At EP, our strategy is “security first,” and we employ an extensive layered security model to protect customer data. Using enterprise policies, people, and technologies, we operate a global security program for end-to-end protection. From the perimeter to the endpoint, EP’s protections and teams work hard to guard the systems that deliver secure products and services to the client.
Data Center and Network Security
As EP runs hybrid Clouds with data distributed across an on-premise private Cloud and top tier Cloud providers, our security technologies, with their associated processes and procedures, integrate directly into our network security strategy to ensure common security policies are deployed across all of EP’s environments. Additional network layer controls are applied prior to client traffic reaching our application environments. We pair these technologies with dedicated security monitoring, 24x7x365 analysis, and a robust analytics engine. Along with EP’s extensive logical access controls, EP maintains robust physical security requirements using top tier hosting and Cloud providers.
To secure EP’s applications, a secure development life cycle and release management process is used to deliver new products as well as updates to existing products. Advanced application security testing is performed through an automated methodology to ensure released code is secure and adheres to defined development standards. Security architects partner with our software communities to provide continuous security review throughout the product’s life cycle. Regular scanning and review are performed against our external applications, with formal security testing performed on an annual basis.
Product Security Features
Entertainment Partners’ foundational cornerstones for delivering customer services focus on strong security, availability and resiliency. Within the applications themselves, strong authentication models are utilized and made available for clients to protect their data. EP views data protection as the highest priority, leveraging modern-day safeguards for data both at rest and in transit. EP employs advanced encryption technologies and strong key management, which provide extensive protections for sensitive data using encryption tied to access control for in-flight and at-rest data protection.
Compliance Certifications and Memberships
At EP, we measure ourselves against the best when it comes to industry standards for security and privacy frameworks. We look at the defense industry, top financial institutions, and Fortune 100 companies while assessing the customer’s needs to implement a robust Information Security Management System. EP currently maintains SOC1 and SOC2 annual attestations. As an industry leading program, EP has been certified for cyber and information security under ISO 27001, which helps advance and promote a security-minded culture of compliance.
Data Center & Network Security
EP’s private Cloud facilities employ strong centralized physical and environmental security controls, which are an essential component of EP’s ISO 27001 certification. For our Cloud environments, annual audits and strong physical protections are employed.
EP’s private Cloud facilities meet our stringent physical security requirements with dedicated security guards, fencing, security feeds, intrusion detection technology, and other physical security measures. Cloud hosting environments maintain similar advanced standards for their hosting facilities to protect against unauthorized access.
Data Hosting Location
EP’s primary hosting facility is located in California, with a Disaster Recovery facility distributed to an out-of-state top tier service provider for geographical diversity to help protect data from possible environmental threats or disasters. EP leverages CLOUD data centers across the United States to help ensure availability of services for specific applications. Additionally, in order to meet customer client needs, some services are hosted in CLOUD’s European and Asia Pacific data centers.
Dedicated Security Team
EP has a dedicated team, Information Assurance, to implement and manage an information security program, execute and enforce security controls, perform security assessments and incident response, and manage information security risks.
Multiple network protections are utilized throughout the EP ecosystem, forming a multi-layered defense-in-depth approach that actively monitors and blocks malicious traffic or network-based attacks.
EP’s network security architecture employs modern best practices to segregate environments and data based on risk. This includes the use of separate security zones, comprehensive network segmentation, physically segmented hardware (where necessary), and network access controls aligned to role-based access. Depending on the zone, enhanced security monitoring and access controls will apply.
Network Vulnerability Scanning
Extensive vulnerability assessment is performed with regular scanning and review of environments to ensure security baselines are applied as well as identify and remediate potential issues.
Third-Party Penetration Tests
In addition to an extensive internal assessment and testing program, application penetration testing is performed annually by an independent third-party provider.
Modern security analytics and 24/7 monitoring are used in conjunction with extensive logging to identify and correlate system anomalies in real time which generate events for investigation by the Security team.
Intrusion Detection and Prevention
EP employs multiple platform, network, and anti-malware tools which analyze events and generate alerts for suspicious activities. EP also uses a Managed Security Services Provider (MSSP) which monitors and analyzes logs in real time and sends alerts to the EP incident response team.
Threat Intelligence Program
EP participates in public and private threat intelligence programs that monitor active threats. When posted, these threats are actioned either through an automated process or by the Security team. Actions and priority are based on risk or criticality.
For DDoS mitigation, EP leverages a multi-layered approach with enhanced network edge defenses and the use of native Cloud protections to maintain availability.
EP follows the principles of least privilege, and provisions user accounts based on pre-defined roles. Onboarding, terminations, and change procedures follow formal processes, including steps for authorizing access.
Security Incident Response
Incident response is managed by a dedicated 24x7x365 team, following a formal incident response plan, and is tested regularly. EP’s incident response process and procedures are reviewed regularly, with adjustments made to address risk associated with current environments, system components, and requirements.
Encryption in Transit
All communications with EP’s applications and APIs are encrypted using industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. Additionally, for email, opportunistic TLS is enabled by default, which helps secure all mail server communications.
Encryption at Rest
For sensitive data at rest, EP has deployed an advanced encryption solution with military grade capabilities by enabling policy-based AES-256 encryption with strong key management standards to address modern threats.
Availability & Continuity
EP leverages multiple aspects of service clustering and network redundancies to minimize points of failure. Comprehensive backup regimes and Disaster Recovery capabilities allow for effective delivery of a high level of service availability, with replication across multiple regions and zones.
EP’s Disaster Recovery program ensures services remain available and are easily recoverable in the event of a disaster. This is achieved through the implementation of a dynamic technical environment, detailed planning and testing activities.
Enhanced Disaster Recovery
For EP’s modern Smart applications, CLOUD multi-zone and multi-region capabilities are fully utilized to ensure availability of services exceeds expectations.
Secure Development (SDLC)
Secure Code Training
Development teams are provided with regular training modules in the specific language for which they code. These modules describe various security vulnerabilities, give code examples and provide remediation advice on how to fix and prevent them.
Framework Security Controls
Modern and secure frameworks, together with standards such as OWASP, NIST and others, are systematically utilized to mitigate prevailing security risks and to manage and reduce the risk of key vulnerabilities.
EP has an extensive quality review and testing process for our code base which includes both automated and manual processes. Dedicated application security architects are embedded with the software teams and in a stringent release management process to identify, test, and triage security vulnerabilities in code.
EP maintains separate development, testing, and operational environments. Each environment has separate access controls to enforce segregation. Production data is never intermingled into nonproduction environments.
Dynamic Vulnerability Scanning
EP conducts regular security assessments with both internal and external vulnerability scans.
Static Code Analysis
EP development follows a formal SDLC program which includes multiple checkpoints for peer code review and automated static code security testing.
Third-party Penetration Testing
EP partners with a best-in-class provider to complete an annual security assessment of our applications, which helps validate the effectiveness of our secure development processes.
EP leverages threat modeling for managing security as an integral part of the SDLC process for application development. This modeling is integrated into a release management process, whereby security and development teams work together to identify applicable requirements for each application. The effectiveness of this lies within the integration into “stories” and “epics” that are tracked to completion using embedded reporting capabilities.
Product Security Features
For EP’s modern Smart applications, customers will have the ability to leverage EP’s new single sign-on (SSO) platform for authentication.
Configurable Password Policy
EP’s SSO platform provides multiple levels of password security which can be selected ranging from Basic to Enhanced password security requirements. These security levels allow for different requirements to be applied based on a customer’s or studio’s own security requirements empowering them to reduce risk and maintain compliance.
Multi-factor Authentication (MFA)
Multi-factor authentication is available and enforceable as an added layer of security to mitigate against credential theft and misuse.
Service Credential Storage
EP leverages a strong privileged identity management solution to protect various types of sensitive credentials, such as service accounts, which are securely stored in a digital vault. Credentials are encrypted in transit, in use and at rest with the AES symmetric-key algorithm with 256-bit key length, significantly reducing the risk of disclosure or theft.
Additional Product Security Features
Role-Based Access Controls
Access to data within EP’s applications is governed by role-based access controls (RBAC) and can be configured to apply highly granular access privileges, with varying permission levels available for users.
For EP’s Scenechronize platform, enhanced security features such as watermarking, expiring links, and digital signatures are available and configurable by the customer.
EP uses best in class advanced email security services and protocols to protect client communications from beginning to end.
EP leverages advanced encryption methodologies for data both in transit and at rest, with a military grade solution which applies policy-based encryption with a centralized platform for administration, enforcement, and key management. The policies add an additional layer to lock down access to only required and approved communications, enforcing a robust least-privilege model for data exchanges.
Compliance Certifications and Memberships
SOC 1 and SOC 2
EP undergoes regular audits to receive updated SOC reports, which are available upon request and under NDA. For more information, please contact your EP account representative.
EP is formally certified and audited annually for ISO 27001 certification. The certificate is available for download; please contact your EP account representative.
The EP Security team maintains a cross-functional, high level of skill and knowledge with multiple team members achieving industry-based certifications such as CISSP, CISM, CCISO, AWS, Microsoft, and Advanced ISO 27001.
Human Resources Security
EP has developed and implemented several enterprise security policies aligned to ISO 27001, supported by multiple security standards and procedures. These policies were developed with feedback from business unit leaders and are approved by the CEO with reviews conducted annually. Policies are communicated via an intranet site and are covered in ongoing security awareness training sessions as well as onboarding orientation.
Security awareness campaigns are conducted on a regular basis and are included as part of the onboarding process for EP employees and contractors.
Employees are required to sign confidentiality agreements and contractors are required to sign NDAs.