Yes, at very granular levels at every layer of the application framework (pages, portlets, content, documents, social entires, etc.).

SHA-256 or better using non-deprecated, modern ciphers for all relevant connections.

This is addressed in the Client SLA, Omegabit Operations Policy Guidelines and Recommendations, and are adaptable per Client requirements. The default practice for Omegabit includes strong complex non-repeating 15-character passwords.SHA-256 or better using non-deprecated, modern ciphers for all relevant connections.

Yes; is enforceable by custom policies that are easily managed by the Lifeay Control Panel.

Omegabit implements and follows strict, PCI compliant password policies by default.

This is dependent on Kindred's specific implementation of the Liferay portal.  Liferay can be configured to expire content, and has indicated it is working to implement purging capabilities for GDPR compliance.  APIs are also available to actuate purging functions. 

Omegabit is able to advise on best practices relating to the design and implementation, and can also support maintenance and data preening as an optional Professional Service.

All electronic data is returned/made available for retrieval  by the Client until fully acquired and verified.

All data managed by Omegabit is assumed to be confidential in nature.  All physical manifestations of Client data are destroyed and cataloged where applicable using PII and HIPAA compliant shredding methods.   

Terms of data protection, retention, and destruction are enforced per SLA and Customer Compliance Policy Agreements.

Omegabit maintains a comprehensive and proprietary database for the purposes of troubleshooting and documenting known incidents and actions, which is utilized to inform resolution path options and document outcomes for all parties. 

As it relates to customer communications, Omegabit notifies Client designated contacts of urgent incidences by email, and telephone wherever practical, as well as a shared ticketing system to track the incident response.

Severe or high-risk conditions trigger a human-managed chain of response protocol. Critical systems are monitored automatically by multiple. Escalations are programmed to trigger alerts via alternate channels if not acknowledged. Depending on incident type and level of escalation, it may be flagged for more investigation and a trouble ticket opened for further analysis. Any incident of substance is documented with visibility by the Client; proactive notifications are sent for incidents of immediate concern or requiring action or where a breach has occurred.

Notification follows the SLA terms and conventional practice.

Please refer to the Omegabit IT Security TOC for more information.

Core cloud and network infrastructure:  99.999%

Liferay application infrastructure:  greater than 99.98%

Omegabit frames uptime in terms of application vs. core infrastructure stability as a more practical measure of efficacy.  Beware of providers that only indicate core infrastructure uptime vs. Liferay application uptime, which is typically higher, and can be misleading.

Omegabit commits that Client's hosted Web applications will have a monthly availability of 99.95% or greater. Monthly application availability is calculated using the following equation:
     
Availability Percentage = 100-((Md/43800)*100)
Where Md = The total minutes of unplanned downtime for the month
And 43800 is the average number of minutes in a calendar month
(22 minutes of downtime in a month would result in a total Network Availability for the month of 99.94%)
     

Planned Downtime     

Omegabit makes every effort to perform maintenance to its private cloud services transparently in the background without interrupting Client services in any capacity.  On rare occasion, a brief outage is required to complete maintenance or repair/replace piece of equipment, or in case of emergency security remediation. Omegabit makes every effort to provide at least 5 business days advanced notice for scheduled maintenance, and will provide Client with no less than 48 hours advanced notification concerning planned outages, which will include the following information:
● Affected systems and services
● Reason for outage
● Expected downtime
● Contact information
       
Downtime due to planned outages where the outage is within the expectation set in the notification and where Omegabit has provided notification of the event to the Client at least 48 hours in advance is not used in calculating monthly application availability.
       
In the event that Web application availability falls below 99.95% in any calendar month, Client will be credited on the next billing cycle with an amount equal to the percentage of the affected month's total hosting charges as indicated per the SLA terms.
       

Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

Antivirus software is typically not applicable for the nature of this application and Linux hosting environment.  However, several commercial and open source options are available, and supported on request.  Nominal licensing fees may apply.  Please contact your Omegabit representative for more details. 

Patch management is documented with visibility by the customer and application sponsors via security ticketing system supplied by Omegabit for the purposes of approval workflow, audit, and historical record. Customer specific Wikis are also maintained to help document information that is proprietary to the Client implementation and that is important to all parties. Schedules and approvals are managed in direct coordination with Client teams to ensure changes are controlled and do not cause breakage. Actions are scheduled according to policies defined in the Omegabit SOW/SLA, except where explicitly overridden by special policy or Client requirement.

Yes, to the limits deemed appropriate by the customer.  Omegabit manages Liferay installations that vary from completely managed environments, to mixed managed environments where Omegabit assumes control of production but not development environment, to a more traditional turnkey approach.  In all cases, Omegabit will work with the Customer to ensure that best practices are followed, and is able to provide recommendations on methods and procedures that will help ensure the smooth rollout, operation and maintenance of the application and runtime environments.

Patches relating to security or access control will be prioritized over other non-critical tasks and expedited wherever possible.  Software patches requiring special personnel or procedures, an extended outage, or client-side testing and coordination will be applied at best possible speed, and typically take a minimum of 48 hours and up to 5 business days to coordinate and execute.  All outages are coordinated with Client, except where necessitated by emergency repair.

Infrastructure patching of our cloud occurs transparently and is typically no impact to you thanks to the redundant nature.  If impactful maintenance must occur, we provide a week or more notice in advance and will coordinate with you to ensure it occurs during a planned window and is clearly communicated (this is rare, and we understand the potential impact to your operations and will coordinate, accordingly).

For your hosted infrastructure, patch cycles are always coordinated with your team to avoid interruptions to production services and "surprises" with compatibility (both OS and Liferay/application layer).  We help remind of this schedule but it is ultimately up to your team to approve the updates and allow the opportunity for the work to occur.  ]]

We recommend a cycle of no longer than 3mos, except where there is a specific need (e.g. for urgent security fix or, function).  Generally speaking, OS same-release patches occur without incident, but may require a service restart.  For Liferay, your engineering team will typically need to integrate the patches with any custom builds and test extensively.  So we consider that part of the custom development/maintenance lifecycle.

For any patching or configuration changes, we do strongly recommend a prerelease strategy to prove out the change before it is promoted to production.

We are here to help support that lifecycle, and are able to help the engineering team identify potential conflicts with patches and fixpacks vs. custom code using the Liferay patching tools.

Liferay is fully SAML compatible and provides out-of-the-box integration with most SAML systems.

Liferay and the host infrastructure can serve as both a SAML Service Provider (subscriber), as well as a full SAML Identity Provider  and SSO Authenticator (IDP).