Managed Technology Solutions—Hosted Litigation Solutions Security White Paper
LexisNexis® is committed to ensuring the confidentiality of customer data and has established standards and procedures regarding the collection, protection, communication and dissemination of that information. LexisNexis takes privacy and security seriously. We understand and accept the responsibilities associated with safeguarding sensitive data. LexisNexis products that use public records and non-public information provide invaluable fraud detection and identity authentication solutions to law enforcement, homeland security, commercial and legal customers that help to safeguard citizens and reduce consumers’ financial losses. This information is restricted to legitimate customers for legally permissible uses, and helps to prevent fraud, reduce the risk of terrorist attacks, and find missing children, among other important applications.
LexisNexis is dedicated to protecting the integrity of your data. LexisNexis® Managed Technology Solutions employs network security, firewall and intrusion detection systems and maintains high-speed Internet and WAN connections, co-location facilities and terabytes of scalable disk storage. We also employ the finest data mirroring and failover technology, as well as multiple layers of physical security. Our procedures and protocols exceed the most rigorous standards. All data is stored using our state-of-the-art architecture with full chain-of-custody tracking.
The LexisNexis Managed Technology Solutions (MTS) Security Policy is based on observed experience, common practices and guidance from ISO 27001/27002, which outlines a framework for information security management. All Company (Reed Elsevier, Global Divisions and Business Units) information has value and must be protected against unauthorized or unintended disclosure, use, modification, destruction and interruption of availability for continuing operations. LexisNexis works with confidential data on a daily basis and has spent considerable time implementing the proper framework to secure this data.
LexisNexis has a wide variety of security policies in place to protect data that is hosted at a LexisNexis facility. Policy examples related to our Hosted Litigation Solutions include but are not limited to:
- Application Development Standards
- Client-Side Security Controls Guidelines, Requirements and Standards
- Computer and Network Security
- Data Destruction Guidelines
- Hardening Guidelines
- Infrastructure Security Architecture: Standards and Technical Requirements
- Network Security Architecture: Standards and Technical Requirements
- Remote Access Standards
- Security Event Log Standards
- Secure File Transfer Guidelines
- Web Services Security Architecture
LexisNexis undergoes a twice-annual security assessment with LexisNexis corporate offices, which is an ISO-17799–based audit, to make sure all services adhere to our own internal policies.
Asset Classification and Control
Accountability for Assets
LexisNexis has a strict asset-control policy to track details of the assets used to provide our service. All asset information is stored in a spreadsheet and contains information relevant to the asset, e.g., software licensing, versions, patch information, hardware model numbers, etc.
Physical media will be received by the LexisNexis data handlers, who will follow chain-of-custody procedures, moving the media rapidly into a limited-access storage/loading room. The media will then be attached to a data-loading workstation, with direct connectivity to the environment, channeled through conduit to the raised floor where the servers and storage reside.
When upload is complete, the media will remain in this room until a return request is provided. We also have a data disposition form that each customer completes when data is deemed to be end of life. This form allows us to return the original data or destroy the physical media once it is loaded into the system. Additionally, all communication channels between the client browser and the server are encrypted, meaning there is no clear-text communication across the Internet to the client desktop.
Physical and Environmental Security
There are numerous security access levels based on job function. The LexisNexis hosting facility generally contains the following physical security:
- Swipe access with PIN code required to enter main doors to the data center
- Man-trap revolving door to enter off the lobby
- Data Center Security Control is staffed 24/7/365
- Closed Circuit TV—some with pan/tilt/zoom. Cameras are recorded for a minimum of 30 days.
- Access is electronically logged for all door openings and closings.
- Escorts are provided for all hosting clients requiring access to secured areas. Clients are signed in and escorted to their space by Systems Operations. If in a caged area, a phone call is made to Systems Operations when ready to be escorted out of the facility. If your area does not have a cage you will require a full escort at all times.
- Facility and parking lot are fully enclosed by a security fencing system
Our Dayton-based products have been SAS70-audited. LexisNexis has been regularly audited by well-known and nationally recognized information security firms. We have obtained SysTrust certifications for our infrastructure that includes the lexis.com® product. A copy of the certification can be found at: https://cert.webtrust.org/reed
LexisNexis is also a PCI level 4 merchant, which means that Hosted systems are required to be vulnerability scanned on a quarterly basis by a PCI-compliant third-party organization that specializes in PCI vulnerability assessment standards. Critical vulnerabilities must be resolved in a timely manner to comply with the PCI regulations. Internal network scanning for vulnerability remediation is done on a monthly basis to ensure compliance with the latest security patch updates and deployments from vendors.
In Q1 of 2011, all MTS-hosted products and platforms were part of the LexisNexis SAS70 audit. The MTS products will also be subject to any company-wide vulnerability and penetration scanning that is performed for our other customer-facing products.
Firewall technology protects the Hosted Litigation Solutions network and data. Twin HA (High Availability) firewalls, on hardened security appliances, protect the Internet-facing systems. If one firewall were ever to fail, the other firewall would statefully pick up all new and existing connections without a service interruption. Both firewalls have anti-DoS (Denial of Service) capabilities that will stop certain attacks that could possibly interrupt service. Attacks such as spoofing and SYN-flood attacks will be mitigated by the existing set of HA firewalls.
The only ports allowed for ingress (inbound) Internet traffic to the client systems are HTTP (Web) and HTTPS (SSL). Egress (outbound) traffic, initiated from the client network, is dropped and logged by both firewalls and the IDS (Intrusion Detection Sensor) that monitors the client network. Alerts are sent automatically to the Concordance® Hosted FYI™ security staff when egress traffic is logged by those sensors.
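The ingress/egress rule just described can be checked against firewall log output. The following is an added example (not LexisNexis code and not taken from the white paper): it parses a few constructed syslog-style firewall lines, labels each event against the stated policy (only HTTP and HTTPS inbound to the client network; any connection initiated from the client network outbound is an alert), and separately reports any event the firewall allowed that the policy says it must not. The client network address, the key=value log format and the host names are assumptions for the sake of the example; a real appliance will have its own format.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed values for the example (not from the white paper): the hosted
# client VLAN, and the only inbound services the policy permits to it.
CLIENT_NET = ip_network("10.20.30.0/24")
ALLOWED_INGRESS_PORTS = {80, 443}  # HTTP and HTTPS only

# Constructed syslog-style lines in a simple key=value layout.  The last two
# lines are egress attempts from the client network, which the policy says
# must be dropped, logged and alerted on.
SAMPLE_LOG = """\
2011-03-01T10:00:01Z fw1 action=allow proto=tcp src=203.0.113.5 sport=51234 dst=10.20.30.10 dport=443
2011-03-01T10:00:02Z fw1 action=allow proto=tcp src=203.0.113.5 sport=51235 dst=10.20.30.10 dport=80
2011-03-01T10:00:03Z fw2 action=deny proto=tcp src=203.0.113.9 sport=40000 dst=10.20.30.10 dport=22
2011-03-01T10:00:04Z fw1 action=deny proto=tcp src=10.20.30.10 sport=49152 dst=198.51.100.7 dport=443
2011-03-01T10:00:05Z fw2 action=deny proto=udp src=10.20.30.11 sport=53000 dst=198.51.100.53 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict with typed fields; reject anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable firewall line: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": d["host"],
        "action": d["action"],
        "proto": d["proto"],
        "src": ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def classify(event):
    """Label an event relative to the client network and the permitted services."""
    src_inside = event["src"] in CLIENT_NET
    dst_inside = event["dst"] in CLIENT_NET
    if src_inside and not dst_inside:
        return "egress_from_client"        # never legitimate under this policy
    if not src_inside and dst_inside:
        if event["dport"] in ALLOWED_INGRESS_PORTS:
            return "ingress_allowed_service"
        return "ingress_other"             # anything but 80/443 must be denied
    return "other"


def audit(log_text):
    """Return (alerts, violations) for a block of log lines.

    alerts: one text line per egress attempt from the client network, the
            condition the text says pages the security staff.
    violations: events the firewall ALLOWED even though the policy forbids
            them (an allowed egress, or an allowed inbound port other than
            80/443), i.e. evidence the rule base drifted from the policy.
    """
    alerts, violations = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = classify(ev)
        if kind == "egress_from_client":
            alerts.append(
                f"{ev['ts'].isoformat()} {ev['host']}: egress {ev['src']}:{ev['sport']} "
                f"-> {ev['dst']}:{ev['dport']}/{ev['proto']} ({ev['action']})"
            )
            if ev["action"] == "allow":
                violations.append(ev)
        elif kind == "ingress_other" and ev["action"] == "allow":
            violations.append(ev)
    return alerts, violations


if __name__ == "__main__":
    found_alerts, found_violations = audit(SAMPLE_LOG)
    for a in found_alerts:
        print("ALERT", a)
    print(f"{len(found_violations)} policy violation(s) found")
```

On the constructed sample the two egress lines produce alerts and no violations, because the firewall dropped them as the policy requires; feeding the same function a line in which an egress or a non-80/443 inbound connection was allowed reports it as a violation, which is the case a rule-base review is looking for.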
All network devices are monitored on a 24/7/365 basis. LexisNexis manages thousands of network nodes both internally and for our customers. Our NOC provides quick fault detection with advanced polling (three-minute increments) and event correlation. Our master system gathers data from multiple tools and correlates events, reducing false positives. Initial email auto-notifications are sent in near real time for network device outages, with hourly email updates provided for incident support.
Each LexisNexis Hosted Litigation Solutions customer has their own virtual LAN (VLAN), allowing only required traffic in and out and granting no access to other customer traffic. Internal firewalls separate the hosted litigation environment(s) from the LexisNexis internal environment. These are credentialed and tied to source IP. For storage, CIFS and NFS are also tied to VLAN, so no one customer can access another customer’s data. For the shared multi-tenant LexisNexis Hosted Litigation Solutions environment, we use ESX 4.1, leveraging the VLANs provisioned as needed, as well as Cisco® VSANs for storage segregation.
On the NetApp® storage arrays, we use MultiStore Vfilers, further carving off what is accessible to whom. The VFilers are joined to the specific customer’s AD domain, have their own IPs, and are inaccessible from the root filer, or vfiler0. LUNS, both iSCSI and FC, are segregated by both VSANs and zones within those VSANs.
SSL VPN Access
Secure administrative access for customer environments is accomplished using an SSL VPN appliance. Two-factor authentication can be utilized for accounts, and split tunneling is disabled. Once a customer member is logged into the VPN, they are granted access only to the systems and networks defined in the VPN profile for that user.
LexisNexis provides an enterprise-class storage solution as a service at the Springfield, Ohio, and Miamisburg, Ohio, facilities. The storage solution provides primary data storage capacity, secured on-site data backups for retention and restore, off-site data replication via a privately owned network circuit, and off-site data retention and backups.
- The storage solution consists of a NetApp FAS6080HA clustered storage array at the primary site and an identical clustered NetApp FAS6080HA at the secondary facility. The primary FAS6080HA is configured with as-needed usable storage capacity, with the ability to add more. The disks are configured using NetApp’s proprietary double-parity RAID-DP technology, which is an equivalent of RAID 6.
- The DR and backup failover copy of the data in the secondary data center ensures high redundancy, disaster recovery and data protection.
- Both storage systems have identical configurations for CIFS shares and Fibre Channel LUNs, ensuring maximum redundancy.
From data collection through the process of culling, processing, review and production, proper chain-of-custody tracking is maintained by our litigation support services team and network and data specialists. We employ a variety of tools to maintain reports and tracking of data. Upon receipt, data is tracked, inventoried and catalogued in a secure environment.
The data is then transferred to our services with analysis confirming the accuracy of data transfer. Original media is maintained and remains pristine unless otherwise instructed by the client. Throughout the process of data handling, each step taken with respect to the data is tracked and recorded with extensive quality control. This method applies throughout the course of the project and through the end of the engagement and data disposition.
All communication channels between client browser and server are encrypted, meaning there is no clear-text communication across the Internet to the client desktop. Robust user security ensures that your confidential information stays protected. The application authenticates logins via LDAP over SSL. In addition, 128-bit single-use private-key encryption delivers high-speed session-level security. Our storage devices and data-handling process can perform data scrubbing of sensitive data in support of DOD 5220.
LexisNexis offers a high-speed data transfer option for large volumes of data. This option is immune to network latency, resulting in consistent transfer rates regardless of customer location. The transfer is secured via AES256 encryption and a built-in client certificate. To ensure customer data privacy, each customer has their own isolated server and back-end storage.
The majority of hardware in our Hosted environment is virtualized on VMware ESX 4.x. The server OS is Windows 2003 and Windows 2008, with HP DL385/585 servers as the hardware platform.
Vendor security patches and updates are tested before deployment, except for highly critical patches (e.g., a worm in the wild), which are deployed within a 24-hour period. Our patch schedule coincides with the Microsoft® patch release dates.
All systems contain the McAfee® Enterprise suite of products which receive daily updated signature files for antivirus, anti-malware, spyware, etc. Additionally, all inbound access is via a Blue Coat® Proxy security appliance that provides file blocking, URL filtering and AV and malicious mobile-code scanning for all Web browsing.
Local snapshot and remote mirroring capabilities allow LexisNexis to provide very fast file restoration and disaster recovery using the minimum bandwidth between storage arrays. Data is backed up to disk via snapshot: snapshots occur every hour for the first 24 hours, then daily for 30 days. These snapshots are replicated to another storage array in a different LexisNexis data center where they are available for failover use. The snapshots can be kept longer if required, but after 30 days, the oldest snapshot backup is overwritten.
Password usage is audited daily; all account events are sent via syslog to a Security Information Management (SIM) appliance where the logs are correlated and stored.
Mechanisms are implemented to record all access events on firewalls protecting confidential and proprietary company information or data critical to the operation of the computing environment, network and product. Access events are recorded in files and stored on computer disk or tape media. All computer audit files are stringently protected.
All firewall logs must have their times synchronized to a common internal source to aid in forensic analysis and log review. All audit logs are reviewed periodically. Logs from firewalls and IDS/IPS sensors that protect high-loss-impact data or perform security functions must either be set up to generate alerts to system personnel in the case of critical audit events or be reviewed daily. All logs from critical servers or services are retained for at least one month online and three months offline.
Network logs are audited daily; all events are sent via syslog to a SIM appliance where the logs are correlated and stored. A copy of the raw data is also stored on a separate system, with a retention time of six months on the server and backups being kept another six months. An audit report can be produced as per client request.
Communications and Operations Management
Our incident/change management and service delivery program is based on service level agreements founded on the ITIL principles.
To effectively support a customer’s ongoing changes without adversely impacting service levels, it is important that we meet on a regular basis to communicate and plan for future enhancements and changes. LexisNexis will provide ongoing change management for the customer, which includes documenting and publishing a calendar of upcoming changes.
All services provided by LexisNexis are in accordance with the Concept of Operations (COO) document. This document describes guiding principles and best practices that dictate how LexisNexis interacts with its customers in order to provide support for the services described per the terms of its customer agreements.
Logical access controls exist at the storage, network (LAN, WAN, SAN), OS (AD), database and application levels. Every customer has a dedicated domain and virtual LAN (VLAN). System usage is restricted and enforced by the use of ACLs, firewall rules, IP address restrictions, and username/password.
User Access Management
All client accounts and passwords are managed via Active Directory. Active Directory security groups are used for each case database. Each client has their own set of accounts issued by the LexisNexis Hosted Litigation Solutions account specialist. Password usage is audited daily; all account events are sent via syslog to a SIM appliance where the logs are correlated and stored.
Account and user IDs must only be created as part of a manual or automated process where the appropriate authorization is received and recorded. The granting of additional rights to a user account should also be governed by a similar process. The principle of “least privilege” applies.
When access is no longer required, accounts that enable access to the entire network must be disabled promptly; all other accounts should be disabled within a reasonable period of time (based on risk).
Accounts and user IDs should be deactivated if they are inactive for more than 60 days and must be deactivated if they are inactive for more than 90 days. Where feasible, a process should be established to interface account and user ID management with Human Resources systems to facilitate the addition, change or deletion of access in a timely manner.
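The 60-day "should" and 90-day "must" thresholds are the kind of rule that is best applied by a scheduled review rather than by hand. The following is an added example, not LexisNexis code and not taken from the white paper, that buckets a directory export by inactivity. The account records are constructed; in an Active Directory environment the same fields would come from an export of each account's name, enabled flag, last-logon date and creation date (the field names used here are assumptions). Two edge cases the policy text does not spell out are handled explicitly and labelled as assumptions: accounts that have never logged on are measured from their creation date, and accounts that are already disabled are skipped rather than re-counted.

```python
from datetime import datetime

# Thresholds from the policy text.
SHOULD_DEACTIVATE_DAYS = 60   # "should be deactivated"
MUST_DEACTIVATE_DAYS = 90     # "must be deactivated"

# Constructed sample export (not real accounts or data).  Field names are
# assumptions; map them from your directory export as appropriate.
SAMPLE_ACCOUNTS = [
    {"sam": "alice", "enabled": True,  "created": datetime(2010, 1, 5),   "last_logon": datetime(2011, 2, 20)},
    {"sam": "bob",   "enabled": True,  "created": datetime(2010, 1, 5),   "last_logon": datetime(2010, 12, 20)},
    {"sam": "carol", "enabled": True,  "created": datetime(2010, 1, 5),   "last_logon": datetime(2010, 11, 1)},
    {"sam": "dave",  "enabled": True,  "created": datetime(2010, 10, 1),  "last_logon": None},   # never logged on
    {"sam": "erin",  "enabled": False, "created": datetime(2009, 6, 1),   "last_logon": datetime(2010, 1, 1)},
    {"sam": "frank", "enabled": True,  "created": datetime(2011, 2, 25),  "last_logon": None},   # new, never logged on
]


def inactive_days(account, now):
    """Whole days since the account was last used.

    Assumption: an account that has never logged on is measured from its
    creation date, so a provisioned-but-unused account still ages out.
    """
    reference = account["last_logon"] or account["created"]
    return (now - reference).days


def review_accounts(accounts, now):
    """Bucket enabled accounts by the 60/90-day inactivity thresholds.

    Returns a dict of account names:
      'must'    - inactive more than 90 days: deactivate now
      'should'  - inactive more than 60 days: queue for owner confirmation
      'ok'      - within policy
      'skipped' - already disabled (assumption: not re-evaluated here)
    """
    buckets = {"must": [], "should": [], "ok": [], "skipped": []}
    for acct in accounts:
        if not acct["enabled"]:
            buckets["skipped"].append(acct["sam"])
            continue
        days = inactive_days(acct, now)
        if days > MUST_DEACTIVATE_DAYS:
            buckets["must"].append(acct["sam"])
        elif days > SHOULD_DEACTIVATE_DAYS:
            buckets["should"].append(acct["sam"])
        else:
            buckets["ok"].append(acct["sam"])
    return buckets


if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, datetime(2011, 3, 1))  # constructed review date
    for bucket, names in result.items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```

The "should" bucket is deliberately kept separate from "must": the policy wording leaves room for an owner to confirm a 60-to-90-day account is still needed, while anything past 90 days is a hard deactivation with no such step.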
Administrative, root or database admin user IDs/accounts are stringently controlled and limited to only those individuals with a job-related need.
All default administrative, root or database user IDs/accounts are disabled where feasible and individual users should be directly assigned these privileges.
When admin access is required for Windows servers, the admin users are assigned individual admin accounts and do not use the default admin account provided by the operating system.
Any administrative generic and/or shared user IDs/accounts necessary for support (or service accounts) must be stringently controlled, and the passwords for these user IDs/accounts must be changed periodically where feasible, or at least annually.
Privileged User Access
The Password policy for privileged user access follows the same policy as used for employees, alliances, suppliers and contingent workers.
Service accounts are by their nature not used by a single individual. This, however, leaves them exposed to abuse, since actions originating from a service account may not be traceable to an individual. Additionally, they can become orphaned, so that nobody in the organization is responsible for or managing the service account. Service account passwords should be changed as follows:
- Whenever anyone who knows the password leaves the organization
- Whenever the individuals who should know the password change (for example when a service moves from commissioning to support)
- If at any time an incident is detected when a non-authorized person knows the service account password.
- At least annually or every 90 days where practical.
Additionally, existing service accounts should be reviewed at least annually by the owner and someone with IT Security responsibility. This review covers the following areas:
- The account is still required and has the same scope.
- The account still has appropriate permissions assigned to it.
- Any security restrictions on the account are still in place and cannot be tightened further.
Systems Development and Maintenance
Currently, Test/QA/Development data is logically isolated from production data by use of VLANs. In the near future, a completely isolated storage array will be built in a different data center solely for the purpose of QA/Test/Pilots. It is the customer’s decision as to which data sets are used in test/development environments. We do not utilize client-specific data in our testing and development environments; we utilize public data published on www.edrm.net. The data sets are Enron public email and native file stores used by the litigation support industry for gathering metrics and application performance.
Business Continuity Management
RTO is in the range of six hours. The storage solution provides 30 days of delta snapshots to local disk and full replication of production (active and non-active) data to a secondary data center. LexisNexis will keep a 20 percent storage buffer for quick provisioning of storage to accommodate new cases.
The hourly and daily snapshots are replicated to another storage array in our Miamisburg, Ohio, data center where they are available for failover use. Availability is derived from a combination of various availability components, including network, Internet, servers and application availability.
This document is for educational purposes only and does not guarantee the functionality or features of LexisNexis products identified. LexisNexis does not warrant this document is complete or error-free. If written by a third party, the opinions may not represent the opinions of LexisNexis.