Transcription
LawStudio’s Security ModelProtecting Your DataLawStudio powered by Veritext
The LawStudioSecurityModelIntroductionInformation security and privacy are built into the fabric ofeverything we do at Veritext. Helping to protect theconfidentiality and integrity of your data is a core part of ourmission. This document provides an overview of the systemscontrols implemented in LawStudio and all of our securitypractices. All Veritext facilities and systems are compliant with thehighest security standards, including HIPAA and PII.The LawStudio Security ModelHIPAA, PIISSAE-16CompliantData security in LawStudio is implementedat two layers and ensured from a processperspective by Veritext’s companyconfidentiality policy.The first is the foundational InfrastructureLayer, wherein data is stored and movedthrough the computing and storage systems.Here, LawStudio utilizes strong dataencryption, both at rest and in transit toprotect against unauthorized access to thedata without authenticated, auditableprivileges.The second layer is the Application Layer,wherein data is processed and presented toauthorized individuals based on privilegesdetermined by the client.Both of these system implementation layersare supported by our confidentiality policy(in which all Veritext employees are trainedto and held to) and prescribes practicesdesigned to ensure protection of your datain the course of developing, maintaining anddelivering our products and services. Theschematic (right) illustrates this model, andthe following sections provide more detailon the security layers and the policy aroundthem.LawStudio’s Security Model Protecting Your DataCONFIDENTIALITY POLICYLawStudio Application LayerTHE LAWSTUDIO SECURITY MODELAccessControlRightsMonitoringLawStudio Infrastructure LayerComputingNetworkStorageFacilitiesLawStudio powered by Veritext2
SecurityWithin theInfrastructureLayerComputing security isimplemented via bestpractices for operatingsystem configuration. Allcomputing devices areconfigured for access onlyby authorized, auditableadministration staffoperating underVeritext’s confidentialitypolicy. All servers areprotected by the latestvirus and malwareprotection andmaintained at the mostrecent viable securitypatch level. Client data isnot stored at thecomputer layer, and alldata is managed inprotected storagesubsystems.Security Within the Infrastructure LayerIn the Infrastructure Layer, security is built into the wayscomputing devices (i.e., servers) are accessed and protected, howthe network allows communication between devices and how ittransmits data, how storage systems protect transient andpermanent data as it is stored, and how all of the physicalcomputing, network and storage devices are protected within thefacilities in which they are hosted. While LawStudio leveragesVeritext’s dedicated technology infrastructure as well as Amazoncloud hosting services, the following implementation of thesecurity policy is maintained throughout the Infrastructure Layer.Network security isimplemented via bestpractices for external andinternal network controls.Within the internalcomputer and storagenetwork, only identifiedhosts and application portsare permitted to traversethe network as configuredin firewalls and virtualhosting configurations. Inaddition, for both theexternal (i.e., connectingwith clients via theInternet) and internalnetwork, data is encryptedin transit to ensure thataccess to data “on thewire” is protected. Externalclient and agent accessis always carried via thesecure-socket layer (i.e.,HTTPS) protocol.LawStudio’s Security Model Protecting Your DataStorage security isimplemented for allclient files via strongencryption, with accesscontrol implementedwithin the ApplicationLayer (See “AccessControl”). Data isencrypted at rest usingthe AES-256 bit encryption standard.Facilities security isassured in Veritext’sinternal hostingenvironment via acontrolled accessdedicated cage in aCenturyLink Tier IV,SSAE-16 compliant datacenter. Subsystems thatare hosted in theAmazon Web Servicescloud environment areequally protected viaAmazon’s strong facilitiescontrols. Moreinformation on Amazon’sstrong facilities controlscan be found athttp://aws.amazon.com/security.LawStudio powered by Veritext3
SecurityWithin theApplicationLayerSecurity Within the Application LayerIn the Application Layer, security is built into the ways access todata by a client is controlled, the ways that clients can managerights to different sets of data, and how access to the applicationand systems is monitored.Access Control within LawStudio isimplemented both for clients accessing thesystem, as well as across subsystems andservices that make up LawStudio. For clientsusing LawStudio, usernames and passwordsare stored in an encrypted fashion usingSHA-256 (SHA-2). User login is required inorder to obtain a token for a session, whichallows a user to access LawStudio resources forthe duration of the session.Once the user logs in, the session tokenremains active as long as there is user activity.The token is removed when the user logs out,or if their is no user activity for fifteen minutes.For subsystem communication, LawStudioimplements a stateless REST API to integratesystems. A component needs to authenticatethe user first with the LawStudio Service beforethe user can use any of the LawStudio RESTservices. A component authenticates a userwith LawStudio by calling a REST service withthe user’s login name and password. Aftersuccessful authentication, a token is returned.This token is passed in all the subsequent RESTcalls to LawStudio for any operation performedby the component on the user’s behalf.Rights Management within LawStudiois designed to allow the client control overwhich artifacts (i.e., documents, multimediaobjects, etc.) can be accessed by users withinthe system. In addition, for documents withannotations, a client can specify whether thoseannotations are publicly available to those whohave access to a published copy of thedocument, or are for the client’s internal useonly. Training material for LawStudio describeshow to set up users and rights. For moreinformation, see: http://help.lawstudio.com/knowledge base/categories/shared-workspaces.For publishing documents to colleagues outside ofLawStudio, a client can provide access to selecteddocuments via a password protected link withtime-expiration to provide secure, efficient accessto the documents.Close and rigorous Monitoring of theLawStudio system ensures that the controls andpolicies are truly effective and that new andemerging threats do not compromise datasecurity and integrity. Active monitoringincludes the use of systems and network toolsthat alert Veritext staff to unexpectedconditions in systems access and utilization, aswell as systems and subsystem faults that mayindicate an underlying problem. In addition, accessaudit logging is enabled throughout the system toensure that potential unauthorized access can bequickly assessed and resolved.
VeritextConfidentialityPolicy &ProcedureVeritext Confidentiality Policy & ProcedureUnderpinning the design, implementation and support forLawStudio is the Veritext Confidentiality Policy. The policydelineates responsibilities around information privacy andsecurity for all employees, as well as general and security-specificmanagement roles. While the policy itself is an internal policydocument, the specific scope of the policy includes:General informationsecurity controls including:Computerencryption andstrong mobile devicecontent managementEmployeecomportment andidentificationNetwork security,including firewall,Web filtering and virusand malware defenseAcceptable use of computersystems and confidentialtreatment of client andcompany dataLawStudio’s Security Model Protecting Your DataSecurity managementprotocols, including:Procedures to report,assess and trackresolution of potentialdata privacy issuesAnnual auditsfor policycomplianceAssurance of physicalsecurity at all Veritextoperational locationsLawStudio powered by Veritext5
Protectionof DataIntegrity &AvailabilityFor high-availability infrastructure, allclient data is stored on resilient,high-performance storage array withinhardened Tier IV hosting centers (See“Facilities” in “InfrastructureLayer”) High availability is achievedthrough redundant components (i.e., diskdrives, controllers) to ensure that data isnot lost even if specific components inthe storage subsystem fail. As a safety netin assuring data availability, databasebackups are performed to capture allchanges. This data is backed up to tapenightly and stored offsite. Data storedwithin Amazon’s infrastructure is highlyredundant and backed by a 99.99%availability SLA.Protection of Data Integrity & AvailabilityVeritext ensures that your data is not only secured for access onlyto authorized individuals, but also works hard to ensure that it isalways available for your access. There are two aspects of dataintegrity and availability assurance: The first is high-availabilityinfrastructure and the second is a sound recovery posture.Amazon’sinfrastructure isbacked by a99.99%availability SLAAdditional Questions?For any additional information orquestions about any of Veritext’ssecurity practices, please contact usat [email protected]’s Security Model Protecting Your DataLawStudio powered by Veritext6
About UsAbout LawStudioPart legal support software, part secure Cloud storage, LawStudio isan online workspace where law firms can organize and build theircase in a user-friendly collaborative environment.www.lawstudio.comEmail: [email protected]: 844.224.0330About Veritext Legal SolutionsVeritext provides superior court reporting and litigation services tothe legal industry with a proven track record of industry excellence.Veritext is the established leader in technology-driven deposition andlitigation support services for law firms and corporations.www.veritext.comHeadquarters290 West Mount Pleasant AvenueSuite 3200Livingston, NJ 07039Tel: 800.567.8658LawStudio’s Security Model Protecting Your Data 2015 LawStudio, Veritext Legal SolutionsLawStudio
Veritext’s dedicated technology infrastructure as well as Amazon cloud hosting services, the following implementation of the security policy is maintained throughout the Infrastructure Layer. . SSAE-16 compliant data center. Subsystems that are hosted in the Amazon Web Services cloud environment are e
