Hotline System Security
Completely Confidential, Anonymous Hotline Security
Our reputation and business success depend on ensuring we deliver completely confidential, anonymous and secure hotline and helpline services. We know
we must never violate the trust our customers and their employees, partners, shareholders and other stakeholders place in us to secure every conversation and
written report.
Contact Center Security
Our contact center is housed in a secure, hardened facility, separate from the EthicsPoint headquarters in Oregon. It is an unbranded location, with a
24/7/365 double ring of access security, with multiple backbones of telephony and Internet access feeds with automatic short-term battery and long-term
generator backup power supplies.
Web-based reporting
For people who choose to place a report via our secure website, we provide completely anonymous capabilities. We never place an identifying cookie on a reporter’s
computer, nor do we use any tracking technology. Our network and datacenter security and privacy procedures are listed below.
Unparalleled Data Protection and Network System Security
At EthicsPoint, network security for our business ethics system is a crucial element of our success. In order to mitigate risks and threats, our security
needs are embedded in our physical structure and business processes and are reinforced to our suppliers and partners. EthicsPoint integrates business and network
continuity best practices into the strategic and operational fabric of the organization to address an ever-changing mix of risks and vulnerabilities. Maintaining
complete security, high availability, and exceptional service levels is the central focus of managing our operational risks. The foundation of our operations is
a continuous investment in capabilities that enable privacy, security, control over reliability, and availability of critical business operations and systems.
These plans have the full attention and support of EthicsPoint’s senior management.
EthicsPoint’s Security and Business Continuity plans identify and address the stability of time-sensitive business and service functions, as well as their complex
internal and external interdependencies. EthicsPoint’s web site and Software-as-a-Service (SaaS) application delivery are supported by a network architecture designed
to provide users with a high quality, secure, and private experience.
Our network architecture includes multiple firewalls, redundant servers, load-balancing equipment, and a database cluster for redundancy, scalability, and
reliability. To ensure our system is secure and limited to authorized users, a combination of firewalls, intrusion prevention systems, anti-virus protection,
and OS hardening procedures is used. EthicsPoint employs a combination of IT & software industry standards including SAS 70, ISO 17799/27002, BS 7799, SANS,
PMI PMP, and a formal SDLC. We also contract with a nationally recognized independent service that utilizes separate hosted server sites located in multiple cities
to test all EthicsPoint web sites simultaneously. The collected data is then used to provide a comprehensive view of web site performance and availability.
Business Continuity
The ability to maintain EthicsPoint’s service levels depends upon our ability to predict the need for information availability and the ability to manage risk
within the digital enterprise. Our planning is designed to prepare for emergencies, respond to major disruptions by mitigating their effects, and recover from their
consequences. We maintain a security and recoverability model that protects our employees, business operations, and the information assets of each and every customer.
EthicsPoint bases its disaster preparedness guidelines on the recommendations of the Association of Corporate Counsel, Crisis Management International, and the
US Department of Homeland Security. These plans are supported by appropriate insurance coverage, risk management, and constantly updated mitigation efforts.
Elements of Network and System Continuity
- Availability: The EthicsPoint web site and its service offerings operate with consistently high web site availability and responsiveness;
support current and projected visitor growth; and allow the addition of new site features quickly, without disrupting the overall architecture of the EthicsPoint
site.
- System Monitoring: EthicsPoint performs active monitoring on all critical systems within the production environment. Upon failure of any
monitored component or software, EthicsPoint’s technical staff is notified immediately for resolution. In the event of an equipment failure, the hosting provider
will initiate repair.
- Disaster Recovery: Our hosting provider supports our disaster recovery plan for our server environment and provides a safe and stable
environment with continuous power, air conditioning, and multiple Internet feeds in a fully redundant environment. Backups are stored in an off-site facility
through encrypted and secure channels using the latest encryption technologies. Backups are available at all times. In the unlikely event of a critical disaster,
EthicsPoint’s technical staff would restore all systems to ensure online service as soon as possible. In the event of a serious disaster, EthicsPoint contracts
with a third-party vendor who will provide temporary facilities for our Contact Center and servers, including a phone system, PCs, servers, generators, and a
satellite uplink for phone and internet communications.
- High-Security Hosting: EthicsPoint web sites are hosted and protected by equipment owned and maintained by EthicsPoint staff in a secure
facility maintained by a top-tier hosting provider. Sites are protected by multiple firewalls, Host- and Network-based Intrusion Prevention Systems, load
balancing, failover equipment, a web server farm, and a database cluster for redundancy, scalability, reliability, and security.
- Secure Network Topology: EthicsPoint maintains multiple firewalls supporting standard Internet firewall technologies that meet ICSA
Firewall, IPSec, and cryptography standards to protect the EthicsPoint systems and data. EthicsPoint deploys multiple Host- and Network-based Intrusion
Prevention Systems (HIPS/NIPS) that detect and defend against attacks in real time.
- Secure Operating Environment: All EthicsPoint server configurations utilize the latest server implementations and updates. These servers
are implemented using best practices and are hardened beyond the manufacturer’s original configuration.
- Secure and Private Data: EthicsPoint protects sensitive data (passwords, credit card numbers, etc.) in several ways:
  - Encryption of the information when stored in the database (e.g. passwords),
  - Use of non-persistent cookies (cookies are never written to a user’s hard drive),
  - Requiring communication encryption between the client and our servers, and
  - Following best practices guidelines (e.g. ISO 17799/27002, OWASP).
- Security Audits: EthicsPoint’s sites are audited on a periodic basis by an outside organization. Site security is tested with automated
and manual tools to scan the web server farm for potential vulnerabilities. Process controls are tested to confirm the EthicsPoint web farm is working as
designed.
- Encryption: All communications between the EthicsPoint site and a user’s web browser are accomplished using 128-bit SSL encryption and
VeriSign™ certificates to protect confidential data. EthicsPoint does not allow clients to transfer or receive confidential information unless they are using
a validated 128-bit encrypted session.