oak9 Security Best Practices
oak9’s structure allows your team to work faster, never at the expense of comprehensive security. Maintaining industry security best practices is a commitment every member of the oak9 team makes. In addition, a dedicated security team is readily available to manage and respond to incidents.
The oak9 program draws from the most prominent organizations, frameworks, and standards to keep your organization continuously secure:
- NIST SP 800-53 Rev. 4
- NIST SP 800-63 Rev. 3
- NIST Cyber Security Framework
- OWASP Top Ten
- Critical Security Controls (CIS Controls)
- CIS Benchmarks
- Microsoft Azure Security Best Practices and Patterns
- AWS Well-Architected Framework
The most critical piece of information security is the people behind it. That is why oak9’s security best practices are designed with the success of our team in mind. The more successful our team is, the better we serve you.
Culture: We show up every day to challenge ourselves and each other to make IaC security better. Information security policies are taken seriously and with pride.
Training: Regular security practices, privacy awareness, and change management training are an unwavering commitment.
Access: oak9 uses the principles of least-privilege and role-based access control to manage access to systems and information.
Reporting: All personnel are required to report suspicious events, which are then responded to by oak9’s dedicated Security Team. Internal violations of security policies are thoroughly investigated and the responsible parties are subject to disciplinary action.
Regular testing and assessment by third parties ensure that security best practices are being followed both in our platform and across all organizational processes. Security considerations are integrated at multiple levels:
Change Management: Code and infrastructure changes are performed and tracked via GitHub. Automated controls enforce multi-person reviews before changes are deployed.
Risk-based decisions: Confidentiality, integrity, and availability requirements are the decision-making criteria for the selection and application of security controls, based on system and information classification. Classification is performed according to the risk each poses if compromised or exposed.
Data center security: oak9 infrastructure and data are hosted exclusively in US-based Microsoft Azure and Amazon Web Services data centers.
AWS’ reliability enhances the resilience of oak9. The following protocols safeguard against downtime and data loss:
Multiple data centers: Critical systems are designed to be fault-tolerant. They exist across multiple data centers, minimizing the risk of downtime.
Backups: Data is continuously backed up to multiple regions/availability zones to minimize the chance of data loss.
Infrastructure as code: Our AWS production environment is defined using Infrastructure as Code (IaC) so we can rapidly stand up a new instance in any zone or region.
Disaster Recovery Testing: Regular testing of disaster recovery and business continuity plans ensures that, in the event of a disaster, we are able to quickly recover and resume operations.
3rd-Party Vendor Security
Our third-party vendors undergo a comprehensive assessment by oak9 to ensure that security, privacy, and compliance requirements are met:
Before onboarding: Security assessments of potential vendors are performed prior to allowing access to oak9 data or systems.
Contracting: Obligations to ensure the security and privacy of oak9 resources are included in all third-party vendor contracts.
Reviews: Periodic reviews are conducted to validate that oak9’s requirements are continuously being met.
oak9 collects and stores only the minimum necessary information from customers that enables us to deliver the oak9 platform.
Industry security best practices, along with applicable statutory and regulatory requirements, are strictly adhered to. Using the oak9 platform, we continuously assess ourselves against all the compliance frameworks that we support, including NIST 800-53 r4, HITRUST, GDPR, CCPA, HIPAA/HITECH, and PCI-DSS.