External Network Connections & Data Transfer Policy

🔌 External Network Connections

• eXpress badging® maintains external network connections to the Internet, intranet, and AWS cloud environments.

• All connections are routed through firewalls and access control lists (ACLs) to enforce least-privilege access.

• Scoped customer data is only transferred through secure electronic channels (never physical media).

🔒 Remote Access & Segmentation

• Remote access to internal resources is restricted to authorized endpoints with role-based access.

• VPN access is segmented from production systems to prevent lateral movement.

• AWS-hosted systems use separate VPCs and security groups to isolate external-facing services from internal administrative systems.

🛡️ Firewall & ACL Reviews

• Firewall rules and ACLs are reviewed quarterly as part of the security governance process.

• Rules are tested during vulnerability scans with Fortra VM and adjusted if risks are identified.

• No “allow any” rules are permitted on SonicWall or AWS firewalls.

• Related article: Firewall & Network Security Controls.

📶 Wireless Networking

• Wireless networking is in use at eXpress badging® facilities.

• Access is controlled by an approved and documented WiFi governance policy, including WPA3 encryption and role-based access.

• Related article: Network of eXpress badging® (WiFi Governance).

📤 Scoped Data Transfers

• Electronic only — Scoped Data is never moved via physical media.

• Secure transfer methods include:

  • Upload Center (Citrix ShareFile).

  • Direct entry into the Veonics® Portal.

• Email: Any PII data sent via email is automatically rejected and deleted. Customers are instructed to resubmit via approved secure channels.

• Encryption is enforced for all transfers, as detailed in: eXpress badging® Security at a Glance.

📊 NIST CSF 2.0 Alignment

Last Updated: 08/30/2025