Assessments, Auditing, and Evaluation
As part of Orbita’s security, privacy, and compliance objectives, assessments are performed against industry standards to confirm that Orbita meets or exceeds expectations. To validate this, Orbita has third-party assessments performed to confirm that its compliance objectives are met with respect to the policies, controls, and safeguards that protect customer data.
Orbita has aligned with the AICPA SSAE 18 System and Organization Controls (SOC) framework, and Orbita’s Conversational Platform has undergone a third-party evaluation against the Common Criteria of the SOC 2 Security Trust Services Criteria. A SOC 2® assessment report was produced from the evaluation against these criteria.
Orbita will share the SOC 2 report with customers under agreement; to obtain a copy, please request it from your Sales Representative. Orbita’s most recent examination was completed in October 2019, and Orbita will continue to seek third-party assessments, including SOC 2 examinations, on a regular basis.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the protection of sensitive patient data. Companies handling protected health information (PHI) must have appropriate protective processes and safeguards in place, and must follow them, to achieve HIPAA compliance. Covered entities must comply with HIPAA, as must their business associates and any subcontractors or other related business associates that also handle PHI.
Orbita solutions are designed to give customers full control of their data, including any electronic PHI (ePHI) they choose to process. Although Orbita does not manage this data directly, where Orbita processes it on a customer’s behalf Orbita may act as a business associate, and supporting systems are in place to meet HIPAA requirements in that role.
Risk Management Framework
A risk management framework is in place to identify, measure, treat, and monitor risks relating to data and information. The objectives of the Orbita Risk Management Framework are to:
- Discover and report new risks arising from information processing and handling activities.
- Assess and measure risks on a per-system basis, taking likelihood and impact into account.
- Treat risks efficiently and effectively with safeguards that address the root cause.
- Maintain documentation recording the rationale for the safeguards and treatments applied to active risks.
- Monitor active risks to track and control residual risk, as well as any new risks introduced by the treatments themselves.
- Support continuous improvement of data handling and processing activities.
The following administrative, physical, and technical safeguards and controls, based on industry best practices, are in place to provide comprehensive coverage of identified risks and potential threats.
- Dedicated Security Personnel – Dedicated security personnel have been appointed and are responsible for maintaining the information security and data privacy management systems.
- Information Access Management – Identity verification and access controls ensure that data access is granted according to data classification and only as planned. Access requests are governed by an approval process with reporting, periodic review, and monitoring.
- Training – Security and privacy training is provided to the Orbita workforce members who perform processing activities, so that the relevant safeguards are understood and applied.
- Evaluation – Security program requirements and objectives are reviewed regularly to ensure alignment with business goals and objectives and to identify opportunities for improvement.
- Physical Safeguards – Critical data processing facilities comply with Orbita’s physical security policies and objectives.
- Third-Party Facilities – Third-party vendor facilities where data may be hosted have been assessed for compliance with Orbita’s requirements.
- Physical and Environmental Controls – Physical security and environmental controls safeguard all critical equipment against accidental damage or malicious misuse.
- Access Control – Access is managed on the principle of least privilege (PoLP): access is denied by default, and an approval process ensures that access requests are tracked and managed by authorized personnel.
- Auditing – Internal and external audits of systems and processes verify that the requirements and objectives of Orbita’s security programs are being met and continue to improve.
- Integrity Controls – Data at rest, including backup systems and backup data, is encrypted, stored separately from its source, and protected according to industry best practices. Restrictive controls limit access to all such data, and monitoring and review verify that data at rest remains unchanged from its genuine form.
- Transmission Security – Data in transit to and from all endpoints and critical services is encrypted and protected to prevent unauthorized access.
- Breach Management – A breach management process is in place to handle reports of security incidents and events. If customer data is stolen, accessed by an unauthorized party, or suspected of being compromised, action is taken according to Orbita’s policies and procedures, including timely notice to any affected Orbita customers.