HID undergoes regular internal and external security audits on the organization as well as all the HID Origo platform components to ensure our solutions comply with industry security standards and best practices.
HID Global uses Amazon Web Services, which is certified under the following assurance programs: SOC, PCI, ISMAP, FedRAMP, DoD CC SRG, HIPAA BAA, IRAP, MTCS, C5, K-ISMS, ENS High, OSPAR, HITRUST CSF, FINMA and GSMA. Further details can be viewed on Amazon's compliance page: https://aws.amazon.com/compliance/services-in-scope/
The AWS services used by the HID Origo Services are:

HID Origo Services | | | | | |
---|---|---|---|---|---|
API Gateway | DynamoDB | ElastiCache for Redis | RDS | S3 Glacier | Glue |
Systems Manager | Athena | EBS | GuardDuty | SES | VPC |
ACM | IAM | Application Load Balancer (ALB) | Aurora | EC2 | Kinesis Data Firehose |
SNS | Config | IoT Core | Network Load Balancer (NLB) | CloudFront | ECR |
Kinesis Data Streams | SQS | Direct Connect | KMS | CloudWatch + Logs | ECS |
MSK | S3 | Fargate | Lambda | | |
HID Global maintains an Information Security Management System (ISMS), certified according to the ISO/IEC 27001 standard, to govern the security controls for the development and ongoing operations of the HID Origo services, which include:
- HID Origo Cloud Platform and Services:
  - HID Origo Mobile Identities
  - HID Origo Management Portal
  - HID Origo Connected Architecture
- HID Authentication Service (AaaS)
- HID Approve
CSA STAR Level 2: Certification
Cloud Security Alliance is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
HID Global is a corporate member of the Cloud Security Alliance and participates in the CSA Security, Trust & Assurance Registry (STAR) certification program to adhere to cloud security best practices.
On 15 Oct 2023, HID PACS, for the scope listed below, was assessed and certified under CSA STAR Level 2. The certification record can be viewed at https://cloudsecurityalliance.org/star/registry/hid-global.
The scope of the CSA STAR certification is aligned with the scope of the information security management system (ISMS), which covers the information security framework for the activities relating to the development, provision, maintenance, and operations of the in-scope applications and services listed below, in accordance with the statement of applicability, version Q, dated December 21, 2022. The ISMS preserves the confidentiality, integrity, availability (CIA), and privacy of HID Global information assets and processes for the following services:
- HID Origo Cloud Platform and Services:
  - HID Origo Mobile Identities
  - HID Origo Management Portal
  - HID Origo Connected Architecture
HID Origo Mobile Identities has achieved SOC 2 Type 2 compliance.
- Issued by the Association of International Certified Professional Accountants (AICPA), the Service and Organization Controls (SOC) standard covers security, availability, processing integrity, confidentiality and privacy for the evaluated set of services.
- This attestation means that HID Origo Mobile Identities has been independently examined and found able to deliver on its service commitments in terms of the AICPA Trust Services Criteria relevant to security and availability.
- Achieving SOC 2 Type 2 demonstrates that HID Origo Mobile Identities follows its defined processes and industry best practices, maintains its infrastructure, protects its systems, and ensures the product meets the requirements of all types of deployments up to enterprise level.
HID Origo Mobile Access & Origo Connected Architecture have achieved SOC 2 Type 1 compliance.
- Issued by the Association of International Certified Professional Accountants (AICPA) and assessed against the Trust Services Criteria relevant to security.
- A SOC 2 Type 1 report reviews the design of an organization's internal controls at a point in time. It assesses the organization's SOC 2 compliance posture and determines whether the implemented controls meet the framework's requirements.
- Achieving SOC 2 Type 1 demonstrates that HID Origo Mobile Access & Origo Connected Architecture follow the defined processes and industry best practices, maintain their infrastructure, protect their systems, and ensure the product meets the requirements of all types of deployments up to enterprise level.
Frameworks
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode.
The Software Alliance (BSA) has developed the BSA Framework for Secure Software. The Framework offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry (developers, vendors, customers, policymakers, and others) communicate and evaluate the security outcomes associated with specific software products and services.
Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs. It quantifies the application security (appsec) practices of different organizations across industries, sizes, and geographies while identifying the variations that make each organization unique.