OpenMarkets understands the important and critical nature of operating a secure infrastructure. We are in the business of fostering positive relationships between provider and supplier organizations, and we understand our success is built on a foundation of trust.
We strive to ensure that user data is kept securely, and that we collect only as much data as is required to provide our services to users in an efficient and effective manner. The statements within this document provide a deeper review of the OpenMarkets approach.
Security
OpenMarkets applies a tiered approach to securing its platform:
Application & User Security
Secure Data Transmission
All application transactions and user activity are performed over a channel encrypted with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This ensures that data in transit is protected and available only to the intended parties.
User Authentication and Authorization
Every user on the platform is provisioned a unique login identifier that corresponds to their organization. All user access to the application and its data is governed and restricted according to the user's role type and organization membership. Every login identifier is required to use a strong password that meets minimum complexity requirements, reducing the risk of account compromise. Passwords, along with other sensitive data, are stored in an encrypted manner using the latest available security algorithms.
Data Portability
OpenMarkets subscribers can export their data sets through the application in several pre-defined formats, e.g., CSV and PDF. The export is managed and controlled as a two-step process: the document is first produced in a form verified to be free of viruses, and is then delivered over a secure data channel.
Infrastructure
Data Center and Accreditations
OpenMarkets' physical infrastructure is hosted and managed within current cloud-based data centers. Our service providers continually manage risk and undergo recurring assessments to ensure compliance with industry standards. Our service providers have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Data Center Surveillance
Our data centers are staffed and monitored 24 hours a day, 7 days a week, all year round. All physical access to facilities is secured by trained security guards, auditable visitation logs and entry requirements such as verifiable identification materials and biometric controls. All aspects of the facilities and infrastructure are monitored, including environmental variables that are critical to reliable data center operation, i.e., controlled temperature and smoke/fire detection.
Fault Tolerance & High Availability
OpenMarkets' architecture has been designed to utilize the latest cloud-based technology to greatly reduce the risk of unplanned outages to the infrastructure. Fully redundant network devices and connectivity points are built in throughout the architecture, e.g., firewalls, routers, servers, power supplies, connectivity to the storage area network (SAN) and wide-area network Internet connectivity. Additionally, our service providers have contracted arrangements in place to draw power from multiple backup sources, including batteries, large diesel generators and substations.
Network Security Protection
To protect all Clients and their users, and to maximize productivity through high availability, OpenMarkets takes several proactive measures to protect the integrity of the network:
Distributed Denial of Service (DDoS) Mitigation
Our infrastructure provides DDoS mitigation techniques, including TCP SYN cookies and connection rate limiting, and maintains multiple backbone connections with internal bandwidth capacity that exceeds the bandwidth supplied by our Internet carriers. We work closely with our providers to respond quickly to events and to enable advanced DDoS mitigation controls when needed.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented at the infrastructure level, including by the hypervisor, which will not deliver traffic to an interface it is not addressed to. OpenMarkets further utilizes application isolation, operating system restrictions, and encrypted connections to ensure risk is mitigated at every layer.
Port Scanning
Port scanning is prohibited, and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and the source's access is blocked.
Operational
Monitoring Services
The uptime of mission-critical services is continually monitored by contracted service providers with documented escalation procedures within OpenMarkets in the event of an unplanned outage.
Proactive Security Scans
Third party security testing of the application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.
Environment Segregation
OpenMarkets clients and environments are segregated across separate Development, Test, Demonstration and Production environments. This ensures that the maximum level of testing can be performed without disrupting the Production environment.
Backups
Backups of the database occur hourly and are securely replicated to a centralized backup storage location within our data center service provider's network. Our restore procedures are tested, so the restore workflow is predictable should a restore be needed in the Production environment.
Application Development
OpenMarkets has adopted OWASP Top 10 defensive coding techniques and controls to reduce the threat of malicious attacks on our Clients' managed infrastructure and software, such as SQL injection, cross-site scripting, and cross-site request forgery.
Privacy and Compliance
OpenMarkets' operational security efforts are led by a named Privacy & Compliance Officer who oversees all escalated matters and ensures timely resolution of reported incidents.