In general, E-File data communications between our clients and us are transmitted via encrypted channels. E-File request data files are encrypted while at rest, waiting to be processed. Once the request data files are processed, they are wiped. Our applications output and encrypt response data files for the clients. Our applications are cloud-based, hosted in a PCI-compliant environment.
Feel free to read a subset of our security policies below.
E-File Data Security Policy
Information Classification Policy
(ISO/IEC 27001:2005 A.7.2.1)
COMPANY provides fast, efficient, and cost-effective electronic services for a variety of clients worldwide. As an industry leader, it is critical for COMPANY to set the standard for the protection of information assets from unauthorized access and compromise or disclosure. Accordingly, COMPANY has adopted this information classification policy to help manage and protect its information assets.
All COMPANY associates share in the responsibility for ensuring that COMPANY information assets receive an appropriate level of protection by observing this Information Classification policy:
• Company Managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below.
(‘Owners’ have approved management responsibility. ‘Owners’ do not have property rights.)
• Where practicable, the information category shall be embedded in the information itself.
• All Company associates shall be guided by the information category in their security-related handling of Company information.
All Company information and all information entrusted to Company from third parties falls into one of four classifications in the table below, presented in order of increasing sensitivity.
|Information is not confidential and can be made public without any implications for Company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.||
|Information is restricted to management approved internal access and protected from external access. Unauthorized access could influence Company’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.||
|Information received from clients in any form for processing in production by Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital.||
|Information collected and used by Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.||
E-File Encryption Policy and Standards
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
This policy applies to all COMPANY employees and affiliates.
Proven standard algorithms such as AES (Rijndael), Twofish, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. The use of SSL/TLS is recommended for communication security over the Internet.
COMPANY’s key length requirements will be reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by IT. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.