Security Q & A

OperationsCommander (OPS-COM) is a cloud-based parking and security management platform that has been developed in-house for over 15 years.

Tomahawk Technologies Inc., the owner of OperationsCommander, is committed to maintaining a high level of information security. Its key priority is protecting customer information and carefully maintaining the information security of OPS-COM. OPS-COM is PCI SAQ D-SP 3.2.1 certified and is audited quarterly by a third party to maintain this certification. We are also currently TxRMP level 2 certified and are seeking our SOC 2 compliance.

Risk analysis forms the foundation of our security program. Risk assessments are periodically performed, and security is regularly discussed during weekly team meetings. Our security processes, roles, and responsibilities are clear and well-defined. All staff know our responsibilities and obligations when protecting our client’s data. OPS-COM is developed and maintained by inspired, skilled personnel who are committed to maintaining a high level of online security. OPS-COM has been designed to meet customers’ strict security requirements and industry best practices.

OPS-COM has a solid and secure foundation that is based on widely used security methods and protocols. It has been designed to protect data both in transit and at rest to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.

Operation and maintenance of OPS-COM follow documented processes. Continuous monitoring of information security and system performance ensures that trained and competent personnel can respond to all deviations and incidents in a timely manner in accordance with the incident response process.

Tomahawk Technologies Inc is a proudly Canadian company serving the North American market.

Category: Security

No

Category: Security

OperationsCommander implements single sign-on (SSO) for authentication into the application when requested. SSO is implemented with standard client/server technology. Supported SSO technology: SAML, LDAP, custom as scoped and developed for

Category: Security

Yes

Category: Security

OperationsCommander has ensured redundancy strategies for equipment, systems, and processes to meet availability requirements, including redundancy in network components, production resources, supporting utilities, service providers, and processing sites.

Redundancy and high availability are implemented through our hosting provider; Digital Ocean.

Category: Security

We chose DigitalOcean as our preferred provider due to their knowledge and experience in providing world-class, redundant systems. The data centers we utilize must meet stringent requirements, including:

• Security Compliance: SOC-II certification ensures rigorous data security protocols and regular audits.
• Redundancy: Data centers must provide multiple layers of redundancy for power, network connectivity, and hardware to prevent single points of failure.
• Global Availability: Our provider operates globally distributed network operations centers, allowing for regional failover and optimized performance based on geographic proximity to users.
• Environmental Controls: Facilities must have advanced climate control and fire suppression systems to protect equipment and ensure operational stability.
• 24/7 Monitoring: Continuous monitoring by highly trained teams ensures rapid identification and response to potential issues.
• Scalability: The data centers must offer scalable infrastructure to accommodate our growth, enabling us to add capacity as our business demands increase.

These criteria ensure our systems remain secure, reliable, and prepared for operational demands.

Category: Security

OperationsCommander has internal controls in place to audit the security configuration of AWS or SaaS hosted applications. Anti-virus software, HostMonitor software, Status screens (dedicated TV’s with system status dashboard information for system administrators), Database transaction logs, IIS logs, Windows logs, Payment logs. In addition, OperationsCommander engages with a third-party to conduct quarterly vulnerability scans of the production environment, and reviews findings to create and implement remediation plans.

Category: Security

No

Category: Security

The company has documented baseline security configuration standards for all system components in accordance with industry-accepted system hardening standards or vendor hardening recommendations. System hardening is based on our policy System Lockdown Policy. This policy is designed to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities. Physical firewall hardware is utilized to limit network/system access

These standards are updated as needed when vulnerabilities are identified.

Category: Security

Yes

Category: Security

The Asset Management Policy outlines processes for system hardening and capacity management. The Change Management Policy also mentions using tools to standardize and automate configuration management.

Category: Security

Yes, OperationsCommander safeguards against viruses and malicious code through various measures. Anti-malware software is installed and enabled on all systems to detect and remove malware. Access to disable or alter anti-malware mechanisms is restricted. All anti-virus mechanisms generate audit logs which are retained.

Category: Security

No

Category: Security

OperationsCommander has infrastructure logging configured to monitor web traffic and suspicious activity, and alerts are automatically created and sent to appropriate personnel when anomalous traffic is detected. There are documented policies and procedures for logging and log monitoring that describe the events to log, systems to monitor, information to capture, and logging infrastructure configuration.

Category: Security

Yes

Category: Security

Yes

Category: Security

Yes

Category: Security

Yes

Category: Security

High availability is achieved through our hosting provider.

We are utilizing different strategies, including:
– a database cluster with failover master/slave architecture
– hosted app platform that scales and self-heals to meet demand

Category: Security

OperationsCommander has network segmentation controls in place to isolate the production environment from other environments like development, testing, and corporate networks. The production network is logically separated using unique identifiers and access controls at different layers. Penetration testing is also performed periodically to validate the segmentation controls.

There are completely different servers, code, and databases. Testing/quality (QA) and development (dev) servers are also located in a different physical location. Non-production servers (preview, QA, and dev) are also sandboxed as to not allow database connections to production systems, emails are blocked from being sent out, etc. No matter what is done in a non-production system, the production systems won’t be affected.

Category: Security

Vulnerabilities are identified through quarterly vulnerability scans conducted by a third-party. High risk and critical vulnerabilities are addressed immediately, while other vulnerabilities are addressed based on the company’s risk evaluation. The company also has a responsible disclosure program to receive vulnerability reports from external parties.

Category: Security

Critical or high-security patches/updates are installed within one month of release, and all other applicable security patches/updates are installed within the timeframe established by the company’s risk analysis and policies. The patching protocol for back-end infrastructure follows a formal patch management process implemented by OperationsCommander.

Category: Security

System and Operating System:
– Software (Bitdefender GravityZone) monitors available system patches. The software reports software as well as operating system updates which are available.
– On a regular basis firewall and network devices are updated with new firmware.
– All server/system updates are tracked using logging tools.
– Patches are rolled to staging systems when possible to reduce system failure risks.

Software releases:
– OperationsCommander maintains several systems including development, testing/preview, and production
– Development systems exist for development
– Testing/staging/preview systems exist to allow for testing of new patches and software updates
– Testing/staging/preview systems also exist for testing and training to avoid these actions on production systems
– Software is rolled to production with messages and release notes to clients about the updates

Weekly, most updates are done automatically (such as OS). In some cases where additional testing and precautions are required before an update, the patch maybe delayed by a few days.

Category: Security

System administrator and senior developers have access and they authenticate through VPNs using Microsoft Active Directory accounts with proper permissions. Passwords are managed through BitWarden. All access, including administrative accounts, is controlled and logged (i.e. firewalls, file system permissions, ACLs, database table permissions, packet logs, etc.)

Category: Security

System availability is monitored with monitoring software. Logs are monitored for errors and anomalies. All technical staff are notified of any outages, 24/7. Clients are notified of outages if they are not rectified within 1 hour. The company communicates system changes to customers that may affect security, availability, processing integrity, or confidentiality.

Category: Security

Yes

Category: Security

Yes, there is a pseudo mobile application that can access client data. However, the application is built on a framework called Ionic and is used as the interface for data on the web.

Web testing will also test the “mobile” version of the app since it is a single codebase.

Category: Security

Yes

Category: Security

The client always owns their database of information on the system. We will provide a raw data dump in a SQL file format (or zip archive) for the client to use as required. There are service fees for creating and providing the data file. We will not provide the architecture or road map of the data since that is considered proprietary information.

Category: Security

The acceptable data transmission methods to allow client data to be uploaded to the OPS-COM system are strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks, and enabling TLS whenever cardholder data is transmitted or received. Any traffic uploaded or downloaded to the service would be encrypted with Transport Layer Security (TLS). eg. HTTPS (web/API) SFTP (secure FTP). Generally data will use one of these protocols. In some cases data will pass been SQL servers using encryption (utilizing TLS).

Category: Security

No

Category: Security

OPS-COM has the ability to set up permissions for all roles. The Super User, (usually the department head) sets permissions for all levels. For example; counter staff could have permission to add/edit payments but not edit site configuration. A patrol officer could enter violations but not edit violation types. All permissions are set using the Edit Admin Users menu. This edit window is only accessible to the Super User and any others that the Super User grants “Edit Admin Users” permission to.

Other permissions that are part of the table is the ability to limit where a user can log in from. IP restrictions can be implemented to a single computer, area, the whole site or completely open. The Super User can grant the ability to work from offsite locations. i.e., work from home or limited to a single area within a location. Multiple IP addresses can be specified.

There are in excess of 75 permissions that can be set to fine tune any role. When the permissions are assigned, the assignee will only see what they can do. They will not be aware of restricted permissions.

Category: Security

Customer data is logically separated at the database/datastore level using a unique identifier for each customer. The separation is enforced at the API layer where the client must authenticate with their account, and the customer’s unique identifier is included in the access token to restrict data access.

Category: Security

The client is considered the owner of their data stored in vendor or third-party data centers. According to the Vendor Management Policy, client confidential data under the control of a vendor remains the property of OperationsCommander’s client.

Category: Security

Yes

Category: Security

The Access Control policy states that OperationsCommander has designated entities to monitor and control data access. Technical support personnel who require access to support clients or require access to perform job duties and responsibilities have access to client data. This may include programmers, system administrators, and client support staff. System administrators determine who requires such access based on aforementioned requirements.

We log our access to client data when we do either testing (upcoming releases for new functionality) or for support reasons.

Category: Security

Yes

Category: Security

OperationsCommander has a comprehensive backup and recovery process for data protection. Customer data is backed up automatically to a separate region on a regular basis, and the backups are encrypted. Source code is also backed up regularly to a cloud provider account. Backup failures trigger alerts to the Security Officer.

Category: Security

Yes, data is protected at rest and in motion. OperationsCommander uses strong encryption and security protocols to protect data at rest on encrypted volumes and during transmission over public networks. For data in motion: all transfers are logged; all transfers are encrypted, for data at rest, it is secured using Column level encryption within the database with a minimum 128-bit encryption in all areas.

Category: Security

OperationsCommander protects user authentication information through various measures. User identity is verified before allowing changes to authentication factors. Strong encryption is used to render authentication credentials unreadable during transmission and storage. Multi-factor authentication is required for employee users and optional for external users. Client files can be accessed by system administrators and senior developer’s only, and only on an as-required basis. All access is logged.

Category: Security

OperationsCommander maintains a documented description of the cryptographic architecture in place, including details of all algorithms, protocols, and keys used for the protection of stored account data. The cryptographic architecture description covers key strength and expiry dates, preventing the use of the same cryptographic keys in production and test environments, description of key usage, and an inventory of hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices used for key management.

Category: Security

Yes

Category: Security

Yes

Category: Security

No

Category: Security

Yes

Category: Security

Yes

Category: Security

Yes

Category: Security

OperationsCommander has defined and documented an Information Security Policy and other topic-specific policies to support the functioning of internal controls. The policies cover areas such as roles and responsibilities, security planning, system and communication protection, and personnel security.

Category: Security

Yes

Category: Security

OperationsCommander has a documented change control process. This includes requirements for managing changes across the organization, testing updates for compliance, documenting back-out procedures, and using a system development life cycle that incorporates security considerations.

Category: Security

OperationsCommander has an incident response team that is responsible for responding to security incidents involving confidentiality, integrity, and availability. Our development/technical staff have been working with the software application and servers for many years. Currently we employ:

– 2 senior developers with application and system knowledge
– 2 junior developers with limited application and system knowledge
– 1 system administrator with advanced knowledge in regard to setup, firewall, web server, SQL, and VM platforms

All developers and system administrators are required to participate in our security awareness program.

Category: Security

In the event of a breach or data security incident, OperationsCommander has defined procedures to respond, recover, resume, and restore operations. The incident response plan outlines steps for incident monitoring, reporting, handling, and incorporating lessons learned.

Category: Security

No

Category: Security

Yes

Category: Security

New versions of OPS-COM and critical hot fixes are released as warranted. The upgrades are performed by OPS-COM personnel and are designed to be non-disruptive to customers and service availability.

Category: Security

Yes, OperationsCommander follows secure coding practices and security tests applications during the development lifecycle. Applications are developed based on secure coding guidelines like OWASP Top 10 and undergo static and dynamic code analysis, peer code reviews, web application vulnerability testing and penetration testing before release.

Category: Security

OperationsCommander maintains a publicly available Privacy Policy (https://operationscommander.com/privacy-policy/) that details the company’s confidentiality and privacy commitments. You can also review our Terms of service here: https://operationscommander.com/terms-of-service/

Category: Security

Yes

Category: Security

OperationsCommander recognizes that our users may user various Internet Browsers when working with our system. We aim for all visitors to have the best possible experience while using OPS-COM, however, we do recognize that it is impossible to develop applications that work identically, efficiently and effectively on all web browsers. We make best efforts to support the latest versions of:
– Internet Explorer
– Microsoft Edge
– Safari
– Chrome
– Firefox

Category: Security