
How To Use This Tool:  

To find answers to common RFP and RFI questions, select a tag, or, search for terms like "security", "performance", etc.  You will find common questions and answers grouped together in one record.  Follow the tag links to refine your search.  Supporting downloads and documentation are available, below.


© Omegabit LLC, 2023

Content with tag: audit

Asset Management - Inventory

Q:

Is there an asset management policy, and are all hardware and software assets maintained in an inventory system?

Do you employ automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of system components?


A:

Yes, see previously supplied responses on this tab and tab 1 for related answers.

Inventory is regularly audited and confirmed against metrics automatically reported by monitoring systems.




Audit Logs

Q:

What application and data access audit logs are available?


A:

By default, Omegabit server environments are configured with warning-level logging for all services and with Web request logging enabled, in a 90-day rotation. All logs are directly accessible to the customer, and advanced aggregation and reporting tools, as well as custom reporting, are supported on an as-needed basis (fees may apply). Omegabit is able to assist in configuring logging and verbosity at any layer of the infrastructure to meet specific business requirements or to trap specific issues.




Hosting Compliance - Omegabit

Q:

Is the proposed solution PCI and HIPAA compliant?

Is the hosting facility SAS 70 II compliant?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

Omegabit facilities are SOC-2 audited and compliant (see attached certification statement). This addresses the standards and controls that are needed for, and typical of, a HIPAA, FERPA, or PCI-I compliant implementation. Our NOC has also been PCI-I certified for other tenants that have elected for an independent audit. However, promising compliance with HIPAA, FERPA, or PCI typically requires that an independent audit be applied throughout the logical application layer, including your specific Liferay implementation. Our standard compliance is usually sufficient for these applications, but it assumes that the application owner/sponsor (you) is taking responsibility for the compliance that must occur at the OS and application layers, which you control. Omegabit hosts a number of healthcare-related sites that are customer self-certified as HIPAA compliant based on this rationale and their own security practices. (Caution: any provider that tells you that you get HIPAA compliance out-of-the-box is skirting the issue.)

Omegabit does and will advise on these best practices, and is happy to participate in and support an ongoing standards audit for any of these levels of compliance by a third-party entity.

Costs for actual HIPAA/FERPA or PCI-I type certification specific to a given Customer implementation typically run $40K-$65K/year to perform an annual audit and to maintain the standards, compliance procedures, and documentation required to satisfy future audits.

Omegabit facilities are SOC-2 compliant; this is considered the modern and more rigorous replacement for SAS 70 compliance in the industry. The SOC-2 compliance audit is performed every 18-24 months.




Information Security - SOC 2, HIPAA, FERPA, FEDRAMP, PCI

Q:

Do you have documented physical security policy and procedures?

SSAE 16 / ISAE 3402 SOC 2 Type II audit or equivalent performed by a trusted source

Do you process, store or transmit FRS sensitive PII or PHI? If yes, are there documented Privacy Management Program policy and procedures?

Do you employ independent assessors or assessment team to conduct assessment of the security controls in information systems and services?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

Ref: SOC 2 Type II Facilities Compliance Report for Omegabit colocation facilities managed by Digital West and alternate providers (available on request).

All Omegabit facilities are audited by third-party compliance services for SOC-2 compliance and are maintained to PCI compliance standards by default. Omegabit hosted infrastructure is also frequently vetted and audited on a per-customer basis where specific compliance, e.g. PCI, FERPA, FEDRAMP, or HIPAA, is required. These certifications must occur against the customer implementation and are typically performed in cooperation with the application sponsor and Client.

This technically falls under the auspices and control of our Client tenants with these requirements and their specific custom application design and implementation. However, we play a participating role in ensuring that issues relating to SOC 2/facilities compliance, data storage and transfer, and managed operations and procedures are handled in a manner commensurate with Client requirements. Actual secure data transmissions are accomplished via BOVPN, IPS, SSH, HTTPS, LDAPS, or similarly secure means at the discretion of the customer and their custom application design. All popular means are supported and can be enabled and secured on request. Data storage encryption is also available on request.

This is performed on a per-Client, case-by-case basis as required by the Client, in cooperation with the auditing service or agency of their choosing. Omegabit is able to self-certify and/or work with Client-designated teams. Omegabit has established PCI, HIPAA, FERPA, and similar compliance with customers across various verticals and custom application designs. These assessments must be done on a per-Client basis and be specific to the custom software implementation to be relevant. Compliance certifications, with the exception of Omegabit's SOC 2 facilities compliance, are by definition not transferable across Client tenants.

The SOC-2 compliance audit is performed every 18-24 months.




Logging, Reporting, and Analytics

Q:

What logging and auditing features do you support?

Do you log intrusion and security events?


A:


Omegabit's active firewalls are constantly thwarting typical (and sometimes atypical) structured and automated attacks that are common to the Internet. We update hourly against a database of published threats, which are blocked before they ever reach the portal. That activity is logged and available for analysis by us for forensic and diagnostic purposes. But we typically do not report that information to the customer; it is stored at our cloud and firewall infrastructure levels. The exception is any logs that are on the servers themselves (Apache, Tomcat, database, etc.), to which customers do have direct access, and we do sometimes help provide tools like Splunk for analysis. We also offer some exceptional monitoring and reporting options from Dynatrace, which the customer can use for deep visibility into application and runtime performance through a very rich and intuitive Web-based interface, and which is capable of generating automated reports.

Generally speaking, these threats are usually bots, they are numerous, and we have advanced dynamic protections in place at several levels to block these sorts of exploits (most of which are further limited by Liferay security anyway). These can occur on the order of many thousands per day and are typically innocuous. We do monitor for and react to pattern changes as one indicator of potential vulnerability testing by external threat parties. We are also able to provide advanced threat scanning and analysis for a given customer implementation. We can accommodate specific logging and auditing requirements on an as-needed basis, as well as advanced features like Data Loss Protection and zero-day threat detection and quarantine, if desirable; these features have some practical disadvantages for typical consumer-facing apps, but we can enable them on demand.

For in-Liferay workflow, which is arguably where the most risk might lie, we encourage implementing Liferay auditing and keeping current with fixes and patches. We can host a central log server for a given infrastructure if the customer so desires, and are able to assist with and accommodate those features.

Because of our Liferay-optimized configurations and setup, our strong security and controls, and our experience operating Liferay instances of all shapes and sizes, we are better equipped to maintain a secure Liferay environment and respond to threats in a way that is substantive, as compared to any other hosting option. Notification is critical, but we also take ownership of the problem: the customer's security is our security.

Typically, what we offer OOTB is more than sufficient, except where special reporting or auditing requirements exist, and we are happy to understand and accommodate those requirements on an as-needed basis. These are details we would typically work out during the discovery and budgeting phase of the engagement.

<more on logging facilities available>


