AUTOSCRIBE INFORMATION SECURITY POLICY
The Information Security policy is intended to define the controls used to safeguard and centralize information relating to Autoscribe's requirements for secure storage of sensitive and/or confidential information, with an emphasis on customer account data. No part of this policy is meant to conflict with existing federal, state or local laws or regulations. In the event of a conflict, the existing law will take precedence.
This policy applies to the information security aspects of the PaymentVision portal. Similar policies are available for other Autoscribe hosted products.
Where possible, all customer account data is encrypted prior to transmission outside of Autoscribe’s production network and before storage in flat files, temporary directories, databases and other forms. All encryption keys are securely stored in an encrypted form, and key-encryption information is stored separately from data-encryption information.
Customer information that is transmitted for purposes of settlement and cannot be encrypted (e.g., ACH files) is transmitted only through a secure encrypted channel. After transmission, files or data are encrypted for storage or destroyed.
Proven, standard encryption algorithms, such as DES, RSA, and IDEA, are used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Autoscribe’s key length requirements are reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Network Operations team. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
All customer account data stored on Autoscribe’s network is encrypted. All long-term storage methods, including, but not limited to, database tables, files uploaded from clients, transaction logs, and history files are subject to these requirements.
Customer account data is stored on Autoscribe’s network for only the length of time required by law or by Autoscribe’s individual business requirements. The production network is swept on a quarterly basis to ensure that no files are saved beyond the required retention period.
No customer account data will be made available through unsecured Web sessions. HTTPS (SSL) security is required for all Web-based sessions that can view or transmit customer account data. When presenting account numbers during these sessions, all unnecessary digits are masked, leaving only the last four digits (in the case of a credit card number) visible to the user.
All customer account data on external media is encrypted and password-protected. Any media containing customer account data is labeled as Confidential, including media distributed to individuals and media removed from the production facility as part of an offsite backup plan. All media placed in or removed from the facility is logged. Any media transported to an offsite location is sent via secure courier or another traceable mechanism.
All media is stored securely and periodically inventoried to ensure that all media is accounted for. Any media that is destroyed is subjected to permanent data destruction techniques, such as a military-grade wipe program or degaussing, before it is permitted to leave the production facility.
The possibility exists that unauthorized persons will gain access to Autoscribe’s network, despite our best efforts at preventing intrusions. All security logs on the network are reviewed at least daily, and any exceptions to routine traffic are followed up on. Logs and audit trails are retained for at least one year, online or offline.
PHYSICAL SECURITY INFRASTRUCTURE
All of Autoscribe’s client-facing network and servers are physically and logically separate from Autoscribe’s corporate network. The client-facing infrastructure is co-located at a highly secure and highly redundant facility, provided by an industry-leading specialist in data centers.
Access to the secure facility is controlled by a restricted access list and by multiple levels of identification and authority. The site is in a restricted and physically secure location that is independent of Autoscribe’s and the data center’s corporate infrastructure.
All servers and network devices are in a locked cage.
All access to the secure facility is monitored and logged by the data center provider. All access is monitored 24 hours a day through live and recorded closed-circuit cameras.
To ensure the proper functioning of the network, staff may monitor the network, data, and statistics. Anomalies are reported and investigated where deemed appropriate.
Autoscribe retains the strictest of confidence and uses all confidential information only in conjunction with the services it provides. Confidential information will not be disclosed to any Third Party that does not adhere to Autoscribe’s Confidentiality policies.
Questions regarding this policy should be addressed to:
Attn: Network Operations Team
9801 Washingtonian Blvd.
Gaithersburg, MD 20878