Board portal security is a discipline that requires constant vigilance, a strong commitment to process, and deep technical expertise. Our viewpoint is that the range of threats to confidential online communication is broad and that a good portal should protect against all of them. We also believe that the environment is rapidly evolving, which necessitates a commensurately evolving architecture. This evolution needs to happen at the structural level. 'Bolt-on' security is counterproductive and should be avoided. Security architecture doesn't work unless it's built from the ground up. BoardVantage categorizes threats according to their predominant character—platform, mobility and service.
The four major platform threats are: external hacks, internal breaches, discoverability and human error.
External threats include industrial espionage, social engineering, and intrusion by non-state actors in various forms. We deploy proven techniques that include full strength encryption, multi-factor authentication, certificates, perimeter defense and secure site hosting to address them.
The second class of threats emanates from the inside. Internal breaches may come from disgruntled employees or others. While it's true that much of the information that is communicated internally is not confidential, the unique sensitivity of board content dramatically raises the requirement for protection, whether protecting against threats from the outside or from the inside.
For a typical director, discoverability is the number one concern relative to electronic board communications. BoardVantage deploys two strategies to address this threat: non-proliferation of content so that only a single copy of any document exists, and central administrative control. These two responses permit the GC to enforce the organization's retention policy independently of the actions of the users.
The fourth threat is inadvertent—human error. As we all know, email and other common forms of digital communication are prone to oversharing. But that approach backfires in board communication. Whether through segregation of content, granularity of permissions or hard restrictions on content distribution, the system is hardened so that common mistakes are no longer a concern.
While platform security sufficed in a 'pre-iPad' world, the model has to be expanded to account for the risks introduced by the iPad's mobility. Fundamentally, tablet use requires the extension of the board portal's security umbrella to the device itself.
BoardVantage tackles this challenge with the briefcase, built so that any board content downloaded by directors from the portal remains under the central control of the administrator. Administrators can remotely delete any annotations. Also, the briefcase is encrypted and password-protected to safeguard its content in the event that the device is lost or stolen—content can then be centrally purged by the administrator. Briefcase technology effectively bridges the gap between online and offline by extending our board portal security to the iPad.
Given what's at stake with board content, BoardVantage takes the position that it is not acceptable for any of our staff, whether in datacenter operations, engineering, or any other capacity, to view customer data. That's why we built an architecture that encrypts all customer data on the server. This is costly because it creates CPU overhead and it impedes the debugging process. However, it closes a serious hole in the security architecture of the hosted service model.
With these principles in mind, BoardVantage has implemented the necessary measures to ensure the confidentiality and security of client information. The platform is protected by full strength encryption and multi-factor authentication, and is hosted in a highly secure site. We maintain a strong perimeter defense using multiple layers of security and constant monitoring. BoardVantage processes are independently audited, and the company has achieved SOC2 (SAS70 Type II) and SysTrust certifications. Our security has been hardened by a decade of third-party testing and validation, and we devote significant resources to continuously improving our security with the latest technologies. Between our secured state-of-the-art hosting facilities and our security management program, our architecture, expertise and execution ensure that our customers receive the highest commercially available data protection.