Data Storage, Recovery and Security Policy
Last Updated: February 15, 2021
Revision No.: 1.0.4
Overview
LoanCirrus is a cloud-based lending platform that offers small lenders a simple and easy way to manage their loan portfolios. Managing a loan portfolio means that our clients collect personal and financial data about their customers, so it is important that this information remains both accessible and secure. Given the critical nature of our customers' data, we have partnered with one of the most reputable cloud providers in the industry – Amazon Web Services (AWS) – to make this happen. AWS provides world-class infrastructure that enables us to deliver a cutting-edge cloud solution to our clients. It is our number one priority to ensure that the infrastructure we use is safe and secure, and to guarantee 99.9999% uptime, that is, approximately 31.5 seconds of downtime per year and 2.59 seconds of downtime per month.
Security Management
Our applications and infrastructure require a secure environment to keep the business running strong. To achieve this, it is vital that everyone involved clearly understands the processes and the proactive and reactive measures that need to be put in place.
Amazon Web Services (AWS) provides security and compliance services designed to help us protect information and physical resources. This effort also focuses on ensuring that AWS has controls in place to manage the risk of interruptions that may impact their service level commitments to us, their client.
Security Organization
The security organization, Amazon Web Services (AWS) Global Security Services, is responsible for setting objectives for information security management to preserve their commitment to customers, such as us (“LoanCirrus, Ltd.”). This includes setting policies in the following areas:
Security Policy
The policy establishes our direction and support for information security and sets a risk management framework that is in accordance with business requirements and relevant laws and regulations. These policies include:
- Developing and maintaining a framework to measure and identify attainment of security-related objectives;
- Managing customer assets (logical or physical) in a mutually agreed manner;
- Maintaining the confidentiality, integrity and availability of (customer and business) assets;
- Investigating all known breaches of business security, actual or suspected, in line with our security management controls and procedures;
- Providing robust formal methods for risk assessment, management and treatment;
- Applying appropriate risk controls in all relevant situations;
- Ensuring all relevant security communications are made to stakeholders (internal or external) to inform, advise and encourage best practices;
- Ensuring that information assets and processing facilities are protected against unauthorized access, misuse and disclosure at all times;
- Ensuring that the requirements, as identified by information owners, for availability of business assets and processing facilities required for operational activities are met;
- Ensuring all relevant security-related legal obligations are met;
- Ensuring disposals of any media containing sensitive information are conducted in an agreed manner;
- Ensuring suppliers, partners and vendors of products and/or services required by the Security Management System have either signed up to this policy and its requirements or been the subject of a suitable risk assessment;
- Developing, maintaining and exercising the business continuity plans of Amazon Web Services (AWS).
Amazon Web Services (AWS) is committed to continually improving its Security Management System and as they do, so do we here at LoanCirrus, Ltd.
Access Control
A framework to ensure that only approved users are granted access to the appropriate systems and resources. Access to LoanCirrus's infrastructure requires a password and a token (two-factor authentication) in order to gain entry. Our Sandbox and Production servers are also IP restricted: login attempts from IP addresses that are not on the safe list are refused, and the offending address is banned and blacklisted. Our web application and databases are hosted on separate servers for scalability and security reasons. AWS gives us the ability to have the application and database communicate over an internal private network, so the data is never reachable from outside; the only route to it is direct access to the system, which means logging in to the control panel.
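The safe-list and two-factor gate described above, written out as a small Python check. This is an added example, not LoanCirrus's or AWS's code; the CIDR ranges, the `LoginGate` class and the login attempts are constructed for illustration, and the real infrastructure enforces the restriction at the network and server layer rather than in application code.

```python
"""Safe-list (IP allow-list) evaluation with automatic blacklisting.

Added example. The safe list uses documentation/test ranges as
placeholders for the real office and VPN addresses, which are not
part of this page.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed safe list: a placeholder office range and one bastion host.
SAFE_LIST: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder office range
    ipaddress.ip_network("198.51.100.7/32"),  # placeholder bastion / VPN egress address
]


def is_allowed(addr: str, safe_list: List[Network] = SAFE_LIST) -> bool:
    """Return True only if addr parses and lies inside a safe-listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address is never on the safe list
    return any(ip in net for net in safe_list)


class LoginGate:
    """Order of checks: blacklist, then safe list, then password + token."""

    def __init__(self, safe_list: List[Network] = SAFE_LIST) -> None:
        self.safe_list = safe_list
        self.blacklist: set = set()

    def evaluate(self, addr: str, password_ok: bool, token_ok: bool) -> str:
        if addr in self.blacklist:
            return "deny:blacklisted"
        if not is_allowed(addr, self.safe_list):
            # An address not on the safe list is refused and blacklisted,
            # so later attempts are rejected before any credential check.
            self.blacklist.add(addr)
            return "deny:not_on_safe_list"
        if not (password_ok and token_ok):
            # Both factors are required; a correct password alone is not enough.
            return "deny:2fa_failed"
        return "allow"


def run_sample_attempts(gate: LoginGate) -> List[str]:
    """Constructed login attempts: (source address, password ok, token ok)."""
    attempts = [
        ("203.0.113.45", True, True),    # safe-listed, both factors present
        ("192.0.2.9", True, True),       # not on safe list -> blacklisted
        ("192.0.2.9", True, True),       # repeat attempt -> already blacklisted
        ("203.0.113.45", True, False),   # safe-listed but token missing
        ("198.51.100.7", True, True),    # bastion address, both factors
    ]
    return [gate.evaluate(a, p, t) for a, p, t in attempts]


if __name__ == "__main__":
    for verdict in run_sample_attempts(LoginGate()):
        print(verdict)
```

The blacklist here is in memory; a real deployment would persist it and expire entries, but the ordering of the checks (network restriction before credentials) is what keeps unlisted sources from ever reaching the two-factor prompt.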
Asset Management
This area focuses on achieving and maintaining appropriate protection of Amazon Web Services (AWS)’s critical infrastructure required for its service delivery.
Information Security Incident Management
Policies and processes aimed at making sure information security events and weaknesses are communicated in a manner allowing timely corrective action.
Human Resources Security
Controls to ensure that all Amazon Web Services (AWS) employees, contractors and third party users understand their responsibilities, and are suitable for the roles for which they are considered.
Security Vulnerability Reporting
The LoanCirrus team gives immediate attention to any report of security issues relayed by Amazon Web Services (AWS).
Information Security Controls
To execute the plans defined in the control objectives above, Amazon Web Services (AWS) uses the best practices described in the ISO 27002 security standard. This standard is recognized globally as the most comprehensive framework for establishing and maintaining information security best practices within an organization.
Compliance and Validation
The compliance and validation phase is an important collection of audit and review activities that provide assurances that Amazon Web Services (AWS)’s implemented controls are designed and operating effectively and aligned with the policies set by the security organization.
Security certifications and standards
Amazon Web Services (AWS), our infrastructure provider, adheres to the following information security and related certifications and standards.
- ISO 27002
- ISO 27001
- PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
- SSAE16
- SOC 1
- SOC 2
- SOC 3
- SAFE HARBOR
- CONTENT PROTECTION AND SECURITY STANDARD (CPS)
ISO 27002
ISO/IEC 27002 (formerly known as ISO/IEC 17799:2005, based on BS 17799) is the standard for information security controls published by the International Organization for Standardization (ISO). The standard includes advice on the aims and implementation of the controls, but does not mandate specific controls, because each organization will have unique requirements based on its own risk assessment. The Amazon Web Services (AWS) information security program is based on ISO/IEC 27002 policies and procedures.
ISO 27001
The ISO/IEC 27001 standard provides a framework for managing a business’ security responsibilities and provides external assurance for customers as to the scope and scale of our secure environment via our Business Security Management System.
Since 2011, our system has provided the foundation for an integrated and sustainable security model working in tandem with our other security controls such as PCI-DSS. It is subject to ongoing external assessments with a full reassessment every three years.
PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
The Payment Card Industry Data Security Standard is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI-SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organizations which process, store or transmit cardholder information.
You have to secure your network, implement secure data management policies, maintain a vulnerability management program and implement strong access-control measures. And then you have to monitor, manage and test these policies.
We’re here to help you navigate this challenging process. Relying on our breadth of experience, we can provide you with infrastructure and solutions that can help reduce the complexity of compliance.
Compliance can be a complex and costly undertaking that involves everything from infrastructure to processes.
MasterCard Europe* and Visa USA have accredited Amazon Web Services (AWS) Hosting as compliant at the following level:
LEVEL 1 PAYMENT CARD INDUSTRY (PCI) SERVICE PROVIDER
Amazon Web Services (AWS)’s PCI certification scope of coverage is for the following locations:
- All US & UK offices
- US data centers (DFW1, DFW2, DFW3, IAD1, IAD2, IAD3, and ORD1)
- All UK data centers
- Hong Kong data center
- Sydney data center
SSAE16
SSAE16 is an AICPA (American Institute of Certified Public Accountants) auditing standard intended to provide customers and prospects with third party validated visibility of a service provider’s controls.
SOC 1
Reports are conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, the AICPA attest standard. This is an audit of internal controls over financial reporting, covering the management of the user organizations and the management of the service organization.
Service organizations continue to define their own control objectives and controls, but the service auditor is responsible for evaluating those control objectives to ensure they are reasonable.
A Type 2 report also includes the service auditor’s opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.
SOC 2
Reports on controls at a service organization relevant to Security, Availability, Privacy, Confidentiality and Processing.
SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs.
These reports are intended to meet the needs of a hosting provider customer that needs to understand the internal controls at a service organization.
The SOC 2 framework is a reporting option specifically designed for entities such as data centers, IT managed services, software as a service (SaaS) vendors, and many other technology and cloud computing based businesses.
A Type 2 report also includes the service auditor’s opinion on whether the controls were operating effectively and describes tests of the controls performed by the service auditor to form that opinion and the results of those tests.
SOC 3
Due to the restrictions of distribution to current and potential customers for the SOC 1 and SOC 2 reports, Amazon Web Services (AWS) has obtained a SOC 3 report. The difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the auditor’s opinion on the description of the service organization’s system. A SOC 3 report provides only the auditor’s report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.
SAFE HARBOR
Safe Harbor is the US Department of Commerce framework for meeting the European Union’s Data Protection requirements. Amazon Web Services (AWS) complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Amazon Web Services (AWS) has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement, with respect to the personal data we collect from EU and/or Swiss data subjects or receive from our affiliates located in the EU and/or Switzerland, such as information regarding service requests, service orders, handling orders, delivering services and processing payments.
CONTENT PROTECTION AND SECURITY STANDARD (CPS)
The Content Protection and Security Standard (CPS) is sponsored by the Content Delivery & Security Association (CDSA). CDSA is an international association that advocates the innovative and responsible delivery and storage of entertainment, software, and information content. CDSA has focused its activities on anti-piracy and content protection standards to protect the security and integrity of intellectual property and related assets.
The Content Protection and Security Standard assists organizations in managing their security and piracy risks. The CPS framework focuses primarily on the security management of media content in all of its forms across the entire supply chain. It comprises an independent and impartial audit of risk management, personnel resources, asset management, logical and physical security, and disaster recovery planning.
Security Operations
Amazon Web Services (AWS) has invested significant resources to ensure it can detect and respond to security events and incidents that impact its infrastructure. It is key to point out that this function does not involve actively monitoring individual customer solutions, but rather the overarching network and physical environment, including the monitoring of internal networks and of employee access to customer environments.
Security operations at Amazon Web Services (AWS) ensure that:
- Incidents are responded to in a timely manner and communication is disseminated to the relevant parties
- Corrective actions are identified and executed
- Root cause analyses are performed
- Lessons learned are fed back to the policy and planning functions
This function of our security management system drives continuous improvement of the practices and models we implement to protect Amazon Web Services (AWS) infrastructure.
An effective mitigation of risks of a cloud solution requires a combination of a secure application architecture and security management disciplines within the service provider. Security Management at Amazon Web Services (AWS) involves the coordination of the security organization, security controls, and compliance.
Security Solutions and Services
Cloud Threat Protection
Maintaining a secure environment for applications and infrastructure is a common concern of companies of all sizes. When building an application and its cloud infrastructure, how should one incorporate security considerations into the design, particularly when there are numerous kinds of attacks, all with varying levels of sophistication?
Though business, application, and infrastructure needs can vary widely across industries and workloads, Amazon Web Services (AWS) provides us with common tools and expertise that can effectively mitigate the risk of cyber security breaches to our hosted systems.
Denial of Service Attacks
DoS or Distributed DoS (DDoS) attacks seek to bring systems or networks down by exhausting resources or exploiting vulnerabilities. These attacks tend to be sophisticated and complex. With names such as Flood, Ping of Death, SYN, Teardrop or Smurf attacks, these can be classified in terms of the target resource: network bandwidth, server sockets, web server threads, and CPU resources. Attacks targeting the application layer are becoming more prevalent. Because of their complexity, different types of DoS attacks require different defense mechanisms. There is really no single approach to defend against each different type of DDoS attack. However, there are steps you can take to mitigate the risks. From a technology standpoint, there are several options. Firewalls and load balancers provide a level of protection by analyzing network traffic; intrusion detection and prevention systems can look for patterns in network traffic to detect and in many cases prevent an intrusion; Web Application Firewalls are able to look at HTTP and HTTPS traffic and learn about normal patterns of traffic and disable abnormal ones.
Vulnerability Assessment
Vulnerability scans are considered an essential tool in your efforts to maintain a secure computing environment. By having an assessment performed on your systems, you will know whether they are properly configured and protected against thousands of known vulnerabilities that could allow intruders to take control of your servers and access sensitive information essential to your business. Ideally, scans should be done periodically, as new vulnerabilities are constantly being discovered across operating systems. While vulnerability scans do not provide protection themselves, they proactively notify you of the existence of a vulnerability so that remedial action can be taken as soon as practical.
A scan produces a prioritized list of discovered vulnerabilities. Typically, this process is done by interacting with the active hosts and checking for specific vulnerabilities against active services and ports. The prioritized list then serves as a guide for decision making, and typically leads to configuration changes and other actions to address each vulnerability.
Sensitive Data Protection
Traditional security controls are no longer sufficient to protect customers from today’s cyber attacks, because they focus on network perimeter defense and not on controls that guard against unauthorized access and misuse of sensitive data.
Organizations should examine a different model of sensitive data protection—the data-centric model—that focuses on protecting the asset (data) that we care most about, using technologies like database access monitoring, and encryption and key management solutions.
Data Backup and Recovery
LoanCirrus' backups are performed incrementally on a daily basis at 1:30 UTC (8:30 PM EST), and at around the same time every Friday (UTC) full database backups are created. Our database backup retention policy keeps two copies of the full backups produced at the end of each week. When the third full automated backup is performed, the oldest full automated backup and its child incremental backups are deleted.
In addition to the daily incremental backups, our system runs an additional full backup every fifteen (15) minutes for all tenants, and within that fifteen-minute window we also log transactions to ensure that no data is lost.
Restoring a backup is just as easy as creating one. From our cloud database control panel we identify the tenant whose data is to be restored and issue a single command that takes care of the rest.
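To make the retention rule concrete, the following Python simulation models the daily/weekly schedule, applies the "keep two full backups and their child incrementals" policy, and computes the chain a point-in-time restore would need. It is an added example, not LoanCirrus's tooling or the cloud database control panel: the `Backup` record, the start date, the assumption that the Friday full backup replaces that day's incremental, and the fifteen-minute tenant backups being left out of the model are all choices made here for illustration.

```python
"""Backup schedule, retention and restore-chain simulation (added example).

Assumptions (not from the policy text): the Friday run produces a full
backup instead of an incremental; the first run of a simulation also
produces a full so incrementals always have a parent; the 15-minute
per-tenant full backups are not modelled.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import List, Optional, Tuple

BACKUP_TIME_UTC = time(1, 30)  # daily run at 01:30 UTC (8:30 PM EST the previous evening)
FULL_BACKUP_WEEKDAY = 4        # Friday (Monday == 0)


@dataclass(frozen=True)
class Backup:
    id: str
    kind: str               # "full" or "incremental"
    taken_at: datetime
    parent: Optional[str]   # id of the full backup an incremental depends on


def simulate_schedule(start: date, days: int) -> List[Backup]:
    """Generate one backup per day: full on Fridays, incremental otherwise."""
    backups: List[Backup] = []
    last_full: Optional[str] = None
    for i in range(days):
        d = start + timedelta(days=i)
        ts = datetime.combine(d, BACKUP_TIME_UTC, tzinfo=timezone.utc)
        if d.weekday() == FULL_BACKUP_WEEKDAY or last_full is None:
            b = Backup(f"full-{d.isoformat()}", "full", ts, None)
            last_full = b.id
        else:
            b = Backup(f"inc-{d.isoformat()}", "incremental", ts, last_full)
        backups.append(b)
    return backups


def apply_retention(backups: List[Backup], keep_fulls: int = 2) -> Tuple[List[Backup], List[Backup]]:
    """Keep the newest `keep_fulls` full backups and every incremental that
    depends on them; everything anchored to an older full is deleted."""
    fulls = sorted((b for b in backups if b.kind == "full"), key=lambda b: b.taken_at)
    retained = {b.id for b in fulls[-keep_fulls:]}
    kept: List[Backup] = []
    deleted: List[Backup] = []
    for b in backups:
        anchor = b.id if b.kind == "full" else b.parent
        (kept if anchor in retained else deleted).append(b)
    return kept, deleted


def restore_chain(backups: List[Backup], target: datetime) -> List[str]:
    """Ids to apply, in order, to restore to the latest state at or before
    `target`: the newest full not after target, then its incrementals."""
    fulls = [b for b in backups if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        raise ValueError("no full backup available at or before target")
    base = max(fulls, key=lambda b: b.taken_at)
    incs = sorted(
        (b for b in backups
         if b.kind == "incremental" and b.parent == base.id and b.taken_at <= target),
        key=lambda b: b.taken_at,
    )
    return [base.id] + [b.id for b in incs]


if __name__ == "__main__":
    # Constructed run: three weeks starting on Friday, 5 February 2021.
    schedule = simulate_schedule(date(2021, 2, 5), 21)
    kept, deleted = apply_retention(schedule)
    print(f"{len(kept)} kept, {len(deleted)} deleted (oldest full and its incrementals)")
    when = datetime(2021, 2, 17, 12, 0, tzinfo=timezone.utc)
    print("restore chain for", when.isoformat(), "->", restore_chain(kept, when))
```

Running the constructed three-week schedule yields three full backups; the third one triggers deletion of the first full plus its six incrementals, which is exactly the behaviour the policy describes. The restore chain shows why child incrementals must be deleted together with their full: an incremental whose parent is gone cannot be applied.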
If you have any questions or comments, please feel free to reach out to our VP of Technology, Infrastructure & Security at karey@loancirrus.com.