Security policy
Optera IT security: Optera’s approach to information security
Optera provides a sustainability data platform and expert services to a wide variety of customers who, in turn, provide or manage critical services and data operations. The increasing complexity of cyber attacks, such as those that arrive through trusted third parties, demonstrates that a broader understanding of the risk ecosystem is required to mitigate information security risks effectively.
In October 2023, Optera successfully completed a SOC 2 Type 1 audit for its data security practices and renewed our ISO 27001:2013 certification for our Information Security Management System (ISMS).
A-LIGN, an independent, third-party auditor, conducted both audits.
SOC 2 audit
Established by the American Institute of Certified Public Accountants (AICPA), the SOC 2 examination is designed for service organizations of any size, regardless of industry and scope, to report on the controls that protect the security, availability, processing integrity, confidentiality, and privacy of customer data (the Trust Services Criteria). A Type 1 report attests that those controls were suitably designed at a point in time; a Type 2 report additionally tests whether they operated effectively over a review period. SOC 2 reports are recognized globally and affirm that a company’s infrastructure, software, people, data, policies, procedures and operations have been formally reviewed.
Optera will perform a SOC 2 assessment on an annual basis and can make the report available to current or potential customers upon execution of a non-disclosure agreement.
ISO 27001:2013 certification
A-LIGN is an ISO/IEC 27001 certification body accredited by the ANSI National Accreditation Board (ANAB) to perform ISO/IEC 27001 ISMS certifications. A-LIGN found Optera to have technical controls in place and formalized IT security policies and procedures. Optera has implemented security measures and countermeasures that protect it from unauthorized access or compromise, and IT personnel were found to be conscientious and knowledgeable in best practices.
Certification against this internationally recognized standard confirms that Optera’s information security management system meets the standard’s requirements and follows leading practices. (The 2013 edition has since been superseded by ISO/IEC 27001:2022; certificates issued against the 2013 edition remain valid during the transition period defined by the accreditation bodies.) The scope of our ISO/IEC 27001:2013 certification includes:
- Our corporate carbon and ESG management platform and other web-based software and services
- Our corporate website, opteraclimate.com, and other websites including subdomains and mobile versions
- All activities taken by Optera staff during development, management, and oversight of the platform, website, operations, and professional services.
In addition, Optera maintains the following measures to improve its risk awareness and mitigation capabilities:
- Frequent vulnerability scanning of both internal and external address spaces
- Annual penetration testing of its sustainability application and platform, with demonstrated remediations of findings
- Creation of standardized policies, procedures, and requirements expected across all operations that have an impact on security
- The adoption of a Secure Software Development Lifecycle (SSDLC) intended to improve security awareness among its developers and to reduce the likelihood of vulnerabilities in its applications
- Annual risk assessment of the entire organization
- Regularly maintained asset and data inventory
- Regularly updated risk register and mitigation measures necessary to reduce risk to an acceptable level
- Standardized monitoring and logging of all events surrounding critical assets, data, and user actions
We understand that security is never finished: it is an ongoing effort that requires continued vigilance and dedication.