HID undergoes regular internal and external security audits on the organization as well as all the HID Origo platform components to ensure our solutions comply with industry security standards and best practices.
HID Global uses Amazon Web Services (AWS), which is certified under the following assurance programs: SOC, PCI, ISMAP, FedRAMP, DoD CC SRG, HIPAA BAA, IRAP, MTCS, C5, K-ISMS, ENS High, OSPAR, HITRUST CSF, FINMA and GSMA. Further details can be viewed on Amazon's compliance page: https://aws.amazon.com/compliance/services-in-scope/
AWS services used by HID Origo Services:
- API Gateway
- DynamoDB
- ElastiCache for Redis
- RDS
- S3 Glacier
- Glue
- Systems Manager
- Athena
- EBS
- GuardDuty
- SES
- VPC
- ACM
- IAM
- Application Load Balancer (ALB)
- Aurora
- EC2
- Kinesis Data Firehose
- SNS
- Config
- IoT Core
- Network Load Balancer (NLB)
- CloudFront
- ECR
- Kinesis Data Streams
- SQS
- Direct Connect
- KMS
- CloudWatch and CloudWatch Logs
- ECS
- MSK
- S3
- Fargate
- Lambda
HID Global maintains an Information Security Management System (ISMS), certified according to the ISO/IEC 27001 standard, to govern the security controls for the development and ongoing operation of the HID Origo services, which include:
- HID Origo Cloud Platform and Services:
- HID Origo Mobile Identities
- HID Origo Management Portal
- HID Origo Connected Architecture
- HID Authentication Service (AaaS)
- HID Approve
HID Origo Cloud Services has also performed a self-assessment based on the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The technical report covers the following domains:
- Application and Interface Security
- Audit Assurance and Compliance
- Business Continuity Management and Operations Resilience
- Change Control and Configuration Management
- Data Security and Information Lifecycle Management
- Datacenter Security
- Encryption and Key Management
- Governance and Risk Management
HID Origo Mobile Identities has achieved SOC 2 Type 2 compliance.
- Issued by the Association of International Certified Professional Accountants (AICPA), the Service and Organization Controls (SOC) standard covers security, availability, processing integrity, confidentiality and privacy for the evaluated set of services.
- This attestation means that HID Origo Mobile Identities has been independently examined and found able to deliver on its service commitments against the AICPA Trust Services Criteria relevant to security and availability.
- Achieving SOC 2 Type 2 demonstrates that HID Origo Mobile Identities follows its defined processes and industry best practices, maintains its infrastructure, protects its systems, and ensures the product meets the requirements of all deployment types up to enterprise level.
Frameworks
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The Secure Software Development Framework (SSDF) is a set of fundamental, sound and secure software development practices based on established secure software development documents from organizations such as BSA, OWASP and SAFECode.
The Software Alliance has developed The BSA Framework for Secure Software to fill that gap. The Framework offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry – developers, vendors, customers, policymakers, and others – communicate and evaluate security outcomes associated with specific software products and services.
The Building Security In Maturity Model (BSIMM) is a study of current software security initiatives and programs. It quantifies the application security (appsec) practices of organizations across industries, sizes and geographies, while identifying the variations that make each organization unique.