How To Use This Tool:

To find answers to common RFP and RFI questions, select a tag or search for terms like "security", "performance", etc. Common questions and answers are grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.


© Omegabit LLC, 2023


Personnel & Contractors - Security, Privacy Policy and Training

Q:

Do you have a formal policy regarding security awareness and training?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Do you retain individual's training records?

Have you established rules that govern users (employees and contractors) on the expected behavior with regards to information and information system usage?

Are they required to sign/acknowledge Acceptable Use Policy?

Are they required to sign/acknowledge Code of Conduct / Ethics and conflict-of-interest?

Do you have a formal policy regarding security awareness and training?

Do you provide security-related training based on the employees job function as required to perform assigned duties?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Is there a formal privacy awareness training program for employees, contractors, volunteers (and other parties, as appropriate)?


A:

ref: IT Security Handbook is provided to each employee upon hire

Yes; please see related answers concerning policies and methods on tab 1.

Trainings are ongoing, role and privilege specific, and typically performed on a one-on-one basis by a qualified supervisor, and are logged as part of private personnel records. Training is segmented by the same basic constructs outlined in the Omegabit IT Security Handbook, plus specific proprietary training that relates to the advanced operation of Omegabit and Client infrastructure. Administrators are only approved to access and operate environments on which they have received specific operational training with supervisory sign-off, or for which they are the originator and original architect of the environment, responsible for documenting and establishing any custom training facets for said environment.

Generally speaking, any externalized service is specifically contracted to match or exceed the terms and conditions of any relevant Client project or activity and parties are required to agree to complementary terms of engagement that are commensurate with Client and SLA requirements.

Yes.

Yes.

Yes.

ref: IT Security Handbook is provided to each employee upon hire

Yes.

Yes.

Omegabit provides awareness training as it relates to the handling of customer information and custom Liferay software design, according to modern PII standards, systematically, relating to all facets of its internal and Client-hosted operations. This practice is continuously refreshed to keep pace with evolving threats and industry best practices as part of Omegabit day-to-day operations, and is disseminated in regular updates to employees. Key procedures are updated and noted by affected personnel. Administrators are specially trained, and updated on any special Client-specific requirements relating to operational security and privacy, before being allowed access to and control of sensitive Client environments, and are tasked with keeping current with relevant information updates as part of their normal responsibilities. Omegabit hosted and managed environments are ONLY managed by highly trained personnel with specific awareness of and experience with the uniqueness of the specific customer environment they are assigned to maintain. We do not assign generic administrators or support personnel as is typical of other commodity providers; everyone in contact with the Client and related infrastructure has specific working knowledge, sensitivity, and awareness of the circumstances of that specific installation, and of any related constraints relating to compliance of the Client stack.




Risk Management - Plan & Documentation

Q:

Is there a formal and documented process for addressing identified risk (e.g. tracking risk ownership, action plans and milestones)?

Do you have an enterprise-wide risk management program that designates individuals to fulfill specific roles and responsibilities within the organizational risk management process?

Third-party Oversight or Risk Management Plan?

Are risk findings/issues tracked, reported, and taken appropriate actions for remediation in an appropriate amount of time on an ongoing basis?


A:

ref: Omegabit Internal Operations Wiki and Customer Environment Ticketed Request system, Omegabit Operations Portal, Omegabit IT Security Handbook

ref: Omegabit Disaster Recovery Plan TOC

Due to the nature of our business and services, Risk Management is an inherent part of our DR planning lifecycle and includes business factors including finance, infrastructure, personnel, liabilities, etc. A quarterly assessment of these risks is performed as part of our regular strategic planning lifecycle. This information is proprietary.

Liferay executes regular security assessments and publishes hotfixes and notifications concerning newly discovered threats within the Liferay framework. It is the responsibility of the Client or application sponsor to determine the applicability of these risks and to integrate published fixes into any custom-built software. As the runtime manager, Omegabit assumes responsibility to assist with the deployment of any/all compatible security-related patches or changes to the Liferay runtime and its supporting components (OS, DB, Web acceleration, etc.; the "stack", collectively), which are provided or approved for use by the application sponsor. As this relates to hosting and runtime operations, notifications are also provided concerning any relevant security- or stability-related risk or action. This is addressed in the hosting SLA. Circumstances relating to security or other immediate threat are escalated and responded to with the highest internal priority. Important Note: Most host providers will NOT monitor or respond proactively to risks at the OS level or inside the Liferay application container. This is a noteworthy and unique benefit of Omegabit Liferay Enterprise Portal Hosting services, which monitors and assumes responsibility for ALL layers of the application infrastructure and Liferay runtime, and maintains specific operational awareness and sensitivity to the purpose and compliance requirements of its Clients' hosted environments. Omegabit monitors, manages, and responds to all relevant threat conditions, malicious or otherwise, proactively, at all layers of the infrastructure on behalf of its Client tenants.



Published on 8/08/21 4:25.

Information Security Plan, policies and processes

Q:

Do you have a security plan for this system that defines the security controls required, and re-evaluate on an annual basis or when major changes occur?

Do you have an organization wide information security program that has been documented, approved by management and communicated to appropriate constituents?

Do you have documented security assessment and authorization policies and procedures, or equivalent?

Do you have a security authorization process for information systems?

Do you have a continuous monitoring program in which you perform ongoing security controls assessment, ongoing updates to security plan, security assessment report, and plan of action and milestones?


A:

Ref: Omegabit IT Security Handbook, Omegabit Operations Wiki and procedures

Yes. This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these matters are addressed on an almost daily basis due to the nature of operations.

This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these procedures are addressed on an almost daily basis due to the nature of operations. Please see the responses to tab 1 for more information. ref: Omegabit Internal Operations Wiki and Ticketed Request systems.

This is tracked via secure customer support and ticket requests systems and customer wikis. All documented changes are also timestamped and auditable for historical reference. ref: Omegabit Internal Operations Wiki and Ticketed Request systems.


This is inherent to our regular mode of operations and procedures and is refreshed on an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these procedures are addressed on an almost daily basis due to the nature of operations. Please see the responses to tab 1 for more information. ref: Omegabit Internal Operations Wiki and Ticketed Request system.




System and Component Access

Q:

Do you track, control, authorize, and monitor information system components entering and exiting the facilities and maintain records for those items?

Do you control physical access to information system output devices (e.g. monitors, printers, audio devices, and etc.) to prevent unauthorized individuals from obtaining the output?

Are there third party service providers who have access to client related data and information systems? If Yes, provide subcontractor names and services provided.


A:

Physical items received into inventory are documented using conventional means including shipping log history and notations by Receiving. As it relates to facilities, equipment added to or removed from the racks is documented in the Omegabit Operations Wiki in a manner that is timestamped, auditable, and tracked for historical purposes.

Shared common or public resources for the exchange or reproduction of secure data are not employed or permitted by policy except where explicitly approved by the Client; storage devices are encrypted for portable delivery, and electronic transfer is performed via secure protocols and encrypted/keyed document storage. Printers are not employed to output secure information except under strictly controlled conditions (e.g., hard-copy archival output of sensitive information for secure storage would occur under specifically controlled conditions; invoicing is another example of controlled output that is limited to customers that specifically require paper processing, by devices with limited access by authorized personnel). Omegabit prefers electronic, individually permissioned and audit-logged access controls and methods of information exchange, for the purposes of security and whenever possible. Be advised that by default, passwords are communicated to authorized Client users via clear-channel communications to pre-authorized destinations, e.g., email, text message, or telephone. This can happen via both automated means (e.g., Liferay can mail a password or password reset link to pre-confirmed email destinations), or a Support representative may communicate a password change to a verified and authorized user via email or text communication. All of this can be disallowed and disabled at the Client's discretion.

None; all data and storage is maintained and operated exclusively by Omegabit and specially authorized and trained personnel with special awareness for Liferay operations. No proposed services, or facilities in this proposal are to be outsourced to an additional third party and will be satisfied exclusively by Liferay and Omegabit and its affiliated facilities partners where named.




Audit Logs

Q:

What application and data access audit logs are available?


A:

By default, Omegabit server environments are configured with warning-level logging for all services and with web request logging enabled, on a 90-day rotation. All logs are directly accessible to the customer, and advanced aggregation and reporting tools, as well as custom reporting, are supported on an as-needed basis (fees may apply). Omegabit is able to assist in configuring logging and verbosity at any layer of the infrastructure to meet specific business requirements or to trap specific issues.




Security Documents

Q:

Does your organization have explicit security documentation on the components, configuration and settings for the system for the purposes of installation, review and testing?


A:

Omegabit provides a highly secure default configuration, as well as advice and guidance on the specific settings relevant to the Client implementation. This is documented extensively in Omegabit Operations Wikis and Customer Wikis for proprietary configurations, where applicable.




System Recovery

Q:

Can the system recover or reconstitute to a known state after a disruption, compromise, or failure?


A:

Yes





Mobile Code

Q:

Do you have a policy in place for the use of mobile code and mobile code technologies? Mobile code technologies can include, for example, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and Virtual Basic Script.


A:

Team members are educated on the risks of these technologies, and they are prohibited when handling or communicating sensitive information. However, they are commonly used in Liferay implementations and are allowed for the purposes of diagnostics and support. Flash, in particular, is prohibited except where required to perform critical job functions with trusted affiliates and services.




Computing devices

Q:

Do you prohibit remote activation of collaborative computing devices (e.g. networked white boards, cameras, and microphones) with the following exceptions: Help Desk Support; and provide an explicit indication of use to users physically present at the devices?


A:

These tools are used responsibly and with sensitivity to the transfer of secure information by trained and authorized personnel for insecure communications.




Personnel & Contractors - Security Policies

Q:

Do you have Mobile Device / BYOD / MDM Document?

Do you have Workstation Security Document?

Do you have Acceptable Use Policy?

Do you have Access Control Policy?

Do you have Remote User Policy?

Do you have a Password Policy?

Do you have an Encryption Policy?

Do you provide Personnel Security Training?

Do you have documented personnel security policy and procedures?

Do you have a Clean Desk Policy?

Are system support personnel trained on security responsibilities based on their role?


A:

This is documented in Omegabit Employee Handbook, Section 6. Rules of Conduct

This is documented in Part 2, Section 1, Workstation Security Policy, IT Security Handbook

This is documented in Part I, Section I, Acceptable Use Policy, IT Security Handbook

This is documented in Part 3, Section 3, Remote Access Policy and Part 3, Section 2, Bluetooth Baseline Requirements

This is documented in Part III, Section 3. Remote Access Policy, IT security Handbook

This is documented in Part 1, Section 8, Password Construction Guidelines, IT security Handbook

This is documented in Part 1, Section 5, Acceptable Encryption Policy, IT security Handbook

Personnel Security is covered as a component of onboarding and training as it relates to the work environment and surroundings, and is also a notable component of information security training as it relates to an individual's perceived value or risk with respect to access to information.

ref: Omegabit Employee Handbook

This is documented in Part I, Section 2. Clean Desk Policy, IT Security Handbook

Yes




Risk Management - Assessment

Q:

Do you have a risk assessment program, policy and procedures that have been documented, approved by management and communicated to appropriate constituents?

Are risk assessments performed to identify, estimate, and prioritize risk to organizational operations and assets, individuals, and other organizations?

Do the risk assessments take into account threats, vulnerabilities, likelihood and impact from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits?

Does your organization regularly conduct security assessments of the system?


A:

Due to the nature of our business and services, Risk Management is an inherent part of our DR planning lifecycle and includes business factors including finance, infrastructure, personnel, liabilities, etc. A quarterly assessment of these risks is performed as part of our regular strategic planning lifecycle. This information is proprietary.

Please see the SOC 2 Type II compliance facilities report and the "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations" document supplied with this response. We frequently participate in customer-specific audits performed by Clients using their preferred standard or methodology, typically PCI/PII, FERPA, FEDRAMP, HIPAA, or similar compliance. These are completed by internal Client security teams or third parties, at the Client's discretion. These compliance certifications must typically be established against the customer's specific, proprietary software and infrastructure implementation and are private.

This is inherent to our regular mode of operations and procedures and is refreshed in an ongoing basis to keep pace with evolving threats and best practices. Formal reviews occur quarterly. However, these matters are addressed on an almost daily basis due to the nature of operations. Please see the responses to tab 1 for more information.

Yes




TLS

Q:

Is forced TLS enabled for all communications (including other external parties) involving Client information?


A:

TLS is enabled where preferred but not desirable at all layers or in all cases; this is configurable on a per Client basis to meet the specific requirements of each implementation.




Proxy Servers

Q:

Do you route web traffic through authenticated proxy servers within the managed interfaces of boundary protection devices?


A:

Web washing is an optional feature available on request.




Remote device - split-tunneling

Q:

Do you allow remote devices dual communications paths such as split-tunneling?


A:

Only allowed for specially privileged and authorized administrators for the purposes of advanced diagnostics and testing, and not for normal network users or operations.




Information Security - Transmission

Q:

Do you protect the confidentiality and integrity of the information being transmitted across each interface?


A:

(assumes SSL site configuration)


