Echoworx Security Services
Providing credential management and encryption integration for instant implementation across all platforms.
How Echoworx Ensures Privacy and Security
Echoworx is committed to providing a high level of security, control and integrity in support of its cloud security services. To that end, Echoworx business practices are subject to independent audits covering all aspects of the business: AICPA/CICA WebTrust certification, PCI DSS and SOC 2.
- Echoworx's processes, procedures and controls for protecting the privacy and confidentiality of users' data, together with the security, availability and processing integrity of its systems, have been formally evaluated and tested by an independent accounting and auditing firm
- Assured integrity of the Echoworx Root CA
- Established key and certificate life cycle management controls
- Controls are maintained and monitored on an ongoing basis
- To view the WebTrust Seal of assurance, visit https://www.echoworx.com/about-our-team/ and click the WEB TRUST CERTIFIED link
- A full copy of the Echoworx Root CA2 Certificate Policies and Practices Statement, used as part of the annual audit process can be found here: http://www.echoworx.com/ca/root2/cps.pdf
The Echoworx Root CA is also included in Apple's root certificate program:
- Membership in a group of fewer than 100 organizations
- Ensures trust in certificates issued by Echoworx
- Subscribers can be confident that certificates issued are recognized and trusted
- Protects Apple customers from security issues related to the use of public key infrastructure (PKI) certificates
- Provides a seamless experience for users on Mac OS and iOS devices who are making secure web connections, generating secure emails and performing other PKI interactions
- Echoworx has data centers in the US, UK, Germany, Ireland, Mexico, and Canada, so customer data can be kept in-region
- All data centers are engineered and maintained to high standards, without compromising on either security or redundancy
- Data centers are SOC2, PCI DSS and ISO certified for physical, system, and operational security
- All business processes follow security best practices and limit access to customer information
- Echoworx continuously reviews the security and services provided by its data centers to maintain the best possible security for its customers
Echoworx utilizes the following encryption standards in its products:
- RSA 2048-bit asymmetric encryption
- PKCS cryptographic standards: PKCS #1 (RSA), PKCS #7 (cryptographic message syntax), PKCS #10 (certificate signing requests) and PKCS #12 (key and certificate containers)
- AES-256 symmetric encryption
- SHA-2 family hash functions
- ITU-T X.509 certificates and certificate revocation lists (CRLs)
- IETF MIME and S/MIME e-mail
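As an added example (not Echoworx code), the following Go program checks a certificate and a CRL against the profile listed above: an RSA key of at least 2048 bits, a SHA-2 signature over RSA, and a CRL whose signature verifies against its issuing CA. The CA certificate and CRL are constructed in the block with Go's standard library purely to exercise the checks; the CA name, serial numbers and validity period are assumptions, not values from any Echoworx certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile from the list above: RSA of at least 2048 bits, SHA-2 signatures over RSA (PKCS#1 v1.5 or PSS).
const MinRSABits = 2048
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
}

// CheckCertProfile rejects non-RSA keys, short RSA moduli and non-SHA-2 (e.g. SHA-1, MD5) signatures.
func CheckCertProfile(cert *x509.Certificate) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("public key is %T, not RSA", cert.PublicKey)
	}
	if bits := pub.N.BitLen(); bits < MinRSABits {
		return fmt.Errorf("RSA modulus is %d bits, below %d", bits, MinRSABits)
	}
	if !allowedSigAlgs[cert.SignatureAlgorithm] {
		return fmt.Errorf("certificate signature %v is not SHA-2 with RSA", cert.SignatureAlgorithm)
	}
	return nil
}

// CheckCRLProfile verifies the CRL signature against its issuer, then applies the same algorithm rule.
func CheckCRLProfile(crl *x509.RevocationList, issuer *x509.Certificate) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	if !allowedSigAlgs[crl.SignatureAlgorithm] {
		return fmt.Errorf("CRL signature %v is not SHA-2 with RSA", crl.SignatureAlgorithm)
	}
	return nil
}

// IsRevoked reports whether serial is listed in the CRL.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// NewTestCA builds a constructed self-signed CA (not an Echoworx certificate) to exercise the checks.
func NewTestCA(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), SignatureAlgorithm: alg,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: needed by CheckSignatureFrom
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestCRL issues a CRL from the test CA that revokes one serial number.
func NewTestCRL(ca *x509.Certificate, key *rsa.PrivateKey, alg x509.SignatureAlgorithm, revoked int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), SignatureAlgorithm: alg,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

func main() {
	ca, key, err := NewTestCA(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	crl, err := NewTestCRL(ca, key, x509.SHA256WithRSA, 42)
	if err != nil {
		panic(err)
	}
	fmt.Println("cert:", CheckCertProfile(ca), "| CRL:", CheckCRLProfile(crl, ca), "| 42 revoked:", IsRevoked(crl, big.NewInt(42)))
}
```

Both checks return nil for the 2048-bit, SHA-256 test CA. Calling NewTestCA(1024, x509.SHA256WithRSA) still produces a certificate (Go accepts 1024-bit keys), but CheckCertProfile rejects it on modulus size; a CRL signed by a different key, or one whose issuer lacks the crlSign key usage, fails CheckSignatureFrom before the algorithm rule is even reached.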
Echoworx delivers its encryption services from a layered, segregated infrastructure.
Cloud-hosted components are deployed and operated in certified, secure tier one datacenters.
Service components are deployed into layered physical security zones, with direct public access restricted to the outermost zone only. Front-end access services are separated from mid-tier operational components, which in turn are separated from the most sensitive information assets, such as private key material and hashed access credentials.
Segregation between zones is enforced by multiple firewalls configured with strict policies.
Intrusion detection systems are deployed with real-time alerts that notify personnel of any issues.
Policy and Procedure Highlights
Examples of the Echoworx policy and procedures are highlighted below:
Echoworx maintains a corporate security policy which is published and communicated through the employee security awareness program. The policy defines the objectives, scope, intent and principles of information security and ensures compliance with regulatory requirements.
In particular, the security policy addresses the following areas of information security:
- Compliance with regulatory, legislative and contractual requirements
- Guidance for security training requirements of staff
- Computer security to reduce weaknesses and exposures, e.g. to prevent software viruses or malicious software and to protect against data loss
- Business continuity and responsibility of management and staff
- Compliance enforcement and consequences of policy violations
The Echoworx Information Security Management System (ISMS) is based on a continuous improvement model:
- Creating policies, procedures and standards to sustain physical and logical security in the Echoworx facilities
- Performing annual risk assessments to identify security implications and security control requirements
- Engaging external auditors to evaluate and report on controls and any weaknesses
- Addressing security requirements and responsibilities in contracts and procedures between parties
- Updating policies, procedures and standards based on the results of the risk assessments and audits
All critical security operations take place within a physically secure facility with at least four layers of security to access sensitive hardware or software. Sensitive system components are physically separated from the organization’s other systems so that only authorized Echoworx employees can access them.
Physical access to the system is strictly controlled and is subject to continuous (24/7) electronic surveillance monitoring. Only vetted individuals with a valid business need are granted access. The access control system is continuously operational, and electronic badge readers are used in addition to biometric authentication.
All Echoworx security systems have industry standard redundant power and air conditioning systems to provide a suitable operating environment.
All Echoworx security systems have reasonable precautions taken to minimize the impact of water exposure. All security systems have industry standard fire prevention and protection mechanisms in place.
Waste is disposed of in accordance with Echoworx waste disposal requirements. Cryptographic devices are physically destroyed or zeroized in accordance with the manufacturers’ guidance prior to disposal.
Echoworx has a business continuity and disaster recovery plan designed to minimize, and where possible eliminate, outages following interruptions to, or failure of, critical business processes and systems.
Echoworx services are fully redundant within any given geographical region and data is replicated in real time for disaster recovery.
The effectiveness of the business continuity and disaster recovery plans is tested at least once a year using appropriate methods.
Root Certificate Authority key management, including generation, protection and destruction, and subscriber key management, including subordinate key generation, storage, backup, recovery and destruction, are performed by a Luna C3 Hardware Security Module (HSM). The device is compliant with FIPS 140-2 Level 3 and has been validated to Common Criteria Evaluation Assurance Level 4+ (EAL 4+).
Echoworx services are delivered utilizing a globally recognized and trusted data centre service provider, which has achieved the following audited accreditations:
- Payment Card Industry Data Security Standard (PCI DSS) – compliant Level 1 Service Provider
- SSAE 16 SOC 2 Type II (replaces the legacy SAS 70 audit)
Security roles and responsibilities for the Echoworx team are documented in detail in company job descriptions. Verification checks on key Echoworx staff members are performed at the time of job application. Echoworx policies and procedures specify that background checks and clearance procedures are required for the personnel filling the trusted roles, and other personnel. All Echoworx employees are required to sign a confidentiality (nondisclosure) agreement as part of their initial terms and conditions of employment.
Contracted personnel controls include the following:
- Bonding requirements on contract personnel
- Contractual requirements including indemnification for damages due to the actions of the contractor personnel
- Audit and monitoring of contractor personnel
All Echoworx employees and contracted staff receive appropriate training to raise awareness and achieve compliance with corporate security policies. This training is aligned with clear role based compliance and training requirements.
A formal disciplinary process exists and is followed for employees who have violated organizational security policies and procedures. Echoworx policies and procedures specify the sanctions against personnel for unauthorized actions, unauthorized use of authority, and unauthorized use of systems. Appropriate and timely actions are taken when an employee is terminated so that controls and security are not impaired by such an occurrence.