|
How does CFA handle your
company’s security?
Information Security Policies and Procedures
CFA leverages a comprehensive set of best practices to assure protection of physical and digital assets.
Administrative and User Access Rights
Only administrators are allowed to manage physical machines. Physical access is required. Data is however accessible to data operators.
Electronic Data Retention and Destruction Policies/Procedures
Data is persisted during lifetime of promotion. Once data is delivered to customer, all collected data is purged. This is done to both protect the customer but to also reduce our data storage requirements.
Change Management & Incident Management
All change requests are subject to a 24 hour deployment cycle. Changes are deployed off hours to minimize disruption. Depending on importance of incident, changes could be pushed within minutes if critical or if not critical, they follow the typical change request process.
Facility Profile:
_______________________________________
Server location
CFA's servers are professionally hosted and co-located in telco building that includes AT&T and Level 3 as tenants.
Security (both physical and technical)
Server room building front door is locked with only keyed access. Server room is protected by proximity badge and corresponding 5 digit access code. Access in the server room must be re-authenticated with proximity badge and 5 digit code every 15 minutes. Badges are unique to employee and are used to track access to server room. Cameras are installed in facility to record activities.
All web deployments are protected with virtual IPs and load balanced to assure high availabilty. All ports accept 80 and 443 (SSL 3.0) are disabled by default. Mcafee Secure (scanalert) is used to detect any security and PCI vulnerability on production servers. Antivirus and Antirookit software is run on the machines. All database requests are protect from SQL injection through use of store procedures and prevention of script in web input to prevent cross site scripting. Servers are locked down to only allow physical access.
Disaster recovery plan
All database servers are backed up nightly and data is stored encrypted in offsite location.
Hardware:
_____________________________________
Described below are hardware configurations and capacity available for use by all clients:
CPU Capacity
CFA uses multiprocessor Windows Intel machines with multi-gigabyte RAM.
Disk space
Web servers have abundant disk space to run web site and have multi-disk configurations to separate Windows system files from web server files. Database servers run multi-disk configurations depending on space needs as well as filegroup distribution to assure low disk queue lengths. Database servers are optimized for write operations.
System availability service level agreement
99.9% availability
Networks (local and wide area)
Isolated networks are used to assure protection of database access and limit resource availability to need basis. Servers are configured with multiple network cards. Network is TCP/IP based.
System Architecture for Online Sweepstakes
System architecture is proprietary and not disclosed to limit external knowledge of deployments. This is a security measure to protect our customers.
Dynamic Programming Language(s) Utilized
CFA leverages Microsoft scripting languages including VBScript and Javascript. Scripting languages are only used when necessary for data collection.
Online simultaneous user capacity
CFA leverages many servers to handle scalability. All servers are stateless and are optimized to handle hundreds of thousands of users simultaneously.
Scalability
CFA’s server infrastructure is both vertically and horizontally partition-able and scalable. Load balancers are used to equally distribute load. Both bandwidth and machines are configurable to your deployment needs.
|
