Evidence.com customers have varying risk profiles and different security needs. Many of the access control features can be enabled or disabled by customers as needed, or can be changed to meet a specific level of risk. The default settings for these security features were chosen to provide a strong level of security, while still maintaining flexibility and convenience. Customers are encouraged to evaluate these features and align them with their unique needs.
- Customisable password length and complex password requirements
- Customisable failed login limit and lockout duration
- Enforced session time-out settings
- Mandatory challenge questions when authenticating from new locations
- Multi-factor authentication options for user login and prior to administrative actions (one time code via SMS or phone call-back)
- Restrict access to defined IP ranges (limit access to approved office locations)
Authorisation & Permissions
- Granular role-based permission management
- Device-level permission management (for example, allow specific users to use the web-based interface, but not the mobile application)
- Integration with directory services for streamlined and secure user management
Auditing and User Reporting and Management
- Detailed, tamper-proof administrator and user activity logging
- Intuitive administration web portal to manage users, permissions and roles
- Intra-force, inter-force and external evidence sharing without data transfer, data duplication, physical media or email attachments
- Detailed chain-of-custody logging when sharing
- Revoke access to previously shared content
- Prevent a recipient of shared content from downloading or re-sharing evidence
Evidence.com includes features to ensure the integrity and authenticity of digital evidence. These features ensure the evidence meets chain-of-custody requirements and can be proven to be authentic and free from tampering.
- Forensic fingerprint of each evidence file using an industry-standard SHA hash function. Integrity is validated before and after upload to ensure no changes occurred during transmission.
- Full tamper-proof evidence audit records. Logs the when, who, and what for each evidence file. These records cannot be edited or changed, even by account administrators.
- Original evidence files are never altered, even when derivative works (video segments) are created.
- Deletion protection, including deletion approval workflows, deletion notification emails and a deletion remorse period to recover accidentally deleted evidence files.
Axon Platform Security
These are features and measures TASER and Axon have taken to secure Evidence.com and customer data.
Evidence data is encrypted in transit and while at rest in storage. FIPS 140-2 approved encryption ciphers (or stronger) are utilised. Axon maintains mature, audited encryption key management procedures.
Data Encryption in Transit:
- Robust TLS 1.2 implementation with 256 bit connection
- RSA 2048 bit key
- Perfect Forward Secrecy
Evidence Data Encryption at Rest:
- 256 bit AES encryption
Vulnerability Identification and Remediation
TASER and Axon conduct regular vulnerability assessments to improve Evidence.com and Axon security controls and processes. Identification programs include frequent vulnerability scans and at least quarterly penetration tests performed by highly specialised and vetted 3rd party security firms. All identified vulnerabilities are evaluated by the TASER Information Security team, assigned risk and remediation time frames, and tracked through remediation.
Security Monitoring and Response
TASER and Axon employ a dedicated Security Operations team to monitor the security of the Axon platform, including Evidence.com. The team is highly skilled and able to respond immediately to threats and malicious actors.
Hackers and other malicious actors move fast, and they take advantage of entities that can’t keep their systems up to date and secure. Evidence.com is delivered as Software as a Service: security patches are applied well within vendor recommendations, and the Axon Platform also frequently receives security upgrades. These frequent security updates and upgrades come out of the box with Axon’s Evidence.com service and do not require your interaction. The product and platform security upgrades and patches are applied during Evidence.com's Maintenance Schedule.
By having a laser focus on security and aggressively investing to maintain such security, we are able to deploy and appropriately manage advanced security tools and threat prevention solutions that are cost- or resource-prohibitive to individual forces. Unlike what you would find with off-the-shelf anti-virus software that you install yourself, we offer advanced protections that deter even the most sophisticated attackers. We have finely tuned web application firewalls, leverage security intelligence tools for continuous monitoring, and deploy layers of defence to detect and react to malicious activity.
Shared Security Responsibility
It is important for customers to understand the measures that TASER and Axon have taken to secure Evidence.com, as customers inherit our advanced security capabilities, controls and programmes. This security inheritance enables customers to achieve levels of data security that far exceed what is feasible in on-premise or hybrid solutions. However, it is also critically important for customers to understand and implement the security practices that are within their responsibility and control.
Fortunately, we are here to help. In addition to the customisable Evidence.com security features, TASER and Axon have developed numerous resources to provide guidance and instruction on ensuring the security of data retained in Evidence.com.
Security Matters Webinar Series
Reporting security issues or vulnerabilities
If you know or suspect security issues with an Evidence.com account or if you believe you have discovered a security vulnerability on Evidence.com or with an Axon product, please email [email protected] with a thorough explanation of the issue or vulnerability. Please give us reasonable time to investigate and mitigate the issue before sharing information with others.
All non-security-related issues should be directed to TASER Customer Support.