Security Overview
Cataphora takes very seriously its responsibility to ensure the security and confidentiality of customer data. The company is necessarily entrusted with very sensitive data in the normal course of its business. Cataphora's security plans and practices, and also its operational mechanisms and procedures, have been reviewed by two separate security experts with international reputations, both of whom have undertaken extensive work for federal agencies. Security protection measures are applied across three broad categories: network, client data, and physical plant.
Network Security
Cataphora's network comprises three principal sections: client web sites, internal corporate network, and file transfer and email relay servers. Different data protection is appropriate and required for each of these networks, so the company uses separate firewalls for each of them. Data access to each network and to each machine within the networks is limited to that which is absolutely necessary to provide service. The use of separate firewalls and strictly limited access provide separation of business functions and allow defense in depth. In addition, Cataphora offers a variety of encryption and other security methods to ensure appropriate and limited access to data being sent to and from the company's systems, by whatever means and on whatever media.
Cataphora also uses multiple routers in parallel, multiple switches in parallel, and multiple Internet service providers and physical network providers to eliminate single points of failure. Cataphora's tools and configuration methods have been chosen to match or exceed typical industry best practices.
Client Data Security
Cataphora protects client data throughout its entire Cataphora-related lifecycle, from before it is delivered to Cataphora all the way through its final export and destruction. Data that Cataphora receives from any external source is processed in a limited-access area that is dedicated to data intake. The data intake process always begins with an archive copy of the original client data, so that if some later issue shows up on the original media, or the original media have been returned to the customer, Cataphora can still perform its duties. After intake, the company processes the data and places it onto a separate, per-client Internet-accessible web server machine.
At the conclusion of the customer engagement, Cataphora typically returns original media to the client, and purges all internal copies of the data. Cataphora uses US government standard procedures to completely scrub disks and disk arrays of customer data, and to physically destroy any write-once media, as well as all associated papers. Cataphora stores all data on RAIDs, and frequently makes offline backups. In addition, the company ensures that multiple copies of backups exist both on archival media and at secure offsite facilities. Cataphora also keeps baseline backups and multiple generations of differential backups on disk, allowing very rapid restoration, if necessary.
Physical Security
Cataphora protects its locations with security cameras, digital video recording, anomalous-behavior analysis, alarm systems, and trained and vigilant staff. All non-Cataphora employees are subject to a security check-in prior to being allowed onto the premises and are escorted throughout the duration of their visit. A sophisticated computer-monitored card key system controls entry to Cataphora buildings and to specific high-security zones within them. There is a very limited set of physical keys that the company allows to be used only during power outages; use under other circumstances triggers alarms. In order to further safeguard the sensitive customer data housed in server rooms, Cataphora limits access to these areas to just those carefully screened personnel such as systems administrators who need such access to perform their duties.
Cataphora requires new employees to pass a comprehensive background check, including drug testing, before they are allowed to start work. The company has a policy of not hiring contract employees, and carefully vets any vendors and service providers who work on its premises. The company performs spot checks on current employees both at random and in the event that the company suspects that there might be a problem with a specific employee. These checks deal with criminality, financial status and dealings, and drug use or abuse.