Maintaining a Safe, Secure Marketplace
ICE ensures both the physical and digital security of its markets and data through leading-edge security technology and processes.
ICE maintains detailed information security policies. All employees are required to read and provide written acknowledgement of relevant policies. Topics covered range from ICE's corporate security and information classification policies to application development standards and password handling. A dedicated Information Security group is responsible for information security operations including; daily reviews, access control requests, incident handling, engineering, consultation, design and implementation of security mechanisms. The policies and procedures are for official use only and are reviewed as part of the testing procedures detailed below within the section “Testing and Audit.”
ICE uses a multi-tiered network architecture with multiple firewall tiers and service silos to isolate different security zones. Intrusion Detection Systems at production and office facilities monitor network traffic against industry-standard and ICE-customized network activity signatures.
External screening routers employ access control lists to terminate virus, worm, and common hacking attempts before they reach external ICE firewalls. Firewalls further parse traffic to ensure only specifically permitted sources can reach specific destinations and services. VPN or private line connections terminate outside external firewalls, but independently from Internet connection points.
Encryption and Data Integrity
Strong encryption is used to authenticate and encrypt customer communication to ICE systems. Encryption prevents potential malicious third parties from intercepting sensitive data and credentials in transmission. The controls inherent to SSL and TCP provide additional integrity to ensure content is not tampered with by a third-party during transmission. Participant credentials are never stored unencrypted – they are hashed or encrypted as appropriate to the application.
The ICE Information Security group handles all access control requests for administrative access. These requests and authorization are documented and reviewed.
User ID and password authentication are required by all ICE accounts. Additionally, an optional IP address restriction facility allows customer administrators to define limited networks from which their participants can log into the system to enforce two-factor authentication. Nine-character initial passwords are randomly generated and assigned by the ICE Helpdesk via phone. Users are prompted to change their password on initial login and must choose a strong password, 8 to 14 characters in length, and including at least 3 of the following attributes: lowercase, uppercase, numbers, and special characters.
All systems follow build standards to ensure standardization and security. The Information Security group monitors, assigns, and tracks patch status to respond to vendor operating system or application alerts.
Application-layer access controls impose strict restrictions on the data available to individual users. Data storage is physically and logically segmented from application servers, and queries can only be formed and executed after access control databases have been queried and credentials are fully verified. These processes ensure that users retrieve data only related to their account. The ICE Information Security group includes a dedicated application security team that integrates into the SDLC process via security architecture review, vulnerability scans, static code analysis scans, dynamic analysis scans and manual pen testing.
ICE Operations maintains detailed incident-response plans to handle any incident with operational impact -- security or otherwise. It is ICE policy to notify customers if there is a security incident that could compromise customer data.
BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY
A “like for like” Disaster Recovery datacenter is maintained in the Atlanta area and governed by an enterprise wide policy. Per policy, all ICE core procedures, systems and operational tasks are: duplicable in recovery facilities, exercised at least annually, documented in comprehensive Disaster Recovery (DR), Business Continuity (BCP) and Incident Response Plans and ensure infrastructure is recoverable.
TESTING AND AUDIT
ICE conducts regular internal penetration testing and auditing to determine compliance with written policies and to assess vulnerability. In addition, third-party external penetration tests are performed at least annually. The results of these tests are used internally to verify internal audit processes and controls.
A rigorous Service Organization Control (SOC) audit is performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of this report is evaluated each year and tailored in response to customer feedback and business developments. The report is available to requesting participants and covered by the confidentiality provisions of the Participant Agreement. Potential customers not bound by the Participant Agreement must obtain a separate NDA to receive the report. To request this report send an email request to Reports-IASOC@theice.com.