GDR Security Overview
GDR is committed to protecting the data entrusted to it by its Clients. Much of the data GDR receives, stores, and transmits is information deemed confidential under federal and/or state regulations. In addition, industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS) require GDR to protect confidential data, in particular cardholder data. GDR is committed to meeting both the regulatory and the industry requirements for protecting confidential data.
GDR has documented this commitment in a detailed and extensive set of policy statements. These policy statements define the business rules GDR follows to meet federal, state, and industry requirements for protecting confidential data. The following is a sampling of the security practices in place as a result of that commitment.
1) Physical Security. GDR's network is housed in a data center that meets or exceeds payment card industry standards for physical security.
2) Employee Background Checks. All GDR employees undergo extensive background checks that include employment verification, education verification, reference verification, credit checks, and drug screening.
3) User Authentication. Data is accessible only to fully authenticated and authorized users. GDR uses multiple authentication schemes, including third parties where appropriate, to verify the identity of users during enrollment. Access to confidential data is granted only after the user has authenticated with multiple factors.
4) Logical Data Segregation. All account data is logically segregated at the portfolio level. A user can access only those portfolios and GDR-generated reports for which the user is the registered owner of the account or portfolio, or for which the registered owner has authorized access.
5) No Direct Access to Data. Once data has been submitted to GDR, no party other than GDR has direct access to it. When a request for confidential data is submitted, GDR retrieves the data and places it in a repository dedicated to that Client, where the requesting user picks it up.
6) Encryption. Strong encryption schemes are used extensively to protect data at rest and data in transit.
7) Structured Change Control. A structured change management program ensures that only authorized changes are made to systems that handle confidential data.
8) Extensive Real-Time Performance and Security Monitoring. Network monitoring tools continuously benchmark mission-critical devices against expected performance norms. Security monitoring and intrusion detection controls (network firewalls, application firewalls, host- and network-based intrusion detection systems, and log monitoring) continuously watch for security events, and all of this is overseen by a fully staffed network operations center 24 hours a day, 365 days a year.
9) Internal Verification of Security Functions. GDR regularly tests its security practices to confirm they remain in line with its own security policies. This validation extends to GDR's vendors and to GDR's data trading partners.
10) External Verification of Security Functions. Third parties regularly verify the controls GDR uses to secure data. This includes daily third-party vulnerability scanning, annual third-party penetration testing, and an annual third-party audit/assessment of security policies and practices.
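Item 4 above describes an ownership-based access rule rather than a specific implementation. The following is an added illustration of how such a rule is typically enforced in application code; it is not GDR's code, and the portfolio identifiers, user names, and report-to-portfolio mappings are constructed sample data. Every read, whether of a portfolio or of a report generated from one, is resolved to the owning portfolio and checked against its registered owner and the delegates that owner has authorized. Access is denied by default, unknown and forbidden identifiers fail identically, and delegates may read but may not grant access to others.

```python
"""Portfolio-level authorization check, modelled on the access rule in item 4.

Added illustration only, not GDR's code. All identifiers, users and report
mappings below are constructed sample data.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised for any portfolio the caller may not see, including ones that do not exist."""


@dataclass
class Portfolio:
    portfolio_id: str
    owner: str                                   # registered owner of the account/portfolio
    delegates: set = field(default_factory=set)  # users the registered owner has authorized


class PortfolioStore:
    """Single authoritative access check for portfolios and the reports derived from them."""

    def __init__(self, portfolios, reports):
        self._portfolios = {p.portfolio_id: p for p in portfolios}
        # report_id -> portfolio_id; a report is only as visible as its portfolio
        self._reports = dict(reports)

    def _authorize(self, user, portfolio_id):
        p = self._portfolios.get(portfolio_id)
        # Missing and forbidden ids fail the same way, so a caller holding a valid
        # session cannot probe which portfolio ids exist.
        if p is None or (user != p.owner and user not in p.delegates):
            raise AccessDenied(portfolio_id)
        return p

    def can_access(self, user, portfolio_id):
        try:
            self._authorize(user, portfolio_id)
            return True
        except AccessDenied:
            return False

    def read_portfolio(self, user, portfolio_id):
        p = self._authorize(user, portfolio_id)
        return {"portfolio_id": p.portfolio_id, "owner": p.owner}

    def read_report(self, user, report_id):
        # Resolve the report to its portfolio first: the check is always made against
        # the portfolio, never against the report id the client supplied.
        portfolio_id = self._reports.get(report_id)
        if portfolio_id is None:
            raise AccessDenied(report_id)
        self._authorize(user, portfolio_id)
        return {"report_id": report_id, "portfolio_id": portfolio_id}

    def grant(self, actor, portfolio_id, grantee):
        p = self._authorize(actor, portfolio_id)
        if actor != p.owner:  # delegates may read but may not re-delegate
            raise AccessDenied(portfolio_id)
        p.delegates.add(grantee)

    def revoke(self, actor, portfolio_id, grantee):
        p = self._authorize(actor, portfolio_id)
        if actor != p.owner:
            raise AccessDenied(portfolio_id)
        p.delegates.discard(grantee)


def build_sample_store():
    """Constructed sample data: hypothetical ids and users, not real accounts."""
    portfolios = [
        Portfolio("PF-1001", owner="alice"),
        Portfolio("PF-2002", owner="bob", delegates={"carol"}),
    ]
    reports = {"RPT-1": "PF-1001", "RPT-2": "PF-2002"}
    return PortfolioStore(portfolios, reports)


def demo():
    store = build_sample_store()
    results = {
        "owner_reads_own": store.can_access("alice", "PF-1001"),
        "delegate_reads": store.can_access("carol", "PF-2002"),
        "stranger_blocked": store.can_access("alice", "PF-2002"),
        "unknown_blocked": store.can_access("alice", "PF-9999"),
    }
    # A delegate cannot extend access to others; only the registered owner can.
    try:
        store.grant("carol", "PF-2002", "dave")
        results["delegate_can_grant"] = True
    except AccessDenied:
        results["delegate_can_grant"] = False
    store.grant("bob", "PF-2002", "dave")
    results["owner_granted_dave"] = store.can_access("dave", "PF-2002")
    store.revoke("bob", "PF-2002", "dave")
    results["revoked_dave"] = store.can_access("dave", "PF-2002")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of routing every request through one `_authorize` call is that a valid login is never sufficient on its own: the check is made per object, against the portfolio's registered owner and explicit grants, and a report inherits its portfolio's access list rather than being authorized by its own identifier.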
These are but a few of the security measures in place to protect the confidential data entrusted to GDR.
