Note: This is an outdated record preserved for posterity. Please review the current policy here.
MOTIVATION SCIENCE DATA SECURITY POLICY OVERVIEW
Updated December 19, 2012
The purpose of this document is to outline Motivation Science’s practices and procedures in place related to network and data security.
DATA SECURITY POLICY IN BRIEF
Motivation Science focuses on security from the ground up. Our Data Center (managed by SoftLayer Technologies, Inc.) is SAS 70 Type II certified, SSAE16 (SOC1) Compliant, and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via Two-factor Authentication over SSL. Our servers feature a 1000Mbps Hardware Firewall and run OSSEC for active intrusion monitoring. We use CloudFlare to guard against DDoS attacks, and we run weekly Nessus Vulnerability Assessments on our production environment. All access to our web portal is secured over HTTPS using 256-bit SSL encryption. Additionally, all staff members who work with customers and data receive certification as a HIPAA Privacy Associate.
DATA CENTER AND HARDWARE
All Motivation Science application and database servers are physically managed by SoftLayer Technologies Inc. in a secure Data Center in Dallas, TX. Our security procedures follow industry best practices from sources including The Center for Internet Security (CIS), Microsoft, Red Hat and others. All data center facilities are certified SSAE16 (SOC1) Compliant and have 24/7 physical security and Network Operations Center monitoring. Our servers feature a 1000Mbps Hardware Firewall and receive integrated server hardening, regular full-system virus scanning and system patching, and regular security profile reviews and upgrades.
Physical Security
All servers are located in a Data Center managed by SoftLayer Technologies Inc. that features proximity security badge access and digital security video surveillance. Motivation Science employees do not have access to physical server hardware.
Data Access and Server Management Security
Motivation Science has SSL and PPTP VPN as well as dedicated VLAN connections to our hosting environment. SSL access to the network uses multi-factor authentication from the VeriSign Identity Protection (VIP) Authentication Service, requiring users to present a credential such as a hardware security token or security card in addition to a username and password. The SSL VPN configuration is certificate-based, and only white-listed IP addresses can access the network. Only select Motivation Science employees are able to access the server network.
Environmental Safeguards
Our Data Center in Dallas, TX features the following environmental safeguards: 6 x 750 kVA UPS battery backup units, 3 x 2 MW diesel generators with on-site fuel storage, redundant Liebert 30-ton HVAC units, and pre-action dry pipe fire suppression. Additionally, we maintain a backup server located in Washington, D.C. that is ready to go online in the event of a disaster that renders our facility in Dallas, TX inoperable.
DATA STORAGE AND BACKUPS
Motivation Science production servers are partitioned using RAID 5 with 24-hour disk backup of all data files. Database backups use a fully disk-based solution (disk-to-disk-to-disk), and full system backups, including database log files, are performed hourly, daily and weekly. Hourly backups are retained for 24 hours, daily backups are retained for 7 days, and weekly backups are retained for 52 weeks. Backup services are provided and hosted by SoftLayer Technologies Inc. The most recent database backup is loaded and tested in a virtual production environment on the first Tuesday of every month to verify data integrity and the ability to successfully recover data.
Client Data Policies
Customer Data includes data stored by customers in Motivation Science, information about a customer’s usage of the application, data in their instances of the CRM system that we have access to, and data that the customer has supplied to us for support or implementation. Here are the special considerations we take into account when managing Customer Data:
- Customer Data is not to be disclosed outside of Motivation Science, except to the customer who owns the data or to a Partner who has been contracted by the customer to manage or support their account.
- Customer Data should only be shared using a secure sending method. Approved sending and sharing methods include Dropbox, Google Drive, emailing of encrypted files or use of a Customer-provided secure transfer method.
- Customer Data should only be stored temporarily outside of the Motivation Science Application, if at all. If you need to archive Customer Data (for example, data provided by a client during implementation or training), please store it on a central file server and delete it from your laptop or desktop. This includes report exports, contact lists, presentations that contain customer information, and customer agreements.
- Customer Data should only be accessed on a need-to-know basis. Specifically, a customer’s account should only be accessed to provide support, to troubleshoot a problem with that account, or to support the system as a whole.
- Customer Data should never be changed except with the explicit permission of the customer, with the exception of repairing data quality issues.
Destruction of Server Data
In order to maintain system integrity, data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed.
Disposal of Computers and Other Data
Old computers and servers receive a 7-pass erase that meets the U.S. Department of Defense 5220.22-M standard for erasing magnetic media; the devices are then recycled or resold to manufacturers. Paper information in the office is discarded using a cross-cut shredder or a commercial secure document shredding service.
INTRUSION DETECTION AND INCIDENT RESPONSE
Our servers run OSSEC to actively monitor for intrusions. OSSEC provides host-based intrusion detection (HIDS), log monitoring and SIEM (Security Information and Event Management) functions. Additionally, we use CloudFlare to securely manage our DNS; CloudFlare monitors for and blocks DDoS attacks and other threats (cross-site scripting, SQL injection, comment spam, excessive bot crawling, email harvesters).
Incident Response
Motivation Science security administrators will be immediately and automatically notified via email if OSSEC, CloudFlare, or other implemented security controls detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and determining its nature, with the following goals:
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Customers of an Incident
Customers will be notified via email within one hour of detection of any incident that compromises access to the service, compromises data, or otherwise affects users. Customers will receive a status update every 4 hours and upon incident resolution.
APPLICATION SECURITY
All data transfer and access to Motivation Science applications will occur only on Port 443 over an HTTPS encrypted connection with 256-bit SSL encryption.
System Updates and Security Patches
As a hosted solution, we regularly improve our system and apply security patches. No client resources are needed to perform these updates. Non-critical system updates will be installed at pre-determined times (typically 2:00 a.m. Eastern on Thursdays). Critical security patches will be applied at 2:00 a.m. Eastern time the day after notification to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before deployment.
Vulnerability and Security Testing
Motivation Science performs Nessus Vulnerability Assessments and creates external security reports of our production environment weekly at 3:00 a.m. Thursdays. Additional internal security testing is performed on the testing environment before code is checked into a master repository.
User Login and Session Security
Individual-level users and company administrators are subject to a strict Access Control Level security implementation, meaning that a user can only access his/her own data. All account and user related data are encrypted using AES-128. Every account has its own unique identifier used to encrypt and decrypt its data. Company administrators use a wholly separate application to manage population data, ensuring they will never be able to see individual user data. Motivation Science customer support agents have access to the company administrator application and can view population data. Additionally, Motivation Science customer support agents can create a time-delimited, one-time use access PIN to access an individual user’s account for tech support. This access PIN expires after 15 minutes, and once used, the session can last a maximum of 30 minutes, with a session timeout after 5 minutes of inactivity.
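The support access PIN lifecycle described above (15-minute PIN expiry, single use, 30-minute session cap, 5-minute idle timeout), written up as an added example; this is not Motivation Science's code, and it assumes an injected clock in seconds and a constructed PIN identifier format.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Limits taken from the policy text, expressed in seconds.
PIN_TTL = 15 * 60       # PIN expires 15 minutes after issuance
SESSION_MAX = 30 * 60   # a redeemed session may last at most 30 minutes
IDLE_TIMEOUT = 5 * 60   # and ends after 5 minutes without activity

@dataclass
class SupportPin:
    user_id: str
    issued_at: float
    used: bool = False

@dataclass
class SupportSession:
    user_id: str
    started_at: float
    last_activity: float

class SupportAccess:
    """Issues one-time PINs and enforces the session limits. `now` is an injected clock (seconds)."""
    def __init__(self) -> None:
        self._pins: Dict[str, SupportPin] = {}
        self._sessions: Dict[str, SupportSession] = {}
        self._counter = 0

    def issue_pin(self, user_id: str, now: float) -> str:
        self._counter += 1
        pin = f"PIN-{self._counter:06d}"  # constructed identifier, not a real PIN format
        self._pins[pin] = SupportPin(user_id, now)
        return pin

    def redeem_pin(self, pin: str, now: float) -> Optional[str]:
        """Return a session id, or None if the PIN is unknown, already used, or expired."""
        rec = self._pins.get(pin)
        if rec is None or rec.used or now - rec.issued_at > PIN_TTL:
            return None
        rec.used = True  # one-time use: a replayed PIN is refused
        sid = f"SESSION-{pin}"
        self._sessions[sid] = SupportSession(rec.user_id, now, now)
        return sid

    def touch(self, session_id: str, now: float) -> bool:
        """Record activity; return False (and end the session) once either limit is exceeded."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        if now - s.started_at > SESSION_MAX or now - s.last_activity > IDLE_TIMEOUT:
            del self._sessions[session_id]
            return False
        s.last_activity = now
        return True
```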
Application Password Management
Customer user passwords must have at least 8 characters with at least one number and one letter.
Motivation Science employee application passwords must have at least 8 characters with at least one number and one letter, and either one capital letter or one special character.
HIPAA COMPLIANCE
In addition to the HIPAA compliant policies for data storage and handling above, and those set forth in the document Motivation Science Security Policy Overview, the following procedures are in place to ensure HIPAA compliance:
- All Motivation Science associates are Certified HIPAA Privacy Associates and receive annual recertification.
- Motivation Science web-based applications receive annual independent HIPAA audits.
Revision and Update History:
12/19/2012 – Document formalized based on existing practices.