How To Use This Tool:  

To find answers to common RFP and RFI questions, select a tag or search for terms like "security", "performance", etc. You will find common questions and answers grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.

© Omegabit LLC, 2023

Backups - alternate location

Q:

Do you conduct backups of user-level information, system-level information and information system documentation, including security-related documentation, and protect the confidentiality, integrity, and availability of backup information at storage locations?


A:

Local SAN and backup snapshots of all operational and Client/tenant data occur twice daily. Offsite archives of backup snapshots operate continuously and are typically <5 minutes behind local backup, via secure high-speed transfer over a dedicated fiber link to an alternate facility over a privately managed switched circuit with tunneled encryption. See the SLA for retention details; standard retention is stated as "Backups should be considered for disaster recovery purposes only. Our retention policy is variable and based upon data volume. Depending upon the environment rollbacks to the previous several days, weeks are available, but with sporadic snapshots between periods. Therefore, a specific point-in-time recovery may not be possible. We are typically able to restore backward up to several weeks depending upon the total size of your store." A 45 day retention is typical. However, custom retention policies are easily accommodated on request if a more specific policy is required.




Single point of failure

Q:

Do you have alternate telecommunication service (data and voice) plans in place for the resumption of service and alternate paths to reduce the likelihood from a common single point of failure?


A:

Yes




Maintenance - Policy and Procedures

Q:

Are there documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls?

Are all information systems maintenance and repairs tracked, scheduled, reviewed and approved prior to implementation?

Are security controls verified following maintenance or repair actions?

Do you track, approve, control, monitor the use of, and maintain information system maintenance tools on an ongoing basis?

Do you check all media containing diagnostic and test programs for malicious code before the media is used in the information system?


A:

This is inherent to our regular mode of operations and procedures; see previous answers concerning change management and control, documentation and procedure; the same answers apply. ref: Omegabit Operations Wiki

Yes

Yes

Yes

Yes




Security Incident Handling

Q:

Do you have documented incident response policy and procedures?

Are personnel defined with roles and responsibilities in the incident response plan and trained at least annually?

Do you have an automated mechanism to increase the availability of incident response-related information and support?

Do you conduct incident response tests/exercises with all appropriate parties at least annually and revise the plans to address changes and problems encountered?

Do your incident response tests include other related plans (e.g. BC or DR Plans, Crisis Communication Plans, Critical Infrastructure Plans, etc.)?

Do you employ automated mechanisms to support incident handling processes that include preparation, detection, analysis, containment, eradication, and recovery?

Are incident handling processes incorporated into contingency planning activities?

Do you incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implement the resulting changes accordingly?


A:

ref: Omegabit IT Security TOC

Yes

This question is vague; however, we do provide means of escalation and the dissemination of information with backup strategies in case of critical failure.

Yes

Yes

Yes

Yes

Yes




Record Retention

Q:

Are there record retention policy and procedures in place to meet applicable laws, regulations, standards and contractual requirements?


A:

Yes. Per Federal regulations; typically 7 years for financial and contractual data. Customer data retention is per terms agreed upon in SLA; see previous answers pertaining to backups and data retention. Custom policies are supported on request.




System issues tracking

Q:

Do you have a defined process to identify, report, and correct system flaws? If yes, do you test updates before installation; and incorporate into configuration management process?

Do you have an automated system to track flaws, plan for remediation and/or exceptions?


A:

All issue resolution is documented in the customer trouble ticket system for historical reference, indefinitely.

Liferay provides the LESA trouble ticketing system for Liferay-specific issues. Omegabit provides its own online customer ticketing system to track incidents and requests and is also able to receive requests by email (which will be logged in the ticketing system).




Event Monitoring

Q:

Do you have event monitoring tools or security information and event management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by systems?


A:

Multiple options are available as a special feature enhancement to your host infrastructure. Please contact your Omegabit Sales representative for more information.




Security updates

Q:

Is there an automated mechanism for security updates to systems?


A:

Yes




Information Security - compromise

Q:

Do you monitor unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic?

Does your information system provide a real-time alert when indications of a compromise or potential compromise occur?

Is there an automated mechanism to detect unauthorized changes in software and information?

Is the detection of unauthorized changes in software and information events tracked, monitored, corrected, and available for historical purpose?


A:

Yes

Yes

Yes, semi-automated

Yes




Malicious Code and SPAM

Q:

Are there malicious code and SPAM protection mechanisms at information system entry and exit points (i.e. firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers), and at workstations, servers, or mobile devices on the network to detect, prevent and eradicate malicious code and messages?

Are malicious code protection security controls centrally managed?

Are there intrusion detection and intrusion prevention monitoring security controls implemented?

Is SPAM protection centrally managed, and are information systems automatically updated?


A:

Yes

Yes

Yes

Yes




Input Validation

Q:

Do you perform input validation checks to prevent intentional and unintentional harm to information and information systems?


A:

Yes




Information Systems - Security Alerts

Q:

Do you receive information system security alerts, advisories, and directives from designated external organizations on a regular ongoing basis? If yes, do you disseminate internally to parties deemed necessary?


A:

Yes




Information Systems - Error message

Q:

Do information systems generate sufficiently generic authentication and other error messages that conceal useful information that may be exploited by malicious users?


A:

This is also a configurable feature of Liferay, which can be stipulated during the software configuration requirements phase of planning.




Access Control Policy

Q:

Do you have documented access control policy and procedures?


A:

This is part of the IT Security Handbook




Firewall

Q:

Do you have and use a firewall?


A:

This is documented in the Omegabit Internal Operations Wiki. Omegabit operates advanced active firewalls from Cisco and WatchGuard, which feature Active Intrusion Detection and Prevention, Layer 7 inspection, DLP, Zero Day, and other live-updated countermeasures. These features are on by default where appropriate, and advanced features like DLP and Zero Day may be enabled on request. Firewall configurations are tuned specifically for each customer. Private BOVPN tunnel links to Client infrastructure are also available.


