Mobile Emergency Response Plan (MERP)
Security Information

Background

Safeguard Risk Solutions has developed the Mobile Emergency Response Plan (MERP), a web and mobile (available on Apple iOS and Android Google Play) application that stores an organization’s emergency operations plans. The application, both web and mobile, gives staff immediate access to policies and procedures in MERP for, and in response to, an emergency incident. The web application also allows a facility’s emergency manager, safety officer, or facility-assigned individual to import/customize their facility’s emergency operations plans into MERP. Once content is added and saved into MERP, it is pushed out to the mobile MERP application for users to access and view. Typically, facilities have either colored flip-charts or binders with tabs that provide response procedures for specific emergency incidents (e.g., fire, evacuation, flood/thunderstorm, etc.) that are stored at each department’s desk or near other emergency alerting systems (e.g., fire panel, security system). MERP is an electronic application that augments paper emergency operations plans. Emergency operations plan binders/documents do not and should not contain any Personal Information or any other confidential information.

  • User Types for MERP:
    • Facility/Safety/Emergency managers or directors
    • All staff employees
    • External staff such as coaches and substitutes
  • Information stored in MERP:
    • Non-confidential
    • No Personal Information
    • Facility policies and procedures for MERP and responding to emergency incidents such as, but not limited to:
      • Fire
      • Flood/Thunderstorm/Tornado
      • Evacuation
      • Access issues due to unsafe conditions
      • Shelter In Place
      • Utility/Infrastructure failure
    • Emergency contact phone numbers
    • Floor plans (limited visibility based on user)

The following information highlights system controls (i.e., physical hosting environment, network/host security), application, and user controls established for MERP for secure use by organizations and users.

System Controls for MERP Website

MERP’s physical web environment is hosted on a single Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. Amazon publishes documentation with details about the environment. Below are quick highlights of the AWS EC2 environment with regard to its security system controls:

  • Intel Processor Feature—Intel AES New Instructions (AES-NI): Intel AES-NI encryption instruction set improves upon the original Advanced Encryption Standard (AES) algorithm to provide faster data protection and greater security. All current generation EC2 instances support this processor feature.
    • MERP runs on Linux on an m4.4xlarge (vCPU: 16, RAM: 64 GB) server on AWS EC2.
  • Completely Controlled—the environment of our AWS EC2 instance where MERP is hosted allows us to control items such as root access and the ability to interact with the instances with any machine.
  • Limited Server Access—Since MERP’s EC2 instance is a web server, its security groups permit only inbound HTTPS, management traffic, and minimal outbound connections.
    • MERP can be accessed via web at MobileEmergencyResponsePlan.com. MERP connects through HTTPS with SSL installed, which transmits data securely using an encrypted connection.
  • Data Encryption/Security—with AWS we have added an additional layer of security to the data within the cloud
    • As developers of MERP, we hold the private key that allows us to access any files within the cloud. The private key is an encrypted, non-editable file, which is generated when we first established the AWS EC2 instance. Each time we log into the host site, a new authentication token is generated along with an IP address.
    • Traffic between the MERP user and MERP flows from the end user’s web browser/mobile application directly to the web server. User creation passwords are encrypted by HASH (12 Byte) and contents within MERP are BASE64 encoded.
  • System Monitoring and Alerting—we have 24-hour, 7-day-a-week server monitoring enabled through the AWS EC2 instance. If any vulnerability occurs, it sends a notification to us, after which we are able to log into the system. During each login to the server, a new authentication token is generated, and IP addresses are captured. Whenever data is updated, dates and times are also recorded. We are able to access the complete user login log.

System Controls for MERP Mobile Application

The MERP mobile application is released on both the iOS App Store (Apple Devices) and Android Apps on Google Play (Android Devices). Both platforms apply strict guidelines to submitted applications, ensuring that released products are secure and app developers are verified. For more information on the data security implemented by each platform, documentation is available from Apple and Android. The MERP mobile application follows the guidelines described by both Apple and Android to ensure the application is secure and compliant.

The data exchange from API to mobile app is encrypted and secured by JSON Web Token (JWT). JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Information can be verified and trusted because it is digitally signed using a public/private key pair. More information about JSON Web Token can be found here.
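
Added example, not MERP's code: a minimal RS256 (RFC 7519) sign-and-verify round trip using Node's built-in crypto module. It shows what the signature protects (integrity and origin) and that the payload itself is only base64url-encoded, so confidentiality in transit comes from HTTPS. The key pair, claim names, and function names are constructed for illustration, and RS256 is an assumption since the page does not name the algorithm.

```javascript
const crypto = require('crypto');

// base64url helpers (Buffer's 'base64' decoder also accepts the URL-safe alphabet).
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s, 'base64');

// Constructed key pair standing in for the API's signing key (assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function signJwt(claims, key) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the claims if the token is valid, otherwise throws.
function verifyJwt(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(fromB64url(head).toString('utf8'));
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${head}.${body}`), key, fromB64url(sig));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(fromB64url(body).toString('utf8'));
  // Require an expiry so a captured token does not stay valid indefinitely.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed sample claims (hypothetical names and values).
const NOW = 1700000000;
const token = signJwt({ sub: 'user-17', role: 'user', exp: NOW + 900 }, privateKey);

// The payload can be read without any key: signing is not encryption.
function readPayloadUnverified(t) {
  return JSON.parse(fromB64url(t.split('.')[1]).toString('utf8'));
}

// Re-encoding the payload with a changed claim leaves the old signature invalid.
function withAlteredRole(t) {
  const [h, , s] = t.split('.');
  const claims = { ...readPayloadUnverified(t), role: 'level1-admin' };
  return `${h}.${b64url(JSON.stringify(claims))}.${s}`;
}
```
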

Data is captured through the API only once as users log in. Each time MERP is opened by the user on their mobile device, data is then stored on the local device, which deters data manipulation when data is fetched.

Application and User Controls

Safeguard Risk Solutions, developer of MERP, has super administrative rights that allow for managing all MERP-purchased clients. When MERP is purchased by a facility/organization, Safeguard Risk Solutions will work to set up MERP for the specific facility with the facility leader responsible for managing content and users. This will require creating credentials (i.e., username and password) for the facility manager to:

  • Access the facility’s MERP
  • Import/Add/Edit/Delete content into MERP
  • Create groups to which users will be assigned permissions on what plans and supporting files are accessible to them
  • Create users that will have access to MERP

There are 3 user types and permissions:

  • Level 1 Admin—can add/edit/delete plans, supporting files (such as PDF), users, and groups.
  • Level 2 Admin—only has permission to add/edit/delete supporting files for their department, etc.
  • User—can only VIEW the information presented such as plans, documents, and emergency contact numbers. Regular MERP users have NO administrative permissions to make changes to the MERP content.

The facility leader will be assigned as a Level 1 Admin to allow for management of content and users. Level 2 Admins can be assigned to department leaders or others who may need to upload documents necessary during or for emergency incidents.

The following application controls are established to allow for limited and secure access:

  • Passwords must follow standard rules (i.e., more than 8 characters, must have 1 numeral, must have 1 capital letter, must have 1 character such as !, @, #, $, %, &) established to increase computer security and ensure reliable, secure passwords. If the password does not follow the rules, the individual creating the credentials will be prompted with them. Also, when a user is created, there is the option for the administrator to “lock password,” which prevents users from changing the password.
    • *Note:
      • Facility leader should establish how often passwords will be changed (e.g., 30, 60, 90, 180 days). Once passwords are changed, users must be notified of the change and will need to use the new password to log onto both web and mobile MERP application.
  • Credentials are NOT single sign-on. MERP is hosted on a secure, HTTPS website, and therefore can only be accessed if the user enters the web address and logs into MERP using their assigned credentials. Each user can sign on at the same time using the same credentials if the facility sets up MERP in that manner, or the facility leader can create multiple user credentials for each staff member.
  • Specific to the mobile application, users must use the credentials assigned to them to access the facility emergency operations plan content. The security of each mobile device is at its user’s own discretion; therefore, Safeguard Risk Solutions suggests that the facility leader create policies regarding app use on personal/mobile devices.
  • Users will need to be assigned to specific groups within the MERP system. Each group is given permissions that determine which emergency operations plans and documents its users are able to access and view.
  • ***CONTENT IMPORTED/ADDED/EDITED INTO MERP MUST NOT CONTAIN ANY CONFIDENTIAL INFORMATION SUCH AS PROTECTED INFORMATION (PERSONAL INFORMATION) ***
    • Facility emergency operations plans do not contain any PERSONAL INFORMATION, therefore NO PERSONAL INFORMATION or any confidential information should be included anywhere within the MERP application. Once again, MERP is customizable by the purchaser of the product and does not come with any confidential information. The facility leader assigned as a Level 1 Administrator or Level 2 Administrators (able to ONLY upload documents as supporting files) should be cautious and review any and all information to be used in the MERP application and avoid use of any confidential information that would not be normally distributed/available to the public. Again, this platform is not to be used as a means of distributing employee information or confidential information.

Security is important to Safeguard Risk Solutions. If you have any questions or require more information about MERP, please contact us at info@Safeguard Risk Solutions.com.