Security & Compliance

1. Security Overview

VCPMS is purpose-built to safeguard the most sensitive categories of personal information in government systems: personally identifiable information (PII), protected health information (PHI), criminal justice records, and financial transaction data. Every architectural decision — from the cloud infrastructure layer to the application code — reflects a security-first design philosophy that places data protection at the core of the platform.

The system employs a multi-layered security approach (defense-in-depth) that spans six critical domains, ensuring that no single point of failure can compromise the confidentiality, integrity, or availability of victim data.

2. Compliance Framework

VCPMS operates within a comprehensive regulatory compliance framework that addresses the unique requirements of state victim compensation programs. The platform is designed to meet or exceed the standards mandated by federal and state regulations governing healthcare data, criminal justice information, and government information systems.

HIPAA Compliance

VCPMS handles protected health information including medical bills, treatment plans, counseling records, SANE examination data, and prescription information. All PHI is encrypted both at rest and in transit, access is restricted to authorized personnel on a need-to-know basis, and all access events are logged in tamper-proof audit trails. The platform implements all five categories of HIPAA technical safeguards: access controls, audit controls, integrity controls, transmission security, and entity authentication.

CJIS Security Policy

For states requiring CJIS compliance, VCPMS can be deployed on Azure Government Cloud — a physically isolated cloud environment that meets the most stringent criminal justice data requirements. All ASDCom development team members undergo background checks in accordance with CJIS requirements. Law enforcement reports (police reports, CHP reports, sheriff reports, DOJ records, FBI records, CPS reports) are protected with strict access controls, and all access is logged and auditable.

FedRAMP

VCPMS is hosted on FedRAMP-certified Microsoft Azure infrastructure with continuous monitoring, regular security assessments, and documented incident response procedures. The FedRAMP authorization provides assurance that the underlying cloud infrastructure meets the rigorous security requirements established by the federal government.

NIST 800-53 Security Controls

The platform implements security controls across all 20 NIST 800-53 control families, with particular emphasis on access control (AC), audit and accountability (AU), identification and authentication (IA), system and communications protection (SC), and system and information integrity (SI). Control mappings are documented and available for state security review.

VOCA/OVC Grant Compliance

VCPMS is designed to meet all Victims of Crime Act (VOCA) and Office for Victims of Crime (OVC) grant requirements, including performance measure reporting, subgrant monitoring, financial accountability, and data integrity standards. Built-in reporting templates generate VOCA-compliant reports, reducing the administrative burden on state programs.

ADA/WCAG 2.1 AA Accessibility

All VCPMS portals are designed and tested for WCAG 2.1 Level AA compliance, ensuring that victims, advocates, service providers, and staff with disabilities can fully access and use the system. This includes screen reader compatibility, keyboard-only navigation, sufficient color contrast ratios, alternative text for images, properly labeled form controls, and logical heading hierarchies.

3. Cloud Security (Microsoft Azure)

VCPMS is hosted exclusively on Microsoft Azure, leveraging the industry's most comprehensive set of compliance certifications and enterprise-grade security services. All data is stored and processed within United States data centers only, with no data ever leaving US borders.

Azure Infrastructure

Azure Security Services

High Availability

VCPMS is architected for high availability with multiple layers of redundancy to ensure uninterrupted service for victim compensation programs.

• Geo-dispersed redundant servers — Application instances run across multiple availability zones within a region, with disaster recovery instances in a geographically separate region
• Load balancing — Azure Load Balancer distributes traffic across healthy instances, automatically routing around failures
• Elastic scaling — Application tiers scale automatically based on demand, handling peak loads (e.g., annual reporting deadlines) without performance degradation
• Auto-scaling rules — CPU, memory, and request-based scaling rules trigger additional capacity within seconds of demand increases

4. Encryption

VCPMS implements comprehensive encryption to protect victim data at every stage of its lifecycle. All encryption mechanisms meet or exceed federal standards (FIPS 140-2), and encryption keys are managed centrally through Azure Key Vault with strict access controls and rotation policies.

Encryption at Rest

Encryption in Transit

• TLS 1.2 or higher enforced on all connections — older protocols (TLS 1.0, 1.1, SSL) are explicitly disabled
• HTTPS enforced for all web traffic — HTTP requests are automatically redirected to HTTPS
• SFTP / SSH preferred for file transfer integrations (e.g., payment batch exports, document imports)
• All wireless communications encrypted — WPA3 or WPA2-Enterprise required for any wireless access
• API communications secured with TLS 1.2+ plus API key and JWT token authentication
• Database connections encrypted with TLS between application tier and Azure SQL

Key Management

Encryption Integrity

• Regular updates — Encryption libraries and TLS configurations are updated promptly when new vulnerabilities are discovered
• Vulnerability scanning — Automated scans verify that only approved cipher suites and protocols are in use
• Documented procedures — Key generation, rotation, revocation, and destruction procedures are formally documented and auditable
• Compliance verification — Encryption configurations are verified against FIPS 140-2 and NIST guidelines during each security assessment

5. Multi-Factor Authentication (MFA)

Multi-factor authentication is configurable per tenant and can be required for all or specific user categories (back-office staff, victims, providers, advocates, law enforcement). When enabled, MFA is enforced at every login.

Authentication Methods

Identity Federation

• JWT Bearer + OpenIddict — Built-in authentication pipeline. Local accounts are the default; OpenIddict-based OAuth 2.0 / OIDC federation is available for integration with state identity providers.
• SAML / OAuth Federation — Integration-ready for state identity providers (e.g., Okta, Azure AD, ADFS, PingFederate). Named integrations require tenant-specific configuration and are not activated by default.
• SSO Token Acceptance — Once authenticated through a federated identity provider, users receive a signed SSO token valid for the configured session duration.

Session and Token Controls

• Maximum token validity: 24 hours — tokens expire and require re-authentication
• Idle session timeout: Configurable per tenant (typically 15-30 minutes of inactivity)
• Concurrent session limits: Administrators can restrict users to a single active session
• Session termination: Administrators can force-terminate any user session immediately

Password Policy

Login Protection

Tenant security settings including MFA enforcement, password policies, and session timeout configuration

6. Role-Based Access Control (RBAC)

VCPMS implements a comprehensive, four-level permission architecture that controls access at every layer of the application — from which pages a user can see, down to which fields are visible and which documents can be accessed. This granular approach ensures that every user sees only the information required for their specific role and responsibilities.

4-Level Permission Architecture

5 Permission Types

Each permission type can be independently assigned at every level, creating fine-grained control. For example, a user may have View and Search permissions on claims but no Add, Update, or Delete permissions — creating an effective read-only auditor role.

Data Masking

Sensitive data is automatically masked based on user permissions and context to prevent unauthorized exposure of PII.

• Social Security Numbers (SSN) — Displayed as ***-**-1234 (last 4 digits only) to all users except those with explicit SSN access permissions
• Victim Date of Birth — Hidden or masked on screens and reports for users without demographic access
• Protected Notes — Confidential case notes visible only to designated staff roles
• PII on Screens and Reports — Dynamic masking applied based on the user's role, the data classification, and the context (screen display vs. printed report)
• Anonymous Identifiers — External-facing portals use anonymous case numbers rather than victim names or personal identifiers

Multi-Tenant Data Isolation

• Tenant isolation on all entities — Every database record includes a mandatory TenantId field, and the ABP framework automatically filters all queries to prevent cross-tenant data access
• Jurisdiction scoping — Users can only access data within their assigned organizational unit and jurisdiction
• External user restrictions — Victims, service providers, advocates, and law enforcement officers can only see their own cases, claims, and submissions

User Categories

Role Management interface with permission assignment across system, page, field, and document levels

User Management interface showing user accounts with assigned roles and permission levels

Organization Units hierarchy for jurisdiction-based access scoping and data isolation

7. Audit Trails

VCPMS maintains comprehensive, tamper-proof, read-only audit trails that record every significant action performed within the system. Audit records capture who performed an action, what was changed, when the change occurred, and where the request originated (IP address, client type, session identifier). These trails are essential for compliance reviews, appeals processes, fraud investigation, and unauthorized access detection.

Audited Events

Audit Trail Characteristics

• Tamper-evident — Audit records (DomainEntityActivity, TriggerActionLog) are treated as write-once, append-only by the application. No application user or administrator can modify or delete audit entries through any application interface.
• Read-only at application layer — Audit data is accessible for review and export. Database-level immutability relies on Azure SQL role separation and access controls; SQL Server Ledger tables can be enabled at the deployment level for cryptographic immutability where required.
• Timestamped — All entries use UTC timestamps synchronized via Azure time services for accuracy across time zones
• Linked to identity — Every audit entry is tied to an authenticated user identity, including federated identities from state IdPs
• Retained per policy — Audit retention periods are configurable per tenant to meet state-specific regulatory requirements (typically 7+ years)

Audit Reporting

• Compliance reviews — Generate audit reports for scheduled compliance audits, covering any date range, user, entity type, or action category
• Appeals support — Complete audit trails for individual claims provide the evidentiary basis for appeals and hearings
• Unauthorized access tracking — Automated alerts for unusual access patterns (e.g., accessing records outside assigned caseload, after-hours access, bulk data exports)
• Jurisdiction-specific trails — Audit data is scoped to each tenant, ensuring state-specific audit requirements are met without exposing data from other jurisdictions

Audit Log viewer with detailed event history, filterable by date range, user, action type, and entity

8. HIPAA Compliance

Victim compensation programs routinely process protected health information (PHI) including medical bills, treatment plans, counseling records, Sexual Assault Nurse Examiner (SANE) examination data, and prescription information. VCPMS implements the full suite of HIPAA technical safeguards to ensure this data is handled in strict compliance with federal health information privacy law.

Health Information Protected by VCPMS

HIPAA Technical Safeguards

9. CJIS Compliance

Many victim compensation claims involve criminal justice information (CJI) including police reports, arrest records, court documents, and law enforcement investigation details. VCPMS aligns with the FBI Criminal Justice Information Services (CJIS) Security Policy to ensure this data is handled with the strictest protections required by federal and state law enforcement agencies.

CJIS Security Policy Alignment

Law Enforcement Records Protection

VCPMS protects the following categories of law enforcement reports and criminal justice data with CJIS-compliant controls:

• Police reports — Municipal and county law enforcement incident reports
• CHP reports — California Highway Patrol accident and incident reports
• Sheriff reports — County sheriff department investigation reports
• DOJ records — Department of Justice criminal history and case records
• FBI records — Federal Bureau of Investigation case information
• CPS reports — Child Protective Services investigation reports

Background Checks on Development Team

All ASDCom development team members undergo comprehensive background checks including criminal record searches, employment verification, and reference checks. Personnel with access to systems containing CJI undergo additional state-level fingerprint-based background checks in accordance with CJIS policy requirements. Background check results are maintained in confidential personnel files and reviewed annually.

10. Business Continuity & Disaster Recovery

VCPMS is engineered for maximum resilience with comprehensive business continuity and disaster recovery (BC/DR) capabilities. The platform is designed to maintain operations even during significant infrastructure failures, with automated failover mechanisms that minimize or eliminate service interruptions for victim compensation programs.

Backup Strategy

Geo-Redundancy

• Multi-region replication — Production data is continuously replicated to a secondary Azure region in a different geographic area
• Disaster recovery site — A standby environment in a geographically separate region is maintained in warm-standby mode, ready to assume production traffic
• Redundant power and connectivity — Azure data centers feature redundant power supplies, cooling systems, and network connections with diverse physical paths

Failover Mechanisms

Recovery Objectives

Business Continuity Plan

ASDCom maintains a formal Business Continuity Plan (BCP) that encompasses the following elements:

• Business Impact Analysis (BIA) — Identifies critical business functions, dependencies, and acceptable disruption thresholds for each VCPMS component
• Risk Assessment — Comprehensive evaluation of threats, vulnerabilities, and their potential impact on service delivery
• MAO / RTO / RPO Definitions — Maximum Acceptable Outage, Recovery Time Objective, and Recovery Point Objective established for each service tier
• Annual Testing Program — The BCP is tested annually through multiple exercise types, with findings documented and remediated

Annual BC/DR Testing

Disaster Type Assessment

Escalation Matrix

11. Vulnerability Management

VCPMS maintains a proactive vulnerability management program that identifies, assesses, and remediates security weaknesses before they can be exploited. The program combines automated scanning, manual penetration testing, and continuous monitoring to maintain the highest security posture.

Vulnerability Scanning

Penetration Testing

• Regular testing schedule — Penetration tests are conducted on a regular basis by both internal security staff and third-party testing firms
• Simulated attack scenarios — Tests simulate real-world attack vectors including social engineering, network penetration, application-level attacks, and insider threat scenarios
• CISO-scheduled annual tests — The Chief Information Security Officer schedules comprehensive annual penetration tests with findings reported to executive management
• Third-party testing — Independent security firms conduct blind and informed penetration tests to provide unbiased assessment of security posture
• Privacy impact assessments — Conducted whenever new features or integrations could affect the collection, storage, or processing of PII or PHI

Patch Management

12. Secure Software Development Lifecycle (SDLC)

VCPMS is developed using a rigorous Secure Software Development Lifecycle (SSDLC) that integrates security at every phase — from requirements gathering through deployment and ongoing maintenance. Security is not a gate at the end of development; it is woven into every step of the process.

Secure Coding Practices

• OWASP Standards — All development follows OWASP Secure Coding Practices and the OWASP Top 10 mitigation guidelines
• Input Validation — All user inputs are validated on both client and server sides using whitelisting, type checking, length constraints, and format verification
• Parameterized Queries — All database interactions use parameterized queries or ORM-generated queries (Entity Framework Core), completely eliminating SQL injection risk
• SQL Injection Prevention — Automated SAST scans and code review hooks detect and block any raw SQL concatenation before code can be merged
• XSS / CSRF Protection — Angular's built-in XSS sanitization combined with ASP.NET Core's anti-forgery tokens protect against cross-site scripting and request forgery attacks
• Code Obfuscation — Production JavaScript bundles are minified and obfuscated to deter reverse engineering
• Runtime Defenses — Content Security Policy (CSP) headers, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security headers are enforced on all responses

Code Review and Quality Gates

Development Security Infrastructure

• Git with GitFlow — All source code is managed in Git repositories using the GitFlow branching model, with protected branches and signed commits
• Quality gates — Automated quality gates in the CI pipeline block merges that fail SAST scans, unit tests, code coverage thresholds, or code review requirements
• Third-party component scanning — All NuGet packages (C#) and npm packages (TypeScript) are scanned against known vulnerability databases on every build
• Developer security certifications — ASDCom development team members hold industry-recognized security certifications including CISSP, CISA, and CompTIA Security+
• Source code escrow — Source code is maintained in escrow arrangements for state customers, ensuring continuity of operations even in unforeseen circumstances

Secure Deployment Pipeline

13. Privacy Controls

VCPMS is designed with privacy as a foundational principle, recognizing that victim compensation programs handle the most sensitive personal information about some of the most vulnerable members of society. The platform's privacy controls go beyond regulatory minimums to proactively protect victims of domestic violence, sexual assault, trafficking, and other crimes.

PII Protection

Privacy Principles

• Collect only as allowed by law — PII is collected only when authorized by applicable federal and state laws, and only for the specific purposes defined in those authorities
• Limit collection — The system is designed to collect the minimum amount of PII necessary to accomplish the stated purpose. Unnecessary data collection is prohibited
• No PII from browsing — VCPMS does not collect personally identifiable information from website browsing activities. No tracking cookies or behavioral analytics are used to identify visitors
• Inform of purpose — Individuals are notified of the purpose for data collection at the time of collection, including how the information will be used, shared, and protected
• Security safeguards — Appropriate administrative, technical, and physical safeguards are implemented to protect PII against loss, theft, unauthorized access, and disclosure
• SSL/TLS transmission — All data transmission uses SSL/TLS encryption. No PII is ever transmitted in cleartext over any network
• Staff training — All personnel who handle PII complete annual privacy training covering legal requirements, company policies, and incident reporting procedures

Communication Privacy: Virtual Secure Mail

VCPMS includes a Virtual Secure Mail (VSM) system that provides encrypted messaging between all parties in the compensation process — victims, claims staff, service providers, advocates, and law enforcement. VSM eliminates the need for paper mail and unencrypted email, providing critical safety protections.

• Encrypted messaging — All messages are encrypted in transit and at rest, with access limited to authenticated sender and recipient(s)
• Eliminates paper mail — Reduces the risk of sensitive documents being intercepted or discovered at a victim's physical address
• No unencrypted email — PII and case-related communications never travel through standard email, preventing interception and unauthorized access
• Protects DV/SA/trafficking survivors — Particularly critical for victims of domestic violence, sexual assault, and human trafficking, where physical mail or standard email could be monitored by perpetrators and endanger victim safety

Mobile Device Security

• PII not stored on devices — VCPMS is a web-based application that does not store PII on mobile devices or local storage unless specifically required for offline functionality
• Privacy impact assessments — Conducted before any mobile-accessible feature is released to evaluate PII exposure risk on mobile platforms
• Encryption required — Any device accessing VCPMS must have full-disk encryption enabled as verified by device compliance policies
• BYOD prohibitions — Personal devices used to access VCPMS must meet minimum security requirements enforced through Azure AD conditional access policies

14. Confidentiality

Strict confidentiality requirements are enforced for all personnel who have access to VCPMS systems or the data contained within them. These requirements extend beyond employment, creating enduring obligations that protect victim information indefinitely.

Confidentiality Statement Requirements

• Universal requirement — All employees, volunteers, contractors, and subcontractors must sign a comprehensive Confidentiality Statement before receiving any access to VCPMS systems or data
• Job-duty access only — Access to confidential information is permitted only when directly required for the performance of assigned job duties. No exceptions
• No curiosity access — Accessing records out of personal curiosity, interest, or any purpose unrelated to job responsibilities is strictly prohibited and subject to disciplinary action
• Secure storage — Any physical copies of confidential information must be stored in locked containers within secured areas accessible only to authorized personnel
• Disclosure restrictions — Confidential information may not be disclosed to any person, organization, or entity except as authorized by law or with explicit approval from the program administrator
• Law enforcement report protection — Law enforcement reports and criminal justice information receive the highest level of confidentiality protection in accordance with CJIS requirements

Ongoing Obligations

• Continue post-employment — The duty to protect confidential information survives termination, resignation, or contract completion with no expiration date
• Certification in personnel file — Signed Confidentiality Statements are maintained in personnel files as permanent records
• Violations subject to discipline, prosecution, and lawsuit — Breach of confidentiality may result in immediate termination, criminal prosecution under applicable federal and state laws, and civil liability for damages

15. Staff Vetting

ASDCom implements comprehensive personnel security measures to ensure that all individuals with access to VCPMS systems and victim data are trustworthy, qualified, and appropriately screened. These measures exceed industry standards and align with CJIS personnel security requirements.

Background Checks

Personnel Security

• Trusted status required — Privileged access to production systems (database administration, system configuration, key management) is granted only to personnel who have achieved trusted status through comprehensive vetting
• Oaths of confidentiality — All personnel sign oaths of confidentiality before receiving system access, with annual renewal and acknowledgment
• Regular screening — Background checks are not one-time events. Personnel in sensitive positions undergo periodic re-screening to ensure continued eligibility
• Security clearance tracking — For CJIS-related deployments, security clearance status is tracked and maintained, with automatic access revocation for lapsed clearances

Termination Procedures

• Debriefing — Departing personnel receive a formal security debriefing reminding them of ongoing confidentiality obligations
• Access revocation — All system access, VPN credentials, email accounts, and physical access tokens are revoked immediately upon separation (within 1 hour of notification)
• Security item retrieval — All company-issued devices, access badges, authentication tokens, and documentation are retrieved and inventoried before departure
• Post-departure audit — Recent access logs for the departing individual are reviewed for any unusual activity preceding their departure

16. Network Security

VCPMS network architecture is designed to minimize attack surfaces while maintaining the performance and reliability required for state government operations. Multiple layers of network security controls protect data at every point in the communication path.

Network Architecture Controls

• Documented network details — Complete network architecture documentation is maintained, including topology diagrams, IP addressing schemes, firewall rules, and data flow diagrams
• Redundancy — Network infrastructure includes redundant paths, load balancers, and failover mechanisms to eliminate single points of failure
• Minimized entry points — Public-facing endpoints are limited to the minimum necessary (HTTPS load balancers only). All other infrastructure is accessible only through private networks
• Secure protocols only — Only approved secure protocols are permitted (TLS 1.2+, SSH, SFTP). Legacy protocols (FTP, Telnet, SSL, TLS 1.0/1.1) are explicitly blocked
• Firewalls — Azure Network Security Groups (NSGs) and Azure Firewall provide multi-layer firewall protection with deny-by-default policies
• Vendor defaults changed — All default vendor credentials, ports, and configurations are changed before deployment. Default accounts are deactivated
• Guest accounts deactivated — No guest or anonymous accounts exist in any VCPMS infrastructure. All access requires authenticated identity

Network Security Measures

17. Physical Security

All VCPMS infrastructure is hosted in Microsoft Azure data centers, which implement world-class physical security measures. ASDCom does not operate its own data centers; instead, it leverages Azure's industry-leading physical security controls.

Data Center Physical Security

Physical Access Controls

• Key/card lock systems — All physical access points use electronic card readers with audit trails recording entry and exit times for all personnel
• Authorization required — Physical access to data center facilities requires prior authorization through a formal request and approval process
• Visitor escort policy — All visitors to data center facilities must be pre-approved, identification-verified, and escorted at all times by authorized personnel
• Media disposal — Failed or decommissioned storage media undergo NIST 800-88 compliant sanitization (degaussing, destruction, or cryptographic erasure) before leaving the facility

18. Work-From-Home Security

ASDCom recognizes that modern workforce arrangements include remote and hybrid work. Comprehensive work-from-home security policies ensure that remote access to VCPMS development and operations environments maintains the same security standards as on-premises access.

Remote Work Security Requirements

Incident Procedures

Remote workers are provided with clear incident reporting procedures to follow in the event of a security incident, device loss, or suspected compromise:

• Immediately report any suspected security incident to the ASDCom security team via the designated security hotline or secure messaging channel
• For lost or stolen devices, report immediately so that remote wipe can be initiated and access credentials can be revoked
• Preserve any evidence of the incident (screenshots, error messages, suspicious communications) for investigation
• Do not attempt to independently investigate or remediate security incidents — follow the established incident response chain

19. Monitoring & Incident Response

VCPMS implements comprehensive monitoring and incident response capabilities that provide 24/7 visibility into system health, security posture, and operational performance. The monitoring infrastructure is designed to detect anomalies early, alert responders quickly, and provide the diagnostic data needed for rapid resolution.

System Monitoring

Incident Response

• Comprehensive logging — All security events, access attempts, configuration changes, and data operations are logged with sufficient detail for forensic investigation
• Breach disclosure — In the event of a confirmed data breach, ASDCom will notify affected state customers within 24 hours in accordance with contractual obligations and applicable breach notification laws
• Escalation matrix — A formal escalation matrix (see Section 10) defines roles, responsibilities, and communication paths for incidents of varying severity
• Immediate notification — Critical security events (unauthorized access attempts, data exfiltration indicators, service compromises) trigger immediate automated notifications to the security team

Resilience Patterns