One View’s Security & Compliance Protocols
Data security is the heart of what we do at One View. That’s why we don’t just plan on meeting the minimum standards for compliance and regulation; we promise to uphold a higher standard and provide the very best security possible. We designed our Vault platform with security in mind, and we value our responsibility as a third-party data center to put our customers’ minds at ease.
One View Security Features
- AES and RSA 256-bit encryption for data at rest and in transit
- Robust user administration security controls
- Required complex password and email authentication
- IP locking and/or IPsec tunnel connection with siloed customer data
- Vault Data Center – SOC 2 Certification
- One View, Inc – SOC 2 Certification (assessed in 2019)
- High Trust Certification – Underway
SOC 2 Certification
The SOC 2 certification is a voluntary compliance certification, developed by the American Institute of CPAs (AICPA), which provides strict guidelines on how service companies manage their customers’ data. All One View customer data is stored within redundant, SOC 2 certified, modern data centers. All data that is sent to One View through our encrypted transmission methods is analyzed by an enterprise-grade anti-virus solution prior to being imported and accessed. Our databases are backed up on a daily, weekly, monthly, and yearly basis to ensure data integrity is protected. One View regularly reviews all policies, practices, and solutions as the company proactively monitors the security of customer assets.
HITRUST certification is only available for the most secure data centers. HITRUST is an authoritative body that establishes high-end security practices and regulations, which are combined into a rigorous framework. In the event of a data breach or security lapse, sites that are HITRUST certified have taken as many precautionary steps as possible to uphold compliance and secure an environment for sensitive information. One View is currently undergoing the additional voluntary step of obtaining this certification, strictly to ensure we are doing everything to meet the most current security guidelines.
What is the GLBA?
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, protects customers’ financial information, which is often shared with other affiliates and partners during the course of business. GLBA requires companies acting as “financial institutions” to uphold an outlined set of security standards. The provisions of the law limit when a company acting as a financial institution may disclose a consumer’s nonpublic personal information (NPI) to nonaffiliated third parties. Generally stated, the rule requires auto dealers to “develop, implement and maintain a [written] comprehensive information security program” that “contains administrative, technical and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities and the sensitivity of any customer information at issue.” In other words: write a plan explaining how you will protect the consumer data on your systems.
Who does it affect?
The Gramm-Leach-Bliley Act (GLBA) directly impacts auto dealers because they are considered “financial institutions” by virtue of offering financing agreements.
What are the new requirements for automotive dealers to comply with GLBA and what is One View doing to expand upon those requirements?
Requirement: Dealers must designate a “Qualified Individual”/ Compliance Officer for the information security program.
Our Response: We work directly with the dealership’s compliance officer to aid them in passing their certification audits.
Requirement: Utilize resources with multi-factor authentication.
Our Response: One View Vault is currently implementing a multi-factor authentication process, and this feature will be live before the December 9th GLBA deadline.
Requirement: Access controls for all consumer information.
Our Response: We provide comprehensive Role-Based Access Control (RBAC) coupled with rule-based access controls that ensure only the people you trust can access customer data.
Requirement: Comply with the principle of least privilege.
Our Response: At One View, employees are granted permission only to the data and resources necessary to perform their jobs. We conduct regular privilege audits to combat privilege creep and keep a comprehensive trace of individual actions.
Requirement: Undergo penetration testing and vulnerability assessment.
Our Response: One View performs comprehensive penetration assessments each year, in addition to utilizing top-level firewall technology to prevent external access.
Requirement: Establish and maintain a written incident response plan.
Our Response: We have compiled a detailed incident response plan as part of our 2019 SOC 2 certification.
Our Spooler operates under 256-bit RSA encryption.
We utilize Hypertext Transfer Protocol Secure (HTTPS), the secure version of HTTP. HTTPS traffic is encrypted to increase the security of data transfer.
Storage and Retrieval
We have advanced security controls that are customizable to individual users. One View Vault requires complex passwords as well as the use of an email authentication method to legitimize user accounts.
IP & VPN Tunnel-To-Tunnel
We want to provide an option for every dealer that meets their level of security comfort. We understand that dealerships have different levels of internal IT, and we can accommodate different security measures. For example, we offer IP locking. IP locking restricts access to a single IP address or a range of IP addresses, which means that the Vault platform is only reachable from those designated IP subnets.
For the most advanced security, we can configure an IPsec tunnel-to-tunnel VPN connection, creating a custom one-to-one VPN portal for secure access. These restrictions can limit access to the dealership alone, using the dealership’s own firewalls to offer the most secure connection.
If you would like to remove dealership documents after a certain time period, we can set up a retention process to remove the documents as designated. The benefit of this process is that it limits the scope of available documents to only what is necessary.
Internal Process and Procedures (SOC 2)
We utilize the most up-to-date versions of firewalls, remote access tools, and virtual machines in order to methodically limit the amount of internal access to customers’ financial data. We are careful and particular about how we do business.
We offer fully customizable Vault access parameters to our customers. Here are a few of our more popular choices:
- Built-in time restrictions limit the time of day the documents can be accessed (i.e., working hours).
- Strict limits on the duration of an active session (“session timeouts”) prevent continual access for long extended periods of time.
- IP access can be adjusted to allow or block specific IP addresses.
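As an added illustration of how the IP locking described above and the time-of-day and session-timeout controls listed here fit together, the following Python policy check is example code, not One View’s implementation; the address ranges, working-hours window and 30-minute session limit are constructed assumptions.

```python
# Added example (not One View's code): a deny-by-default access check that
# combines IP locking (single hosts or CIDR ranges), a working-hours window
# and a maximum session duration. All values below are constructed.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Tuple
import ipaddress


@dataclass
class AccessPolicy:
    allowed_networks: List[str]            # e.g. "203.0.113.10" or "198.51.100.0/24"
    hours_start: time = time(8, 0)         # inclusive start of permitted window
    hours_end: time = time(18, 0)          # exclusive end of permitted window
    max_session: timedelta = timedelta(minutes=30)

    def networks(self):
        # strict=False accepts host bits set, so a bare host becomes a /32 (or /128)
        return [ipaddress.ip_network(n, strict=False) for n in self.allowed_networks]


def evaluate(policy: AccessPolicy, client_ip: str, now: datetime,
             session_started: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every control must pass; anything else is denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    # An address of the wrong IP version is simply 'not in' an IPv4 network.
    if not any(addr in net for net in policy.networks()):
        return False, "ip not in allowlist"
    if not (policy.hours_start <= now.time() < policy.hours_end):
        return False, "outside permitted hours"
    if now - session_started > policy.max_session:
        return False, "session expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses, a weekday morning.
    policy = AccessPolicy(["203.0.113.10", "198.51.100.0/24"])
    now = datetime(2024, 1, 15, 10, 0)
    for ip, started in [("198.51.100.77", now - timedelta(minutes=5)),
                        ("203.0.113.11", now - timedelta(minutes=5)),
                        ("203.0.113.10", now - timedelta(minutes=45))]:
        print(ip, evaluate(policy, ip, now, started))
```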
Principle of Least Privilege
- We restrict our internal employees’ access so that only designated employees can reach documents.
- The Vault security controls are customizable, so you can make sure only the people who need access to the documents have it when needed, and that everyone else does not have unnecessary access.