Security Statement

Statement on Information Security

The security and confidentiality of client (hereinafter “you” and “your”) information is very important to Capitol Services, Inc. and our affiliates (hereinafter the “Company,” “we,” “our,” and “us”). Our commitment to security is reflected through the implementation of physical, procedural, and technical safeguards to preserve the integrity and security of your information. This security statement (the “Statement”) provides a brief overview of the security measures implemented to help protect the information and systems used by us to conduct business. It does not represent all efforts made by us to mitigate potential security risks related to information security.

Security Policy

We provide our employees with written information security and privacy policies that define employee responsibilities and acceptable use of our information systems. We receive a signed acknowledgement of these policies from each employee before providing authorized access to our information systems. Our policies are readily available at all times, communicated to employees on at least an annual basis, and reviewed and updated as necessary.

Our policies cover security related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal application and information systems.

Security Committee

We have an information security committee, comprised of legal, technology, and security professionals, that is responsible for all the security matters of the Company. The information security committee is responsible for maintaining our employee security awareness and compliance program as well as defining security controls for protection of our information and infrastructure. We follow the CIS Critical Security Controls for Effective Cyber Defense framework with layered security controls to help identify, prevent, detect, and respond to information security incidents.

Asset Management

We maintain asset inventory processes for our physical and information assets. Our information is comprised of both client and corporate assets and managed under our information security policies and procedures. Authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by our information security policies. Information subject to legislative or regulatory requirements is identified through our asset inventory processes, and security controls are established to address the relevant requirements. Our employees are regularly provided with instruction on identifying and handling our assets.

Personnel Security

Our employees are required to conduct themselves in a manner consistent with our policies, including those regarding security, privacy, confidentiality, and appropriate usage. Employees acknowledge our policies on a yearly basis, are notified of any updates to our policies as they occur, and participate in an ongoing security awareness training program. Processes and procedures are in place to address employee onboarding and departure from the Company.

  • Employee Onboarding – All newly hired employees are required to acknowledge our policies regarding security, privacy, confidentiality, and appropriate usage, as well as undergo a background check. Employees are required to reset default passwords given for logging in to our information systems during the onboarding process, subject to our password strengthening policy.
  • Departing Employees – All departing employees are required to acknowledge their obligation to maintain confidentiality and return Company property. Upon departure, access to our information systems is disabled, and the departing employee’s user account and records are inactivated or removed, as applicable. We collect the departing employee’s loaned hardware (including external hard drives and jump drives), software, parking pass, office keys, and entry fobs, and inventory these assets.

Physical and Environmental Security

We have procedures and infrastructure in place to handle both the physical security of our data and the environment in which the data operates.

Our information systems and infrastructure are self-hosted in a secured data center at our headquarters and supplemented by multiple backup data centers. Data center access is limited to authorized personnel. Visitor and contractor access procedures are established. Access to our headquarters is limited by time-programmed elevators. Visitors to our headquarters are required to sign in at reception.

Our IT continuity goal of 100% availability is achieved via stretch clustering of our multiple data centers, allowing for near-zero recovery time and recovery point objectives (RTO/RPO). Our data centers have secured access, temperature and humidity controls, redundant internal and external power supplies, and fire suppression systems, and are monitored 24 hours per day, 365 days per year.

Operations Management

  • Vendor and Subcontractor Relationships – We only partner with vendors and subcontractors that operate with the same or similar security values that we do. As part of our review process, we screen our vendors and subcontractors in an effort to ensure the confidentiality, integrity, and availability of data that our vendors and subcontractors may handle.
  • Auditing and Logging – We maintain audit logs on all our systems to provide an account of which employees have accessed our systems. Information security incidents are logged, monitored, and addressed by our trained IT team and information security committee. Organizational responsibilities for responding to information security incidents are defined in our incident response policy and disaster recovery plan.
  • Security Applications – We use a combination of technology tools to provide a secure computer environment, including server and endpoint antivirus, antispyware, firewall, and intrusion protection. We update virus signatures daily and utilize a virtual private network to enable secure remote access to our networks.
  • System Backups – We have backup standards and procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to safeguard data at our multiple data centers. Encrypted data is securely communicated to clustered data centers using SAN-to-SAN replication.
  • Network Security – Our servers and software reside behind firewalls and are monitored for detection and prevention of network security threats. Data center access points feature firewall segregation, and firewall logging is enabled to track communications between the internet and our internal network at both our data centers and remote office sites.
  • Vulnerability and Patch Management – We apply the latest security patches and updates to operating systems, applications, and our network infrastructure. Security assessments are performed on a regular basis to determine the effectiveness of patch management to identify threats and vulnerabilities. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for resolution.
  • Secure Network Connections – We use SSL encryption on our web-based assets to ensure the highest security and data protection standards. We regularly verify our security certificates and encryption algorithms to keep your data safe.

Access Control

  • Role-Based Access – We use role-based access controls for access to our information systems. Access to sensitive data in our databases and systems is set on a need-to-know basis.
  • Authentication and Authorization – We require employees to have an authorized and unique user account for all applicable information systems, databases, and applications. We maintain a password reset and strengthening policy. We require the use of a lock screen that reactivates after a period of inactivity through the use of a password. Users are blocked from accessing our information systems after several unsuccessful login attempts.
  • Computer Security – All employee computers are centrally managed via enterprise management consoles. Employees are required to log off computers at the end of the day, and after a period of inactivity, computers automatically log off the network.
  • Remote Access – Remote access to our information systems is available to a limited number of our employees. These employees must log in through our VPN in order to access our information systems.
  • Mobile Devices – Mobile device access is limited to only a select number of employees. We maintain a bring your own device policy. We have the ability to wipe the device of our software in the event of a lost or stolen device, an employee’s termination, or a violation of our policies.

Development

  • Applications Development – We follow a defined method for acquiring, developing, and maintaining our applications. Security testing is implemented throughout each phase of development and includes vulnerability and penetration testing, as well as product security assessments. We incorporate evolving security awareness practices and measures throughout the development cycle.
  • Coding Practices – Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. The team is trained in secure web application development. We maintain separate development, testing, and production environments. All developments are peer-reviewed prior to deployment into the production environment.

Availability 

  • Power – Our servers have redundant internal and external power supplies. Our primary and backup data centers have backup power supplies and are able to draw power from multiple sources.
  • Connectivity – We maintain fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
  • Uptime – We continuously monitor uptime and are immediately notified in the event of any downtime.
  • Failover – We utilize high-speed connections between our primary and backup data centers for near instantaneous failover if necessary.

Data Retention 

We maintain business records for a period of seven (7) years, unless the business records are required to be kept for an alternate time period by applicable law.

Data Disposal  

We dispose of business records containing confidential information when the business records are no longer needed for business purposes or required by law for storage. We require paper business records containing confidential information be redacted, burned, pulverized, or shredded so that confidential information cannot be read or reconstructed. Similarly, we require electronic media and other non-paper media containing confidential information be destroyed or erased so that confidential information cannot be read or reconstructed. We conduct periodic reviews of records containing confidential information to identify records that can be destroyed consistent with our policies and in compliance with applicable law.

Incident Management  

We maintain a written incident response policy with documented procedures in the event of an information security incident. Our incident response policy defines the response team’s responsibilities and identifies processes and procedures for notification.

Business Continuity and Disaster Recovery  

We maintain business continuity and disaster recovery plans for our critical operations in order to minimize service interruption due to a natural disaster or hardware failure. While we have taken steps to mitigate the risk of a disaster, we recognize that there are variables beyond our control.

Collection and Use of Personal Data 

Certain jurisdictions require organizations that collect, maintain, or process their residents’ personal data to implement specific procedures and safeguards for that data. We fully comply with the laws of these jurisdictions. For more information about how we handle data that is entered into our information systems, please see our privacy policy, available at www.capitolservices.com/privacy-policy/.

HIPAA 

We do not use or disclose protected health information about an individual covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Cyber Insurance 

We maintain cyber liability insurance coverage to help mitigate risk exposure and offset costs involving recovery after an information security breach.

Audits

We conduct internal audits of the processes and procedures described in this Statement regularly. Additionally, we engage experts in the information security field to conduct external vulnerability audits on a regular basis.

Your Responsibilities 

Although we use reasonable means to protect your personal information, you are also responsible for ensuring your data is kept safe by using strong passwords and storing them safely. You should also maintain the appropriate security features on your information systems.

Our Commitment to Data Protection 

We maintain the appropriate technical and organizational measures that are necessary to ensure a level of security appropriate to the risks associated with the categories of personal information and the processing we undertake. However, no method of electronic transmission or storage is 100% secure. Therefore, while we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

Contact Us

If you have questions about our information security procedures or would like more information, please contact us at infosecurity@capitolservices.com.

 

August 2019