Information Security

HID Origo Organizational Security

All HID employees are required to complete information security and privacy awareness training. Employees who may handle sensitive or customer data receive additional role-specific training and, where required, hold government security clearances.


Security Staff

HID maintains a dedicated staff of security professionals, organized into the following bodies with these responsibilities:

ISMS Executive Steering Committee

  • Fulfills all executive management requirements within the ISMS
  • Ensures roles, responsibilities, and authorities relevant to information security are assigned and communicated
  • Approves the overall risk management process, including the risk assessment methodology (approach), impact and likelihood scales, risk acceptance criteria, selected controls, and residual and accepted risks

Business Unit Steering Committee

  • Ensures that the ISMS meets business requirements, thereby adding value to the business unit’s products and services
  • Reviews the risk management process for the risks related to the business unit
  • Reviews ISMS policies, processes and procedures

Global Information Security Team

  • Responsible for the overall implementation, maintenance and improvement of the ISMS
  • Ensures all security incidents are investigated, communicated, documented and resolved in accordance with published policies, processes and procedures
  • Develops an information security architecture that meets the current and future business needs of HID Global

Policies

HID Global maintains detailed internal Information Security and Data Privacy policies. All personnel must acknowledge they have read, understood, and agreed to abide by the terms of the Global Information Security Policy and supporting policies and procedures.


Assessments

HID Global takes an active, analytics-driven approach to cyber security. Security testing and improvement are ongoing activities incorporated into our vulnerability and threat assessment process. HID Global performs continuous testing on all HID Origo solution components and regularly engages external security auditors to validate our security posture. Ongoing application and system vulnerability and threat assessments cover the following:

  • Network vulnerability scans
  • Penetration testing and code review with leading, independent third parties
  • Security control framework review and testing

We strongly encourage customers to take all reasonable precautions to prevent unauthorized access. If you discover a vulnerability, report it directly to HID Global, either by contacting HID Global Technical Support or, for non-urgent reports, through our Security Center.

Note: HID Global does not permit third-party vulnerability scans or penetration tests without its prior authorization. HID Global is responsible for keeping the service running smoothly, and uncoordinated tests risk degrading system performance.

Security Incident Management

HID Global maintains security incident management policies and procedures and applies root cause analysis and corrective action plans to incidents. To the extent permitted by law, HID Global promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their customer data.

If a security incident is detected, the Global Information Security Team evaluates, tests and resolves the issue according to a defined procedure:

  • Investigate and diagnose
  • Escalate to higher management if there is a suspected breach or loss of confidential data
  • Perform corrective measures
  • Test and validate
  • Review the incident’s root cause analysis if an escalation occurred

How We Build Secure Products

HID Global follows an agile Software Development Life Cycle (SDLC) based on SAFe (Scaled Agile Framework) that incorporates security best practices at every stage. Some of the security steps in the continuous integration and deployment pipeline are listed below.

Development

  • Static code analysis and audit checks of source code

Testing

  • Application security tests and network security scans
  • Security test results review and approval

Deployment

  • Sensitive data masking
  • Security standards and implementation verification and approval
  • Governance compliance checks for architecture and security
  • Isolation of production from non-production environments

Monitoring

  • Monitoring and reviewing access control policies
  • Firewall policy implementation and review of anomalies
  • Periodic vulnerability assessments
  • Implementation of log analytics tools