With a web application such as Origami Risk, there are a number of fronts that must be managed in order to help ensure that data is secure. One of the major focuses for Origami Risk is within the application itself. Origami Risk takes a number of steps to help ensure application security, including:
- Penetration Testing – Origami Risk conducts regular testing to help ensure that the defenses employed in the application and environment are sufficiently keeping up with vulnerabilities that could be exploited to compromise our clients’ data.
- Vulnerability Assessment – Origami Risk uses state-of-the-art tools to regularly perform scans for vulnerabilities within its information system and client applications.
- User Security – Origami Risk’s role-based security provides clients the ability to manage their users’ access and capabilities down to the field level. In addition, Origami Risk is built to accommodate Single Sign-On authentication, allowing clients to authenticate their users to specific roles through their own network.
- Encryption – Encryption helps ensure that Origami Risk’s client data is protected from unauthorized access at all times. All data is encrypted in transit and at rest within Origami’s Amazon Web Services Elastic Cloud environment, and all Origami Risk databases use file-level encryption. In addition, all web traffic is encrypted using Transport Layer Security (TLS).
- Intrusion Detection and Prevention – Intrusion detection and prevention tools are also utilized to establish a security perimeter that provides Origami Risk with real-time alerts of suspicious activity and traffic indicating an active or attempted compromise.
Data Center Security
Origami Risk’s servers are housed in the Amazon Web Services Elastic Cloud environment. Amazon Web Services Elastic Cloud maintains several data centers with the highest standards in data security.
Amazon Web Services Elastic Cloud data centers are housed in nondescript facilities that have extensive setback and military-grade perimeter control berms, as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points in accordance with professional security standards, utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized personnel must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon also provides environmental controls in its data centers to assure the proper working condition of its systems, including fire prevention/suppression, power management, and temperature controls.
Origami Risk utilizes Amazon regions that are confined to the United States. Data maintained by Origami Risk is kept in these regions and will not be moved to offshore regions.
More details can be found at http://aws.amazon.com/security/.
Origami Risk maintains compliance with the following standards, attesting to our commitment to provide world-class security:
- SOC 2 – SOC 2 is a reporting framework created by the American Institute of Certified Public Accountants (AICPA) that assesses the controls of service companies such as Origami Risk. Origami Risk’s SOC 2 report, prepared pursuant to an independent third-party examination, demonstrates how Origami Risk achieves compliance with important controls related to security and confidentiality. Origami Risk’s SOC 2 report contains a description of its controls environment and an external audit of its controls that meet the AICPA Trust Services Security and Confidentiality Principles and Criteria. Origami Risk’s service is audited under this framework on an annual basis by an accredited firm.
- FISMA – Origami Risk is compliant with security controls based on NIST 800-53 Revision 4 and has received Federal Information Security Management Act (FISMA) Moderate System Authorization and Accreditation. In addition, the Origami Risk service has received Authorization to Operate (ATO) by a federal authorizing agency.
- HIPAA Security Rule – Compliance with NIST 800-53 allows Origami Risk, by way of existing security controls, to meet security requirements established by the HIPAA Security Rule in accordance with NIST SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule”.
- EU-U.S. and Swiss-U.S. Privacy Shield – Privacy Shield is a framework designed by the U.S. Department of Commerce and European Union member countries and Switzerland to provide companies with a mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Origami Risk has joined the Privacy Shield Framework and has self-certified to the U.S. Department of Commerce that it agrees to adhere to the Privacy Shield Principles. Evidence of this certification is available at https://www.privacyshield.gov/.
- EU General Data Protection Regulation (GDPR) – The GDPR is a comprehensive data protection law in the European Union (EU) that will become effective on May 25, 2018. Origami Risk is committed to GDPR compliance when enforcement begins and is dedicated to helping customers comply with the GDPR with regard to the Origami Risk service, which includes providing GDPR-related assurances in Origami Risk’s contractual commitments. Additionally, Amazon Web Services (AWS) – the cloud computing environment for Origami Risk – has announced that it will comply with the GDPR when the regulation becomes enforceable.