-
Crystal D performs information security risk assessments through their insurance provider using the E-Risk Services LLC web portal.
-
Crystal D performs vulnerability scans of devices connected to its network via a dedicated firewall hardware platform. In addition, the workstations on the network have their own client-based antivirus, Webroot SecureAnywhere. At the application level, unsuccessful access attempts are logged and sent to our IT staff for further investigation.
-
Crystal D retains personally identifiable data for no more than 30 days. We encrypt PII data at rest using industry-standard encryption algorithms. PII data subjects have the right to request a portable copy of the data collected by our applications in a common format, and the right to have their data erased under certain circumstances. We do not share PII with any outside resources or third parties.
-
Crystal D maintains logs that document major changes to its IT environment via internal documentation written in electronic forms (Word and PDF). For example, when there is a new server, a new third-party cloud service provider, or any system or network related change, IT documents the information in an electronic form (Word and PDF). In addition, we use a version control system (git), complete with changelogs, to document changes to application code.
-
Crystal D applies security updates from Microsoft to its workstations and servers on a monthly basis, keeping them up to date. Code-based vulnerability updates are done on an as-needed basis.
-
Crystal D has a dedicated firewall hardware platform, SonicWall, that includes a gateway anti-virus which monitors for malicious activity on the network. In addition, the users’ workstations have their own client-based anti-virus, Webroot SecureAnywhere, which automatically scans for and detects malicious threats.
-
The general overview of actions we’ll take on any incident involving a data breach or leak includes the following, not necessarily in this order:
1. Locking down the system for analysis.
2. Detecting what was compromised.
3. Informing all parties involved that a data breach has occurred.
4. Making all attempts to recover and restore compromised data if necessary.
5. Patching the vulnerability or any other security holes.
6. Documenting in detail the vulnerability and the evidence that supports it. Also documenting the remediation actions and the associated corrective process/system controls that were implemented.
-
Our data is backed up every day with a 28-day retention period using Veeam. The PII contained in the backups is protected with the same encryption algorithms as our primary data sources.
-
On publicly accessible endpoints, Crystal D maintains security through IP filtering and HTTP basic authentication with authorization keys (JWT or otherwise). All public endpoints use SSL encryption for incoming and outgoing traffic. All authorized access is logged in a secure database.
-
Crystal D holds annual information security awareness or cyber security training for all of its employees. All employees attending the training must sign an attendance sheet. Quarterly tests are conducted to periodically test trained employees on our protocols.
-
All access and permissions to network directories are controlled. Internal application user permissions and user groups are used to control access to various data. An employee who needs access must be authorized by senior management before permissions are granted.
-
All of Crystal D’s servers, network storage, and network devices are located in a secured, climate-controlled server room that is accessible only to authorized personnel. All building access doors are secured with a key tag system.