Data Security Maintenance

FAQs regarding maintaining data security.

  • Are there periodic reviews via installed malware detection programs that identify any system threats?

    Yes. Systems are continuously monitored at the endpoint, network, and perimeter levels for malicious activity and threats. Vulnerability scanning is performed every 4 hours. All results are aggregated in a central Security Information and Event Management (SIEM) tool, which is configured to alert on anomalous behavior.

  • When was the last penetration test for the external-facing portal?

    The last penetration test was performed in September 2020.

  • Are security testing results available? Is there a SOC 2 audit performed on the entity? If so, is the SOC 2 documentation available?
    • The audit results are not available to the public.
    • CSBS is currently undergoing a SOC for Cybersecurity assessment. SES itself is hosted between two CSPs: Appian and AWS. Both Appian (front-end) and AWS (back-end) are FedRAMP authorized at a moderate level and have SOC 2 information available through their respective websites.
    • SES underwent an initial third-party FISMA assessment as part of its initial authorization to operate. Reassessments are performed annually.
  • Are automated input checks (error checks) to detect out-of-range values, invalid characters, missing, or incomplete data implemented?

    Yes, automated input checks are performed on a regular basis.