
How To Use This Tool:

To find answers to common RFP and RFI questions, select a tag or search for terms such as "security" or "performance". Common questions and their answers are grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.


© Omegabit LLC, 2023

Content with tag: information security

Firewall

Q:

Do you have, or use, a firewall?


A:

This is documented in the Omegabit Internal Operations Wiki. Omegabit operates advanced active firewalls from Cisco and WatchGuard, which feature active intrusion detection and prevention, Layer 7 inspection, DLP, Zero Day protection, and other live-updated countermeasures. These features are on by default where appropriate, and advanced features such as DLP and Zero Day protection may be enabled on request. Firewall configurations are tuned specifically for each customer. Private BOVPN tunnel links to Client infrastructure are also available.


Information Security - Change & Configuration Management

Q:

Change Management Policy?

Configuration Management Policy?

Do you have a formal change management program that documents and tests changes to determine their potential security impact, and validates and approves changes to the system before they are implemented in production?


A:

(Yes to all)

Change management is documented, with visibility for the customer and application sponsors, via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific wikis are also maintained to document information that is proprietary to the Client implementation and important to all parties.

Configuration management is documented, with visibility for the customer and application sponsors, via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific wikis are also maintained to document information that is proprietary to the Client implementation and important to all parties.


Information Security - Data Loss Prevention

Q:

Do you provide Data Loss Prevention (DLP)?

Do you have a data loss prevention (DLP) program?


A:

Active DLP is an optional feature that may be activated on demand on a per-customer basis. Additional fees may apply.

WatchGuard; the feature is available on special request. Email only? No: it can inspect virtually any layer-7 transmission, including SSL-encrypted transmissions it is configured to proxy. Very advanced real-time detection and updates are included, as well as optional Zero Day threat detection.


Information Security - Distribution and Transmission

Q:

Do you have controls in place to prevent unauthorized physical access to information distribution and transmission lines, and to protect against accidental damage, disruption, physical tampering, eavesdropping, or in-transit modification of unencrypted transmission lines?


A:

We employ industry-standard methods for secure data exchange, including but not limited to BOVPN links, SSH, SCP, HTTPS, LDAPS (secure LDAP), and other secure protocols using strong modern encryption and cipher standards, digitally signed and encrypted email communications, and secure chat, wherever appropriate and applicable.


Information Security - Insider Threat

Q:

Do you train employees and contractors on recognizing and reporting potential indicators of insider threat?

Information security (IS) organization structure (provide an organization chart including where the IS function resides in the organization; individual names of employees can be redacted).

Do you have a dedicated information security team?

Systems Maintenance / Patch Management

Do you have a process that monitors insider threat?


A:

Yes; relevant staff are trained to be suspicious of all modes of threat, including threats that may be internally sourced.

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Patch management is documented, with visibility for the customer and application sponsors, via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific wikis are also maintained to document information that is proprietary to the Client implementation and important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

This is overseen by senior information security officers and verified via electronic audit and change control systems and monitors, which cannot be altered without evidence of tampering. Sensitive access is compartmentalized and limited to trusted and fully vetted individuals who have an established trust relationship and a long-standing reputation for handling mission-critical data and applications for our customers.


Information Security - Life Cycle

Q:

Secure Systems Development Life Cycle

Do you deploy a system development life cycle methodology that includes security considerations, roles and responsibilities during each phase of the life cycle?


A:

This is an inherent practice; all security-related procedures are reviewed, exercised, and improved on an ongoing basis to keep pace with industry standards and evolving threats. Reviews occur on a daily basis.

Liferay: yes; Liferay not only follows industry-standard methodology but is the authority on, and provider of, the integration and change management tools that support best practices when developing with the DXP framework. Omegabit is able to integrate with any preferred methodology elected by the developer team (agile, sprint, etc.), and is available to help with the integration of automation, tooling, and other developer facilities to aid the ongoing development lifecycle and maintenance of a "living" portal implementation.


Information Security - Org Chart/Team

Q:

Information security (IS) organization structure (provide an organization chart including where the IS function resides in the organization; individual names of employees can be redacted).

Do you have a dedicated information security team?

Is there an individual assigned responsibility as the senior information security officer or equivalent?


A:

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Christopher Lee Stavros, President and CTO of Omegabit, LLC; cstavros@omegabit.com - 805-748-9641; 20+ years InfoSec experience with commercial applications in government, finance, education, healthcare and consumer brands.


Information Security Plan, policies and processes

Q:

Do you have a security plan for this system that defines the security controls required, and is it re-evaluated on an annual basis or when major changes occur?

Do you have an organization wide information security program that has been documented, approved by management and communicated to appropriate constituents?

Do you have documented security assessment and authorization policies and procedures, or equivalent?

Do you have a security authorization process for information systems?

Do you have a continuous monitoring program in which you perform ongoing security controls assessment, ongoing updates to security plan, security assessment report, and plan of action and milestones?


A:

Ref: Omegabit IT Security Handbook, Omegabit Operations Wiki and procedures

Yes. This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these matters are addressed on an almost daily basis due to the nature of operations.

This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these procedures are addressed on an almost daily basis due to the nature of operations. Please see the responses to tab 1 for more information. ref: Omegabit Internal Operations Wiki and Ticketed Request systems.

This is tracked via secure customer support and ticket request systems and customer wikis. All documented changes are also timestamped and auditable for historical reference. ref: Omegabit Internal Operations Wiki and Ticketed Request systems.

This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these procedures are addressed on an almost daily basis due to the nature of operations. Please see the responses to tab 1 for more information. ref: Omegabit Internal Operations Wiki and Ticketed Request systems.


Information Security - Privacy

Q:

List your information security and privacy policies.


A:

Due to the nature of application hosting, these practices are core and inherent to our regular mode of operations. A TOC outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain custom policies and procedures for customers with special needs, e.g. PCI or similar compliance. A sample policy statement has been provided of an example maintained with a PCI-compliant tenant. Please see also the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".

Omegabit provides extensive security training following best practices for PCI, FERPA, FedRAMP and similar compliance, modeled on industry standards and best practices. This includes emphasis on traditional IT and host infrastructure security for Internet providers, as well as specialized training relating to custom application designs and the implementation of Liferay specifically. Many practices are modeled after requirements established by its broad base of customers operating sensitive applications for finance, healthcare, government, education and similar purposes. Omegabit is able to support almost any compliance requirement and typically will establish operational policies that take into account both best practices and the specific requirements of the Customer. A Table of Contents (TOC) outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain custom policies and procedures for customers with special needs, e.g. PCI or similar compliance. A sample policy statement has been provided of an example maintained with a PCI-compliant tenant. Please see the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".


Information Security - Review and Penetration Testing

Q:

Internal Security Review / Penetration test performed by internal resources.

Security review / penetration test performed by a trusted source.

Do you perform vulnerability penetration tests for internal and externally facing information systems and hosted applications at least annually?


A:

Omegabit performs regular security and hardening testing on an ongoing basis. The most recent comprehensive scan testing was completed in April of 2017. Customer-specific testing is implemented on a case-by-case basis and is ongoing. This information is sensitive in nature, both in terms of methods and outcomes. Schedules, related information, outcomes and actions are documented and shared privately with customers via secure online collaboration tools supplied by Omegabit.

Omegabit performs its own regular penetration and threat testing and operates active detection and prevention countermeasures. Third-party penetration testing is also frequently performed against customer implementations in cooperation with the application sponsors, typically the hosting customer. This includes testing performed by independent agencies and customer security teams.

Automated and human-reviewed vulnerability scanning is a regular and ongoing practice and a normal part of operations. Protections range from continuous scanning to planned and targeted exploit testing. This is a professional specialty of Omegabit, and is performed for its own benefit, for its Client and tenant installations, and also frequently in cooperation with Client security teams against external secure targets.


Information Security - SOC 2, HIPAA, FERPA, FedRAMP, PCI

Q:

Do you have documented physical security policy and procedures?

SSAE 16 / ISAE 3402 SOC 2 Type II audit or equivalent performed by a trusted source.

Do you process, store or transmit FRS sensitive PII or PHI? If yes, are there documented Privacy Management Program policy and procedures?

Do you employ independent assessors or an assessment team to conduct assessments of the security controls in information systems and services?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

ref: SOC 2 Type II Facilities Compliance Report for Omegabit colocation facilities managed by Digital West and alternate providers (available on request).

All Omegabit facilities are audited by third-party compliance services for SOC 2 compliance and are maintained to PCI compliance standards by default. Omegabit-hosted infrastructure is also frequently vetted and audited on a per-customer basis where specific compliance, e.g. PCI, FERPA, FedRAMP, or HIPAA, is required. These certifications must occur against the customer implementation and are typically performed in cooperation with the application sponsor and Client.

This technically falls under the control of our Client tenants with these requirements and their specific custom application design and implementation. However, we play a participating role in ensuring that issues relating to SOC 2/facilities compliance, data storage and transfer, and managed operations and procedures are handled in a manner commensurate with Client requirements. Actual secure data transmissions are accomplished via BOVPN, IPS, SSH, HTTPS, LDAPS, or similarly secure means at the discretion of the customer and their custom application design. All popular means are supported and can be enabled and secured on request. Data storage encryption is also available on request.

This is performed on a per-Client, case-by-case basis as required by the Client, in cooperation with the auditing service or agency of their choosing. Omegabit is able to self-certify and/or work with Client-designated teams. Omegabit has established PCI, HIPAA, FERPA, and similar compliance with customers across various verticals and custom application designs. These assessments must be done on a per-Client basis and be specific to the custom software implementation to be relevant. Compliance certifications, with the exception of Omegabit's SOC 2 facilities compliance, are by definition not transferable across Client tenants.

The SOC 2 compliance audit is performed every 18-24 months.


Information Security - Wireless

Q:

Do you have established usage restrictions and implementation guidance for wireless access?

Does wireless access require authorization before connection?

Are wireless connections encrypted using WPA2 or higher?

Do you monitor and restrict the connection and use of unauthorized mobile devices and writable, removable media in information systems?

Do you employ full-device encryption or container encryption to protect the confidentiality and integrity of the client information on mobile devices?

Wireless Policy


A:

Ref: Omegabit Employee Handbook, Guidelines and Operations Wiki procedures.

Yes.

Any secure communications are further tunneled and wrapped in either IPsec or SSH, depending on the nature of the connection. All Wi-Fi connections, including LAN Wi-Fi, are hardened in the same way as public or unprotected network links.

Yes.

IPSec, SSL, SSH (256-bit)

Wireless Policy: This is documented in Part III, Section 6. Wireless Communication Standard, IT Security Handbook.


System and Component Access

Q:

Do you track, control, authorize, and monitor information system components entering and exiting the facilities and maintain records for those items?

Do you control physical access to information system output devices (e.g. monitors, printers, audio devices, etc.) to prevent unauthorized individuals from obtaining the output?

Are there third party service providers who have access to client related data and information systems? If Yes, provide subcontractor names and services provided.


A:

Physical items received into inventory are documented using conventional means, including shipping log history and notations by Receiving. As it relates to facilities, equipment added to or removed from the racks is documented in the Omegabit Operations Wiki in a manner that is timestamped, auditable, and tracked for historical purposes.

Shared common or public resources for the exchange or reproduction of secure data are not employed or permitted by policy, except where explicitly approved by the Client; storage devices are encrypted for portable delivery, and electronic transfer is performed via secure protocols and encrypted, keyed document storage. Printers are not employed to output secure information except under strictly controlled conditions (for example, hard-copy archival output of sensitive information for secure storage would occur under specifically controlled conditions; invoicing is another example of controlled output, limited to customers that specifically require paper processing, by devices with access limited to authorized personnel). Omegabit prefers electronic, individually permissioned, and audit-logged access controls and methods of information exchange, for the purposes of security and whenever possible.

Be advised that by default, passwords are communicated to authorized Client users via clear-channel communications to pre-authorized destinations, e.g. email, text message, or telephone. This can happen via automated means (e.g. Liferay can mail a password or password reset link to pre-confirmed email destinations), or a Support representative may communicate a password change to a verified and authorized user via email or text communication. All of this can be disallowed and disabled at the Client's discretion.

None; all data and storage is maintained and operated exclusively by Omegabit and specially authorized and trained personnel with specific awareness of Liferay operations. No proposed services or facilities in this proposal are to be outsourced to an additional third party; they will be satisfied exclusively by Liferay and Omegabit and its affiliated facilities partners, where named.
