

© Omegabit LLC, 2023


Mobile Code

Q:

Do you have a policy in place for the use of mobile code and mobile code technologies? Mobile code technologies can include, for example, JavaScript, ActiveX, PostScript, PDF, Shockwave movies, Flash animations, and Visual Basic Script.


A:

Team members are educated on the risks of these technologies, and they are prohibited when handling or communicating sensitive information. However, they are commonly used in Liferay implementations and are allowed for the purposes of diagnostics and support. Flash, in particular, is prohibited except where required to perform critical job functions with trusted affiliates and services.




Mobile device encryption

Q:

Do you employ full-device encryption or container encryption to protect the confidentiality and integrity of the client information on mobile devices?


A:

IPSec, SSL, SSH (256-bit)




Multi-factor Authentication

Q:

Do you provide multi-factor authentication for the following: Network access to privileged account? Network access to non-privileged account? Local access to privileged account? Remote access?


A:

This answer refers to the default configuration of the Client environment; optional two-factor authentication is supported on request.




Network access - replay resistant

Q:

Do you employ replay-resistant authentication mechanisms for network access to privileged accounts?


A:

Salted and hashed passwords are employed for relevant connection methods, which are session specific.




Network Access - user acknowledgement

Q:

Do you display and require user acknowledgement to system/network usage warning/banner before granting further access?


A:

Per Client requirements.




Network Connections

Q:

Do you have policies in place to monitor and control external/internal network connections?


A:

A customer-specific architecture diagram will be supplied once an application footprint has been selected. The basic configuration places all Liferay stack resources behind a hardened, actively managed firewall and on a private VLAN segment dedicated for use only by the prescribed Client occupant: a private cloud network segment. Omegabit is happy to accommodate any custom firewall request or configuration required by the Client. All services are restricted or off by default except where required for portal operation.




Optimization and Performance

Q:

If you offer your system in a shared environment, how do you optimize performance for your clients?

What are your recommendations/requirements for ensuring maximum performance of your system?


A:

Omegabit operates a private, Liferay-optimized cloud infrastructure designed specifically for optimal performance, stability, and reliability.  Infrastructure is never over-allocated, by policy, and typically operates at <50% capacity across any physical server.  We perform regular monitoring and analysis to ensure that no backend cloud infrastructure bottlenecks exist to inhibit the performance of the Client VMs.  Notably, Omegabit employs high-end SSD-accelerated SAN storage and 10GB backplanes for cloud infrastructure, as disk path I/O is a common bottleneck with generic cloud infrastructures.  All CPU, RAM, and disk allocations are reserved and guaranteed.

All features and configuration are performed with consideration for optimal application performance across the application stack, including the network, disk, CPU, JVM, DB, Apache, and other related layers.  Omegabit specializes in Liferay runtime optimization, and TandemSeven is an expert implementer of Liferay architecture.  Collectively, our teams are able to provide an unmatched level of expertise relating to the theoretical design and practical application of your Liferay design to ensure the best possible performance for a given use case.




Outages, Planned Downtime, Uptime & Availability

Q:

Please list the uptime availability of your SAAS implementation for

What is the guaranteed uptime and does the uptime include scheduled maintenance? What are the scheduled maintenance windows and how are clients notified of scheduled and unscheduled maintenance?


A:

Core cloud and network infrastructure:  99.999%

Liferay application infrastructure:  greater than 99.98%

Omegabit frames uptime in terms of application vs. core infrastructure stability as a more practical measure of efficacy.  Beware of providers that only indicate core infrastructure uptime vs. Liferay application uptime, which is typically higher, and can be misleading.

Omegabit commits that Client's hosted Web applications will have a monthly availability of 99.95% or greater. Monthly application availability is calculated using the following equation:

Availability Percentage = 100 - ((Md / 43800) * 100)
where Md = the total minutes of unplanned downtime for the month
and 43800 is the average number of minutes in a calendar month
(22 minutes of downtime in a month would result in a total Network Availability for the month of 99.94%)
     

Planned Downtime     

Omegabit makes every effort to perform maintenance on its private cloud services transparently in the background, without interrupting Client services in any capacity.  On rare occasion, a brief outage is required to complete maintenance, to repair or replace a piece of equipment, or in case of emergency security remediation. Omegabit makes every effort to provide at least 5 business days' advance notice for scheduled maintenance, and will provide Client with no less than 48 hours' advance notification concerning planned outages, which will include the following information:
● Affected systems and services
● Reason for outage
● Expected downtime
● Contact information
       
Downtime due to planned outages where the outage is within the expectation set in the notification and where Omegabit has provided notification of the event to the Client at least 48 hours in advance is not used in calculating monthly application availability.
       
In the event that Web application availability falls below 99.95% in any calendar month, Client will be credited on the next billing cycle with an amount equal to the percentage of the affected month's total hosting charges as indicated per the SLA terms.
       

Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.


Passwords

Q:

Do you encrypt passwords in storage and in transmission?

Do you enforce password reuse conditions and minimum password complexity (e.g. minimum password length, mix of upper and lower case letters, numbers, and special characters)?

Does the application support strong complex password authentication (example: uppercase/lowercase, numbers, symbols)?


A:

SHA-256 or better using non-deprecated, modern ciphers for all relevant connections.

This is addressed in the Client SLA and the Omegabit Operations Policy Guidelines and Recommendations, and is adaptable per Client requirements. The default practice for Omegabit includes strong, complex, non-repeating 15-character passwords.

Yes; this is enforceable by custom policies that are easily managed in the Liferay Control Panel.

Omegabit implements and follows strict, PCI compliant password policies by default.




Penetration Testing - Outside Vendors

Q:

Do you employ independent assessors or assessment team to conduct system penetration testing?


A:

Externally, through the partner's chosen vendor, at the partner's request.




Personnel & Contractors - Onboarding Requirements

Q:

Do you perform background screening of individuals as part of your hiring/on-boarding procedures (including contractors)? If yes, does it include:

Do you perform National Social Security Search?

Do you request/verify Work Authorization?

Do you perform Credit Check?

Do you require Drug Test?

Do you verify Education Verification?

Do you verify Employment History?

Do you require Re-screening?

Do you request FBI Fingerprint Check?

Do you utilize the Patriot Act/Office of Foreign Assets Control (OFAC) Watch List?


A:

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes, if required per Client security clearance for team members.

Yes. We do perform a criminal background check via credible, commercially and publicly available sources.

Available on a needs basis for special clearance.


Personnel & Contractors - Rules and Policies

Q:

Acceptable Use? If yes, are they required to sign/acknowledge the policy?

Code of Conduct / Ethics and conflict-of-interest? If yes, are they required to sign/acknowledge the policy?

Confidentiality Agreement / Non-Disclosure Agreement? If yes, are they required to sign/acknowledge the policy?

Are employees and contractors required to comply with security policies in which non-adherence is subject to disciplinary action, up to and including termination and/or civil or criminal liability?

Have you established rules that govern users (employees and contractors) on the expected behavior with regards to information and information system usage?

Do you have established usage restrictions and implementation guidance for wireless access?


A:

Yes.

Yes.

Yes.

Yes.

Generally speaking, any externalized service is specifically contracted to match or exceed the terms and conditions of any relevant Client project or activity and parties are required to agree to complementary terms of engagement that are commensurate with Client and SLA requirements.

Yes


Personnel & Contractors - Security, Privacy Policy and Training

Q:

Do you have a formal policy regarding security awareness and training?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Do you retain individual's training records?

Have you established rules that govern users (employees and contractors) on the expected behavior with regards to information and information system usage?

Are they required to sign/acknowledge Acceptable Use Policy?

Are they required to sign/acknowledge Code of Conduct / Ethics and conflict-of-interest?

Do you have a formal policy regarding security awareness and training?

Do you provide security-related training based on the employees job function as required to perform assigned duties?

Do you require employees and contractors to go through Privacy and Security Awareness training upon hiring and annual renewal?

Is there a formal privacy awareness training program for employees, contractors, volunteers (and other parties, as appropriate)?


A:

ref: IT Security Handbook is provided to each employee upon hire

Yes; please see related answers concerning policies and methods on tab 1.

Trainings are ongoing, role and privilege specific, and typically performed on a one-on-one basis by a qualified supervisor logged as part of private personnel records. Training is segmented by the same basic constructs outlined in the Omegabit IT Security Handbook, plus specific proprietary training that relates to the advanced operation of Omegabit and Client infrastructure. Administrators are only approved to access and operate environments on which they have received specific operational training with supervisory sign-off, or, are the originator and original architect of the environment responsible for documenting and establishing any custom training facets for said environment.

Generally speaking, any externalized service is specifically contracted to match or exceed the terms and conditions of any relevant Client project or activity and parties are required to agree to complementary terms of engagement that are commensurate with Client and SLA requirements.

Yes.

Yes.

Yes.

ref: IT Security Handbook is provided to each employee upon hire

Yes.

Yes.

Omegabit provides awareness training as it relates to the handling of customer information and custom Liferay software design, according to modern PII standards, systematically: relating to all facets of its internal and Client-hosted operations. This practice is continuously refreshed to keep pace with evolving threats and industry best practices as part of Omegabit's day-to-day operations, and is disseminated in regular updates to employees. Key procedures are updated and noted by affected personnel. Administrators are specially trained, and updated on any special Client-specific requirements relating to operational security and privacy, before being allowed access to and control of sensitive Client environments, and are tasked with keeping current with relevant information updates as part of their normal responsibilities. Omegabit hosted and managed environments are ONLY managed by highly trained personnel with specific awareness of and experience with the uniqueness of the specific customer environment they are assigned to maintain. We do not assign generic administrators or support personnel as is typical of other commodity providers: everyone in contact with the Client and related infrastructure has specific working knowledge, sensitivity, and awareness of the circumstances of that specific installation, and of any related constraints relating to compliance of the Client stack.




Personnel & Contractors - Security Policies

Q:

Do you have Mobile Device / BYOD / MDM Document?

Do you have Workstation Security Document?

Do you have Acceptable Use Policy?

Do you have Access Control Policy?

Do you have Remote User Policy?

Do you have a Password Policy?

Do you have an Encryption Policy?

Do you provide Personnel Security Training?

Do you have documented personnel security policy and procedures?

Do you have a Clean Desk Policy?

Are system support personnel trained on security responsibilities based on their role?


A:

This is documented in Omegabit Employee Handbook, Section 6. Rules of Conduct

This is documented in Part 2, Section 1, Workstation Security Policy, IT Security Handbook

This is documented in Part I, Section I, Acceptable Use Policy, IT Security Handbook

This is documented in Part 3, Section 3, Remote Access Policy and Part 3, Section 2, Bluetooth Baseline Requirements

This is documented in Part III, Section 3, Remote Access Policy, IT Security Handbook

This is documented in Part 1, Section 8, Password Construction Guidelines, IT Security Handbook

This is documented in Part 1, Section 5, Acceptable Encryption Policy, IT Security Handbook

Personnel security is covered as a component of onboarding and training as it relates to the work environment and surroundings. It is also a notable component of information security training as it relates to an individual's perceived value or risk with respect to access to information.

ref: Omegabit Employee Handbook

This is documented in Part I, Section 2. Clean Desk Policy, IT Security Handbook

Yes




Personnel & Contractors - Termination & Transfer

Q:

Do you have Termination and Transfer Policy?

Upon termination of an employee or contractor, do you immediately terminate access to systems, and retrieve all company assets (i.e. equipment/devices, PCs, access cards, keys, smart cards, tokens, cell phones, information and documentation)?

Upon the transfer of an employee or contractor, do you review the logical and physical access authorizations to verify that the authorizations are still appropriate?

Upon the transfer of an employee or contractor, do you review the logical and physical access authorizations to verify that the authorizations are still appropriate?


A:

Yes; this is strictly enforced as a key component of Omegabit's secure operations.

Upon termination of an employee or contractor, Omegabit immediately terminates access to systems, networks, and infrastructure (virtual and real), and retrieves all company assets (i.e. equipment/devices, PCs, access cards, keys, smart cards, tokens, cell phones, information and documentation).

This is documented in Omegabit Employee Handbook, Section 4.7

Employee handbook internal documentation and HR procedures; includes proprietary actions and is sensitive in nature.

Yes.

Yes


