About EDGEnet
EDGEnet is Federated Shareholder Services Company’s (FSSC) powerful mutual fund trading and information gathering tool. It assists in the management of your operations by allowing you to place trades, retrieve account information and retrieve product information. Information is made available for retrieval in a variety of formats to suit your requirements. All of this is accomplished via an online connection, within a password-secured environment.
Features and Benefits
- Place trades and receive settlement and wiring information.
- Retrieve account balance and registration information.
- Access price, factor and historical or current day information.
- Generate reports when needed.
- Accessible through a secure online connection to protect the data transmission.
- Designed for efficient back office order entry, EDGEnet accommodates both mouse “point and click” as well as keyboard entry.
- Online interaction provides immediate feedback on trades and the most current information for your investment needs.
- All trading occurs on a single entry screen with account and product information readily available while trading.
- Ability to access price, factor and historical or current day information.
- Reports can be viewed online or printed to hard copy whenever you need them.
- Ability to look up transactions and open orders.
- EDGEnet executables reside on an in-house server, so software distribution and upgrades are eliminated.
Security Information
Overview
FSSC has long recognized the need to balance access and ease of use against an appropriate level of security in the design and implementation of online trading systems. EDGEnet, our pioneering online trading application, allows clients to place trades, receive settlement and wiring information, retrieve account balance and registration information, access price and factor information, and generate reports over an online connection.
EDGEnet, a powerful mutual fund trading and information-gathering tool based on electronic commerce technology, is designed to provide the next level of service to clients. The communications medium is the Internet or World Wide Web, a fast, efficient network of computers that serves as the conduit to let clients access the information they need.
We understand that in order to fully realize the benefits of the Internet, we must understand our clients' potential concerns and work with our clients to implement the best solutions.
Therefore, the information on this page describes our approach to making EDGEnet's information delivery over the Internet appropriately secure. It is intended for departmental managers, security auditors, information technology managers and other decision-makers to inform them about the security of our online application. It is also intended to communicate our commitment and forethought in planning, building, and testing EDGEnet.
Finally, this information is intended to advise you on the appropriate use of EDGEnet within your operational environment and to describe the policies and procedures that are your contribution toward making EDGEnet a secure environment in which to do business with us.
It is not the intent of this page to imply that EDGEnet or FSSC presents any guarantees regarding the security of its environment. The only perfectly secure system is one that no one is permitted to use. However, we believe that an appropriate level of security can be achieved through a comprehensive combination of design, user responsibility, and cooperation.
Our goal is to make the time you spend doing business with us as easy and secure as possible.
Disclaimer
It is in FSSC’s best interest to minimize the disruption created by change. However, security techniques and implementation practices are continually evolving. There may be compelling instances in the future where we believe it is appropriate to change or modify EDGEnet and its security architecture to take advantage of advancements in the technology.
In addition, because we rely on e-commerce industry-specific software tools and development practices which are themselves in a constant state of evolution, there is the possibility that changes in these tools and/or practices may necessitate a modification or change to EDGEnet.
Therefore, we reserve the right to change or modify EDGEnet to reflect evolving security tools and/or practices at any time without prior notice.
Should you have additional questions, please contact a Systems Client Consultant at 1-800-432-6106.
Security Approach
There is no single technique or technology which can guarantee a secure environment. We believe that it takes a combination of:
- technologies
- industry-standard practices
- partnership with the client
to create an environment that is appropriately secure - that is, an environment that balances accessibility and ease of use against the need to secure the system from unauthorized or inappropriate use.
Increased security necessarily creates greater obstacles, barriers that must be crossed legitimately. Despite the extra effort of carrying keys and taking our time to unlock doors, few of us would choose to forego the benefits of having secure locks on our homes and businesses. Likewise, although we have worked hard to make EDGEnet security as unobtrusive as possible, EDGEnet security measures may at times seem to be inconvenient. The security measures are appropriate to the kind of business you are transacting over the Internet.
Therefore, when EDGEnet security does prove to be inconvenient, we ask you to recall that these measures were put into place and are recommended for your benefit.
Security Technologies
Achieving an appropriately secure online trading environment requires the integration of multiple technologies and techniques. We have taken advantage of the following technologies in the design and implementation of EDGEnet.
Corporate Position Concerning the Handling of Data and Information
The following statement is taken from the Federated Hermes Privacy Policy and Notice.
Federated Hermes maintains physical, electronic, and procedural safeguards to protect your nonpublic personal information, and has procedures in place for its appropriate disposal and protection against its unauthorized access or use when we are no longer required to maintain the information. When Federated Hermes shares nonpublic personal information, the information is made available for limited purposes and under controlled circumstances. We require third parties to comply with our standards for security and confidentiality. These requirements are included in written agreements between Federated Hermes and such third-party service providers. Each of the following sections explains an aspect of Federated Hermes’ commitment to protecting your personal information and respecting your privacy.
As stated in our corporate Security Policy:
Security
We employ firewalls, encryption technology and user authentication systems (e.g. passwords and personal identification numbers), along with secured connections (digital certificates) where appropriate on our Internet systems to assure the security of data. A firewall is a combination of hardware and software that operates as a selective barrier to let only authorized traffic through to computer systems. The firewall protects both the computer systems and the information stored on them. Federated Hermes’ computer systems also generate system and application activity logs, which are reviewed regularly for anomalies and discrepancies, which are investigated thoroughly.
We use the latest industry standard encryption technology, Transport Layer Security (TLS), to protect private information transferred from your computer.
What is TLS?
TLS stands for Transport Layer Security. This technology is developed and adopted by all vendors producing secure Web-related software. It is used to establish a secure connection between your PC and the server. TLS allows you to transmit information in an encrypted manner, so all data transmitted between the server and your computer will be completely encrypted even while traveling across multiple networks.
Encryption is achieved through an electronic scrambling technology (developed by RSA, Inc.) that uses "keys" to encrypt and decrypt data. Basically, the information is scrambled for data transmission and can be reassembled in its original format only by someone who has the correct "key." Each party has a private "key" that no one can access, and a public "key" that can be passed back and forth among the parties. Information encrypted with a public key can be decrypted only with the associated private key. In other words, the information you send is encrypted using our public "key." It can only be decrypted by us using our private "key." The same goes for the information we send to your computer: we'll encrypt it using your public "key," but only you can decrypt it using the private "key" that you alone hold. To further enhance security, these "keys" are established at the beginning of your secure session and are used for that session only. The "keys" for each secure session are established and retired automatically by the TLS program; it is not necessary for you to learn to operate an encryption program.
Encryption
Federated Hermes, using the industry standard Transport Layer Security (TLS) encryption, provides the maximum encryption key length (up to 2048-bit) allowed by your browser when transmitting your information. When we talk about encryption, such as 256-bit encryption or 2048-bit encryption, we're referring to the length of the "keys" used to encrypt and decrypt data. The longer the key, the more secure the encrypted data. You could think of the key as a password, without which you can't decode a message. Basically, a 2048-bit key is like a 40-character password (and virtually impossible to decode).
Browser Security
To establish a secure session with our site, your browser must be TLS-compliant. You'll need a Web browser such as Chrome or Microsoft Internet Explorer that supports at least 256-bit encryption. Many other browsers will support encryption, but they may not provide the highest level of security available. To take full advantage of our site's security features, we strongly recommend upgrading to a browser that supports 2048-bit encryption. Newer versions of Chrome and Microsoft Internet Explorer have this capability.
Role-Based Security
EDGEnet supports the need for users to be assigned to different levels of access to the system. With role-based security, users see and have access to only those functions required by their role in your operation.
Authentication
An essential part of any security scheme is the need to "authenticate" the person attempting to log on. EDGEnet uses an industry-standard User ID/password implementation to verify that the person attempting to log on to EDGEnet is who they say they are and that they are an authorized EDGEnet user. In order to log on to EDGEnet successfully, the user must enter the correct user ID and password.
Data Privacy
Just as account, transaction, and other information that belongs to your institution should be viewed only by authorized staff, your institution's information should not be available to another institution using EDGEnet. The system uses web, networking and database management techniques to create an organizational model so that your account information is accessible only to your personnel.
Note: Should your internal auditors require additional details, they should contact a Systems Client Consultant at 1-800-432-6106.
Our information security (or cyber-security) program (“Program”) focuses on a defense in depth strategy. Defense in depth is an information assurance (“IA”) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (“IT”) system. It is intended to provide redundancy in the event a security control fails or a vulnerability is exploited. The redundancies involve personnel, procedures and technical aspects as necessary for the duration of a particular system’s life cycle. This allows us to be prepared for a wide range of possible threats.
Our Program includes:
- Documentation (including formalized information security policies, standards and procedures); and
- Protections against cyber-risk (including detection, analytics and monitoring, intrusion prevention, information gathering, and incident response); and
- Vendor diligence.
We use an integrated process involving the delivery of a range of capabilities that we believe are reasonably designed to aid against cyber-risk and/or information security, including intrusion detection, analytics and monitoring, intrusion prevention, information/intelligence gathering and incident response.
Intrusion Detection
Our intrusion detection capabilities endeavor to alert us to the presence of malicious or potentially harmful activity attempting to access or traverse relevant systems. These detection capabilities include Intrusion Detection Systems (“IDS”), Security Information and Event Management (“SIEM”) and Next Generation firewalls, among others.
Analytics and Monitoring
Our analytics and monitoring capabilities endeavor to provide our information security analysts with the ability to compile, analyze and monitor information about cyber activity and proactively protect against current and potential future cybersecurity threats and vulnerabilities. These analytics include, but are not limited to, cybersecurity preparedness analyses for vendors using a defined information security due diligence review process and our computer and network systems using vulnerability management scans, security information and event management log analysis and independent third-party penetration tests and risk assessments.
Intrusion Prevention
We have implemented intrusion prevention safeguards such as Next Generation firewalls, Intrusion Prevention Systems (“IPS”), encryption, web filtering, Virtual Private Networks (“VPNs”) and anti-malicious software, among others. These systems seek to proactively prevent cyber incidents.
Information Gathering
We recognize that it is imperative to constantly understand the current cyber threat (or other incident) landscape by gathering cyber-incident information which can be used to secure system environments. Our information security analysts endeavor to monitor the Financial Services Information Sharing & Analysis Center (“FS-ISAC”), information security blogs, websites, podcasts and government agency publications to understand the current cybersecurity threats.
Incident Response
We use a written Cybersecurity Incident Response Policy to address and manage the aftermath of a cybersecurity incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. We believe training is an important aspect of our incident response capability. In addition to training and prevention, we generally use a seven step process to mitigate and address cyber incidents:
- Incident discovery (including identification, analysis, initial containment and classification);
- Incident management (including assembling resources, situational assessment, communication planning, and delegation of responsibilities);
- Investigation (including forensics, containing/eradication/recovery planning, and assessing impact);
- Containment, eradication, recovery and remediation;
- Document and closure (including documenting incident, storing records, and closing incidents);
- Lessons learned (including conducting a review meeting and identifying improvements); and
- Testing (including periodic or focused tests and policy reviews/updates).
A cybersecurity incident can be fluid and require immediate and urgent response/action. As such, the steps could occur in a non-sequential manner. We view prevention, identification, analysis and containment as having the highest priority.
Industry Standard Practices
Achieving an appropriately secure online trading environment requires the adoption of and adherence to industry-standard security practices. The security management principles underlying these practices apply not only to EDGEnet but to almost any electronic commerce system. We have recognized the following practices in the design and implementation of EDGEnet.
Separation of Duties for Wire Transfer & ACH Settlement Destinations
At FSSC, there is a separation of duties between the management of EDGEnet and the management of Wire Transfer or ACH settlement destinations, requiring separate staff, procedures and systems. EDGEnet cannot be used to establish Wire Transfer or ACH settlement destinations (specifically the ABA number and Router ID). This separation provides a security checkpoint for transactions entered into EDGEnet and transmitted for processing.
Access Control
You are responsible for actively limiting access to EDGEnet to only those staff who have a legitimate business need. The most frequent cause of security breaches in this regard is human error: simple carelessness or disregard for industry-standard security policies and practices such as: not allowing staff to share passwords and IDs; not allowing the posting of user IDs and passwords on terminals or in other conspicuous locations; requiring users to log off at the end of each trading session; etc.
User-ID/Password Stewardship
The stewardship of EDGEnet user IDs and passwords is essential to creating a secure environment. You should impress upon your staff that their EDGEnet user ID and password are sensitive information. We recommend the following guidelines in the management of user IDs and passwords:
- Staff should never share the same user ID and password.
- User IDs and passwords should never be posted or hidden in a location where they can easily be found. Examples include desk drawers, underneath keyboards, etc.
- User IDs and passwords should never be written down or stored in a readable form. Special care should be taken when saving user IDs and passwords to a hard drive. User IDs and passwords saved to a hard drive should be encrypted.
In addition to securing user IDs and passwords, care needs to be taken in choosing a password. The following is a list of guidelines your staff should use when choosing a password.
Passwords should be created that:
- Are not based on common words found in the dictionary of any known current or dead language.
- Are not proper names, including all first and last names or initials, geographical locations, and other information that can be easily known by others.
- Do not use numbers that can be derived by others (For example, phone, Social Security, college or employee ID, license plate, credit card number, birth date, etc.).
- Are not similar to an individual’s first, last, or user name.
- Are not difficult to remember.
- Differ substantially from the previous one. A password must be significantly different each time a password is changed.
Attention to the Application Environment
It is important for users to thoroughly familiarize themselves with the EDGEnet environment so they can recognize its features and functionality. Attention in this regard can alert users to discrepancies which may signal a potential security problem.
For instance, malicious individuals have been known to create "spoof" sites which on the surface look like a popular site but which operate simply to record User IDs and passwords. The Internet address of the bogus site may be a slight variation on the legitimate site's address to increase the chances that an inattentive user will type in the variation instead of the legitimate address. The initial presentation of the bogus site is made to mirror the legitimate site, including a request for the user's User ID and password. These items are then captured and stored.
You should impress upon your staff that, for any e-commerce site including EDGEnet, entering the proper URL correctly is critical. Unless the user is attentive, he or she could connect inadvertently to the wrong site. When connecting to EDGEnet (or to any e-commerce site), care must be taken to ensure that the proper Internet address is used. Once the connection is made, attention should be paid to the characteristics of the site which prove or disprove its legitimacy as a secure environment.
The correct URL for EDGEnet is: https://edgenet.federatedinvestors.com
We recommend that users bookmark the URL for EDGEnet and use the bookmark to connect to EDGEnet instead of typing the URL in the browser's address field.
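The address check described above, written out as an added example (it is not FSSC's or EDGEnet's own code): each URL is compared against the address given on this page, and slight variations of it are flagged. The sample URLs, the example.net and example.org hosts, and the edit-distance threshold of 2 are constructed for illustration.

```python
from urllib.parse import urlsplit

# The one address this page gives for EDGEnet.
LEGIT_SCHEME = "https"
LEGIT_HOST = "edgenet.federatedinvestors.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'insecure', 'lookalike' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
        port = parts.port
    except ValueError:                             # malformed host or port
        return "unrelated"
    if host == LEGIT_HOST:
        # Right host, but only the https form is the documented address.
        if parts.scheme == LEGIT_SCHEME and port in (None, 443):
            return "legitimate"
        return "insecure"
    # The real name embedded in another domain, or placed before '@' so that
    # the browser actually connects to whatever host follows it.
    if LEGIT_HOST in host or LEGIT_HOST in (parts.username or "").lower():
        return "lookalike"
    # A slight typing variation of the whole host name.
    if host and edit_distance(host, LEGIT_HOST) <= max_distance:
        return "lookalike"
    return "unrelated"


# Constructed sample input, e.g. URLs pulled from a proxy log or a help-desk ticket.
SAMPLE_URLS = [
    "https://edgenet.federatedinvestors.com",
    "http://edgenet.federatedinvestors.com",
    "https://edgenet.federatedinvesters.com",
    "https://edgenet.federatedinvestors.com.example.net/",
    "https://edgenet.federatedinvestors.com@login.example.net/",
    "https://www.example.org/",
]


def review(urls):
    """Map each URL to its classification."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in review(SAMPLE_URLS).items():
        print(f"{verdict:10}  {url}")
```
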
Security Partnership
Achieving an appropriately secure online trading environment requires an ongoing partnership between you and FSSC. The importance of your cooperation cannot be overstated.
EDGEnet security requires your active participation. Your commitment to the technology, your enforcement of commonly accepted security practices, and your willingness to partner with us in security efforts are the most important ingredients in creating a secure environment.
Organizational Changes
You should strive to keep us informed in a timely fashion about organizational changes which could affect EDGEnet security. These changes include terminations, reassignments of duties, changes in reporting or problem escalation hierarchies, and so on.
Unless you notify us, we have no way of knowing that a staff member has resigned or been transferred or terminated. In particular, allowing staff members to leave your institution without notifying us of the change exposes your institution to the possibility that an ex-employee could use his or her access to EDGEnet to disrupt operational activities. This is especially true of terminated employees who might be motivated to conduct malicious activities. In all cases where staff have been transferred, reassigned or terminated, you should contact us promptly so that the user ID of the former employee can be disabled.
Role-Based Stewardship
When setting up user IDs in EDGEnet, you have the ability to assign different levels of access to your staff. Our experience has shown that most organizations create at least two levels of access:
Look-up privileges allow staff to look up or read information in EDGEnet but do not allow staff to enter or change transactions.
Full privileges allow staff to look up information, enter and change transactions.
In your role as an administrator, you should allow only those staff who have a business need to enter transactions the ability to do so. All other staff members who access EDGEnet should be assigned look-up privileges.
Reporting Security Problems
We rely on the timely reporting of any security problem or issue you may encounter. Should you identify or suspect a security problem, you should immediately report the circumstances to us so that we can work with you to take appropriate action. You can contact a Systems Client Consultant at 1-800-432-6106.
What do I need in order to get started?
On the EDGEnet Main Menu, under the Getting Started section, select Application for EDGEnet Access. Click on the Request for EDGEnet Logon Form (MS Word or PDF Format) and follow the instructions provided. If you have additional questions, please contact a Systems Client Consultant at 1-800-432-6106.