...

General OPS-COM Information 

What browsers are supported?

OPS-COM supports the latest version of the following browsers:

  • Internet Explorer

  • Safari

  • Chrome

  • Firefox

Is OPS-COM mobile friendly?

Our system is largely optimized for mobile devices with some of the more obscure sections being updated within the year. The main system is to be used as a mobile website.

Our violations app is specific to Android devices.

Who owns OPS-COM?

OPS-COM is owned by Tomahawk Technologies Inc., a privately owned Canadian company.

92 Bridge St. Carleton Place, ON Canada

855-410-4141

What laws govern the contractual agreement as it relates to the licensing arrangement?

The laws of the province of Ontario

What is your Privacy Policy and how is it implemented?

Appendix B in our Contract outlines our privacy policies. All employees review and acknowledge our Privacy and Security policies annually. All employees sign confidentiality agreements.

  
Product Lifecycle 
Describe your coding practices and how you security test your applications.

We use:

  • Peer code reviews
  • QA & testing by junior developers and non-developer staff.
  • Third-party scanning
  • Web application vulnerability testing.

How often are new versions of OPS-COM released? Who performs these upgrades? Are they disruptive to customers? Are they disruptive to the service availability?

We currently do monthly updates, with any potential changes released to a preview (production mirror) site one week before they are moved to clients' production code. SysAdmins work with developers to release these code changes. These releases are transparent to clients and rarely, if ever, disrupt service.

Notifications are sent out prior to the release to inform the client that the release is coming and should be tested and reviewed based on client workflow. Release notes and documentation are available prior to release to preview. Critical hot fixes are occasionally released to production systems as warranted.

With less than 6 hours lost to downtime in the past 12 months, we are averaging an uptime better than 99.5%.


  
Incident Response Plan 
What happens if there is a breach or a data security incident?

If there is an incident, the client would be notified with all pertinent details. Depending on the severity of the issue, the system would be disconnected from the network and a snapshot of the system state and hard drive would be taken (all systems are VMs).

Our Contracts state the following:

In the event that the Service Provider anticipates a breach of privacy or becomes aware of a breach relating to the personal information received, collected, retained, or stored by the Service Provider in the course of performing the Services, the Service Provider must immediately notify the Customer in writing of the following, to the extent known:

    • the nature of the information that was breached (type and date of the information, name(s) of the person(s) whose information is affected);
    • when the breach occurred;
    • how the breach occurred;
    • who was responsible for the breach;
    • what steps the Service Provider has taken to mitigate the matter; and
    • what measures the Service Provider has taken to prevent re-occurrence

What are the qualifications of your incident response staff?

Our development/technical staff have been working with the software application and servers for many years. Currently we employ:
    • 2 Senior developers with application and system knowledge.
    • 1 System Administrator with advanced system/server knowledge in regard to setup, firewall, web server + SQL, and virtualisation platform.

All developers and sysadmins are required to participate in our security awareness program.


  
Processes & Policies 
What is your change control process as it relates to OPS-COM?

We assess new technologies regularly. Through small office lunch-and-learn sessions and meetings, we discuss future initiatives. At this time many of our software (functional) changes are driven by client requests and are therefore managed as projects. Internally we also investigate opportunities to integrate technical improvements with every project.

Does the Service Provider have formal written Information Security Policies? 

Yes, we have 18 PCI compliant policies and an additional 3 Security policies that are required to protect our data and that of our clients while maintaining a high standard of data security.
Describe your information security (INFOSEC) organizational structure and your policies.

We are a small office of 10, with 1 server admin and 2 Sr. developers. Any tech issues flow through these staff members. The business owner is a key architect of the application and one of the senior developers. Security and process are regular points for discussion at team meetings, and all employees have knowledge of PCI requirements for data security. Policies are documented and reviewed regularly.
  
Third-Party Compliance 
Are you SOC 2 compliant?

No, not at this time.

Are you PCI compliant?

Yes, we are PCI DSS 3.1 compliant. We are assessed annually by a 3rd party to ensure we maintain compliance.

Our Attestation of Compliance (SAQ D-SP) is available upon request.


  
Disaster Recovery 
Do you have a disaster recovery process?

We have a Disaster Recovery Plan that is tested every 3 months. Backups are performed using external hard drives and are kept for 7 years. Backups are located at the data centre and Head Office.

  
Data Model and Data Security 
Describe your application’s architecture and tiered design

Our web servers are publicly accessible; our SQL servers are not.

SQL servers are backed up daily and mirrored to a secondary system.

All data is stored on iSCSI RAID devices which are on a separate network. The system is multi-tenant; for example, iSCSI LUNs are separated and sit on a network accessible only to VM hosts.

How do you protect user authentication information?

Usernames and passwords are used and are stored on the SQL server. Passwords are encrypted with, at minimum, Blowfish with a 64-bit key for legacy systems; for OPS-COM systems that use Android or PHP, rijndael-128 is used. All passwords are stored as one-way hashes. IP filtering is also possible. OPS-COM allows password aging and complexity requirements to be enforced.
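The following is an added example, not OPS-COM code, of what "one-way hashed with aging and complexity requirements" looks like in practice: a salted password-hashing record for the SQL server, constant-time verification, a complexity check, and an age check. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the Blowfish/rijndael mechanisms the page names; the iteration count, the 12-character minimum and the 90-day maximum age are assumptions.

```python
"""Added example (not OPS-COM code): storing administrator passwords as
salted one-way hashes and enforcing complexity and aging rules.
PBKDF2-HMAC-SHA256 stands in for the Blowfish/rijndael mechanisms named
on the page; ITERATIONS, MIN_LENGTH and MAX_PASSWORD_AGE are assumptions."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional

ITERATIONS = 600_000                    # assumed work factor
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed aging policy
MIN_LENGTH = 12                         # assumed complexity policy


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    The salt is random per password, so two users with the same password
    get different records and a stolen table cannot be attacked in bulk.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False                     # corrupt record: deny
    if algo != "pbkdf2_sha256":
        return False                     # unknown/legacy record: force a reset rather than guess
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def complexity_errors(password: str) -> List[str]:
    """Return the complexity rules a candidate password fails (empty list = acceptable)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [message for ok, message in checks if not ok]


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Password aging: True once the record is older than MAX_PASSWORD_AGE."""
    return now - last_changed > MAX_PASSWORD_AGE
```

The record format carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at next login without a migration; `verify_password` refuses anything it does not recognise instead of falling back to a weaker scheme.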

Client files can be accessed by SysAdmins and Sr. Developers only, and only on an as-required basis.

Is data protected "at rest" and "in motion"?

All sensitive data is encrypted in transit and at rest. For data in motion: all transfers are logged and all transfers are encrypted. Data at rest is secured using column-level encryption inside the database.

How is data backed up, stored and protected?

Client user files are backed up and held for 7 years on external hard drives unless requested to be destroyed earlier. These hard drives are held in a secure location at all times. External Hard drives are the only removable media we use to store client data. We do not store client media on desktops, laptops or BYODs.

Client data is occasionally stored on systems owned and operated by a third party, but only as required for proper system functionality and in a very limited capacity. For example, Google App Engine is used to store/host ticket images; no other data is hosted with third-party services.

Our backup procedures are multi-tiered since data is the single most important detail for business continuity.

  • All systems run on RAID-10 storage devices
  • All servers utilize an iSCSI storage link to RAID-10 hardware
  • All SQL services replicate all data to a designated data mirror server

  • All VMs are backed up (complete VM; OS & data snapshot) once per month and maintained for 3 months
  • All dynamic data (script + SQL) is backed up nightly and maintained indefinitely (or until contract termination)
  • Single-day backups are maintained for one week
  • Weekly backups are maintained for two months
  • Monthly backups are maintained indefinitely (or until contract termination)
  • Emergency and data restore tests are performed regularly
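As an added example (not OPS-COM code), the tiered retention just listed can be made mechanical so the nightly prune step keeps exactly the copies the policy promises and nothing less. It takes "two months" as 62 days and defines the weekly and monthly copies as the first backup of each ISO week and of each calendar month; both are assumptions, and the sample dates are constructed.

```python
"""Added example (not OPS-COM code): applying the tiered retention policy
(single-day copies for one week, weekly copies for two months, monthly
copies indefinitely) to a set of nightly backup dates.  WEEKLY_KEEP = 62
days and the "first backup of the period" rule are assumptions."""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

DAILY_KEEP = timedelta(days=7)     # single-day backups are maintained for one week
WEEKLY_KEEP = timedelta(days=62)   # weekly backups are maintained for two months (assumed 62 days)
# Monthly backups are maintained indefinitely, so they have no age limit.


def backups_to_keep(backup_dates: Iterable[date], today: date) -> Set[date]:
    """Return the subset of backup dates the policy requires us to retain."""
    keep: Set[date] = set()
    first_of_week: Dict[Tuple[int, int], date] = {}
    first_of_month: Dict[Tuple[int, int], date] = {}
    for d in sorted(set(backup_dates)):
        # Because dates are sorted, setdefault records the earliest copy in each period.
        first_of_week.setdefault((d.isocalendar()[0], d.isocalendar()[1]), d)
        first_of_month.setdefault((d.year, d.month), d)
        # Daily tier: anything from the last seven days (a future-dated copy,
        # i.e. a clock problem, also lands here and is never pruned silently).
        if today - d <= DAILY_KEEP:
            keep.add(d)
    # Weekly tier: the first copy of each week, while it is younger than two months.
    for d in first_of_week.values():
        if today - d <= WEEKLY_KEEP:
            keep.add(d)
    # Monthly tier: the first copy of each month, forever.
    keep.update(first_of_month.values())
    return keep


def prune_plan(backup_dates: Iterable[date], today: date) -> Tuple[List[date], List[date]]:
    """Split the inventory into (keep, prune) lists; the caller deletes only `prune`."""
    inventory = sorted(set(backup_dates))
    keep = backups_to_keep(inventory, today)
    return sorted(keep), [d for d in inventory if d not in keep]


def nightly_dates(start: date, end: date) -> List[date]:
    """Constructed inventory: one backup per night from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    keep, prune = prune_plan(nightly_dates(date(2024, 1, 1), date(2024, 4, 30)), date(2024, 4, 30))
    print(f"keep {len(keep)} copies, prune {len(prune)}")
    for d in keep:
        print("  keep", d.isoformat())
```

Deciding retention from the inventory rather than from a fixed "delete files older than N days" rule is what makes the monthly tier survive; a single age threshold would eventually delete the copies the policy says are kept indefinitely.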

We maintain a separate data link specifically for storage traffic. This (SAN) network is physically disconnected from the main LAN (and WAN) network.

All backups are stored at the co-location facility on a server that is designated solely for this purpose. On a rolling (nightly) schedule, backups are pushed to a removable device which is physically removed (quarterly) and stored in an offsite secure location.

Client data does exist on development, QA and preview environments. These environments are secured in the same fashion that production data is.

When disk media is destroyed, Tomahawk uses Secure Erase as outlined by the U.S. National Institute of Standards and Technology (NIST).

External backup drives not stored in data centre are retained at head office for long term storage (7 years). Physical security includes locked doors, keypads, alarm systems, motion sensors, and a locked safe. Access to external drives is limited to OPS-COM employees who explicitly require such access to provide disaster recovery and backup retrieval services.

Who has access to your data and who approves this access and are we notified?

Technical support personnel who require access to support Clients or require access to perform job duties and responsibilities have access to client data. This may include programmers, system administrators, and client support staff. Lead System Administrators determine who requires such access based on aforementioned requirements. We log our access to client data using a ticketing system when we do either testing (upcoming releases for new functionality) or for support reasons.

Who is considered the owner of client data stored in vendor or third-party data centres?

The client always owns their database of information on the system. We will provide a raw data dump in MS-SQL file format for the client to use as required. There are small fees for creating and providing the data file to the client. We will not provide the architecture or road map of the data, since that would be considered proprietary information.

How do you segment and isolate our customer instance and data from other customer data?

Each customer instance has a separate database with separate login credentials.

Describe the permissions granted to each role in your application/system?

OPS-COM has the ability to set up permissions for all roles. The Super User (usually the department head) sets permissions for all levels. For example, counter staff could have permission to add/edit payments but not edit site configuration; a patrol officer could enter violations but not edit violation types.

All permissions are set using the Edit Admin Users menu. This edit window is only accessible to the Super User and to any others that the Super User grants the "Edit Admin Users" permission.

Another permission in the table is the ability to limit where a user can log in from. IP restrictions can confine logins to a single computer, to an area, or to the whole site, or be left completely open. The Super User can grant the ability to work from offsite locations, i.e., work from home, or limit a user to a single area within a location. Multiple IP addresses can be specified.

There are in excess of 75 permissions that can be set to fine tune any role. When the permissions are assigned, the assignee will only see what they can do. They will not be aware of restricted permissions.
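As an added example (not OPS-COM code), the login-source restriction described above comes down to a check of the requesting address against each administrator's allowed sources before the password is even considered. The admin table, address ranges and proxy address below are constructed; "any" stands for completely open, a /32 for a single computer, and wider CIDR ranges for an area or the whole site.

```python
"""Added example (not OPS-COM code): evaluating a per-administrator
login-source restriction (single computer, an area, the whole site, or
completely open).  The admin table, CIDR ranges and the load balancer
address are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed admin table: each entry lists the sources a login may come from.
ADMIN_LOGIN_SOURCES: Dict[str, List[str]] = {
    "superuser": ["192.0.2.10/32"],                          # one workstation
    "counter_staff": ["192.0.2.0/26"],                       # the front-counter area
    "patrol_officer": ["192.0.2.0/24", "198.51.100.0/24"],   # whole site plus a remote depot
    "auditor": ["any"],                                      # off-site access granted by the Super User
}

# Constructed: the address of the reverse proxy / load balancer in front of the web servers.
TRUSTED_PROXIES: Sequence[str] = ("10.0.0.2",)


def login_allowed(client_ip: str, allowed_sources: Iterable[str]) -> bool:
    """True if client_ip falls inside any allowed source; malformed input is denied."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for source in allowed_sources:
        if source == "any":
            return True
        network = ipaddress.ip_network(source, strict=False)
        if ip.version == network.version and ip in network:
            return True
    return False


def effective_client_ip(peer_ip: str, forwarded_for: str, trusted_proxies: Sequence[str]) -> str:
    """Decide which address to test.

    Behind a load balancer the TCP peer is the balancer, and the real client
    is in X-Forwarded-For.  That header is only believed when the peer is a
    trusted proxy, and then the rightmost hop that is not itself a trusted
    proxy is taken, so a client cannot forge its own entry to pass the check.
    """
    if peer_ip not in trusted_proxies or not forwarded_for:
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


def check_login(username: str, peer_ip: str, forwarded_for: str = "",
                trusted_proxies: Sequence[str] = TRUSTED_PROXIES) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason string is what goes into the access log."""
    sources = ADMIN_LOGIN_SOURCES.get(username)
    if sources is None:
        return False, f"unknown admin user {username!r}"
    ip = effective_client_ip(peer_ip, forwarded_for, trusted_proxies)
    if login_allowed(ip, sources):
        return True, f"{username} allowed from {ip}"
    return False, f"{username} denied from {ip}: not in {sources}"
```

Logging the denial reason, including the address that was actually tested, is what lets a sysadmin later tell a mistyped allow-list from a login attempt that came from somewhere it should not have.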


Do you ever use client data for analysis? Is client data ever shared with 3rd parties?

No.


System & Network Security 
What is your system availability notification process?

System availability is monitored with monitoring software. Logs are monitored for errors and anomalies. All technical staff are notified of any outages, 24/7. Clients are notified of outages if they are not rectified within 1 hour.

Who has access to these systems and how do they authenticate?

System Administrator and Senior Developers have access and they authenticate through VPNs using Microsoft Active Directory accounts with proper permissions. Passwords are managed through LastPass. All access, including administrative accounts, is controlled and logged (i.e. firewalls, file system permissions, ACLs, database table permissions, packet logs, etc.)

What is your patch management process?

What is the patching protocol for back-end infrastructure? How often are critical hotfixes to server OS, database and other components installed?

System and Operating System:

    • Software (Kaspersky) monitors available system patches. The software reports software as well as operating system updates which are available.
    • Nagios is also used to assist in this effort and monitors all Linux boxes for updates.
    • On a regular basis firewall and network devices are updated with new firmware.
    • All server/system updates are tracked using logging tools.
    • Patches are rolled to staging systems when possible to reduce system failure risks.

Software releases:

    • OperationsCommander maintains several systems including development, testing/preview, and production
      • Development systems exist for development
      • Testing/staging/preview systems exist to allow for testing of new patches and software updates
      • Testing/staging/preview systems also exist for testing and training to avoid these actions on production systems
      • Software is rolled to production with messages and release notes to clients about the updates

Weekly, most updates are done automatically (such as OS updates). In some cases where additional testing and precautions are required before an update, the patch may be delayed by a few days.

Describe your vulnerability management and notification process.

We rely on third-party security audits and on email notifications of errors (some of them security related). We are scanned quarterly for system vulnerabilities by a 3rd party.

How is your production network segmented from your corporate, QA, and development environments?

There are completely different servers, code, and databases. QA and dev servers are also located in a different physical location. Non-production servers (preview, QA, and dev) are also sandboxed so that they cannot open database connections to production systems, outgoing emails are blocked, etc. No matter what is done in a non-production system, the production systems won't be affected.

Describe your system's high availability features.

To offer high availability at the operating system level, we use Citrix XenServer technology to provide a virtualized server environment. This allows us to maintain 6 physical servers (running numerous server VMs), any of which can act as DOM0 (server master) at any point in time. In a case where one VM is running away with CPU or eating up memory, the other VMs are transitioned automatically to a designated secondary, generally with no noticeable adverse effect. If a physical server requires maintenance, a secondary server can be manually designated to handle the load and ensure that the virtual server(s) and exposed services are not affected.

In the case of web services, our website hosting servers have automatic load balancing in place between multiple servers. If one of the web servers is inaccessible, such as in the case of Windows updates or a reboot, our system will automatically stop directing web traffic to the inaccessible web server and start directing web traffic to the other available servers.

In the case of SQL services, our SQL database servers are mirrored to sister servers which fail over automatically under similar conditions. Whether due to maintenance or increased load, this allows our technical team to take a server offline at any time with no effect on client services.

At the network layer, we employ a backup firewall device which would take on the role of master in the event of a physical firewall failure.


Do you have a vulnerability management and penetration testing program?

SecurityMetrics does our vulnerability scanning. Our scans identify top risks such as misconfigured firewalls, malware hazards, and remote access vulnerabilities to keep your data safe.

What type of firewalls do you use?

Are you using Next Gen Firewalls and IPS to secure your Data centre customers from the internet? If you are using a third party hosting provider such as Azure or AWS, are you operating any advanced threat detection services through that vendor?


Firewalls used:

  • NOC: SonicWall NSA 2400 MX
  • Office: SonicWall TZ 205

Yes, deep packet inspection (DPI), network monitoring, and application firewall are all used by our firewalls. We do not use third-party hosting providers related to firewalls.


How are system/network monitoring, logging and alerting setup?

  • Automatic network monitoring software (HostMonitor) with email notifications, text notifications, and status display screens.
  • PaperTrail cloud log watching and Nagios monitoring.

How do you safeguard against virus and malicious code?

We use Kaspersky software to help keep systems free of viruses and malware. This same software offers firewall and malicious process monitoring. No software is installed on servers once in production, with minor exceptions. Servers are never used as desktop systems.

What are your capacity management practices?

  • Load balance systems using nginx.
  • Monitor resources through VM management tools.

Is wireless networking used in your organization?

Yes, wireless networking is used at the OperationsCommander head office in Carleton Place. Wireless access is limited by device MAC address.

What are you currently performing in terms of build hardening?

System hardening is based on our System Lockdown Policy. This policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities. Physical firewall hardware is utilized to limit network/system access.

Do you have a completed Shared Assessments full SIG questionnaire? Have you undergone a SAS 70 or SSAE 16 audit?

No.

What internal controls do you currently have in place to audit the security configuration of any AWS or SaaS hosted applications – e.g. secure storage and database instances?

Anti-virus software, Host Monitor software, status screens (dedicated TVs and PCs with system status dashboard information for sysadmins), database transaction logs, IIS logs, Windows logs, and payment logs.

Risk Management practices - any other controls or process you can share?

All employees read and confirm understanding of PCI policies annually. These policies cover areas such as Confidential Data, Incident Response, External connections etc.

In addition to understanding the established policies, employees are encouraged to identify potential risks or make suggestions, whether related to system administration, software development, QA testing, or support.

When risks are identified appropriate personnel are notified and severity and priority are determined.

Risks are logged and tracked in project management to be scoped and scheduled for resolution.

Weekly team meetings and quarterly department assessments are made to discuss resolutions or status on outstanding resolutions.


  
Data Centre Information 

What are the requirements for the data centre?

We use Rogers Data Centre in Ottawa, Ontario Canada. Physical servers are owned and operated by Tomahawk Technologies Inc. NOT Rogers Data Centre.

  • PCI DSS, ISAE 3402 Type II, SSAE 16 SOC 1 Type II and CSAE 3416 Type II certifications
  • Unmarked facilities with single secure entrances for customers and staff.
  • 100 percent CCTV security cameras (low-light technology) monitor facility interiors and exteriors 24x7.
  • Two-stage biometric authentication process (iris-scanners and encrypted access cards).
  • Individually locked cabinets that house servers.

Users with high-level access permissions can add and remove who has access to the data centre by contacting the company that runs the data centre. A physical meeting is also required to get access, for iris scans and card issuance.

A web portal lists users who have access to the data centre with varying levels of permissions.

Only System Administrators who require access to perform their duties (adding new servers and hard drives, maintaining existing ones, etc.) are granted entry to the data centre.

What redundancy and availability does the data centre provide?

  • Fire Suppression
  • N+1 cooling redundancy, computer-controlled compressors, humidity control systems, hot aisle/cold aisle containment and perforated cabinet doors for enhanced temperature control.
  • Two-stage, pre-action dry pipe sprinkler system and/or gas suppression (extinguishes fire without water).
  • Network Redundancy
  • Backup generator
  • Rogers’ private, nationwide Fibre Optic network includes over 25,000 km of fibre routes with connectivity to key network access points in the U.S. and overseas. Our multi-homed network is provisioned with extensive peering and Tier 1 transit providers.
  • Redundant Cooling System
  • 100% uptime
  • Sophisticated architecture design is guaranteed to protect your mission-critical applications and data against possible impact from single points of failure, with redundant connectivity, backup power and cooling.
Can the system be set up in multiple data centres to support HA?

Yes, the system could be set up in multiple data centres to support a geographically separate HA installation. The same technologies that are used on the local system LAN could be replicated in a secure WAN environment.


SSO Implementation with OPS-COM 
Please describe how SSO is implemented in your solution.

SSO is implemented with standard client/server technology. A recent project implementation used CAS under Jasig (http://www.jasig.org/cas). The Jasig open source CAS server software integrates with a number of protocols for back-end SSO implementation. Whether locally or remotely accessed, the CAS server offers a front line for SSO.

We support SAML 1.1 through CAS.

LDAP integrations for SSO have also been done.

Does your system require direct LDAP access for SSO in a hosted environment?

No. Using a CAS server (as mentioned above), it is possible to authenticate against LDAP without the application requiring direct LDAP access. In almost all cases this is the preferred implementation, as it allows for future scalability without requiring any changes to the software. As an example, the Jasig CAS server supports proxy authentication using custom-developed (or existing) plugin modules. Since the Jasig CAS project is community driven, it continues to mature and grow with added features.
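The exchange described above, as an added example that is not OPS-COM's or Jasig's code: the service side of a CAS login, which is why the application never needs LDAP credentials. The browser is redirected to the CAS login page with the service URL; CAS authenticates the user (against LDAP, on the CAS server's side) and returns the browser with a service ticket; the application then validates that ticket server-to-server at /serviceValidate and parses the XML answer. The CAS server URL, service URL, ticket values, and the two XML responses are constructed; the `<cas:attributes>` element is CAS 3.0 style and is treated as optional.

```python
"""Added example (not OPS-COM or Jasig code): the service side of a CAS
login flow.  CAS_BASE, SERVICE_URL, the sample tickets and the sample
XML responses are constructed for illustration."""
import re
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Callable, Dict

CAS_BASE = "https://cas.example.edu/cas"          # assumed CAS server
SERVICE_URL = "https://opscom.example.edu/login"  # assumed protected application
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}    # namespace fixed by the CAS protocol
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]{1,256}$")


def login_redirect_url(service: str = SERVICE_URL, cas_base: str = CAS_BASE) -> str:
    """Step 1: send an unauthenticated browser to the CAS login page."""
    return f"{cas_base}/login?{urllib.parse.urlencode({'service': service})}"


def service_validate_url(ticket: str, service: str = SERVICE_URL, cas_base: str = CAS_BASE) -> str:
    """Step 3: the application (not the browser) asks CAS whether the ticket is valid.
    The identical service URL is sent; CAS rejects tickets issued for another service."""
    return f"{cas_base}/serviceValidate?{urllib.parse.urlencode({'service': service, 'ticket': ticket})}"


def is_service_ticket(ticket: str) -> bool:
    """Accept only ST- tickets here; PT- proxy tickets belong to /proxyValidate."""
    return bool(TICKET_RE.match(ticket))


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_service_validate(xml_text: str) -> Dict[str, object]:
    """Turn the /serviceValidate XML into a decision: ok + user, or a failure code."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"ok": False, "code": "MALFORMED_RESPONSE", "message": "response is not XML"}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            return {"ok": False, "code": "MALFORMED_RESPONSE", "message": "success without user"}
        attrs_el = success.find("cas:attributes", CAS_NS)   # optional, CAS 3.0 style
        attrs = {} if attrs_el is None else {_local(c.tag): (c.text or "").strip() for c in attrs_el}
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"), "message": (failure.text or "").strip()}
    return {"ok": False, "code": "MALFORMED_RESPONSE", "message": "neither success nor failure element"}


def handle_callback(ticket: str, fetch: Callable[[str], str], service: str = SERVICE_URL) -> Dict[str, object]:
    """Step 2-3: the browser is back with ?ticket=ST-...; validate it before creating a session.
    `fetch` performs the HTTPS GET against the CAS server (injected so this runs offline)."""
    if not is_service_ticket(ticket):
        return {"ok": False, "code": "INVALID_TICKET_SPEC", "message": "not a service ticket"}
    return parse_service_validate(fetch(service_validate_url(ticket, service)))


# Constructed sample responses in the shape the CAS protocol defines.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>parking-admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-0000-constructed not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Two points matter for a hosted deployment: the ticket is validated by the application over HTTPS directly to the CAS server, never trusted from the browser alone, and the ticket value itself is checked for shape before it is placed in a URL, so the only thing the application ever learns from the directory is the username and whatever attributes CAS chooses to release.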

...