Our Partners close more business.

Use these powerful resources to win more business, faster, with less effort.  
Call 877-411-2220 x121 for personal support with any opportunity.


How To Use This Tool:  

To find answers to common RFP and RFI questions, select a tag or search for terms like "security", "performance", etc. You will find common questions and answers grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.


© Omegabit LLC, 2023


Content with tag "training".

Information Security - Insider Threat

Q:

Do you train employees and contractors on recognizing and reporting potential indicators of insider threat?

Information security (IS) organization structure (provide organization chart including where IS function resides in organization - individual names of employees can be redacted)

Do you have a dedicated information security team?

Systems Maintenance / Patch Management

Do you have a process that monitors insider threat?


A:

Yes; relevant staff are trained to be suspicious of all modes of threat including that which may be internally sourced.

A partially obfuscated org chart is included relating to hot operations and services.

ref: Omegabit Org Chart, Administration and Support Services

Patch management is documented, with visibility for the customer and application sponsors, via a security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer-specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

This is overseen by Senior Information Security officers and verified via electronic audit and change control systems and monitors, which cannot be altered without evidence of tampering. Sensitive access is compartmentalized and limited to trusted and fully vetted individuals who have an established trust relationship and long-standing reputation for the handling of mission-critical data and applications for our customers.




Information Security - Privacy

Q:

List Information Security and Privacy policy.


A:

Due to the nature of application hosting, these practices are core and inherent to our regular operations. A TOC outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain custom policies and procedures for customers with special needs, e.g. PCI or similar compliance. A sample policy statement, maintained for a PCI-compliant tenant, has been provided as an example. Please see also the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".

Omegabit provides extensive security training following best practices for PCI, FERPA, FEDRAMP and similar compliance, modeled on industry standards and best practices. This includes emphasis on traditional IT and host infrastructure security for Internet providers, as well as specialized training relating to custom application designs and the implementation of Liferay, specifically. Many practices are modeled after requirements established from its broad base of customers operating sensitive applications for finance, healthcare, government, education and similar purposes. Omegabit is able to support almost any compliance requirement and typically will establish operational policies that take into account best practices and the specific requirements of the Customer. A Table of Contents (TOC) outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain custom policies and procedures for customers with special needs, e.g. PCI or similar compliance. A sample policy statement, maintained for a PCI-compliant tenant, has been provided as an example. Please see the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".




Personnel & Contractors - Security, Privacy Policy and Training

Q:

Do you have a formal policy regarding security awareness and training?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Do you retain individual's training records?

Have you established rules that govern users (employees and contractors) on the expected behavior with regards to information and information system usage?

Are they required to sign/acknowledge Acceptable Use Policy?

Are they required to sign/acknowledge Code of Conduct / Ethics and conflict-of-interest?

Do you have a formal policy regarding security awareness and training?

Do you provide security-related training based on the employees job function as required to perform assigned duties?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Is there a formal privacy awareness training program for employees, contractors, volunteers (and other parties, as appropriate)?


A:

ref: IT Security Handbook is provided to each employee upon hire

Yes; please see related answers concerning policies and methods on tab 1.

Trainings are ongoing, role- and privilege-specific, and typically performed on a one-on-one basis by a qualified supervisor and logged as part of private personnel records. Training is segmented by the same basic constructs outlined in the Omegabit IT Security Handbook, plus specific proprietary training that relates to the advanced operation of Omegabit and Client infrastructure. Administrators are only approved to access and operate environments on which they have received specific operational training with supervisory sign-off, or for which they are the originator and original architect of the environment, responsible for documenting and establishing any custom training facets for said environment.

Generally speaking, any externalized service is specifically contracted to match or exceed the terms and conditions of any relevant Client project or activity and parties are required to agree to complementary terms of engagement that are commensurate with Client and SLA requirements.

Yes.

Yes.

Yes.

ref: IT Security Handbook is provided to each employee upon hire

Yes.

Yes.

Omegabit provides awareness training as it relates to the handling of customer information and custom Liferay software design, according to modern PII standards, systematically across all facets of its internal and Client-hosted operations. This practice is continuously refreshed to keep pace with evolving threats and industry best practices as part of Omegabit day-to-day operations, and is disseminated in regular updates to employees. Key procedures are updated and noted by affected personnel. Administrators are specially trained, and updated on any special Client-specific requirements relating to operational security and privacy, before being allowed access and control of sensitive Client environments, and are tasked with keeping current with relevant information updates as part of their normal responsibilities. Omegabit hosted and managed environments are ONLY managed by highly trained personnel with specific awareness and experience of the uniqueness of the specific customer environment they are assigned to maintain. We do not assign generic administrators or support personnel as is typical of other commodity providers: everyone in contact with the Client and related infrastructure has specific working knowledge of, sensitivity to, and awareness of the circumstances of that specific installation, and any related constraints relating to compliance of the Client stack.


