Emerios Platform Security Program Overview
Emerios (or ‘The Company’) develops a broad array of enterprise software solutions including business process outsourcing, business analytics, mobile sales engagement, third party verification and workforce management via its Emerios and VMBC subsidiaries. It is a “Solution as a Service” provider, delivering specific, highly configurable solutions for businesses of all sizes from ‘Inception to Delivery’ (“I2D”). The Company operates internationally with a 100-person workforce trained to deliver rapidly on projects covering all aspects of technology, product and graphic design, marketing, competitive research, user experience, workflow management, business process management and other support services, so that its clients achieve greater market share and a strategic competitive advantage.
The Development and Quality Assurance organizations are located in Buenos Aires, Argentina. Marketing, Corporate Finance, Sales Leadership, and Executive and Account Management functions are located in the United States of America at its Aliso Viejo, CA corporate headquarters; whereas the Infrastructure (IT) Support, Talent Development (Human Resources) and Customer Support/Operations have shared responsibilities in both locations.
The Company’s Customer Engagement and Verification System is hosted from servers in two co-location data centers in Los Angeles, California and Irvine, California - separate from The Company’s headquarters.
The Company’s Customer Engagement and Verification System provides the business processes that allow applicants (“User Entities”) to purchase goods or enroll in services and to verify that the information provided is accurate - e.g. address or program eligibility. It also provides workforce engagement and compliance reporting for all supported process flows.
The Customer Engagement and Verification System can be configured through multiple channels, including:
- Mobile Applications (iOS, Android)
- Apps are developed with accessibility in mind
- Internet-based Website
- Call Center Representatives
- Interactive Voice Response Systems (IVR)
The Customer Engagement and Verification System can be configured on a client-by-client basis and tailored to industry-specific goods or services. Common system components are as follows:
- Application: personal information from “User Entities” is entered and validated by the system according to established rules
- Verification and Qualification: qualification information related to program participation - e.g. income level, State Agency approval, Whitelists and/or Blacklists. Information is submitted and verified, either through automated systems or through back-office processes
- Activation: Notifications, data submission, call center services, provisioning and delivery
- Recertification: Primarily for services. Eligibility into Programs can be reviewed - e.g. Benefits are discontinued when eligibility requirements are no longer met, or proof of eligibility cannot be obtained
The Company’s Customer Engagement and Verification System is built upon the proprietary ES4 Business Process Management Software Suite of Emerios Inc. (BBH). ES4 moves beyond models such as Platform as a Service (PaaS) and Software as a Service (SaaS) to a new model, Solution as a Service, in which the key deliverable is the final solution: the process of gathering requirements and detailing the vision for the solution produces both the Service and its supporting documentation.
ES4 is founded on a system of Blocks, heavily-tested and fully-configurable code supporting specific individual tasks and commands that are subsequently linked together to produce a given Service. This combination of Blocks and Services results in a custom Application that does not require a vast number of hours of new coding to achieve the product requirements. This allows for very fast, cost-effective, and user-friendly solutions to complex business processes with quick and easy manipulation of business models with our dynamic “drag and drop” process configuration system.
ES4 is a workflow management tool; an enrollment and verification system; the foundation for tablet applications that can be used by widespread teams to track and update data on a real-time basis; a platform for creating and updating mobile applications without having to constantly resubmit for app store approvals; and much more.
The ES4 suite offers additional modules of custom productivity tools that ensure continued optimal maintenance, guaranteeing long-term viability as program objectives and rules change. These tools include:
- A Business Process tool that enables analysts to develop independent sets of business rules
- A Configuration Manager web tool that provides intuitive point-and-click configuration of the modules, to modify settings for security, encryption, application interface credentials and local configuration on behalf of the Client
- A Report Authoring Tool that enables users to dynamically build, test, publish custom reports leveraging prebuilt reports, ad-hoc queries and executive dashboards
- A Service Level Monitor that effectively manages the monitoring of service levels and quality of service of all applications and transactions being processed within the ES4 framework
- The ES4 platform is exclusively available for use by the BBH’s family of companies
The Emerios Platforms are offered as Software-as-a-Service (SaaS) solutions. These solutions are available to customers through purpose-built web applications, application programming interfaces (APIs), and email plugins.
SECURITY PROGRAM AND RISK GOVERNANCE
The Emerios security program is designed to protect the entire Emerios Platform. Each component takes advantage of common application development security best practices as well as infrastructure security and high availability designs and configurations. Emerios works hard to maintain the privacy of data our Clients entrust with us and as such, we put our security program in place to protect it and use it ONLY to provide the Emerios service to our Clients. We never share data across customers and we never sell it.
Emerios invests appropriate resources and controls to protect the platform that serves our customers, including critical security systems and dedicated security personnel.
The GRCS Team is responsible for the Company’s comprehensive Governance, Risk, Compliance & Security program. This team implements and manages the Emerios security framework and provides a support structure to facilitate effective risk management. It is responsible for defining new controls and for reviewing and modifying existing ones as part of continuous improvement processes.
Our Chief Security Officer (CSO/COO) manages the Security Team.
OUR SECURITY AND RISK MANAGEMENT OBJECTIVES
Our security framework has been developed using industry standard best practices. Our key objectives include:
Customer Protection & Trust – delivering best-in-class services while proving the ability to protect the privacy and confidentiality of our Clients and their information.
Service & Information Integrity – ensuring that our Clients’ and their Customers’ information is never altered outside of standard business requirements approved by the Client, and never corrupted.
Availability & Continuity of Service – ensuring ongoing availability of the service and data to all authorized individuals, and proactively minimizing the security risks threatening service continuity.
Compliance with Standards – implementing controls and processes that align with current regulatory and industry best-practice guidance. Our security program is designed around best practices and standards such as NIST and CIS.
SECURITY OBJECTIVES AND CONTROLS
We have implemented an array of security controls to minimize risk while allowing our employees to perform at their best. The following sections provide a small, but key, sample of our services and controls:
THE EMERIOS PLATFORM
Emerios outsources hosting of its product infrastructure to leading datacenter colocation providers. Principally, the Emerios Platform uses Switch and Hosting.com (rebranded to NTirety/Intelishift) for infrastructure hosting with all production services operating out of the continental United States of America. These provide vendor and geographic diversity and high levels of physical and network security and both providers maintain an audited security program, including SOC 2 compliance. Emerios does not host any production software systems within its corporate offices.
These colocation providers offer advanced infrastructure for power, networking, and security. The facilities carry uptime guarantees of 99.95% and 100% and provide redundancy for all power, network, and heating, ventilation and air conditioning services.
Physical access as well as logical access through public and private networks is highly restricted in order to eliminate any unwanted interruptions in our service to our Clients and their workforce.
The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II certifications.
Certifications are available at the following locations:
- SWITCH: https://www.switch.com/audit-reports/
- Switch maintains certifications and AOCs for: HIPAA, PCI, SOC, NIST, ISO 27001:2013
- HOSTING/NTIRETY: https://www.ntirety.com/?s=certification
- HOSTING/NTIRETY maintains certifications and AOCs for: HIPAA, PCI, SOC
NETWORK SECURITY & PERIMETER PROTECTION
The Emerios Platform infrastructure is built with security in mind. In particular, network security protections are designed to prevent unauthorized network access and include the use of enterprise-grade routing and network access control lists as part of the firewall system.
Network-level access control lists are implemented using security groups and firewall rules, which apply port- and address-level protections to each of the server instances in the infrastructure. This allows fine-grained control of network traffic from the public network as well as between server instances in the interior of the infrastructure. Within the infrastructure, internal network restrictions provide a many-tiered approach to ensuring that only the appropriate types of devices can communicate with each other.
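The tiered, default-deny model described above can be made concrete with a small rule evaluator. This is an added example and not Emerios’ firewall configuration: the tier names, address ranges, ports and the allow-list are constructed assumptions. The point it demonstrates is that interior flows are only permitted tier-to-tier on explicit ports (public reaches only the web tier, the web tier cannot reach the database tier directly, and administrative SSH originates only from the jump tier), and that any flow not on the list is denied.

```python
"""Tiered network ACL evaluation.

Added example; this is not Emerios' firewall configuration. Tier names,
address ranges, ports and the allow-list are constructed assumptions.
A stateful firewall is assumed, so only the initiating direction of a
flow is listed and replies are admitted implicitly.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    proto: str
    port: int


# Constructed tier map. "public" is the catch-all for anything outside the
# internal ranges; the most specific matching network wins.
TIERS = {
    "public": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
    "jump": ipaddress.ip_network("10.10.9.0/28"),
}

# Allow-list of initiating flows. Note what is absent: nothing reaches "db"
# except "app" and "jump", and the public internet only reaches "web" on 443.
ALLOW = frozenset({
    Rule("public", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 1433),
    Rule("jump", "web", "tcp", 22),
    Rule("jump", "app", "tcp", 22),
    Rule("jump", "db", "tcp", 22),
})


def tier_of(addr):
    """Return the tier whose network most specifically contains addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in TIERS.items():
        if ip in net and (best is None or net.prefixlen > TIERS[best].prefixlen):
            best = name
    return best


def evaluate(src, dst, proto, port):
    """Decide a single initiating flow; returns (allowed, reason)."""
    s, d = tier_of(src), tier_of(dst)
    rule = Rule(s, d, proto.lower(), int(port))
    if rule in ALLOW:
        return True, f"{s}->{d} {rule.proto}/{rule.port} allowed by rule"
    return False, f"{s}->{d} {rule.proto}/{rule.port} denied (default deny)"


def is_allowed(src, dst, proto, port):
    return evaluate(src, dst, proto, port)[0]


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.10.1.10", "tcp", 443),
                 ("10.10.1.4", "10.10.3.10", "tcp", 1433),
                 ("10.10.9.2", "10.10.3.10", "tcp", 22)]:
        print(flow, evaluate(*flow))
```

Each change to ALLOW is a reviewable, testable diff, which is what a change-control process for firewall rules needs: a proposed rule can be exercised against the flows it must permit and the flows it must continue to deny before it is applied.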
Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.
Potential security events are prevented with a consistent, well-designed access control model. Access to Emerios systems is strictly controlled: Emerios employees are granted access to corporate services and product infrastructure based on their jobs, using a role-based access control model.
For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs require it. For emergency access and access to administrative functions, technical staff are required to authenticate first through a “jump box” before accessing pre-production and production environments. Server-level authentication uses Active Directory and token-based two-factor authentication. Connecting via insecure protocols is prohibited.
CONFIGURATION & CHANGE MANAGEMENT
Emerios maintains a Configurations & Standards process and uses automated systems to detect application and configuration changes and to manage deployments and activations. Each package deployed to production is versioned and can be rolled back through our release management system at the platform application level.
IT Changes to the configuration and standard images are managed through a controlled change management process.
Each system type within Emerios production environments includes its own hardened configuration – using industry standard best practices as recommended by CIS and NIST.
Systems are kept up to date with critical system updates/patches and reviewed frequently for compliance.
ALERTING & MONITORING
Emerios invests heavily in monitoring, alerting and response technologies to continuously address potential issues. The Emerios Platform infrastructure is tuned to alert our administrators and management when anomalies occur. Error rates, application attacks, process terminations and other anomalies trigger automatic responses and alerts to the appropriate teams to engage, investigate and resolve the issue.
The power behind Emerios’ ability to detect and respond to anomalies is our 24x7x365 monitoring program and extensive logging.
Our systems capture and store logs that include all the technologies that comprise our products. In the infrastructure back-end, we log authentication failures, unexpected changes for operating systems, infrastructure health and more. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
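As an illustration of the kind of real-time rule that turns authentication-failure logs into an escalation, the following added example (not Emerios’ monitoring tooling) runs over a handful of constructed syslog-style sshd lines. A burst of failed logins from one source inside a sliding window raises a medium alert; a successful login from a source that was already flagged raises a high alert, which is the case that warrants waking someone up. The log format, thresholds and hostnames are assumptions.

```python
"""Authentication-failure detection over syslog-style sshd lines.

Added example, not Emerios' monitoring tooling. Log lines, the
threshold and the window are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: a password-guessing burst from 203.0.113.7 that ends in a
# successful login, plus a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z jump01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 5123 ssh2
2024-05-01T10:00:04Z jump01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 5123 ssh2
2024-05-01T10:00:09Z jump01 sshd[4022]: Failed password for root from 203.0.113.7 port 5130 ssh2
2024-05-01T10:00:15Z jump01 sshd[4023]: Failed password for invalid user oracle from 203.0.113.7 port 5141 ssh2
2024-05-01T10:00:17Z jump01 sshd[4024]: Failed password for svc_deploy from 203.0.113.7 port 5150 ssh2
2024-05-01T10:00:20Z jump01 sshd[4025]: Failed password for jdoe from 198.51.100.3 port 41022 ssh2
2024-05-01T10:00:31Z jump01 sshd[4026]: Accepted password for jdoe from 198.51.100.3 port 41023 ssh2
2024-05-01T10:00:45Z jump01 sshd[4027]: Accepted password for svc_deploy from 203.0.113.7 port 5162 ssh2
2024-05-01T10:00:46Z jump01 sshd[4027]: pam_unix(sshd:session): session opened for user svc_deploy by (uid=0)
"""


def parse(line):
    """Return a dict for login-outcome lines, None for everything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines, threshold=5, window_s=60):
    """Sliding-window burst detection per source address, with escalation."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources that already tripped the burst rule
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = failures[ev["src"]]
        # drop failures that have fallen out of the sliding window
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "src": ev["src"], "host": ev["host"],
                               "reason": f"{len(q)} failed logins within {window_s}s"})
        elif ev["src"] in flagged:
            # success after a guessing burst: treat as probable compromise
            alerts.append({"severity": "high", "src": ev["src"], "host": ev["host"],
                           "user": ev["user"],
                           "reason": "successful login from a source flagged for password guessing"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The single mistyped password from 198.51.100.3 never reaches the threshold and produces nothing, which is the behaviour a rule like this needs if it is to be paged on rather than tuned out.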
WEB APPLICATION DEFENSES
As part of its commitment to protecting Client and Customer data and portals, Emerios has implemented an industry-recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at the Emerios Platforms. The rules used to detect and block malicious traffic are aligned to the best-practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, improving availability.
DEVELOPMENT & RELEASE MANAGEMENT
One of the greatest advantages of the Emerios platform is our agile, rapid deployment model. We are continuously innovating and improving our products and services.
The development teams perform code reviews and quality assurance is performed by specialized teams of engineers with intimate knowledge of the Emerios platform. All code is tracked in a ticketing system and approval is controlled at the Senior Management level in a proper change management lifecycle. When the code passes all testing, the package is deployed across the application tier.
All code deployments create archives of existing production-grade code in case failures are detected. If a failure occurs, rollback is immediately performed.
VULNERABILITY SCANNING, PENETRATION TESTING
The Emerios Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack.
We perform vulnerability scanning and penetration testing activities against our own environment on a regular basis, including vulnerability scanning of our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run on a regular basis against the Emerios Platform.
External vulnerability scans are performed by an independent Approved Scanning Vendor (ASV).
The goal of these programs is to iteratively identify flaws that present security risk and to address them rapidly. Penetration tests are performed against the application and network layers of the Emerios technology stack, and penetration testers are given internal access to the Emerios Platform and/or corporate networks in order to maximize the range of potential attack vectors evaluated. In addition to internal vulnerability scanning and independent penetration testing,
CLIENT AND CUSTOMER DATA PROTECTION
CONFIDENTIAL INFORMATION IN THE EMERIOS PLATFORMS
The information collected with our products is data gathered through our Clients’ use of mobile and web applications, our API, and secure file transfer protocols. At this time, the Emerios Platform is not used to collect or capture sensitive financial data such as credit or debit card numbers or personal financial account information. Social Security numbers, driver’s license numbers or similar identifiers, or employment information may be collected depending on our Client’s needs.
CREDIT CARD INFORMATION PROTECTION
Emerios does not process credit card transactions, and Emerios does not store, process or collect credit card information submitted by our Clients’ workforce using our tools. Payment functions in the applications and APIs we use are handled by trusted PCI-compliant payment processing services. This ensures the security of our Clients’ Customer data and reduces liability for us, while ensuring card information is processed under our Clients’ business agreements and any applicable laws and regulations.
All sensitive interactions with the Emerios Platforms (e.g., API calls, login, authenticated sessions to the customer’s portal) are encrypted in transit with TLS 1.2 and 256-bit cipher keys, or stronger.
Emerios leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by Emerios Platform server instances, as well as long-term storage solutions, use AES-256 encryption. Additionally, production database information is encrypted at rest based on the sensitivity of the information. For instance, non-Active Directory user passwords are stored only as hashes, and certain email features provide an additional level of both at-rest and in-transit encryption.
USER AUTHENTICATION & AUTHORIZATION
The Emerios Platforms enforce a uniform password policy. The password policy requires a minimum of 12 characters that include a combination of lower and upper-case letters, special characters, whitespace, and numbers. The minimum requirement cannot be changed on a per-client basis.
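The two statements above that a practitioner would want to see enforced in code are the platform password policy (minimum 12 characters drawn from lower-case, upper-case, special/whitespace and numeric classes) and, under Client and Customer Data Protection, the storage of non-Active Directory passwords as hashes. The following is an added example and not Emerios’ implementation. It treats whitespace as satisfying the special-character class (a reading of the policy, not something the page states), uses PBKDF2-HMAC-SHA256 with a per-password random salt and a self-describing stored format, and verifies in constant time; the algorithm and iteration count are assumptions.

```python
"""Password policy enforcement and salted password hashing.

Added example, not Emerios' code. The policy reading (whitespace counts as
a special character), the PBKDF2-HMAC-SHA256 choice and the iteration count
are assumptions.
"""
import base64
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # assumption; tune so one hash costs ~100-300 ms
SALT_BYTES = 16


def policy_violations(password):
    """Return a list of human-readable policy failures (empty means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation or c.isspace() for c in password):
        problems.append("no special character or whitespace")
    return problems


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Hash with a fresh random salt; algorithm and parameters travel with the hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(password):
    """Enrol a credential: reject policy violations, otherwise return the hash to store."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = register("Correct Horse Battery 1")
    print(record)
    print(verify_password("Correct Horse Battery 1", record))
```

Because the iteration count is embedded in each record, the cost parameter can be raised later and old records re-hashed on the user’s next successful login without a migration of the whole table.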
Clients can assign finely grained permissions to the users in their portals and limit access to the portal’s content and features.
For more information about user roles, please see the Emerios User Roles and Permissions Guide.
API (Application Programming Interface) access is enabled through either API key or OAuth 2.0 authentication and authorization.
Emerios’ OAuth 2.0 implementation is the stronger approach to authenticating and authorizing API requests, and OAuth is required for all featured integrations. Authorization for OAuth-enabled requests is established through defined scopes, so a token is accepted only for the operations its scopes cover. For more information about API use, please see the Developers portal at Emerios.com.
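To show why scope-based OAuth authorization is the stronger of the two credential types, the following added example (not the Emerios API) authenticates a request by bearer token or API key and then enforces the scope an endpoint requires. A bearer token is bound to a client, an expiry and an explicit scope set, so a valid token still cannot call an endpoint outside its scopes. The header names, token and key values, scope names and the in-memory credential store are constructed assumptions; a real deployment would introspect tokens against the authorization server rather than hold them locally.

```python
"""API authorization by OAuth 2.0 scope or API key.

Added example, not the Emerios API. Header names, token and key values,
scope names and the in-memory credential store are constructed assumptions.
"""
import hashlib
import hmac
import time


def _digest(secret):
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Credential stores keyed by SHA-256 of the secret so raw secrets are never held.
BEARER_TOKENS = {
    _digest("tok_crm_7f3a"): {"client": "crm-sync", "exp": 1_800_000_000,
                              "scopes": {"enrollments:read", "enrollments:write"}},
    _digest("tok_rpt_2c91"): {"client": "legacy-report", "exp": 1_600_000_000,
                              "scopes": {"reports:read"}},
}
# API keys carry a fixed, coarse scope set and no expiry (assumption).
API_KEYS = {
    _digest("key_sftp_9d1e"): {"client": "sftp-gateway", "scopes": {"reports:read"}},
}


def _lookup(store, secret):
    """Find a record by secret without short-circuiting string comparisons."""
    wanted = _digest(secret)
    found = None
    for stored_digest, record in store.items():
        if hmac.compare_digest(wanted, stored_digest):
            found = record
    return found


def authenticate(headers, now):
    """Return (principal, reason); principal is None when authentication fails."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        rec = _lookup(BEARER_TOKENS, auth[len("Bearer "):])
        if rec is None:
            return None, "unknown token"
        if rec["exp"] <= now:
            return None, "token expired"
        return {"client": rec["client"], "scopes": rec["scopes"], "method": "oauth2"}, "ok"
    key = headers.get("X-API-Key")
    if key:
        rec = _lookup(API_KEYS, key)
        if rec is None:
            return None, "unknown api key"
        return {"client": rec["client"], "scopes": rec["scopes"], "method": "api_key"}, "ok"
    return None, "no credentials"


def authorize(headers, required_scope, now=None):
    """Authenticate, then enforce the scope the endpoint requires."""
    now = time.time() if now is None else now
    principal, reason = authenticate(headers, now)
    if principal is None:
        return False, reason
    if required_scope not in principal["scopes"]:
        return False, f"{principal['client']} lacks scope {required_scope}"
    return True, principal["client"]


if __name__ == "__main__":
    now = 1_700_000_000
    print(authorize({"Authorization": "Bearer tok_crm_7f3a"}, "enrollments:write", now))
    print(authorize({"Authorization": "Bearer tok_crm_7f3a"}, "reports:read", now))
    print(authorize({"X-API-Key": "key_sftp_9d1e"}, "reports:read", now))
```

The denial reasons are returned to the caller for logging; the HTTP response to the client should carry only a generic 401/403 so that an attacker cannot distinguish an unknown token from an expired one.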
EMERIOS EMPLOYEE ACCESS
Emerios controls individual access to data systems within its production and corporate environment. A subset of Emerios’ employees are granted access to production data based on their role in the company through role-based access controls (RBAC).
Engineers and members of Operations teams may be granted access to various production systems as a function of their role. Common access needs include alert response and troubleshooting, analysis of information for product investment decisions, and product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose jobs require it, and access is reviewed on a continual basis. Customer Support, Services, and other customer engagement staff with a need to know may be granted access.
DATA RETENTION POLICY
Client and Customer data is retained for as long as the Client remains a customer; unless retention becomes impractical, the data remains in the Emerios system for the whole of that period. Former customers’ core data is removed from live databases upon the customer’s written request or after an established period following the termination of all customer agreements; in general, former customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead ages out of those repositories as the data lifecycle runs its course. Emerios reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
PRIVACY PROGRAM MANAGEMENT
BUSINESS CONTINUITY & DISASTER RECOVERY
Emerios maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, Emerios’ goal is to quickly and transparently isolate and address the issue.
SYSTEM AVAILABILITY & RECOVERY
Business continuity testing is part of Emerios business process. We use procedures to recover from impaired environments and other failures easily.
Emerios primarily relies on infrastructure redundancy, real-time replication and backups. Critical Emerios Platform services are built with full redundancy. Server infrastructure is strategically distributed across geographically diverse zones with our infrastructure providers, and all web, application, and database components are deployed within each datacenter colocation.
Emerios ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
- Customer (production) data is backed up leveraging online replicas of data for immediate data protection. 14 days of backups are kept for any database in a way that ensures restoration can occur easily. Real-time replication is used for High Availability. All production data sets (related to files) are stored on a distributed file storage system.
- Emerios also does not generally produce or use other kinds of hard-copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
- By default, all backups will be protected through access control restrictions on Emerios Platform infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections
- Emerios logs all media transported to and from our datacenter colocations.
EMERIOS CORPORATE SECURITY
EMPLOYEE AUTHENTICATION & AUTHORIZATION
Emerios enforces an industry-standard corporate password policy. That policy requires changing passwords at least every 90 days. It also requires a minimum password length of 12 characters and complexity requirements including special characters, upper and lower-case characters, and numbers. Emerios prohibits account and password sharing by multiple employees.
Employees authenticate to the Emerios Platform infrastructure Active Directory through a “jump box”. The password policy requires 12 characters, including upper- and lower-case letters and special characters. Additionally, many of the capabilities we use to build the Emerios Platforms leverage multi-factor authentication or are protected by single sign-on solutions that enforce multi-factor authentication.
Emerios has automated authentication and authorization procedures for employee access to Emerios systems, including the sales platforms. Most frequently, access is granted based on a role-based access control model. Just in time access is built into automated procedures around a set of rigorous authorization mechanisms.
We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage employee events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure on a 24-hour basis, validating that it meets approved configurations.
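The core of a sweep that checks whether permission grants are appropriate is a reconciliation between what the infrastructure actually grants and what each identity’s roles entitle it to. The following is an added example and not Emerios’ internal tooling: it takes a role catalogue, an identity source of truth (for instance an HR feed) and the grants a sweep observed, and emits a revocation for every grant held by an unknown or inactive identity or not implied by any assigned role, plus a list of expected grants the sweep did not find. All three inputs are constructed assumptions.

```python
"""Reconciling observed permission grants against role assignments.

Added example, not Emerios' internal tooling. The role catalogue, employee
directory and sweep output below are constructed assumptions.
"""

# Role -> entitlements (the RBAC catalogue; constructed)
ROLE_ENTITLEMENTS = {
    "sre": {"prod-ssh", "alerts-admin"},
    "dev": {"staging-ssh", "repo-write"},
    "support": {"portal-readonly"},
}

# Identity source of truth, e.g. an HR feed (constructed)
EMPLOYEES = {
    "alice": {"roles": {"sre"}, "active": True},
    "bob": {"roles": {"dev"}, "active": True},
    "carol": {"roles": {"support"}, "active": False},   # has left the company
}

# What the sweep actually found, as (identity, entitlement) pairs (constructed)
SWEEP_RESULTS = [
    ("alice", "prod-ssh"),
    ("alice", "alerts-admin"),
    ("bob", "staging-ssh"),
    ("bob", "prod-ssh"),            # granted during an incident, never removed
    ("carol", "portal-readonly"),   # account survived offboarding
    ("dave", "repo-write"),         # no employee record at all
]


def entitlements_for(employee, roles):
    """Union of everything the employee's roles grant; unknown roles grant nothing."""
    return set().union(*(roles.get(r, set()) for r in employee["roles"]))


def reconcile(employees, roles, grants):
    """Return (action, identity, entitlement, reason) for every grant that must go."""
    findings = []
    for identity, entitlement in grants:
        emp = employees.get(identity)
        if emp is None:
            findings.append(("revoke", identity, entitlement, "no employee record"))
        elif not emp["active"]:
            findings.append(("revoke", identity, entitlement, "employee inactive"))
        elif entitlement not in entitlements_for(emp, roles):
            held = ",".join(sorted(emp["roles"]))
            findings.append(("revoke", identity, entitlement, f"not implied by roles [{held}]"))
    return findings


def missing_grants(employees, roles, grants):
    """Active employees whose roles entitle them to something the sweep did not find."""
    observed = set(grants)
    out = []
    for identity, emp in employees.items():
        if not emp["active"]:
            continue
        for entitlement in sorted(entitlements_for(emp, roles)):
            if (identity, entitlement) not in observed:
                out.append((identity, entitlement))
    return out


if __name__ == "__main__":
    for f in reconcile(EMPLOYEES, ROLE_ENTITLEMENTS, SWEEP_RESULTS):
        print(f)
    print("missing:", missing_grants(EMPLOYEES, ROLE_ENTITLEMENTS, SWEEP_RESULTS))
```

Every finding carries the reason, which is the compliance evidence the text says the sweep captures; the revocations themselves would be handed to the provisioning system rather than applied from here.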
All Emerios employees undergo an extensive 3rd party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for all potential employees. Reference verification is performed at the hiring manager's discretion. All employees receive security training within the first month of employment as part of the Emerios security program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policy as part of access to corporate and production networks.
We leverage a small number of 3rd party service providers who augment the Emerios Platforms’ ability to meet your marketing and sales needs. We maintain a vendor management program to ensure that appropriate security and privacy controls are in place. The program includes inventorying, tracking, and reviewing the security programs of the vendors who provide production services to Emerios.
Appropriate safeguards are assessed relative to the service being provided and the type of data being exchanged. Ongoing compliance with expected protections is managed as part of our contractual relationship with them. Our Security team, General Counsel, and the business unit who owns each contract coordinate unique considerations for our providers as part of contract management.
SECURITY AWARENESS & SECURITY POLICIES
To help keep all our engineering, support, and other employees on the same page with regard to protecting your data, Emerios has developed and maintains a formal Information Security Policy. The policy covers data handling requirements, privacy considerations, among many other topics.
Multiple levels of security training are provided to Emerios employees, based on their roles and resulting access. General security awareness training is given to all new employees and covers Emerios security requirements. Development-specific training and secure coding practices are provided to the development team on a recurring basis. Technical & Development Staff are required to complete additional training related to their positions, which keeps our staff well trained and aids in their development of security best practices. Awareness material (posters, blog entries, in-person training) is provided on at least a quarterly basis.
Emerios maintains a ‘whistleblower policy’ that allows employees and clients to report potential instances of fraud, abuse and waste anonymously and without the possibility of retaliation.
The Emerios critical incident response team is available 24x7x365 to respond to all security, availability and privacy incidents that may arise. Many automated processes feed into the incident response process, including alerts for anomalies, malicious activities, privacy events and more.
In responding to any incident, we first determine whether information has been exposed and identify the source in order to isolate the problem and resolve it. We communicate with the Client via email, giving periodic updates as needed until the incident is resolved. When complete, we perform an incident review with all involved team members, the Director of IT and our COO/CSO to determine root cause and prepare an action plan intended to prevent a recurrence.
SECURITY RESPONSIBILITIES FOR OUR CLIENTS
Emerios does not wholly manage our services on behalf of our Clients and operates under a shared responsibility model. There are several aspects of the use of the systems that Emerios cannot perform, primarily compliance processes that are the responsibility of the parties who own the data stored in our system. Clients are responsible for:
- understanding and complying with their contractual obligations to BBH.
- notifying BBH of changes made to technical or administrative contact information.
- maintaining their own system(s) of record.
- ensuring the supervision and control of the use of BBH services by their personnel.
- all Identity and Access Management control of their employee and agent workforce.
- developing their own disaster recovery and business continuity plans that address the inability to access or utilize BBH services.
- providing BBH with a list of approvers for security and system configuration changes for data transmission.
- immediately notifying BBH of any actual or suspected information security breaches, including compromised 'critical or administrative' user accounts and those used for integrations and secure file transfers.
- the quality and integrity of data collected on their data subjects.
- all state and federal privacy requirements (e.g. notice, choice, consent, objectives, use, disclosures) for their data subjects.
THIRD PARTY EMERIOS SECURITY CONTROL AUDITS AND CERTIFICATIONS
Emerios has achieved the following certificates and attestations of compliance from independent, 3rd party auditors/assessors:
- AICPA SOC 2 Type II: Service Organization Controls Home Page
- PCI DSS 3.2: Payment Card Industry Home Page
- HIPAA/HiTech: GOV HIPAA Home Page
Please note that Emerios will discontinue annual HIPAA certification after the Company achieves advanced HiTRUST certification (2020).
Emerios agrees to maintain all applicable AICPA SOC, PCI DSS and HIPAA HiTECH controls and requirements to the extent that we possess or otherwise store, process, transmit and protect sensitive data (cardholder data, PHI, etc) on behalf of our Clients.
Emerios agrees to ensure all applications are developed in accordance to all relevant HIPAA, SOC, PCI DSS and HiTRUST requirements.
Emerios agrees to ensure all relevant HIPAA, SOC, PCI DSS and HiTRUST requirements are to be documented with any significant changes to systems and networks (new or changed).
Emerios agrees to contract only with datacenter colocation service providers who maintain AICPA SOC, PCI DSS and HIPAA certifications (or attestations) on an annual basis. If any datacenter colocation service provider fails to renew any of the aforementioned certifications/attestations within 6 months of expiration, Emerios agrees to replace the provider.
While Emerios maintains third party certifications and attestations of compliance, these do not automatically transfer to our clients and their use of the licensed applications. They are meant to prove that our internal systems, policies, procedures and personnel all meet or exceed the standards and controls identified as required by the various governing bodies/agencies.
For more information on the certifications and attestations on compliance that Emerios holds, or for more information on how they may apply to your Organization, please visit the links above.
Emerios agrees to maintain compliance and abide by the rules and regulations of the California Consumer Privacy Act and all subsequent iterations.
For more information about our products, services and/or support, look us up!