
Security and Compliance

Introduction

Origence understands that the security of its client and consumer data is critical to the success of both Origence and its customers. As such, data security is important to Origence and is part of everything we do, including product design, software development, customer support, and system administration.

The overall information security program at Origence is built upon:

  • Industry best practices
  • Compliance with laws and regulations
  • Contractual requirements

 

Additionally, the Origence information security program is based on a multi-layered approach, whereby responsibility for information assurance is shared at multiple levels:

First level – Origence emphasizes security awareness training for both standard and administrative users. Additionally, security is made part of the software development lifecycle through secure coding training, established security guidelines, and additional code review. End users are responsible for abiding by established security policies, using the information systems in a manner that promotes security, and relaying risks and concerns to management.

Second level – Origence management is responsible for reviewing the Origence environment, evaluating the risks to the environment, and developing sound policies to help secure the environment. The Information Security department establishes and manages controls to protect data, systems, and infrastructure from threats by managing risks, enforcing policies, and responding to incidents, maintaining a strong security environment.

Third level – External auditors and other independent assurance providers help identify new and emerging risks and verify that established processes are followed.

 

Industry best practices

Origence has designed its security controls around industry standards and best practices. Such standards include the NIST Cybersecurity Framework, NIST 800-53, and those described by the Center for Internet Security. By aligning the information security program to these standards, the program delivers security throughout the data lifecycle today and continues to deliver security as technology evolves.

Standard control areas include:

  • Asset management
  • Vulnerability management
  • Access control
  • Configuration management
  • Event log management
  • Malware defense
  • Boundary defense
  • Data backup
  • Data encryption
  • Business continuity / disaster recovery
  • Incident response

 

Key elements of this best practice security program include:

  • 24 x 7 security monitoring
  • Intrusion detection technologies, both at the network and host levels
  • Anti-malware detection and prevention
  • Site redundancy
  • File integrity monitoring
  • Central logging of key security events

 

Compliance with laws and regulations

Local, State, and Federal law

Origence understands that it exists in a complex environment of laws and regulations. Origence is committed to ensuring its security practices are in line with local, state, and federal laws. Policies and procedures have been established to address common requirements, including but not limited to:

  • Gramm-Leach-Bliley Act (GLBA)
  • California Consumer Privacy Act / California Privacy Rights Act
  • Americans with Disabilities Act (ADA)
  • Fair Credit Reporting Act (FCRA)
  • Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

 

Other regulatory and compliance requirements

Origence acts in compliance with key regulatory requirements, largely those impacting both the financial and technology sectors. Origence adopts practices that adhere to industry regulations, and compliance initiatives that enable data security and privacy and foster consumer and client confidence. Origence adheres to the following compliance frameworks:

  • AICPA SOC 2 Type II
  • Payment Card Industry Data Security Standard (PCI-DSS) 4.0
  • National Institute of Standards and Technology (NIST) 800-53
  • National Automated Clearing House Association (NACHA)
  • Federal Reserve – FedLine

 

Contractual requirements

Origence may from time to time make certain contractual commitments to specific clients. Additionally, Origence contractually requires that clients and vendors employ security programs that meet industry standard requirements to protect the information of our clients and their customers.

 

Disaster recovery

Origence maintains a business continuity and disaster recovery plan to coordinate recovery efforts following a disaster that impacts the technology, facilities, and/or departments necessary to operate critical business functions. The plan is tested at least annually to verify its effectiveness.

 

Maintenance windows

Origence reserves the right to have a maintenance window at least three times per month. The schedule can be found at https://origence.com/resources/system-maintenance/. This maintenance window allows for preventive maintenance to critical and ancillary systems. During this maintenance window, all public-facing systems may be unavailable.