Security Strategy, Program, and Policies
MX’s approach to security includes a defense-in-depth strategy. This strategy is supported by an established, operational MX Security Program, with a robust suite of governing policies, processes, security controls, and procedures to achieve MX’s security strategy. MX enacts defense in depth by hardening each layer of MX’s infrastructure and supporting processes.
Risk and Vulnerability Management
MX deploys a defense-in-depth security model - securing MX systems against malicious attacks at each level and layer. To proactively identify potential risks, MX employs several vulnerability and risk detection mechanisms including, but not limited to, continuous security vulnerability scans, regular compliance and security audits, security alert reviews, and engaging with third-party assessment organizations to conduct rigorous external penetration tests.
Results of these risk detection activities are consolidated and input into MX’s Risk Management dashboard. The MX Risk Management dashboard is reviewed by the Head of Information Security on a regular basis—accounting for updated scan results, audit findings, Security Information and Event Management system (SIEM) event reviews, system security alerts, and other information collected on a regular basis. Risk ratings are applied to each risk and are calculated based on both the impact and likelihood of each risk. MX’s Information Security team creates risk mitigation plans for each risk and executes these risk mitigation plans. Status of risk mitigation activities contained within MX’s Risk Management dashboard are communicated to MX’s management team on a regular basis. Any blockers identified in risk mitigation activities are provided to MX’s management team in order to diffuse any risk mitigation disruptors in a timely manner.
MX’s Information Security team has established the MX Incident Response Plan, which is maintained and executed as needed. MX’s Incident Response Plan includes execution criteria, effective response procedures, and processes for communicating incident details (when customer impacting) to customers. The MX Incident Response Plan is reviewed, updated (as needed), and tested on an annual basis.
MX’s Information Security team provides a mechanism for MX personnel and external system users to report potential security incidents. MX personnel are encouraged and trained to report security-related incidents directly to MX’s Information Security team either verbally, via internal communication mechanisms, or by emailing security@ mx.com.
External system users are able to report security-related incidents via the “Contact Support” links available in MX’s applications by contacting their MX customer service representative, or by emailing email@example.com.
MX relies on secure data center colocation facilities to house MX infrastructure. This includes:
- Power (including redundant power supplies, uninterruptible power supplies, and generator backup power)
- HVAC (including temperature and humidity controls)
- Server and Hardware Racks
- System components (including network devices and servers)
MX equipment is isolated in secured partitions in each data center colocation facility. Partitions are built with tamper-resistant hardware and extend from subfloor to partition ceiling.
Physical access controls include:
- Access is provided to authorized personnel only
- Access does not provide logical access to systems
- Access is granted to authorized persons via electronic key card having the appropriate access permissions and either PIN or biometric authentication
- Cameras are in place to monitor ingress into the data center colocation facilities
- Access lists are reviewed on a periodic basis for appropriateness
- Access is removed when MX personnel employment is terminated
Visitor access controls include:
- Visitors to data center colocation facilities require authorization by designated personnel
- Visitors must check into the data center colocation facility upon arrival
- Each visitor’s identity is authenticated using a government-issued identification
- Visitors are escorted at all times by authorized MX personnel
Data center colocation facilities are required to maintain compliance with the AICPA’s Trust Services Principles and Criteria (TSP), and provide evidence indicating ongoing compliance with the TSP by providing a Report on the Design and Operating Effectiveness of Controls at Service Organizations (SOC-2 Type II Report) issued by a third party assessment organization.
Physical access to MX corporate office buildings is secured to allow only MX personnel with an active electronic key card. Physical access is removed when MX personnel leave MX. Physical access control lists are reviewed periodically for appropriateness.
MX personnel are required to wear their MX identification (or I.D.) badge in a manner that allows others to easily see the badge. The electronic key card has no logos or other information that would attribute the card to the MX corporate office building. Visitors to MX corporate office buildings must check-in at the reception desk. Each visitor’s identity is authenticated using government-issued identification. Visitors are required to sign-in using the Visitor Access Log prior to being provided a visitor badge. The visitor badge is a card that does not have the ability to enter through MX corporate office doors. Visitors must be escorted at all times by authorized MX personnel.
Logical Access Control
Logical access to MX production system components is limited to only authorized personnel with a legitimate business justification and documented engineering, operations, and security management approval. MX follows the principle of least privilege by provisioning only the needed permissions to users in order to perform their job function.
Users are authenticated to the MX production environment using strong multi-factor authentication (MFA) mechanisms that include a complex password and mobile device push notification MFA prompt. User access to systems and user permissions are reviewed on a periodic basis. User access is removed from MX systems when personnel leave MX.
Network devices are configured to use secure configurations. MX maintains a robust vulnerability management program and updates network devices as needed for security or bug patches.
Firewalls are configured to deny all traffic except permitted by justified exception. Firewall rules are periodically reviewed to help ensure rule sets are configured to limit ingress and egress communications to only those required for the operations of MX services.
System Hardening, Baselines, and Configuration Management
MX systems are hardened using input from industry-recognized hardening standards such as Defense Information Systems Agency (DISA), Security Technical Implementation Guide (STIG) and Center for Internet Security (CIS) benchmarks. A baseline Operating System (OS) image is used for every system build. Patches are automatically applied to production systems daily. Patching includes updating the baseline OS image for all new builds and also includes updating systems currently running in production. OS configurations are maintained by centrally managed deployment mechanisms. Configurations are pushed out to systems on an ongoing basis to help ensure systems maintain baseline configurations. System configuration deviations are identified, logged, and reported by this centrally managed deployment mechanism.
The OS baseline and associated system configurations are regularly backed up to help ensure timely restore of systems and system configurations in the event of catastrophic system failure.
Logging, Monitoring, and Alerting
System and application activities are logged and monitored for irregular and otherwise suspect system and user behaviors. Logs are sufficiently detailed to support MX’s incident response and root cause analysis processes. Logs are in read-only format - protected against direct or inadvertent modification. Systems sync with authoritative NTP time sync sources to help ensure events and logs are using accurate timestamps.
The MX Information Security team has defined critical security alert criteria. These criteria are applied to monitoring systems to produce alarms and notifications, which are sent to the MX Information Security team to review, investigate, determine root cause, and identify and execute corrective changes.
Segregation of Duties
MX segregates its development, Quality Assurance (QA), and production environments - both via network segmentation and logical access restrictions. Development of code takes place in the development environment. Testing of pre-production builds take place in the QA environment. Production code, after appropriate authorization, is deployed into the production environment. Segregating duties in these critical processes is key to reducing the risk of fraud, error, and other potential malicious activities.
System Resiliency, Business Continuity and Disaster Recovery
MX production systems are architected with the level of resiliency required to meet operational up-time requirements. MX operates using 2N (redundant) production environments. Each production environment is located in geographically separate, fault-tolerant zones—significantly reducing the likelihood of full system failure and impactful system outages.
As noted above, OS baselines and associated system configurations, code repositories, and critical system data are regularly backed up to help ensure timely restoration of systems and system configurations in the event of catastrophic system failure.
MX maintains a Business Continuity Plan that identifies business impacting systems and processes, critical dependencies, and strategy plans to restore business operations in the event of a business impacting event. In order to support MX’s Business Continuity Plan, MX has a Disaster Recovery Plan that lists and describes critical system components, identifies recovery time and point objectives, and contains procedures to recover from a catastrophic system failure.
MX’s Disaster Recovery Plan is reviewed, tested, and updated as needed on an annual basis.
Code Security and Change Management
Application code is managed and deployed using a centrally-managed software repository.
Deployments to the production environment require:
- Documented description of the change
- Peer review by two engineers
- Systematic code style checks
- Code security review (including checks against OWASP’s Top 10 common coding vulnerabilities and other code vulnerability checks)
Code is deployed to servers in a methodical manner - deploying code to a single node, testing the deployed code on that single node and, when confirmed successful on the single node, code is then deployed to all subsequent nodes. Code repositories are regularly backed up to help ensure timely restoration of applications in the event of catastrophic system failure.
Data Classification, Handling, and Encryption
Data at MX is handled commensurate with the level of data sensitivity.
MX classifies data as one of the following (listed from least to most sensitive):
- MX Internal
- MX Confidential
- MX Privileged and Confidential
Data classified as either MX Confidential or MX Privileged and Confidential is encrypted in transit and at rest using cryptographically strong encryption mechanisms.
Sensitive data in transit is encrypted using TLS 1.2 and 1.3. Sensitive data at rest is encrypted using AES-256 keys.
At the end of the useful lifecycle or when requested by clients, data is destroyed securely. Media (e.g., hard disk drives) are destroyed by using NIST-approved drive-shredding techniques.
Data Leakage Protection
Access to database zones containing sensitive information is limited to only authorized personnel. Additionally, authentication to these zones is via interface tools that restrict the extraction of sensitive data from these zones— limiting the likelihood of sensitive data leakage.
Human Resources Security
MX personnel are required to pass a robust background check prior to starting employment at MX. Job roles and responsibilities are communicated to MX personnel. For MX personnel with security-related roles and responsibilities, the MX Information Security team provides role-based security-related training and instruction to these personnel. MX personnel found not adhering MX policy are subject to investigation with appropriate consequences, including disciplinary action up to termination of employment.
All MX personnel are required to complete security awareness and data protection training to be assertively security-minded. Security and compliance processes are embedded into MX’s culture and are demonstrated by the members of the MX organization.
As part of MX’s new hire orientation, new hires are provided a thorough information security awareness training. This training is provided to MX personnel on an annual basis and is a requirement of employment at MX. As part of this awareness training, MX personnel are instructed to report any suspicious behavior to the MX Information Security team. It’s important that employees understand that security and data protection is everyone’s responsibility and that actions they take during their day to day activities could negatively impact the overall security of the business.
Third Party Security
Third Party Vendor Risk Management
MX engages with third party organizations to support our ongoing operations. MX conducts a risk assessment of each third party prior to engaging with the third party. As part of this risk assessment, the services provided are evaluated to determine the types of data that will be processed, facilitated, or otherwise provided to the third party. The level of sensitivity of data will determine the depth of security review performed on the third party prior to using third party services. As part of the security review, identified findings are discussed with and provided to the third party to remediate within an agreed-upon timeframe. Third parties are contractually obligated to secure their own networks and systems in a manner consistent with MX requirements.
In addition to this initial risk assessment performed on each third party prior to engagement of services, MX conducts a review of security of each third party on an annual basis based on an established set of risk criteria and thresholds. Identified findings are discussed with and provided to the third party to remediate within an agreed upon timeframe.
MX engages qualified third party assessment organizations to assess MX’s information security program (including processes described within this document) against industry-recognized security criteria and certifications. MX maintains compliance with the AICPA’s TSP, and provides evidence indicating ongoing compliance with the TSP by providing a Report on the Design and Operating Effectiveness of Controls at Service Organizations (SOC 2 Type II Report) issued by MX’s third party assessment organization.
MX also maintains compliance with applicable security requirements listed in the Payment Card Industry Data Security Standard (PCI DSS) to help ensure that any data that may fall under this provision is handled accordingly. MX provides evidence indicating ongoing compliance with PCI DSS as assessed by MX’s third party assessment organization.
Both the MX SOC 2 Type II Report and PCI DSS Attestation of Compliance are updated on an annual basis. These compliance reports can be provided to MX clients with an effective non-disclosure agreement (NDA) in place. MX clients request these reports via their designated MX contact.
MX invests heavily in reducing security risks at each layer of MX’s organization and each level of MX’s infrastructure. Part of MX’s security program includes a continuous improvement program, where policies, controls, mechanisms, detection and prevention systems, threats, and risks are reviewed, evaluated, and enhanced to achieve progressive hardening against external and internal threats.
Please direct any questions to your MX contact, or call (801) 669-5500.