Security and Reliability Safeguards

Updated August 18, 2016

The protection of customer data and privacy is the ITRP Institute’s number one operational priority.

TLS

All information traveling between your browser and ITRP is protected with 256-bit TLS encryption. This is the same level of security banks use. The security lock icon in your browser lets you verify that you aren’t talking to a phishing site impersonating ITRP and that your data is secure in transit.

The email notifications that ITRP sends out to end users, managers and support specialists are also protected with TLS encryption, provided that the email servers of your organization support TLS. ITRP’s mail servers support TLS so that all messages sent to ITRP are encrypted in transit as long as the email clients set up a TLS connection.

Maintaining a Secure Environment

Access control measures have been deployed at multiple levels to limit access to legitimate users and only to the operations that these users have been authorized to perform.

Access and usage of the ITRP service and its hosting environments are continuously monitored in order to identify unauthorized operations and access attempts as early as possible. The ITRP Institute actively maintains and tests both the hosting environments of the ITRP service as well as the ITRP application code to prevent security issues as much as practical, and to ensure that security issues which affected the ITRP service do not recur.

Apart from the detection mechanisms used for the early identification of possible security issues that may affect the ITRP service, response measures are in place to handle such issues if they occur.

Reporting Security Issues

Naturally, we welcome any feedback that can help us make the ITRP service more secure. To report a possible security issue that affects the ITRP service, send an email to security@itrp.com.

Please include a detailed summary of the issue you have discovered, as this will allow us to respond more rapidly and effectively to your report. Security issues are given priority over any other incidents that may affect the ITRP service (even over incidents that affect the availability of the service) and are handled through a separate procedure. We are committed to safeguarding your privacy throughout this procedure. You can use the ITRP Service Security public key at the bottom of this page to encrypt sensitive information sent via email.

After drawing our attention to a potential security issue, you will receive a confirmation via email to confirm that we have received your report. The ITRP Institute will subsequently attempt to validate and reproduce the reported vulnerability. If additional information is required in order to validate or reproduce the issue, we will work with you as needed to obtain it. When the initial investigation is complete, results will be delivered to you. If the issue cannot be validated, this will be shared with you.

On the other hand, if the vulnerability has been verified, a plan for its resolution and public disclosure will be shared with you. If the vulnerability is found to be caused by a third party software product, the ITRP Institute will notify this third party. The ITRP Institute will continue to work with the third party to ensure that a fix gets implemented. Your identity will not be disclosed to the third party without your explicit permission.

The ITRP Institute will coordinate public notification of the validated vulnerability with you. ITRP security bulletins are posted within the ITRP service. You, or your company, may want to post your advisories on your own web site or in security forums. When possible, we would prefer that our respective public disclosures be posted simultaneously.

Responsible Disclosure

Notifying a vendor before publicly releasing information about a security issue is a best practice known as responsible disclosure. Responsible disclosure allows companies like the ITRP Institute to better protect its customers by fixing vulnerabilities before they are brought to the attention of someone who may want to exploit them. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies of responsible disclosure. The ITRP Institute follows the same practice when it discovers and reports security vulnerabilities to other organizations.

Security Notifications

For the protection of our customers, the ITRP Institute does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases have been implemented. Once a security issue has been fixed, the ITRP Institute publishes an ITRP security bulletin about the issue within the ITRP service.

Public Key

The ITRP Service Security public key has an operational life span of three years. When we generate a new public key, it will be made available on this web page.

Key ID: 5B06CC3DE490B6C3
Key Type: RSA
Expires: 2019-08-19
Key Size: 4096
Fingerprint: 1E01 264B 8BD1 DD61 6A0A 7171 5B06 CC3D E490 B6C3
UserID: ITRP Service Security

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQINBFe2YXgBEADFnDeXn2ApcWtkZmnpQkFc7+HnrQtoWpPUu7eZRoaMRkIcUmmp
9tajga1JHpyN8f8s5u15HmWkHc3SHznDWKWK8ylDQppQO/KI6Wvw2OpDX7vO1K1q
gS5Urg0iltmX6VJ0rcVOQ7t8S0WjtzsZ+/9Ew4CvZSJe2VH4LXP7O+KN8ymESNQR
rDwPevkyQ6oDz4LM3fRBO4RQN3TH77y+2pPeTU2gV96pPIM9XUdaBhMjfpch4Pdi
TNtKURXC9lyTjAN7AOJ7ctHjR3xjWW6w7fqVYx3Lv/FkRlhDk4IeB5fkUGKRmThw
0V2LIi1d0anW3o0kotBZrq1w4rt9VG1RmQf+ixS5OJ07R49dx7HJK3CyCloEOkhN
Z9yHeC32U2cQ1FlVNIv2We1WuCGII9RLx63XPBF4pWG5NB4PURdNtFyGB92nCot9
b5OP2ETh2NuIRc3etQstMiylFQ5DMYs0CEpXSoVor7GT8c06/JssBBAy6K2Y/l77
JJNzxPofFssQYXnsnHU/uxtISDlERgv3LET+jECLCGzW/uIp0BFYXL1pmy6Kvm3/
0cxpvrk7CN+iRnm211I9btmYKr7JDaQEXcc+QfhKa1WcP9TXg4Gccb75elUMy5M3
mCByaP2wZo8R9Xms77Hg+gYMLW3a4AVqE652LtinliwcF8Caam+nkVFEiwARAQAB
tClJVFJQIFNlcnZpY2UgU2VjdXJpdHkgPHNlY3VyaXR5QGl0cnAuY29tPokCPwQT
AQoAKQUCV7ZheAIbAwUJBaOagAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EFsGzD3kkLbD22wP/14XX6jHxfeAGbt3QUDHej4pRp1jWvAYgqHnXnN3YZBf+Y6A
chlklWJsvw0ACExwXap8hywD/EylzxI17UPU7B/ppuZZm9C12BwXVdpVsZ1Gox4B
uKJhSYYvzUsxHhDQJ1ICdWEGpwZ1GZt97akfJIo9QoJJuJZiSwnz3c38gxFY0JEW
MdgMWK/9neuhS4OnIh27GE9BZmOyH1icRdj05kBQDtpWeugqtMMgCIrkmz+Kj9rj
VjCuNe0x4kfPsca3wJc83DKwXJohWCHBvJQatIcifz10ByFwkSBvLDvxGJ+HrCzu
1UerquA2D6TO9zC2PsY+FWpXKEiByl46EX61pJxn0LXwZIaqiWqNsz7xSCfvrZxs
Ca1xWHaNUfnhzMu0LLGJmpag/5UjpwrmAsw2Y9WiiT/P59MWB0rpgcQPfvRg+tmp
5rjTgRYvYDI0aqOS1aS9WyVcfrjLtv51ExSVtNb7+3LRvSX5MmfGN29azwFZ2dNz
pyTUBGxLmGTqZvppRlyStsrD4Ta8P1z1ioO1h0TtZypMj6VEq/wDmjv0Qj7ZPupN
MX4dE3dOVakNwEv4ve8LluD51e+ShBHT0M3yfG3MxjNTLn71/YuxCxZ+mOvcz5x6
dBJ98eg8fRkY0upjqk1x20pheLkIktF2E36CuA6sMoECaUTQp6dEi+MZpJDUuQIN
BFe2YXgBEADdeXqGl6/Dy6jTbz/fDIagd8DD+Kt0RwUG2MuQ1uKBOKFQ27QEO8Fs
Wuw9PW8PVnPqIeFRR6vNzxxckl1OJTShKrtyl+vDu1ffGtODwxq1An/Skx1iYnl5
YYWGIHAIC53Gn7PopUp0w5e5H9UW9EUgY5uUuU3pwmNV29QUyG9WCR+we4T/axIQ
JcWEBTI/iBVQPzA1Ojys1eVk5CaAiBnBNsxg2GJDBkk2sISEhaE0whBeexnlO5kB
MvFEB4AWmHaXY6q3OcU0uCARbET723I2EVQs2z29WVU0/ngLGv6XRJXC9jnrHFkR
OUYvPqbCkso/iVRPaFUtY2TNv02GCJ3af96TASCW7AZ/+ixnCTstCJnv9UfHUgaS
OiLA+OXuLo9FuwHRVQsLTw+hp5j7PWzZz2gpyg2/xj/d3Gmr5v06tVnUlhAxYpmG
k1fkVCW4xMlLTb86Twy4CWwjyQwoZhyR8VwBrMgsV44P89hdic5W23w3raE03N+o
wSfyBR3aBKU/6E/AkHzZUv0GyBzgQ2lho9qYCCBYBS73Bug7CQchwAhQZcpMePuQ
TZm1LB91Ef6S8vGNsT5Ju1/WxBlu5RjR5CDnFbYLRj5PXJu1/v+V2Fj5iriWMLWG
aBRg9dd6dVAssZcztdQUQbiR6Mow5mEspbaKmOYyVK0EjbC34vmXtQARAQABiQIl
BBgBCgAPBQJXtmF4AhsMBQkFo5qAAAoJEFsGzD3kkLbDvQkQALTrwV41A2gME4xg
z9VMb4OLkfd9jnHJEC2zXyJcsR0ip9dFqPIYypKo/Wo5PvR5jPFH5qjRn/TtcwRB
hgxKp7G4MuZY4s6CIcZc7VJBlbb/bmnCmlDdXPGdAjhuE39ppmpnBNQCJjHuQ/Py
iLAno2kRN4GpwpywpXY2KsHDmEx7GwwXatn8FbkzqrZgRMhaKibfn0LIcMBrUs2t
/m/OAqhjqlTDGaRcv5++DLS9344/6Fb5R3i8at/nuv6F+kTto++20FxPU2JctP2f
/RhkU0n21IXY+kypfmlxSdIbmgr59znma1+jx+S1rtL+Nzt+Q03Ez/NRJ0KDVTVR
ogkXVP0ZDJqe4kYN0KJl76pe1SDfdGnVaDFSjwNr+x2RKLmR0Fm0rzZBQ7Pr9o2e
ileb124CUlszC8Mcy+wKKhlYexBMFpqaWwaotpYG6GN89rAEVvIu8pE7dZNkXlBd
2p4tMBiR/g6ArWfYeTLzC+TRBpaySSEuFukrv6jEW0Bp4BP34p3kR6aHEcfHF4js
FLGmRJVak1nrr/E4a3KQNkwO2K/S2YyFgkIH8+Rj7Q4f33mt2RKf+noS8jZTe5Mp
KpNIsVjg/EBAzzUfcz6FPrbqlCukN8fyisxN/C2rU7Lhho1KZ/L3l4wSNL6l70G3
35OKvLTSCPWTXVauYKCKGAhitQZP
=jFSD
-----END PGP PUBLIC KEY BLOCK-----