Maintaining a Safe, Secure Marketplace
ICE ensures both the physical and digital security of its markets and data through leading-edge security technology and processes.
ICE maintains detailed information security policies. All employees are required to read and provide written acknowledgement of relevant policies. Topics covered range from ICE's corporate security and information classification policies to application development standards and password handling. A dedicated Information Security group is responsible for information security operations, including daily reviews, access control requests, incident handling engineering, consultation, design and implementation of security mechanisms.
Network Architecture
ICE uses a multi-tiered network architecture with multiple firewall tiers and service silos to isolate different security zones. Intrusion Detection Systems at production and office facilities monitor network traffic against industry-standard and ICE-customized network activity signatures.
Perimeter Defense
External screening routers employ access control lists to terminate virus, worm, and common hacking attempts before they reach external ICE firewalls. Firewalls further parse traffic to ensure only specifically permitted sources can reach specific destinations and services. VPN or private line connections terminate outside external firewalls, but independently from Internet connection points.
Encryption and Data Integrity
128-bit or stronger encryption is used to authenticate and encrypt customer communication to ICE systems. Encryption prevents potential malicious third parties from intercepting sensitive data and credentials in transmission. The controls inherent to SSL and TCP provide additional integrity to ensure content is not tampered with by a third party during transmission.
Access Control
The ICE Information Security group handles all access control requests for administrative access. These requests and authorization are documented and reviewed.
Systems
All systems follow build standards to ensure standardization and security. The Information Security group monitors, assigns, and tracks patch status to respond to vendor operating system or application alerts.
Application Design
Application-layer access controls impose strict restrictions on the data available to individual users. Data storage is physically and logically segmented from application servers, and queries can only be formed and executed after access control databases have been queried and credentials are fully verified. These processes ensure that users retrieve data only related to their account.
Testing and Audit
ICE conducts regular internal penetration testing and auditing to determine compliance with written policies and to assess vulnerability. In addition, a third-party external penetration test is performed annually. The results of these tests are used internally to verify internal audit processes and controls.
A rigorous SSAE16 audit is performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of this report is evaluated each year and tailored in response to customer feedback and business developments. The report is available to requesting participants and covered by the confidentiality provisions of the Participant Agreement. Potential customers not bound by the Participant Agreement must obtain a separate NDA to receive the report.