As a company we use Oroson every day to store a significant amount of sensitive
data. Ensuring Oroson is secure is vital for protecting our data and our customers' data. Security is
our highest priority.
The purpose of this document is to highlight in an open fashion the measures which
Oroson has taken to ensure that the entrusted data is secured both from attack and from accidental
Security and Data Policies
As a remote development team Oroson faces challenges and opportunities which may
not be present in a more static environment.
Oroson engages with 3rd party security specialists to build and implement procedures to constantly
improve security posture.
All customer data stays within the production data centre with strict access controls
References are obtained from all personnel before starting with the company, and in
some circumstances AccessNI or similar background checks may be required.
All employees and 3rd parties who could have access to the systems are provided with an introduction to
the security policies and must agree to confidentiality and non-disclosure terms.
As remote workers, all personnel are provided with training on how to secure their
environments including provision of secured devices, and training on physical and environmental security
A joiners and leavers process is followed for all personnel to ensure access is
enabled and removed immediately.
The Oroson Site Reliability Engineering (SRE) team are the only Oroson employees
who can access production data for debugging purposes. This is a small group of senior engineers who
report directly to the Oroson CTO.
Security and privacy training
All personnel are required to undergo security training at the start of their
tenure with the organisation. This covers personal data responsibilities as framed against the Data
Protection Act 2018, as well as more general security training to assist with identification of phishing
This training is revisited on an annual basis and as required should a shortfall in
training be encountered.
Audits, compliance and 3rd party assessments
Oroson work diligently and with 3rd parties to ensure compliance with
At the time of writing, Oroson are certified as CyberEssentials compliant, a UK Government
standard. More details of this certification are available at the NCSC website. The CyberEssentials certificate is available here.
Policies and standards
Although Oroson has not yet obtained the ISO27001:2013 certification, Oroson have
aligned all policies to ISO27001:2013.
The policies currently govern the following areas:
- Security Policy - A general document listing requirements
for securing the organisation.
- Data Audit - Lists the types of data which are collected
in the application including personal data. This lists amongst other items the retention time,
storage location and lawful basis for processing.
- Data protection policies including:
- Subject Access Request
- Breach Notification
- Business Continuity Policy
- Deployment and Change Control Process
All documents are regularly reviewed and updated as required by senior team
Oroson engage with external parties to provide guidance on standards as required.
The effectiveness of all policies is audited during this
process, and all policies are developed to align with ISO27001:2013. All audit results are
dealt with at a senior management level and tracked to completion including root cause analysis where
Oroson engage with external experts to provide application and network level
security and penetration testing, including full scanning of cloud infrastructure and configuration.
Penetration testing and security scans are performed by external security experts
at least annually. The latest penetration test was performed in December 2018.
All security testing results are dealt with at a senior management level and
tracked to completion including root cause analysis where applicable.
Oroson have worked with a variety of legal professionals to ensure the platform
adheres to the requirements of all relevant legislation. This has included ensuring that a data audit
has been carried out to assist with meeting the requirements of the Data Protection Act 2018; this audit
lists at a minimum:
- Data captured
- How captured
- Lawful basis for processing
- Retention policy
- Location for storage
Oroson have implemented a Subject Access Request policy which allows users to
retrieve their data in an organised fashion within the requirements of the Data Protection Act 2018. The
Software development lifecycle
Oroson operates a secure software development lifecycle in which security
assessments are carried out as part of requirements gathering.
The security process continues with the use of static analysis software, including
SonarQube and dependency checkers; this gives developers an overview of potential issues.
Developers use version control processes to control each change within the system;
this allows for full traceability of issues. All requirements, features, and configuration
changes must be raised in the Oroson issue tracker.
Oroson uses the Git version control system.
Changes to the Oroson code base are performed on separate branches and tested using a suite of automated
tests. A Pull Request (PR) is raised for this branch and another member of the development team reviews it.
After successful review all PRs are merged into a development branch, and periodically the development branch
is merged into the master branch. Once in the master branch, the code is tagged and a Continuous Integration (CI) process builds
the code and deploys it to a staging environment. Once in staging the release is tested and issues are
signed off by a Product Owner. Either the CTO or the Chief Architect can then sign off the release to be installed in production.
Protecting Customer Data
As previously mentioned, Oroson are responsible for a significant amount of
personal and other data which is provided by customers, and used for improving workflow and increasing
productivity. This data is often classified as client confidential or for internal use only. It is vital
that this information is treated with respect and remains secure.
Data encryption in transit and at rest
All data transmitted to or from Oroson clients/servers is over a secure connection
using strong encryption. Oroson supports TLS 1.2 with the latest recommended cipher suites; by default
the ECDHE_RSA key exchange with P-256 and AES_128_GCM are used. These cipher suites are monitored and updated as required. There
is occasionally a requirement to support older cipher suites, although this is largely negated by only
supporting newer devices.
Data is encrypted at rest in all locations including Amazon S3 and RDS databases.
All encryption keys are managed using Cloud KMS services, and rotated at least every 90 days.
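The transport policy above (TLS 1.2 as the floor, ECDHE_RSA over P-256 with AES_128_GCM) is the kind of setting that is easy to state and easy to drift from. The following is an added example, not Oroson's code, showing how a Python service would pin that policy in an `ssl.SSLContext` and how to check what the context will actually negotiate; the OpenSSL cipher-list string is this example's translation of the policy, and `certfile`/`keyfile` are placeholders.

```python
import ssl

# Policy values from the page: TLS 1.2 minimum, ECDHE_RSA key exchange over
# P-256, AES_128_GCM as the default suite. The cipher list is written in
# OpenSSL notation and is this example's mapping of that policy.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
CIPHER_LIST = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
ECDH_CURVE = "prime256v1"  # OpenSSL's name for P-256


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that only negotiates forward-secret AEAD suites
    over TLS 1.2 or newer. certfile/keyfile are placeholders for the
    deployment's own certificate chain and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION       # refuses TLS 1.0/1.1 clients
    ctx.set_ciphers(CIPHER_LIST)            # restricts the TLS 1.2 suite list
    if ssl.HAS_ECDH:
        ctx.set_ecdh_curve(ECDH_CURVE)      # ECDHE on P-256
    ctx.options |= ssl.OP_NO_COMPRESSION    # TLS compression is never wanted
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def negotiable_cipher_names(ctx):
    """Names of the suites the context will offer. OpenSSL always lists the
    TLS 1.3 suites as well; those are forward-secret AEAD by design."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """TLS 1.2 suites in the context that lack ephemeral ECDH key exchange
    or an AEAD cipher. Run this after any cipher-list change: an empty
    result means the context still honours the policy."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        name = c["name"]
        aead = "GCM" in name or "CHACHA20" in name
        if not name.startswith("ECDHE-") or not aead:
            bad.append(name)
    return bad


if __name__ == "__main__":
    context = hardened_server_context()
    print("offered:", negotiable_cipher_names(context))
    print("weak:", weak_suites(context))
```

The `weak_suites` check is the part worth keeping in a test suite: when an "older cipher suite" is added for a legacy device, it reports exactly which suites now fall outside the forward-secret, AEAD-only policy.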
The Oroson application is entirely cloud based and uses infrastructure from both AWS and Google Compute Engine. Both of these organisations
feature strong levels of security using the shared responsibility model and allow organisations to bring
their own security requirements. Both organisations are certified to ISO27001:2013 amongst other
certifications and contain strong, auditable processes for items including:
- Physical and environmental security
- Network security
- Deletion of data after use
Oroson's application and data are based in a number of availability zones
within the AWS eu-west-1 / Ireland region. The systems are regularly tested to confirm their ability to
recover from failure. Backups and logs are also replicated to the eu-central-1 / Frankfurt region to provide business
continuity in the case of a catastrophic AWS region failure.
The Oroson production and staging environments are completely separate AWS
accounts. Data from production is never made available to staging or development.
Keys are not shared between different environments and user details are not
permitted to cross over.
Oroson implements a number of methods for increasing network security, including the
use of tools such as AWS GuardDuty and AWS Config Service within the cloud environment for intrusion
detection and prevention. These tools allow
administrators to be aware of, and take action on, issues and potential issues before they cause problems.
These tools feature automated actions in some cases to quickly remove instances or devices suspected of
The level of confidentiality is determined based on the following criteria:
- Value of information - Based on impacts assessed during
- Sensitivity and criticality of information - Based on the
highest risk calculated for each information item during risk assessment
- Legal and contractual obligations
All information is classified into confidentiality levels. The levels, from lowest to highest, are
defined by the damage unauthorised access could cause and by who may see the information:

Impact of unauthorised access | Who may access the information
Making the information public cannot harm the organization in any way | Information is available to the public
Unauthorized access to information may cause minor damage and/or inconvenience to the | Information is available to all employees and selected third parties
Unauthorized access to information may considerably damage the business and/or the | Information is available only to a specific group of employees and authorized third parties.
Unauthorized access to information may cause catastrophic (irreparable) damage to business and/or to the organization's reputation | Information is available only to individuals in the organisation
The basic rule is to use the lowest confidentiality level ensuring an appropriate
level of protection, in order to avoid unnecessary protection costs.
Oroson heavily restricts the access and movement of data, especially from high
security areas to low security areas.
Oroson uses 2-factor authentication for all systems which support it; this
includes cloud providers and communication devices.
All server instances require private-key authentication rather than
password access. Where sudo or administrative access is enabled, a strong passphrase is required and
enforced using operating system functionality.
All employees must use an approved password manager for storage of sensitive
information as recommended by the NCSC.
System monitoring, logging and alerting
All systems are monitored using a combination of tools, including services provided
by cloud providers; this allows alerting and automatic resolution of issues should a server become
All logs are immediately removed from systems and copied to a central location for
examination and analysis as required. Log systems have write-only access to the log storage location
and cannot delete or modify what has already been written.
Servers and instances are monitored using a selection of monitoring tools as listed
above. Workstations in use by Oroson developers have antivirus installed which is regularly updated and
provides alerting of issues as required. Access to Oroson production systems is through a Bastion host which
uses strong SSL keys and enforces strict IP address whitelisting.
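Two of the controls above are host configuration rather than policy: key-only authentication on server instances and source-address restriction on the bastion. The following added example, which is not Oroson's tooling, audits an OpenSSH `sshd_config` against those two requirements. Both configuration samples are constructed for the example (the `203.0.113.0/24` range is a documentation placeholder), and the checker deliberately stops at the first `Match` block rather than modelling conditional directives.

```python
import re

# Constructed sshd_config samples, not Oroson's real configuration. The weak
# one leaves OpenSSH's password-friendly defaults in place; the hardened one
# encodes the page's policy: private-key authentication only, no root password
# login, and bastion access limited to an approved source range (placeholder
# address from the documentation range).
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
# PasswordAuthentication is unset, so OpenSSH's default of "yes" applies
"""

HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
# Any user, but only from the approved office/VPN range (placeholder)
AllowUsers *@203.0.113.0/24
"""

# OpenSSH's own defaults for the directives audited below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Map each global directive (lower-cased) to the list of values seen.
    sshd honours the first occurrence of a directive, so callers read
    values[0]. Parsing stops at the first Match block, whose directives apply
    only conditionally and are out of scope for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def effective(settings, key):
    """First configured value for a directive, or OpenSSH's default."""
    values = settings.get(key)
    return values[0].lower() if values else DEFAULTS.get(key, "")


def audit_sshd_config(text):
    """Return policy findings for a config; an empty list means it complies."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") != "no":
        findings.append("password authentication is enabled")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("public-key authentication is disabled")
    # ChallengeResponseAuthentication is the older alias of
    # KbdInteractiveAuthentication; this example treats either one being
    # "no" as disabling the mechanism.
    if "no" not in (effective(s, "kbdinteractiveauthentication"),
                    effective(s, "challengeresponseauthentication")):
        findings.append("keyboard-interactive authentication is enabled")
    if effective(s, "permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("root login with a password is permitted")
    # A user@host entry (host may be a CIDR) is what restricts source addresses.
    entries = [e for value in s.get("allowusers", []) for e in value.split()]
    if not any("@" in e for e in entries):
        findings.append("no source-address restriction (AllowUsers user@host) configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

The point of encoding OpenSSH's defaults in `DEFAULTS` is that the weak sample fails mostly through what it does not say: an absent `PasswordAuthentication` line still means passwords are accepted.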
All devices must be patched within 5 days for high and critical issues. Patches
should be applied to testing environments first where possible.
Mobile device management
Mobile devices are controlled using centralised infrastructure and can be remotely
wiped as required.
Responding to security incidents
In order to manage incidents effectively, Oroson have implemented a formal
procedure. Each member of the team has a responsibility to follow an issue through from open to close
with support from the CTO and other representatives as required. As with all processes, this is regularly
updated and audited.
Oroson have developed a secure methodology for securing secrets within the
infrastructure; this includes keys and credentials. All secrets are obtained only when required and then
removed at the earliest possible opportunity; secrets are not contained within configuration or other
All production systems use AWS roles and instance profiles, so no production API
keys can exist outside the AWS production environment.
Workstation and laptop security
All devices, including laptops, tablets and mobile phones must have the following
- Firewall installed and switched on
- Full Disk Encryption enabled with strong passphrase
- All passphrases should follow the guidance issued by NCSC
- The use of a password manager is mandatory
- Antivirus installed where possible
All instances are based on secure images, which have all extraneous services
removed, default passwords changed, and users removed. Base containers contain only the software
absolutely required to implement the system and users are not able to access the containers
Disaster Recovery and Business Continuity
Due to the distributed nature of the organisation, business continuity measures are
well established, and recovery from a single failure can be easily performed. Risks and controls in place
are listed within the Risk Assessment and Treatment documents.
Business continuity for the production environment is achieved by reliance on the
ability of the AWS and GCE clouds to recover from failure. The environment is based across multiple
availability zones within a single region (eu-west-1 / Ireland) and all instances can be brought up within these
zones as required.
Backup of production data
Oroson continually backs up customer data within the production AWS account.
- RDS instances are backed up on a rolling basis using standard RDS snapshots.
Snapshots are retained for 7 days.
- Daily RDS snapshots are taken and replicated to the eu-central-1 / Frankfurt region. The
source account can only write backups, and not read, remove, or update existing snapshots.
- S3 buckets have versioning enabled. All changes to S3 objects replicate to an S3 bucket in
another AWS region (eu-central-1 / Frankfurt). The source account can only write new versions of
data, and not read, delete, or update existing
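The backup bullets above and the earlier statement that log systems can only write to the log store describe the same control: the writing principal gets PutObject and nothing that reads, deletes or rewrites earlier copies. The following is an added example, not Oroson's policy, that places a weak policy beside a write-only one and checks whether any forbidden verb remains reachable. The policy documents are constructed for the example, the bucket name is a placeholder, and the checker compares actions only (resources, conditions and `NotAction` are out of scope).

```python
import fnmatch
import json

# Constructed IAM policy documents, not Oroson's own. Both are shaped as a
# permission set for the principal that ships backups or logs out of the
# production account (for instance a role attached to an instance profile);
# the bucket name is a placeholder.
WEAK_BACKUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-backups-eu-central-1/*"}
  ]
}
""")

WRITE_ONLY_BACKUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups-eu-central-1/*"},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
                "s3:GetObjectVersion", "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration"],
     "Resource": ["arn:aws:s3:::example-backups-eu-central-1",
                  "arn:aws:s3:::example-backups-eu-central-1/*"]}
  ]
}
""")

# Verbs a write-only sink must never grant to the writer: anything that reads,
# removes or overwrites earlier copies, or turns versioning/retention off.
MUST_NOT_GRANT = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
    "s3:GetObjectVersion", "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(action, statement):
    """IAM action patterns use * and ? and are matched case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def granted_actions(policy, actions):
    """Subset of `actions` the policy can ever allow. An explicit Deny wins
    over any Allow, as in IAM evaluation. Conditions, NotAction and resource
    scoping are deliberately ignored: the question is only whether the verb
    is reachable at all."""
    statements = _as_list(policy["Statement"])
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    return [a for a in actions
            if any(_statement_matches(a, s) for s in allows)
            and not any(_statement_matches(a, s) for s in denies)]


def is_write_only(policy):
    """True when the writer can add objects but cannot read, delete or
    rewrite what is already stored."""
    return (granted_actions(policy, ["s3:PutObject"]) == ["s3:PutObject"]
            and granted_actions(policy, MUST_NOT_GRANT) == [])


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_BACKUP_POLICY), ("write-only", WRITE_ONLY_BACKUP_POLICY)):
        print(label, "grants:", granted_actions(pol, MUST_NOT_GRANT) or "nothing forbidden")
```

On a versioned bucket `s3:PutObject` creates a new version rather than overwriting, so with the delete and lifecycle verbs denied the earlier copies survive a compromised writer. The check is a guard for the writer's own policy; the stronger arrangement implied by the bullets is that the destination bucket lives in a separate account whose bucket policy grants the source principal only PutObject, so that no change in the source account can widen its rights.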
3rd Party Suppliers
Oroson use a number of 3rd party suppliers who have been vetted and approved as
required within the risk assessment and treatment plan. If suppliers are not ISO27001:2013 certified,
they are required to complete a questionnaire listing their technical and organisational measures in
to protect data. The CTO will ensure that all appropriate external parties are familiar with this
and adhere to Oroson security policies.
Security is an integral part of the Oroson lifecycle; we believe that if an
organisation is trusting us to take care of their data we should apply as many resources as possible
For more details please speak to one of our account management team or to the
- November 2018 - Original Version - Prepared by