• Authentication
  All transactions are authenticated against a user’s identity and current assigned permissions
• Network security
  Defense-in-depth strategy with 24 x 7 monitoring
• Redundancy
  No single point of failure

Once we have authenticated the user’s identity, we determine whether the user has been granted permission to perform the requested action.

Permissions
Our permissions system is a based on a “gatekeeper” COM object in C++. This COM object can enforce permissions on any object in the system, such as a document folder. The permissions system (which is extensible) currently enforces the following permissions: create, read, write, and delete.

The benefits of using the C++ COM object are its speed of execution, and its inherent security. Because the COM object is object code running on a server, the user may not inspect the underlying algorithm.

Network Security

Network Security
BBI Business adopts a defense-in-depth approach to network security. There are multiple layers of hardware devices between the internet and any customer data.

In addition to other capabilities, the first layers perform load balancing and protocol security. These effectively prevent all but HTTP requests from reaching our web servers.

Our applications reside on an extensible fleet of web servers, which are peer-level redundant. Only these servers may be accessed via a Web URL; the web servers communicate with the back-end database servers to store and retrieve member information and user data.

Member records and some user data are stored in the member information database (a SQL database). File attachments are stored in a separate filesharing system. User file attachments are not commingled: each site’s files reside in a separate directory on the back-end file server. All file attachments are scanned with anti-virus software before being stored on the file servers.

BBI Business uses an encrypted virtual private network (VPN) for backend Web site management. This system employs a secure ID tokenbased authentication system, Microsoft NT and Solaris host-based security, and router-based Access Control List (ACL) security and firewall management to effect a comprehensive security infrastructure. Additionally, BBI Business offers an option for SSL (Secure Socket Layer) encryption of its sites. SSL technology runs communications through a process which scrambles the information so that it cannot be read by unauthorized parties during transmission. When information is received by the intended recipient, SSL software on the recipient’s machine decrypts it, authenticates that it came from the correct server, and verifies that it has not been tampered with. SSL makes use of a Digital Certificate issued from a world-wide trusted authority to authenticate one or both parties of an Internet transaction. These certificates bind the details about an individual or organization to a public key which allows another party to encrypt information for the certificate’s owner, and provides proof that the holder of the certificate is who they claim to be. The use of SSL between a user and the BBI Business servers, ensures that all information exchange (for example: documents, postings of announcements and member and contact information, etc.) have not been intercepted by unauthorized third parties.

BBI Business stays abreast of the latest security developments in the industry and conducts periodic security audits of its systems.

Site Security

Secure Hosting Facility
Physical access to our facility is highly restricted. The center is manned 24 x 7. Access to the site is granted only to authorized personnel, who must present photo ID’s, as well as a current password. Access to the BBI Business resources is restricted to a handful of personnel.

Backup and Restore

Data Backup
BBI Business is committed to maintaining the security and integrity of our customers’ data. To do so, we employ industry standard backup and restore procedures. These procedures ensure the ready availability of data in the event of a hardware failure, and also permit us to restore information inadvertently deleted by users (upon request of the customer).

In order to ensure the greatest possible data integrity, we store user file attachments, member record information, and program code in separate databases. Each night, all data are backed up to tape. The tapes are archived on-site, with duplicate copies stored at a secure, off-site facility. We follow industry-standard backup procedures in that once a week, a full backup of all data is performed; incremental backups are performed daily. In addition to our daily backups to tape, we retain 14 days worth of member database information on hard disks so we may quickly restore member information (all data except file attachments) without resorting to off-site storage.

Data Recovery
Once each quarter, we test our data backup and recovery procedures by restoring a sample amount of data from tape archives. We have never had to restore data lost as a result of hardware failure or file corruption, but there have been several instances in which we’ve restored data on the request of a customer who inadvertently deleted information.

Disaster Recovery

Our hosting facility has been designed to withstand many foreseeable catastrophic failures, such as power outages, contractor mishaps, fire, flood, and theft. For example, power is supplied by two separate feeds originating on different sides of the building, and the site has full UPS and diesel generator capabilities.

High-Availability
We provide an industry-leading service level that results in less than five total minutes of downtime per month. The site is fully redundant with respect to hardware, power, and internet connectivity.

Compatible redundant hardware
In the event of a total disaster at our main hosting facility, the survivors among us would retrieve the off-site data and restore it at an appropriate alternate location.