
Security 2018-04-30T09:05:10+00:00

THE BMI DIFFERENCE: SECURITY

SECURITY IS NOT A POLICY; IT’S A MINDSET

BMI is committed to the security of our people, our projects, and your data. When you choose us as your partner you can be confident that your information is handled with the care and responsibility we use to protect our own records. Below are some of our methods to keep your data secure:

  • Facility Access: BMI utilizes a least-privilege layered access model within its facilities. Access to each layer of the facility requires a higher level of clearance and specific job assignment. Access privileges are assigned to employees based upon individual security clearance levels and project assignments.
  • Employee Badging: A security badge is required for access to BMI facilities. Each employee security badge consists of a picture ID and a programmable key fob with a four-digit personal code, forming a two-factor entrance requirement. The employee’s security clearance levels and access privileges are indicated on each employee’s badge and encoded in the key fob for access to restricted production areas.
  • Visitors are not allowed beyond the Public Access Area without a government-issued photo ID, access log entry and signature, and a BMI employee escort.
  • Perimeter and interior surveillance cameras operate 24/7 with a minimum 30-day backup recording.
  • Server rooms remain locked at all times, and are only accessible to designated BMI employees.
  • Both facilities are free-standing and single-tenant buildings.
  • There’s an On-site Media Vault for material storage throughout your project’s duration.
    • The Vault is accessible only to designated employees.
    • High-value security “cages” within the vault are available for media that must remain separate from other media.
  • BMI utilizes a Digital Vault for images and data created during a project.
    • Files in BMI’s Digital Vault are stored on a mirrored set of two drives.
    • High-security project data is stored on encrypted drives using AES-256.
    • Secret-level project data is stored on an individual encrypted drive set and locked in a physically separated storage cage.
  • Hard drives used for transmission are encrypted using AES-256.
  • BMI utilizes AlienVault for real-time intrusion detection and monitoring of all network access points and secure assets on the BMI network.
  • BMI’s hosting environment consists of two live, geographically separate sites operating in a load-balanced mode to provide automatic failover for datasets configured to run at two site locations. One hosting site is located in BMI’s Sunnyvale data center. The second site is provisioned at Sacramento-based RagingWire, a 2N+2 hosting facility with an N-Matrix DCIM. RagingWire has SSAE-16 and PCI DSS certification.
  • Third-party Network and Application Penetration Testing: BMI performs annual network and application penetration tests on BMI hosting systems. Tests are based on OWASP, NIST, OSSTMM, or CVE standards.
  • Regression testing is performed on every software release. New release deployments are typically every two weeks. Security tests are conducted in tandem with regression testing.
  • BMI utilizes unmarked company-owned vans with Fleetistics vehicle tracking systems. BMI employees are the only vehicle operators.
  • Lockable containers are available during transportation of your material.
  • Background checks are conducted for every employee at BMI.
  • Employee credit and criminal history checks are repeated every five years.
  • Criminal Justice Information Services (CJIS) training, testing, and certification are conducted biennially.
  • Annual non-product related training for BMI employees:
    • HIPAA awareness and procedures
    • Security awareness
    • Fire extinguisher use
    • First aid
    • Harassment mitigation
  • Material Security Classification
    • BMI designates projects with a Material Security Classification Level to ensure that specific processes for handling the material are utilized based on client data and project requirements.
  • HIPAA guidelines are followed and procedures are utilized for projects containing material that falls under the HIPAA umbrella.
  • Internal material and project tracking systems are employed to monitor projects at the unit level.
  • Disaster Recovery Plan in place for business resumption after an emergency incident.
  • Criminal Justice Information Services (CJIS) – listed vendor.
  • National Institute of Standards and Technology Special Publication (NIST SP) 800-53 compliant.
  • HIPAA self-certified.