The SmartBen security platform includes application security, host security, encryption during transmission, and physical barriers to our server environment. Protection starts with a wide range of physical security features for the servers that host the SmartBen application and data. The hosting facility provides 24×7 security monitoring by on-premises security officers, continuous video camera surveillance, electronic motion sensors, security breach alarms and biometric access and exit sensors. Access to the servers is strictly limited to authorized SmartBen personnel.
SmartBen uses comprehensive measures to protect our clients’ data during transmission over the Internet. Access to the site requires a unique username and password. Once the user has successfully authenticated and requests information, data transfers between the client and the server are protected by 128-bit Secure Sockets Layer (SSL) encryption. SSL creates a secured connection between our web servers and the user’s browser, so that data sent in either direction is protected from unauthorized access.
The data is hosted behind a dedicated firewall cluster that provides traffic load balancing and high availability in the event of a system failure. The firewall permits only designated traffic to reach the SmartBen servers. Unauthorized system access is proactively monitored, and attack definitions are updated several times a day to protect against attacks, including the OWASP threat categories. A Unified Threat Management (UTM) system that is monitored 24×7 also protects our systems; as a third level of defense, it blocks network-based attacks and intruders at the firewall. SmartBen’s fourth level of defense is an application firewall that inspects web traffic at the application layer and monitors it for known attack vectors.
SmartBen encrypts all data on its servers, as well as its external offsite database backups, using strong 256-bit encryption. Hard drive encryption and an encrypted email system are maintained on all desktop and laptop systems to meet the highest security and HIPAA standards. Together, these elements form the highest level of security while providing our customers with ease of system use.
SSAE 16 Audited
SmartBen’s system and data facilities have successfully completed third-party examinations relating to security and data privacy. The Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, has replaced SAS 70 Type II examinations as the authoritative standard for reporting on service organizations. An independent third-party auditor conducts an SSAE examination yearly that addresses all security protocols, including physical and environmental safeguards for data centers, data availability and integrity procedures, change management procedures and logical security procedures.
SmartBen also obtains independent third-party audit opinions related to security and data privacy on an annual basis. These Service Organization Control (SOC) reports are issued under SSAE No. 16. Each year, SmartBen obtains a SOC 1 Type II report and a SOC 2 Type II report. The SOC 1 Type II report includes a third-party assessment of, and opinion on, our description of the system we use to process user entities’ transactions. The SOC 2 Type II report focuses on internal controls related to unauthorized physical and logical access to systems and data.
The above audits are widely recognized industry standards, indicating that a service organization has undergone a thorough evaluation of its control activities. Specifically, these audits focus on controls related to financial reporting, data security and operations. A Type II report includes a system description as well as detailed testing of the design and operating effectiveness of an organization’s controls. In other words, we subject our entire operation to the highest level of scrutiny by an independent examiner in order to verify that we are meeting the standards we claim to meet.