Security is the highest priority for HIC. We consider the confidentiality, integrity and availability of our partners' and citizens' information critical to the services we provide. Since the nature of cybercrime continues to evolve, our security program and forward-leaning posture have expanded to address the changing threats. Our proactive security approach includes working with our state partners to identify and implement internal policies, hardware and software solutions, and industry-leading audit features that mitigate the security risks state government portals encounter. As a subsidiary of a publicly traded company that processes credit card transactions, HIC is held to the high security standards required by both the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). HIC also participates in Cybertrust's Security Management Program, an intense, invasive and arduous process that includes multiple components to measure our compliance with Cybertrust's essential security practices.
HIC Security Policy Overview
HIC's Security Policies are reviewed annually and updated as necessary to ensure they keep up with changes in technology and any new threat areas. All employees and contractors are made aware of HIC's Security Policy and are required to adhere to the "Acceptable Use of Technology" requirements. The following list shows key areas that our policy covers, but it is not an all-inclusive list, as we reserve the right to take additional measures to ensure the confidentiality, integrity and availability of our systems, applications, networks and the data stored and processed by them.
Build and Maintain a Secure Network
- Install and maintain a network configuration to protect sensitive data
Protect Sensitive Data
- Protect stored sensitive data
- Encrypt transmission of sensitive data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to sensitive data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to processing environment
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and sensitive data
- Regularly test security systems and processes
Scheduled Security Measures
Quarterly external PCI scans are performed by McAfee, an Approved Scanning Vendor certified by the PCI Security Standards Council to maintain PCI compliance status.
Quarterly external scans, biannual internal scans and an on-site security audit are performed by Verizon/Cybertrust to meet compliance with Verizon/Cybertrust's essential security practices.
HIC’s systems and networks are monitored with multiple security solutions. These solutions alert support personnel when adverse or suspicious events occur so that corrective actions may be taken.
Secure, Authenticated Transactions
Our online applications utilize secured two-way transactions and the ability to conduct transactions through a 256-bit Secure Sockets Layer (SSL) server. This technology uses public-and-private key encryption and includes digital certificate authentication of the network server.
- In Transit: Hawaii applications use Secure Sockets Layer (SSL) encryption for all sensitive information transmitted between the site and site users. SSL is a widely accepted encryption protocol and encrypts the exchange between the user's Web browser and the website to mitigate the risk of unauthorized viewing or tampering of sensitive information. In cases where it is necessary to construct a secure connection between the State site and its users, HIC's architecture has made use of other technology including VPNs, Secure File Transfer (SFTP), Unison real-time file system replication and secure database replication. This includes compliance with Internet Engineering Task Force (IETF) standard protocols for encryption and key management (IPsec/IKE), DES and Triple DES for data encryption, and SHA-1 and MD5 for data authentication. Also, encryption keys are updated often, ensuring maximum security and providing Perfect Forward Secrecy, so older encryption keys cannot be used to decipher more recent communications.
- In Storage: HIC's robust security solution provides the highest level of protection for confidential data in storage. All sensitive data is encrypted in storage, and HIC follows the Payment Card Industry Data Security Standard (PCI DSS) for storage of all eCommerce transactions. HIC uses state-of-the-art firewall technology to mitigate the risk of unauthorized access by outside users. Our applications use robust authentication systems and protect that authentication to minimize the opportunity for intruders to gain access to login information. Our security policies and protocols, combined with our intrusion detection methods, ensure that State information is protected.
Integrity of Data
Data integrity in a transaction environment is validation that the data received is the same as the data that was generated. This is a fundamental element of the technology of digital certificates and the processing of digital signatures.
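The integrity check described above, and the keyed "data authentication" mentioned under In Transit, can be shown concretely with a small added example. This is illustrative code written for this page, not HIC's or the Hawaii portal's own software: the transaction record is a constructed sample, the shared key is generated locally rather than negotiated by IKE, and an HMAC stands in for the keyed integrity tag (a digital signature applies the same receive-side logic with an asymmetric key pair instead of a shared secret). The `digest` parameter is an assumption of this example and accepts any hashlib name, so the same code shows the SHA-1-based tag the page mentions and a SHA-256 tag.

```python
"""Keyed integrity tag over a transaction record (added example, not page code)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; the values are placeholders, not real portal data.
SAMPLE_RECORD = {
    "transaction_id": "TXN-0001",
    "payer": "example citizen",
    "amount_cents": 12500,
    "currency": "USD",
    "service": "vehicle-registration-renewal",
}


def canonicalize(record: dict) -> bytes:
    """Serialize the record deterministically so sender and receiver hash the
    same bytes. Sorted keys and fixed separators remove formatting differences
    that would otherwise make a legitimate, unmodified record fail the check."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes, digest: str = "sha256") -> str:
    """Compute an HMAC over the canonical record with the shared key.
    `digest` is any hashlib constructor name (sha1, sha256, ...)."""
    mac = hmac.new(key, canonicalize(record), getattr(hashlib, digest))
    return mac.hexdigest()


def verify_record(record: dict, tag: str, key: bytes, digest: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading characters matched."""
    expected = tag_record(record, key, digest)
    return hmac.compare_digest(expected, tag)


def demo(digest: str = "sha256") -> dict:
    """Exercise the check against an intact record, a modified amount, a
    re-ordered but unmodified record, and a verifier holding the wrong key."""
    key = secrets.token_bytes(32)  # shared secret; in IPsec this comes from IKE
    tag = tag_record(SAMPLE_RECORD, key, digest)

    results = {}
    results["intact"] = verify_record(SAMPLE_RECORD, tag, key, digest)

    # A single changed field (amount lowered) must be detected.
    tampered = dict(SAMPLE_RECORD, amount_cents=125)
    results["tampered"] = verify_record(tampered, tag, key, digest)

    # Same data in a different key order is still the same data.
    reordered = dict(reversed(list(SAMPLE_RECORD.items())))
    results["reordered"] = verify_record(reordered, tag, key, digest)

    # Without the key, the tag cannot be confirmed (or forged).
    results["wrong_key"] = verify_record(SAMPLE_RECORD, tag, secrets.token_bytes(32), digest)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} verified={ok}")
```

The canonicalization step is the part most often overlooked in practice: if the sender and receiver serialize the record differently, every legitimate record fails verification and operators are tempted to weaken the check. Pinning the encoding, as `canonicalize` does, keeps the tag bound to the data rather than to one system's formatting.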
One of the most important requirements for the implementation of electronic government is the need to enhance and promote trust in the transactions performed using the State’s portal. However, the many different transactions involved in an electronic government solution require a wide variety of security levels. It is important when evaluating a particular transaction to recognize this and review the various alternatives available.
HIC performs internal and independent third-party security audits to test the implemented security model against the latest known vulnerabilities and threats. The internal security audits include:
- Verizon/Cybertrust Security Management Program Assessment and certification
- Internal and external audits for compliance with SOX security related policies
- Internal and external audits for compliance with the PCI DSS
- Web application vulnerability scanning
HIC has contracted with McAfee to perform quarterly security audits at HIC’s expense. The results are reported to HIC’s financial institutions. HIC proposes to continue to use McAfee to meet the annual security audit requirement.
Payment Card Industry’s Data Security Standards (“PCI DSS”) Compliant
In 2005, NIC completed a year-long initiative to meet and exceed the security requirements set out by the Payment Card Industry Data Security Standard ("PCI DSS"). To satisfy both Sarbanes-Oxley (SOX) and the PCI DSS, NIC retained an independent security firm certified by the Payment Card Industry (PCI) to conduct routine network scans of all portal operations to monitor our compliance with both SOX and the PCI DSS. To date, eHawaii.gov remains compliant with both SOX and the PCI DSS. To further bolster our SOX and PCI DSS compliance, we regularly conduct internal audits of all HIC staff and services against SOX and PCI DSS requirements, and each year we identify any vulnerabilities or weaknesses requiring remediation.
HIC meets Level 3 merchant PCI DSS compliance. HIC's security policy documents the procedures for the current portal contract and goes well beyond the requirements for PCI DSS and SOX compliance, showcasing HIC's commitment to the security of the Hawaii portal and its data.