NEWFOLD DIGITAL INFORMATION SECURITY PROGRAM OVERVIEW

Newfold Digital and our subsidiaries (“we,” “us” or “Newfold”) take the security of customer data seriously. We have implemented internal policies and controls designed to ensure that customer data is protected and is accessed only by authorized Newfold employees in the performance of their duties. Where Newfold engages third parties to process customer data on its behalf, they do so in accordance with our written instructions and under a duty of confidentiality, and they are required to implement appropriate technical and administrative measures to keep the data secure.

More specifically, Newfold maintains: confidentiality by ensuring that only people who are authorized to use the data can access it; integrity by ensuring that data is accurate and suitable for the purpose for which it is processed; and availability by ensuring that authorized users are able to access and use the data they need for authorized purposes in a timely and reliable manner.

Newfold takes a ‘defense in depth’ approach to secure data on multiple levels, including physical, network, host, software, and user account security, each as further discussed below.

Physical Security

Physical access to Newfold’s hosting environment is restricted to specific individuals and is protected by multiple layers of control:
  • Newfold servers and infrastructure are located in secure data centers where access is limited to authorized personnel, and badge access or biometric authentication (e.g., hand scanners and fingerprint readers) is required to enter the facilities.
  • Newfold servers are isolated and secured within the data center in areas dedicated to Newfold equipment only; these areas are not shared with third parties.
  • Access to data centers and hosting systems is regularly reviewed by Newfold’s data center operations team to ensure that only authorized users retain access.
  • 24×7 security guards perform random checks of the data center to ensure physical security controls have not been compromised.

Network Security

  • Newfold requires that network communications adhere to the principles of data confidentiality, integrity, and availability discussed above.
  • Newfold’s hosting environment is separated from the public Internet and from the corporate Local Area Network (LAN) by multiple next-generation firewalls, is monitored by an intrusion detection/prevention system, and is fronted by a strategically placed distributed denial of service (DDoS) mitigation system.
  • Newfold requires that information is handled with appropriate levels of encryption in accordance with our policies and standards and to comply with applicable laws.

Customer Hosted Environment Security

  • Newfold performs industry-standard security hardening efforts — more specifically, critical systems are hardened and configured per industry best practices as defined by the Center for Internet Security (CIS).
  • Newfold regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. Security updates determined to be critical to the Newfold hosting environment are tested and deployed in a timely manner.
  • Customer hosting systems and services are routinely monitored for integrity and availability. Operations staff review alerts generated by monitoring systems and respond promptly.
  • Customer hosting systems are monitored 24×7 for malicious activity.
  • Administrative access to Newfold’s infrastructure is limited strictly to authorized users and requires multi-factor authentication. Individual (non-shared) usernames and passwords are required for machine and data access.
  • Newfold adheres to strong password guidelines, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.

Software Security

  • Internally developed code is subject to Newfold’s secure coding guidelines, which include testing of functionality and business logic as well as testing for security flaws. In addition, our Change Management Policy ensures that code deployed to the production environment has been appropriately tested, reviewed, and approved.
  • We train our engineers in secure coding and secure architectural design, drawing on the OWASP Top 10, the CIS Critical Security Controls, and NIST frameworks.
  • As part of Newfold’s ongoing PCI DSS compliance, we regularly undergo security reviews, including ongoing external and internal vulnerability scanning. All vulnerabilities discovered are reviewed by internal security staff and remediated according to their severity.

Incident Management

  • Newfold has a documented Cybersecurity Incident Response Plan, a 24×7 Command Monitoring Center, and a third-party incident response firm on retainer.
  • The Cybersecurity Incident Response Plan undergoes annual tabletop testing and is updated as necessary.

Personnel Security

  • Newfold employment offers are contingent upon successful completion of criminal background and reference checks where allowed by law.
  • Upon commencing employment, all Newfold employees receive information security training and are bound by contractual confidentiality clauses to ensure that they adhere to Newfold’s commitment to security and confidentiality.
  • Newfold’s information security awareness and training programs require employees to complete annual security refresher training.

Patch Management

  • Where feasible, system components and software are protected from known vulnerabilities by applying the latest vendor-supplied security patches.
  • Newfold systems are routinely updated per vendor recommendations and industry standards.

Virus/Malware Management

  • Newfold uses up-to-date anti-malware scanning software to detect currently known malware.
  • Malware definitions are updated daily and installed as required.
  • Operations teams monitor the Newfold hosting environment 24×7 for malware infections.

Questions

Email [email protected] and we’ll get back to you as soon as we can.