Is Your Records Request Management Vendor Secure?

Security should be a top priority for your agency. You set up firewalls, install antivirus protection, secure the network and devices, and ensure strong passwords for users. While you are doing everything in your power to manage the security of your systems, both physical and cloud-based, it is important to make sure you are properly evaluating new and ongoing vendors.

Here at CivicPlus®, security is our top priority, too. We have best-in-class security, compliance, and data protection for our customers, including mapping to CJIS & HIPAA Security Rule controls and a SOC 2 Type II security audit. Rest assured, knowing your data is safe with NextRequest. It is important to make sure you have the same confidence in all your vendors.

Learn more about the security behind the security.

Why is Vendor Security Evaluation Important?

The number of cloud-based services used by organizations has gone up 15 percent year-over-year, according to McAfee. They report the average organization uses around “1,935 cloud services… most think they use only 30.” While your government agency may or may not use upwards of 2,000 cloud services, chances are you are using more than you think. Regardless, that number will only increase over time.

There is too much sensitive information out there not to be deliberate about how you choose vendors. It is critical that you make sure your vendors are secure and that they work diligently to stay ahead of developing threats. At CivicPlus, all of our employees are trained on data security best practices to ensure the utmost safety of our customers’ data. We make security not just a standard but a priority.

What Your Government Should Look for in a Vendor

Evaluating your current and future vendors might be a tedious process, but it will increase the health of your cybersecurity. To make the job a little easier, we created a checklist of what to look for in a vendor. This can serve as a base for your evaluations, but you know best what your needs are. For additional help preparing criteria, check out this guide from Atlassian, or UC Berkeley’s assessment questionnaire.

Vendor Assessment Checklist

1. Ensure that your third-party vendor conducts regular security assessments.
   For Example, CivicPlus’ NextRequest solution follows regular updates for security vulnerabilities and updates the codebase as appropriate. And our architecture allows security updates to be made to all customers in real-time, preventing delays in the patching of security vulnerabilities.
   ‍

2. Make sure vendors have written information security policies and procedures in place.
   For example, You can find a list of our security measures here.
   ‍

3. Verify that your vendors encrypt data in transit, including data stored on laptops, external hard drives, and application databases.
   For example, The NextRequest application uses AES-256 encryption and encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally, all data is encrypted at rest and in transit.
   ‍

4. Check that vendors enforce role-based access for information systems that contain PII.
   For example, the NextRequest production database is hosted on Heroku, and developers use two-factor authentication for accessing the Heroku platform. Individual NextRequest users interact with the database at the application level, where access is controlled through role-based permissions. Any interactions with the database happen through common web forms within the application.
   ‍

5. Ensure that third-party vendors have a disaster recovery program in place.
   For example, We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.
   ‍

6. Look for vendors that have industry-leading security certifications or attestations (SOC 2, Type II).
   For example, NextRequest has successfully completed a SOC 2 Type II audit. This third-party audit evaluates our internal controls, policies, and procedures and reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy of our services.

How CivicPlus Makes Security a Priority

Security is embedded into the fabric of our organization. These are the measures we take within our NextRequest solution to guarantee the security behind our FOIA software product.

CivicPlus’ Internal Measures for Security of our NextRequest Solution

• Code Access: Access to the NextRequest codebase is limited to NextRequest employees. Employees must authenticate before accessing or changing any code within the codebase. Any changes to the production or development environment are logged; these logs include a timestamp and the user name of the person making the change.

• Individual Computers: All individual computers are password protected, and employees must encrypt all the data on their individual computers. Any lost or stolen computers are reported immediately. Additionally, all employees are required to use two-factor authentication.

• Application Access: Access to NextRequest is limited to administrators and members of the development team, which is logged by user name and the time of the access.

• Database Access Controls: Access to the NextRequest production database and backups is limited to NextRequest developers. Each developer has unique login credentials, and access to the database is logged in the database log files. The NextRequest production database is hosted on Heroku, and developers use two-factor authentication for accessing the Heroku platform. Individual NextRequest users interact with the database at the application level, where access is controlled through role-based permissions. Any interactions with the database happen through common web forms within the application.

• Confidentiality Agreements: All employee contracts include a confidentiality agreement.

• Background Checks: All NextRequest employees undergo comprehensive background checks.

NextRequest’s External User Security Protocols

In addition to our internal standards, we adopt the following standards for users accessing NextRequest.

• User Authentication: Users accessing the system must authenticate through a standard user name/password challenge. All user passwords are encrypted at rest. Randomly generated tokens that expire are used for password resets. Additionally, user access is controlled at the application level by the use of application roles. Each user is assigned a specific role, which is used to allow read, edit, and delete access to actions within NextRequest.

• Two-Factor Authentication: Two-factor authentication can be turned on by application administrators to improve security at the user level.

• Single Sign-On (SSO): NextRequest can add SSO integrations, including Active Directory and OAuth, to improve password security and access controls across the enterprise organization.

• Password Complexity Standards: Password strength is tested at creation, and common passwords, as well as passwords below the length limit, are denied. Additionally multiple incorrect authentication attempts result in the account being locked. We enforce strong passwords based on the NIST 800-63B guidelines.

NextRequest Compliance: Policy and Controls

• SOC 2 Type II Audit: NextRequest has successfully completed a SOC 2 Type II audit. This third-party audit evaluates our internal controls, policies, and procedures and reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy of our services.

• CJIS: NextRequest maps to Criminal Justice Information Services (CJIS) security controls.

• Encryption: The NextRequest application uses AES-256 encryption and encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally, all data is encrypted at rest and in transit.

• Codebase: The NextRequest codebase is built on the latest version of Ruby and Ruby on Rails, one of the most common and well-documented modern web development languages and frameworks. Ruby and Ruby on Rails provide robust internal tools to mitigate common attack patterns such as SQL injection and cross-site scripting (XSS). NextRequest follows regular updates for security vulnerabilities and updates the codebase as appropriate.
  NextRequest employs Github to manage all code that comprises the production platform securely. GitHub provides collaboration, distributed revision control, and source code management functions. NextRequest uses an agile development process with frequent, incremental testing and changes, rather than large-scale infrequent releases.
  NextRequest uses GitHub and makes changes to its repositories via GitHub Pull Requests (PRs). All code is tested in a development environment prior to deployment to the production platform. Code changes are peer-reviewed and approved. Logs of changes are stored in Github, with the ability to revert to prior versions easily.

• HTTPS and SSL: All web requests between web clients and NextRequest are secured by TLS (Transport Layer Security) version 1.2. TLS is an industry-standard that is used by millions of websites to secure web transactions.

• Monitoring: NextRequest contains several layers of monitoring at the application level. NextRequest uses two services for monitoring performance and error tracking. Errors are logged within the application, and NextRequest administrators are immediately notified when errors do occur. Standard application logs are collected daily and weekly. Individual user access is logged within the application and kept in application logs.System status reports are available 24/7 here.

• Auditing and Scanning: Our codebase and all dependencies are scanned for vulnerabilities every time we make changes. Additionally, we perform weekly automated vulnerability scans of every part of our application, which includes checks for SQL injection, XSS, and other common attack vectors. Logs are secured and archived for one year.

• PCI Payment Processing: All payments are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.

• Data Deletion/Destruction: At the request of a customer, we will expunge all customer data from NextRequest servers.

• Real-Time Security Updates: NextRequest’s architecture allows security updates to be made to all customers in real-time, preventing delays in the patching of security vulnerabilities.

NextRequest Infrastructure You Can Trust

• Application Security: NextRequest servers and databases are hosted on Amazon, which implements industry-leading physical, technical, and operational security measures. Amazon has received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization. Accreditation from the U.S. General Services Administration, and is SOC-compliant. Amazon’s infrastructure is suitable to host CJIS, FIPS, FedRAMP, and FERPA-compliant applications.More on Amazon’s compliance.

• Storage Security: NextRequest uses Amazon S3 to store customer image assets and documents. S3 is an industry-leading simple storage service that offers software developers a highly scalable, reliable, and low-latency data storage infrastructure. Access to resources within Amazon S3 is controlled through Access Control Lists (ACLs) and query string authentication.More on Amazon Web Services compliance and security.

• Reliability: Your data is backed up daily, weekly, and monthly to ensure your data remains secure and protected.

• Data Center Security: Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.

• Redundancy: Our platform maintains redundancy to prevent single points of failure, is able to replace failed components and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images, and data is restored from backups.

• Disaster Recovery Plan: We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.