I-9 Custom

Form I-9 Compliance maintains a high availability, virtualized server application and database environment, back-ended by a RAID enabled storage area network (SAN) in SOC 2 Type 2 datacenters. The application and database environment incorporates redundant web and database servers, and network security appliances to ensure security, scalability and reliability. Additionally, antivirus hardware and software solutions are incorporated on each connected resource.

The web application is written in the latest version of .NET using ASP.NET Web Forms for web elements, advanced web based technology allows for data validation, responsive user interfaces, and security checks on every page and access level. Constant audit trail event logging takes place to comply with Department of Homeland Security (DHS) regulations, rigid electronic signature security standards comply with DHS rules for electronic signatures, scripting languages are not used, Active X controls are not downloaded to client and data is encrypted. (Personally Identifiable Information is encrypted ‘at-rest’ and all data is encrypted ‘in-transit’)

The system is fully redundant with highly availability server clusters, firewall redundancy, and load balancing. All systems are located in datacenters with SOC 2 Type II and SOC 3 certification. The datacenters boast fully redundant power with diesel generators for backup, diverse paths and providers for Internet access and multi-tiered reliable security services.

In order to help ensure the security of our application:

• Fi9 utilizes a third party verification (TPV) security service to perform penetration testing and vulnerability scanning to identify potential system and network security risks
• All Personally Identifiable Information (PII) is encrypted at-rest and in-transit.
• Fi9 systems require two-factor authentication and encrypted VPN connections for approved personnel

Physical Security 
Onsite and Remote Security Personnel

• The data center is staffed 24×7 with industry certified security and network operations personnel.
• The Network Operations Center (NOC) has access to all security operations data and monitors the data center for external and internal security. Closed Circuit Television Security System.
• There is a closed circuit television security system at all entrances that is monitored by security guards 24×7. Security cameras move along tracks to allow security guards to monitor specific aisles and track the movements of people in the data center.

Combination Access Card and Photo Identification System

Authorized individuals must show an Access Card to gain entry to the data center. The access card contains a chip that identifies the individual and notifies the NOC. The closed circuit television security system sends a video display of the individual to the security team and compares it to the picture on file.

If an individual shows up at the data center without a badge, the guard will contact the NOC who will then contact the Fi9 INFOSEC Officer to verify whether or not the individual should have access. No one is allowed access to the data center without a badge or SPOC approval.

When authorized personnel sign in, they agree in writing to follow all security procedures.

Biometric scanners (retinal, palm and finger) are not fail-safe due to tolerance settings. As a result, onsite guards are utilized 24×7 with a combination of access card and photo identification to verify access. Cabinets have combination or key locks on all doors.

• Federal Emergency Management Agency (FEMA)
• UL 478/1950
• National Electric Code (NEC)
• National Electric Manufactures Association (NEMA)
• Occupational Safety and Health Act (OSHA)
• American National Standards Institute (ANSI)
• National Fire Protection Association (NFPA)
• Federal Information Processing Standards (FIPS)
• The building is designed and built to withstand earthquakes of 8.0 magnitude.
• The design is based on the building code requirement for Zone four (4) specifications.
• Since Fi9 operates in a high seismic zone of Southern California, fire suppression systems have a separate incoming water line that is protected from the potable water system by a backflow preventer. This system is designed by licensed professionals to comply with NFPA and local code requirements and is approved by the local Fire Marshals.

• A multi-level approach to fire prevention, involves the use a Very Early Smoke Detection Alarm (VESDA), however, this approach is backed up by a state of the art fire control system, consisting of early warning alarms, smoke detectors and sprinklers as a last resort for fire suppression. If engaged, the sprinkler system localizes the spray to a 6-8 foot diameter (the diameter of localized spray varies by location).
• Water, rather than gas and foam is used, because of the danger posed by gas and foam to human beings. In addition, gas and foam only temporarily suppress the fire – once the doors are opened, the fire can flame back up.
• The dry pipe system keeps the water outside of the data center location rather than in the pipes. This prevents the sprinkler system from spraying water in case of accidental damage to the sprinkler head or pipe. This also ensures that the water doesn’t become dirty or corrosive over time from sitting in the pipes.

Disaster Contingency and Business Resumption Planning

Fi9 conducts full database backups (full system backups weekly and incremental backups nightly). The backups are stored locally in their SOC 2 and SOC 3 certified data centers. An additional daily backup is stored off-site in order to help ensure that all data can be retrieved in the event of a disaster at the primary site and a fully functional failover hot site.

All hardware is monitored 24/7 and is fully redundant to prevent system failures. Load balancing allows sessions to continue even if one or more web servers fail. In addition, replication software is utilized to synchronize data between the primary and secondary sites in real time and allow failover to a secondary site in the event of an outage at the primary site.

We do all of this in order to help ensure that our clients’ data is always protected and available.

Fi9 has the following security-related procedures & policies in place, which are owned by the INFOSEC Officer:

• Acceptable Use Policy
• Mobile Device Management
• Backup and Disaster Recovery Manual
• Data Encryption
• Remote Access
• Security Incident Response Information Classification and Security Business
• Continuity
• Password Requirements
• Network Configuration Diagram Patch Management
• Acceptable Usage
• User Account Management
• Wireless Communications
• Software Development Change Management (DevOps) Vulnerability
• Management
• Content Filtering
• Network Configuration Management

Policies are reviewed at least annually and may be reviewed more frequently if necessary. Members of the Security team are authorized to perform reviews of policies with final approval for changes from the INFOSEC Officer in conjunction with other senior management. Approvals are documented via e-mail as they occur. Any changes to the policies are then communicated to employees via e-mail and are posted on an intranet site accessible to employees.

To mitigate any potential for loss or exploitation of sensitive data, Fi9 maintains a data sensitivity policy to determine whether the appropriate controls are in place for data of higher sensitivity. This policy classifies data into categories and specifies protection accordingly. Policy points are in place to specify privacy treatment of data. The Security team conducts vulnerability assessments of relevant data to ensure compliance with policy points.