We protect your data with enterprise-grade security

Forte’s Quality and Information Security Management System focuses on keeping our operations and products secure through the implementation of industry best practices and ongoing monitoring activities. Forte is pursuing external ISO 9001 and ISO 27001 certification to further demonstrate this commitment to information security excellence.

Our security strategy covers all aspects of our business, including:

  • Forte corporate information security policies
  • Physical and environmental security
  • Operational information security processes
  • Secure Software Development Lifecycle (SDLC) procedures
  • Customer data handling policies
  • Third-party managed infrastructure partners and cloud providers


Forte Corporate Security Policies & Procedures

Forte has comprehensive information security policies and procedures in place.

Employee Background Checks, Training, and Authorization

Every Forte employee is subject to a background check prior to hire. Upon hire, each employee is required to sign the employee handbook, which outlines Forte’s ethics expectations and includes an acknowledgement of the sanctions applied for failure to comply with privacy policies and procedures. When hired, and after each substantive update, each employee is required to complete training on the company information security program and the customer data handling process. Employees who are granted access to customer environments are also required to complete annual HIPAA certification testing. This training and certification testing is a prerequisite to being granted access to view customer production or test data.

Physical Security

Forte office security uses electronic access controls and monitoring. Access grants and access attempts are regularly audited, and action is taken when unauthorized access is attempted.

Workstation and Laptop Security

All workstations and laptops are encrypted, and antivirus scans are run regularly. Antivirus definitions are kept updated automatically. Workstations report into a central management console where information security team members review alerts and warnings, and action is taken when warranted. Policies are in place to enforce screen lock after 20 minutes of inactivity.

Malware Detection

Malware detection software is centrally managed, and scans are run on all workstations, laptops and servers. The malware detection signature database is updated automatically, no less than daily. All email and attachments are scanned for malware; emails that contain or appear to contain malware, or that are classified as spam, are isolated and the recipient is notified. The firewall scans network traffic for malware in both directions, including file downloads, web pages, etc.

Monitoring

Multiple monitoring systems are in place, including monitoring of the logs generated on systems housing customer data for malicious activity and active blocking of suspect IP addresses. Notifications are automatically sent to information security employees, who review, investigate and respond to events and threats. An aggregation of essential logs is collected and maintained to aid in the investigation of security-related events.


Forte Software Development Lifecycle Security Procedures

Forte designs security controls into all products delivered to customers.

People and Process

Forte has taken steps to ensure application security awareness across the SDLC team. Most notably:

  • Forte has developed engineering standards and best practices centered on OWASP principles.
  • Coding standards and code review guidelines are well documented.
  • Engineers are required to have working knowledge of the OWASP Top 10, which correlates directly to security vulnerabilities in web-based applications.
  • Mandatory peer code reviews are completed on all implemented changes to confirm adherence to coding standards.

These processes, guidelines and best practices are in use for all Forte products and are routinely audited to ensure compliance and continual improvement over time.

Technology

Static Analysis

Forte uses tools in the software build process that analyze the code base for potential security vulnerabilities. The analysis runs on a regular interval before applications are built, packaged and provisioned to internal Quality Assurance test instances. The build fails if engineering changes to the code base introduce new vulnerabilities, allowing the development team to resolve them proactively.

Dynamic Analysis

Forte has invested in a commercial-grade analysis tool, an integrated platform for performing security testing of web applications. The scanning tool is configured and tuned to inspect a deployed, running instance of a Forte application and discover security vulnerabilities. As with static analysis, if engineering changes introduce new vulnerabilities of sufficient severity, these are addressed immediately within the same product release.

Ownership of the dynamic scanning of Forte applications belongs to the Quality Assurance group. Dynamic scanning is a required process within the Forte release readiness activities for all products.

Third Party Analysis

Forte is investing in security analysis and penetration testing performed on multiple Forte applications by a third party that specializes in such work. Any vulnerability findings identified through third-party analysis are investigated, and if the vulnerabilities are found to be of sufficient severity, they are addressed in future releases.

Application Infrastructure

All Forte products use Red Hat EAP, a commercially supported runtime environment for Java-based applications. The benefits of using EAP are many, including:

  • Access to the latest security updates
  • Lower risk of future vulnerabilities
  • SLA-based support from Red Hat
  • Assurance of patches, updates and multi-year maintenance policies

Additionally, Forte has contracted with Oracle to provide customers with Oracle-supported versions of Java, providing benefits similar to those listed above for EAP.

Application Security

Rigorous security controls required to meet HIPAA requirements have been implemented within the Forte applications. The specific controls vary based on product requirements, but the following are key control areas:

  • Protection from Cross-Site Request Forgery (CSRF)
  • Use of OWASP (Open Web Application Security Project) recommended libraries that provide enhanced security
  • Avoidance and removal of vulnerabilities identified by static and dynamic analysis relating to Cross-Site Scripting (XSS) and arbitrary HTML injection
  • Functionality intended to control or limit the use of HTML within application fields
  • Adherence to the latest standards and recommendations for web application security, including a validation framework that provides consistent user input validation


Customer Data Management and Managed Infrastructure

Forte has customer data handling policies and procedures in place to ensure compliance with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR 164.400, and all regulations implementing HITECH and HIPAA.

Third-Party Provider Management

Forte monitors processes and third-party providers to safeguard customer data and confirm a high level of service quality. External certifications of hosting partners are in place to confirm that data is protected, including ISO 27001, HITRUST and PCI, as well as SOC 1, 2, and 3.

Data Encryption

When data is moved from customer networks to the Forte managed infrastructure, encryption is used both in transit and at rest.

Business Continuity and Disaster Recovery Planning

Forte has customer data BCP and DR policies and procedures in place for our hosted installations to ensure that, in the event of an emergency, this data is protected and recoverable. Forte has established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for all hosted products.

Forte maintains a primary and a secondary site for the hosted services, geographically isolated from each other. The disaster recovery mechanisms are routinely tested to ensure readiness. Forte performs daily encrypted backups of hosted customer data and stores these backups in a commercially accepted manner.