A Focus on Security and Compliance
Security is woven throughout Optimal IdM operations and approach. It’s the bedrock of what we do.
Optimal IdM undergoes an AICPA SOC 2 Type II audit each year to verify compliance to its security program, policies and procedures, and industry standards. Optimal IdM also complies with the EU Standard Contractual Clauses for the protection of personal data of EU citizens. These model clauses are in place for several of our European clients and we have implemented these requirements with our vendors; such as Microsoft. Optimal IdM is in full compliance with the EU General Data Protection Requirements (GDPR).
Optimal IdM has used the SOC 2, Type I and Type II processes to successfully audit the operational and security processes of our service and our company.
“Our customers trust us with their most valuable data, so they expect the best. That’s why we are pro-active and persistent with our compliance and security practices.”
– Ed Gorczyca, Chief Compliance Officer, Optimal IdM
When it comes to software development, all code is maintained for safekeeping in a secure software vault. Developers check out the code to make design modifications which have been approved in advance. The developers operate in isolated virtual environments to make the changes and test the revised code. All code is tested for the Open Web Application Security Project (OWASP) Top 10 Security Risks and Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors. This testing checks for vulnerabilities such as buffer overflow, cross-site scripting and command injection to assure a robust and secured product is released.
Furthermore, only authorized Optimal IdM system administrators have access to the customer server environments and multi-factor authorization is used to confirm their identity at login. In addition to being backed up on a frequent basis, the servers are continuously monitored for unusual or suspicious behavior.
All employees and contractors undergo a thorough pre-employment background check before access to company information is granted. Confidentiality and non-disclosure agreements protect both company and client information from unauthorized disclosure. Personnel receive training on security and key aspects of their job. User access is granted on as needed basis at the lowest level required to company and client systems. All of these processes are defined in an employee handbook and company policies which are reviewed and distributed each year.