End User Customer Acknowledgment & Certification of Access Security, Resale & Employment
In accordance with applicable law and the policies and procedures of MicroBilt and its Credit Bureau and Data Repository vendors as well as your agreement with MicroBilt, the party electronically accepting the following terms and conditions of this Certification ("User," "you" or "your") hereby certifies to MicroBilt that as applicable, User agrees to comply with same.
End User Certification not to Resell
Except as expressly permitted under User's agreement with MicroBilt, if applicable, User certifies that it is the End User and will not further sell consumer credit or other information obtained through MicroBilt or otherwise distribute, rent, sublicense, lease, sell or assign User's agreement with MicroBilt or the services or products provided thereunder, without the prior written consent of MicroBilt.
The electronic signature of User's authorized representative acknowledging acceptance of the above terms and conditions is set forth at the end of this Certification.
End User Certification of Use for Employment Reports
If your business intends to use credit reports and information for employment screening purposes, in compliance with the federal Fair Credit Reporting Act (FCRA) as amended by the Consumer Credit Reporting Reform Act of 1996 (the "Act"), User, as applicable, hereby certifies to MicroBilt that it will comply with the following provisions:
- User will ensure that prior to procurement or causing the procurement of a consumer report for employment purposes (an Employment Insight Report):
  - a clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes; and
  - the consumer has authorized in writing the procurement of the report by the User.
- In using a consumer report for employment purposes, before taking any adverse action based in whole or in part on the report, User shall provide to the consumer to whom the report relates:
  - a copy of the report; and
  - a description in writing of the rights of the consumer under the Act, a copy of which, entitled "Summary of Consumer Rights," can be downloaded from https://www.microbilt.com/laws-notices or supplied upon request.
- The information from the consumer report will not be used in violation of any applicable federal or state equal employment opportunity law or regulation.
The electronic signature of User's authorized representative acknowledging acceptance of the above terms and conditions is set forth at the end of this Certification.
End User Certification of Access Security Requirements
We must work together to protect the privacy and information of consumers. The following information security measures are designed to help reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. Capitalized terms used herein have the meaning given in the Glossary attached hereto, or in your agreement with MicroBilt. MicroBilt reserves the right to make changes to Access Security Requirements without notification.
The security requirements included in this document represent the minimum security requirements acceptable, and are intended to ensure that you have appropriate controls in place to protect information and systems, including any information that you receive, process, transfer, transmit, store, deliver, and / or otherwise access from or through MicroBilt.
In accessing credit reporting agency products and services from or through MicroBilt, you agree to follow these security requirements. These requirements are applicable to all systems and devices to access, transmit, process or store data.
Implement Strong Access Control Measures
- Do not provide your credit reporting agency Subscriber Codes, passwords, user names/identifiers (user IDs) and user passwords to anyone. No one from the credit reporting agency will ever contact you and request your Subscriber Code number or password.
- If using a third party or proprietary system to access credit reporting agency systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing credit reporting data/systems.
- Proprietary or third party system access software must have credit reporting agency Subscriber Codes and password(s) hidden or embedded. Account numbers and passwords should be known only by supervisory personnel.
- You must request that your Subscriber Code password or user passwords be changed immediately when:
  - any system access software is replaced by another system access software or is no longer used;
  - the hardware on which the software resides is upgraded, changed or disposed of; or
  - there is any suspicion of passwords being disclosed to an unauthorized party.
- Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s).
- Create a separate, unique user ID for each user to enable individual authentication and accountability for access to the credit reporting agency's infrastructure. Each user of the system access software must also have a unique logon password. Access to privileged accounts will be restricted to those people who administer the Resource and individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt.
- Ensure that user IDs are not shared, posted, or otherwise divulged in any manner and that no Peer-to-Peer file sharing is enabled on those users' profiles.
- Keep user passwords Confidential.
- Develop strong passwords that:
  - are not easily guessable (i.e. not your name or company name, not repeating numbers and letters, and not consecutive numbers and letters);
  - contain a minimum of eight (8) alpha/numeric characters for standard user accounts; and
  - for interactive sessions (i.e. non system-to-system), are changed periodically (expiration every 90 days is recommended), with accounts locking out automatically after five (5) consecutive failed login attempts.
- Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm, also known as "one-way" encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).
- Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
- Active logins to credit information systems must be configured with a 30-minute inactive session timeout.
- User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.
- Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
- Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
- Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
- Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
- Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
- After normal business hours, turn off and lock all devices or systems used to obtain credit information.
- Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information. Ensure the access is controlled with badge readers, other systems, or devices including authorized lock and key.
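A small policy checker that applies the parameters from the access control measures above: eight-character minimum, no user or company name, no repeating or consecutive runs, five-attempt lockout, 90-day password age, 30-minute idle timeout and one-way hashing instead of clear-text storage. It is an added example, not MicroBilt's code; the three-character run length and the reading of "alpha/numeric" as at least one letter plus one digit are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parameters taken from the access control requirements above.
MIN_LENGTH = 8                                 # at least eight alpha/numeric characters
MAX_FAILED_LOGINS = 5                          # lock after five consecutive failed attempts
PASSWORD_MAX_AGE = timedelta(days=90)          # recommended password expiration
SESSION_IDLE_TIMEOUT = timedelta(minutes=30)   # inactive session timeout
RUN_LENGTH = 3   # assumption: 3 repeated or consecutive characters count as "easily guessable"


def _has_repeating_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if any n adjacent characters are identical, e.g. 'aaa' or '111'."""
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))


def _has_consecutive_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if any n adjacent characters step by +1 or -1, e.g. 'abc' or '321'."""
    lowered = s.lower()
    for i in range(len(lowered) - n + 1):
        codes = [ord(c) for c in lowered[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, user_name: str, company_name: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Assumption: "alpha/numeric" requires at least one letter and one digit.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("not_alphanumeric")
    lowered = password.lower()
    if user_name and user_name.lower() in lowered:
        problems.append("contains_user_name")
    if company_name and company_name.lower() in lowered:
        problems.append("contains_company_name")
    if _has_repeating_run(password):
        problems.append("repeating_run")
    if _has_consecutive_run(password):
        problems.append("consecutive_run")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash (PBKDF2-HMAC-SHA256) so the password is never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def create_account(user_id, password, user_name, company_name, now) -> Account:
    """Reject non-compliant passwords up front; store only salt and hash."""
    problems = check_password(password, user_name, company_name)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), now)


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'denied', 'locked' or 'expired' and maintain the lockout counter."""
    if account.locked:
        return "locked"
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_LOGINS:
            account.locked = True
            return "locked"
        return "denied"
    account.failed_attempts = 0
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "expired"   # correct password, but the 90-day change is overdue
    return "ok"


def session_is_idle_expired(last_activity: datetime, now: datetime) -> bool:
    """Apply the 30-minute inactive session timeout."""
    return now - last_activity > SESSION_IDLE_TIMEOUT


def demo() -> dict:
    """Walk the lockout, expiry and idle rules with constructed data and return the outcomes."""
    now = datetime(2024, 1, 15, 9, 0)
    acct = create_account("jdoe", "Tr0ub4dor!x", "jdoe", "Acme", now)
    outcomes = [attempt_login(acct, "wrong-guess", now) for _ in range(MAX_FAILED_LOGINS)]
    after_lock = attempt_login(acct, "Tr0ub4dor!x", now)   # still locked, even if correct
    stale = create_account("msmith", "Tr0ub4dor!x", "msmith", "Acme", now - timedelta(days=91))
    return {"outcomes": outcomes, "after_lock": after_lock,
            "expired": attempt_login(stale, "Tr0ub4dor!x", now),
            "idle": session_is_idle_expired(now - timedelta(minutes=31), now)}
```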
Maintain a Vulnerability Management Program
- Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems and resources (including physical, on-premise, or cloud hosted infrastructure) current with appropriate security system patches and updates. In addition, regular penetration tests will be performed to further assess the security of systems and resources. Further, end-point computer malware detection / scanning services and procedures will be used.
- Configure infrastructure such as Firewalls, Routers, servers, tablets, smart phones, personal computers (laptop and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
- Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
  - Use, implement and maintain current, commercially available anti-virus software on all systems where applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
  - If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
  - On a weekly basis at a minimum, ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
Protect Data
- Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).
- All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum.
- Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
- Encrypt all credit reporting agency data and information when stored on any laptops, tablets, personal computers, servers and in databases using strong encryption such as AES 256 or above at a minimum.
- Credit reporting agency data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.
- When using smart tablets or smart phones to access credit reporting agency data, ensure that such devices are protected via device passcode.
- Applications utilized to access credit reporting agency data via smart tablets or smart phones must protect data while in transmission such as TLS protection and/or use of VPN, etc.
- Use security measures, including encryption, to protect data in storage and in transit to reduce the risk of exposure to unauthorized parties.
- Only open email attachments and links from trusted sources and after verifying legitimacy.
- When no longer in use, ensure that hard-copy materials containing credit reporting data are cross-cut shredded, incinerated or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
- When no longer in use, electronic media containing credit reporting data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
Maintain an Information Security Policy
- Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
- Establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.
- Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe credit bureau data may have been compromised, immediately notify MicroBilt within twenty-four (24) hours or per agreed contractual notification timeline.
- The FACTA Disposal Rule requires that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
- Implement and maintain ongoing annual mandatory information security training and awareness sessions for all staff to underscore the importance of security within your organization, and establish and maintain proof of same.
- When using third party service providers (e.g. application service providers) to access, transmit, store or process credit bureau data, ensure that the service provider is Experian 3rd Party Security Assessment compliant and registered in a list of compliant service providers. If the service provider is in the process of becoming compliant, it is User's responsibility to ensure the service provider is engaged with the relevant Data Repository and that an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.
Build and Maintain a Secure Network
- Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices.
- Have Information Security policies and procedures in place that are consistent with the practices described in an industry standard, such as ISO 27002 and / or this Security Requirements document, which is aligned to this Information Security policy.
- Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
- Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
- Any stand alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
- Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.
- For wireless networks connected to or used for accessing or transmission of credit reporting data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i / WPA2) for authentication and transmission over wireless networks.
- When using service providers (e.g. software providers) to access credit reporting data, access to third party tools/services must require multi-factor authentication.
- Use security measures, including anti-virus software, to protect communications systems and network devices to reduce the risk of infiltration, hacking, access penetration by, or exposure to, an unauthorized third party.
- All remote access connections to internal networks and / or computer systems will require authorization with access control at the point of entry using multi-factor authentication. Such access will use secure channels, such as a Virtual Private Network (VPN).
Regularly Monitor and Test Networks
- Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.)
- Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit credit reporting data; establish a process for linking all access to such systems and applications to individual users. Ensure that security policies and procedures are in place to review security logs on a daily or weekly basis, and that follow-up on exceptions is required.
- Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
  - protecting against intrusions;
  - securing the computer systems and network devices; and
  - protecting against intrusions of operating systems or software.
- Logging mechanisms will be in place sufficient to identify security incidents, establish individual accountability, and reconstruct events. Audit logs will be retained in a protected state (i.e., encrypted, or locked) with a process for periodic review.
Mobile and Cloud Technology
- Storing credit reporting data on mobile devices is prohibited. Any exceptions must be obtained from MicroBilt in writing; additional security requirements will apply.
- Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.
- Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
- Mobility solution servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA and/or other.
- Mobile applications and data shall be hosted on devices through a secure container separate from personal applications and data. See details below. Under no circumstances is credit reporting data to be exchanged between secured and non-secured applications on the mobile device.
- In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing credit reporting data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application.
- When using cloud providers to access, transmit, store or process credit reporting data, ensure that:
  - appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations; and
  - cloud providers have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by MicroBilt:
    - ISO 27002
    - PCI DSS
    - Experian 3rd Party Security Assessment
    - SSAE 16 - SOC 2 or SOC 3
    - FISMA
    - CAI / CCM Assessment
General
- MicroBilt may from time to time audit the security mechanisms User maintains to safeguard access to credit reporting information, systems and electronic communications. Audits may be remote and/or onsite, and include examination and assessment of information security controls, systems security and associated administrative practices in compliance with these Security Requirements.
- In cases where the User is accessing credit reporting information and systems via third party software, User agrees to make available to MicroBilt upon request audit trail information and management reports generated by the vendor software regarding User's individual Authorized Users.
- User shall be responsible for ensuring that third party software which accesses credit reporting information systems is secure, and for protecting this vendor software against unauthorized modification, copying and placement on systems which have not been authorized for its use.
- User shall conduct software development (for software which accesses credit reporting information systems; this applies to both in-house and outsourced software development) based on the following requirements:
  - Software development must follow industry known secure software development standard practices such as OWASP, adhering to common controls and addressing top risks;
  - Software development processes must follow a secure software assessment methodology which includes appropriate application security testing (for example: static and dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated; and
  - Software solution servers/systems should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIST, NSA, DISA, etc.
- Reasonable access to audit trail reports of systems utilized to access credit reporting data shall be made available upon request, for example during breach investigations or while performing audits.
- Data requests from User to MicroBilt must include IP address of the device from which the request originated (i.e., the requesting client's IP address), where applicable.
- Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents. User shall report actual or suspected security violations or incidents that impact credit reporting data within twenty-four (24) hours of confirmation of such violation or incident, or per lesser agreed contractual notification timeline. User agrees to provide notice of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law.
- User acknowledges and agrees that it (a) has received a copy of these requirements, (b) has read and understands User's obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to credit reporting services, systems, or data, and (d) will abide by the provisions of these requirements when accessing credit reporting data.
- User understands that its use of credit reporting networking and computing resources may be monitored and audited by MicroBilt and the relevant Data Repository, without further notice.
- User acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access credit reporting services or data are secure and in compliance with its membership agreement.
- When using third party service providers to access, transmit or store credit reporting data, additional documentation may be required.
- User shall not "bulk email" communications to multiple MicroBilt employees or its vendors without express prior written approval.
Record Retention: The federal Equal Credit Opportunity Act (ECOA) states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, the credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.
"Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation."
Internet Delivery Security Requirements:
In addition to the above, the following requirements apply where User and their employees or an authorized agent/s acting on behalf of the User are provided access to MicroBilt provided services via the Internet ("Internet Access").
General requirements:
- User shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with MicroBilt on systems access related matters. User's Head Security Designate will be responsible for establishing, administering and monitoring all User employees' access to MicroBilt provided services which are delivered over the Internet ("Internet access"), or approving and establishing Security Designates to perform such functions.
- User's Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each MicroBilt product based upon the legitimate business needs of each employee. MicroBilt shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
- Unless automated means become available, User shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by MicroBilt. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). MicroBilt's approval of requests for (Internet) access may be granted or withheld in its sole discretion. MicroBilt may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to User), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
- An officer of User agrees to notify MicroBilt in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.
Roles and Responsibilities:
- User agrees to identify an employee it has designated to act on its behalf as a primary interface with MicroBilt on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the User and shall be available to interact with MicroBilt on information and product access, in accordance with these Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of User. User's duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to User's Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to MicroBilt's systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to MicroBilt immediately.
- As a Client to MicroBilt's products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of User.
- The Security Designate may be appointed by the Head Security Designate as the individual that User authorizes to act on behalf of the business in regard to MicroBilt product access control (e.g. request to add/change/remove access). User can opt to appoint more than one Security Designate (e.g. for backup purposes). User understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with MicroBilt's Security Administration group on information and product access matters.
- The Head Security Designate shall be responsible for notifying their corresponding MicroBilt representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to applications and data) that are required to be terminated due to a suspected (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.
Security Designate:
- Must be an employee and duly appointed representative of User, identified as an approval point for User's Authorized Users.
- Is responsible for the initial and on-going authentication and validation of User's Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
- Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities.
- Is responsible for ensuring that User's Authorized Users are authorized to access MicroBilt products and services.
- Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by User.
- Must immediately report any suspicious or questionable activity to MicroBilt regarding access to MicroBilt's products and services.
- Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to MicroBilt.
- Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.
- Shall be available to interact with MicroBilt when needed on any system or user related matters.
Glossary:
- Computer Virus: A Computer Virus is a self-replicating computer program that alters the way a computer operates without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive, for example by destroying data, some viruses are benign or merely annoying.
- Confidential: Very sensitive information. Disclosure could adversely impact your company.
- Encryption: Encryption is the process of obscuring information to make it unreadable without special knowledge.
- Firewall: In computer science, a Firewall is a piece of hardware and/or software that functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the least privilege principle.
- Information: Information means highly sensitive information including, by way of example and not limitation, data, databases, application software, software documentation, supporting process documents, operation process and procedures documentation, test plans, test cases, test scenarios, cyber incident reports, consumer information, financial records, employee records, and information about potential acquisitions, and such other information that is similar in nature or as mutually agreed in writing, the disclosure, alteration or destruction of which would cause serious damage to business reputation or valuation, and/or provide a competitive disadvantage.
- Information Lifecycle: (Or Data Lifecycle) A management program that considers the value of the information being stored over a period of time, the cost of its storage, its need to be available for use by authorized users, and the period of time for which it must be retained.
- IP Address: A unique number that devices use in order to identify and communicate with each other on a computer network using the Internet Protocol (IP) standard. All participating network devices - including routers, computers, time servers, printers, Internet fax machines, and some telephones - must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure, as hackers can gain control of your devices and possibly launch an attack on other devices.
- Peer-to-Peer: A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission.
- Resource: Resource means all devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver, or otherwise access the Information.
- Router: A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks, transferring data packets between them.
- Spyware: Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the Internet.
- SSID: Part of the Wi-Fi wireless LAN standard, a service set identifier (SSID) is a code that identifies each packet as part of that network. Wireless devices that communicate with each other share the same SSID.
- Subscriber Code: Your seven-digit credit reporting agency account number.
- Experian 3rd Party Security Assessment Compliance: The Experian 3rd Party Security Assessment is an annual assessment of an Experian Reseller's (MicroBilt's) ability to protect the information it purchases. It requires an evaluation of MicroBilt's information security by an independent assessor, based on requirements provided by Experian, and also establishes quarterly scans of the network for vulnerabilities.
- ISO 27002: ISO 27002 is a specification for an ISMS (Information Security Management System). The ISO 27002 standard is the renamed ISO 17799 standard and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within it.
- PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards.
- SSAE 16 SOC 2, SOC 3: Statement of Standards for Attestation Engagements (SSAE) No. 16 SOC 2 Report on Controls Related to Security, Availability, Processing Integrity, Confidentiality and Privacy. The SOC 3 Report is based upon the same controls as SOC 2, the difference being that the SOC 3 Report does not detail the testing performed (it is meant to be used as marketing material).
- FISMA: The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
- CAI / CCM: The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
- WEP Encryption: (Wired Equivalent Privacy) A part of the wireless networking standard intended to provide secure communication. The longer the key used, the stronger the encryption will be. Older technology reaching its end of life.
- WPA: (Wi-Fi Protected Access) A part of the wireless networking standard that provides stronger authentication and more secure communications. Replaces WEP. Uses dynamic key encryption versus the static key used in WEP (the key is constantly changing and thus more difficult to break than WEP).
The electronic signature of User's authorized representative acknowledging acceptance of the above terms and conditions is set forth at the end of this Certification.
Document Approval
User certifies that the terms on this and the prior pages have been read and that it agrees to the terms of this Certification as written on behalf of his / her business and represents that he / she is authorized to accept this Certification on behalf of the party so indicated.
By its electronic submission, which shall constitute a legal, valid and binding mark, with the same force and effect as a physically signed original, User agrees, acknowledges and consents to the terms of this Certification and to the electronic delivery and acceptance thereof and all exhibits, documents, notices, updates, addenda and amendments related thereto, as well as any other documents to be delivered by MicroBilt during the Term of User's agreement with MicroBilt. User understands that it will need a valid email address and access to the Internet, as well as the appropriate software and/or programs, including, but not limited to, Adobe Acrobat, in order to access this Certification electronically. User also understands that it may update its information, obtain a full description of systems requirements, revoke this consent to electronic delivery, or request one or more paper documents at any time by contacting MicroBilt in writing. Capitalized, quoted, bolded, italicized or underlined terms used in this Certification, if any, but not otherwise defined herein shall have the meanings ascribed to them in User's agreement with MicroBilt.