True Office ensures both the physical and digital security of its markets and data through leading-edge security technology and processes.
True Office maintains detailed information security policies. All employees are required to read and provide written acknowledgement of relevant policies. Topics covered range from True Office's corporate security and information classification policies to application development standards and password handling. A dedicated Information Security group is responsible for information security operations including; daily reviews, access control requests, incident handling, engineering, consultation, design and implementation of security mechanisms. The policies and procedures are for official use only and are reviewed as part of the testing procedures detailed below within the section “Testing and Audit.”
True Office uses a multi-tiered network architecture with multiple firewall tiers and service silos to isolate different security zones. Intrusion Detection Systems at True Office managed facilities monitor network traffic against industry-standard and True Office-customized network activity signatures.
External screening routers employ access control lists to terminate virus, worm, and common hacking attempts before they reach external True Office firewalls. Firewalls further parse traffic to ensure only specifically permitted sources can reach specific destinations and services. VPN or private line connections terminate outside external firewalls, but independently from Internet connection points.
& DATA INTEGRITY
Strong encryption is used to authenticate and encrypt customer communication to True Office systems. Encryption prevents potential malicious third parties from intercepting sensitive data and credentials in transmission. The controls inherent to SSL and TCP provide additional integrity to ensure content is not tampered with by a third-party during transmission. Participant credentials are never stored unencrypted – they are hashed or encrypted as appropriate to the application.
The True Office Information Security group handles all access control requests for administrative access. These requests and authorization are documented and reviewed.
User ID and password authentication are required by all True Office accounts. Nine-character initial passwords can be randomly generated and assigned by the True Office Helpdesk via phone. Users are prompted to change their password on initial login and instructed to choose a strong password, 8 to 14 characters in length, and including at least 3 of the following attributes: lowercase, uppercase, numbers, and special characters.
All systems follow build standards to ensure standardization and security. The Information Security group monitors, assigns, and tracks patch status to respond to vendor operating system or application alerts.
Application-layer access controls impose strict restrictions on the data available to individual users. Data storage is physically and logically segmented from application servers, and queries can only be formed and executed after access control databases have been queried and credentials are fully verified. These processes ensure that users retrieve data only related to their account. The True Office Information Security group integrates into the SDLC process via security architecture review, vulnerability scans, code analysis, and manual pen testing.
True Office Operations maintains incident-response plans to handle any incident with operational impact -- security or otherwise. It is True Office policy to notify customers if there is a security incident that could compromise customer data.
BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY
All True Office core procedures, systems, and operational tasks are managed in cloud-based datacenters with backups and key equipment redundancy. Business Continuity (BCP) and Incident Response Plans ensure infrastructure is recoverable.
TESTING & AUDIT
True Office conducts regular internal penetration testing and auditing to determine compliance with written policies and to assess vulnerability. In addition, third-party external penetration tests are performed at least annually. The results of these tests are used internally to verify internal audit processes and controls.