At Marom Consulting, there is no higher priority than the privacy and security of our customers' data. We believe that protecting the privacy of our customers' data is integral to our mission of earning and maintaining the trust of each of our customers. We, through Marom Tech and its technology platform vendor, utilize the latest, most sophisticated cloud computing infrastructure in the industry. The following outlines some of the major aspects of this infrastructure as they relate to privacy issues.
Over the past several years, numerous laws and frameworks have emerged that govern the handling of personal information, including the following:
- Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
- Financial Modernization Act of 1999 or Gramm-Leach-Bliley Act (GLB)
- Numerous state breach notification laws
Although the requirements of these laws and frameworks vary greatly, some common themes have emerged, such as notice, choice, access, and security:
Notice: What information must be provided to individuals about how their data may be used and who it may be shared with? When must this notice be provided to individuals? In what manner must this notice be provided?
Choice: What choices are individuals offered in terms of what information about them is collected and how such information is used?
Access: Are individuals given the opportunity to access information maintained about them? Can individuals request that their information be amended or deleted?
Security: Are organizations that handle personal information required to protect such information using administrative, technical, and physical safeguards?
Marom Consulting's customers solely determine what data is submitted to the Marom Consulting service as customer data. With respect to such data, Marom Consulting acts as a data processor. In our role as a processor of customer data, Marom Consulting addresses the general privacy principles described above in the following ways:
Notice, Choice & Access: Marom Consulting generally does not have a direct relationship with individuals whose personal data is submitted by customers to the Marom Consulting service as customer data. Marom Consulting does not collect personal information on behalf of our customers, and Marom Consulting does not determine how our customers use such data.
Compliance with the Notice, Choice, and Access principles is based on cooperation between Marom Consulting and our customers. For example, customers are responsible for the accuracy, quality, integrity, reliability, and appropriateness of data submitted to the Marom Consulting service, and customers must comply with applicable laws in using the Marom Consulting service.
Security: Marom Consulting utilizes appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of data our customers submit to the Marom Consulting service as customer data. Marom Consulting's customers are responsible for ensuring the security of their customer data in their use of the service.
Marom Consulting understands that the confidentiality, integrity, and availability of our customers' information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.
Our service is collocated in dedicated spaces at top-tier data centers. These facilities provide carrier-level support, including:
- 24-hour manned security, including foot patrols and perimeter inspections
- Biometric scanning for access
- Dedicated concrete-walled Data Center rooms
- Computing equipment in access-controlled steel cages
- Video surveillance throughout facility and perimeter
- Building engineered for local seismic, storm, and flood risks
- Tracking of asset removal
- Humidity and temperature control
- Redundant (N+1) cooling system
- Underground utility power feed
- Redundant (N+1) CPS/UPS systems
- Redundant power distribution units (PDUs)
- Redundant (N+1) diesel generators with on-site diesel fuel storage
- Concrete vaults for fiber entry
- Redundant internal networks
- Network neutral; connects to all major carriers and located near major Internet hubs
- High bandwidth capacity
- VESDA (very early smoke detection apparatus)
- Dual-alarmed, dual-interlock, multi-zone, pre-action dry pipe water-based fire suppression
- Connection to the Marom Consulting environment is via SSL 3.0/TLS 1.0, using global step-up certificates from Verisign, ensuring that our users have a secure connection from their browsers to our service
- Individual user sessions are identified and re-verified with each transaction, using a unique token created at login
- Perimeter firewalls and edge routers block unused protocols
- Internal firewalls segregate traffic between the application and database tiers
- Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports
- A third-party service provider continuously scans the network externally and alerts on changes in baseline configuration
- Marom Consulting utilizes services that perform real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center
- Data are transmitted across encrypted links
- Disaster recovery tests verify our projected recovery times and the integrity of the customer data
- All data are backed up to tape at each data center, on a rotating schedule of incremental and full backups
- The backups are cloned over secure links to a secure tape archive
- Tapes are not transported offsite and are securely destroyed when retired
Marom Consulting utilizes services that test all code for security vulnerabilities before release and regularly scan our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:
- Application vulnerability threat assessments
- Network vulnerability threat assessments
- Selected penetration testing and code review
- Security control framework review and testing
Our Information Security department monitors notifications from various sources and alerts from internal systems to identify and manage threats.