Emerios Platform Security Program Overview
Beyond Blue Holdings (‘BBH’ or ‘The ‘Company’) develops a broad array of enterprise software solutions including business process outsourcing, business analytics, mobile sales engagement, third party verification and workforce management via its VMBC SA and Emerios subsidiaries. They are a “Solution as a Service” provider, delivering specific, highly configurable solutions for businesses of all sizes from ‘Inception to Delivery’ (“I2D”). They currently operate internationally with a 100-person workforce trained to deliver rapidly on projects covering all aspects of technology, product and graphic design, marketing, competitive research, user experience, workflow management, business process management and other support services. This ensures our clients achieve greater market share and a strategic competitive advantage.
The Product Development and Quality Assurance teams are mainly in Buenos Aires, Argentina, with additional independent contractors based in different Latin-American countries. The Executive and Sales & Marketing teams are in the United States of America at its of Aliso Viejo, California Corporate Headquarters. The Talent Development and Administration, Finance, Customer Experience & Operations, Information Technology (‘IT’) and Governance, Risk, Compliance & Security teams have shared responsibilities in the US and Argentina teams, with additional independent contractors working from other Latin-American countries.
The Company’s Customer Engagement and Verification System is hosted from servers in two co-location datacenters in Irvine, California and Las Vegas, Nevada – separate from The Company’s headquarters.
The Company’s Customer Engagement and Verification System is built upon the Emerios Inc. proprietary ES4 Business Process Management Software Suite. ES4 moves beyond models like Platform as a Service (PAAS) and Software as a Service (SAAS), or Solution as a Service - wherein the key deliverable is the ultimate solution and process of gathering requirements and detailing our vision for the solution creates both the Service and the supporting documentation.
ES4 is an omni-channel solution that collects information provided by our clients to process and verify with licensed third-party software/services such as NLAD and/or Lexis/Nexis for on-premise validations. It also provides an interface where the customer can review their order status and what steps needs to be completed in order to full fill the process.
ES4 is centered on security: all the data is stored using encryption services that prevent the information to be accessed by any party does not authorize by the user that complete its.
ES4 support both custom and configurable rules allowing to the system adapt to several industries as well as to maintain the system aligned with the new compliance regulations that are continuously changing the given industries that ES4 is currently operating.
ES4 is an auditable system: we can trace users and customers activities as well third-party integrations to make sure we can analyze and optimize the processes that are built in place.
Technology Overview (ES4):
To work in a service-oriented architecture that support easy configuration schemas and allow the reusability of isolated services and components that are loosely coupled, without dependencies between them.
The ES4 suite offers set of modules of custom productivity tools that ensure continued optimal maintenance, guaranteeing long-term viability as program objectives and rules change. These tools include:
- Public Site Channel: This flow allows to process and check enrollment statuses in a web browser application.
- Mobile Channel: This flow allows to process and check enrollments statuses in a mobile device
- CSR Channel: This flow allows you to review order status and give feedback of any issue during the order creation and evolution lifetime
- Agent Onboarding Channel: this flow allow you can add in an easy way new member to you team ensuring that they acquire the necessary knowledge, skills, and behaviors to become effective organizational members.
Vault Audit and Operations:
- Talent Management Module: Invite, onboard and enable Agents to work with the ES4 platform
- Order Management Module: Review order status summary and audit information.
- Real Time Review Backoffice Module: Capture and review of customer information, plans, and identity verification.
- Quality Assurance Module: This module enables different check and balance rules that allow to detect potential inconsistencies in operations behavior and notify the administrators for further analysis
- Vault Insights Module (new): Analytics dashboards that show the overall operation activity through different channels.
SECURITY PROGRAM AND RISK GOVERNANCE
The Emerios security program is designed to protect the entire Emerios Platform. Each component takes advantage of common application development security best practices as well as infrastructure security and high availability designs and configurations. Emerios works hard to maintain the privacy of data our Clients entrust with us and as such, we put our security program in place to protect it and use it ONLY to provide the Emerios service to our Clients. We never share data across customers, and we never sell it.
Emerios invests the appropriate resources and controls to protect the platform that services our customers. This includes the implementation of critical security systems and a dedicated security personnel.
The GRCS Team is responsible for the Company’s comprehensive Governance, Risk, Compliance & Security program. This team is responsible for implementing and managing the Emerios security framework as well as providing a support structure to facilitate effective risk management. It is responsible for defining new controls and reviewing, modifying existing ones as part of continuous improvement processes.
Our Chief Security Officer (CSO/COO) manages the Security Team.
OUR SECURITY AND RISK MANAGEMENT OBJECTIVES
Our security framework has been developed using industry standard best practices. Our key objectives include:
delivering best in class services while proving the ability to protect the privacy and confidentiality of our Clients their information.
ensuring that our Clients and their Customers information is never altered outside of standard business requirements approved by the client and never corrupted.
ensuring ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity
implement controls and processes to align with current regulatory and industry best practice guidance. Our security program is designed around best practices and standards such as NIST, CIS.
SECURITY OBJECTIVES AND CONTROLS
We have implemented an array of security controls to minimize risk while allowing our staff to perform at their best. The following sections provides a small, but key, sample of our service and controls:
THE EMERIOS PLATFORM
Emerios outsources hosting of its product infrastructure to leading datacenter colocation providers. Principally, the Emerios Platform uses Switch and Intelishift for infrastructure hosting with all production services operating out of the continental United States of America. These provide vendor and geographic diversity and high levels of physical and network security and both providers maintain an audited security program, including HIPAA, SOC 2, PCI compliance and more. Emerios does not host any production software systems within its corporate offices.
These colocation providers leverage advanced infrastructure such as power, networking, and security. These facilities guarantee uptime 99.95% and 100% and ensure redundancy to all power, network, and heating, ventilation, and air conditioning services.
Physical access as well as logical access through public and private networks is highly restricted in order to eliminate any unwanted interruptions in our service to our Clients and their workforce.
The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II certifications.
Certifications are available at the following locations:
Switch maintains certifications and AOC’s for: HIPAA, PCI, SOC, NIST, ISO 27001_2013
INTELISHIFT (SIDUS): https://sidusgroup.com/data-centers/compliance/
Intelishift maintains certifications and AOC’s for: HIPAA, PCI, SOC
Intelishift was acquired by the SIDUS group in late 2021 and is currently transitioning ownership.
NETWORK SECURITY & PERIMETER PROTECTION
The Emerios Platform infrastructure is built with security in mind. In particular, network security protections are designed to prevent unauthorized network access and includes the use of enterprise-grade routing and network access control lists as part of the firewall system.
Network-level access control lists are implemented using security groups and firewall rules, which applies port- and address-level protections to each of the server instances in the infrastructure. This allows for finely grained control for network traffic from a public network as well as between server instances on the interior of the infrastructure. Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate.
Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.
Potential security events are prevented with a consistent, and well-designed access control model. Access to Emerios systems are strictly controlled. Emerios staff members are granted access to corporate services, and product infrastructure based on their jobs, using a role-based access control model.
For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs require it. For emergency access and access to administrative functions, the technical staff is required to authenticate first through a "jump box" before accessing pre-production and production environments. Server-level authentication uses Active Directory and token-based two factor authentication. Connecting via insecure protocols is prohibited.
CONFIGURATION & CHANGE MANAGEMENT
Emerios maintains a Configurations & Standards process. Emerios uses automated systems to detect application and configuration changes, managed deploys and activations. Each package we deploy to production is versioned with the ability to roll back through our release management system at the platform application level.
IT Changes to the configuration and standard images are managed through a controlled change management process.
Each system type within Emerios production environments includes its own hardened configuration – using industry standard best practices as recommended by CIS and NIST.
Systems are kept up to date with critical system updates/patches and reviewed frequently for compliance.
ALERTING & MONITORING
Emerios invests heavily in monitoring, alerting and response technologies to continuously address potential issues. The Emerios Platform infrastructure is tuned to alert our administrators and management when anomalies occur. Error rates, application attacks, process terminations, etc and other anomalies trigger automatic responses and alerts to the appropriate teams to engage, investigate and resolve the issue.
The power behind Emerios’ ability to detect and respond to anomalies is our 24x7x365 monitoring program and extensive logging.
Our systems capture and store logs that include all the technologies that comprise our products. In the infrastructure back-end, we log authentication failures, unexpected changes for operating systems, infrastructure health and more. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
WEB APPLICATION DEFENSES
As part of its commitment to protecting Client and Customer data and portals, Emerios implemented an industry recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at the Emerios Platforms. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, improving availability.
DEVELOPMENT & RELEASE MANAGEMENT
One of greatest advantages of the Emerios platform is our agile/rapid deployments. We are continuously innovating and improving our products and services.
The development teams perform code reviews and quality assurance is performed by specialized teams of engineers with intimate knowledge of the Emerios platform. All code is tracked in a ticketing system and approval is controlled at the Senior Management level in a proper change management lifecycle. When the code passes all testing, the package is deployed across the application tier.
All code deployments create archives of existing production-grade code in case failures are detected. If a failure occurs, rollback is immediately performed.
VULNERABILITY SCANNING, PENETRATION TESTING
The Emerios Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack.
We perform vulnerability scanning and penetration testing activities against ourselves on a regular basis and includes vulnerability scanning against our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run on a regular basis against the Emerios Platform.
External vulnerability scans are performed by an independent Approved Scanning Vendor (ASV)
The goal of these programs is to iteratively identify flaws that present security risk and rapidly address any issues. Penetration tests are performed against the application layers and network layers of the Emerios technology stack, and penetration testers are given internal access to the Emerios Platform and/or corporate networks in order to maximize the kinds of potential vectors that should be evaluated. In addition to internal vulnerability scanning and independent penetration testing,
CLIENT AND CUSTOMER DATA PROTECTION
CONFIDENTIAL INFORMATION IN THE EMERIOS PLATFORMS
The information collected in with our products is data gathered through our client’s use of mobile and web applications, our API, and secure file transfer protocols. At this time, the Emerios Platform is not used to collect or capture sensitive data such as credit or debit card numbers or personal financial account information. Social Security numbers, driver’s license numbers or similar identifiers, or employment information may be collected depending on our client’s needs.
CREDIT CARD INFORMATION PROTECTION
Emerios does not process credit card transactions and Emerios does not store, process or collect credit card information submitted by our Clients workforce using our tools. The applications and API’s we use are handled by trusted PCI compliant payment processing services. This ensures that security of our Client’s Customer data, reduces liability for us while ensuring card information is processed under our Clients business agreements and any applicable Laws & Regulations.
All sensitive interactions with the Emerios Platforms (e.g., API calls, login, authenticated sessions to the customer's portal, etc.) are encrypted in-transit and at rest. The physical and virtualized hard drives used by Emerios Platform server instances as well as long-term storage solutions use high-bit encryption. Additionally, production database information is encrypted at rest, based on the sensitivity of the information. For instance, non-Active Directory user passwords are hashed, and certain email features work by providing an additional level of both at-rest and in-transit encryption.
USER AUTHENTICATION & AUTHORIZATION
The Emerios Platforms enforce a uniform, complex password policy. In a multi-tenant environment, the minimum requirement is fixed and cannot be changed on a per-client basis.
Clients can assign finely grained permissions to the users in their portals and limit access to the portal’s content and features.
For more information about user roles, please see the Emerios User Roles and Permissions Guide.
API (Application programming interface) access requires authentication and authorization.
Emerios’ OAUTH implementation is a stronger approach to authenticating and authorizing API requests. Additionally, OAUTH is required of all featured integrations. Authorization for OAUTH-enabled requests is established through defined scopes. For more information about API use, please see the Developers portal at Emerios.com.
EMERIOS STAFF ACCESS
Emerios controls individual access to data systems within its production and corporate environment. A very small subset of Emerios’ team members are granted access to production data based on their role in the company through role-based access controls (RBAC).
Engineers and members of Operations teams may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyze information for product investment decisions as well as product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose jobs require that access, and access is reviewed on a continual basis. Customer Support, Services, and other customer engagement staff with a need-to-know may be granted access.
DATA RETENTION POLICY
Client and Customer data is retained for as long as you remain a customer and until impractical, your data will remain in the Emerios system indefinitely. Former customers’ core data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. In general, former customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages itself from the repositories as the data lifecycle occurs. Emerios reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
PRIVACY PROGRAM MANAGEMENT
BUSINESS CONTINUITY & DISASTER RECOVERY
Emerios maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems, and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, Emerios’ goal is to quickly and transparently isolate and address the issue.
SYSTEM AVAILABILITY & RECOVERY
Business continuity testing is part of Emerios business process. We use procedures to recover from impaired environments and other failures easily.
Emerios primarily relies on infrastructure redundancy, real time replication and backups. Critical Emerios Platform services are built with full redundancy. Server infrastructure is strategically distributed across geographically diverse zones with our infrastructure providers, and all web, application, and database components are deployed with in each datacenter colocation.
Emerios ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
- Customer (production) data is backed up leveraging online replicas of data for immediate data protection. 14 days of backups are kept for any database in a way that ensures restoration can occur easily. Real-time replication is used for High Availability. All production data sets (related to files) are stored on a distributed file storage system.
- Emerios does also not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
- By default, all backups will be protected through access control restrictions on Emerios Platform infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections
- Emerios logs all media transported to and from our datacenter colocations.
EMERIOS CORPORATE SECURITY
INTERNAL STAFF AUTHENTICATION & AUTHORIZATION
Emerios enforces a corporate password policy that includes settings equal to or greater than industry standard system hardening requirements. Emerios prohibits account and password sharing by multiple staff members.
Staff authenticate to the Emerios Platform infrastructure through a series of security protections including, but not limited to multiple firewalls, remote management systems and multi-factor authentication.
Emerios has automated authentication and authorization procedures for staff access to Emerios systems, including the sales platforms. Most frequently, access is granted based on a role-based access control model. Just in time access is built into automated procedures around a set of rigorous authorization mechanisms.
We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage staff events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure validating that it meets approved configurations on a 24-hours basis.
All Emerios staff undergo an extensive 3rd party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for all potential candidates for hiring. Reference verification is performed at the hiring manager's discretion. All staff receive security training within the first month of employment as part of the Emerios security program along with role-specific follow-up training. All staff must comply with Non-Disclosure Agreements and Acceptable Use Policy as part of access to corporate and production networks.
We leverage a small number of 3rd party service providers who augment the Emerios Platforms’ ability to meet your marketing and sales needs. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who provide production services to Emerios.
Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security team, General Counsel, and the business unit who owns each contract coordinate unique considerations for our providers as part of contract management.
SECURITY AWARENESS & SECURITY POLICIES
To help keep all our engineering, support, and other staff on the same page with regard to protecting your data, Emerios has developed and maintains a formal Information Security Policy. The policy covers data handling requirements, privacy considerations, among many other topics.
Multiple levels of security training are provided to Emerios staff, based on their roles and resulting access. General security awareness training is offered to all new staff and covers Emerios security requirements. Development specific training and secure coding practices is provided to the development team on a recurring basis. Technical & Development Staff are required to additional training related to their positions, which keeps our staff well trained.
Emerios maintains a ‘whistleblower policy’ that allows our team members and clients to report potential instances of fraud, abuse and waste anonymously and without the possibility of retaliation.
to aid in their development of security best practices. Awareness material (posters, blog entries, in person training) is provided on at least a quarterly basis.
The Emerios critical incident response team is available 24x7x365 to respond to all security, availability and privacy incidents that may arise. Many automated processes feed into the incident response process, including alerts for anomalies, malicious activities, privacy events and more.
In responding to any incident, we first determine if there is an exposure of information and determine the culprit in order to isolate the problem and resolve it. We communicate the Client via email to give periodic updates as needed until the incident is resolved. When complete, we perform an incident review with all involved team members, the Director of IT and our COO/CSO to determine root cause and prepare an action plan in attempts to eliminate repeat occurrences of issues.
COMPLIMENTARY USER ENTITY CONTROLS
Emerios does not wholly manage our services on behalf of our Clients and operates under a shared responsibility model. There are several aspects of use of the systems that Emerios cannot perform. This is primarily around compliance processes that is the responsibility of the parties who own the data being stored in our system.
CLIENTS ARE RESPONSIBLE FOR:
- understanding and complying with their contractual obligations to Emerios.
- notifying Emerios of changes made to technical or administrative contact information.
- maintaining their own system(s) of record.
- ensuring the supervision and control of the use of Emerios services by their personnel.
- all Identity and Access Management control of their employee and agent workforce.
- developing their own disaster recovery and business continuity plans that address the inability to access or utilize Emerios services.
- providing Emerios with a list of approvers for security and system configuration changes for data transmission.
- immediately notifying Emerios of any actual or suspected information security breaches, including compromised 'critical or administrative' user accounts and those used for integrations and secure file transfers.
- the quality, integrity of data collected on their data subjects.
- all state, federal privacy requirements (e.g. notice, choice, consent, objectives, use, disclosures) for their data subjects.
Systems that connect to the platform must be secure and if there are any security issues (ie. Security Breach) that arise on the side of the Client that could possibly jeopardize our environment or the quality and integrity of our data, the Client should contact us immediately on our 800-EMERIOS hotline to report the issue.
DATA CENTERS ARE RESPONSIBLE FOR:
- maintaining their own system(s) of record.
- notifying Emerios of changes made to technical or administrative contact methods.
- notifying Emerios of changes made to technical systems.
- notifying Emerios of problems occurring to technical systems impacting Emerios.
- managing protection of systems, security, environmental controls of their facilities in a manner compliant with PCI DSS, AICPA SOC 2 and HIPAA.
- all Identity and Access Management control of their employees and vendor workforce.
- developing their own disaster recovery and business continuity plans that address customer availability.
- maintaining updated PCI DSS, AICPA SOC 2 and HIPAA certifications annually.
- immediately notifying Emerios of any actual or suspected information security breaches, including compromised 'critical or administrative' user accounts and those used for integrations and secure file transfers.
THIRD PARTY EMERIOS SECURITY CONTROL AUDITS AND CERTIFICATIONS
Emerios has achieved the following certificates and attestations of compliance from independent, 3rd party auditors/assessors:
- AICPA SOC 2 Type II: Service Organization Controls Home Page
- PCI DSS 3.2: Payment Card Industry Home Page
Emerios agrees to maintain all applicable AICPA SOC, PCI DSS and HIPAA HiTECH controls and requirements to the extent that we possess or otherwise store, process, transmit and protect sensitive data (cardholder data, PHI, etc) on behalf of our clients.
While Emerios maintains third party certifications and attestations of compliance, these do not automatically transfer to our clients and their use of the licensed applications. They are meant to prove that our internal systems, policies, procedures, and personnel all meet or exceed the standards and controls identified as required by the various governing bodies/agencies.
For more information on the certifications and attestations on compliance that Emerios holds, or for more information on how they may apply to your Organization, please visit the links above.