360factors provides enterprise risk management solution, compliance management system, BSA/AML and HDMA compliance, internal audit, information security and various other services
The infrastructure supporting the 360factor’s System resides at Microsoft Azure Networks hosted in the cloud in South Central Zone of US territory.
360Factors Azure cloud is protected and monitored by Microsoft Azure Security Center which provide all the information Learn More
Alerts are sent to 360Factors NOC team for any security breach through Microsoft Security Center
To prevent unauthorized access to the 360factors Microsoft Azure production network, the encrypted Microsoft Azure VPN connection is used for remote access to the 360factors’s systems.
A Cloudflare WAF IPS and IDS is implemented in Production network to prevent and detect network intrusions on 360factors Predict360 app. The Cloudflare Web Application Firewall iSensor IPS monitors the network at the data center, which forwards logs and notifies IT personnel of blocked or attempted intrusions attempts.
360factors has implemented a TimeTrax key code access system to restrict physical access to the facility. Access to certain doors and areas within the facility is provisioned based on job responsibilities and access reviews are conducted semi-annually. A third-party alarm company monitors the facility 24 hours a day and notifies Management and the proper authorities if an incident is detected.
The following provides a summary of systems used to deliver the System:
Zabbix – used to aggregate and analyze syslogs and events from production servers and network equipment.
Microsoft Azure Network Security Center – used to aggregate and analyze syslogs and events from production servers and network equipment, as well as identify potential threats to the systems.
Microsoft Endpoint Protection– used as an antivirus solution on production systems and workstations throughout the environment.
Microsoft Azure – used to manage virtual server infrastructure and simplify backups.
Linux Centos 7, Windows Server 2008 RS and Windows Server 2012 R2 – operating systems on production servers.
Microsoft Windows 7, Windows 8, and Windows 10 – workstation operating systems.
People involved in the operation and use of the system are:
President/Vice President – responsible for leading the organization and managing the day-to-day operations of the 360factors.
CIO – responsible for the IT infrastructure for the organization. Manages policies, compliance, and all IT-related activities for the 360factors.
IT Staff – responsible for providing day-to-day IT operations. Provides internal and external customer support of applications and systems and ensures that systems are maintained and operating as expected.
Check Deposit Processing software QuickBooks – responsible for processing check image deposits, making necessary adjustments and balance transactions for item collection in daily cash letters, handling of exceptions and returned items, and answering calls from credit unions.
Accounting – responsible for the daily maintenance of general ledger balances, including cash held for other’s accounts, operating cash, accounts receivable, accounts payable, fixed assets, and prepaid expenses; reconciliation of balance sheet accounts to subsidiary ledger balances; assisting in budget preparation; and participation in the formation of policies and procedures.
The 360factors Management maintains documented operating procedures and policies involved in the operation of their systems including:
-Information Security Policies and Procedures including:
- Change Control
- Data Classification and Control
- Data Retention and Disposal
- Paper and Electronic Media
- Firewall and Router Security Administration
- System Configuration
- Special Technologies Usage
- Software Development
- Incident Response Plan and Procedures
- Employee Identification
- Logging Controls
- Security Awareness and Acceptable Use
- Risk Assessment
-Check Proofing Requirements (client-specific)
Control activities have been placed into operation to help ensure that actions are carried out properly and efficiently. Control procedures serve as mechanisms for managing the achievement of control activities and are a part of the process by which the 360factors strives to achieve its business objectives. the 360factors has applied a risk management approach to the organization in order to select and develop control procedures. After relevant risks have been identified and evaluated, controls are established, implemented, monitored, reviewed, and improved when necessary to meet the applicable trust services criteria and the overall objectives of the organization.
The 360factors control procedures, which have been designed to meet the applicable trust services criteria, are included in Section 4 of this report to eliminate the redundancy that would result from listing the procedures in this section as well.
The 360factor’s data is generally provided by its member institutions and is controlled by the Data Classification and Control and Data Retention and Disposal Policies. Sensitive and confidential data is to be retained only as long as required for legal, regulatory, or business requirements and logical access to data is configured to deny all by default and provisioned based on job responsibilities.
Confidential data electronically transmitted to or by the 360factors to or from its member institutions and third-party clients is transferred via an SFTP site or Microsoft office365 secure email.
System boundaries, pertaining to collection, use, retention, disclosure, and disposal or anonymization or personalization of data, are governed by contract provisions for particular service engagements. Data is not utilized or disclosed to third parties outside of the scope allowed in such contracts and agreements.
We developed standards to help guide our business units in the optimal use of Recovery Services vault. This included preventing using Recovery Services vault in situations that wouldn’t serve the business groups’ needs. Among the standards we set, the most important included:
- Take full backup every day in off peak hours of all 360Factors Productions\QA servers.
- A 35-day retention period for data. This retention length gave us the best balance between acceptable recovery scenarios and the most efficient use of Recovery Services vault storage and the associated costs.
- Treat all data as high priority and high impact. This standard ensures that we’re using sound backup and recovery practices. Nothing gets treated with less security than it should.
Microsoft Azure created a set of service level agreements (SLAs) for data protection that our business groups could use as a basis with respect to protecting their data. These SLAs provide the business groups with best practices that they are free to adopt. These SLAs included:
- 98 percent backup success. 98 percent of all backups will be completed successfully with one recovery point per day for 35 days.
- 100 percent recovery success. All recoveries will be completed. We didn’t establish recovery time objectives, but we guaranteed that recovery processes would be started within four hours of the restore request.
360Factors uses Geo-redundant storage for Production servers’ backups and for live data:
360Factors uses Azure Geo-redundant storage (GRS) which is designed to provide at least 99.99999999999999% (16 9's) durability of objects over a given year by replicating 360factors data to a secondary region that is hundreds of miles away from the primary region., 360Factors data is durable even in the case of a complete regional outage or a disaster in which the primary region isn't recoverable.
Management is involved with day-to-day operations and is able to provide personnel with an understanding of their individual roles and responsibilities. This includes the ability to provide necessary training so that personnel understand how their daily activities and roles relate to the overall support of services.The 360factor’s Management believes that open communication throughout the organization ensures that deviations from standards are identified, reported, and appropriately addressed.