oak9 Security Best Practices

Overview

oak9’s structure allows your team to work faster; never for the sake of comprehensive security. Maintaining industry security best practices is the commitment every member of the oak9 team makes. In addition, a dedicated security team is readily available to manage and respond to incidents.

The oak9 program draws from the most prominent organizations, frameworks, and standards to keep your organization continuously secure:

• NIST SP 800-53 Rev. 4
• NIST SP 800-63 Rev. 3
• NIST Cyber Security Framework
• OWASP Top Ten
• Critical Security Controls (CIS Controls)
• CIS Benchmarks
• Microsoft Azure Security Best Practices and Patterns
• AWS Well-Architected Framework

The Team

The most critical piece of information security is the people behind it. That is why oak9’s security best practices are designed with the success of our team in mind. The more successful our team is, the better we serve you.

Culture: We show up every day to challenge ourselves and each other to make IaC security better. Information security policies are taken seriously and with pride.

Training: Regular security practices, privacy awareness, and change management training are an unwavering commitment.

Access: oak9 uses the principles of least-privilege and role-based access control to manage access to systems and information.

Reporting: All personnel are required to report suspicious events, which are then responded to by oak9’s dedicated Security Team. Internal violations of security policies are thoroughly investigated and the responsible parties are subject to disciplinary action.

Platform Testing

Regular testing and assessment by 3rd parties ensure security best practices are being followed in both our platform and across all organizational processes. Security considerations are integrated on a multi-faceted level:

Change Management: Code and infrastructure changes are performed and tracked via GitHub. Automated controls enforce multi-person reviews before changes are deployed.

Risk-based decisions: Confidentiality, integrity, and availability requirements are the decision-making criteria for the selection and application of security controls, based on system and information classification. Classification is performed according to the risk each poses if compromised or exposed.

Data center security: oak9 infrastructure and data are hosted exclusively in US-based Microsoft Azure and Amazon Web Services data centers.

Disaster Planning

AWS’ reliability enhances the resilience of oak9. The following protocols safeguard against downtime and data loss:

Multiple data centers: Critical systems are designed to be fault-tolerant. They exist across multiple data centers, minimizing the risk of downtime.

Backups: Data is dynamically backed into multiple regions/availability zones to minimize the chance of data loss.

Infrastructure as code: Our AWS production environment is defined using Infrastructure as Code (IaC) so we can rapidly stand up a new instance in any zone or region.

Disaster Recovery Testing: Regular testing of disaster recovery and business continuity plans ensure that in the event of a disaster, we are able to quickly recover and resume operations.