Orion Technology
Frequently Asked Questions

SOFTWARE

What environment is the software supported in?

Windows 10, 64-bit.

Does the system run as a standard user without the need for any modification to standard Windows permissions, or administrative access to the local workstation?

Yes.

What browsers do the Orion software products run on?

Orion software is browser-agnostic and runs on Internet Explorer 11, Edge, Chrome, Firefox and Safari.

Does Orion software require technology such as ActiveX controls, .NET framework, Silverlight, Adobe Flash, or other similar technologies?

No. Orion software requires no additional technology on the computer or mobile device beyond a standard browser or a current version of Android or iOS.

Does Orion software require client software to be installed on the local workstation?

No. Our software is 100% web-based and only requires that users have Internet connectivity.

How is the Orion software licensed?

Our software is licensed by the number of allowed (not concurrent) users for the authorized customer agency or agencies.

How does Orion offer hosting of its software?

We can either host our solution on-site within the customer’s network infrastructure, or we can host it for the customer in the Microsoft Azure Government data center. Azure Government provides the network infrastructure to support application and service connectivity requirements with network segmentation, network access control, Azure Firewall, and monitoring and threat detection.

  • Network Segmentation is achieved with Azure Government Virtual Networks, which isolate one virtualized network from another. This ensures that network traffic is controlled and contained, preventing access from other Azure Government customers.

  • Network Access Control limits access to VMs and services to defined IP addresses and TCP and UDP protocols.

  • Azure Firewall is a managed, cloud-based, fully stateful firewall with built-in high availability and unrestricted cloud scalability.

  • Azure Monitoring and Threat Detection provides early detection, monitoring and collection of network traffic for review.

Does the system log/record endpoint (user’s computer) metadata?

Yes, it logs IP addresses and the browser version.

SECURITY

Are login and sign-up portions of Orion’s hosted, web-based system running over a secured TLS communications channel?

Yes. The solution uses TLS 1.2.

Who manages the TLS certificates?

The customer’s IT Department.

Does Orion conduct any form of software security testing?

Yes. Application security is provided through ongoing BreachLock certification, under which Orion complies with the industry's required levels of application security and penetration testing.

How are end-users authenticated?

The Workforce Management PLUS system supports a configurable multi-factor authentication scheme with several authentication methods. Orion offers two multi-factor authentication options for non-Active Directory access; repeated failed attempts are limited and access is frozen for a period of time. Orion encrypts passwords within the application authentication process. The solution supports hashed password management, including for external systems when Orion is responsible for sending user information to external platforms.

End users are authenticated using one or more of the following: SMS passcode, email passcode, iOS/Android app, SSO with ADFS, and/or system-only (application-managed) credentials.

Where the solution is Active Directory integrated, Orion places security management within Active Directory authentication. When a username/password login fails, the solution denies access without telling the user which element was wrong, so automated login attempts cannot learn what passed and what failed. For IP address monitoring, if the agency wishes, Orion can log login attempts per IP address and restrict access after an agency-defined number of attempts.

When Active Directory is used, the solution does not need to store or handle passwords itself; instead, Orion relies on Active Directory security to authorize access. PLUS supports a configurable session timeout, set according to the agency's defined settings.

The solution logs access attempts and successes, including the originating IP address, and also logs each user's logout date/time.

Does the system utilize or store confidential, restricted, or sensitive data?

Sensitive data such as username, password, date of birth, driver's license and SSN (optional; PLUS does not require it at all) are encrypted. Orion is compliant with the requirements for handling these types of data.

Does the Orion data center that hosts the system provide security certifications?

Yes. Since our software is hosted within the Microsoft Azure Government infrastructure, it is covered by SSAE 16 and 18, SOC 1, SOC 2, and FedRAMP certifications. Additional information can be found at https://docs.microsoft.com/en-us/azure/compliance/.

Is the data stored within the United States borders?

Yes, for U.S. based customers. Data for Canada based customers is stored within Canadian borders.

Is Orion CJIS certified?

Yes. We require our employees to complete and maintain CJIS certifications as a standard practice. Orion does not use contract personnel for support services.

Does the system have the ability to Whitelist and Blacklist IP Addresses?

Yes. System access can be restricted to whitelisted IP addresses, and blacklisted IP addresses are denied access to the system.
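As an added illustration of the authentication behaviour described in the "How are end-users authenticated?" answer (uniform failure message, attempt limits with a freeze period, per-IP attempt counting, access logging) combined with the IP whitelist/blacklist control in this answer, here is a self-contained Python login gate. It is example code written for this page, not Orion's or PLUS's own implementation; the network ranges, thresholds, class and function names, and the choice of PBKDF2 for password hashing are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass

# Constructed access policy (hypothetical ranges and thresholds, not Orion's).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]   # agency whitelist
DENIED_NETS = [ipaddress.ip_network("203.0.113.66/32")]    # blacklist
MAX_FAILURES = 3           # failed attempts before the account is frozen
LOCKOUT_SECONDS = 900      # freeze period
GENERIC_FAILURE = "Login failed."  # never reveals which element was wrong


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; the application stores only salt and digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


# Decoy credential: unknown usernames cost the same hashing work as real ones,
# so response time does not reveal whether the username exists.
_DECOY = Account("", *hash_password(os.urandom(16).hex()))


class LoginGate:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock                      # injectable for testing
        self.ip_failures = {}                   # per-IP failed attempt counts
        self.audit = []                         # (time, ip, username, outcome)

    def _log(self, ip, username, outcome):
        self.audit.append((self.clock(), ip, username, outcome))

    def ip_permitted(self, ip):
        """Blacklist wins over whitelist; anything not whitelisted is refused."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in DENIED_NETS):
            return False
        return any(addr in net for net in ALLOWED_NETS)

    def login(self, username, password, ip):
        """Returns (ok, message); every refusal carries the same message."""
        if not self.ip_permitted(ip):
            self._log(ip, username, "denied_ip")
            return False, GENERIC_FAILURE
        now = self.clock()
        acct = self.accounts.get(username, _DECOY)
        _, candidate = hash_password(password, acct.salt)   # always do the work
        ok = (acct is not _DECOY
              and acct.locked_until <= now
              and hmac.compare_digest(candidate, acct.digest))
        if ok:
            acct.failures = 0
            self.ip_failures.pop(ip, None)
            self._log(ip, username, "success")
            return True, "OK"
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if acct is not _DECOY:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS   # freeze (or extend it)
        self._log(ip, username, "failure")
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    gate = LoginGate([Account("alice", salt, digest)])
    print(gate.login("alice", "correct horse", "10.1.2.3"))   # (True, 'OK')
    print(gate.login("alice", "wrong", "10.1.2.3"))           # (False, 'Login failed.')
    print(gate.audit)
```

The single `GENERIC_FAILURE` string and the decoy account are what keep a wrong username and a wrong password indistinguishable to the caller; the audit list is where the IP address and outcome of every attempt land for later review.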

Does the system use cookies?

Yes, cookies are used for session management only. The only data collected is a time count for auto-logout. They are destroyed when the user logs out or when the system logs the user out.

What is Orion’s vulnerability management policy?

PLUS is kept current with the TLS versions released and standardized for security purposes. The Azure environment implemented for our customers includes the Azure Security Monitoring and Dashboard solution. This option sends notifications to support, engineering, and architecture for any alarm or security notification setting we have established.

Any vulnerability notification is managed at priority 1 or priority 2 within Support. Orion follows a formal customer rapid-response process for these two priority levels. The issue is led by the Application Architect and the Database Architect; the team consists of the Senior Infrastructure Engineer, Customer Advocate, and Mobile Senior Engineer. The Support Manager is responsible for making sure that the event sequence is recorded, the steps for resolution are documented, the root cause is identified, and the resolution options (triage versus long-term fix) are documented and implemented. Within the support agreement, PLUS includes Service Levels that require customer notification within defined time periods.

DATA

What is Orion's data retention policy?

Our software houses its data with a recommendation of archiving every 4 years. The data is not deleted, but merely moved into archive tables, where it remains accessible by the system and reports.

Who owns the data within an Orion system?

Data that is updated from the front end or through an import process is owned by the customer. All Schemas, Training Videos, Knowledge Center Videos and Reference IDs are owned by Orion.

What access does Orion have to the customer's data?

Access is provided through data models designed to support reports created by front-end tools within the application. If the customer requires direct database access, an additional reporting server is required, and the customer's authorized IT personnel are provided access to it. The database is MS SQL Server.

Does Orion include archiving of customer data and, if so, is there a storage duration?

Yes. We archive customer data and storage is not time dependent for archived information.

Does Orion assume or seek any right to use or to resell a customer's data or metadata in any way?

No. Orion contractually does not have the right to use or resell customer data.

Does Orion back up their customer's data or is it the customer's responsibility to perform data backups?

We back up customer data nightly using the Microsoft Azure region centers. Data is retained for a rolling 10-day period.

If data is lost or corrupted, how will it be restored?

We restore lost or corrupted data from backups housed in the Azure Government Cloud infrastructure. Database monitoring tools are run on the server on a regular basis for the sole purpose of managing and mitigating data corruption.

Through the use of Microsoft Azure recovery sites, Orion replicates VMs to another geo-location. Because the VM is fully replicated, no interface changes are required for failover. The failover process is simply deactivating the primary site and bringing the secondary site online. Once the primary site is back up, service can be failed back to the primary site. Azure automates failover recovery for Orion’s hosted customers.

Azure Service Health notifications are alerts classified as either informational or actionable. The health system allows rules (classes) to be created for the different actions or information coming from the monitoring system.

Orion uses these rules to provide advance alerting on informational notifications so that proactive action can be taken. An actionable alert is an error alert about a server or service that could affect, or has affected, system performance. Actionable alerts are acted upon when received by the Orion Help Desk and operational support team to address the infrastructure situation.

Orion uses the Recovery Services Vault within Azure services to schedule system backups. The vault resides in the geo-location of the primary service and is paired with a secondary geo-location. This service provides a complete backup of the VM to support immediate restoration. Site Recovery is an automated process that is set up when the VM is built. Data backups are stored in a Recovery Services Vault; these vaults are in the same region as the VM's service area, with a secondary copy stored in another geographical region. The backups are configured for a full backup every day, archived for 30 days. Log backups are taken hourly with a 30-day retention.

INTERFACE COMPATIBILITY

Describe your interface methodology.

The system uses tools to export data to SecureFTP for data file exchanges. The exported data is recorded in the database for reference and reporting purposes. Importing data is also done through file drops using SecureFTP. The imported file is stored on the server and then moved to a processed folder.

A consistent naming convention is used for all imported files, which drives the file pickup routing logic in the code. Files can be auto-deleted, i.e. retained only for X number of days. Data is imported into landing tables that collect the raw data. This data is then validated and moved to a staging table, linked back to the raw data table through record IDs.

If validation fails, an error log table records the reason for failure in both text and numeric code form for reference and reporting. Each batch is recorded with the number of records processed and the failed, good and bad counts. The actual row number of the imported file is recorded in both the raw data and the error log.

The API solution provides the same type of processing as a data file, but allows more standard machine-to-machine communication regarding receipt and processing success or failure. Imports can be scheduled by time of day or day of week, or run in near real time (batch checks at minute increments).
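To make the landing/staging/error-log flow described in this answer concrete, here is an added Python example written for this page; it is not Orion's import code. It uses an in-memory SQLite database as a stand-in for MS SQL Server, and the table layout, the three-column employee file format, the error codes and the sample drop file are all constructed for the example.

```python
import csv
import sqlite3
from datetime import date

# Constructed schema: landing (raw rows), staging (validated rows linked back
# to landing by ID), import_error (reason as text and code) and import_batch
# (per-batch counts). SQLite stands in for MS SQL Server here.
SCHEMA = """
CREATE TABLE import_batch (id INTEGER PRIMARY KEY, file_name TEXT,
                           processed INTEGER, good INTEGER, bad INTEGER);
CREATE TABLE landing      (id INTEGER PRIMARY KEY, batch_id INTEGER,
                           row_no INTEGER, raw_line TEXT);
CREATE TABLE staging      (id INTEGER PRIMARY KEY, batch_id INTEGER,
                           landing_id INTEGER REFERENCES landing(id),
                           employee_no TEXT, hire_date TEXT, email TEXT);
CREATE TABLE import_error (id INTEGER PRIMARY KEY, batch_id INTEGER,
                           landing_id INTEGER REFERENCES landing(id),
                           row_no INTEGER, error_code INTEGER, error_text TEXT);
"""

# Constructed error catalogue: numeric code for reporting, text for humans.
ERRORS = {
    10: "employee_no missing or not numeric",
    20: "hire_date is not ISO yyyy-mm-dd",
    30: "email is malformed",
    40: "wrong number of columns",
}

# Constructed sample drop file (row 1 is the header; rows 2-6 are data).
SAMPLE_FILE = "\n".join([
    "employee_no,hire_date,email",
    "1001,2023-04-12,a.smith@example.gov",
    "10A2,2023-04-12,b.jones@example.gov",
    "1003,04/12/2023,c.lee@example.gov",
    "1004,2023-04-12,d.kim.example.gov",
    "1005,2023-04-12",
])


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate(fields):
    """Return (record, None) if the row is good, else (None, error_code)."""
    if len(fields) != 3:
        return None, 40
    emp, hire, email = (f.strip() for f in fields)
    if not emp.isdigit():
        return None, 10
    try:
        date.fromisoformat(hire)
    except ValueError:
        return None, 20
    local, sep, domain = email.partition("@")
    if not (sep and local and "." in domain):
        return None, 30
    return {"employee_no": emp, "hire_date": hire, "email": email}, None


def import_file(conn, file_name, content):
    """Load every data row into landing, then validate into staging or import_error."""
    cur = conn.cursor()
    cur.execute("INSERT INTO import_batch (file_name, processed, good, bad) VALUES (?, 0, 0, 0)",
                (file_name,))
    batch_id = cur.lastrowid
    good = bad = 0
    for row_no, line in enumerate(content.splitlines()[1:], start=2):
        # Raw row is kept verbatim with its file row number before any parsing.
        cur.execute("INSERT INTO landing (batch_id, row_no, raw_line) VALUES (?, ?, ?)",
                    (batch_id, row_no, line))
        landing_id = cur.lastrowid
        record, code = validate(next(csv.reader([line])))
        if record is None:
            bad += 1
            cur.execute("INSERT INTO import_error (batch_id, landing_id, row_no, error_code, error_text) "
                        "VALUES (?, ?, ?, ?, ?)", (batch_id, landing_id, row_no, code, ERRORS[code]))
        else:
            good += 1
            cur.execute("INSERT INTO staging (batch_id, landing_id, employee_no, hire_date, email) "
                        "VALUES (?, ?, ?, ?, ?)",
                        (batch_id, landing_id, record["employee_no"], record["hire_date"], record["email"]))
    cur.execute("UPDATE import_batch SET processed = ?, good = ?, bad = ? WHERE id = ?",
                (good + bad, good, bad, batch_id))
    conn.commit()
    return {"batch_id": batch_id, "processed": good + bad, "good": good, "bad": bad}


def errors_for_batch(conn, batch_id):
    """(file row number, error code) for every failed row, in file order."""
    return conn.execute("SELECT row_no, error_code FROM import_error WHERE batch_id = ? ORDER BY row_no",
                        (batch_id,)).fetchall()


def staged_rows(conn, batch_id):
    """Validated rows joined back to their raw landing row via landing_id."""
    return conn.execute(
        "SELECT l.row_no, s.employee_no FROM staging s JOIN landing l ON l.id = s.landing_id "
        "WHERE s.batch_id = ? ORDER BY l.row_no", (batch_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(import_file(db, "EMP_20230412.csv", SAMPLE_FILE))   # counts for the batch
    print(errors_for_batch(db, 1))                             # row numbers and codes
```

Because every data row is written to `landing` before validation, a rejected row can always be traced from its error code back to the exact bytes that arrived, and the batch counts are computed from the same pass rather than from a separate tally.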

ISSUE RESOLUTION

How are service outages communicated?

Upgrades are scheduled through a maintenance window that houses an agreed upon start and end time period with the customer’s IT staff. The front end of the site is updated with a screen informing personnel that the site is down for maintenance and will be back up at the scheduled time.

Does Orion software include an offsite or secondary repository for the data?

Yes. Our Microsoft Azure Government infrastructure provides high availability using Azure Availability Zones, which consist of three distinct data centers in three different zones. These data centers are physically separated and equipped with independent power, cooling and networking. Availability Zones support mission-critical applications with high availability and low-latency replication.

Does the system automatically failover to a secondary site if the primary site has a failure?

Yes. System failover is provided through a high availability solution.

What is Orion's policy for restoring the service?

If there is a full failure of the High Availability solution, agency personnel are able to use the Azure portal to create a new Virtual Machine and the restore is retrieved from the Azure Backups.

What is Orion's escalation plan for Priority Level 1, Level 2, etc. issues?

We provide an online support site for the submittal of system issues. We also provide an on-call 800 number in the event of an after-hours emergency.

Our customers are assigned a lead support engineer and have access to this engineer at any time during normal work hours. The after-hours support line is able to contact this engineer in the event of an issue.

Orion also receives email messages from the existing system at a dedicated customer email account, providing any error notifications and import/export statistics.

In addition, we use the Microsoft Azure highly available data center support program to view system performance, statistics, and platform service recommendations.

PATCH AND VERSION UPDATE MAINTENANCE

How does Orion respond to known major software bugs?

Our root cause analysis process determines the location of the issue and the impact of the resolution. Our support site documents these findings, and our Support Team coordinates all updates with the customer. The resolution is categorized within the Change Control Management process to determine the risk assessment, which is reviewed with the customer. A release of the update is then either scheduled or authorized as an immediate patch. If the resolution is required to reduce data loss or corruption, it is led by the data team, which applies an immediate database patch with the aim of reducing any long-term issues.

How does Orion plan for applying patches and updates?

Updates and patches are coordinated through a release to the customer-provided test site. This includes release notes and ATP testing plans. Upon acceptance (which must occur within an agreed-to timeframe not to exceed 14 days), the system is scheduled for upgrade. Upgrades are typically scheduled for after 5 pm Monday through Wednesday. Weekly change control meetings occur to validate customer upgrade plans, schedules, and personnel.

What is the notification lead-time to the customer for applying patches and updates?

Our software has 1 upgrade/patch quarterly with 1 major functional upgrade annually. Ad-hoc patches are coordinated directly with the customer representative and can be scheduled through a mutually agreeable time period. Each customer has control of when patches and updates are applied to their instance of the system.