Security

Security at Origami Risk is paramount. Origami Risk utilizes real-time intrusion detection and prevention tools, penetration testing, and data encryption to help protect the security of client data at all times. In addition, Origami Risk maintains compliance with rigorous SOC 1 Type II, SOC 2 Type II, and NIST 800-53 security controls and has joined the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.

Application Security

With a web application such as Origami Risk, there are a number of fronts that must be managed in order to help ensure that data is secure. One of the major focuses for Origami Risk is within the application itself. Origami Risk takes a number of steps to help ensure application security, including:

  • Penetration Testing – Origami Risk conducts regular penetration tests to help ensure that the defenses employed in the application and its environment keep pace with vulnerabilities that could be exploited to compromise our clients’ data.
  • Vulnerability Assessment – Origami Risk uses state-of-the-art tools to regularly scan for vulnerabilities within its information system and client applications.
  • User Security – Origami Risk’s role-based security gives clients the ability to manage their users’ access and capabilities down to the field level. In addition, Origami Risk is built to accommodate Single Sign-On (SSO) authentication, allowing clients to authenticate their users through their own network and map them to specific roles.
  • Encryption – Encryption helps ensure that Origami Risk’s client data is protected from unauthorized access at all times. All data is encrypted in transit and at rest within Origami’s Amazon Web Services Elastic Cloud environment, and all Origami Risk databases use file-level encryption. In addition, all web traffic is encrypted using Transport Layer Security (TLS).
  • Intrusion Detection and Prevention – Intrusion detection and prevention tools establish a security perimeter that provides Origami Risk with real-time alerts on suspicious activity and traffic that indicate an active or attempted compromise.
  • Domain Name System Security Extensions (DNSSEC) – Signing DNS records with public/private key cryptography creates a chain of trust that lets resolvers validate the responses they receive, providing assurance that Origami Risk users are connecting to the correct domain.

Data Center Security

Origami Risk’s servers are housed in the Amazon Web Services Elastic Cloud environment. Amazon Web Services Elastic Cloud maintains several data centers built to the highest standards in data security. Amazon Web Services Elastic Cloud data centers are housed in nondescript facilities that have extensive setback and military-grade perimeter control berms, as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized personnel must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Amazon also provides environmental controls in its data centers to ensure the proper working condition of its systems, including fire prevention/suppression, power management, and temperature controls. Origami Risk uses only Amazon regions located in the United States. Data maintained by Origami Risk is kept in these regions and will not be moved to offshore regions. More details can be found at http://aws.amazon.com/security/.

Compliance

Origami Risk maintains compliance with the following standards, attesting to our commitment to provide world-class security:

  • SSAE 18 – The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants for reporting on internal controls at service organizations. Origami Risk undergoes annual SSAE 18 SOC 1 Type II and SOC 2 Type II audits under this standard. Origami’s SOC 1 Type II and SOC 2 Type II reports demonstrate how we achieve compliance with internal controls related to financial reporting (SOC 1 Type II) and security and confidentiality (SOC 2 Type II). The reports contain a description of our controls environment and the external audit results for those controls.
  • FISMA – Origami Risk is compliant with security controls based on NIST 800-53 Revision 4 and has received Federal Information Security Management Act (FISMA) Moderate System Authorization and Accreditation. In addition, the Origami Risk service has received an Authorization to Operate (ATO) from a federal authorizing agency.
  • HIPAA Security Rule – Compliance with NIST 800-53 allows Origami Risk, by way of its existing security controls, to meet the security requirements established by the HIPAA Security Rule in accordance with NIST SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule”.
  • EU-U.S. and Swiss-U.S. Privacy Shield – Privacy Shield is a framework designed by the U.S. Department of Commerce and European Union member countries and Switzerland to provide companies with a mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Origami Risk has joined the Privacy Shield Framework and has self-certified to the U.S. Department of Commerce that it agrees to adhere to the Privacy Shield Principles. Evidence of this certification is available at https://www.privacyshield.gov/.
  • EU General Data Protection Regulation (GDPR) – The GDPR is a comprehensive data protection law in the European Union. Origami Risk complies with the GDPR with regard to the Origami Risk service and is dedicated to helping customers comply with the GDPR with regard to the Origami Risk service, which includes providing GDPR-related assurances in Origami Risk’s contractual commitments. Additionally, Amazon Web Services (AWS) – the cloud computing environment for Origami Risk – also maintains GDPR compliance.