Our cloud service data-center provider (AWS) operates state-of-the-art data centers that are ISO 27001, PCI DSS Level 1, HIPAA, EU-US Privacy Shield and SOC 2 Type compliant. Automated fire detection and suppression systems are installed in networking, mechanical, and infrastructure areas. All AWS data centers are constructed to N+1 redundancy standards.
AWS's Global Security Operation Centers conduct 24/7 monitoring of data center access activities, with electronic intrusion detection systems installed in the data layer.
Each AWS data center has a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems, and door alarms.
We employ AWS security groups and IAM controls to lock down communication between components, so access to services must be granted explicitly on an as-needed basis. Systems cannot interact with each other unless we have explicitly planned for and configured that interaction.
DDoS Mitigation, Content Delivery, and Internet Security Monitoring
ESP's system audit logs are always maintained and checked for anomalies, and we use AWS services to protect against distributed denial-of-service attacks.
Least Privilege Access
Access to hosting servers and live environments is granted on a least-privilege basis. A very limited number of employees have access to live environments, and that access also requires multiple levels of security clearance.
Security Incident Response
Economic Security Planning continually monitors our cloud services and has a response team on call 24/7 to respond to security incidents. Our hosting provider, AWS, also provides 24/7 global monitoring and support.
Economic Security Planning conducts a third-party penetration test annually or after any major changes to the platform.
Platform & Product Security
We have a team of customer support and subject matter experts who review and test all changes to our code base. For every update or release of the software, testing is performed by the development and QA teams using a multi-level approach.
We maintain separate environments for both staging and testing. These environments are logically separated from the live production environment. No customer data is used in testing or development.
In addition to application penetration testing, unit testing, human auditing, static analysis, and functional tests, we perform a minimum of monthly third-party vulnerability scans of our production and test environments.
Mitigating Common Attacks (XSS, CSRF, SQLi)
Our tools have been built to mitigate common attack vectors such as SQL injection attacks and cross-site scripting attacks (XSS). Economic Security Planning’s cloud environments also take advantage of AWS’ enterprise-grade Web Application Firewall (WAF) to automatically block or challenge suspicious requests.
Data at Rest
All customer data is stored encrypted on AWS servers with the AES-256 encryption algorithm.
Data in Transit
Any data transmitted to or from the Economic Security Planning platform is encrypted over the wire in line with industry best practices. Web traffic is secured by AWS with TLS 1.2 or 1.3 using proven cipher suites.
Single Sign On
Different configuration options are available for SSO, enabling you to customize how it interacts with agents and customers. Note: SSO is available with a minimum number of licenses purchased.
Two Factor Authentication (2FA)
Economic Security Planning enables 2FA for all administrators of the platform and offers it as an option to all customers.
Availability & Security Incidents
Economic Security Planning maintains a high level of availability on the cloud platform, averaging over 99%.
We use AWS with redundancy across multiple availability zones, with database backups offering 35 days' worth of point-in-time recovery if needed. Additional encrypted off-site backups are updated weekly.
Responding to Security Incidents
Our Security Team has established procedures and policies for responding to and communicating about security incidents. The severity of a security incident determines how we respond and communicate with our customers. If a security incident does occur, you will be kept updated by our Customer Success team, who will be on hand to support you through the incident. All of our procedures and policies for responding to security incidents are evaluated and updated at least annually.
Disaster Recovery and Business Continuity Plan
A business continuity plan has been put in place in the event of an emergency or critical incident impacting any facet of Economic Security Planning's business operations, including the platform. It was created so that we can continue to function as a business for our customers, no matter the scenario. The business continuity plan is tested and checked annually for applicability and for any additional improvements that could be made.
Personnel & Endpoints
Every employee workstation is set up and monitored to ensure that data is encrypted at rest, passwords are strong (managed in a secure password management vault), OS patches are up to date, and antivirus is active and up to date.
We perform background checks on all new hires. On commencement of employment at Economic Security Planning, employees and contractors are required to sign a Non-Disclosure and Confidentiality Agreement, which continues to apply after employment ends.
Security Training Program
All employees at Economic Security Planning are required to participate in our Security Awareness Training, which educates users on the role they play in protecting data and preventing security breaches. Employees are also required to review Economic Security Planning's security policies, including the acceptable use policy, on a recurring annual basis.
Sensitive Information Access
Only certain people within the organization are given access to sensitive information. Access is granted on a need-to-know basis through role-based permissions, giving employees what they need to perform their jobs to the best of their ability.
To increase security even further, Economic Security Planning uses Two Factor Authentication (2FA) for systems that contain sensitive or personal data.
As part of our internal password policy, Economic Security Planning provides an approved password manager to all employees. This ensures that passwords are strong, kept in a secure location, regularly changed, and not reused. Where necessary, the password manager alerts users to potential password risks to maintain a high level of security at all levels.
In order for Economic Security Planning to run efficiently, we rely on sub-service organizations to help us deliver our services. When selecting a suitable vendor for a required service, we take the appropriate steps to ensure that the security and integrity of our platform are maintained. Every sub-service organization is heavily scrutinized, tested, and security checked prior to being integrated into Economic Security Planning.
Economic Security Planning monitors the effectiveness of these vendors, and they are reviewed annually to confirm that their security and safeguards continue to be upheld.