Our Partners close more business.

Use these powerful resources to win more business, faster, with less effort.  
Call 877-411-2220 x121 for personal support with any opportunity.


How To Use This Tool:

To find answers to common RFP and RFI questions, select a tag or search for terms like "security", "performance", etc. You will find common questions and answers grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.

Please login to obtain download access to additional supporting documentation.  Registered users can also contribute to the database.  You can request access by Contacting Us.

© Omegabit LLC, 2023


Information Security - Review and Penetration Testing

Q:

Internal Security Review / Penetration test performed by internal resources.

Security review / penetration test performed by a trusted source.

Do you perform vulnerability penetration tests for internal and externally facing information systems and hosted applications at least annually?


A:

Omegabit performs regular security and hardening testing on an ongoing basis. The most recent comprehensive scan testing was completed in April of 2017. Customer specific testing is implemented on a case basis and is ongoing. This information is sensitive in nature both in terms of methods and outcomes. Schedules, related information, outcomes and actions are documented and shared privately with customers via secure online collaboration tools supplied by Omegabit.

Omegabit performs its own regular penetration and threat testing as well as active detection and prevention countermeasures. Third party penetration testing is also frequently performed against customer implementations in cooperation with the application sponsors, typically, the hosting customer. This includes testing performed by independent agencies and customer security teams.

Automated and human-reviewed and assessed vulnerability scanning is a regular and ongoing practice and normal part of operations. Protections range from continuous scanning to planned and targeted exploit testing. This is a professional specialty of Omegabit, and is performed for its own benefit, for its Client and tenant installations, and also frequently in cooperation with Client security teams against external secure targets.


Physical Security

Q:

Do you have a Physical Security Document?


A:

This is documented in the Omegabit Internal Operations Wiki.




Personnel & Contractors - Onboarding Requirements

Q:

Do you perform background screening of individuals as part of your hiring/on-boarding procedures (including contractors)? If yes, does it include:

Do you perform National Social Security Search?

Do you request/verify Work Authorization?

Do you perform Credit Check?

Do you require Drug Test?

Do you verify Education Verification?

Do you verify Employment History?

Do you require Re-screening?

Do you request FBI Fingerprint Check?

Do you utilize the Patriot Act/Office of Foreign Assets Control (OFAC) Watch List?


A:

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes, if required per Client security clearance for team members.

Yes. We do perform a criminal background check via credible commercially and publicly available sources.

Available on a needs basis for special clearance.


Information Security - Data Retention

Q:

Data Retention


A:

Data retention policies are automated with regular human audit verification, and also vary by customer and compliance requirements. See attachment Federal Reserve Bank of NY-Omegabit SOW-SLA_DRAFT-PROPOSAL 3.7.3 for standard terms, which can be adjusted to meet the specific needs of this implementation.




Asset Management

Q:

Do you have an Asset Management Policy?


A:

Physical asset management is documented in the Omegabit Internal Operations Wiki as part of its asset controls for company servers and equipment. This information cannot be shared due to its proprietary and sensitive nature, but is comprehensive in nature and regularly updated to keep current with inventory control.




Information Classification and Handling

Q:

Information Classification and Handling


A:

Classifications are established by tenant type and compliance requirements. This is documented in the Omegabit Internal Operations Wiki; working procedures are documented in a "living", version-controlled and workflow-approved electronic wiki format, which is continuously maintained and updated to keep current with modern standards and best practices, security methods, etc., as they evolve. Full content is withheld due to its proprietary and sensitive nature.




Information Security - Insider Threat

Q:

Do you train employees and contractors on recognizing and reporting potential indicators of insider threat?

Information security (IS) organization structure (provide organization chart including where IS function resides in organization - individual names of employees can be redacted)

Do you have a dedicated information security team?

Systems Maintenance / Patch Management

Do you have a process that monitors insider threat?


A:

Yes; relevant staff are trained to be suspicious of all modes of threat including that which may be internally sourced.

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Patch management is documented with visibility by the customer and application sponsors via security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

This is overseen by Senior Information Security officers and verified via electronic audit and change control systems, and monitors, which cannot be altered without evidence of tampering. Sensitive access is compartmentalized and limited to trusted and fully vetted individuals who have an established trust relationship and long-standing reputation for the handling of mission critical data and applications for our customers.




Information Security - Org Chart/Team

Q:

Information security (IS) organization structure (provide organization chart including where IS function resides in organization - individual names of employees can be redacted)

Do you have a dedicated information security team?

Is there an individual assigned responsibility as the senior information security officer or equivalent?


A:

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Christopher Lee Stavros, President and CTO of Omegabit, LLC; cstavros@omegabit.com - 805-748-9641; 20+ years InfoSec experience with commercial applications in government, finance, education, healthcare and consumer brands.




Information Security - SOC 2, HIPAA, FERPA, FEDRAMP, PCI

Q:

Do you have documented physical security policy and procedures?

SSAE 16 / ISAE 3402 SOC 2 Type II audit or equivalent performed by a trusted source

Do you process, store or transmit FRS sensitive PII or PHI? If yes, are there documented Privacy Management Program policy and procedures?

Do you employ independent assessors or assessment team to conduct assessment of the security controls in information systems and services?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

ref: SOC 2 Type II Facilities Compliance Report for Omegabit colocation facilities managed by Digital West and alternate providers (available on request).

All Omegabit facilities are audited by third-party compliance services for SOC 2 compliance and are maintained to PCI compliance standards by default. Omegabit hosted infrastructure is also frequently vetted and audited on a per-customer basis where specific compliance, e.g. PCI, FERPA, FEDRAMP, HIPAA, is required. These certifications must occur against the customer implementation and are typically performed in cooperation with the application sponsor and Client.

This technically falls under the auspices of our Client tenants with these requirements and their specific custom application design and implementation. However, we play a participating role in ensuring that issues relating to SOC 2/facilities compliance, data storage and transfer, and managed operations and procedures are handled in a manner commensurate with Client requirements. Actual secure data transmissions are accomplished via BOVPN, IPS, SSH, HTTPS, LDAPS, or similarly secure means at the discretion of the customer and their custom application design. All popular means are supported and can be enabled and secured on request. Data storage encryption is also available on request.

This is performed on a per-Client case basis as required by the Client in cooperation with the auditing service or agency of their choosing. Omegabit is able to self-certify and/or work with Client-designated teams. Omegabit has established PCI, HIPAA, FERPA, and similar compliance with customers across various verticals and custom application designs. These assessments must be done on a per-Client case basis and be specific to the custom software implementation to be relevant. Compliance certifications, with the exception of Omegabit's SOC 2 facilities compliance, are by definition not transferable across Client tenants.

The SOC 2 compliance audit is performed every 18-24 months.




Information Security - Life Cycle

Q:

Secure Systems Development Life Cycle

Do you deploy a system development life cycle methodology that includes security considerations, roles and responsibilities during each phase of the life cycle?


A:

This is an inherent practice; all security-related procedures are reviewed, exercised, and improved on an ongoing basis to keep pace with industry standards and evolving threats. Reviews occur on a daily basis.

Liferay: yes; Liferay not only follows industry-standard methodology but is the authority on and provider of integration and change management tools to support best practices when developing with the DXP framework. Omegabit is able to integrate with any preferred methodology elected by the developer team (agile, sprint, etc.), and is available to help with the integration of automation, tooling, and other developer facilities to aid the ongoing development lifecycle and maintenance of a "living" portal implementation.




Information Security - Wireless

Q:

Do you have established usage restrictions and implementation guidance for wireless access?

Does wireless access require authorization before connection?

Are wireless connections encrypted using WPA2 or higher?

Do you monitor and restrict connection and use of unauthorized mobile devices, writable, removable media in information systems?

Do you employ full-device encryption or container encryption to protect the confidentiality and integrity of the client information on mobile devices?

Wireless Policy


A:

Ref: Omegabit Employee Handbook, Guidelines and Operations Wiki procedures.

Yes.

Any secure communications are further tunneled and wrapped in either IPSec or SSH depending on the nature of the connection. All Wi-Fi connections, including LAN Wi-Fi, are hardened in the same way as public or unprotected network links.

Yes.

IPSec, SSL, SSH (256-bit)

Wireless Policy: This is documented in Part III, Section 6. Wireless Communication Standard, IT Security Handbook.




Social Media, Networking Policies

Q:

Do you have a policy that restricts the use of social media/networking sites and posting organizational information on public websites?


A:

Omegabit does not advertise or post knowledge of its customer activities or operations under any circumstances without the prior knowledge and consent of the affiliated party. ref: Part 1, Section 1: Acceptable Use Policy of Omegabit IT Security TOC




Inventory of Information Systems

Q:

Do you maintain an inventory of your information systems?

Exceptions to limits of support/service:


A:

● Base installation, configuration, and tuning

● 24x7x365 monitoring and emergency response

● Backups and disaster recovery management and execution

● Comprehensive OS runtime container backups

● Disaster recovery and recovery rollback to point-in-time snapshots included

● Assistance with drop-in patches, upgrades and modifications to the runtime environments

● Regular OS patching and maintenance administration

● Periodic log cleanups

● Server restarts, time needed in the event of OS patches, incremental (minor release) upgrades including non-Liferay automated patching using OS auto-update facilities

● Server restarts in the event of unknown issues like unexplained high utilization, a typical behavior necessitating a restart

● General Liferay support on feature behaviors and "out of the box" configuration settings

● Troubleshooting and resolving runtime issues

Examples of work that will typically require additional labor outside the scope of the current Financial Summary include:

● Ongoing administrative support for sandboxing or custom configurations

● Advanced change management support

● Major release patching

● Environment customizations for proprietary operations and functionality

● Custom performance tuning and optimization, load testing, predictive analysis

● Developer logistics support

● Custom architecture and scale planning


Logging, Reporting, and Analytics

Q:

What logging and auditing features do you support?

Do you log intrusion and security events?


A:


Omegabit's active firewalls are constantly thwarting typical (and sometimes atypical) structured and automated attacks that are common on the Internet. We update hourly against a database of published threats, which are blocked before they ever reach the portal. That activity is logged and available for analysis by us for forensic and diagnostic purposes. But we typically do not report that information to the customer; it is stored at our cloud and firewall infrastructure levels. The exception is logs on the servers themselves (Apache, Tomcat, database, etc.), to which customers do have direct access, and we do sometimes help provide tools like Splunk for analysis. We also offer some exceptional monitoring and reporting options from Dynatrace, which the customer can use for deep visibility into application and runtime performance through a rich and intuitive web-based interface that is capable of generating automated reports.

Generally speaking, these threats are usually bots, they are numerous, and we have advanced dynamic protections in place at several levels to block these sorts of exploits (most of which are further limited by Liferay security anyway). These can occur on the order of many thousands per day and are typically innocuous. We do monitor for and react to pattern changes as one indicator of potential vulnerability testing by external threat parties. We are also able to provide advanced threat scanning and analysis for a given customer implementation. We can accommodate specific logging and auditing requirements on a needs basis, as well as advanced features like Data Loss Protection and zero-day threat detection and quarantine, if desired; these features have some practical disadvantages for typical consumer-facing apps, but we can enable them on demand.

For in-Liferay workflow, which is arguably where the most risk might lie, we encourage implementing Liferay auditing and keeping current with fixes and patches. We can host a central log server for a given infrastructure if the customer so desires, and are able to assist with and accommodate those features.

Because of our Liferay-optimized configurations and setup, our strong security and controls, and our experience operating Liferay installations of all shapes and sizes, we are better equipped to maintain a secure Liferay environment and respond to threats substantively than any other hosting option. Notification is critical, but we also take ownership of the problem: the customer's security is our security.

Typically, what we offer OOTB is more than sufficient, except where special reporting or auditing requirements exist. We are happy to understand and accommodate those requirements on a needs basis. These are details we would typically work out during the discovery and budgeting phase of the engagement.

<more on logging facilities available>




Hosting Monitoring and Alerting - Omegabit

Q:

What type of monitoring and alerting do you provide?


A:

Omegabit's primary support role is to ensure a stable and reliable environment, to monitor for signs of trouble and to provide assistance with issues like plugin deploys and configuration adjustments.

Omegabit monitors for and responds to outages 24x7x365 with a response time of 4hrs or less.  The infrastructure is highly redundant to help protect against unplanned outages at the physical layer, and we will work with you to ensure a similarly stable logical configuration to the best of our abilities.  We do not assume responsibility for outages due to customizations or modifications to the system; for example, if a custom plugin causes breakage to the portal, our recommendation will be to uninstall the plugin.

If a higher level of resilience is required, a clustered configuration is recommended instead. Contact your Omegabit representative for more information.

A robust pre-release testing strategy using an independent Liferay environment is always recommended prior to deploying customizations to production.

Email support is responded to 10am-6pm PST, except holidays, and non-critical support requests can take up to 48hrs, but are typically responded to on the same day.

Showing 1 - 15 of 128 results.