OPTIZMO™ Security Incident Management Program
OPTIZMO’s Approach to Handling Security Incidents
OPTIZMO’s SaaS platforms are a highly secured environment and we treat security as a first-class concern within all of our products. We have a comprehensive set of security measures in place to ensure data integrity, availability and confidentiality of both customer data and systems. However, we recognize that even with best practices in place, public access systems are susceptible to security incidents and it is important to have procedures and practices in place to effectively handle such incidents if they occur. To this end, OPTIZMO has developed a mature approach for responding to security incidents that impact our infrastructure and services. We start with preparation by logging, monitoring and hardening our systems and putting processes in place to ensure OPTIZMO’s response is coordinated, effective and rehearsed.
We align our incident response process with the NIST SP 800-61 security incident handling guidelines. This provides a basis to ensure that each stage of our incident response process leverages industry best practices. The process is supported by our team of highly qualified incident management personnel, who have significant experience in coordinating an effective and efficient response to any security incident. We also have access to a wide range of external security experts to assist us in investigating and responding to any issue as quickly and effectively as possible.
Security Incident Definition
We define a security incident as any instance involving an existing or impending negative impact to the privacy, integrity or availability of our customers’ data, OPTIZMO’s data, or OPTIZMO’s services. Our incident response structure is based on our company’s continuous focus on the needs of our customers. We are dedicated to implementing industry-leading security best practices, so that our handling of potential security incidents is fully in line with the best interests of our customers and their continued use of OPTIZMO products and services. With that in mind, we have developed a robust incident response process that incorporates several features discussed below.
Incident Detection
We have a number of monitoring mechanisms in place to detect failures or other anomalies in the functioning of our products and infrastructure that may be an indicator of a potential security incident. These mechanisms alert us immediately upon detecting any activity that requires further investigation. We also have an aggregated log capture and analytics platform that stores and collates logs in a single location, giving our team the ability to investigate quickly and thoroughly. Our product and incident management teams also monitor the platform continuously to make sure it is always available. The systems generate alerts that notify our teams proactively in the event of any anomalous activity. Finally, we maintain external reporting channels that may also provide us with insights and awareness of any potential vulnerabilities or incidents.
Security Incident Management Framework
In order to ensure a consistent, repeatable and efficient incident response process, we have developed a clearly defined and structured internal framework that includes steps for our team to take at each stage of the incident response process. This process is documented and regularly updated to lay out each step we undertake to effectively respond to various types of security incidents.
At a high level, our response framework includes several key steps:
Incident detection and initial analysis – These are the steps we take following an initial notification of a potential incident, the first being to determine whether an actual security incident has occurred. If an incident notification is found to be accurate, further steps include understanding the attack vectors, scope of the system/data compromised, and the potential impact to OPTIZMO and its customers.
Incident Severity Evaluation – After an initial determination of what happened during the previous analysis steps, OPTIZMO uses that information to determine the severity of the security incident. We have designated four severity levels in alignment with our company-wide incident management processes that apply to a security incident:
| Severity | Description |
|---|---|
| Urgent | Urgent and critical level incident with maximum impact to customers and OPTIZMO systems |
| High | Incident with a high impact |
| Normal | Incident with a moderate impact |
| Low | Minor incident with low impact |
Our team leverages a variety of data points and indicators to determine the severity level of a security incident. The indicators vary based on the product/service involved, but always include consideration of the number of customers affected (up to a total service disruption), whether core platform functionality is impacted, and whether there has been an actual loss of data.
Containment, Issue Elimination, and Recovery – Taking the incident severity level into account, we determine the next steps needed to contain the damage from the incident, eliminate the underlying cause of the incident, and initiate the recovery process to return to normal business operation as fast as possible. The specific steps taken in this stage will vary significantly, depending on the nature and severity of the incident.
Customer Notification – We will communicate with our customers throughout the process, where communication would benefit our customers or as required by legal or contractual obligations. Our goal is to provide initial notification of a significant issue to customers within 72 hours after we become aware of an incident, or without any undue delay if a customer’s data is involved in an incident or breach. Initial notification may not include full details of the incident, but we will work to provide more detail as incident evaluation is carried out. We have aligned our customer notification policies with our GDPR obligations and responsibilities.
After-Incident Process Review – After any security incident is resolved, we evaluate how our process was implemented and determine what lessons can be learned from the entire situation. We then look for opportunities to develop new technical solutions, optimize our security incident processes, or implement new best practices into our process so that we can continue to provide our customers with the most effective and efficient security incident mitigation and resolution possible.
Incident Management Roles and Responsibilities
Any security incident we experience is managed by our internal incident management team, made up of members of our product and other technical teams. This team oversees the incident response process and allocates internal resources to best facilitate mitigation of the issues. In the case of an urgent or critical level incident, we bring an all-hands-on-deck approach to the response, calling in members of every internal OPTIZMO team to assist in the process.
External Security Experts
When warranted, we may engage with external security experts to assist us in the investigation of a security incident. We have access to a group of cybersecurity consultants and forensic experts for instances that require in-depth analysis or forensic holds for e-discovery in support of potential litigation.
Security Incident Management Tools
Our incident management team leverages a number of products and services to support our incident response process. These include, but are not limited to, the following:
Confluence – Our team uses Confluence as our source of knowledge to create, document and update our security incident response processes. It also helps ensure those processes are effectively communicated to our entire team and can be easily updated in response to lessons learned based on the documentation and analysis of incidents during our incident post-mortems.
Jira – OPTIZMO creates security incident tickets in Jira if and when incidents occur. This allows us to work these tickets into our standard agile development process and to kick off the initial investigation as well as manage the response workflow.
Slack – Communication during an incident response is crucial and we use dedicated channels to keep our entire security incident response team up-to-date on the latest developments. We also use SMS alerts to bring people online if the incident severity warrants a rapid, global response.
Modern development tooling – OPTIZMO’s development teams follow modern development practices:
- we use GitLab for source control, with peer review of every pull request,
- we create a comprehensive set of unit, integration and end-to-end tests,
- we use infrastructure as code,
- we maintain an automated continuous integration and deployment pipeline, and
- we use AWS as our cloud infrastructure provider.
These practices allow us to respond quickly and effectively to security incidents by facilitating the rapid and safe release of code-level or infrastructure-level patches.