The Security Standards Exela Meets

by Lauren Cahn

As leaders in digital transformation initiatives around the world, Exela is entrusted with maintaining the integrity, privacy, and security of information belonging to our customers and their customers and end users. “The information entrusted to us is the lifeblood of our customers’ businesses,” notes Mario Carneiro, Exela’s Data and Technical Security Manager. So to say there’s a lot at stake would be an understatement.

In fact, maintaining the privacy and security of the information entrusted to us by our customers is a primary business objective of ours. Our robust approach includes:

  • Compliance with the GDPR and related Privacy Shield Framework
  • Compliance with the GLBA
  • Compliance with SSAE (Statement on Standards for Attestation Engagements), including SSAE 16 (applicable specifically to service organizations) and SSAE 18 (applicable to all attestation engagements, and requiring, among other things, annual SOC1 audit of data and system security controls and protocols)
  • Compliance with the Sarbanes-Oxley Act (SOX, which protects shareholders and the general public from accounting errors and fraudulent enterprise practices)
  • Compliance with the National Archives and Records Administration’s standards for guidance on maintenance and storage of electronic records
  • Biennial internal auditing and monthly self-assessment auditing of all Exela facilities to ensure compliance
  • Implementing physical, electronic, and managerial procedures to safeguard and secure all information we process, including preventing unauthorized access and/or disclosure and maintaining data accuracy

Fully compliant operations

In every country, in each locality, and in every industry in which Exela delivers services, Exela is charged with being and remaining compliant with the applicable laws, rules, and regulations regarding data security and privacy. That means, among other things:

  • System Certification and Accreditation under NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology, as discussed in What Rules Apply to Data Security), which requires compliance with the applicable guidelines and standards contained in:
    • FISMA
    • PCI DSS
    • HIPAA
    • ISO/IEC 27000-series
    • FIPS (Federal Information Processing Standards, with regard to nonmilitary government agencies and government contractors)
    • DIACAP (Department of Defense Assurance Certification and Accreditation Process with regard to information systems risk management)

System security

To protect the integrity of our systems and ensure secure, uninterrupted service for all our customers, we maintain a complex and rigorous set of security and control features, including:

  • Access controls:
    • Our facilities uphold the highest standards for security and access control, including continuous monitoring by personnel and by CCTV, identification display protocols, and periodic system integrity checks. Physical access (to both buildings and computer equipment) is restricted to individuals requiring access to perform their job responsibilities.
    • Contractors and subcontractors are required to implement and maintain safeguards consistent with ours.
    • User access privileges are reviewed regularly.
    • Unauthorized attempts to access information, as well as authorized access to sensitive data, are logged and reported; the logs and reports are regularly reviewed, and appropriate action is taken.
  • Change controls – Before any modification is made to the system or any element thereof, all affected parties are notified, and the timing is chosen to ensure minimal adverse impact.
  • Application controls – All databases are configured so that modifications can be made to data only through programs, and individuals are restricted from directly accessing underlying production databases. Segregation of duties is enforced, and source code control is in place. A Software Development Life Cycle includes industry-standard secure coding training, practices, and requirements.
  • Antivirus controls – The gold standard of antivirus software is deployed in all contexts and is properly maintained, including real-time upgrades.
  • Disaster recovery controls – Exela’s formal disaster recovery policies, including contingency plans and securing alternative processing methods, have been established, tested, and refined over decades to ensure operating requirements are met, quality is maintained, and expectations are exceeded wherever possible. They continue to be reviewed and improved as needed at least annually.
  • Data backup & recovery controls – Our backup and recovery controls ensure all systems are backed up and all critical systems media is available for use in an emergency.
  • Risk management – Exela develops, disseminates, and periodically reviews its security policies, including risk management, security awareness, security training, and incident response.

Data security

Exela maintains the integrity, privacy, and confidentiality of the data entrusted to it through its compliance program, its system security stance, as well as a complex set of best practices that include:

  • Secure configuration, access controls & passwords – Exela’s formal policies, which are reviewed on a regular basis, ensure access to data is controlled in a secure manner that allows business operations, and such controls are regularly monitored to ensure compliance and appropriate incident response.
  • Boundary firewall – To protect data integrity and security of our enterprise network, we have implemented multiple controls and practices to maintain the highest level of security including protecting all boundaries/the external perimeter with firewalls. All external connections must terminate in a DMZ network.
  • System security – In addition to the system security controls discussed above, Exela has also engaged a Managed Security Services Provider (MSSP) to help provide threat intelligence at our boundary.

System monitoring

Exela has deployed the Tenable Security Center solution, which includes the Passive Vulnerability Scanner (PVS), to provide continuous network monitoring in real time. Security alerts are continuously monitored and logged, and logs are maintained securely.

Thus concludes our thought-leadership series on Leveraging Cybersecurity to Master Your Domain. If you missed the earlier posts, you can catch up here. You can download the entire series as a flipping-book here, and you can also find all of these posts on our blog, which we update at least twice weekly.

In the future, be sure to subscribe to Exela’s quarterly thought leadership publication, PluggedIN, for up-to-the-minute news and views on topics that matter to you.