Cliffson Solutions, LLC, Security Policy

last revised November 13, 2013
effective starting February 20, 2011

Overview

We take the privacy and protection of our clients, their data, their customers, and our site visitors very seriously. In addition to the provisions in our Privacy Policy, we also take a wide range of steps to keep our servers, Web sites, databases, and other services secure and free from unauthorized access and tampering. Our security measures include physical, electronic, and procedural safeguards, system integrity and security monitoring tools, encryption of stored and transmitted data, and documented security policies and procedures.

Scope

This policy applies to the Web sites www.cliffson.com and www.cliffsonsolutions.com. By default this policy also applies to all other sites hosted on our servers, although specific sites may have their own privacy policies which take precedence.

Servers

All of our servers are protected by several layers of firewalls and intrusion detection utilities. All e-mail passes through a greylist server and is scanned for spam and malware. Services are carefully restricted and secured using unprivileged system accounts. Servers are configured and hardened according to industry standard practices.

The configuration of all networks, servers, and protection measures is thoroughly documented. Any modifications to these protection measures must be approved in writing by our security team and thoroughly tested and documented.

All relevant operating system and software patches are applied within seven (7) days of their availability in common software repositories or vendor patch distribution services.

Our servers are constantly monitored for unusual activity, open ports, running services, and unauthorized file changes. System audit and activity logs are maintained and archived.

Individual user accounts are created for employees and clients who need access to Web site development areas, project management tools, or internal discussion forums. Such user accounts are never shared among multiple people, and system-wide access controls are used to limit what these accounts can access and modify. All system and Web user accounts are logged. Passwords are never distributed via e-mail, and employees will never ask a user for his password. Rules governing password complexity, frequency of changes, and reuse are documented and enforced.

We run a number of system and Web services vulnerability scans at least weekly to proactively identify and fix potential issues before they become problems.

Applications

All Web applications are written with data validation routines both in the Web forms themselves (client-side validation) and in the parsing and processing scripts that handle form submission (server-side validation). All input data is parsed and sanitized, particularly before being submitted to databases.

Personal data, passwords, and credit card information are never stored in browser cookies or text files. Variables are passed as POST variables whenever possible in preference to GET variables (which appear in the URL). A number of server-side precautions are used to prevent cross-site scripting (XSS) vulnerabilities.

Simple access controls may be implemented as Apache rules using digest-based user authentication and network address restrictions. Stronger server-side access controls using LDAP or database authentication and role-based access rules are used whenever sensitive data or client confidentiality is involved. All such logins are logged, as are any attempted violations of access controls.

All database connection parameters are stored in separate include files and never directly in running scripts.

Precautions against credit card abuse and brute-force validation attacks include time-based limits on transactions for a given card or from a given network address range, as well as unique transaction tracking numbers.
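As an added illustration of the time-based limits and unique tracking numbers described above (example code written for this page, not Cliffson's own; the limits, the 10-minute window, the /24 and /64 grouping, and the placeholder key are assumptions):

```python
import hashlib
import hmac
import ipaddress
import time
import uuid
from collections import deque
from typing import Optional, Tuple

# Assumed policy for illustration: 3 attempts per card and 20 per network range per 10 minutes.
WINDOW_SECONDS = 600
MAX_PER_CARD = 3
MAX_PER_NETWORK = 20
# Placeholder key; in practice it would be loaded from an include file, never hard-coded.
LIMITER_KEY = b"PLACEHOLDER-REPLACE-WITH-SECRET-FROM-CONFIG"


def card_key(card_number: str) -> str:
    """Key attempts by a keyed hash of the card number so no PAN is kept by the limiter."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return "card:" + hmac.new(LIMITER_KEY, digits.encode(), hashlib.sha256).hexdigest()


def network_key(client_ip: str) -> str:
    """Group attempts by the caller's /24 (IPv4) or /64 (IPv6) range, not the exact address."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 64
    return "net:" + str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class TransactionLimiter:
    """Sliding-window counters: each key holds the timestamps of attempts inside the window."""

    def __init__(self) -> None:
        self._attempts: dict = {}

    def _recent(self, key: str, now: float) -> deque:
        q = self._attempts.setdefault(key, deque())
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()  # drop attempts that have fallen out of the window
        return q

    def attempt(self, card_number: str, client_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (allowed, tracking_number_or_reason). Every attempt is counted, allowed or not,
        so a caller that keeps retrying stays blocked until the window clears."""
        now = time.time() if now is None else now
        card_q = self._recent(card_key(card_number), now)
        net_q = self._recent(network_key(client_ip), now)
        card_q.append(now)
        net_q.append(now)
        if len(card_q) > MAX_PER_CARD:
            return False, "card-limit"
        if len(net_q) > MAX_PER_NETWORK:
            return False, "network-limit"
        return True, uuid.uuid4().hex  # unique tracking number for the accepted transaction
```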

Privacy Protection

Refer to our Privacy Policy for more information.

Client Protection

All development and prototyping work is done in password-protected areas of our server to allow confidential offsite review and testing of Web pages and applications before they go public. Project tracking tools and project-specific discussion forums and Wikis may be used for some projects. Access to these services is limited to our employees or contractors working directly on those projects and to authorized client representatives.

Data Security

All Web forms and log-in services that require personally identifiable information (PII), credit card information, account information (user name and password), and other sensitive data are always transferred using secure (SSL) network connections based on industry standard encryption methods and certificates from registered certificate authorities.

We encrypt all sensitive information stored on our servers using strong encryption methods with carefully controlled keys. Passwords and encryption keys are never stored in clear text in files or databases on our servers.

Access to all sensitive data is restricted to our employees and to our clients on a need-to-know basis. All employees with access to client data are required to sign confidentiality agreements. Changes to access rules require written approvals by our General Manager and by authorized client representatives, if applicable.

All critical data files and databases are backed up at least daily. Backup copies of system logs, audit logs, scanner results, and system configurations are maintained on read-only media for at least 12 months. All backup media are securely stored and tracked by chain-of-custody logs. Full system backups are stored off-site in a fireproof safe.

External Links

Some of our Web pages contain links to other independently maintained Web sites outside the cliffson.com and cliffsonsolutions.com domains. We are not responsible for the privacy or security practices or the content of these external Web sites.

Modifications

Cliffson Solutions, LLC, reserves the right to update and change this policy periodically. The current, posted version of this document applies whenever a visitor accesses any page on the sites described in "Scope" above. Substantial (non-trivial) changes to the policy will be announced on the Company News page.

Contact Information

This document highlights our security philosophy and methodology. The details of our security policies and procedures are specified in internal documents, which of course are not available to the general public. These documents may be requested by and provided to our clients or to certification entities, although we reserve the right to restrict circulation of such documents.

If you have questions or concerns about this policy or the way it is implemented on our servers, please contact

Security Manager
Cliffson Solutions, LLC
1007 Norton Lane
Myrtle Creek, OR 97457
541-860-5347
security@cliffson.com