This white paper was updated in February 2019
OperationsCommander (OPS-COM) is a cloud-based, hosted solution that provides parking and security software. This system has been fully developed, in-house over that last 15 years. Tomahawk Technologies is committed to maintaining a high level of information security, and its' key priority is always protecting customers’ information, and carefully maintaining the information security of OPS-COM. This Security White Paper gives an overview of the OPS-COM security features.
OPS-COM is PCI DSS 3.1 certified and is audited yearly by a third-party to maintain this certification. Risk analysis forms the foundation of our security program. Risk assessments are periodically performed and security is regularly discussed in weekly team meetings. Our security processes, roles, and responsibilities are clear and well defined. Everyone is aware of our responsibilities and obligations when protecting our clients data. We review our policies annually and ensure that all employees sign off on them. OPS-COM is developed and maintained by inspired, skilled personnel who are committed to maintaining a high level of information security. OPS-COM has been designed to meet customers' strict security requirements and industry best practices.
OPS-COM has a solid and secure foundation that is based on widely used security methods and protocols. It has been designed to protect data both in transit and at rest to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.
Operation and maintenance of OPS-COM follows documented processes. Continuous monitoring of information security and system performance ensures that all deviations and incidents can be responded to in a timely manner by trained and competent personnel in accordance with the
incident response process.
This document is designed to answer all your questions regarding the security and design of both OPS-COM and our supporting systems.
|General OPS-COM Information|
What browsers are supported?
OPS-COM supports the latest version of the following browsers:
Is OPS-COM mobile friendly?
Our system is largely optimized for mobile devices with some of the more obscure sections being updated within the year. The main system is to be used as a mobile website.
Our violations app is specific to Android devices.
Who owns OPS-COM?
OPS-COM owned by Tomahawk Technologies Inc., a privately owned, Canadian company.
92 Bridge St. Carleton Place, ON Canada
What laws govern the contractual agreement as it relates to the licensing arrangement?
The laws of the province of Ontario
Appendix B in our Contract outlines our privacy policies. All employees review and acknowledge our Privacy and Security policies annually. All employees sign confidentiality agreements.
| Describe your coding practices and how you security test your applications. |
|How often are new versions of OPS-COM released? Who performs these upgrades? Are they disruptive to customers? Are they disruptive to the service availability?|
We currently do monthly updates with any potential changes being released to a preview (production mirror site) 1 week before it is moved to clients production code. SysAdmins work with Developers to release these code changes. These releases are transparent to clients and rarely, if ever, disrupt service.
Notifications are sent out prior to the release to inform the client that the release is coming and should be tested and reviewed based on client workflow. Release notes and documentation are available prior to release to preview. Critical hot fixes are occasionally released to production systems as warranted.
With less than 6 hours lost to down time in the past 12 months, we are averaging an up time better than 99.5%
|Incident Response Plan|
|What happens if there is a breach or a data security incident?|
If there is an incident, the client would be notified with all pertinent details. Depending on the severity of the issue, the system would be disconnected from the network and a snapshot of the system state and hard drive would be taken (all systems are VM’s)
Our Contracts state the following:
In the event that the Service Provider anticipates a breach of privacy or becomes aware of a breach relating to the personal information received, collected, retained, or stored by the Service Provider in the course of performing the Services, the Service Provider must immediately notify the Customer in writing of the following, to the extent known:
What are the qualifications of your incident response staff?
|Our development/technical staff have been working with the software application and servers for many years. Currently we employ:|
All developers and sysadmins are required to participate in our security awareness program.
|Processes & Policies|
|What is your change control process as it relates to OPS-COM?||We assess new technologies regularly. Through small office lunch and learn sessions, and meetings, we discuss future initiatives. At this time much of our software (functional) changes are driven through client requests and therefore managed as projects. Internally we also investigate opportunities to integrate technical improvements with every project.|
Does the Service Provider have formal written Information Security Policies?
|Yes, we have 18 PCI compliant policies and an additional 3 Security policies that are required to protect our data and that of our clients while maintaining a high standard of data security.|
|Describe your information security (INFOSEC) organizational structure and your policies.||We are a small office of 10, with 1 server admin and 2 Sr. developers. Any tech issues flow through these staff members. The business owner is a key architect to the application and one of the senior developers. Security and process are regular points for discussion at Team meetings and all employees have knowledge of PCI requirements for data security. Polices are documented and reviewed regularly.|
|Are you SOC 2 compliant?||No, not at this time.|
|Are you PCI compliant?|
Yes, we are PCI DSS 3.1 compliant. We are assessed annually by a 3rd party to ensure we maintain compliance.
Our Attestation of Compliance, SAQ D-SP is available upon request
|Do you have a disaster recovery process?|
We have a Disaster Recover Plan that is tested every 3 months. Backups are performed using external hard drives and are kept for 7 years. Backups are located at the data centre and Head Office.
|Data Model and Data Security|
|Describe your application’s architecture and tiered design|
Our Web servers are publicly accessible, however, our SQL servers are not.
SQL servers are backed up daily, and mirrored to a secondary system.
How do you protect user authentication information?
Usernames and passwords are used and are stored to the SQL server. Passwords are encrypted with a minimum Blowfish with 64 bit key for legacy systems and for OPS-COM systems that use Android or PHP rijndael-128 is used. All passwords are hashed for one-way hashing. IP filtering is also possible. OPS-COM allows for password aging and complexity requirements to be enforced.
Client files can be accessed by SysAdmins and Sr. Developer's only, and only on an as-required basis.
|Is Data protected "at rest" and "in motion"?|
All sensitive data is encrypted in transit and at rest. For Data in Motion: all transfers are logged; all transfers are encrypted. Data at Rest is secured using Column level encryption inside database.
|How is data backed up, stored and protected?|
Client user files are backed up and held for 7 years on external hard drives unless requested to be destroyed earlier. These hard drives are held in a secure location at all times. External Hard drives are the only removable media we use to store client data. We do not store client media on desktops, laptops or BYODs.
Client data is occasionally stored on systems owned and operated by a third-party but only as required for proper system functionality and in a very limited capacity. For example, Google app engine is used to store/host ticket images, no other data is hosted with third-party services
Our backup procedures are multi-tiered since data is the single most important detail for business continuity.
We maintain a separate data link specifically for storage traffic. This (SAN) network is physically disconnected from the main LAN (and WAN) network.
All backups are stored at the co-location facility on a server that is designated solely for this purpose. On a rolling (nightly) schedule, backups are pushed to a removable device which is physically removed (quarterly) and stored in an offsite secure location
Client data does exist on development, QA and preview environments. These environments are secured in the same fashion that production data is.
When disk media is destroyed Tomahawk uses Secure Erase as outlined by the U.S. National Institute of Standards and Technology (NIST)
External backup drives not stored in data centre are retained at head office for long term storage (7 years). Physical security includes locked doors, keypads, alarm systems, motion sensors, and a locked safe. Access to external drives is limited to OPS-COM employees who explicitly require such access to provide disaster recovery and backup retrieval services.
|Who has access to your data and who approves this access and are we notified?|
Technical support personnel who require access to support Clients or require access to perform job duties and responsibilities have access to client data. This may include programmers, system administrators, and client support staff. Lead System Administrators determine who requires such access based on aforementioned requirements. We log our access to client data using a ticketing system when we do either testing (upcoming releases for new functionality) or for support reasons.
|Who is considered the owner of client data stored in vendor or third-party Data centres?||The client always owns their database of information on the system. We will provide a Raw Data Dump in a MS-SQL file format for the client to use as required. There are small fees for creating and providing to the client the data file. We will not provide the architecture or road map of the data since that would be considered proprietary information.|
|How do you segment and isolate our customer instance and data from other customer data?||Each customer instance has a separate database with separate login credentials.|
|Describe the permissions granted to each role in your application/system?|
OPS-COM has the ability to set up permissions for all roles. The Super User, (usually the department head) sets permissions for all levels. For example; counter staff could have permission to add/edit payments but not edit site configuration. A patrol officer could enter violations but not edit violation types.
There are in excess of 75 permissions that can be set to fine tune any role. When the permissions are assigned, the assignee will only see what they can do. They will not be aware of restricted permissions.
|Do you ever use client data for analysis? Is client data ever shared with 3rd parties?||No.|
|System & Network Security|
|What is your system availability notification process?|
System availability is monitored with monitoring software. Logs are monitored for errors and anomalies. All technical staff are notified of any outages, 24/7. Clients are notified of outages if they are not rectified within 1 hour.
|Who has access to these systems and how do they authenticate|
System Administrator and Senior Developers have access and they authenticate through VPNs using Microsoft Active Directory accounts with proper permissions. Passwords are managed through LastPass. All access, including administrative accounts, is controlled and logged (i.e. firewalls, file system permissions, ACLs, database table permissions, packet logs, etc.)
What is your patch management process?
What is the patching protocol for back-end infrastructure? How often are critical hotfixes to server OS, database and other components installed?
System and Operating System:
Weekly, most updates are done automatically (such as OS). In some cases where additional testing and precautions are required before an update, the patch maybe delayed by a few days.
Describe your vulnerability management and notification process.
Third party security audits, email notifications of errors (sometimes security related). Quarterly we are scanned for system vulnerabilities by a 3rd party.
How is your production network segmented from your corporate, QA, and development environments?
There are completely different servers, code, and databases. QA and Dev servers are also located in a different physical location. Non-production servers (preview, QA, and dev) are also sandboxed as to not allow database connections to production systems, emails are blocked from being sent out, etc. No matter what is done in a non-production system, the production systems won't be affected.
|Describe your systems High Availability features|
To offer high availability at the operating system level, we use Citrix XenServer technology to provide a virtualized server environment. This allows us to maintain 6 physical servers (running numerous server VM's) which can act as DOM0 (server master) at any point in time. In a case where one VM is running away with CPU or eating up memory, the other VM's will be transitioned automatically to a designated secondary; generally with no noticeable adverse effect. If a physical server requires maintenance a secondary server can manually be designated to handle the load and ensure that the virtual server(s) and exposed services are not affected.
In the case of web services, our website hosting servers have automatic load balancing in place between multiple servers. If one of the web servers is inaccessible, such as in the case of Windows updates or a reboot, our system will automatically stop directing web traffic to the inaccessible web server and start directing web traffic to the other available servers.
In the case of SQL services, our SQL database servers are mirrored to sister servers which fail over automatically under similar conditions. Whether due to maintenance or increased load, this allows our technical team to take a server offline at any time with no affect to client services.
At the network layer, we employ a backup firewall device which would take on the role of master in the event of a physical firewall failure.
Do you have a vulnerability management and penetration testing program?
SecurityMetrics does our vulnerability scanning. Our scans identify top risks such as misconfigured firewalls, malware hazards, and remote access vulnerabilities to keep your data safe.
What type of firewalls do you use?
Are you using Next Gen Firewalls and IPS to secure your Data centre customers from the internet? If you are using a third party hosting provider such as Azure or AWS, are you operating any advanced threat detection services through that vendor?
Yes, deep pack inspection (DPI), network monitoring, and application firewall are all used by our firewalls. We do not use third party hosting providers related to firewalls.
How are system/network monitoring, logging and alerting setup?
|How do you safeguard against virus and malicious code?||We use Kaspersky software to help ensure virus/malware clean systems. This same software offers firewall and malicious process monitoring. No software is installed on servers once in production, with minor exceptions. Servers are never used as desktop systems.|
What are your capacity management practices?
|Is wireless networking used in your organization||Yes, wireless networking is used at the OperationsCommander head office in Carleton Place. Wireless access is limited by device MAC address.|
What are you currently performing in terms of build hardening?
|System hardening is based on our policy System Lockdown Policy. This policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities. Physical firewall hardware is utilized to limit network/system access|
|Do you have a completed Shared Assessments full SIG questionnaire? Have you undergone a SAS 70 or SSAE 16 audit?||No.|
|What internal controls do you currently have in place to audit the security configuration of any AWS or SaaS hosted applications – e.g. secure storage and database instances||Anti-virus software, Host Monitor software, Status screens (dedicated TV's and PCs with system status dashboard information for sysAdmins), Database transaction logs, IIS logs, Windows logs, Payment logs.|
|Risk Management practices - any other controls or process you can share?|
All employees read and confirm understanding of PCI policies annually. These policies cover areas such as Confidential Data, Incident Response, External connections etc.
In addition to understanding the established policies, employees are encouraged to identify potential risks or make suggestions, whether related to system administration, software development, QA testing, or support.
When risks are identified appropriate personnel are notified and severity and priority are determined.
Risks are logged and tracked in project management to be scoped and scheduled for resolution.
Weekly team meetings and quarterly department assessments are made to discuss resolutions or status on outstanding resolutions.
|Data Centre Information|
What are the requirements for the data centre?
We use Rogers Data Centre in Ottawa, Ontario Canada. Physical servers are owned and operated by Tomahawk Technologies Inc. NOT Rogers Data Centre.
Users with high level access permissions can add and remove who has access to the data centre via contacting the company that runs the data centre. A physical meeting is also required to get access for iris scans and card.
A web portal lists users who have access to the data centre with varying levels of permissions.
Access is only granted to System Administrators who require it to perform their duties (add new servers, hard drives, maintain existing, etc) gain entry to the data centre.
|What redundancy and availability does the data centre provide?|
|Can the system be setup in multiple Data centres to support HA?||Yes, the system could be setup in multiple data centres to support a geographical separate HA installation. The same technologies that are used on the local system LAN could be replicated in a secure WAN environment.|
|SSO Implementation with OPS-COM|
|Please describe how SSO is implemented in your solution.|
SSO is implemented with standard client/server technology. Recent project implementation using CAS under Jasig (http://www.jasig.org/cas). The Jasig open source CAS server software integrates with a number of protocols for back-end SSO implementation. Whether local or remotely accessed, the CAS server offers a front line to SSO.
We support SAML 1.1 through CAS
|Does your system require access to direct LDAP access for SSO in a hosted environment?||No, using a CAS server (as mentioned above) it would be possible to access LDAP without requiring direct LDAP access. In almost all cases this would be preferred implementation as this allows for future scalability without requiring any changes to the software. As an example, the Jasig CAS server supports proxy authentication using custom developed (or existing) plugin modules. Since the Jasig CAS project is a community driven project, it continues to mature and grow with added features.|