Information Security Policy
CrossCheck Inc. maintains a written Information Security policy that defines employee responsibilities and acceptable use of information system resources. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before providing authorized access to CrossCheck Inc. information systems. This policy is periodically reviewed and updated as necessary.
Our security policies cover a wide array of security-related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications, equipment and information systems.
Information security roles and responsibilities are defined within the organization. The security team focuses on information security, security auditing and compliance, as well as defining the security controls for protection of CrossCheck Inc.'s hardware infrastructure. The security team receives information system security notifications on a regular basis and distributes security alert and advisory information to the organization on a routine basis after assessing the risk and impact as appropriate.
CrossCheck Inc. follows the ISO 27002 & NIST Cybersecurity Frameworks with layered security controls to help identify, prevent, detect, and respond to security incidents. The Chief Information Security Officer is also responsible for tracking incidents, vulnerability assessments, threat mitigation, and risk management.
Physical & Environmental Security
CrossCheck Inc. has policies, procedures, and infrastructure to handle both the physical security of its data centers and the environment in which the data centers operate.
Our information systems and infrastructure are hosted in data centers that are geographically dispersed to provide high availability and redundancy to CrossCheck Inc. and its customers. The standard physical security controls implemented at each data center include, but are not limited to, electronic card access control systems, fire alarm and sprinkler systems, and interior and exterior cameras. Physical access is centrally managed and strictly controlled by Information Systems personnel.
CrossCheck Inc. continually supports the latest recommended secure cipher suites and protocols to encrypt data at rest or in transit. We monitor the changing cryptographic landscape closely, work to upgrade our products in response to new cryptographic weaknesses as they are discovered, and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients or encryption protocols.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords to protect against unauthorized use of passwords.
Business Continuity and Disaster Recovery
To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at all our locations. This program includes multiple components to minimize the risk of any single point of failure. For business-critical applications, application data is replicated to multiple systems within the data center and to a backup site.