This document exists to provide a publicly distributed summary of key elements of our efforts to maintain cybersecurity and continue safe business operations.  It is intended to provide partners and clients with general information about our security protocols as well as specify where further information may be available.  In some cases, the firm may choose to share more than our public summary documents with partners under a non-disclosure agreement.

Risk Assessment

The policies and procedures detailed in this document are intended to mitigate risks identified by management assigned to identify risks in their assigned areas, bring those to the attention of the risk assessment group, and engage in periodic comprehensive reviews of general risk posed to the firm and its clients.  This management group works in conjunction with third party advisors to determine appropriate solutions and audit their efficacy.  All products, services, and operational units of the firm are considered in this risk assessment and mitigation process.

General Policies and Procedures

Advisors Assistant maintains security procedures within its primary employee manual as well as within various department-specific documents.  In particular, these require secure behavior from all employees and specify how management will monitor and address related activities.  This behavior includes handling of data, response to request from clients or third parties, use of firm equipment and software, as well as requirements for ongoing education.  Our manual specifies that violation of security protocol carries penalties up to and including termination.

We sharply limit our own employees access to private information and vital secure systems, only allowing permissions for those who need regular access.  These permissions are regularly reviewed by senior management.

We have developed a proprietary process for reviewing, testing, and approving product releases and changes to our production environments.  Given the longevity of our firm, we developed our product release process prior to the availability of common industry-wide methods and it does not conform to one particular method.  From a simple development standpoint, we use a fairly standard implementation of Agile methods.

Employee Background Checks

All employees are subject on hire and periodically thereafter to background checks provided by a third-party vendor.  These checks are used to determine if a potential or current employee has engaged in activity that would contravene the spirit of our security and ethical policies.  Review of these background checks is always performed by senior management.

Ongoing Training

The firm provides training regarding security protocols and appropriate behavior.  This occurs both on hire and ongoing at least annually.  New security concerns are addressed directly to each and every employee in department meetings.  Discussion of new software, hardware, products, and procedures always includes a specific section on security issues.  These cumulative changes are added to the annual training as well as core procedural material.

Unique User IDs

Our firm requires that all users have unique IDs to all software and systems used in development, support, and production.  All access credentials are issues through our centralized DevOps team, recorded in a centralized repository, and subject to both scheduled and unplanned audit by management.  Additionally, we use tools to enforce quality of passwords and other authentication factors assigned to users or reset by those users.

Intrusion Response Plan

We maintain both detailed and public summary plans for intrusion detection, classification, and response.  The public summary document is both made available to inquirers and kept in physical form by key members of the response team.  Our Intrusion Response plan involves both internal procedures and close cooperation with multiple third-party vendors tasks to assist with detection and mitigation.  This plan is updated at least annually.

Business Continuity & Disaster Recovery Plan

We have a documented plan to maintain operation of the firm and our business structure is designed to survive and adjust to a wide variety of disaster scenarios.  Both Continuity and the operational aspects of response to disaster are detailed in a single document.  The full plan is considered sensitive as it contains private information about key staff and our operations, so we do not share it publicly.

The core of our disaster response plan involves leveraging remote staff.  As a regular practice, we maintain core functionality via remote staff outside of our home office in Pismo Beach, CA.  All staff connect through company hardware into secure, monitored environments.  No core infrastructure or production environments are maintained in the home office, with key services like phone service provided by SaaS vendors and ready to be swapped for alternate services.  Our Web Hosted Service clients are hosted on dedicated hardware at the Rackspace Texas location, with options for swapping to alternate domestic locations as required.

Our plan is detailed to deal with different types of events and expected durations, but at its core is the ability to use current remote staff to maintain key service while the rest of the team establishes secure communication from alternate locations.

As required by many of our partners, our plan has distinct procedures for operation during a pandemic.

Insurance Coverage

The firm maintains separate policies for general Business Liability as well as Errors and Omissions coverage.  We have business liability coverage of $1m/$2m, which has no cybersecurity component.  This policy includes components that are vital to our Continuity and Recovery plans, as it assists with quick replacement of hardware in the case of disaster.  We also have a $5m general operational E&O policy that covers all aspects of our operations to secure data and maintain access, including cybersecurity incidents.  This coverage is reviewed annually in light of ongoing risk analysis and growth of the firm.

Regulatory Compliance

While Advisors Assistant Holdings is not specifically subject to regulation by the financial industry, most of our clients are.  We provide public summaries of how our clients may meet their HIPAA requirements, have worked with our FINRA member clients and partners to submit our client facing reports to FINRA Communications Review, and can provide details of how our core CRM and optional ReadyDoc module may be used to meet SEC Books and Records requirements.

Privacy Policy

Our privacy policy is incorporated into our client agreements.  Samples of these documents are publicly available.  It is simple and thorough, clearly specifying that we claim no ownership over data with our users’ databases.  This applies both to on-premises (Computer Based System) and private cloud (Web Hosted System) clients.  Many of our employee procedures exist specifically to support this privacy policy, and each department has access to more detailed protocols for protecting the privacy of data under their purview.

Data Classification and Retention

We maintain a standard policy for classifying and retaining data, both as individual elements within our software and as bulk information in the form of production databases or backups.  Among other things, this policy is used to determine which fields are considered to contain PII for the purpose of salting within a database and determines how we handle the movement of data between various locations.  Our classifications are simple and broad, but we consult with our risk assessment team for any new element or situation.  When we are unsure about specific data elements we default to requiring higher security.  When we are unsure about data retention, we default to allowing active clients to retain data, and we default to eliminating storage of inactive backups or lapsed databases.

Encryption Standards

The software we deploy utilizes encryption at rest over all PII with the highest key length of the NIST AES-256 encryption.  Some elements of our encryption process use proprietary methods, as opposed to open-source variants of the process.  Information transferred for delivery of backups or stored during database conversions is also encrypted using AES-256.  We deploy encryption in transit across all of products with standard 4096 bit RSA certificates.

 

SaaS/Cloud Policies & Client Controls

The Advisors Assistant Web Hosted Service should be considered a Software as a Service subscription.  The service provides a managed, single-purpose, private cloud.  All portions of this service are hosted entirely within the United States, as are all cloud products or services utilized in any way by the firm.  The location and facilities utilized by the web hosted service may not be chosen clients, though they may exercise similar control by choosing to move their database to an on-premises option.  All policies and procedures of the firm are extended across cloud resources and vendors providing these services are held to a similar or higher standard.

Vendor Management

The firm maintains a vendor management process to choose and periodically evaluate all providers of both services and hardware.  This process is undertaken by a centralized DevOps team with mandated oversight by upper management.  Security and a history of safe practice are key considerations in vendor review.  Vendor choice and the review process itself is periodically audited by third party advisors.

Hardware Asset Management

Our firm is exceedingly careful to manage the equipment we use.  This starts with careful choice of supplier, includes a formal process to secure each device as appropriate, involves a regularly audited inventory of devices, and ends with a strict process to destroy data before disposing of hardware.  This process is centrally managed by our DevOps group.

Internal/External Penetration Testing

The firm is subject to internal and external penetration tests multiple times per year both from third party advisors at our instruction and from client groups as part of user due diligence.  We carefully examine both our own results and the material provided by clients/partners in order to identify and mitigate any issues.  Any issues identified in these tests would be provided high priority with the risk assessment group and DevOps team.

Patch Management

We maintain channels for receiving notice of updates to our production systems and the libraries underlying our software as well as applying them in a timely fashion.  For production systems managed by third parties, such as the Web Hosted Service on Rackspace, patch management is one of the key metric we use to determine the vendor’s performance.  The process of internal updates and external monitoring is undertaken by our centralized DevOps team, under the leadership of a member management in of our risk assessment group.  Our performance in this area is reviewed by third party advisors.

Independent Audit and Oversight

Every aspect of the firm’s internal processes, deliverable software, and production systems are subject to some form of independent audit and oversight.  Critical security and operational areas are subject to regular oversight from third party advisors with periodic formal audit of both systems and deliverables.  These review procedures are specific to the operation of our firm.  All production facilities are formally audited within the auspices of with a strictly defined, independent standard with all results scrutinized by the Risk Assessment group and made available to clients and partners.

External Audit of Production Facility

All client data and key development systems held by Advisors Assistant Holdings are held within a SOC compliant datacenter managed by a leading hosting provider – Rackspace.  Our dedicated hosting agreement with Rackspace includes access to their SOC-1 and SOC-2 report, which can be provided to partners as required.  This covers all Web Hosted Service users, but does not include data hosted on premise by clients of our Computer-based system where they are responsible for their own physical and electronic security.