Additionally, the Origence information security program is based on a “three lines of defense” model, whereby responsibility for information assurance is shared at multiple levels:
First line – end users represent the first line of defense in our strategy. As such, Origence emphasizes security awareness training for both standard and administrative users. Additionally, security is made part of the software development lifecycle through secure coding training, established security guidelines, and additional code review. End users are responsible for abiding by established security policies, using the information systems in a manner that promotes security, and relaying risks and concerns to management.
Second line – management represents the second line of defense. Origence management is responsible for reviewing the Origence environment, evaluating the risks to the environment, and developing sound policies to help secure the environment.
Third line – auditors represent the third line of defense. Both the internal audit function and external auditors help identify new and emerging risks and ensure that established processes are followed.
Industry best practices
Origence has based its security controls on industry standards and best practices. Such standards include the NIST Cybersecurity Framework, NIST 800-53, and those described by the Center for Internet Security. By aligning the information security program to these standards, we believe that the program can deliver security throughout the data lifecycle today and continue to deliver security as technology evolves.
Standard control areas include: