Our Partners close more business.
Use these powerful resources to win more business, faster, with less effort.
Call 877-411-2220 x121 for personal support with any opportunity.
How To Use This Tool:
To find answers to common RFP and RFI questions, select a tag, or, search for terms like "security", "performance", etc. You will find common questions and answers grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available, below.
© Omegabit LLC, 2023
Access Control
Q:
Do you have a process that authorizes and maintains a list of authorized personnel, consultants and vendors for maintenance activities? If yes, do you grant temporary credentials for one-time use or a very limited time period?
Do you allow non-local maintenance? If yes, do you employ multi-factor authentication for all sessions and network connections, and terminate connection once completed?
A:
Database, search and other ancillary services operating within the Client private infrastructure are exclusive to the use of the Client and are not shared with any other user, Client, or application except where explicitly intended by the Client application design. All database services access is restricted by firewall, connecting client IP, unique user ID, view restrictions, and strong passwords. Omegabit will implement the most secure (off before on) style of access control by default, and coordinate with the Client to make informed, security-aware changes where required for the operation of the hosted application.
Access of this nature is always chaperoned.
All administration links require two-token VPN linked authentication (pass+complex trust key), or SSH tunnel, plus single factor authentication for console access, and additional secondary authentication for privileged access, by default. All restrictions and controls are configurable per Client requirements. Strong (15-char, complex) and unique passwords are employed, always. Optional Google two-token public authentication, digital certificates and personal keys are also supported on request. Hardware-based two-token authentication integration for Client systems is also supported as a customization.
Access Control Policy
Q:
Do you have documented access control policy and procedures?
A:
This is part of the IT Security Handbook.
Account Access approval
Q:
Do administration/privileged access accounts require additional approval by appropriate personnel (e.g., system owner, business owner, chief information security officer)?
A:
Yes. As it relates to backend access, Clients may designate authorized approvers and any required workflow, e.g., validation from an independent Client Security Team, for approval. Access is only provided where explicitly requested/approved, and access is strictly limited on a needs basis. Omegabit will recommend and follow best practices but defer to the Client on the preferred method of approval and determining what level of access is appropriate for its administrative users. As it relates to front-end (portal UI) access and control, this is typically under the direct management of the Client at implementation and can vary based on the desired workflow and use-case. Omegabit is able to advise Clients on the use of Liferay access and permissions controls, and other considerations relating to PCI and similar compliance; e.g., encryption of designated data within the Liferay application database. These options are available to Clients on request and are typically determined in collaboration with Client engineering teams at the time of the application design.
The details of the approval process are established at onboarding time and implemented as part of Omegabit's customer management workflow to help ensure quality of service for any/all requests.
Configured per Customer Operations Policy and SLA terms.
Account Access - automated process
Q:
Do you have an automated process to remove or disable temporary and emergency accounts after a predefined period of time?
Do you have an automated process to disable inactive accounts after a defined period of time?
Do you have an automated process to expire passwords on a periodic basis and users must change passwords within this period? If yes, at what frequency?
A:
This is a configurable setting in Liferay. This is an available option for Clients upon special request pertaining to Client hosted infrastructure.
Account suspended
Q:
Do you automatically suspend accounts after a maximum number of unsuccessful attempts? If so, what is that limit?
Do you require an administrator to unlock suspended accounts?
A:
This is a configurable setting in Liferay. This is an available option for Clients upon special request pertaining to Client hosted infrastructure.
Asset Management
Q:
Do you have an Asset Management Policy?
A:
Physical asset management is documented in the Omegabit Internal Operations Wiki as part of its asset controls for company servers and equipment. This information cannot be shared due to its proprietary and sensitive nature, but is comprehensive in nature and regularly updated to keep current with inventory control.
Asset Management - Inventory
Q:
Is there an asset management policy; and are all hardware and software assets maintained in an inventory system?
Do you employ automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of system components?
A:
Yes, see previously supplied responses on this tab and tab 1 for related answers.
Inventory is regularly audited and confirmed against metrics automatically reported by monitoring systems.
Audit and audit records
Q:
Do your audit records contain detailed information such as full text recording of privileged commands or the individual identities of group account users?
Do you have audit record storage capacity to maintain audit records for a significant amount of time?
Do you have documented audit and accountability policy and procedures?
Do you generate audit records that identify users and point in time when they accessed the system or service, and unauthorized access attempts?
Do you retain a list of auditable events that are adequate to support after-the-fact investigations of security events and audit needs? If yes, does the event list include execution of privileged functions?
A:
This is a configurable environment option.
Adjustable per Client requirements.
Auditing and documentation are extensive, and the method varies by task/layer of change in infrastructure; relevant changes are documented in customer-facing change management logs. Additional automated auditing is available as part of a custom configuration at any/all layers of the infrastructure by combining the appropriate facilities for each layer (Omegabit change management, inside OS runtime, inside Liferay runtime, etc.). Liferay also offers extensive customizable auditing features and capabilities for in-Liferay event logging. Liferay and Omegabit configurations are capable of supporting most any auditing requirement stipulated. Additional configuration and services fees may apply.
This is a configurable environment option.
This is a configurable environment option. Execution of privileged actions and escalation in the OS are logged. All facets of auditing and logging are configurable.

