ConferencePlus Share Portal™ Security White Paper

This document provides an overview of security as it pertains to the following areas relevant to ConferencePlus' Share Portal™ Content Management Application:

• Share Portal Application Security
• Data Storage Security - ConferencePlus Generated Recordings
• Data Storage Security - Host Uploaded Files
• Transport Security
• Physical Security

---

Share Portal Application Security

Share Portal Application Access

The Share Portal application is accessible only through the Host's online Account Dashboard. The Host's Account Dashboard is User Name and Password protected and can only be changed by the Host.

Portal Page URL Privacy

A Portal Page created by a Host has a specific URL address where access to the Host's published content is located. The URL is automatically generated by the Share Portal application with Secure Sockets Layer encryption and is sent to the Host upon the Host's publishing of their Portal Page. The URL is then controlled by the Host for distribution to the user group of their choice.

Portal Page Password Protection

Portal Pages have the capability to be password protected by the Host. When setting up the Portal Page, the Host creates the password of their choice to protect access to their published content. This password can be changed in the Share Portal application by the host at any time. To gain access to the Portal Page, a user would need both the Portal Page specific URL and the password.

---

Data Storage Security - ConferencePlus Generated Recordings

Intrusion Prevention System (IPS)

ConferencePlus utilises an Intrusion Prevention System (IPS). IPS is a sensor on the ConferencePlus firewall and is a true intrusion prevention system - not just detection. When an intrusion is detected by IPS, the firewall blocks packets from being sent or received and ConferencePlus Management Information Systems is immediately notified.

Symantec Endpoint Protection

Symantec Endpoint Protection multi-tier has been implemented. The software looks for updates every five minutes to ensure the latest protection.

---

Data Storage Security - Host Uploaded Files

Amazon Simple Storage Service - Amazon S3

Files uploaded by a Host to their Share Portal application are stored with Amazon Web Services (AWS) through their Simple Storage Service - Amazon S3.

Data Encryption

All data from Host uploaded files is encrypted by ConferencePlus before being uploaded to Amazon S3. ConferencePlus uses Advanced Encryption Standard 256 bit encryption to ensure data cannot be accessed or tampered with by unauthorised parties.

Secure Sockets Layer Encryption

Amazon S3 is accessible to ConferencePlus via Secure Sockets Layer encrypted endpoints. The encrypted endpoints are accessible from both the Internet and within AWS, ensuring that data is transferred securely both within AWS and between AWS and ConferencePlus.

Key Storage

The key is required to access the data. The Key is not stored along with the data.

Redundancy

Data stored in Amazon S3 is redundantly stored in multiple physical locations.

Object Deletion/Removal

When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. That storage area is then made available only for write operations and the data is overwritten by newly stored data.

---

Transport Security

Secure Sockets Layer Encryption

The Share Portal application is accessible via Secure Sockets Layer encrypted endpoints. The encrypted endpoints are accessible from both the Internet and within ConferencePlus, ensuring that data is transferred securely. Secure Sockets Layer certificates provide 2048 bit encryption.

Vulnerability Assessment Testing (VAT)

ConferencePlus undergoes extensive vulnerability and penetration testing in the form of a Vulnerability Assessment Test (VAT).

---

Physical Security

Building Security

ConferencePlus has undertaken highly secure measures at our worldwide headquarters in Schaumburg, IL to restrict access to only authorised employees and authorised third parties. The building utilises internal/external video surveillance as well as an alarm system with an offsite security monitoring system.

Building Access

ConferencePlus has instituted a comprehensive employee badge policy with unique individual access codes for each employee. In addition, there is a strict visitor/guest policy with highly restricted access. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.

Server Room Access

Physical and electronic access to data centres is limited to essential personnel and essential third parties escorted by authorised staff. Physical and electronic access is logged and audited routinely.