Purpose

This ISA describes the minimum information security standards OpenGov maintains to protect your Customer Data. Requirements in this ISA are in addition to any provisions in the Agreement.

OpenGov follows AICPA guidelines and regularly reviews controls described in OpenGov’s SOC2 Type II independent auditor report (“SOC2 Report”). OpenGov references some of the applicable SOC2 controls in this ISA for your convenience. See the SOC2 Report for the exact language. OpenGov will provide you with a copy of the SOC2 Report upon request and availability.

Encryption and key management

OpenGov uses industry-standard encryption techniques to encrypt Customer Data at rest and in transit (SOC: C-10). 

All connections are authenticated and encrypted using industry-standard encryption technology (SOC: C-11).

OpenGov uses keys generated with methods consistent with industry-accepted best practices; these keys are reviewed annually (SOC: C-12).

Customer Data is checked for integrity during transit to enable OpenGov to detect data tampering or corruption (SOC: C-9).

Support and maintenance

OpenGov deploys changes to the Cloud Services during scheduled maintenance windows, details of which are posted to the OpenGov website before the scheduled period. In the event of a service interruption, OpenGov publishes a notification to the website describing the affected services. OpenGov provides status updates and high-level information regarding upgrades and new releases via the OpenGov website (SOC: CM-11).

Incident response and notification

“Incident” means a security event that compromises the confidentiality, integrity, or availability of an OpenGov information asset. “Breach” means an Incident that results in the confirmed disclosure, not just potential exposure, of Customer Data to an unauthorized party. 

OpenGov has an incident response plan, including a breach notification process, to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization and customers or result in data loss. Discovered intrusions and vulnerabilities are resolved in accordance with established procedures. The incident response plan is reviewed and updated annually and more frequently as needed (SOC: OPS-4).

If there is a Breach involving your Customer Data, OpenGov will (A) notify you within 24 hours of the discovery of the Breach, (B) reasonably cooperate with you concerning such Breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the Breach to protect your Customer Data from further compromise. OpenGov will take any other actions that may be required by applicable law as a result of the Breach. 

OpenGov security program

OpenGov maintains a written security program that (A) complies with applicable global industry-recognized information security frameworks, (B) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data, and (C) is appropriate to the nature, size, and complexity of OpenGov’s business operations.

Security Program Changes. OpenGov policies (including the OpenGov Code of Conduct), standards, and operating procedures related to security, confidentiality, integrity, and availability are available to all OpenGov personnel via the OpenGov Policy Portal. Security policies are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. OpenGov personnel must review and acknowledge the Acceptable Use Policy and Employee Handbook during onboarding and annually after that (SOC: ORG-2). 

Security Officer. The OpenGov Director of Global Security and the Global Security Team develop, maintain, review and approve OpenGov Security Policies.

Security Training & Awareness. All OpenGov personnel must complete security awareness training annually (SOC: ORG-8). OpenGov conducts periodic security awareness education to give personnel direction for creating and maintaining a secure workplace (SOC: COM-11).

Risk management

OpenGov has a security risk assessment and management process to identify and remediate potential threats to OpenGov. Risk ratings are assigned to all identified risks, and remediation is managed by security personnel (SOC: RM-1). Executive management is kept apprised of the risk posture of the organization.

OpenGov’s risk management program and security operations monitor, alert on, and investigate threats posed by both non-malicious and malicious actors inside the organization on an ongoing basis. Identified issues are reviewed and investigated as appropriate (SOC: RM-2).

Threat and vulnerability management and security testing. OpenGov’s Threat and Vulnerability Management (TVM) program monitors for vulnerabilities on an ongoing basis (SOC: RM-3). OpenGov conducts daily internal and external vulnerability scans using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated, documented, and remediated to address the associated risk(s) (SOC: RM-6). An independent third party conducts risk assessments and external penetration tests annually. Findings from these tests are evaluated, documented, and remediated (SOC: RM-7).

Access management

OpenGov assigns application and data rights based on security groups and roles created based on the principle of least privilege. The ARC (Access Review Committee) reviews and approves security access requests before provisioning access (SOC: LA-1).

OpenGov classifies informational assets in accordance with the OpenGov data classification guideline (SOC: C-5).

Access to OpenGov systems and networks is disabled promptly upon notification of termination (SOC: LA-7). 

OpenGov reviews administrator access to confidential and restricted systems, including corporate and cloud networks, on a semiannual basis. OpenGov reviews administrator access to the cloud production environment, and to select corporate systems that provide broad privileged access, every quarter. Any inappropriate access is removed promptly (SOC: LA-8).

OpenGov uses separate administrative accounts to perform privileged functions, and accounts are restricted to authorized personnel (SOC: LA-9).

Password management and authentication controls

Authentication mechanisms require users to identify and authenticate to the corporate network with their unique user ID and password. OpenGov enforces minimum password parameters for the corporate network via an SSO and multi-factor authentication SaaS provider (SOC: LA-2).

Remote access and cloud access

Remote access to the corporate network is secured through a virtual private network (VPN) solution with two-factor authentication (SOC: LA-3). Access to the cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials (SOC: LA-4).

Asset configuration and security

Endpoint detection technology is installed and activated on all OpenGov endpoints to monitor for virus and malware infections. Endpoint devices are scanned in real time. Issues are investigated and remediated as appropriate. Virus definition updates are automatically pushed out to endpoint devices as they become available (SOC: LA-11). OpenGov uses full-disk encryption on endpoint devices. Endpoint devices are monitored and encrypted using industry-recognized tools. OpenGov has tools to identify and alert IT administrators of discrepancies between OpenGov security policies and a user’s endpoint settings (SOC: LA-12). OpenGov maintains and regularly updates an inventory of corporate and cloud infrastructure assets and systematically reconciles the asset inventory annually (SOC: OPS-5).

Logging and monitoring

OpenGov continuously monitors application, infrastructure, network, data storage space, and system performance (SOC: OPS-1). OpenGov utilizes real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, end users, and administrator activity. Our tooling is configured for alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. OpenGov reviews this information and investigates events that warrant real-time review (SOC: OPS-2).

Change management

OpenGov has change management policies and procedures for requesting, testing, and approving application, infrastructure, and product-related changes. All changes receive a risk score based on risk and impact criteria. Low-risk changes generate automated change tickets and have various levels of approval based on the risk score. High-risk changes require manual change tickets to be created and are reviewed by approvers based on change type. Planned changes to the corporate or cloud production environments are reviewed regularly. Change documentation and approvals are maintained in a ticketing system (SOC: CM-1). Product development changes undergo various levels of review and testing based on change type, including security and code reviews, regression, and user acceptance testing before approval for deployment (SOC: CM-2). Following the successful completion of testing, changes are reviewed and approved by appropriate managers before implementation into production (SOC: CM-3). OpenGov uses dedicated environments, separate from production, for development and testing activities. Access to move code into production is limited and restricted to authorized personnel (SOC: CM-9).

Secure development

OpenGov has a software development life cycle (SDLC) process, consistent with OpenGov security policies, that governs the acquisition, development, implementation, configuration, maintenance, modification, and management of OpenGov infrastructure and software components (SOC: CM-4). Before the final release of a new OpenGov system version to the production cloud environment, code is pushed through lower-tier environments for testing and certification (SOC: CM-6). OpenGov follows specific coding guidelines based on leading industry standards. These guidelines are updated and available to personnel via the corporate intranet. OpenGov developers receive annual secure coding training (SOC: CM-7). OpenGov utilizes a code versioning control system to maintain the integrity and security of the application source code (SOC: CM-8).

Network security

OpenGov uses network perimeter defense solutions, including an IDS and firewalls, to monitor, detect and prevent malicious network activity. Security personnel monitor items detected and take appropriate action (SOC: LA-15). Firewall rule changes (that meet the corporate change management criteria) follow the change management process and require approval by the appropriate approvers (SOC: LA-16). OpenGov’s corporate and cloud networks are logically segmented by virtual local area networks (VLANs), and firewalls monitor traffic to restrict access to authorized users, systems, and services (SOC: LA-17).

Third-party security

OpenGov assesses and manages the risks associated with existing and new third-party vendors. OpenGov employs a risk-based scoring model for each third party (SOC: MON-2). OpenGov requires third parties to enter into contractual commitments that contain security, availability, processing integrity and confidentiality requirements, and operational responsibilities as necessary (SOC: COM-9). OpenGov evaluates the physical security controls and assurance reports for data centers annually. OpenGov assesses the impact of any issues identified and tracks any remediation efforts (SOC: MON-3).

Oversight and audit

Internal audits are aligned with OpenGov’s information security program and compliance requirements. OpenGov conducts internal control assessments to validate that controls are operating effectively. Issues identified from assessments are documented, tracked, and remediated (SOC: MON-1). Internal controls related to security, availability, processing integrity, and confidentiality are audited by an independent external auditor at least annually and in accordance with applicable regulatory and industry standards. 

Business continuity plan

OpenGov maintains a Business Continuity Plan and a Disaster Recovery Plan to manage significant disruptions to OpenGov operations and infrastructure. These plans are reviewed, updated, and approved annually (SOC: A-5). OpenGov conducts business continuity exercises to evaluate OpenGov tools, processes, and subject matter expertise in response to specific incidents. The results of these exercises are documented and any issues identified are tracked to remediation (SOC: A-6).

Human resources security

OpenGov has procedures in place to guide the hiring process. Background verification and criminal background checks are completed for OpenGov personnel in accordance with relevant laws and regulations (SOC: ORG-5). OpenGov requires personnel to sign a confidentiality agreement as a condition of employment (SOC: C-2). OpenGov maintains a disciplinary process to take action against personnel who do not comply with company policies, including OpenGov security policies (SOC: ORG-3).