Security Practices

About Rootwork

Rootwork InfoTech LLC is a consulting company incorporated in the State of Florida and headquartered in the Orlando, FL area. We have been in business since 2014. We have obtained most of our clients through referrals, and our reputation is our most important business asset. Therefore, we hold our clients' information in the highest regard, and make every effort to safeguard the privacy and security of our clients' information.

Privacy

Rootwork respects the privacy of all client information. We do not sell or otherwise provide any information about our clients to third parties. When Rootwork makes use of third parties that access or store client data, such as cloud service providers or development subcontractors, we use contracts to ensure that the service providers have a commitment to privacy that meets or exceeds Rootwork’s commitments to its clients.

Security

Rootwork takes a risk-based, multi-layered approach to information security. Our internal risk assessment process is based on NIST SP 800-30.

Human Security

As information systems have become more secure, humans have become the weakest link in many organizations. Rootwork trains its workforce to ensure that employees and subcontractors are vigilant against human-oriented threats such as phishing. Vendors and subcontractors are subject to information security review and risk management. Workforce members are granted the minimum necessary permissions to perform their job functions. Rootwork requires multi-factor authentication (MFA) to access any service that faces the public Internet.

Device Security

Compromise of an end-user device such as a phone, tablet, or workstation can compromise even the most secure systems. Rootwork ensures that devices used for work purposes are secured per industry best practices. Some of our device security measures include requiring strong passwords, encrypting all device storage, running endpoint protection software, and enforcing automatic screen locking.

Application Security

Rootwork develops applications with security and privacy as a primary design goal. Our first objective is to reduce our target size by minimizing the amount of client information that we collect and retain. We encrypt information at rest and in transit using strong cryptography. We use secure authentication methods to verify user identity and control access to applications, and implement role-based access control when appropriate. Vulnerability scanning and penetration testing may be performed on critical applications.

Infrastructure Security

Rootwork creates cloud-native applications and services. We treat infrastructure as code for production systems and we use change management procedures to ensure the security and stability of our infrastructure. Rootwork uses major cloud platforms to run our applications, and we take full advantage of their advanced infrastructure security features. Some examples include:

  • Virtual private networks
  • Deny-by-default firewall rules
  • Resource IP addresses in private subnets whenever possible
  • Custom IAM roles tailored to job functions
  • Default encryption of all stored information

HIPAA

In the United States, most health care providers (covered entities) are subject to federal laws known as HIPAA/HITECH. HIPAA and HITECH protect personally identifiable information associated with health care (Protected Health Information, or PHI). When acting as a Business Associate to a covered entity, or as a service provider to a Business Associate, Rootwork complies with the Privacy Rule and Security Rule.