Orion Technology
Frequently Asked Questions

SOFTWARE

What browsers do the Orion software products run on?

Orion software is browser agnostic and runs on Internet Explorer 11, Edge, Chrome, Firefox and Safari.

Does Orion software require technology such as ActiveX controls, .NET framework, Silverlight, Adobe Flash, or other similar technologies?

No additional computer or mobile device technologies are required beyond a standard browser or a current version of Android or iOS.

Does Orion software require client software to be installed on the local workstation?

No. Our software is 100% web-based and only requires that users have Internet connectivity.

How is the Orion software licensed?

Our software is licensed by the number of allowed users (not concurrent users) for the authorized customer agency or agencies.

How does Orion offer hosting of its software?

We can either host our solution on-site within the customer’s network infrastructure or we can host it for the customer utilizing the Microsoft Azure Government data center. Azure Government provides the network infrastructure to support application and service connectivity requirements with Network Segmentation, Network Access Control, Azure Firewall and Monitoring and Threat Detection.

  • Network Segmentation is achieved with Azure Government Virtual Networks, which isolate one virtualized network from another. This ensures that network traffic is controlled and contained, preventing access from other Azure Government customers.

  • Network Access Control limits access to VMs and services to only defined IP addresses and TCP and UDP Protocols.

  • The Azure Firewall is a managed, cloud-based, fully stateful firewall with built-in high availability and unrestricted cloud scalability.

  • Azure Monitoring and Threat Detection provides early detection, monitoring and collection of network traffic for review.

SECURITY

Are login and sign-up portions of Orion’s hosted, web-based system running over a secured TLS communications channel?

Yes. The solution uses TLS 1.2.

Does Orion conduct any form of software security testing?

Yes. Application security is provided through ongoing BreachLock certification, under which Orion complies with the levels of application security and penetration testing required in the industry.

How are end-users authenticated?

The system supports a configurable and polymorphic multi-factor authentication scheme. End users are authenticated using Multi-Factor Authentication, SMS Passcode, Email Passcode, iOS App/Android/Both, SSO w/ADFS and/or System Only. Active Directory can be provided as a native and configurable authentication source.

Does the Orion data center that hosts the system provide security certifications?

Yes. Since our software is hosted within the Microsoft Azure Government infrastructure, it includes SSAE 16 and 18, SOC 1, SOC 2, and FedRAMP certifications. Additional information can be found at https://docs.microsoft.com/en-us/azure/compliance/.

Is Orion CJIS certified?

Yes. We require our employees to complete and maintain CJIS certifications as a standard practice. Orion does not use contract personnel for support services.

DATA

What is Orion's data retention policy?

Our software houses its data with a recommendation of archiving every 4 years. The data is not deleted; it is moved into archive tables and remains accessible by the system and reports.

Who owns the data within an Orion system?

Data that is updated from the front end or through an import process is owned by the customer. All Schemas, Training Videos, Knowledge Center Videos and Reference IDs are owned by Orion.

Does Orion include archiving of customer data and, if so, is there a storage duration?

Yes. We archive customer data and storage is not time dependent for archived information.

Does Orion assume or seek any right to use or to resell a customer's data or metadata in any way?

No. Orion contractually does not have the right to use or resell customer data.

Does the Orion software have the ability to Whitelist and Blacklist IP Addresses?

Yes. System access can be restricted to whitelisted IP addresses. Blacklisted IP addresses are denied access to the system.

Does Orion back up their customer's data or is it the customer's responsibility to perform data backups?

We back up customer data nightly using the Microsoft Azure region centers. Data is retained for a rolling 10-day period.

If data is lost or corrupted, how will it be restored?

We restore lost or corrupted data from backups that are housed in the Azure Government Cloud infrastructure. Database monitoring tools are run on the server on a regular basis for the sole purpose of managing and mitigating data corruption.

ISSUE RESOLUTION

How are service outages communicated?

Upgrades are scheduled through a maintenance window with a start and end time agreed upon with the customer’s IT staff. The front end of the site is updated with a screen informing personnel that the site is down for maintenance and will be back up at the scheduled time.

Does Orion software include an offsite or secondary repository for the data?

Yes. The Microsoft Azure Government infrastructure we provide is a high availability solution using Azure Availability Zones, which consist of 3 distinct centers in 3 different zones. These datacenters are physically separated and equipped with independent power, cooling and networking. Availability Zones support mission-critical applications with high availability and low-latency replication.

Does the system automatically failover to a secondary site if the primary site has a failure?

Yes. System failover is provided through a high availability solution.

What is Orion's policy for restoring the service?

If there is a full failure of the High Availability solution, agency personnel are able to use the Azure portal to create a new Virtual Machine and the restore is retrieved from the Azure Backups.

What is Orion's escalation plan for Priority Level 1, Level 2, etc. issues?

We provide an online support site for the submittal of system issues. We also provide an on-call 800-number in the event of an after-hours emergency.

Our customers are assigned a lead support engineer and have access to this engineer at any time during normal work hours. The after-hours support line is able to contact this engineer in the event of an issue.

Orion also receives messages through email to a specific Customer Email account from the existing system providing any error notifications and import/export statistics.

In addition, we use the Microsoft Azure high-availability data center support program to view system performance, statistics, and platform service recommendations.

UPDATE MAINTENANCE

How does Orion respond to known major software bugs?

Our root cause analysis process determines the location of the issue and the resolution impact. Our support site documents these findings, and our Support Team coordinates all updates with the customer. Resolution is categorized within the Change Control Management process to determine the risk assessment, which is reviewed with the customer. A release of the update is either scheduled or authorized for an immediate patch. If the resolution is required to reduce data loss or corruption, it is spearheaded by the data team as an immediate database patch in an effort to reduce any long-term issues.

How does Orion plan for applying patches and updates?

Updates and patches are coordinated through a release to the customer-provided test site. This includes release notes and ATP testing plans. Upon acceptance (which must occur within an agreed-to timeframe not to exceed 14 days), the system is scheduled for the upgrade. Upgrades are typically scheduled for after 5 pm Monday through Wednesday. Weekly change control meetings occur to validate customer upgrade plans, schedules, and personnel.

What is the notification lead-time to the customer for applying patches and updates?

Our software has 1 upgrade/patch quarterly with 1 major functional upgrade annually. Ad-hoc patches are coordinated directly with the customer representative and can be scheduled for a mutually agreeable time period. Each customer has control of when patches and updates are applied to their instance of the system.