Security Policy
MNI takes cyber security and data protection seriously, including our network and all MNI-owned websites. Please see our security documentation below and reach out with any questions.
Application Security
Website Encryption
Sessions between you and our websites operate over HTTPS and are protected with Secure Sockets Layer (SSL) encryption using 2,048-bit or better keys and Transport Layer Security (TLS) 1.2 or above (with TLS 1.3 recommended where supported). MNI takes regular steps to maintain compliance with PCI DSS 4.0, a rigorous data security standard for organizations that process credit card transactions.
Network Firewall
MNI servers and network are kept secure behind a commercial grade firewall with intrusion protection technology and real-time packet-by-packet anti-virus and anti-malware scanning. We also employ advanced threat intelligence measures to help block malicious traffic in real time. The MNI network contains Distributed Denial of Service (DDoS) prevention defenses to help keep our services active at all times.
Software Development Lifecycle (SDLC) Security
MNI implements human review processes, including architecture analysis during design and code review during coding and build, to ensure consistent quality in our software development practices. Development staff is trained on secure coding best practices and is familiar with mitigating the OWASP Top 10 Web Application Security Risks.
Sensitive User Information
We do not store any credit card information on our servers. Payments on all MNI websites are posted directly to our processor, and no digital copies are retained. Where possible, we also utilize tokenization to protect cardholder data. Additionally, we do not require any personally sensitive information for any of our services, such as your birthdate, social security number, or medical information. Where data must be stored, we implement encryption at rest to safeguard user information.
User Account Access
User accounts on IndustrySelect and IndustryNet are only accessible to the account holder (anyone with the correct email and password), and select members of the MNI staff as needed for technical support and fulfillment of services. Multi-factor authentication (MFA) is required for staff access to internal administrative systems and sensitive data.
Datacenter Protections
Physical Security
MNI hosts its own applications at its datacenter in the Chicago area. This datacenter features strictly managed physical access control, video surveillance, and security systems, among other protective measures.
Software Security
Patch Management
MNI's patch management process ensures the latest patches and appropriate software versions are installed on all systems at regular intervals. This includes routine reviews to align with PCI DSS 4.0 requirements.
Security Incident Response
MNI's security incident response processes are defined during routine preparation activities and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time, with 24/7 coverage for critical events.
Vulnerability Assessment & Penetration Testing
Vulnerability Assessment
MNI tests for potential vulnerabilities on a recurring basis. We run both static and dynamic code analysis along with external vulnerability scans.
Penetration Testing
MNI engages third-party penetration testing several times a year to test the MNI websites and network infrastructure. We also conduct additional testing following major changes to our systems to help maintain PCI DSS 4.0 compliance.
Employee Operations Security
Background Screening
All MNI employees undergo background checks prior to gaining substantial access to customer data systems. MNI may rescind an employment offer if a background check is found to be falsified, erroneous, or misleading.
Policy Awareness
MNI employees are provided training on the company's technology policies during the onboarding process. All MNI personnel are then required to acknowledge that they have received, understand, and will adhere to these policies. Annual refresher training is required to maintain awareness of evolving threats and regulatory requirements.
Remote Work
All remote work must be performed in a manner consistent with MNI's security policies. VPN must be used for all connections with the MNI network, and multi-factor authentication is required for remote access to internal systems. All of MNI's security settings must be followed for any equipment used to perform work. Employees must ensure no unauthorized individuals may view, overhear, or otherwise have access to MNI's customer data.
Questions, comments, or feedback can be directed to:
MNI
Attention: Legal
1633 Central Street
Evanston, IL 60201