
Security threats constantly evolve, finding new ways to infiltrate networks. This email reviews the multiple security measures CTG deploys. These measures provide comprehensive, redundant protection for your hosted servers and the data within them, against threats that exist today and threats that will exist in the future.

We actively provide safeguards in these areas:
• Disaster Recovery
• Patches and Upgrades
• Strict Password Policies
• Risk Assessment
• Limiting Elevated Access

These areas require additional action from you:
• Multi-Factor Authentication
• Reviewing your employees' system access

Disaster Recovery.
SQL backups are performed on your database server every 30 minutes to enable quick recovery to a specific point in time. Those backups, along with a full snapshot of the entire server, are then backed up nightly to an offsite datacenter for DR purposes.
Your file servers do a similar point-in-time capture twice a day, and the entire system snapshot is also transferred nightly, along with all of your other servers, to an offsite datacenter. As a matter of course in daily support, files are restored from these snapshots for a variety of customers multiple times a day, and at monthly intervals an entire server snapshot is restored from offsite backups.
For speed of recovery, backups are spread across 18 dedicated backup servers to enable simultaneous restores without impacting recovery time. As tested earlier this year, we are able to run 32 concurrent restores at full speed, and even more if only a portion of a system is being restored.
Patching and Upgrade Cadence.
We maintain a 30-day patch cycle to ensure your systems stay up to date. In addition, patches marked Critical are reviewed separately the day they are announced, and fast-tracked based on severity.
Complete Risk Assessment. Know what you have and how to protect it.
Vulnerability scans are performed quarterly against both the public and internal network. We are SOC compliant, are audited annually, and have completed SSAE18/SOC1 Type 2 certification. We continue to explore new risk assessment alternatives for our customers, and will notify you if any new options become available.
Enforce a Strict Password Policy and ensure all default credentials are changed.
CTG employee accounts are subject to a password complexity policy, and their passwords expire every 45 days. Your pharmacy’s account passwords must be changed every 60 days, with the same complexity requirements.
Limit Elevated Access. Give minimum access to each username.
All CTG staff operate under a non-admin account and elevate to a separate administrator account when necessary. Admin accounts are prohibited from doing day-to-day work.

Multi-Factor Authentication (MFA).
Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. The Health Insurance Portability and Accountability Act (HIPAA) recommends using two-factor authentication and strong access controls to help mitigate security risks related to remote access to customer data.
Many of our pharmacies have already taken advantage of MFA. CTG offers MFA through software called Duo. This is a fully managed solution (in other words, we take care of implementation and maintenance) that protects your environment and ensures compromised account credentials are not used by attackers. Duo MFA supports tokens, text messages, phone calls, smartphones, and even smartwatches!
MFA Pilot Program.
We can work quickly to set up a pilot of Duo so that you can experience how easy two-factor authentication can be. Contact us today to learn how Duo works with your existing solution.
Review User Access.
CTG employee administrative accounts are reviewed by CTG in regular, short intervals. All changes to access privileges of CTG employees are logged and retained for audit purposes for one year in accordance with our SOC requirements. To help facilitate your review of your own employees, CTG can assist by providing you with tools that allow you to complete these audits easily on a regular basis. You will be able to assess your active employees, contractors and their access privileges.


Contact us today to learn more about our security measures and the suggested additional actions on your part, or visit carvajaltech.com.