Identity & Access Management

Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?

Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.

Do you retain logs for all login attempts for a given time period or as required by the tenant?

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days, in accordance with the Company's records retention guidelines.

Does the solution provide re-authentication at the time of an attempted change to authentication information?

Yes, users must re-authenticate when attempting to change their authentication information (credentials); any attempted change is subject to this re-authentication requirement.

Can you provide the capability to present with a login notice to the intended users before being given the opportunity to log onto a system?

No, we do not present a login notice to users before they log in, as users are redirected through SAP SuccessFactors for authentication.

Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?

Yes, controls are in place to ensure that a failed login attempt discloses nothing beyond the fact that the attempt was unsuccessful; no further information is revealed prior to a successful login.

Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Yes, through our integration partners we support existing customer-based Single Sign-On (SSO) solutions so that all users can sign in to Xoxoday's products seamlessly. Setup is self-service: your SSO solution is connected and ready to use. Please refer to our list of integrations for details.

Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Yes, we support identity federation standards including SAML 2.0, SPML and WS-Federation as a means of authenticating and authorizing users.

What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?

Our virtual machines, networks and storage are isolated in accordance with AWS standards in order to keep them secure.

Do you allow tenants to use third-party identity assurance services?

No, tenants may only use Xoxoday's own secure authentication protocols and procedures; third-party identity assurance services are not supported, in order to avoid gaps in data handling.

Do you support tenant's access review policy?

Yes, we do support our clients' and tenants' access review policies.

Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?

Our password requirements enforce the creation of strong passwords: passwords must meet a minimum length and contain uppercase letters, special characters and alphanumeric combinations.

Do you allow tenants/customers to define password and account lockout policies for their accounts?

No, customers/tenants must comply with Xoxoday's own account lockout and password policies, which have been defined to provide maximum security.

Do you support the ability to force password changes upon first logon?

No, the user sets their own password on their very first login.

Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

No. As Xoxoday's products use single sign-on (SSO), users log in with their suite email and credentials.

Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

Yes, audit logs are recorded and reviewed automatically on a regular basis. These logs are integrated with our security operations/SIEM solution.

Is the option of physical and logical user audit log access restricted to authorized personnel only?

Yes. To ensure that data stays in the right hands, both physical and logical access to user audit logs is restricted to authorized personnel only.

Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?

No, logs are audited automatically on our side but are not integrated with the tenant's security operations/SIEM solution. If a tenant requests logs, they can be shared on request.

Are audit logs centrally stored and retained?

Yes, audit logs are stored centrally by Xoxoday and retained for future reference.

Describe how event logs are protected from alteration including how access to these logs is controlled.

Event logs are stored in a storage bucket that nobody can access without approval from senior management, i.e. the Chief Technical Officer.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, security mechanisms and policies are implemented to facilitate timely detection and investigation through root-cause analysis. Incidents are analyzed with network intrusion detection (IDS) tools.

Describe the process for investigating all data breaches and security violation events. Describe the process for informing TCCC of the breach, root cause analysis, and remediation.

Please refer to: "Threat & Vulnerabilities Management Procedures"

Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Yes, when an incident affects particular tenants, our logging and monitoring framework allows the incident to be isolated to those tenants.

Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?

Yes, measures are in place to limit access to tenant data from non-authorized devices. Please refer to "Access Control Procedures".

Does the solution support disabling of dormant accounts (User accounts that have not been used within a minimum of 90 days)?

No. Deactivated or dormant accounts remain in Xoxoday's domain; an administrator must manually identify and disable any accounts they consider dormant or inactive.

Does the solution maintain a password history technique in order to disallow use of any cyclic passwords?

Yes. A password history mechanism prevents previously used passwords from being reused. Please refer to "Password Management Policy".

Is there an approval process for access requests to systems handling personal data?

Yes. Using the access control limit capability, super admins and admins grant access to authorized individuals based on the requests those individuals raise, so they can manage their platform and the personal data it holds accordingly.

Is access to systems containing personal data granted using a role-based criteria?

Yes. The "admin" and "super admin" roles hold elevated privileges, and these roles can process users' personal data at their discretion using the access control limit capability.

Is all Personal Data registered in a standard repository?

Yes, personal data is stored in registered databases that meet the requirements of a standard inventory repository.

Are credentials stored in a centralized system that is TCCC approved?

Yes, all credentials are stored securely in a TCCC-approved centralized system in order to process personal data securely.

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Yes, roles and job duties are segregated through role-based access in order to protect tenants' databases.

Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Yes, if an incident occurs involving inappropriate access to tenant data, we will share the relevant reports.

Do you support tenant's multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?

Yes, we support measures to enforce strong multifactor authentication for access to highly restricted data.

Do you support access to tenant sensitive data by only tenant's managed devices?

No. Tenant data can also be accessed by Xoxoday's authorized personnel in order to provide service and support, under our security controls.
