Compliance and Security
C4 OPERATIONS SECURITY OVERVIEW
INTRODUCTION
C4 Operations has implemented industry best practices for handling and storage of sensitive personal and credit card data. C4 Operations’ InstaScreen™ background screening software is certified compliant with EI3PA and PCI-DSS. EI3PA and PCI-DSS certifications are among the most stringent in the industry and C4 Operations is proud of its certifications. Our infrastructure provider has a number of other relevant certifications including AICPA SSAE16 SOC 2/3.
APPLICATION INFRASTRUCTURE
The InstaScreen application is a cloud services application that provides instant background screening data to the company requesting background-checking services. The background screening data comprises criminal, credit, driver’s license, and other background records information from trans-jurisdictional sources, both public and private.
User passwords are protected in the system using sophisticated hashing schemes. Passwords must be reset at least every 90 days, differ from the previous four passwords, be at least 12 characters in length and contain at least one letter and one digit. The password recovery feature allows a user to retrieve his or her login ID and/or reset a forgotten password after correctly answering several pre-configured security questions.
The InstaScreen application itself runs in a secure, state-of-the-art, PCI-DSS and SSAE16-compliant cloud infrastructure platform provided by Amazon Web Services (AWS). AWS is one of the world’s largest IT infrastructure providers and has data centers in different geographic regions around the US, as well as data centers all over the world.
DIGITAL PERIMETER SECURITY
The InstaScreen application follows industry best practices, beginning at the network perimeter. All communications with clients are authenticated and encrypted through the most up-to-date versions of Transport Layer Security (TLS) protocols. External access into the application servers is governed by an enterprise-level perimeter security system that limits incoming connections to only minimum ports needed for application access.
Incoming requests route to load balancers that only answer incoming calls on limited, specific ports. Load balancers forward requests into the application security group. That security group contains the servers that process incoming requests, and it only allows incoming requests from the load balancer group and the database instance, and then only on limited ports.
Application servers talk to database servers only over specific, secure ports. These database servers reside in secured internal network zones and have no direct connection to the outside world. Incoming administrative logon attempts are monitored, recorded and screened for signs of intrusion. The results are emailed to system administrators for investigation.
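The three-tier layering described above (public load balancers, an application group that admits only the load balancers and the database instance, and a database group reachable only from the application tier) is easy to describe and easy to drift away from. The following audit is an added example, not C4 Operations code and not an AWS API: the rule records, group names, ports and CIDRs are constructed here and only loosely mirror the shape of security-group ingress rules. It checks a rule set against the invariants the text states and reports any rule that breaks them, so that a reviewer can run it over an exported rule set rather than eyeballing the console.

```python
"""Audit a tiered security-group layout against the invariants stated on this page.

Added example, not C4 Operations code. The rule records below are constructed
and only loosely resemble AWS security-group ingress rules; group names,
ports and CIDR ranges are assumptions for illustration.
"""
import copy

# Constructed sample layout: load balancer -> application -> database.
SAMPLE_GROUPS = {
    "sg-lb": [
        {"port": 443, "source": "0.0.0.0/0"},   # public HTTPS is the only public port
    ],
    "sg-app": [
        {"port": 8443, "source": "sg-lb"},      # only the load balancers reach the app tier
        {"port": 5432, "source": "sg-db"},      # page: the app group also admits the database instance
    ],
    "sg-db": [
        {"port": 5432, "source": "sg-app"},     # only the app tier reaches the database
    ],
}

LB_PORTS = {443}                          # assumption: the "limited, specific ports" on the balancer
APP_ALLOWED_SOURCES = {"sg-lb", "sg-db"}  # page: load balancer group and the database instance
DB_ALLOWED_SOURCES = {"sg-app"}           # page: no direct connection to the outside world
MAX_PORTS_PER_GROUP = 3                   # assumption: "limited ports" means a small fixed set


def is_cidr(source: str) -> bool:
    """A source written as an address range rather than a group reference."""
    return "/" in source


def audit(groups: dict) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []

    for rule in groups.get("sg-lb", []):
        if rule["port"] not in LB_PORTS:
            findings.append(f"sg-lb: public ingress on unexpected port {rule['port']}")

    for rule in groups.get("sg-app", []):
        if is_cidr(rule["source"]):
            findings.append(f"sg-app: ingress from CIDR {rule['source']} (should reference a group)")
        elif rule["source"] not in APP_ALLOWED_SOURCES:
            findings.append(f"sg-app: ingress from unexpected group {rule['source']}")

    for rule in groups.get("sg-db", []):
        if is_cidr(rule["source"]):
            findings.append(f"sg-db: ingress from CIDR {rule['source']} (database must not be reachable from outside)")
        elif rule["source"] not in DB_ALLOWED_SOURCES:
            findings.append(f"sg-db: ingress from unexpected group {rule['source']}")

    # Every tier: a group that has sprouted many ports is no longer "limited".
    for name, rules in groups.items():
        ports = {r["port"] for r in rules}
        if len(ports) > MAX_PORTS_PER_GROUP:
            findings.append(f"{name}: {len(ports)} distinct ingress ports exceeds {MAX_PORTS_PER_GROUP}")

    return findings


def with_rule(groups: dict, name: str, rule: dict) -> dict:
    """Copy of `groups` with one extra ingress rule added to group `name` (for what-if checks)."""
    changed = copy.deepcopy(groups)
    changed.setdefault(name, []).append(rule)
    return changed


if __name__ == "__main__":
    print("baseline:", audit(SAMPLE_GROUPS))
    drifted = with_rule(SAMPLE_GROUPS, "sg-db", {"port": 5432, "source": "0.0.0.0/0"})
    print("after an admin opens the database to the world:", audit(drifted))
```

Running it on the constructed baseline yields no findings; adding a world-reachable rule to the database group produces a single finding naming that group. In practice the `SAMPLE_GROUPS` dictionary would be replaced by rules exported from the cloud account, and the audit run on a schedule alongside the logon monitoring the text describes.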
NETWORK SECURITY
Only authorized users can gain access to production servers. Users are limited on a “need to use” basis and granted permissions on the lowest access level possible for completion of specific tasks.
Users logging onto equipment require validation through multi-factor authentication. When a user attempts to log onto the system, not only must the user know his/her username and password, but the user must also receive a confirmation key that is transmitted to a device that only that user has access to.
All user passwords conform to complex password standards and user passwords must have lengths at or in excess of 12 characters, to improve resiliency against password cracking. All equipment is patched to the most recent iterations of their operating systems and only the minimal set of application software that allows the server to perform its mission is installed.
USER SECURITY
System administrators are all career C4 Operations employees and undergo periodic background screening to ensure that their profiles are current. Users all undergo training in secure network usage and use complex password conventions, along with multi-factor authentication and industry best practices for password storage and changes.
DOCUMENT DESTRUCTION POLICY
C4 Operations practices a reasonable and appropriate rule to prevent the unauthorized access to – or use of – information in a consumer report. We have established and comply with these policies:
burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule.
MAINTENANCE & SUPPORT
As C4 Operations grows, management continually appraises the need to keep the production environment ahead of foreseeable growth. C4 Operations is constantly evaluating server performance and uses an industrial-strength, scalable production environment to host its application.
In addition, C4 Operations provides in-depth continuing education and training of its support staff to ensure that support personnel are the most competent, helpful and secure support staff in the industry.
SOFTWARE APPLICATION
Security is a high priority and an integral part in the design and development of C4 Operations’ InstaScreen™ applicant screening system. Attention is given to high-publicity threats such as viruses, denial of service attacks and other malicious activities over the Internet, as well as to maintaining the integrity and confidentiality of sensitive application data such as credit reports, social security numbers, dates of birth and other personal identifying information.
C4 Operations’ development staff uses industry-leading technology to secure InstaScreen™ and its operating environment, including client authentication (password-controlled access), data encryption, public-private key pairs, intrusion detection systems, fail-over systems and data backups. Each of these components acts as a layer of protection to safeguard information from unauthorized users, deliberate malfeasance and inadvertent loss.
User authentication: Password-controlled access requires users to authenticate with a private login ID and password before accessing the system. After authenticating to the system, sessions remaining inactive for a period of time will expire and require the user to re-authenticate before continuing. In addition, user accounts that remain unused for an extended period of time are automatically disabled.
User passwords are protected in the system using sophisticated hashing schemes. Passwords must be reset at least every 90 days, differ from the previous four passwords, be at least 8 characters in length and contain at least one letter and one digit. The password recovery feature allows a user to retrieve his or her login ID and/or reset a forgotten password after correctly answering several pre-configured security questions.
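The password rules stated in this section and in APPLICATION INFRASTRUCTURE (reset at least every 90 days, differ from the previous four, minimum length, at least one letter and one digit) are concrete enough to encode. The checker below is an added example, not C4 Operations code. It assumes the minimum length is a parameter, because the page gives 12 characters in one section and 8 in this one; it stores password history as salted PBKDF2-HMAC-SHA256 hashes as a standard-library stand-in for the "sophisticated hashing schemes" the page mentions (a production deployment would pick a memory-hard scheme and tune the cost to its hardware); and it measures expiry from the timestamp of the last change.

```python
"""Password policy checks modelled on the rules stated on this page.

Added example, not C4 Operations code. Assumptions: minimum length is a
parameter (the page states 12 and 8 in different sections); history is kept
as salted PBKDF2-HMAC-SHA256 hashes (standard-library stand-in for the
page's unspecified hashing scheme); expiry counts from the last change.
"""
import hashlib
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_AGE = timedelta(days=90)   # page: reset at least every 90 days
HISTORY_DEPTH = 4              # page: must differ from the previous four passwords
PBKDF2_ITERATIONS = 100_000    # assumption: kept modest so the example runs quickly; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def composition_errors(password: str, min_length: int = 12) -> List[str]:
    """Page's composition rules: minimum length, at least one letter and one digit."""
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    return errors


def validate_new_password(new_password: str, history: List[Tuple[bytes, bytes]],
                          min_length: int = 12) -> List[str]:
    """Composition rules plus the reuse check against the most recent HISTORY_DEPTH hashes.

    `history` is ordered newest-first; older entries beyond HISTORY_DEPTH do not count.
    """
    errors = composition_errors(new_password, min_length)
    for salt, digest in history[:HISTORY_DEPTH]:
        if matches(new_password, salt, digest):
            errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return errors


def is_expired(last_changed: datetime, now: Optional[datetime] = None) -> bool:
    """True when the password is older than MAX_AGE and the user must reset it."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed sample history, newest first; none of these are real credentials.
    previous = ["Winter2016pass", "Autumn2016pass", "Summer2016pass", "Spring2016pass", "Older2015pass"]
    history = [hash_password(p) for p in previous]
    print(validate_new_password("Winter2016pass", history))   # reuse of the newest -> rejected
    print(validate_new_password("Older2015pass", history))    # fifth back -> outside the window, allowed
    print(validate_new_password("short1", history))           # too short
    print(validate_new_password("NewPhrase2016x", history))   # passes every rule
    print(is_expired(datetime(2016, 7, 1, tzinfo=timezone.utc),
                     datetime(2016, 10, 24, tzinfo=timezone.utc)))
```

The history check compares against stored hashes rather than plaintext, so the server never needs to retain old passwords; the window is sliced at `HISTORY_DEPTH`, which is why the fifth-oldest entry in the sample is accepted again.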
IP Restrictions: System access can be further restricted at the client or user level by IP address. Any attempt to access InstaScreen™ from an IP address outside the authorized range is rejected. Any login request originating from an IP address outside North America (Canada, United States of America, or Mexico) requires additional multi-factor authentication.
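The IP rule above has two stages: an allowlist that rejects outright, then a geographic check that steps up to multi-factor authentication. The decision function below is an added example, not C4 Operations code. It assumes the client allowlist is a list of CIDR ranges, that country attribution comes from a lookup callable (a constructed table of documentation prefixes stands in for a GeoIP database), and that an address whose country cannot be determined is treated like a non-North-American one and steps up to MFA rather than being waved through; that last fail-closed choice is an assumption, not something the page states.

```python
"""Login source decision modelled on the IP-restriction rule on this page.

Added example, not C4 Operations code. Assumptions: allowlist entries are
CIDR strings; country lookup is a callable; the constructed FAKE_GEO_TABLE
uses documentation prefixes and stands in for a real GeoIP database; an
undeterminable country is treated as outside North America (fail closed).
"""
import ipaddress

NORTH_AMERICA = {"CA", "US", "MX"}   # page: Canada, United States of America, Mexico

# Constructed stand-in for a GeoIP lookup: RFC 5737 documentation prefixes only.
FAKE_GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}


def lookup_country(ip):
    """Return an ISO country code for `ip`, or None when the table has no entry."""
    for net, country in FAKE_GEO_TABLE.items():
        if ip in net:
            return country
    return None


def login_decision(client_ip: str, allowlist, geo=lookup_country) -> str:
    """Return "reject", "require_mfa" or "allow" for a login from `client_ip`.

    An empty allowlist means the client has not opted into IP restriction
    (the page says access "can be further restricted"), so only the
    geographic check applies.
    """
    ip = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(n) for n in allowlist]
    if networks and not any(ip in n for n in networks):
        return "reject"                     # page: outside the authorized range -> rejected
    country = geo(ip)
    if country not in NORTH_AMERICA:
        return "require_mfa"                # page: outside North America -> additional MFA
    return "allow"


if __name__ == "__main__":
    client_ranges = ["198.51.100.0/24", "203.0.113.0/24"]
    for addr in ["198.51.100.7", "203.0.113.5", "192.0.2.9", "100.64.0.1"]:
        print(addr, "->", login_decision(addr, client_ranges))
```

Ordering matters here: the allowlist is evaluated first so that a request which fails it is rejected without consulting the geographic lookup at all, and the unknown-country branch ensures a gap in the lookup data cannot quietly downgrade a login to single-factor.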
Encryption: All transactions are performed in a secured environment. Access to InstaScreen™ requires the use of HTTPS. Supported web browsers automatically secure the session communications using Transport Layer Security (TLS) with a minimum of 128-bit encryption. All data is encrypted as it travels between the client web browser and the InstaScreen™ servers and can only be decrypted with a public and private key pair, to protect against eavesdropping, server impersonation and stream tampering.
Physical Security: The physical server machines are hosted by AWS in data centers that are unavailable to the general public. Only AWS staff have access to the data centers. Those centers have redundant power, HVAC systems and Internet service providers. Those locations are SSAE SOC 2/3 and PCI compliant.
Business continuity: C4 Operations’ footprint in the AWS cloud infrastructure is located in two different geographic regions. As a result, if there is an outage in one of the geographic regions, the application can fail over to a presence in a separate geographic region. Each of the AWS data centers has redundant Internet connections with backup power generators and on-site fuel.
Client Responsibility: Clients are expected to guard their password carefully and not share it with or disclose it to anyone for any reason. C4 Operations staff will never ask a client for their password. Clients must also ensure the security of their InstaScreen™ sessions by completely logging out of the system when finished and not leaving active sessions unattended. Paper and electronic copies of reports must be carefully controlled to prevent the unauthorized distribution or disclosure of personally identifying applicant information.
A robust and secure system requires a multi-faceted solution with hardware, software and education. Critical to the success of any secure system is the education of its user community and employees on the importance and sensitivity of information. Knowledge of why and how data is secured, and of the permissible uses of all information, is essential in maintaining the integrity of the system and its contents.
10/24/2016