Security

Click or Call 888-876-5432

eLynxx Solutions has never experienced actual or threatened litigation or regulatory enforcement action pertaining to data privacy, information security, or compliance. We have never experienced a breach of security requiring notification to consumers under federal or state privacy or consumer protection laws or regulations. Nor have any audits resulted in unsatisfactory findings. No affiliates are used in the provision of eLynxx Solutions services, and eLynxx Solutions does not utilize any off-shore resources.

eLynxx Solutions will complete due diligence or security questionnaires your organization requires. The following is an overview of security policies, practices and features.

Application Security

  • ASP.NET built-in request validation capability
  • Stored Procedures and Object Relational Mapper (ORM) protected database access
  • Redundant data validation on the client side (jquery.validation), server side and database level
  • Sensitive information protected from view by error handlers
  • Microsoft Internet Information Services (IIS) negotiates and selects highest SSL version
  • Rights and roles privileges provide controlled access to data and functionality
  • Stored passwords secured with minimum length and complexity requirements plus encryption
  • Automatic lockout and notification after three failed login attempts
  • Secure single sign-on (SSO) integration capable
  • Security Assertion Markup Language (SAML) capable
  • Scrum-based agile software development life cycle program
  • Access limitation, non-disclosure and terms of use gateway capability
  • Tamper-proof user login/session functionality
  • Tamper-proof URLs
  • User activity logged in an indelible audit trail
  • Centralized enterprise virus, spyware and malware protection, host-based intrusion detection/prevention and policy control featuring automated updates and on-access scans with full scans as needed
  • Windows Security and IIS logs maintained and archived indefinitely
  • Redundant remote DBA management and assessment from Oracle certified vendors

Security Management

  • Written policies and procedures maintained for 1) use of personal computing equipment, 2) remote access, 3) acceptable use, 4) file download, 5) information security, 6) password security, and 7) workstation and server deployment
  • Policies modeled on SANS Institute (www.sans.org) framework
  • Security policies reviewed annually and updated as required
  • eLynxx employees required to sign off on security policies and updates
  • User rights and roles control
  • Windows Server Update Services (WSUS) and Oracle Linux-based Operating System (OS) patches applied bi-weekly for workstations and monthly for servers
  • Database updates scheduled and applied as needed
  • Application patches prepared, tested and deployed as necessary
  • Written disaster recovery and business continuity programs maintained and regularly reviewed for 1) risk management, 2) business impact analysis and 3) recovery priorities
  • Controlled access to primary and redundant hosting facilities
  • Third parties used only for 1) database performance monitoring, tuning and back-up, 2) round-the-clock IT monitoring and consulting
  • Third parties are U.S. based and operate under strict confidentiality and non-disclosure provisions

Information Security

  • Application hosting restricted to eLynxx applications
  • Employee data access limited to names and contact information
  • No Personally Identifiable Information (PII) access required
  • No physical access to secure customer computer facilities required
  • No network access to secure customer computer facilities required
  • Secure Sockets Layer (SSL) encrypted access via public Internet
  • No requirement for direct file transmission between eLynxx and your network
  • SSL encrypted file transmission via public Internet
  • eLynxx hosts its own cloud software

Network Security

  • Dual Cisco ASA routers and security services modules in active/standby configuration with Adaptive Security Device Manager (ASDM) management
  • Dual Cisco IronPort email gateways with anti-virus/spam integration and available Transport Layer Security (TLS)
  • SSL encryption for all sensitive information and data accessed via the public Internet
  • Access controlled through Media Access Control (MAC) filtering
  • Physical network layers isolated from day to day corporate operations
  • Multi-layer Network Address Translation (NAT)/Port Address Translation (PAT) Internet Protocol (IP) routing and assignments

Environmental Security

  • Uninterruptible Power Supply (UPS) for all servers
  • Redundant power grid with instantaneous failover
  • Disparate power entry points
  • On-site propane-powered generators for additional power redundancy
  • Dedicated, monitored Heating, Ventilation and Air Conditioning (HVAC) system in data center
  • Advanced fire suppression systems in data center

Data Security

  • Multiple AES encryptions for off-site back-up devices
  • Database and application level data masking
  • SSL File Transfer Protocol (FTPS) available
  • SSH File Transfer Protocol (SFTP) with PGP encryption available
  • Real-time redundant data back-up
  • Daily redundant local media back-up
  • Consistency-verified, encrypted daily off-site back-up

Personnel Security

  • eLynxx employees with system and data access must pass reference, employment history and criminal background checks
  • eLynxx employees receive security training annually or as-needed
  • eLynxx employees are subject to confidentiality agreements

Physical Security

  • Keypad protocols and 24/7 interior security
  • Data center access limited to authorized personnel
  • Data center personnel hold multiple security clearances

Access Control

  • 10-step set-up process for creation of eLynxx employee accounts
  • 11-step shut-down process for deletion of eLynxx employee accounts
  • Strictly enforced password length and strength requirements
  • Unique user IDs with no shared accounts
  • Stored passwords are salted and then hashed for protection
  • No embedded passwords in production system scripts
  • 15-minute session time-out/lock-out for employees with access to critical or sensitive information
  • Rights and roles based access for segregation of duties
  • Quarterly review of access rights
  • Two-Factor Authentication control for corporate Virtual Private Network (VPN) access
  • VPN access limited only to critical eLynxx employees
  • Administrator access to production servers and systems restricted to internal corporate network

Vulnerability Management

  • Quarterly vulnerability scans of internal and external networks using a variety of tools including Network Mapper (NMAP)
  • Constant monitoring of Microsoft, Oracle and network security notifications for threat and vulnerability identification
  • Auditing and logging via Cisco ASA firewall, Windows Server, IIS, Oracle and eLynxx internal capability
  • System traffic captured for all users including administrators
  • Complete and detailed audit logs for network and software usage
  • Common source time synchronization
  • Security logs audited and archived quarterly
  • Administrative audits performed quarterly
  • Assistance with intrusion testing requirements

System Development and Maintenance

  • Strict enforcement of policies for review, approval and testing of releases, software and servers
  • Ongoing tracking and monitoring of production system performance
  • Servers subject to a standard hardening checklist
  • Separate and distinct environments for development and testing
