ECHO Security and Privacy Overview – Frequently Asked Questions (FAQ)
1. What is ECHO's approach to information security?
ECHO follows a Zero Trust security model and aligns with the NIST Cybersecurity Framework. This approach organizes controls around the framework's Identify, Protect, Detect, Respond, and Recover functions to protect data confidentiality, integrity, and availability, while ensuring compliance with state, federal, and international regulations.
2. Which certifications and compliance standards does ECHO adhere to?
ECHO holds the following certifications and complies with these frameworks:
- SOC 2 Type II
- HITRUST
- PCI DSS
- CORE AICPA/SOC
- OFAC
- HIPAA
- NACHA
These certifications are validated through regular internal and third-party audits.
3. How does ECHO manage access control?
ECHO enforces least privilege and role-based access controls. User access is managed through detailed policies outlining how access is granted, changed, or revoked. Regular reviews ensure that access control remains compliant and secure.
4. What technical security measures are in place?
ECHO employs a comprehensive approach to network and host security, utilizing industry-leading technologies and best practices to safeguard systems and data. Key measures include:
Network and Host Security
ECHO deploys intrusion detection systems (IDS), firewalls, and commercial-grade antivirus protection. Operating systems and applications processing ECHO or client data are patched promptly upon discovery of security vulnerabilities or vendor patch releases. ECHO ensures external software, systems, or networks that interact with its infrastructure do not introduce malicious components.
Intrusion Detection
ECHO's intrusion detection program monitors network traffic involved in the access, processing, storage, and transmission of client data. This includes network intrusion detection, log analysis, and data integrity monitoring. Security personnel are alerted to suspicious activity and respond immediately. Detection engines and signatures are updated regularly for optimal protection.
Firewalls
ECHO employs stateful inspection firewalls at key locations across its infrastructure. Firewall configuration standards include:
- A default-deny policy restricting access to only authorized ports and protocols.
- A formal process for approving and testing external network connections and firewall configuration changes.
- Regular audits of firewall configurations to maintain security best practices.
Patch and Vulnerability Management
ECHO has a structured process for patch and vulnerability management to keep systems secure:
- System components and software are regularly updated with vendor-supplied security patches.
- ECHO subscribes to security alert services to stay informed of new vulnerabilities.
- Security standards and procedures are updated continuously to address emerging threats.
Antivirus Protection
ECHO uses enterprise-grade antivirus software to protect against viruses, worms, and other malicious code. Antivirus software is installed on all systems that access, store, or process ECHO or client data, and is regularly updated with the latest virus definitions.
In addition to antivirus protection, File Integrity Monitoring (FIM) systems are deployed to continuously monitor and alert for any unauthorized changes to critical system files, configuration files, or directories. This ensures that any potential malicious modifications are promptly detected, adding another layer of defense against threats that may bypass traditional antivirus mechanisms.
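The following is an added example illustrating the file integrity monitoring technique described above; it is not ECHO's code or product. It assumes a baseline kept in memory and a constructed directory of sample files (a real deployment persists the baseline to protected storage, runs on a schedule, and forwards alerts to the SIEM). The check hashes file contents rather than trusting modification times, since an attacker can reset mtime but cannot keep the SHA-256 of altered content unchanged.

```python
"""File integrity monitoring: baseline hashing and change detection.

Added example, not ECHO's own tooling. Baseline is in memory and the
monitored tree is constructed in a temporary directory for demonstration.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits, size) for each regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(baseline, current):
    """Return alert lists: files added, removed, content-modified, or re-permissioned."""
    alerts = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            alerts["added"].append(rel)
        elif rel not in current:
            alerts["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            if old[0] != new[0]:          # content hash differs
                alerts["modified"].append(rel)
            if old[1] != new[1]:          # permission bits differ
                alerts["mode_changed"].append(rel)
    return alerts


def demo():
    """Constructed scenario: baseline two config files, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        sshd = os.path.join(etc, "sshd_config")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        os.chmod(sshd, 0o600)
        baseline = build_baseline(root)

        # Simulated attacker activity (constructed): weaken sshd config and its
        # permissions, drop a preload hook, and delete a critical file.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(sshd, 0o644)
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        os.remove(passwd)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Each non-empty alert list is a candidate incident; a production agent would also record which baseline version it compared against and sign or store the baseline out of reach of the monitored host.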
System Hardening
ECHO follows CIS and NIST standards for system hardening, including:
- Removing unnecessary system functionality (scripts, drivers, file systems).
- Disabling non-secure services and protocols.
- Configuring security parameters to prevent exploitation.
- Changing default system configurations before deploying systems in live environments.
Network Infrastructure Security
ECHO applies best practices to secure network infrastructure, including:
- Applying the latest security patches for network devices and software.
- Implementing processes to identify and address new security vulnerabilities.
- Conducting regular audits to ensure network devices comply with security policies.
Data Encryption
ECHO encrypts sensitive data in transit and at rest in accordance with NIST guidelines, ensuring confidentiality and integrity across systems and networks.
SIEM (Security Information and Event Management)
ECHO’s SIEM system aggregates logs from across the network and applications for real-time monitoring, providing a proactive approach to incident detection and response. The 24/7/365 Security Operations Center (SOC) continuously reviews alerts and responds to potential threats.
Data Loss Prevention (DLP)
ECHO enforces DLP policies to prevent unauthorized transmission of sensitive data. These policies include:
- Monitoring and controlling data transfers across network channels.
- Enforcing encryption on outbound communications containing sensitive information.
- Blocking or flagging potential violations to prevent accidental or intentional data leaks.
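The following is an added example of the content-inspection logic a DLP policy like the one above applies to outbound messages; it is not ECHO's DLP implementation. It assumes a simplified policy: any Luhn-valid 13 to 19 digit run is treated as a payment card number (PAN), a message containing one PAN is flagged and the PAN masked, and a message containing more than one is blocked. The sample messages are constructed and use published test card numbers.

```python
"""Outbound content check for card numbers (PANs).

Added example, not ECHO's DLP policy. Policy thresholds (flag on one PAN,
block on several) are assumptions for illustration.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, anchored on
# digit boundaries so a partial slice of a longer digit run never matches.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: filters out invoice/order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the raw matched substrings that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def mask(pan):
    """Keep only the last four digits, as PCI DSS permits for display."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def evaluate(text):
    """Apply the assumed policy and return the action plus the redacted text."""
    pans = find_pans(text)
    if not pans:
        return {"action": "allow", "pans": 0, "text": text}
    redacted = text
    for p in pans:
        redacted = redacted.replace(p, mask(p))
    action = "block" if len(pans) > 1 else "flag"
    return {"action": action, "pans": len(pans), "text": redacted}


if __name__ == "__main__":
    # Constructed sample messages (4111... and 5555... are published test PANs).
    for msg in [
        "Invoice 2024-07 attached",
        "Ref 1234567890123456 processed",
        "Card 4111 1111 1111 1111 declined",
        "4111111111111111 and 5555555555554444",
    ]:
        print(evaluate(msg))
```

The Luhn check is what keeps false positives manageable: "1234567890123456" is a 16-digit run but fails Luhn, so it is allowed, while the two test PANs are caught whether or not they are space-separated. A production policy would add further detectors (account numbers, SSNs, PHI identifiers) and log every flag or block to the SIEM for review.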
Email Security
ECHO maintains strict controls to protect against phishing, spyware, and malware:
- Web-based email traffic is inspected for suspicious activity.
- Anti-spyware and anti-malware software are installed across all devices.
- Phishing attacks are blocked through corporate email filtering.
- Employees receive regular training and advisories on email threats.
Physical Security
ECHO ensures physical security at office facilities, data centers, and IT systems handling client data. Data centers comply with SOC 2 standards and include:
- Badge access
- CCTV monitoring
- 24/7 security personnel
- Environmental controls (temperature, humidity, power management)
5. What does ECHO do to ensure business continuity?
ECHO has comprehensive Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP), which are regularly tested. We use redundant IP networks and secondary-site failover environments to ensure uninterrupted operations.
6. What is ECHO's process for managing risks?
ECHO’s GRC (Governance, Risk, and Compliance) Department conducts both internal and third-party risk assessments, including HIPAA and enterprise risk evaluations. Risks are tracked, monitored, and addressed based on severity, with quarterly reviews by executive leadership. An Enterprise Risk Assessment is also conducted by an external party at least annually to further identify and manage potential risks.
7. How does ECHO handle third-party vendors?
ECHO’s Third-Party Risk Management Program evaluates vendors at the beginning of the relationship and reassesses them annually. Vendors processing sensitive information undergo audits to ensure compliance with security and privacy standards, as well as regulatory and contractual requirements.
8. How does ECHO handle incident response?
ECHO’s 24/7/365 Security Operations Center (SOC) monitors for security incidents, including reviewing logs for unusual activity. Incidents are routed through a centralized workflow for prompt resolution. The Incident Response Team receives training throughout the year to ensure preparedness for an actual incident.
9. What training do ECHO employees receive on security and privacy?
All employees, contractors, and temporary workers complete security and privacy training within 60 30 days of hire and annually thereafter. Employees must report any security or privacy incidents immediately, and regular phishing tests are conducted with follow-up training. Upon hire and annually thereafter, all employees are trained on appropriate topics such as:
- Code of Conduct
- Conflict of Interest
- HIPAA
- Incident Reporting
- CMS Compliance and Fraud, Waste, and Abuse
Additionally, all employees undergo quarterly security training and monthly phishing tests, with follow-up training for those who fail a phishing test. Informal training includes presentations, emails, and ad-hoc discussions about relevant topics, rising threats, and common concerns.
10. How does ECHO handle data privacy and retention?
ECHO adheres to strict data retention policies, ensuring data is stored only as long as necessary. Data is classified, encrypted, and securely destroyed when no longer required, in compliance with client contracts and regulations. ECHO performs regular audits to ensure automated data purge jobs are functioning as expected.
11. What auditing practices does ECHO follow?
ECHO undergoes regular audits, including:
- Enterprise Risk Assessment (including HIPAA)
- Penetration Testing
- NACHA Compliance
- Anti-Money Laundering (AML) Audits
- SOC 2
- HITRUST
- PCI Compliance
- Audited Financial Statements
Internal audits cover user access rights, data retention, and physical access rights, ensuring compliance and security.
12. What is ECHO’s Software Development Lifecycle (SDLC) process?
ECHO’s Change and Configuration Management and Software Development Lifecycle (SDLC) policies and procedures ensure a security-by-design approach. We manage the application development process using Microsoft Azure DevOps, with all software requests tracked from business requirements through code development and testing.
All deployments are:
- Versioned and tracked with comprehensive deployment packages.
- Equipped with full roll-back capability for emergencies.
- Typically updated on a quarterly basis, unless an emergency change is required.
An Architecture Review Board meets periodically to provide guidance and strategic direction to development and project teams before initiating new development projects or significant redevelopment efforts.
13. How does ECHO prevent and detect fraud?
ECHO employs a multi-faceted approach to fraud prevention and detection. We have a dedicated team of agents and multiple automated audits and controls to ensure a timely response to suspicious activity. Using a combination of outsourced and home-grown tools, the Fraud Team has a strong record of validating legitimate transactions and stopping fraudulent attempts, allowing payments to reach their intended parties in a timely manner.
ECHO’s fraud prevention and detection processes focus on four main pillars: IT security, ACH payments, card payments, and check payments. Each payment type, and the web tools used to facilitate the payment process, has its own multi-layered fraud strategy to detect and prevent fraud. With a holistic approach to reviews and auditing, an alert or red flag in one area results in a review of all areas related to the flagged payment information.
14. How does ECHO manage its Policies?
ECHO’s GRC Department manages the Policy library, ensuring that all company policies are reviewed on an annual basis, and updates are circulated to staff as needed. The policies reside in a shared repository that all employees can access, and a link to the repository is shared with all new hires in their first week at ECHO.