Form I-9 Compliance maintains a high-availability, virtualized server application and database environment, backed by a RAID-enabled storage area network (SAN) in SOC 2 Type 2 datacenters. The application and database environment incorporates redundant web and database servers and network security appliances to ensure security, scalability and reliability. Additionally, antivirus hardware and software solutions are deployed on each connected resource.
The web application is written in the latest version of .NET, using ASP.NET Web Forms for its web elements; this allows data validation, responsive user interfaces, and security checks on every page and at every access level. Audit trail events are logged continuously to comply with Department of Homeland Security (DHS) regulations, and rigid electronic signature security standards comply with DHS rules for electronic signatures. Scripting languages are not used, ActiveX controls are not downloaded to the client, and data is encrypted (Personally Identifiable Information is encrypted ‘at-rest’ and all data is encrypted ‘in-transit’).
The system is fully redundant, with high-availability server clusters, firewall redundancy, and load balancing. All systems are located in datacenters with SOC 2 Type II and SOC 3 certification. The datacenters have fully redundant power with diesel generators for backup, diverse paths and providers for Internet access, and multi-tiered security services.
In order to help ensure the security of our application:
Authorized individuals must show an Access Card to gain entry to the data center. The access card contains a chip that identifies the individual and notifies the NOC. The closed-circuit television security system sends a video image of the individual to the security team, which compares it to the picture on file.
If an individual arrives at the data center without a badge, the guard contacts the NOC, which in turn contacts the Fi9 INFOSEC Officer to verify whether or not the individual should have access. No one is allowed access to the data center without a badge or SPOC approval.
When authorized personnel sign in, they agree in writing to follow all security procedures.
Biometric scanners (retinal, palm and finger) are not fail-safe because of their tolerance settings. As a result, onsite guards are used 24×7, verifying access with a combination of access card and photo identification. Cabinets have combination or key locks on all doors.
Fi9 conducts full database backups (full system backups weekly and incremental backups nightly). The backups are stored locally in its SOC 2 and SOC 3 certified data centers. An additional daily backup is stored off-site, and a fully functional failover hot site is maintained, to help ensure that all data can be retrieved in the event of a disaster at the primary site.
All hardware is monitored 24/7 and is fully redundant to prevent system failures. Load balancing allows sessions to continue even if one or more web servers fail. In addition, replication software synchronizes data between the primary and secondary sites in real time, allowing failover to the secondary site in the event of an outage at the primary site.
We do all of this in order to help ensure that our clients’ data is always protected and available.
Policies are reviewed at least annually, and more frequently if necessary. Members of the Security team are authorized to review policies, with final approval for changes coming from the INFOSEC Officer in conjunction with other senior management. Approvals are documented via e-mail as they occur. Any changes to the policies are then communicated to employees via e-mail and posted on an intranet site accessible to employees.
To mitigate any potential for loss or exploitation of sensitive data, Fi9 maintains a data sensitivity policy that determines whether the appropriate controls are in place for data of higher sensitivity. This policy classifies data into categories and specifies protection accordingly, including the privacy treatment each category requires. The Security team conducts vulnerability assessments of relevant data to ensure compliance with these policy points.