities provide carrier-level support, including:
Access Control and Physical Security
- Our datacenter facilities throughout North America and Europe have been certified according to SSAE 16, ISO 27001:2005, ISO 14001:2004 and OHSAS 18001:2007 requirements.
- These facilities are designed to meet the stringent standards for security processes and operational controls that Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other regulations require.
- These facilities are designed to maintain the processes and controls for security, network, power, redundancy, cooling and fire suppression.
- 24×7 onsite security staffing and site access.
- CCTV surveillance.
- Dual authentication biometric and badge access control, and mantraps.
- IPSec VPN via vShield Edge.
- Cloud Connect for Direct MPLS/P2P.
- Fully Managed Intrusion Detection Systems/Intrusion Prevention Systems.
- Firewall services.
- Dedicated Sonicwall NSA series are deployed in Active Failover with High Availability and Load Balancing. High Frequency Stateful Packet Inspection and Intrusion Prevention secures the infrastructure and applications. VPN Layer allows for secure access to Servers, Applications and Databases.
- Cloud security:
- Role-based access controls.
- VM compliance, log monitoring & reporting.
- Data encryption.
- Stateful Deep Packet Inspection and Intrusion prevention is configured within our hardware firewall.
- VPN Layer allows only authorized personnel access to the servers network.
- N+1 or greater redundancy on power and cooling.
Applications & Data Security
EXP security teams are dedicated to ensuring your applications and data stay secure and available.
- 3-Tier application environment.
- Environments are only accessible via VPN firewall.
- Strong internal controls and policies dictate access to environments.
- Customers have the option of shared or dedicated environments.
- Security patches are regularly applied to operating system, database and other server applications.
- EXP Direct Authentication:
- Authentication direct to EXP applications uses forms authentication to SQL Server and ASP.Net SQLMembershipProvider.
- Customer Provided Authentication:
- AD/LDAP/ADFS options available.
- Windows Authentication options available.
- HTTPS & SSL Security with Industry Standard Policies.
- Connection to EXP applications is via SSL 3.0/TLS 1.2, using SSL certificates from Go Daddy Secure, ensuring that our users have a secure connection from their browsers to our application.
- Individual user sessions are identified and re-verified with each transaction, using a CSRF token created on each form.
- IP filtering can be enabled to ensure denial of access.
- Backups are encrypted.
- Frequency – Daily / every 24 hours.
- Retention – Daily backup for 7 days, Weekly backup for 4 weeks and Monthly backup for 6 months.
- 48 hour recovery after complete failure (maximum allowable downtime).
- Disaster recovery tests verify our projected recovery times and the integrity of the customer data.
- EXP maintains and extensive set of internal controls and procedures to ensure compliance and operate in a proactive nature.
Application Vulnerability Threat Assessments
- Network vulnerability threat assessments.
- Penetration testing and code review.
- Security control framework review and testing.
- Our Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.
Testing and Control
- EXP has regular code reviews to ensure proper security standards are followed to prevent security vulnerabilities such as XSS, CSRF Spoofing and SQL Injections. Exception management in production environment are handled securely (e.g. stack traces, SQL statement fragments, table and database names).
Copyright © 2017. EXP. All Rights reserved