Site Security and Privacy

FAQs regarding SES site security and privacy.

  • How is the data secured while in flight and at rest?
    • Data in flight is encrypted using FIPS-199 validated encryption modules. Connections are secured using TLS 1.2. Internal tunnels between the back-end and front-end are IPSec encrypted using AES.
    • Data at rest is encrypted at the volume level using AES with keys managed and rotated automatically by Amazon KMS.
  • What types of security measures are in place for provisioning, deprovisioning, and changes to access?

    SRR operates on the principle of least privilege for who has access changes to the system, including access. There are a limited number of people with access to deploy releases and all releases go through a change review and control process. Everything is documented and tested before being approved. All access and changes are logged centrally.

  • What processes are in place to manage CSPs (Cloud Service Providers – AWS, Azure, etc.)?

    CSPs are required to be FedRAMP authorized. We review their FedRAMP packages to understand the controls, and monitor updates, logs, and alerts related to that package.

  • What is the underlying technology infrastructure?

    AWS and Appian

  • What type of MFA (Multi-Factor Authentication) is in place?
    • Multifactor access for CSBS personnel is managed through single sign-on integration with Duo.
    • Non-CSBS personnel use time-based tokens (TOTP), such as Google Authenticator, for MFA.
  • How are vulnerabilities managed? How often are vulnerabilities scanned?

    Vulnerabilities are tracked in a ticketing system with end-point scanning occurring every four hours.

  • What network security controls are in place?

    The CSPs both send logs to our central SIEM. We also have network monitoring sensors from Darktrace.