First Orion Security Overview
1.0 Introduction, Scope & Applicability
This document provides a high-level overview of First Orion’s Security Policy and is intended as a vehicle for sharing information regarding our security posture and approach with partners, clients and prospects who have signed an NDA.
These policies apply to all First Orion employees, contractors, sub-contractors, vendors, and entities employed to perform work or process information on behalf of First Orion that have access to the corporate network of First Orion.
First Orion’s security program follows industry best practices and guidelines established by the National Institute of Standards and Technology (NIST) publications. First Orion has also received ISO 27001:2013 certification for its Information Security Management System (ISMS).
2.0 Roles and Responsibilities
All employees and company officers must comply with the Security Policy and report any suspected policy violation.
Our Security Policy describes the roles and responsibilities of the Chief Security Officer, the Chief Privacy Officer, the Chief Legal Officer, the Chief Marketing Officer, the Chief Human Resources Officer, the Chief Technology Officer, and the Chief Information Officer.
3.0 Security and Privacy
Security and privacy are at the core of First Orion’s business, products, and solutions. When developing applications and solutions, First Orion employees, contractors, and vendors must take the necessary steps to include security and privacy considerations from inception. This includes minimizing attack surface area, employing appropriate defaults, applying the principles of least privilege and defense in depth, and designing our systems to fail securely.
Our Privacy by Design approach addresses global standards for the collection, use and disclosure of personal information while complying with all legal requirements and best practices related to transparency and choice, access and control, and data minimization. This approach also complies with any applicable trans-border data flow obligations.
First Orion’s product managers, supported by the Chief Privacy Officer and Chief Security Officer, perform Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs), and Security Impact Assessments (SIAs) any time there is a product release, a change to the product, or a change in the law that results in changes to how the product collects, uses, or transfers personal information.
4.0 Cloud Computing
First Orion inherits its cloud providers’ physical, environmental, media protection, and business continuity controls when operating inside those cloud environments. However, security and compliance are a shared responsibility and can only be achieved when First Orion also takes measures to secure its own deployments in cloud-based environments.
Information regarding each cloud provider’s security and compliance can be found in that provider’s Security and Compliance center online.
First Orion employees are prohibited from using third-party software as a service, social networks, e-mail, cloud services or other web applications for official First Orion business, unless explicitly authorized to do so.
5.0 Secure Email Communication
First Orion email accounts should be used primarily for First Orion business-related purposes. All First Orion data contained within an email message or an attachment must be secured according to the data classifications in the Data Management Policy.
First Orion monitors all messages and utilizes methods to detect phishing, fraud, or malware in incoming and outgoing messages. However, employees and vendors are still required to screen email and be able, through security awareness training, to discern legitimate communication from potentially hazardous communication.
6.0 Encryption and Hashing
First Orion has designated acceptable hashing algorithms for storing passwords in accordance with the Security Policy.
Acceptable protocols and encryption algorithms are also defined for client-to-site VPN connectivity, site-to-site VPN connectivity, and wireless network connectivity.
Data transport is performed using acceptable transport layer security protocols and cipher suites.
7.0 Standard Configuration Hardening and Data Loss & Leak Prevention (DLP)
System or configuration hardening occurs prior to deployment of new systems, applications, or processes, and common system hardening templates are reviewed periodically.
First Orion may monitor the network, systems, applications, or processes for proper use of data in any state (in motion, at rest, or in use) in accordance with the Security Policy and Data Management Policy.
No computer, digital media storage device, or technology equipment may be repurposed or sold without going through disposal or digital sanitization processes, which may include physical destruction.
8.0 Change Management
First Orion maintains a change management policy and process to ensure that security-related releases, updates, and patches are installed on all applicable systems in a reasonable time to minimize exposure to known risk factors.
9.0 Vulnerability Management
Vulnerability Management is intended to allow First Orion to (a) identify computer system security weaknesses; (b) prioritize assets; (c) assess, report, and remediate the weaknesses; and (d) verify that they have been eliminated.
First Orion will perform periodic vulnerability assessments of production systems.
First Orion will conduct application penetration testing of all new applications prior to release into production, and of any applications that undergo major revisions.
First Orion will also conduct static code scanning of all new applications, code, or code changes. Static code vulnerability findings will be resolved prior to application or code release.
Source code shall be treated and classified as proprietary and its use shall be governed according to data classification policy, unless said code has been specifically classified otherwise. The Chief Technology Officer shall maintain coding standards utilized by First Orion. All employees or vendors working on source code must abide by these coding standards.
10.0 Logging and Audit Trails
First Orion maintains an audit trail on all network, security and other electronic devices, servers, and applications where technically feasible or required by law or policy. Audit and security logs are confidential business records and are treated as such. Whenever technically feasible, logs are to be encrypted or hashed at rest and in transit.
11.0 Identity, Password, and Access Management
First Orion networks require users to authenticate themselves using multi-factor authentication before access is allowed. All information processing systems and networks that employ passwords are configured to adhere to a set of minimum controls, including processes for changing passwords and enforcing password standards and change requirements. All systems and applications track login and audit information.
12.0 Network & Data Security
Limited Access to Network Services
In applying the principle of least privilege, First Orion allows users (or processes acting on behalf of users) only the authorized access necessary to accomplish their assigned tasks. Practices are implemented that establish effective authentication processes applicable to First Orion’s private networks. Furthermore, no mechanisms or facilities may be implemented or utilized that bypass established First Orion network access facilities.
Wireless Network Security
Employees may connect to First Orion wireless networks at work, or to public or private access points, to conduct official business. Any communication data transmitted (web, email, voice, or messaging) is to be encrypted during transport regardless of the wireless network’s encryption protocol or location.
First Orion designs and operates employee and guest wireless networks in accordance with our wireless network standards.
Bring-Your-Own-Device (BYOD) and Internet of Things (IoT)
Personal computer, mobile, BYOD, or IoT devices not owned and managed by First Orion are not allowed on the First Orion corporate network. Employee-owned personal devices, such as mobile phones, tablets, or laptop computers, are allowed on the First Orion guest wireless network subject to IT approval.
13.0 Anti-Malware Protection
All employees, service providers, vendors, subcontractors, and similar entities are required to have anti-malware protection on their computing devices that is sufficiently effective and up to date to provide protection to First Orion.
14.0 Physical Security
First Orion employees are responsible for the safety of the electronic equipment assigned to them. Workstations, laptops, tablets, and phones are secured according to the Security Policy. Certain designated software or hardware is not allowed on the First Orion network, workstations, servers, or mobile devices.
Employees must ensure that all Restricted or Sensitive information in hardcopy or electronic form is secure in their work area and is locked up when the workspace is unoccupied.
Printouts containing information classified other than Public should be immediately removed from the printer. All documents destined for disposal should be placed in the locked confidential disposal bins. Whiteboards containing Restricted and/or Sensitive information should be erased.
Doors that require badged access shall not be propped or held open at any time. Employees must badge in every time they pass through a controlled access point. Badge surfing, or following an authorized employee through a door they have badged open, is not allowed.
All non-First Orion employees accessing First Orion property shall be considered visitors. The First Orion employee hosting the visitor shall notify reception/front desk when a visitor is scheduled to be at a First Orion site. All visitors must register with reception. Visitors must provide valid, non-expired, government-issued identification, such as a driver’s license or passport. Visitors will be escorted at all times while within First Orion facilities, excluding designated restrooms and areas designated for visitors.
15.0 Backup & Disaster Recovery
First Orion solutions shall be documented, and the documentation, configuration files, and programs required for each solution must be backed up to allow for disaster recovery or rapid redeployment. Documentation and deployment plans are updated annually, or whenever a new deployment version is released.
Whenever possible, hosted systems or applications shall be distributed across multiple availability zones and/or regions to allow continuous business processing without a centralized point of failure. Systems or applications that are not distributed across multiple regions or availability zones, or that cannot tolerate a fault such as the loss of a region or processing center, shall have a documented business continuity plan and an assigned team that performs annual business continuity testing.
In the event of a disaster, a disaster incident team shall be formed to restore services. The team is led by a product manager, who is responsible for coordinating communication to the affected stakeholders.
16.0 Incident Management & Response
First Orion maintains various incident response teams. These teams consist of First Orion employees, vendors, and contractors tasked with investigating, containing, and managing incidents.
The Chief Security Officer is responsible for coordinating the investigation and leading the Incident Response Team, for notifying executive leadership and keeping it apprised of the status of the incident, and for notifying the appropriate authorities as required by law.
The Chief Security Officer, in conjunction with the Chief Privacy Officer, the Chief Legal Officer, and the public relations team, will coordinate disclosure and make any necessary announcements.
17.0 Data Disposal & Destruction
Printed material designated for disposal, regardless of data classification, is placed in the provided security shredding boxes and destroyed in accordance with NIST guidelines.
Physical computing hardware with attached storage media, such as workstations, laptops, servers, network routers, switches, and mobile devices, will first be “CLEARED”, “PURGED”, or “DESTROYED” according to NIST guidelines, based on the hardware’s intended use.
18.0 Vendor Selection and Management
All vendors, contractors, subcontractors, entities, companies, or individuals hired to process data, do work on behalf of First Orion, or access First Orion’s data, network, or facilities are subject to screening, which may exceed the screening usually performed on First Orion’s own new hires.
Vendors, contractors, and subcontractors must comply with First Orion’s Security Policy and maintain their own security policy that matches or exceeds First Orion’s Security Policy relative to the work performed.
19.0 Security Awareness & Training
The Chief Security Officer will conduct annual security and compliance awareness training in coordination with human resources. Employees are required to review and acknowledge they have read the latest security policy at the time of hire, and yearly thereafter for the duration of their employment.
The Chief Security Officer and/or executive management will communicate the Security Policy and any policy changes to employees and applicable contractors as needed to support the ISMS program.
20.0 Compliance and Exceptions
Failure to comply with the Security Policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including termination of employment or contracts.