STANDARDS
Omnigo Security and Compliance
We are committed to safeguarding your data and meeting regulatory standards to deliver the highest level of security and compliance.
Compliance matrix (presented on the original page as a table of checkmarks): the products COMMAND AND PLANNING, ITI, ITRAK, QUETEL and REPORTEXEC (columns) against the standards CJIS, Clery, COV RAMP, Gaming Commissions, GDPR, HIPAA, NIBRS, NIST 800-53, SOC 2, StateRAMP and TX-RAMP (rows). Which products are covered by each standard is stated in the sections below.
Revised: December 2024

Note on FedRAMP: Omnigo's solutions do not currently undergo a full FedRAMP certification. However, Omnigo uses Azure Gov and AWS Gov to host applications, which are compliant with FedRAMP.
CJIS
Omnigo ensures compliance with the Criminal Justice Information Services (CJIS) Security Policy, which sets the security requirements for accessing and managing criminal justice information (CJI). This compliance is crucial for protecting sensitive data and maintaining the integrity of law enforcement operations. Omnigo's Law Enforcement solutions, including the ITI, ReportExec, QueTel and Command & Planning products, are CJIS-certified, meaning they meet the stringent security standards required by the CJIS Security Policy. This includes implementing robust encryption methods, ensuring secure data transmission, and maintaining strict access controls. Additionally, all personnel with access to CJI undergo a thorough screening process. This process includes fingerprint checks using the Integrated Automated Fingerprint Identification System (IAFIS) to ensure that only authorized and vetted individuals can access sensitive information. Our systems are designed to protect against data breaches and unauthorized access, ensuring that only authorized personnel can access sensitive information.
CLERY
The Clery Act, officially known as the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, is a federal law that requires colleges and universities to disclose information about crime on and around their campuses. For higher education institutions, the Clery Act requires the publication of an Annual Security Report (ASR), which includes crime statistics for the past three years, policy statements regarding campus security, and information on crime prevention programs. While the Clery Act primarily targets higher education, its principles of transparency and safety can also be applied to K-12 schools, especially those with campus security concerns. ReportExec can help organizations achieve and maintain Clery Act compliance by streamlining the reporting and documentation process. With customizable reporting fields and automated data validation, ReportExec ensures that all required information is accurately captured and formatted according to Clery Act standards. This not only simplifies the creation of the ASR but also enhances the overall efficiency and accuracy of crime reporting. By using ReportExec, institutions can focus on proactive safety measures while ensuring they meet federal compliance requirements.
COMMONWEALTH OF VIRGINIA (COV RAMP)
The Virginia Information Technologies Agency (VITA) has established the Enterprise Cloud Oversight Service (ECOS), now known as COV Ramp, to ensure that cloud solutions used by state agencies meet stringent security standards. One of the key requirements for cloud solutions under this program is compliance with the SEC530 Information Security Standard. The SEC530 standard outlines a comprehensive set of security controls based on the NIST SP 800-53 framework. These controls cover various aspects of information security, including access control, incident response, and system and information integrity. Cloud service providers must demonstrate that their solutions adhere to these controls to be approved for use by state agencies. Omnigo is proud to be compliant with SEC530 and is included in the COV Ramp approved list. By meeting these rigorous requirements, Omnigo ensures that our cloud solutions are secure, reliable, and capable of protecting sensitive data. This compliance provides meaningful assurances to state agencies and helps maintain a high level of security across the Commonwealth's IT infrastructure.
GAMING COMMISSIONS
Omnigo maintains compliance as a vendor to gaming customers by adhering to stringent regulatory requirements and industry standards. This includes filing necessary applications and obtaining approvals from various gaming commissions to ensure our solutions meet all legal and operational standards. We proudly hold licenses across more than 25 gaming jurisdictions worldwide, demonstrating our extensive experience and commitment to compliance in the gaming industry. For Casinos and Hotels with operations in the European Union, we also recommend reading about our GDPR compliance.
GDPR
Omnigo achieves GDPR compliance by participating in the Data Privacy Framework (DPF), which includes the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. These frameworks provide reliable mechanisms for personal data transfers, ensuring that Omnigo adheres to stringent data protection standards. Our rigorous security program, based on industry-leading standards such as NIST 800-53 and SOC 2, further reinforces our commitment to safeguarding personal data. We have clearly defined roles and responsibilities outlined in our Data Processing Agreement (DPA), ensuring that all aspects of data handling are managed with the utmost care and compliance. For more detailed information, you can review our Privacy Policy and the list of authorized organizations under the DPF, which includes Omnigo.
HIPAA
Omnigo ensures HIPAA compliance through a rigorous security methodology grounded in the NIST 800-53 and SOC 2 frameworks. These standards provide a comprehensive set of controls to protect the confidentiality, integrity, and availability of sensitive health information. By adhering to these robust frameworks, Omnigo implements stringent security measures, including access controls, encryption, and continuous monitoring, to safeguard protected health information (PHI). This commitment to high security standards ensures that all data handling processes meet or exceed HIPAA requirements. Omnigo's systems also allow a high degree of customization regarding what types of PHI are stored in the application, even allowing for no PHI to be processed at all, giving our Healthcare clients full control. Additionally, Omnigo clearly outlines roles and responsibilities in a Business Associate Agreement (BAA). This agreement specifies the obligations of both Omnigo and the Client/Covered Entity in protecting PHI, ensuring that all parties understand their responsibilities in maintaining compliance. By combining these rigorous security practices with clearly defined roles, Omnigo provides a secure and compliant environment for managing health information.
NIBRS
Omnigo can significantly aid organizations in achieving NIBRS (National Incident-Based Reporting System) compliance through our ReportExec and ITI solutions. NIBRS compliance is essential for accurately reporting crime data to the FBI, and our software is designed to simplify this requirement. ReportExec and ITI provide customizable reporting fields and automated data validation to ensure that all required information is accurately captured and formatted according to NIBRS standards. This is particularly beneficial for law enforcement agencies and campuses/facilities with sworn officers, as it streamlines the reporting process and reduces the risk of errors. For law enforcement agencies, using Omnigo's solutions means that officers can focus more on their core duties rather than administrative tasks. Similarly, campuses and other facilities with sworn officers can ensure that their security operations are compliant with federal reporting requirements, enhancing overall safety and accountability. By leveraging Omnigo's NIBRS-compliant software, organizations can confidently manage their crime data reporting, ensuring accuracy and compliance with minimal effort.
NIST 800-53
Omnigo's compliance with NIST 800-53 underscores our commitment to maintaining the highest standards of security and privacy for our information systems. NIST 800-53, developed by the National Institute of Standards and Technology, is widely regarded as the gold standard for security frameworks. It provides a comprehensive set of controls designed to protect the confidentiality, integrity, and availability of information systems. The framework is continuously updated to address emerging threats and incorporates a risk-based approach to security, ensuring that controls are both effective and cost-efficient. NIST 800-53 includes 18 families of controls, covering a wide range of security and privacy aspects. These controls are categorized into three general classes: management, operational, and technical. Additionally, controls are categorized into low, moderate, and high-impact levels, based on the potential impact of a security breach. The framework encompasses over 1,000 individual controls, addressing areas such as access control, incident response, and system and communications protection. By adhering to NIST 800-53, Omnigo ensures that our security practices are robust, comprehensive, and aligned with industry best practices, providing our clients with the assurance that their data is protected to the highest standards.
SOC 2
SOC 2, or System and Organization Controls 2, is a compliance standard developed by the American Institute of Certified Public Accountants (AICPA). It focuses on how organizations manage customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 is particularly relevant for service providers that store customer data in the cloud, ensuring that data is handled securely and privately. At Omnigo, we take data security and privacy very seriously. To demonstrate our commitment, we undergo a SOC 2 Type 2 audit every year. This rigorous audit evaluates the effectiveness of our controls over a specified period, ensuring that we consistently meet the highest standards for data protection. The results of our SOC 2 Type 2 audit can be shared with customers under a Non-Disclosure Agreement (NDA), providing transparency and assurance that their data is in safe hands.
StateRAMP
StateRAMP is a comprehensive compliance program designed to help state and local governments ensure that cloud service providers meet stringent security standards. It is based on the NIST 800-53 controls, which provide a robust framework for protecting information systems and data. StateRAMP includes additional parameters and guidance tailored to the unique aspects of cloud computing. Several states have adopted StateRAMP to standardize their security requirements for cloud services. For a complete list, you may review the list of participating governments. However, even if your organization is not in one of these states, a StateRAMP audit can still provide significant benefits. The detailed assessment covers a wide range of security controls, offering meaningful assurances about the security posture of your cloud services. This can enhance trust with customers and stakeholders, demonstrating a strong commitment to data protection and cybersecurity. At Omnigo, the following solutions are covered by a StateRAMP audit: ReportExec and QueTel (which includes Evidence, Courts, and QuarterMaster). This ensures that these solutions meet the highest standards of security and compliance, providing our clients with confidence in the integrity and protection of their data.
STATE OF TEXAS (TX-RAMP)
The Texas Risk and Authorization Management Program (TX-RAMP) is a compliance framework established by the Texas Department of Information Resources (DIR) to ensure that cloud service providers meet stringent security standards when doing business with Texas state agencies. TX-RAMP requires cloud vendors to be certified under TX-RAMP, StateRAMP, or FedRAMP. Notably, TX-RAMP grants full reciprocity to StateRAMP certifications, meaning that cloud service providers who are StateRAMP certified automatically meet TX-RAMP requirements. Omnigo leverages this reciprocity by maintaining StateRAMP certification, ensuring that our solutions are compliant with TX-RAMP standards. This includes the following products and solutions: ReportExec, Evidence, Courts, and QuarterMaster. By adhering to these rigorous security controls, Omnigo provides meaningful assurances to our clients in Texas and beyond, demonstrating our commitment to protecting sensitive data and maintaining high security standards. For more information, you can visit the TX-RAMP Certified Cloud Products page.

It's important to note that TX-RAMP applies to state-funded universities and other institutions of higher education in Texas because it is mandated by the Texas Government Code. Specifically, TX-RAMP requirements ensure that these institutions comply with statutory guidelines when contracting for cloud services, thereby enhancing the security and management of sensitive information. This compliance is crucial for protecting data and maintaining the integrity of educational and administrative operations. In total, approximately 104 institutions are affected by TX-RAMP, including:
· 37 general academic institutions
· 3 lower-division institutions
· 50 community and junior college districts
· 1 technical college system
· 13 health-related institutions
This comprehensive coverage ensures that a wide range of educational institutions adhere to stringent security standards.
FAQ

Q: What is NIST 800-53 and why is it important?
A: NIST 800-53 is a security framework developed by the National Institute of Standards and Technology. It includes 18 families of controls, categorized into three general classes: management, operational, and technical. These controls are designed to protect the confidentiality, integrity, and availability of information systems. Omnigo's compliance with NIST 800-53 ensures that their security practices are robust and aligned with industry best practices.

Q: What does SOC 2 compliance entail for Omnigo?
A: SOC 2, or System and Organization Controls 2, is a compliance standard focusing on how organizations manage customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Omnigo undergoes a SOC 2 Type 2 audit annually to ensure the highest standards for data protection and can share the results with customers under NDA.

Q: How does Omnigo achieve GDPR compliance?
A: Omnigo achieves GDPR compliance by participating in the Data Privacy Framework (DPF), which includes the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. These frameworks provide reliable mechanisms for personal data transfers, ensuring adherence to stringent data protection standards.

Q: What are the key compliance standards for law enforcement solutions at Omnigo?
A: Omnigo ensures compliance with the Criminal Justice Information Services (CJIS) Security Policy and the National Incident-Based Reporting System (NIBRS). These standards are crucial for protecting sensitive data and maintaining the integrity of law enforcement operations.

Q: How does Omnigo ensure HIPAA compliance?
A: Omnigo ensures HIPAA compliance through a rigorous security methodology grounded in the NIST 800-53 and SOC 2 frameworks. This includes implementing stringent security measures such as access controls, encryption, and continuous monitoring to safeguard protected health information (PHI). We frequently enter into Business Associate Agreements with Covered Entities, which outline the parties' obligations with respect to PHI.

Q: What is the Clery Act and how does Omnigo help institutions comply with it?
A: The Clery Act requires colleges and universities to disclose information about crime on and around their campuses. Omnigo's ReportExec helps institutions achieve and maintain Clery Act compliance by streamlining the reporting and documentation process.

Q: What is StateRAMP and how does it benefit Omnigo's clients?
A: StateRAMP is a comprehensive compliance program designed to help state and local governments ensure that cloud service providers meet stringent security standards. The following Omnigo solutions are covered by our StateRAMP audit: ReportExec, Evidence, Courts, and QuarterMaster, ensuring the highest standards of security and compliance.

Q: Does Omnigo comply with the COV Ramp and the SEC530 Information Security Standard?
A: Omnigo complies with the SEC530 Information Security Standard established by the Virginia Information Technologies Agency (VITA). This standard outlines a comprehensive set of security controls based on the NIST SP 800-53 framework, ensuring that cloud solutions used by state agencies meet stringent security standards.

Q: What is TX-RAMP and how does Omnigo comply with it?
A: The Texas Risk and Authorization Management Program (TX-RAMP) is a compliance framework established by the Texas Department of Information Resources (DIR) to ensure that cloud service providers meet stringent security standards. Omnigo maintains StateRAMP certification, which grants full reciprocity to TX-RAMP standards.

Q: How does Omnigo ensure the security of criminal justice information (CJI)?
A: Omnigo ensures the security of CJI by complying with the CJIS Security Policy. This includes implementing robust encryption methods, ensuring secure data transmission, and maintaining strict access controls. All personnel with access to CJI undergo a thorough screening process.

Q: What measures does Omnigo take to protect sensitive health information?
A: Omnigo protects sensitive health information by adhering to HIPAA requirements through a rigorous security methodology grounded in the NIST 800-53 and SOC 2 frameworks. This includes access controls, encryption, and continuous monitoring.

Q: How does Omnigo help law enforcement agencies achieve NIBRS compliance?
A: Omnigo helps law enforcement agencies achieve NIBRS compliance through solutions like ReportExec and ITI. These solutions provide customizable reporting fields and automated data validation to ensure accurate and compliant crime data reporting.

Q: How does Omnigo ensure compliance with gaming industry regulations?
A: Omnigo ensures compliance with gaming industry regulations by adhering to stringent regulatory requirements and industry standards. This includes filing necessary applications and obtaining approvals from various gaming commissions.

Q: What is the role of the Business Associate Agreement (BAA) in HIPAA compliance?
A: The Business Associate Agreement (BAA) specifies the obligations of both Omnigo and its clients (the HIPAA covered entity) in protecting PHI, ensuring that all parties understand their responsibilities in maintaining HIPAA compliance.

Q: What are the benefits of StateRAMP certification for Omnigo's clients?
A: StateRAMP certification ensures that Omnigo's solutions meet the highest standards of security and compliance. This enhances trust with customers and stakeholders, demonstrating a strong commitment to data protection and cybersecurity.

Q: How does Omnigo ensure the security of cloud solutions used by Virginia State Agencies?
A: Omnigo ensures the security of cloud solutions used by state agencies by complying with COV Ramp and the SEC530 Information Security Standard established by VITA. This standard outlines a comprehensive set of security controls based on the NIST SP 800-53 framework.

Q: What is the significance of TX-RAMP certification for Omnigo's clients in Texas?
A: TX-RAMP certification ensures that Omnigo's solutions meet stringent security standards when doing business with Texas state agencies. This includes the following products and solutions: ReportExec, Evidence, Courts, and QuarterMaster.

Q: How does Omnigo ensure the security of criminal justice information (CJI) for law enforcement agencies?
A: Omnigo ensures the security of CJI by complying with the CJIS Security Policy. This includes implementing robust encryption methods, ensuring secure data transmission, and maintaining strict access controls.
GLOSSARY

AICPA: American Institute of Certified Public Accountants, the national professional organization of Certified Public Accountants (CPAs) in the United States.
ASR: Annual Security Report, a report required by the Clery Act that includes crime statistics for the past three years, policy statements regarding campus security, and information on crime prevention programs.
Business Associate: A Business Associate under HIPAA is a person or entity that performs certain functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of protected health information (PHI). This can include tasks such as claims processing, data analysis, utilization review, and billing. A Business Associate is not a member of the Covered Entity's workforce but has access to PHI to perform their duties.
BAA: Business Associate Agreement, an agreement specifying the obligations of both Omnigo and its clients in protecting PHI.
CJI: Criminal Justice Information, data collected by criminal justice agencies that is needed for law enforcement and public safety.
CJIS: Criminal Justice Information Services, a division of the FBI that sets the security requirements for accessing and managing criminal justice information.
Clery Act: The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, a federal law that requires colleges and universities to disclose information about crime on and around their campuses.
COV Ramp: The Commonwealth of Virginia's Risk and Authorization Management Program, formerly known as the Enterprise Cloud Oversight Service (ECOS). It ensures that cloud solutions used by state agencies meet stringent security standards. Compliance with the SEC530 Information Security Standard is a key requirement under this program.
Covered Entity: A Covered Entity under HIPAA is defined as a health plan, a health care clearinghouse, or a healthcare provider that transmits health information in electronic form.
DIR: Texas Department of Information Resources, the agency responsible for providing technology leadership and solutions to state and local government entities in Texas.
DPA: Data Processing Agreement, a legally binding document that outlines the roles and responsibilities of both Omnigo and its clients in handling and protecting personal data. It ensures compliance with data protection regulations such as GDPR.
DPF: Data Privacy Framework, including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, providing reliable mechanisms for personal data transfers.
ECOS: Enterprise Cloud Oversight Service, now known as COV Ramp. It ensures that cloud solutions used by state agencies in Virginia meet stringent security standards. Compliance with the SEC530 Information Security Standard is a key requirement under this program.
EU-U.S. DPF: A framework that facilitates the transfer of personal data from the European Union to the United States, ensuring compliance with EU data protection standards.
FedRAMP: The Federal Risk and Authorization Management Program is a U.S. government initiative to ensure secure cloud services for federal agencies. It uses the NIST 800-53 guidelines to standardize security requirements. Cloud service providers must undergo a rigorous assessment and continuous monitoring to receive and maintain authorization.
FBI: Federal Bureau of Investigation, the domestic intelligence and security service of the United States and its principal federal law enforcement agency.
GDPR: General Data Protection Regulation, a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
HIPAA: Health Insurance Portability and Accountability Act, a U.S. law designed to provide privacy standards to protect patients' medical records and other health information.
IAFIS: Integrated Automated Fingerprint Identification System, a national fingerprint and criminal history system maintained by the FBI.
NIBRS: National Incident-Based Reporting System, a system for collecting and reporting data on crimes to the FBI.
NIST: National Institute of Standards and Technology, a U.S. federal agency that develops and promotes measurement standards, including the NIST 800-53 security framework.
NIST 800-53: A security framework developed by the National Institute of Standards and Technology, providing a comprehensive set of controls to protect the confidentiality, integrity, and availability of information systems.
PHI: Protected Health Information, any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity or a Business Associate.
SEC530: Information Security Standard established by the Virginia Information Technologies Agency (VITA), outlining a comprehensive set of security controls based on the NIST SP 800-53 framework.
SOC 2: System and Organization Controls 2, a compliance standard developed by the American Institute of Certified Public Accountants (AICPA) focusing on how organizations manage customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
StateRAMP: A compliance program designed to help state and local governments ensure that cloud service providers meet stringent security standards, based on the NIST SP 800-53 controls.
Swiss-U.S. DPF: A framework that facilitates the transfer of personal data from Switzerland to the United States, ensuring compliance with Swiss data protection standards.
TX-RAMP: Texas Risk and Authorization Management Program, a compliance framework established by the Texas Department of Information Resources (DIR) to ensure that cloud service providers meet stringent security standards.
UK Extension to the EU-U.S. DPF: An extension of the EU-U.S. DPF that applies to data transfers from the United Kingdom to the United States, ensuring compliance with UK data protection standards.
VITA: Virginia Information Technologies Agency, the agency responsible for overseeing the use of information technology in the state government of Virginia.