Security

Your Security Is Our Priority

Security by Design

The security of your data has always been a priority for us. Whether you are using MaxiFi® or Maximize My Social Security®, we are committed to protecting and securing your data.

Economic Security Planning is committed to constantly maintaining knowledge of the evolving application security landscape and ensuring that security best practices are upheld across the whole organization.

For our cloud hosting, we use industry-leading Amazon Web Services. View their security page here.

Protecting your Data

The aim of Economic Security Planning’s security practice is to prevent any unauthorized access to customer data.

We are always looking at ways in which we can improve the security of our applications and continuously working to identify, monitor, and mitigate risks in our environment.

Regular management security reviews are in place to address any areas that we believe can be improved upon and further secured. Implementation of this may be through new security certification, compliance, or third-party testing to ensure best practices and improve security across all systems at Economic Security Planning.

Contact us at security@economicsecurityplanning.com if you have any security-related concerns about any of our products or services. Please also see our Privacy Policy and Terms of Service.

Security Highlights

  • Least Privilege Access: Yes
  • Full Daily Backups: Yes
  • Data Encrypted in Transit and at Rest: Yes
  • Two Factor Authentication: Yes
  • Vulnerability Scanning: Yes
  • Mitigating Common Attacks: Yes
  • Annual Penetration Testing: Yes

Physical Security

  • Facilities

    Our cloud service data-center provider (AWS) operates state-of-the-art data centers that are ISO 27001, PCI DSS Level 1, HIPAA, EU-US Privacy Shield & SOC 2 Type compliant. Automated fire detection and suppression systems are installed in networking, mechanical, and infrastructure areas. All AWS data centers are constructed to N+1 redundancy standards.

  • Server Monitoring

    AWS's Global Security Operation Centers conduct 24/7 monitoring of data center access activities, with electronic intrusion detection systems installed in the data layer.

  • Hard Perimeter

    Each of AWS's data centers has a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems, and door alarms.

Network Security

  • Architecture

    We employ AWS security groups and IAM controls to lock down communication between components, so access to services must be granted explicitly on an as-needed basis. Systems cannot interact with each other unless we have explicitly configured and planned for that interaction.

  • DDoS Mitigation, Content Delivery, and Internet Security Monitoring

    ESP’s system audit logs are always maintained and checked for anomalies, and we use AWS services to protect from distributed attacks.

  • Least Privilege Access

    Access to hosting servers and live environments is granted on a least-privilege basis. A very limited number of employees have access to live environments, and that access also requires multiple levels of security clearance.

  • Security Incident Response

    Economic Security Planning continually monitors our cloud services and has a response team on call 24/7 to respond to security incidents. Our hosting provider, AWS, also provides 24/7 global monitoring and support.

  • Penetration Testing

    Economic Security Planning conducts a third-party penetration test annually or after any major changes to the platform.

Platform & Product Security

Development

  • Quality Assurance

    We have a team of customer support and subject matter experts who review and test all changes to our code base. For every update or release to the software, testing is performed by development and QA teams with a multi-level approach.

  • Separate Environments

    We maintain separate environments for both staging and testing. These environments are logically separated from the live production environment. No customer data is used in testing or development.

  • Vulnerability Scanning

    In addition to application penetration testing, unit testing, human auditing, static analysis, and functional tests, we perform a minimum of monthly third-party vulnerability scans of our production and test environments.

  • Mitigating Common Attacks (XSS, CSRF, SQLi)

    Our tools have been built to mitigate common attack vectors such as SQL injection attacks and cross-site scripting attacks (XSS). Economic Security Planning’s cloud environments also take advantage of AWS’ enterprise-grade Web Application Firewall (WAF) to automatically block or challenge suspicious requests.

Encryption

  • Data at Rest

    All customer data is stored encrypted on AWS servers with the AES-256 encryption algorithm.

  • Data in Transit

    Any data transmitted into or out of the Economic Security Planning platform is encrypted over the wire in line with industry best practices. Web traffic is served over HTTPS, secured by AWS with TLS 1.2 or 1.3 using proven-secure cipher suites.

Software

  • Single Sign On

    Different configuration options are available for SSO, enabling you to customize how it interacts with agents and customers. Note: SSO is available only with a minimum number of licenses purchased.

  • Two Factor Authentication (2FA)

    Economic Security Planning enables 2FA for all administrators of the platform and offers it as an option to all customers.

Availability & Security Incidents

  • Uptime

    Economic Security Planning maintains a high level of availability on the cloud platform, averaging over 99%.

  • Redundancy

    We use AWS with redundancy across multiple availability zones, with database backups offering 35 days' worth of point-in-time recovery if needed. Additional encrypted off-site backups are updated weekly.

  • Responding to Security Incidents

    Our Security Team has established procedures and policies for responding to and communicating about security incidents. The severity of a security incident dictates how we respond and how we communicate with our customers. If a security incident does occur, you will be kept updated via our Customer Success team, who will be on hand to help and support you with updates throughout the incident. All of our procedures and policies for responding to security incidents are evaluated and updated at least annually.

  • Disaster Recovery and Business Continuity Plan

    A business continuity plan is in place in the event that an emergency or critical incident impacts any facet of Economic Security Planning's business operations, including the platform. It was created so that we can continue to function as a business for our customers, no matter the scenario. The business continuity plan is tested and checked annually for applicability and for any additional improvements that could be made.

Organizational Security

Personnel & Endpoints

  • Workstation Set-Up

    Every employee workstation is set up and monitored to ensure that data is encrypted at rest, passwords are strong (managed by a secure password management vault), OS patches are up to date, and antivirus is active and up to date.

  • Confidentiality

    We perform background checks on all new hires. On commencement of employment at Economic Security Planning, employees and contractors are required to sign a Non-Disclosure and Confidentiality agreement, and its obligations continue to apply after employment ends.

  • Security Training Program

    All employees at Economic Security Planning are required to participate in our Security Awareness Training, which focuses on educating users about the role they play in protecting data and preventing security breaches. Employees are also required to review the Economic Security Planning security policies, including the acceptable use policy, on a recurring annual basis.

Sensitive Information Access

  • Least Privilege

    Only certain people within the organization are given access to sensitive information. Access is granted on a need-to-know basis through role-based permissions, giving employees what they need to perform their jobs and no more.

  • Authentication

    To increase security even further, Economic Security Planning uses Two Factor Authentication (2FA) for systems that contain sensitive or personal data.

  • Password Management

    As part of our internal password policy, Economic Security Planning provides an approved password manager to all employees. This is to ensure passwords are strong, kept in a secure location, regularly changed, and not re-used. Where necessary, the password manager alerts users to any potential password risks to maintain high-level security at all levels.

Vendor Management

  • Sub-Service Organizations

    In order for Economic Security Planning to run efficiently, we rely on sub-service organizations to help us deliver our services. When selecting a suitable vendor for a required service, we take the appropriate steps to ensure that the security and integrity of our platform are maintained. Every sub-service organization is heavily scrutinized, tested, and security checked before being integrated into Economic Security Planning.

  • Vendor Compliance

    Economic Security Planning monitors the effectiveness of these vendors and reviews them annually to confirm that their security and safeguards continue to be upheld.