Security is the highest priority for HIC. We consider the confidentiality, integrity, and availability of our partners' and citizens' information critical to the services we provide. Because the nature of cybercrime continues to evolve, our security program and forward-leaning posture have expanded to address the changing threats. Our proactive security approach includes working with our state partners to identify and implement internal policies, hardware and software solutions, and industry-leading audit features that mitigate the security risks state government portals encounter. As a subsidiary of a publicly traded company that processes credit card transactions, HIC is held to the high security standards required by both the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). HIC also participates in the NIC Security & Compliance Assessment program, an intense, invasive, and arduous process that includes multiple components to measure our compliance with NIC's essential security practices.
HIC security policy overview
HIC's security policies are reviewed annually and updated as necessary so that they keep up with changes in technology and any new threat areas. All employees and contractors are made aware of HIC's security policy and are required to adhere to its "acceptable use of technology" requirements. The following list shows key areas that our policy covers. It is not all-inclusive, as we reserve the right to take additional measures to ensure the confidentiality, integrity, and availability of our systems, applications, networks, and the data stored and processed by them.
Build and maintain a secure network
- Install and maintain a network configuration to protect sensitive data.
Protect sensitive data
- Protect stored sensitive data.
- Encrypt transmission of sensitive data across open, public networks.
Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
Implement strong access control measures
- Restrict access to sensitive data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to the processing environment.
Regularly monitor and test networks
- Track and monitor all access to network resources and sensitive data.
- Regularly test security systems and processes.
Scheduled security measures
Quarterly external PCI scans are performed by Tenable Network Security, an approved scanning vendor certified by the PCI Security Standards Council, to maintain PCI compliance status.
Quarterly external scans, biannual internal scans, and an annual review (with updates as needed) of security policies and procedures are carried out to maintain compliance with the NIC Security & Compliance Assessment program.
HIC’s systems and networks are monitored with multiple security solutions. These solutions alert support personnel when adverse or suspicious events occur so that corrective actions may be taken.
Secure, authenticated transactions
Our online applications use secured two-way transactions and support external transactions over TLS 1.1 or higher. TLS relies on public- and private-key cryptography and authenticates the network server with a digital certificate.
- In transit: Online applications developed by HIC encrypt all sensitive information with cipher suites available in TLS 1.1 or higher while it is transmitted between the online applications and users. TLS is a widely accepted encryption protocol that encrypts the exchange between the user's web browser and a website, mitigating the risk of unauthorized viewing of, or tampering with, sensitive information.
- In storage: HIC's robust security solution provides the highest level of protection for confidential data in storage. All sensitive data is encrypted in storage, and HIC follows the PCI DSS for storage of all eCommerce transactions. HIC uses state-of-the-art firewall technology to mitigate the risk of unauthorized access by outside users. Our applications use robust authentication systems and protect that authentication to minimize the opportunity for intruders to obtain login information. Our security policies and protocols, combined with our intrusion detection methods, ensure that state information is protected.
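As an added illustration (not HIC's or NIC's code), the following Python builds a client-side TLS context that meets the transport policy described above, audits a permissive context against it, and checks a negotiated protocol version such as one reported by a periodic scan. It assumes only the standard-library `ssl` module and uses TLS 1.2 as the floor, since RFC 8996 deprecated TLS 1.0 and 1.1 after the "TLS 1.1 or higher" wording above.

```python
import ssl

# Added illustration, not HIC's code. Floor is TLS 1.2: RFC 8996 (2021)
# deprecated TLS 1.0 and 1.1, so the page's "1.1 or higher" is tightened.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2

# Version strings as returned by SSLSocket.version(), mapped to the ssl enum.
_VERSION_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname
    against the system CA store and refuses anything below TLS_FLOOR."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = TLS_FLOOR
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The 'before' case: certificate and hostname checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy findings for a client context (empty list means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < TLS_FLOOR:
        findings.append("minimum version %s below %s"
                        % (ctx.minimum_version.name, TLS_FLOOR.name))
    return findings

def negotiated_version_ok(version_name: str) -> bool:
    """Check a negotiated version (from a scan report or SSLSocket.version())
    against the floor; unknown names such as 'SSLv3' fail closed."""
    version = _VERSION_NAMES.get(version_name)
    return version is not None and version >= TLS_FLOOR
```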
Integrity of data
Data integrity in a transaction environment is validation that the data received is the same as the data that was generated. This is a fundamental element of digital certificate technology and of the processing of digital signatures.
One of the most important requirements for implementing electronic government is the need to enhance and promote trust in the transactions performed through the state's portal. However, the many different transactions involved in an electronic government solution require a wide variety of security levels. When evaluating a particular transaction, it is important to recognize this and review the various alternatives available.
HIC performs internal security audits to test the implemented security model against the latest known vulnerabilities and threats. The internal security audits include:
- NIC Security & Compliance Assessment program assessment and certification.
- Internal and external audits for compliance with SOX security related policies.
- Internal and external audits for compliance with the PCI DSS.
- Web application vulnerability scanning.
The Fishtech Group, an independent third-party cybersecurity company, is contracted by NIC to assess and validate whether HIC is compliant with the NIC Security & Compliance Assessment program.
Payment Card Industry Data Security Standard (PCI DSS) compliant
In 2005, NIC completed a year-long initiative to meet and exceed the security requirements set out by the PCI DSS. To satisfy both Sarbanes-Oxley (SOX) and the PCI DSS, NIC retained an independent security firm certified by the Payment Card Industry (PCI) to conduct routine network scans of all portal operations and monitor our compliance with both SOX and the PCI DSS. To date, HIC remains compliant with both SOX and the PCI DSS. To further bolster our SOX and PCI DSS compliance, we regularly conduct internal audits of all HIC staff and services against SOX and PCI DSS requirements, and each year we identify any vulnerabilities or weaknesses requiring remediation.
HIC meets level 3 merchant PCI DSS compliance. HIC's security policy documents the procedures for the current portal contract and goes well beyond the requirements for PCI DSS and SOX compliance, showcasing HIC's commitment to the security of the Hawaii portal and its data.