Protection 1 makes your security our #1 priority, whether securing people, property or your data
Foreword: Security Concerns Increasing
Never has security been more top of mind for most individuals, organizations, companies and government officials than in today’s climate. Whether it is an increase in real threats or a perceived rise in violent acts including terrorism and workplace violence, tightening of security measures from the home front to homeland security is a number one priority.
When selecting a security provider to partner with, it is as important to evaluate the technology that will be used to protect your people and property as it is to evaluate the security that the provider institutes for their own business, particularly as it relates to data security.
Along with physical attacks, cyber-attacks are a growing concern for global businesses today. Hardly a day goes by without a report of hackers breaching company networks and stealing sensitive customer or personal data.
Data Breaches Are on the Rise
According to Identity Theft Resource Center (ITRC), there were 783 known data breaches in 2014, an increase of more than 27% over 2013. Furthermore, the FBI estimates that more than 1,000 retailers may be under assault from the same or similar malware that attacked Target and Home Depot a couple of years ago.
Retailers are not the only at-risk sector for data breaches and cyber-attacks. The risk is real for all types of public and private organizations. As reported in a recent Forbes article, some of the more recent companies and organizations to feel the pain from these breaches include Neiman Marcus, White Lodging Hotel Management, Affinity Gaming, Community Health Systems, UPS, PF Chang’s, JP Morgan Chase, Sony, and even the citizens of New York City, to name just a few on the extensive list, proving that these new types of criminals have a wide and non-discriminating reach.
Securing Your Business, Securing Your Future
At Protection 1, we make your security our #1 priority. Whether it is securing people, property or the information you entrust to us, we offer the latest in technology, the highest levels of customer service and a comprehensive program designed around data security.
For the purpose of this white paper, we will concentrate on the programs, processes and procedures that we have put in place to ensure that your data is safe with us.
The Protection 1 Approach
Dedicated Security Organization, Security Information Policy and Communications
Protection 1 has a dedicated security team with documented roles and responsibilities. The chief security officer reports directly to the Protection 1 CEO. Our security policy is approved by executive management and published and communicated to all employees, contractors and relevant third-parties. Employees and sub-contractors undergo security awareness training upon hire and must take refresher training annually in the following areas:
- Code of ethical business practices
- Information security policies
- Anti-sexual harassment
Via our corporate university and online learning management systems, every employee is assigned ongoing education. Protection 1 has immediate reporting capabilities on completion of all training to ensure that employees are receiving the knowledge and commitment required for our industry and their positions.
Types of Customer Data Collected and Stored
The types of information Protection 1 typically collects on its customers include:
- Account information at the time of the sale
- Customer name
- Phone #
- Account and security password (The password the customer will give when we call home after receiving an alarm signal, and for help with customer service.)
- Customer contact list information and phone numbers
- Closest cross street (for police dispatch information)
- Email address
- Panel keypad codes
For residential sales, we also collect credit check and payment information:
- Date of birth
- SSN# (if credit check cannot be obtained with DOB information)
- ACH information (checking account) or credit card Information
Payment and social security number information are not visible to our agents after initial entry. We use a tokenization solution to convert or replace payment card data with a unique ID that is used for all subsequent activity, while the original data and the token conversion scheme are stored in a secure third-party data center. Even our authorized agents who have full access to our systems only see the tokens and never have access to the credit card numbers. We retain this information for as long as the customer is active with Protection 1.
Aside from account information, Protection 1 will only have access to customers’ alarm activity data, and under no circumstance will we have access to a customer’s business data.
Security Compliance Policies
Protection 1 is PCI compliant and follows relevant protocols for encryption of sensitive data. Our monitoring centers are also UL Certified and undergo annual UL inspection. We maintain a formal data management program that ensures information is securely stored and maintained. We maintain a formal data classification program and apply technology controls based on classification, and encrypt sensitive data in transit and at rest. Protection 1 utilizes EMC DARE encryption, and data is encrypted on wireless networks. No data is stored on employee workstations.
Data may only be accessed by authorized users and strong passwords must be utilized. Password sharing is not permitted and passwords must be changed every 90 days. As part of our password policy, the following protocols must be followed:
- The password may not contain all or part of the account name of the user
- The password must be at least eight characters long
- The password must contain characters from three of the following four categories:
- Uppercase letters
- Lowercase letters
- Base 10 digits
- Non-alphanumeric characters such as exclamation point (!), dollar sign ($), number sign (#), or percent (%)
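The following is an added example, not Protection 1's own code, showing how the password rules listed above can be checked programmatically: minimum length, three of the four character categories, and no reuse of the account name. Splitting the account name on non-alphanumeric characters to derive its "parts" is an assumption; the paper states the rule without defining "part".

```python
import re
from typing import List, Set

# The four character categories named in the policy.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 8        # "at least eight characters long"
MIN_CATEGORIES = 3    # "three of the following four categories"


def account_name_parts(account_name: str, min_len: int = 3) -> Set[str]:
    """Return the whole account name plus each alphanumeric part of at least
    min_len characters, lower-cased. The splitting rule is an assumption
    (e.g. 'j.smith' -> {'j.smith', 'smith'}); the paper only says 'all or
    part of the account name'."""
    name = account_name.lower()
    parts = {name}
    for part in re.split(r"[^a-z0-9]+", name):
        if len(part) >= min_len:
            parts.add(part)
    return parts


def check_password(password: str, account_name: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    lowered = password.lower()
    # Rule 1: must not contain all or part of the account name (case-insensitive).
    for part in sorted(account_name_parts(account_name)):
        if part in lowered:
            problems.append(f"contains part of the account name: {part!r}")
            break
    # Rule 2: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 3: at least three of the four character categories.
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < MIN_CATEGORIES:
        problems.append(f"only {len(present)} of 4 character categories used: {present}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real account data.
    for pw, acct in [("Tr0ub4dor!", "jsmith"), ("jsmith2024!", "j.smith"), ("password", "alice")]:
        print(pw, "->", check_password(pw, acct) or "OK")
```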
Screensavers are configured to lock workstations after a period of inactivity, requiring users to enter their credentials to reactivate them. Only company-approved VPN software is used for remote access, and remote access requires multi-factor authentication. The network boundary is protected by a firewall with ingress and egress filtering, and network intrusion detection/prevention is implemented and monitored.
Our backend servers/receivers are located in our primary and redundant data centers. These servers lie behind doors protected by a card access system, and only authorized users have access. Video surveillance is also in place. The data centers are Tier 4 rated.
Protection 1 uses third-party certified scanning vendors to scan our web applications on a daily basis, so that any vulnerabilities found, including malware, are eliminated and patched immediately.
We also block direct access to the application servers and use industry standards and best practices in the development of our application code. We scan for the Open Web Application Security Project (OWASP) Top 10 risks. These include SQL injection, where malicious SQL statements are inserted into an entry field for execution; cross-site scripting (XSS), which takes advantage of dynamically generated web pages; and cross-site request forgery (CSRF), also known as a one-click attack, in which unauthorized commands are transmitted from a user that the website trusts, to name a few.
Further safeguards that are built into some of our web-based applications include:
- Sessions expire after 30 minutes of inactivity, requiring the user to re-enter his or her credentials in order to access the data.
- New users' email addresses are validated by clicking a link in an email that is sent when the user account is first set up.
- A two-step authentication process requires the user to set up three security questions, one of which must be answered along with the password whenever the user logs on. The user can choose to bypass the security question on a specific computer after it has been answered there the first time.
- Users are locked out after incorrectly entering their login, password or security question answer three times. That user must then call Protection 1 customer service to unlock the account.
- Passwords and security question answers are hashed with a one-way algorithm before being stored, so they cannot be decrypted.
Human Resource Security
Protection 1 has an extensive screening process for all employees and requires any third-party contractors to provide proof that they have an equally comprehensive hiring practice. Examples of the checks Protection 1 performs before hiring any individual include:
- Past 2 years of employment history plus current year
- County criminal search—last 7 years all names
- Federal criminal search—last 7 years all names
- Statewide criminal search—last 7 years all names
- National database criminal search which also consists of most wanted, money laundering, and sex offender registry—last 7 years all names
Protection 1 has instituted a complete and comprehensive data security program. Copies of our various corporate policies are available for review upon request. We continue to evaluate our policies and procedures and make regular updates based on changing environments. We perform annual risk assessments to determine any new vulnerabilities that may require modifications to our current processes.
We are 100% committed to serving our customers and providing them with the highest level of security, not only to their business and homes, but to the data they entrust to us.