The Loxo, LLC network is broadly defined to include all workstations, servers, and data communications infrastructure. It includes the Wide Area Network and Local Area Networks, the Virtual Private Network, all Wireless Networks and all equipment connected to those networks that are managed by Loxo, LLC Information Technology Services (ITS) personnel. All Loxo, LLC employees are required to review and follow this Security Policy and Data Privacy Statement, to ensure consistent enforcement of security best practices.
This policy applies to all computer and network systems owned by and/or administered by Loxo, LLC. Similarly, this policy applies to all platforms (operating systems), all computer sizes (mobile computers to servers), and all application systems (whether developed in-house or purchased from third parties).
ITS is responsible for the design, operation, and management of the computing and network communications services provided at the corporate level. Responsibilities include the selection, purchase, setup and maintenance of all network equipment, the choice of protocols supported by the network, and the definition of corporate standards necessary for efficient operation of the network or for the security of transmitted, stored and processed data and networked computers or other equipment.
ITS has sole authority to purchase network equipment and to build and maintain the corporation’s network infrastructure. All systems and equipment connected to the network must be approved by ITS, including but not limited to workstations, servers, firewalls, switches, routers, and mobile devices.
ITS shall dictate the protocols and services present on the corporation’s network. At the present time the corporate backbone universally supports the IP protocol. Loxo, LLC primarily uses Dynamic Host Configuration Protocol (DHCP) to dynamically assign IP addresses to workstations as needed. IP addresses shall not be assigned from within the corporate IP address space for individuals or organizations that are not affiliated with Loxo, LLC. In requesting an IP address, each requesting person, organization, or service agrees to abide by all applicable corporate policies and agrees not to give access to the corporate networks to others who are not affiliated with Loxo, LLC.
In addition to abiding by the various rules and conditions stated elsewhere in this Network policy, employees of Loxo, LLC may access and use the Virtual Private Network (VPN) under the following stipulations. ITS shall limit access to the VPN to individuals who have a justifiable need to access corporate-owned systems from a remote or wireless location. VPN users who require privileged access to administrative systems must receive written approval from their manager before access to the VPN service will be granted. VPN users must use the VPN client in accordance with all Loxo, LLC policies. In addition, they must use the standardized VPN client offered by ITS and may not reconfigure the VPN client. They must not allow others who have not received written permission from their department head or other Loxo, LLC-authorized official to use the VPN client. Finally, anyone using the VPN client must maintain all of the workstation security measures as defined in the section below, under User Responsibilities.
Upon termination of employment with Loxo, LLC, all VPN users must uninstall the VPN client and return all corporate equipment, if applicable. Accessing any system via VPN after termination is a violation of federal law if the user no longer has permission to access Loxo, LLC-owned systems.
ITS is responsible for monitoring Loxo, LLC’s network and will act accordingly to protect client data, other electronic assets or quality of service. Because of the interconnections provided by the network, a security violation on one machine can threaten security of other systems on the network. Policies in this section describe the steps that will be taken in response to security threats. They also describe circumstances when data normally considered private could be collected and examined by an individual managing a LAN, server, or system.
Designated personnel within Loxo, LLC may for the purposes of security assessment conduct scans against Loxo, LLC-owned network segments, hosts, and systems connected to the Loxo, LLC network. The security threat increases in relation to remote access (through the VPN) and wireless access. Thus, all wireless and VPN connections and transmissions are logged and subject to scanning by ITS-approved officials.
All client and customer data is protected by firewalls and Access Control Lists. Firewall rules and router ACLs are continuously monitored and administered by trained ITS staff.
Loxo, LLC employees are allowed access to selected file servers utilized for workstation back-up and to select corporate documents of interest to employees. Access is protected by username and password, and the access control level depends on the employee's role within the organization. Loxo, LLC employees may have access while directly connected to the corporate network or while connected to a corporate VPN.
The administrator of a server on a Loxo, LLC network-connected computer is responsible for the security of that system. The system administrator must monitor and log accesses and keep other system logs that could be useful in establishing the identities and actions of people, programs and processes who use the system to breach network or system security. All servers that provide access to the Loxo, LLC network or Internet services must require user authentication in order to restrict access.
Default network data transmissions are not secure. Sensitive data should always either be encrypted separately before transmission or be sent over a secure network transmission protocol that provides encryption automatically.
Loxo, LLC ITS is responsible for ensuring that IT computing equipment, including workstations and servers, connected to the corporate network is secure. At a minimum, proper security measures include running an operating system that has been recently updated and patched. Some brand of personal firewall is also recommended.
Any security violation that represents a significant misuse of Loxo, LLC resources will be brought to the attention of the appropriate authorities.
In the event that Information Technology Services judges that a network, a device or an individual user presents an immediate security risk to the corporate network equipment, software, or data, ITS may terminate or restrict network connection immediately and without notice.
Attempts to attack or otherwise damage the corporate network or systems are continuously monitored and detected by corporate network and system administrators. Severe or ongoing attacks (such as an onslaught of unsolicited mail) may require that the source of the attack be blocked from the corporate network. ITS may block a specific network address, port or application in order to protect Loxo, LLC against attack, or as it otherwise deems necessary.
Customer data is stored in a database for Loxo, LLC for purposes of providing Loxo, LLC services through various application interfaces provided to our clients on the AWS Cloud Infrastructure. Access to all data through the Loxo, LLC portal is based on a combination of user and role, and each Loxo, LLC portal user has distinct username and password credentials. Each portal user is also assigned an access control role, which specifically defines that user’s level of permissions for privacy and security.
Loxo, LLC uses industry-standard Secure Sockets Layer (SSL) encryption to enhance the security of sensitive data transmissions. ITS also utilizes SSL encryption for access to the Loxo, LLC portal for all management and administration.
All customer data is stored in a secure database. All password data is protected and encrypted using industry-standard methods. Loxo, LLC customer-specific data, such as Jobs, Users and Candidates, are controlled and only available to customers based on their defined relationship to the data and their strict role within the portal.
All portal access is logged and monitored. Attempts to access data without permissions are logged and immediately reported to Loxo, LLC ITS according to the above policies.
AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS undergoes annual SOC 1 audits and has been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
Each certification means that an auditor has verified that specific security controls are in place and operating as intended. You can view the applicable compliance reports by contacting your Loxo, LLC account representative. For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage.
Loxo, LLC will deliver network performance meeting or exceeding the specifications listed below. This does not cover (without limitation) network performance to customer’s physical location or internet access point.
"Jitter" means variation in Latency. "Latency" refers to the amount of time it takes for a packet of data to travel from one point to another. "Maximum Jitter" means the highest permissible level of jitter within a given period when there is no Network Outage. "Network Outage" means an unscheduled period during which IP services are not usable due to capacity constraints on the Loxo, LLC network or a hardware failure in the Loxo, LLC network. "Packet Loss" means Latency in excess of 10 seconds. All Jitter, Latency, and Packet Loss metrics below are monthly averages, unless otherwise noted.
At least two of the specified networks in each continent will meet the performance specifications listed below at any given time, as measured by Loxo, LLC. Loxo, LLC may change the specific measured hardware devices without notice.
With the AWS cloud, not only are infrastructure headaches removed, but so are many of the security issues that come with them. AWS’s world-class, highly secure data centers utilize state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. And multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures.
The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation.