We protect your data with enterprise-grade security
Forte’s Quality and Information Security Management System focuses on ensuring our operations and products remain secure through the implementation of industry best practices and ongoing monitoring activities.
Our security strategy covers all aspects of our business, including:
- Forte corporate information security policies
- Physical and environmental security
- Operational information security processes
- Secure Software Development Lifecycle (SDLC) procedures
- Customer data handling policies
- Third-party managed infrastructure partners and cloud providers
Forte has received external certification in both ISO 27001:2013 and ISO 9001:2015, reinforcing our dedication to providing world-class information security, compliance and quality for our customers.
The ISO 27001 certification demonstrates our commitment to security management best practices and controls, minimizing information risk for our customers. We approach data security holistically to ensure the most secure products and infrastructure available.
ISO 9001 provides a framework for operating and maintaining a quality management system (QMS). Our certification reflects our work in developing comprehensive, sustainable processes for building and supporting high-quality products and services. In addition, our processes focus on providing customers with a solid foundation for achieving compliance within their institution, including 21 CFR Part 11 and HIPAA.
Forte Corporate Security Policies & Procedures
Forte has comprehensive information security policies and procedures in place.
Employee Background Checks, Training, and Authorization
Every Forte employee is subject to a background check prior to hire. Upon hire, each employee is required to sign the employee handbook, which outlines Forte's ethics expectations, and to acknowledge the sanctions applied for failure to comply with privacy policies and procedures. When hired, and with each substantive update, each employee is required to complete training on the company information security program and customer data handling process. Employees who are granted access to customer environments are also required to complete annual HIPAA certification testing. This training and certification testing is a prerequisite for being granted access to view customer production or test data.
Forte office security utilizes electronic access controls and monitoring. Access controls and access attempts are regularly audited, and action is taken when unauthorized access is attempted.
Workstation and Laptop Security
All workstations and laptops are encrypted, and antivirus scans are run regularly. Antivirus definitions are kept updated automatically. Workstations report into a central management console, where information security team members review alerts and warnings and take action when warranted. Policies are in place to enforce screen lock after 20 minutes of inactivity.
Malware detection software is centrally managed, and scans are run on all workstations, laptops and servers. The malware detection signature database is updated automatically, no less than daily. All email and attachments are scanned for malware; emails that contain or appear to contain malware, or that are classified as spam, are isolated and the recipient is notified. The firewall scans network traffic for malware bi-directionally, including file downloads and web pages.
Multiple monitoring systems are in place, including monitoring of the logs generated on systems housing customer data for malicious activity and active blocking of suspect IP addresses. Notifications are automatically sent to information security employees, who review, investigate and respond to events and threats. Essential logs are aggregated and retained to aid in the investigation of security-related events.
Forte Software Development Lifecycle Security Procedures
Forte designs security controls into all products delivered to customers.
People and Process
Forte has taken steps to ensure application security awareness across the SDLC team. Most notably:
- Forte has developed engineering standards and best practices centered on OWASP principles.
- Coding standards and code review guidelines are well documented.
- Engineers are required to have working knowledge of the OWASP Top 10, which correlates directly to security and vulnerabilities within web-based applications.
- Mandatory peer code reviews are completed on all changes implemented to confirm adherence to coding standards.
These processes, guidelines and best practices are in use for all Forte products and are routinely audited to ensure compliance and continual improvement over time.
Forte utilizes tools in the software build process that analyze the code base for potential security vulnerabilities. This analysis is executed at a regular interval before applications are built, packaged and provisioned to internal Quality Assurance test instances. The build fails if engineering changes introduce new vulnerabilities into the code base, allowing the development team to proactively resolve them.
Forte has invested in a commercial-grade analysis tool, an integrated platform for performing security testing of web applications. The scanning tool is configured and tuned to inspect a deployed, running instance of a Forte application and discover security vulnerabilities. As with static analysis, if engineering changes introduce new vulnerabilities of sufficient severity, these are addressed immediately within the same product release.
Ownership of the dynamic scanning of Forte applications belongs to the Quality Assurance group. Dynamic scanning is a required process within the Forte release readiness activities for all products.
Third Party Analysis
Forte is investing in security analysis and penetration testing performed on multiple Forte applications by a third party that specializes in such work. Any vulnerability findings identified through third-party analysis are investigated, and vulnerabilities found to be of sufficient severity are addressed in future releases.
All Forte products use Red Hat EAP, a commercially supported runtime environment for Java-based applications. The benefits of using EAP include:
- Access to the latest security updates
- Lower risk of future vulnerabilities
- SLA-based support from Red Hat
- Assurance of patches, updates and multi-year maintenance policies
Additionally, Forte has contracted with Oracle to provide customers with Oracle supported versions of Java, providing benefits similar to those listed above for EAP.
Rigorous security controls required to meet HIPAA requirements have been implemented within Forte applications. The specific controls vary based on product requirements, but the following are key control areas:
- Protection from Cross-Site Request Forgery (CSRF)
- Use of OWASP (Open Web Application Security Project) recommended libraries that provide enhanced security
- Avoidance and removal of vulnerabilities identified by static and dynamic analysis relating to Cross-Site Scripting (XSS) and arbitrary HTML injection
- Functionality intended to control and limit the use of HTML within application fields
- Adherence to the latest standards and recommendations for web application security, including the incorporation of a validation framework that provides consistent user input validation
Customer Data Management and Managed Infrastructure
Forte has customer data handling policies and procedures in place to ensure compliance with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR 164.400, and all regulations implementing HITECH and HIPAA.
Third-Party Provider Management
Forte monitors processes and third-party providers to safeguard customer data and confirm a high level of service quality. Hosting partners hold external certifications confirming that data is protected, including ISO 27001, HITRUST and PCI, as well as SOC 1, 2 and 3.
When data is moved from customer networks to the Forte managed infrastructure, encryption technologies are utilized in transit and at rest.
Business Continuity and Disaster Recovery Planning
Forte has customer data business continuity (BCP) and disaster recovery (DR) policies and procedures in place for our hosted installations to ensure that, in the event of an emergency, this data is protected and recoverable. Forte has established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for all hosted products.
Forte maintains a primary and a secondary site for the hosted services, geographically isolated from each other. The disaster recovery mechanisms are routinely tested to ensure readiness. Forte performs daily encrypted backups of hosted customer data and stores these backups in a commercially accepted manner.