Information Security

Our Mission:

Our Information Security Practices are designed to protect end user information in our possession. These steps include, but are not limited to, maintaining information security controls such as data encryption, firewalls, logical and physical access controls, and continuous monitoring. These controls are regularly evaluated for effectiveness by our Banking Clients against industry-standards for Financial Data and by independent security auditors.

 

System Overview

  • SOC 1
    • View report
  • Controls Assessment
    • Download report
      • Business Experience • Human Resources and General Ethics • Training • Internal Controls • Business Continuity • Physical and Environmental • Privacy • Media and Vital Records • Inventory Control • Customer Facing • Systems Configuration and Management • Third Party Reliance • Enterprise Data Management • Data Loss Prevention • Information Security Risk and Compliance • Acceptable Use of Technology • Logical Access Management • Threat and Vulnerability Management • Network Management • Mobile Computing • Logging and Monitoring • Incident Management • Change Management • Software Development Life Cycle • Encryption • Cloud Computing • Technology Asset Management
  • SOC 2
    • View report (ORD10)
    • View report (MIA10)
  • Income Verification Express Service (IVES) Participant Certification of Compliance
    • View report (Safeguarding Taxpayer Data)
  • UnitedHealth Group Information Security Risk Audit
    • View Compliance Certification Letter
  • Lexis Nexis PII Audit Certification of Compliance
    • View Certification Letter
  • External Penetration (PEN) Test Report
    • Assessment Report
  • External PCI Certification
    • SecurityMetrics certification
    • BASYS merchant certification
      • View certificate
  • BSI Insurance Policies Summary
    • View Certificates
  • SIG
    • SIG – Critical Vendor questionnaire
  • Information Security and Business Continuity Management Program
    • View report
  • W9 Form
    • View Form
  • Screened Subnet Topology - The most secure (and most expensive) option .In this case, the DMZ is placed between two firewalls.
  • DMZ
    • VPN Firewall
    • Web Server
  • Internal Network
    • VPN Firewall
    • Database Server
    • Data Storage
    • The internal network has no external IPs, so it cannot be accessed from outside the network
  • Extended Validation SSL
  • Uploaded documents are deleted from server - We delete all documents that were uploaded once the order has been successfully delivered to our client's processing center. All processed verification requests are delivered directly to the requestor.
  • Integrated Data Loss Prevention (DLP) solution
    • Advanced Data Discovery
    • Robust Data Classification
    • Secure Email Collaboration
    • Stringent Device Control
    • Proactive Mitigation of Inside Threats
  • HSM (Hardware Secure Module) appliance stores and protects private keys
    • SSL/TLS
    • FIPS 140-2 Level 3 validated
    • Tamper-evident hardware
    • Compliance including GDPR, PCI-DSS, HIPAA, eIDAS, and more
    • HA configuration for redundancy
  • Force encryption to the database Server
    • Connection is encrypted between the Web Server and database Server
  • Host based Anti-Virus
    • Host Intrusion Prevention Software (HIPS)
    • Host Intrusion Detection Software (HIDS)
    • Disable USB port on all hosts
    • Do not allow to boot from any external peripheral device
  • Logs management: Tripwire Log Center
    • Log and Event management for security and compliance
    • Monitor drive space from a centralize location
  • Password policies and security features
    • Must contain 10-30 characters
      • Must include at least one number
      • Must include at least one UPPERCASE letter
      • Must include at least one LOWERCASE letter
      • Must include at least one special character: `~!@#$%^&*()_+={}[]\|:;"<>,.?/-
      • Cannot contain your Login ID
    • Account lockout after 5 failed attempts
    • Block concurrent user connections. Users cannot login with the same login id from different locations simultaneously
    • After 3 months of account inactivity, user needs to verify his/her account
    • Locks end users out after 15 minutes of inactivity
    • New Accounts require an End User to activate by validating the email address and entering temporary login and password, at which time they are prompted to choose a new password
    • BankVOD Administrator can limit access by specifying an IP Address Range
    • Ability to create a BankVOD account can be restricted by Company Name, Valid Company EMail Address and IP Address
    • Passwords are stored using 'salted' SHA2 512-bit hash
    • Password history, users will be prohibited from re-using the last 6 previously used passwords.
  • Logon/warning message displayed during initial logon process
  • Source code is analyzed before uploading to the production environment
  • Summary of the Failover/HA Configuration for Each System (Chicago & Miami)
    • Web server redundancy (DMZ LAN)
      • High Availability (HA) / Failover Cluster Servers (Nodes)
      • High Availability (HA) / Failover Cluster Web servers (Virtual Machines)
      • The web server cluster is configured as an active/passive system. If the active server fails all traffic fails over to the second server automatically. In case of a hardware failure, all VMs are automatically failed over to the working node. With this setup we can minimize the down time in case of a hardware or software failure.
    • Database Server redundancy (Private LAN)
      • High Availability (HA) / Failover Cluster Servers (Nodes)
      • High Availability (HA) / Failover Cluster SQL Servers (Virtual Machines)
      • The SQL server cluster is configured as an active/passive system. If the active server fails all traffic fails over to the second server automatically. In case of a hardware failure, all VMs are automatically failed over to the working node. With this setup we can minimize the down time in case of a hardware or software failure.
    • File Server redundancy (Private LAN)
      • High Availability (HA) / Failover Cluster Servers (Nodes)
      • High Availability (HA) File Server Role (Virtual Role)
      • The file server role is configured as a Highly Available File Shares. There is a virtual network/IP address created by the cluster between both nodes so resources can be hosted on either node providing fault tolerance. So in the event of a hardware failure the File server role can fail over to the other node automatically.
    • Fax Server redundancy
      • 1 Fax server in Chicago
      • 1 Fax server in Miami
      • Each fax server handles half of the BankVOD faxing load, inbound and outbound. If one goes down all fax numbers failover to the other server automatically and all outbound faxes keep faxing from the server that is up and running.
  • FCRA Permissible Use Application