Security

Firewall;
Microsoft Active directory;
Monitored by IS-Distributed Network Operations,
IS-Security and OUA;
Virus protection by Server Protect;
SSL available on the web servers and its usage is enforced.
IIS Lockdown;
All ports except 80 and SSL blocked to the Internet.
System level monitoring by Candle Command Center and in-house custom routines.
IIS logs processed by Web Trends.

Consent: at the time of initial system access, the system will display a banner indicating that the user has accessed a private and restricted system, and that all usage will be monitored.
Authentication: the system uses a unique identifier (ID) for each user. Users are required to login with their user name and password each time they access the database. All access control is based on this user ID.
Expiration: The system will automatically terminate and re-authenticate an interactive user's session when a predefined period of inactivity has been exceeded.
Encryption: the password is obscured by one-way encryption. Users will be required to reset the password in every 90 days.
Failed Logon Attempts: Failed logon attempts are unsuccessful attempts to provide the correct logon user ID and authentication combination. The system will suspend the user id after three unsuccessful logon attempts. The System Administrator will receive the email notification of user ID suspension.
Access control: role-based access control mechanism. Once authenticated, a user's ability to access information is further controlled by the access control mechanism, which mediates all access to pages or elements in the pages and controls the way in which users can use them. Users are granted permission to view, add, edit or delete data for pages or elements based on the user-specified role.
Security Log: The system will automatically log user's activities into security log file. The system will save 1) the time, 2) the accessed page and 3) the actions (view, add, edit or delete).