Employee Navigator utilizes Rackspace as a subservice organization that provides datacenter and hardware co-location services for the Employee Navigator platform. The subservice organization provides security and environmental controls for the Employee Navigator platform. These controls include providing security equipment, recording and monitoring physical access to the Employee Navigator platform systems, as well as providing environmental controls including power, cooling, flood control, fire suppression and detection. Rackspace also provides the infrastructure supporting the application layer, including: physical and virtual network, storage, computing, operating system, and managed security services.
In an effort to provide Employee Navigator customers with a high level of comfort regarding the security of the data we are entrusted with, we recently successfully completed our first SOC2 Type II audit. A copy of the report can be provided upon request.
Employee Navigator’s Chief Executive Officer (CEO) and Chief Technology Officer (CTO) provide oversight of the direction and objectives for Employee Navigator in accordance with security and availability.
The control environment for Employee Navigator reflects the philosophy of senior management with respect to the importance of proving the most secure and resilient HRIS platform for customers. The commitment to security and availability is demonstrated by Employee Navigator’s security policies, which establish the operating and control framework for Employee Navigator. The development of these policies has taken into consideration industry standards and best practices for security and availability and has been reviewed and approved by the Executive Team. They are enforced by the CTO and Director of IT Security. These policies have been published and communicated to all members of the Employee Navigator Team and is supported through the investment in resources, people, and technologies required for implementation and enforcement.
Employee Navigator follows a strict, formalized hiring practice verifying all potential new employees are qualified for the responsibilities of their job function. Employee Navigator conducts background checks, via a third-party vendor, on all new employees.
Employee Navigator has a Director of IT Security dedicated to protecting and monitoring the security posture of Employee Navigator. The Director of IT Security works in concert with the CEO and CTO to ensure controls are in place and operating effectively.
Access to any and all Employee Navigator resources is tightly controlled and users are only granted access based on minimum level of access required to perform their role. Physical access to the data center and Employee Navigator infrastructure is managed by Rackspace and expressly prohibited.
Network Access is controlled based on an implicit “deny all” network access control strategy. Network access controls have been implemented at all layers of Employee Navigator to allow only required traffic and deny all other network traffic. Perimeter firewall appliances control all ingress and egress network traffic to/from the datacenter and VPN appliances control access to the Employee Navigator systems and internal resources. Employee Navigator customers are only permitted to access their assigned application environment, and all other access is denied.
The Employee Navigator platform technical configurations, supporting security and platform operational capabilities, and procedures provide the required tools and processes to capture and monitor system activity throughout. Key Employee Navigator components have auditing and logging facilities enabled and configured to capture system events, generate log files, and send log files to the centralized system information and event management software for correlation, analysis, and alerting. The data center managed security services team utilize a variety of security tools to identify and detect potential security threats and incidents, including but not limited to, firewall logs, VPN appliance logs, ID alerts, malware alerts, vulnerability assessments, and operating system event log files. These alerts and notifications are analyzed and security engineers respond as necessary 24 hours a day, 7 days a week.
The data center and hardware co-location provider provides daily backups of systems and data via disk to disk replication and backup techniques to an alternate disaster recovery site.
The Employee Navigator application is data-driven and licensees are responsible for uploading and managing their own data within the application. Customers are able to upload their data via HTTPS. Data sent from Employee Navigator to carriers is sent via protocols they define. The protocols available include PGP email, File Transfer Protocol – Secure (FTPS), and Secure File Transfer Protocol (SFTP) providing encryption for all data in transit.
The Employee Navigator team does not access data provided by licensees through administrative and support activities unless explicitly requested by the customer. Employee Navigator does not perform any data classification on behalf of licensees. All licensee data is classified equally as sensitive. Employee Navigator does not share customer data stored in Employee Navigator with external third-parties, unless requested by the customer or required by law.
In connection with efforts to adhere to and maintain a controls environment appropriate for Employee Navigator services to entities that may have specific regulatory obligations as covered entities under the Health Insurance Portability and Accountability Act (HIPAA) as amended by the HITECH Act of 2009 (ARRA Title XIII), Employee Navigator has undertaken an internal review and will be documenting its controls environment as a potential Business Associate. Employee Navigator has undertaken, where appropriate, to provide and document its control environment to meet the substantive requirements of the security rules for clients concerned with these issues.
The documentation, is not a representation of a substantive policy statement for Employee Navigator but rather seeks to provide an overview of measures and processes that Employee Navigator has undertaken in efforts to conform its practices with requirements certain customers may desire in connection with the purchase of Employee Navigator services. Employee Navigator is not a health plan, covered entity, clearinghouse or governmental entity.