All client data is encrypted at rest and in transit using 2048-bit RSA keys. The generation, storage and handling of these keys follow the requirements in the security Org Documents listed below. All VST cloud services and servers are 100% located in the United States and access is limited to accredited users only.
VST - Victim Services Tracking
VST-services - Cloud-based software applications
Login-credentials - A unique username and password assigned to a VST-user
VST-user - An individual that has login-credentials and is authorized to use VST-services
VST-client - The individual and/or organization responsible for the VST membership and administration
VST-client-data - All information/data submitted by the VST-client to VST-services
NIST - https://www.nist.gov/
CJIS - https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
HIPAA - https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
FIPS 140-2 - https://csrc.nist.gov/publications/detail/fips/140/2/final
FIPS 200 - https://csrc.nist.gov/publications/detail/fips/200/final
What are VST-services and the cloud?
VST-services are cloud-based applications that assist the VST-client in managing case work and government grants. The only system requirement is a modern browser, such as Google Chrome, Microsoft Edge, Mozilla Firefox, or Safari. In this context, the cloud is a secure off-premises server/computer located in the United States that is designated to process and store client-data.
How does the login/authentication work?
Access to VST-services uses a standard user login and password over the HTTPS protocol. Simply go to agencyservicestracking.com and provide your login-credentials, normally an email and password. VST-services uses the RBAC (role-based access control) model so that VST-clients can control who has access to what. VST-client Administrators can set the permission levels for each advocate, granting or revoking access to the various VST-services. After a successful login, a time-sensitive access key is granted to the browser and used to make authenticated requests to a VST-service.
Your data is your data!
All VST-client-data belongs to the VST-client. VST does not share or analyze VST-client-data without explicit consent from the VST-client. Only specific VST employees are authorized to access and maintain VST-client-servers. The VST-client has full authority over the VST-client-data and can decide what happens to it in terms of removal, storage and transmission at any time for any reason.
Who has access?
VST never accesses client-data unless a VST-client explicitly requests it. Only specific VST personnel are authorized to access client-data for the purposes of maintenance and upgrades only. VST-client administrators are authorized to access the data at any time and the VST-client advocates can access the data according to their respective roles assigned by the administrator.
Where are your data and data backups?
All VST-client-data is stored in the United States on FIPS-compliant servers. The data is encrypted in transit and at rest. Backups are made daily and are also stored on FIPS-compliant servers in the United States. Each VST-client’s data is isolated from other VST-clients. The granularity of the isolation depends on the membership of the VST-client. Standard memberships house all data on the same server but in different databases.
Personally Identifiable Information (PII)
The information stored in VST databases includes, but is not limited to, victim contact information and the nature of their victimization. Identification numbers can be associated with victims as opposed to names and/or addresses to meet compliance requirements. When grant reports are generated, the statistics are completely anonymized and do not associate PII or location data in the reports.
What happens if a breach occurs, a vulnerability is found, or if a natural disaster occurs?
These are the steps VST will take once a breach or vulnerability has been discovered. The execution of these steps depends on the severity of the issue and will be performed in a timely manner from the date of discovery.
- Disable and reset all login-credentials of affected accounts
- Develop a plan-of-action based on the severity of the issue; this includes fixing the vulnerability and enabling data recovery if necessary
- Notify the affected VST-clients
- Notify law enforcement if necessary
- Implement the plan-of-action
VST Training and Service Schedule
VST performs scheduled maintenance and employee training. The table below outlines a current view of what processes are performed and when they are scheduled. All upgrades and maintenance routines are performed after the close of business (in the Mountain Time zone) in order to prevent or minimize downtime for VST-clients.