Routing

Routing controls implemented for IPS provide the connection point between the IPS and the Internet Service Provider(s). Border routers are deployed in a redundant, fault tolerant configuration. Routers are also used to enforce traffic policies at the perimeter.

Firewalls

IPS utilizes firewalls to control access and filter traffic between all disparate networks. This ensures that all traffic passing between any external, perimeter, management, or internal IP network crosses a firewall interface. Firewalls are deployed in a layered approach to perform packet inspection with security policies configured to filter packets based on protocol, port, source, and destination IP address, as appropriate, to identify authorized sources, destinations, and traffic types.

Network Controls

Network controls implemented for IPSs address the protection and control of data during its transmission between the customer system and the IPS hosted system. The network security infrastructure is designed to secure the servers from a network-based attack. Redundant, managed firewalls, using stateful packet inspection, provide barriers between tiers of the architecture. Traffic is filtered, and only valid connections are allowed through into the network demilitarized zone. Traffic within each tier is restricted and controlled for security purposes.

Network Intrusion Detection and Prevention Systems

IPS utilizes Network Intrusion Detection Systems (nIDS) to protect the environment. nIDS is deployed in either IPS (Intrusion Prevention Mode) or IDS (Intrusion Detection Mode) on the network, to monitor and block suspicious network traffic from reaching protected networks. nIDS alerts are routed to a centralized monitoring system that is managed by Information Technology operations teams 24x7x365.

Network Vulnerability Assessments

IPS utilizes network vulnerability assessment tools and external third-party services to identify security threats and vulnerabilities. Formal procedures are in place to assess, validate, prioritize, and remediate identified issues. IPSuses vulnerability notification systems to stay apprised of security incidents, advisories, and other related information. IPS takes actions on the notification of a threat or risk once confirmed that a valid risk exists, that the recommended changes are applicable to service environments, and the changes will not otherwise adversely affect the services.

Anti-Virus Controls

IPS employs host-based antivirus software to files on disk. Files that trigger a virus detection are cleaned or removed automatically, and an alert is automatically generated which initiates IPS’s incident response process. Virus definitions are updated daily.

Configuration Audit and Control

IPS uses a centralized system for managing the integrity of network device configurations. Change controls are in place to ensure only approved changes are applied. Regular audits are also performed to confirm compliance with security and operational procedures.

System Hardening

IPS employs standardized system hardening practices across IPS devices. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging.

Physical Security Safeguards

IPS provides secured computing facilities for both office locations and production infrastructure. Datacenters housing information for IPS customer environments hold SSAE 16 Type II and SOC 2 Type II certifications. Common controls between office locations and co-locations/datacenters currently include the following:

• Physical access requires authorization and is monitored.
• Visitors must sign a visitor's register and be escorted and/or observed when on the premises
• Possession of keys/access cards and the ability to access the locations is monitored.
• Entrances are protected by physical barriers designed to prevent vehicles from unauthorized entry
• Entrances are security monitored 24 hours a day, 365 days a year

System Access Control

System access controls include system authentication, authorization, access approval, provisioning, and revocation for employees and any other IPS-defined 'users'. Under normal operating circumstances, IPS does not manage end-user security within customer applications. However, IPS does reserve the right to intercede on behalf of the customer during security contingency events, or upon request of the customer. Customer may configure the programs and additional built-in security features.

Credential Management

Access to IPS systems is controlled by restricting access to only authorized personnel. IPS enforces strong password policies on infrastructure components and management systems used to operate the environment. This includes requiring a minimum password length, password complexity, and regular password changes. Strong passwords or multi-factor authentication are used throughout the infrastructure to reduce the risk of intruders gaining access through exploitation of user accounts.

Review of Access Rights

Network and operating system accounts for IPS employees are reviewed regularly to ensure appropriate access levels. In the event of employee separation, IPS takes prompt actions to terminate network, telephony, and physical access for such former employees. Customer is responsible for managing and reviewing access for its own accounts.

Environment Maintenance

IPS performs critical and security related change management and maintenance as defined and described in the IPS Change Management Policy. For any critical or security update that IPS will deploy for designated IPS applications, IPS will apply and test the update on a stage environment of the applicable application. IPS will apply the update to the production environment of the application upon completion of successful testing.

IPS offers several standard encryption technologies and options to protect data, depending on the particular application, while in transit or at rest. For network transmission, Customers may choose to use secured protocols (such as TLS) to protect their data in transit over public networks. Secured protocols offer strong encryption algorithms. Strong key management policies and processes are employed for all IPS encryption.

Transit of Physical Media

Designated IPS personnel handle media and prepare it for transportation according to defined procedures and only as required. Digital media is logged, encrypted, securely transported, and as necessary for backup archiving vaulted by a third-party off-site vendor. Vendors are contractually obligated to comply with IPS-defined terms for media protection.

Data Disposal

Upon termination of services or at Customer's request, IPS will delete environments or data residing therein in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a legal obligation imposed on IPS preventing it from deleting all or part of the environments or data.

Secure File Transfer

Secure file transfer functionality is built on commonly used network access storage platforms and uses secured protocols for transfer (such as SFTP). The functionality can be used to upload files to a secured location, most commonly for data import/export on the IPS hosted service, or downloading files at service termination.

Security Incident Response

IPS evaluates and responds to incidents that create suspicions of unauthorized access to or handling of Customer data whether the data is held on IPS hardware assets or on the personal hardware assets of IPS employees and contingent workers. When IPS becomes aware of such incidents and, depending on the nature of the activity, escalation paths and response teams are established to address those incidents. IPS will work with Customer, the appropriate technical teams, and law enforcement where necessary to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of Customer's environment, and to establish root causes and remediation steps. Operations staff has documented procedures for addressing incidents where handling of data may have been unauthorized, including prompt and reasonable reporting, escalation procedures, and chain of custody practices. If IPS determines that Customer's data has been misappropriated, IPS will report such misappropriation to Customer within 72 hours of making such determination, unless prohibited by law.