Obo Risk Mitigation
While security is the responsibility of all employees, the CTO is ultimately responsible for defining Obo security policies and operations. All security reviews, audits, scans, policy enforcement, and incident responses are driven by the CTO.
Obo has policies for acceptable encryption, clean desk, email, passwords and customer data. In addition, every employee is required to attend an annual Obo security training session, delivered by the CTO and overseen by all Obo executive staff. All employee laptops are tracked and monitored under the Obo asset management plan.
The Obo application is multi-tenanted. Data is always encrypted, both at rest and in transit. Obo runs on AWS instances, with an Amazon RDS database encrypted at rest with AES-256. Obo uses Auth0 to manage all Obo authentication (MFA, SSO, etc.). SonarQube scans Obo application code on every code release.
OWASP ZAP scans the Obo production and staging environments after every release push. Periodic log inspections look for anomalies in application usage.
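The log inspection described above is the kind of check that is easy to automate. The following is an added example and not Obo's own tooling: the log line format, the two detection rules (one session appearing from many addresses, and a burst of failed logins from one address), their thresholds, and the sample lines are all assumptions chosen for illustration.

```python
"""Periodic inspection of application access logs for usage anomalies.

Added example, not Obo's own tooling: the log line format, the two
detection rules, their thresholds and the sample lines below are all
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO time>Z tenant=<t> user=<u> ip=<a> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: alice is normal; bob's session appears from four
# addresses within two minutes; one address fails /login six times in six
# seconds; the last line is malformed and must be skipped, not crash the job.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z tenant=acme user=alice ip=203.0.113.10 GET /api/projects 200
2024-05-01T10:00:05Z tenant=acme user=alice ip=203.0.113.10 GET /api/projects/7 200
2024-05-01T10:01:00Z tenant=acme user=bob ip=198.51.100.4 GET /api/projects 200
2024-05-01T10:01:30Z tenant=acme user=bob ip=198.51.100.77 GET /api/projects 200
2024-05-01T10:02:00Z tenant=acme user=bob ip=192.0.2.9 GET /api/projects 200
2024-05-01T10:02:10Z tenant=acme user=bob ip=192.0.2.200 GET /api/projects 200
2024-05-01T10:03:00Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:03:01Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:03:02Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:03:03Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:03:04Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:03:05Z tenant=globex user=- ip=192.0.2.50 POST /login 401
2024-05-01T10:04:00Z tenant=globex user=carol ip=198.51.100.9 POST /login 200
this line is garbage and must be skipped
"""


def parse(text):
    """Parse log text into event dicts, dropping lines that do not match the format."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def users_with_many_ips(events, window=timedelta(minutes=10), max_ips=3):
    """Users seen from more than max_ips distinct addresses inside any sliding
    window. A person moves between a couple of networks; a session token
    replayed from many addresses at once does not look like that."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] != "-":  # unauthenticated requests carry no user
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            seen = {x["ip"] for x in evs[: i + 1] if cur["ts"] - x["ts"] <= window}
            if len(seen) > max_ips:
                flagged[user] = sorted(seen)
                break
    return flagged


def failed_login_bursts(events, path="/login", threshold=5, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failed logins inside `window`,
    mapped to the largest such burst seen."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == path and e["status"] in (401, 403):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def inspect(text):
    """One inspection run: parse, apply both rules, report what was skipped."""
    events = parse(text)
    total = sum(1 for line in text.splitlines() if line.strip())
    return {
        "events": len(events),
        "skipped": total - len(events),
        "multi_ip_users": users_with_many_ips(events),
        "login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    print(inspect(SAMPLE_LOG))
```

Both rules are deliberately simple sliding-window counts; the point is that the thresholds and the window are explicit parameters that the reviewer can tune against the application's normal traffic, and that a malformed line is counted and skipped rather than aborting the run.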
Obo has an extensive Incident Response Plan (IRP) which defines responses for all common incidents which could affect Obo operations or Obo users (including security and data breach incidents).
Beyond the physical security provided by AWS, the Obo office enforces keycard access for all employees.
Obo leverages AWS network security for all product environments (dev, QA, staging, demo and production). All AWS instances receive periodic patch reviews, with patches installed during defined maintenance windows.
Obo customer data is accessible only to the Obo customer who owns it. Obo has no ‘super-user’ facility for viewing data stored in customer tenants. Obo staff can view data inside a customer’s tenant only after a user grants access to their account by sharing their username and password with a trusted Obo employee; because that hands the employee the user’s own login, the customer should change the password once the support session is over.
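Tenant isolation of the kind described above is normally enforced in the data layer: the tenant is derived from the verified identity token of the calling user, never from a request parameter, and no query path exists that omits the tenant filter. The following is an added example and not Obo's code; the table schema, the sample rows and the custom claim name carrying the tenant id are assumptions. It shows the unsafe lookup-by-id pattern beside a repository that binds every statement to the caller's tenant.

```python
"""Tenant-scoped data access for a multi-tenant application.

Added example, not Obo's code. The schema, the sample rows and the custom
token claim name are assumptions. The tenant id comes from already-verified
identity token claims (an IdP such as Auth0 would issue them), never from
the request, and no code path exists that skips the tenant filter.
"""
import sqlite3

# Assumed custom claim in the verified identity token that names the tenant.
TENANT_CLAIM = "https://example.com/tenant"


def seed():
    """In-memory database with one project per tenant (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO projects VALUES (?, ?, ?)",
        [(1, "acme", "Acme roadmap"), (2, "globex", "Globex launch plan")],
    )
    conn.commit()
    return conn


def get_project_unsafe(conn, project_id):
    """The pattern to avoid: the row is selected by id alone, so any
    authenticated user can read other tenants' rows by guessing ids."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM projects WHERE id = ?", (project_id,)
    ).fetchone()


class TenantContext:
    """Tenant of the calling principal, taken from verified token claims only."""

    def __init__(self, claims):
        tenant = claims.get(TENANT_CLAIM)
        if not tenant:
            raise PermissionError("identity token carries no tenant claim")
        self.tenant_id = tenant


class ProjectRepo:
    """Every statement is bound to the context's tenant. There is no
    constructor or method that accepts a tenant from the caller, which is
    what 'no super-user view' means at the data layer."""

    def __init__(self, conn, ctx):
        self._conn = conn
        self._tenant = ctx.tenant_id

    def get(self, project_id):
        return self._conn.execute(
            "SELECT id, tenant_id, name FROM projects WHERE id = ? AND tenant_id = ?",
            (project_id, self._tenant),
        ).fetchone()

    def list(self):
        return self._conn.execute(
            "SELECT id, tenant_id, name FROM projects WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()

    def rename(self, project_id, new_name):
        """True only if a row of this tenant changed. A foreign id matches
        nothing, so the update is a no-op instead of a cross-tenant write."""
        cur = self._conn.execute(
            "UPDATE projects SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, project_id, self._tenant),
        )
        self._conn.commit()
        return cur.rowcount == 1


if __name__ == "__main__":
    db = seed()
    acme = ProjectRepo(db, TenantContext({TENANT_CLAIM: "acme"}))
    print("unsafe lookup leaks:", get_project_unsafe(db, 2))
    print("scoped lookup:", acme.get(2))
```

The scoped repository returns nothing for a foreign id rather than an error that distinguishes "missing" from "belongs to someone else", so the existence of other tenants' rows is not disclosed either. Construction of a TenantContext fails closed when the token carries no tenant claim.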