
RFP Responder Search Tool

Information Security - Review and Penetration Testing

Q:

Internal Security Review / Penetration test performed by internal resources.

Security review / penetration test performed by a trusted source.

Do you perform vulnerability penetration tests for internal and externally facing information systems and hosted applications at least annually?


A:

Omegabit performs regular security and hardening testing on an ongoing basis. The most recent comprehensive scan testing was completed in April of 2017. Customer-specific testing is implemented on a case-by-case basis and is ongoing. This information is sensitive in nature, both in terms of methods and outcomes. Schedules, related information, outcomes and actions are documented and shared privately with customers via secure online collaboration tools supplied by Omegabit.

Omegabit performs its own regular penetration and threat testing as well as active detection and prevention countermeasures. Third party penetration testing is also frequently performed against customer implementations in cooperation with the application sponsors, typically, the hosting customer. This includes testing performed by independent agencies and customer security teams.

Automated, human-reviewed and assessed vulnerability scanning is a regular, ongoing practice and a normal part of operations. Protections range from continuous scanning to planned and targeted exploit testing. This is a professional specialty of Omegabit, and is performed for its own benefit, for its Client and tenant installations, and also frequently in cooperation with Client security teams against external secure targets.


Physical Security

Q:

Do you have a Physical Security Document?


A:

This is documented in the Omegabit Internal Operations Wiki.


Personnel & Contractors - Onboarding Requirements

Q:

Do you perform background screening of individuals as part of your hiring/on-boarding procedures (including contractors)? If yes, does it include:

Do you perform National Social Security Search?

Do you request/verify Work Authorization?

Do you perform Credit Check?

Do you require Drug Test?

Do you verify Education Verification?

Do you verify Employment History?

Do you require Re-screening?

Do you request FBI Fingerprint Check?

Do you utilize the Patriot Act/Office of Foreign Asset and Control (OFAC) Watch List?


A:

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes, if required per Client security clearance for team members.

Yes. We do perform a criminal background check via credible commercially and publicly available sources.

Available on a needs basis for special clearance.


Systems Maintenance - Patch Management

Q:

Systems Maintenance / Patch Management


A:

Patch management is documented with visibility for the customer and application sponsors via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.


Information Security - Data Retention

Q:

Data Retention


A:

Data retention policies are automated with regular human audit verification, and also vary by customer and compliance requirements. See attachment Federal Reserve Bank of NY-Omegabit SOW-SLA_DRAFT-PROPOSAL 3.7.3 for standard terms, which can be adjusted to meet the specific needs of this implementation.


Asset Management

Q:

Do you have an Asset Management Policy?


A:

Physical asset management is documented in the Omegabit Internal Operations Wiki as part of its asset controls for company servers and equipment. This information cannot be shared due to its proprietary and sensitive nature, but is comprehensive in nature and regularly updated to keep current with inventory control.


Information Classification and Handling

Q:

Information Classification and Handling


A:

Classifications are established by tenant type and compliance requirements. This is documented in the Omegabit Internal Operations Wiki; working procedures are documented in a "living", version-controlled and workflow-approved electronic wiki format, which is continuously maintained and updated to keep current with modern standards and best practices, security methods, etc., as they evolve. Full content is obfuscated due to its proprietary and sensitive nature.


Information Security - Insider Threat

Q:

Do you train employees and contractors on recognizing and reporting potential indicators of insider threat?

Information security (IS) organization structure (provide organization chart including where IS function resides in organization - individual names of employees can be redacted)

Do you have a dedicated information security team?

Systems Maintenance / Patch Management

Do you have a process that monitors insider threat?


A:

Yes; relevant staff are trained to be suspicious of all modes of threat including that which may be internally sourced.

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Patch management is documented with visibility for the customer and application sponsors via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

This is overseen by Senior Information Security officers and verified via electronic audit and change control systems, and monitors, which cannot be altered without evidence of tampering. Sensitive access is compartmentalized and limited to trusted and fully vetted individuals who have an established trust relationship and long-standing reputation for the handling of mission critical data and applications for our customers.


Information Security - Org Chart/Team

Q:

Information security (IS) organization structure (provide organization chart including where IS function resides in organization - individual names of employees can be redacted)

Do you have a dedicated information security team?

Is there an individual assigned responsibility as the senior information security officer or equivalent?


A:

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Christopher Lee Stavros, President and CTO of Omegabit, LLC; cstavros@omegabit.com - 805-748-9641; 20+ years InfoSec experience with commercial applications in government, finance, education, healthcare and consumer brands.


Systems Maintenance - Patch Management

Q:

Systems Maintenance / Patch Management Documentation

Does the customer have any control on applying patches, upgrades, and changes to the SAAS app

How are upgrades, patches and other maintenance performed? How is this communicated to the customers?


A:

Patch management is documented with visibility for the customer and application sponsors via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

Yes, to the limits deemed appropriate by the customer.  Omegabit manages Liferay installations that vary from completely managed environments, to mixed managed environments where Omegabit assumes control of production but not development environment, to a more traditional turnkey approach.  In all cases, Omegabit will work with the Customer to ensure that best practices are followed, and is able to provide recommendations on methods and procedures that will help ensure the smooth rollout, operation and maintenance of the application and runtime environments.

Patches relating to security or access control will be prioritized over other non-critical tasks and expedited wherever possible.  Software patches requiring special personnel or procedures, an extended outage, or client-side testing and coordination will be applied at best possible speed, and typically take a minimum of 48 hours and up to 5 business days to coordinate and execute.  All outages are coordinated with Client, except where necessitated by emergency repair.


Information Security - SOC 2, HIPAA, FERPA, FEDRAMP, PCI

Q:

Do you have documented physical security policy and procedures?

SSAE 16 / ISAE 3402 SOC 2 Type II audit or equivalent performed by a trusted source

Do you process, store or transmit FRS sensitive PII or PHI? If yes, are there documented Privacy Management Program policy and procedures?

Do you employ independent assessors or assessment team to conduct assessment of the security controls in information systems and services?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

ref: SOC 2 Type II Facilities Compliance Report for Omegabit colocation facilities managed by Digital West and alternate providers (available on request).

All Omegabit facilities are audited by third-party compliance services for SOC 2 compliance and are maintained to PCI compliance standards by default. Omegabit hosted infrastructure is also frequently vetted and audited on a per-customer basis where specific compliance, e.g. PCI, FERPA, FEDRAMP, HIPAA, is required. These certifications must occur against the customer implementation and are typically performed in cooperation with the application sponsor and Client.

This technically falls under the control of our Client tenants with these requirements and their specific custom application design and implementation. However, we play a participating role in ensuring that issues relating to SOC 2/facilities compliance, data storage and transfer, and managed operations and procedures are handled in a manner that is commensurate with Client requirements. Actual secure data transmissions are accomplished via BOVPN, IPS, SSH, HTTPS, LDAPS, or similarly secure means at the discretion of the customer and their custom application design. All popular means are supported and can be enabled and secured on request. Data storage encryption is also available on request.

This is performed on a per-Client, case-by-case basis as required by the Client, in cooperation with the auditing service or agency of their choosing. Omegabit is able to self-certify and/or work with Client-designated teams. Omegabit has established PCI, HIPAA, FERPA, and similar compliance with customers across various verticals and custom application designs. These assessments must be done on a per-Client, case-by-case basis and be specific to the custom software implementation to be relevant. Compliance certifications, with the exception of Omegabit's SOC 2 facilities compliance, are not transferable across Client tenants, by definition.

The SOC 2 compliance audit is performed every 18-24 months.


Information Security - Life Cycle

Q:

Secure Systems Development Life Cycle

Do you deploy a system development life cycle methodology that includes security considerations, roles and responsibilities during each phase of the life cycle?


A:

This is an inherent practice; all security-related procedures are reviewed, exercised, and improved on an ongoing basis to keep pace with industry standards and evolving threats. Reviews occur on a daily basis.

Liferay: yes; Liferay not only follows industry-standard methodology but is the authority and provider of integration and change management tools to support best practices when developing with the DXP framework. Omegabit is able to integrate with any preferred methodology elected by the developer team (agile, sprint, etc.), and is available to help with the integration of automation, tooling, and other developer facilities to aid with the ongoing development lifecycle and maintenance of a "living" portal implementation.


Information Security - Wireless

Q:

Do you have established usage restrictions and implementation guidance for wireless access?

Does wireless access require authorization before connection?

Are wireless connections encrypted using WPA2 or higher?

Do you monitor and restrict connection and use of unauthorized mobile devices, writable, removable media in information systems?

Do you employ full-device encryption or container encryption to protect the confidentiality and integrity of the client information on mobile devices?

Wireless Policy


A:

Ref: Omegabit Employee Handbook, Guidelines and Operations Wiki procedures.

Yes.

Any secure communications are further tunneled and wrapped in either IPSec or SSH, depending on the nature of the connection. All Wi-Fi connections, including LAN Wi-Fi, are hardened in the same way as public or unprotected network links.

Yes.

IPSec, SSL, SSH (256-bit)

Wireless Policy: This is documented in Part III, Section 6. Wireless Communication Standard, IT Security Handbook.


Social Media, Networking Policies

Q:

Do you have a policy that restricts the use of social media/networking sites and posting organizational information on public websites?


A:

Omegabit does not advertise or post knowledge of its customer activities or operations under any circumstance without the prior knowledge and consent of the affiliated party. ref: Part 1, Section 1: Acceptable Use Policy of Omegabit IT Security TOC


Inventory of Information Systems

Q:

Do you maintain an inventory of your information systems?

Exceptions to limits of support/service:


A:

● Base installation, configuration, and tuning 

● 24x7x365 monitoring and emergency response 

● Backups and disaster recovery management and execution 

● Comprehensive OS runtime container backups

● Disaster recovery and recovery rollback to point-in-time snapshots included

● Assistance with drop-in patches, upgrades and modifications to the runtime environments. 

● Regular OS patching and maintenance administration  

● Periodic log cleanups 

● Server restarts and the time needed in the event of OS patches and incremental (minor release) upgrades, including non-Liferay automated patching using OS auto-update facilities

● Server restarts in the event of unknown issues such as unexplained high utilization, a typical behavior necessitating a restart

● General Liferay support on feature behaviors and "out of the box" configuration settings 

● Troubleshooting and resolving runtime issues

Examples of work that will typically require additional labor outside the scope of the current Financial Summary include:


● Ongoing administrative support for sandboxing or custom configurations

● Advanced change management support

● Major release patching

● Environment customizations for proprietary operations and functionality

● Custom performance tuning and optimization, load testing, predictive analysis

● Developer logistics support

● Custom architecture and scale planning 

