Information Security Policy
BluBØX recognizes the key role played by humans in the security of its systems. Without strict information security policies and control, no amount of technology can provide security for your data. In fact, human error and malice are two of the most frequent causes of information security breaches. That’s why BluBØX has invested in information security policy development and training, augmented by frequent internal reviews and audits.
Our corporate information policies are based on the best practices of financial institutions and managed service providers, and are vetted by industry experts to ensure that they are always complete and up-to-date.
Our third-party data centers maintain more than 10,000 security controls and compliance policies formatted for FFIEC reporting, with comprehensive practices for SSAE 16 SOC 1, SOC 2, PCI DSS, ISO 27001, Safe Harbor, Global Risk Management, BCDR, and FISMA (NIST SP 800-53).
Our data center’s accreditations are in addition to BluBØX’s own certifications on its internal controls.
BluSKY has been validated by more than a decade of information security audits and holds the Cloud Security Alliance STAR designation and Safe Harbor certification from the Department of Commerce. We conducted SAS-70 and SSAE-16 audits until 2013. We are in the process of completing our ISO 27001 audit and will comply with the evolving EU-U.S. Privacy Shield framework. BluSKY® is the only cloud-based access control system that is FIPS 201-2 approved and hosted in a FISMA moderate data center.
These audits ensure that BluBØX:
• Utilizes proper administrative controls to protect sensitive information
• Implements the controls in a verifiable and measurable way
• Allows independent auditors to periodically check controls and systems to verify compliance
INFORMATION SECURITY AUDIT OVERVIEW
An information security audit is a check that a service provider has implemented, and is following, a standard set of security policies or controls. The audit reviews policies and practices that are technical, physical and administrative in nature. Audits are typically based on regulations and guidance from industry groups, government agencies and regulatory entities such as these:
• The International Organization for Standardization (ISO)
• The Cloud Security Alliance (CSA)
• The National Institute of Standards and Technology (NIST)
• Payment Card Industry Data Security Standard (PCI DSS)
Audits cover topics such as the physical security of data centers, the logical security of applications as well as the disaster recovery processes and administrative procedures of service providers.
One common US audit standard is the Statement on Standards for Attestation Engagements (SSAE) No. 16 (since superseded by SSAE 18). An SSAE 16 engagement produces a SOC 1 report, which covers controls at a service organization that are relevant to its customers' financial reporting. The companion SOC 2 report covers controls relevant to security, availability, processing integrity, confidentiality and privacy, and a SOC 3 report is the general-use summary of a SOC 2 examination; all three are commonly grouped under the "SSAE 16" label.
The recognized international standard is ISO/IEC 27001, published by the International Organization for Standardization (ISO), which specifies the requirements for an information security management system (ISMS) and is the standard against which an organization's ISMS is certified.
BluBØX employs independent auditors to verify the following:
• Employees with access to sensitive information undergo background checks and receive enhanced security training
• A risk management strategy is employed and that all risks and the mitigating controls are documented
• BluBØX monitors the activity of systems and employees to ensure the quality and security of products
• There is a clear communication channel between support personnel, management, and customers, and that every incident or problem is recorded
• Changes to the system are reviewed, tested, and recorded prior to implementation
Continuous Vulnerability Scans
BluBØX routinely conducts vulnerability scans with multiple tools to improve the security of its products. Such scans are a critical element of any cloud security program: they protect customers' privacy and security by detecting, testing, and repairing vulnerabilities before a malicious party can exploit them.
BluBØX runs these tests in several layers to isolate problems and to provide maximum assurance for our clients. First, each product is scanned during development for known vulnerabilities. Second, each product is installed in an isolated test environment with simulated data, and testers attempt to exploit the discovered or previously known vulnerabilities. Once any discovered weaknesses are addressed, the product is retested and then released for general use.
BluBØX has imposed a password management protocol on its employees which ensures that passwords are changed frequently, are not easily guessable, are not written down, and are not reused across multiple servers or security domains.
All BluBØX staff receive information security awareness and policy training on a periodic basis. The training covers general background knowledge of information security threats as well as specific precautions which have been designed into the BluBØX systems. It also addresses issues such as confidentiality, privacy, and social engineering.
The BluBØX Customer Service Representatives (CSRs) are a major focal point of our information security policies.
The customer service group is frequently called upon to verify the identity of callers seeking assistance with their accounts, which, as often as not, will ultimately require sharing of certain information.
The CSRs therefore use an identity verification protocol with all callers so that they can ensure that any requested account changes, forgotten passwords, or other information requests are being made by an authorized party.
Because of the sensitivity of the CSR function, BluBØX’s hiring process for these positions includes extensive screening and background checks.
BluBØX has implemented every major information security precaution available with today’s technology, consistent with the nature of the application and our customers’ desire to be able to use the technology from anywhere, at any time.
We also pay constant attention to human factors. It has been widely reported that most security breaches, whether in the physical world or the world of information, are a result of human carelessness or malicious intent. While BluBØX can never change that, we can make sure that our staff is held to the highest ethical standards for handling your data, and that our internal audit processes will continue to safeguard vital customer data.