ThinkSmart Platform Security

We understand that technological innovation and change means that there is increasing need for the highest levels of security. From the operational to strategic; Prevention, Detection, Protection and the Safeguarding of our customer data is always a considered and managed factor.

Our network architecture has been hardened to PCI (Payment Card Industry ) DSS (Data Security Standards) and beyond as we strive to keep ahead of the latest threats and attacks. Our specialized team of security experts operate in conjunction with third party auditors to ensure that environments remain secure, correctly managed and maintained through daily auditing, weekly reporting and quarterly full network reviews. Such is the security program in place at ThinkSmart that Security is not just considered the responsibility of one department but more so that the entire employee body engages in industry best practices. Interdepartmental testing, auditing and training all combine to put the ThinkSmart security program at the cutting edge of security standards.

Applications & Access

  • Formal code reviews and vulnerability mitigation by third parties
  • Automated code vulnerability scanning in use to ensure secure coding of TAP applications
  • Application level Advanced Encryption Standard (AES) 256 bit encryption
  • Managed Virtual Private Cloud with constant firewall monitoring
  • Key Management & Encryption Program
  • Enterprise-grade malware protection
  • Multiple authentication mechanisms

Transmission & Storage

  • Secure, private SSL 256 bit viewing session
  • Customer configurable data retention program – provide 99.999999999% durability and 99.99% availability of objects over a given year.

Hardware & Infrastructure

  • Two geo-dispersed, ISO27001, Level 1 Service Provider Payment Card Industry (PCI) Data Security Standard (DSS), SOC1, DIACAP Level 2 audited and certified data centers
  • Near real-time secure data replication and encrypted archival
  • 365x24x7 on-site security
  • Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing
  • Third-party penetration testing and external data center audits
  • Data center access restricted on a need to access basis.
    • Employees and contractors required to present identification, sign in and are escorted by security staff.
    • Access reviewed periodically
  • Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means.
  • Authorized staff utilize multi-factor authentication mechanisms to access data center floors.
  • Environmental controls such as fire detection and suppression systems, air conditioning and humidity monitoring systems, uninterruptible power supply (UPS) units, and generators are in place to protect assets located within the data centers.
  • Fire Detection and Suppression – Automatic fire detection and suppression equipment has been installed to reduce risk.
    • The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms.
    • These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
  • Power – The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility.
    • Data centers use generators to provide back-up power for the entire facility.
  • Climate and Temperature – Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.
    • Data centers are conditioned to maintain atmospheric conditions at specified levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Systems and Operations

  • Physically and logically separate networks
  • Two-factor, encrypted VPN access
  • Professional, commercial grade firewalls and border routers to ensure access is only available to those permitted
  • Distributed Denial of Service (DDoS) mitigation
  • Protection against Man in the Middle (MITM) attacks, IP spoofing, port scanning, packet sniffing
  • Active monitoring and alerting
  • Periodic patching at OS and Third Party Application level to harden system security.
    • Systems configured to search for an patch according to the latest security threats identified
  • Data protection through various encryption techniques and network design
  • PCI-DSS, HIPAA and ISO 27002 based policies and procedures, which are regularly reviewed, audited and assessed by multiple members of ThinkSmart Security Team
  • Encryption for all administrative traffic (HTTP, SFTP, SSH)
  • Employee security training program, clean desk, acceptable use and VPN usage training in place.
    • Repository of certificates of training completion stored in ThinkSmart archives
  • ThinkSmart development team undergo annual OWASP training
  • Role based access control practiced throughout the ThinkSmart hierarchy.
    • Access granted on a need to know basis and permission requests tracked and reviewed periodically
  • Systems access logged and tracked for auditing and compliance purposes. Database change logging in place for auditing
  • Secure media destruction procedures in place (According to NIST and DOD standards proceeded by shredding by certified, CCTV monitored vendor)
  • Secure document removal and destruction policies for all critical and sensitive information
  • Fully documented change management procedures in compliance with PCI-DSS standards

Policies and Procedures

  • Employee access to private data is prohibited with strict penalties applied should they do so
  • Customers retain ownership of their data
  • 24/7 monitoring, escalation procedures, disaster recovery and crisis recovery plans in place and tested periodically
  • Security program which reacts to changes in security landscape by altering company policies, procedures and controls to mitigate new risks
  • All ThinkSmart TAP application users verified by email