Question 1

Executive Summary of security measures

Accepted Answer

OperationsCommander (OPS-COM) is a cloud-based parking and security management platform that has been developed in-house for over 15 years.

Tomahawk Technologies Inc., the owner of OperationsCommander, is committed to maintaining a high level of information security. Its key priority is protecting customer information and carefully maintaining the information security of OPS-COM. OPS-COM is PCI SAQ D-SP 3.2.1 certified and is audited quarterly by a third party to maintain this certification. We are also currently TxRMP level 2 certified and are seeking our SOC 2 compliance.

Risk analysis forms the foundation of our security program. Risk assessments are periodically performed, and security is regularly discussed during weekly team meetings. Our security processes, roles, and responsibilities are clear and well-defined. All staff know our responsibilities and obligations when protecting our client’s data. OPS-COM is developed and maintained by inspired, skilled personnel who are committed to maintaining a high level of online security. OPS-COM has been designed to meet customers’ strict security requirements and industry best practices.

OPS-COM has a solid and secure foundation that is based on widely used security methods and protocols. It has been designed to protect data both in transit and at rest to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.

Operation and maintenance of OPS-COM follow documented processes. Continuous monitoring of information security and system performance ensures that trained and competent personnel can respond to all deviations and incidents in a timely manner in accordance with the incident response process.

Tomahawk Technologies Inc is a proudly Canadian company serving the North American market.

Category: Security

Question 2

Does your system require access to direct LDAP access for SSO in a hosted environment?

Accepted Answer

No

Question 3

Please describe how SSO is implemented in your solution.

Accepted Answer

OperationsCommander implements single sign-on (SSO) for authentication into the application when requested. SSO is implemented with standard client/server technology.  Supported SSO technology: SAML, LDAP, custom as scoped and developed for

Question 4

Can the system be setup in multiple Data centers to support HA?

Accepted Answer

Yes

Question 5

What redundancy and availability does the data center provide?

Accepted Answer

OperationsCommander has ensured redundancy strategies for equipment, systems, and processes to meet availability requirements, including redundancy in network components, production resources, supporting utilities, service providers, and processing sites.

Redundancy and high availability are implemented through our hosting provider; Digital Ocean.

Category: Security

Question 6

What are the requirements for the data center?

Accepted Answer

We chose DigitalOcean as our preferred provider due to their knowledge and experience in providing world-class, redundant systems. The data centers we utilize must meet stringent requirements, including:     Security Compliance: SOC-II certification ensures rigorous data security protocols and regular audits.    Redundancy: Data centers must provide multiple layers of redundancy for power, network connectivity, and hardware to prevent single points of failure.    Global Availability: Our provider operates globally distributed network operations centers, allowing for regional failover and optimized performance based on geographic proximity to users.    Environmental Controls: Facilities must have advanced climate control and fire suppression systems to protect equipment and ensure operational stability.    24/7 Monitoring: Continuous monitoring by highly trained teams ensures rapid identification and response to potential issues.    Scalability: The data centers must offer scalable infrastructure to accommodate our growth, enabling us to add capacity as our business demands increase.     These criteria ensure our systems remain secure, reliable, and prepared for operational demands.

Question 7

What internal controls do you currently have in place to audit the security configuration of any AWS or SaaS hosted applications – e.g. secure storage and database instances

Accepted Answer

OperationsCommander has internal controls in place to audit the security configuration of AWS or SaaS hosted applications. Anti-virus software, HostMonitor software, Status screens (dedicated TV's with system status dashboard information for system administrators), Database transaction logs, IIS logs, Windows logs, Payment logs.  In addition, OperationsCommander engages with a third-party to conduct quarterly vulnerability scans of the production environment, and reviews findings to create and implement remediation plans.

Question 8

Do you have a completed Shared Assessments full SIG questionnaire? Have you undergone a SAS 70 or SSAE 16 audit?

Accepted Answer

No

Question 9

What are you currently performing in terms of build hardening?

Accepted Answer

The company has documented baseline security configuration standards for all system components in accordance with industry-accepted system hardening standards or vendor hardening recommendations. System hardening is based on our policy System Lockdown Policy. This policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities. Physical firewall hardware is utilized to limit network/system access    These standards are updated as needed when vulnerabilities are identified.

Question 10

Is wireless networking used in your organization

Accepted Answer

Yes

Question 11

What are your capacity management practices?

Accepted Answer

The Asset Management Policy outlines processes for system hardening and capacity management. The Change Management Policy also mentions using tools to standardize and automate configuration management.

Question 12

How do you safeguard against virus and malicious code?

Accepted Answer

Yes, OperationsCommander safeguards against viruses and malicious code through various measures. Anti-malware software is installed and enabled on all systems to detect and remove malware. Access to disable or alter anti-malware mechanisms is restricted. All anti-virus mechanisms generate audit logs which are retained.

Question 13

Are systems that support this service managed via a separate management network?

Accepted Answer

No

Question 14

How are system/network monitoring, logging and alerting setup?

Accepted Answer

OperationsCommander has infrastructure logging configured to monitor web traffic and suspicious activity, and alerts are automatically created and sent to appropriate personnel when anomalous traffic is detected. There are documented policies and procedures for logging and log monitoring that describe the events to log, systems to monitor, information to capture, and logging infrastructure configuration.

Question 15

Do you have a documented policy for firewall change requests?

Accepted Answer

Yes

Question 16

Do you monitor for intrusions on a 24x7x365 basis?

Accepted Answer

Yes

Question 17

Are you utilizing a web application firewall (WAF) and/or a stateful packet inspection (SPI) firewall?

Accepted Answer

Yes

Question 18

Do you have a vulnerability management and penetration testing program?

Accepted Answer

Yes

Question 19

Describe your systems High Availability features

Accepted Answer

High availability is achieved through our hosting provider.      We are utilizing different strategies, including:  - a database cluster with failover master/slave architecture  - hosted app platform that scales and self-heals to meet demand

Question 20

How is your production network segmented from your corporate, QA, and development environments?

Accepted Answer

OperationsCommander has network segmentation controls in place to isolate the production environment from other environments like development, testing, and corporate networks. The production network is logically separated using unique identifiers and access controls at different layers. Penetration testing is also performed periodically to validate the segmentation controls.    There are completely different servers, code, and databases. Testing/quality (QA) and development (dev) servers are also located in a different physical location. Non-production servers (preview, QA, and dev) are also sandboxed as to not allow database connections to production systems, emails are blocked from being sent out, etc. No matter what is done in a non-production system, the production systems won't be affected.

Question 21

Describe your vulnerability management and notification process.

Accepted Answer

Vulnerabilities are identified through quarterly vulnerability scans conducted by a third-party. High risk and critical vulnerabilities are addressed immediately, while other vulnerabilities are addressed based on the company's risk evaluation. The company also has a responsible disclosure program to receive vulnerability reports from external parties.

Question 22

What is the patching protocol for back-end infrastructure? How often are critical hotfixes to server OS, database and other components installed?

Accepted Answer

Critical or high-security patches/updates are installed within one month of release, and all other applicable security patches/updates are installed within the timeframe established by the company's risk analysis and policies. The patching protocol for back-end infrastructure follows a formal patch management process implemented by OperationsCommander.

Question 23

What is your patch management process?

Accepted Answer

System and Operating System:  - Software (Bitdefender GravityZone) monitors available system patches. The software reports software as well as operating system updates which are available.  - On a regular basis firewall and network devices are updated with new firmware.  - All server/system updates are tracked using logging tools.  - Patches are rolled to staging systems when possible to reduce system failure risks.    Software releases:  - OperationsCommander maintains several systems including development, testing/preview, and production          - Development systems exist for development          - Testing/staging/preview systems exist to allow for testing of new patches and software updates          - Testing/staging/preview systems also exist for testing and training to avoid these actions on production systems          - Software is rolled to production with messages and release notes to clients about the updates    Weekly, most updates are done automatically (such as OS). In some cases where additional testing and precautions are required before an update, the patch maybe delayed by a few days.

Question 24

Who has access to these systems and how do they authenticate

Accepted Answer

System administrator and senior developers have access and they authenticate through VPNs using Microsoft Active Directory accounts with proper permissions. Passwords are managed through BitWarden. All access, including administrative accounts, is controlled and logged (i.e. firewalls, file system permissions, ACLs, database table permissions, packet logs, etc.)

Question 25

What is your system availability notification process?

Accepted Answer

System availability is monitored with monitoring software. Logs are monitored for errors and anomalies. All technical staff are notified of any outages, 24/7. Clients are notified of outages if they are not rectified within 1 hour. The company communicates system changes to customers that may affect security, availability, processing integrity, or confidentiality.

Question 26

Are audit logs available that include AT LEAST all of the following; login, logout, actions performed, and source IP address?

Accepted Answer

Yes

Question 27

Does the Vendor have a mobile application that can access the clients data/application? If so, please describe how the mobile application code is validated for security risks?

Accepted Answer

Yes, there is a pseudo mobile application that can access client data. However, the application is built on a framework called Ionic and is used as the interface for data on the web.    Web testing will also test the 'mobile' version of the app since it is a single codebase.

Question 28

Does the system provide data input validation and error messages?

Accepted Answer

Yes

Question 29

In what format will clients be provided their data if they are leaving OPS-COM?

Accepted Answer

The client always owns their database of information on the system. We will provide a raw data dump in a SQL file format (or zip archive) for the client to use as required. There are service fees for creating and providing the data file. We will not provide the architecture or road map of the data since that is considered proprietary information.

Question 30

What are the acceptable data transmission methods to allow client data to be uploaded to the OPS-COM system?

Accepted Answer

The acceptable data transmission methods to allow client data to be uploaded to the OPS-COM system are strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks, and enabling TLS whenever cardholder data is transmitted or received. Any traffic uploaded or downloaded to the service would be encrypted with Transport Layer Security (TLS). eg. HTTPS (web/API) SFTP (secure FTP). Generally data will use one of these protocols. In some cases data will pass been SQL servers using encryption (utilizing TLS).

Question 31

Do you ever use client data for analysis? Is client data ever shared with 3rd parties?

Accepted Answer

No

Question 32

Describe the permissions granted to each role in your application/system?

Accepted Answer

OPS-COM has the ability to set up permissions for all roles. The Super User, (usually the department head) sets permissions for all levels. For example; counter staff could have permission to add/edit payments but not edit site configuration. A patrol officer could enter violations but not edit violation types.  All permissions are set using the Edit Admin Users menu. This edit window is only accessible to the Super User and any others that the Super User grants 'Edit Admin Users' permission to.    Other permissions that are part of the table is the ability to limit where a user can log in from. IP restrictions can be implemented to a single computer, area, the whole site or completely open. The Super User can grant the ability to work from offsite locations. i.e., work from home or limited to a single area within a location. Multiple IP addresses can be specified.    There are in excess of 75 permissions that can be set to fine tune any role. When the permissions are assigned, the assignee will only see what they can do. They will not be aware of restricted permissions.

Question 33

How do you segment and isolate our customer instance and data from other customer data?

Accepted Answer

Customer data is logically separated at the database/datastore level using a unique identifier for each customer. The separation is enforced at the API layer where the client must authenticate with their account, and the customer's unique identifier is included in the access token to restrict data access.

Question 34

Who is considered the owner of client data stored in vendor or third-party Data centres?

Accepted Answer

The client is considered the owner of their data stored in vendor or third-party data centers. According to the Vendor Management Policy, client confidential data under the control of a vendor remains the property of OperationsCommander's client.

Question 35

Can employees access customer data remotely?

Accepted Answer

Yes

Question 36

Who has access to your data and who approves this access and are we notified?

Accepted Answer

The Access Control policy states that OperationsCommander has designated entities to monitor and control data access.  Technical support personnel who require access to support clients or require access to perform job duties and responsibilities have access to client data. This may include programmers, system administrators, and client support staff. System administrators determine who requires such access based on aforementioned requirements.     We log our access to client data when we do either testing (upcoming releases for new functionality) or for support reasons.

Question 37

Do backups containing institution data ever leave the institution's Data Zone, either physically or via network routing?

Accepted Answer

Yes

Question 38

How is data backed up, stored and protected?

Accepted Answer

OperationsCommander has a comprehensive backup and recovery process for data protection. Customer data is backed up automatically to a separate region on a regular basis, and the backups are encrypted. Source code is also backed up regularly to a cloud provider account. Backup failures trigger alerts to the Security Officer.

Question 39

Is Data protected /"at rest/" and /"in motion/"?

Accepted Answer

Yes, data is protected at rest and in motion. OperationsCommander uses strong encryption and security protocols to protect data at rest on encrypted volumes and during transmission over public networks.  For data in motion: all transfers are logged; all transfers are encrypted, for data at rest, it is secured using Column level encryption within the database with a minimum 128-bit encryption in all areas.

Question 40

How do you protect user authentication information?

Accepted Answer

OperationsCommander protects user authentication information through various measures. User identity is verified before allowing changes to authentication factors. Strong encryption is used to render authentication credentials unreadable during transmission and storage. Multi-factor authentication is required for employee users and optional for external users.  Client files can be accessed by system administrators and senior developer's only, and only on an as-required basis.  All access is logged.

Question 41

Describe your application's architecture and tiered design

Accepted Answer

OperationsCommander maintains a documented description of the cryptographic architecture in place, including details of all algorithms, protocols, and keys used for the protection of stored account data. The cryptographic architecture description covers key strength and expiry dates, preventing the use of the same cryptographic keys in production and test environments, description of key usage, and an inventory of hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices used for key management.

Question 42

Does your organization conduct an annual test of relocating to an alternate site for business recovery purposes?

Accepted Answer

Yes

Question 43

Do you have a disaster recovery process?

Accepted Answer

Yes

Question 44

Have you undergone a SSAE 18 audit?

Accepted Answer

No

Question 45

Do you have an assessment on file with the Higher Education Community Vendor Assessment Tool (HECVAT)?

Accepted Answer

Yes

Question 46

Are you PCI compliant?

Accepted Answer

Yes

Question 47

Are you SOC 2 compliant?

Accepted Answer

Yes

Question 48

Describe your information security (INFOSEC) organizational structure and your policies.

Accepted Answer

OperationsCommander has defined and documented an Information Security Policy and other topic-specific policies to support the functioning of internal controls. The policies cover areas such as roles and responsibilities, security planning, system and communication protection, and personnel security.

Question 49

Does the Service Provider have formal written Information Security Policies?

Accepted Answer

Yes

Question 50

What is your change control process as it relates to OPS-COM?

Accepted Answer

OperationsCommander has a documented change control process. This includes requirements for managing changes across the organization, testing updates for compliance, documenting back-out procedures, and using a system development life cycle that incorporates security considerations.

Question 51

What are the qualifications of your incident response staff?

Accepted Answer

OperationsCommander has an incident response team that is responsible for responding to security incidents involving confidentiality, integrity, and availability. Our development/technical staff have been working with the software application and servers for many years.  Currently we employ:    - 2 senior developers with application and system knowledge  - 2 junior developers with limited application and system knowledge  - 1 system administrator with advanced knowledge in regard to setup, firewall, web server, SQL, and VM platforms    All developers and system administrators are required to participate in our security awareness program.

Question 52

What happens if there is a breach or a data security incident?

Accepted Answer

In the event of a breach or data security incident, OperationsCommander has defined procedures to respond, recover, resume, and restore operations. The incident response plan outlines steps for incident monitoring, reporting, handling, and incorporating lessons learned.

Question 53

Have you had a significant breach in the last 5 years?

Accepted Answer

No

Question 54

Are your systems and applications scanned for vulnerabilities [that are remediated] prior to new releases?

Accepted Answer

Yes

Question 55

How often are new versions of OPS-COM released? Who performs these upgrades? Are they disruptive to customers? Are they disruptive to the service availability?

Accepted Answer

New versions of OPS-COM and critical hot fixes are released as warranted. The upgrades are performed by OPS-COM personnel and are designed to be non-disruptive to customers and service availability.

Question 56

Describe your coding practices and how you security test your applications.

Accepted Answer

Yes, OperationsCommander follows secure coding practices and security tests applications during the development lifecycle. Applications are developed based on secure coding guidelines like OWASP Top 10 and undergo static and dynamic code analysis, peer code reviews, web application vulnerability testing and penetration testing before release.

Question 57

What is your Privacy Policy and how is it implemented?

Accepted Answer

OperationsCommander maintains a publicly available Privacy Policy (https://operationscommander.com/privacy-policy/) that details the company's confidentiality and privacy commitments.  You can also review our Terms of service here: https://operationscommander.com/terms-of-service/

Question 58

Is OPS-COM mobile friendly?

Accepted Answer

Yes

Question 59

What browsers are supported?

Accepted Answer

OperationsCommander recognizes that our users may user various Internet Browsers when working with our system. We aim for all visitors to have the best possible experience while using OPS-COM, however, we do recognize that it is impossible to develop applications that work identically, efficiently and effectively on all web browsers. We make best efforts to support the latest versions of:   - Internet Explorer  - Microsoft Edge  - Safari  - Chrome  - Firefox

Security Q & A

Executive Summary of security measures

Does your system require access to direct LDAP access for SSO in a hosted environment?

Please describe how SSO is implemented in your solution.

Can the system be setup in multiple Data centers to support HA?

What redundancy and availability does the data center provide?

Recent Posts

Industries We Serve

Security Q & A

Executive Summary of security measures

Does your system require access to direct LDAP access for SSO in a hosted environment?

Please describe how SSO is implemented in your solution.

Can the system be setup in multiple Data centers to support HA?

What redundancy and availability does the data center provide?

nav_menu

Recent Posts

Industries We Serve