Identity & Access Management

Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?

Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.

Do you retain logs for all login attempts for a given time period or as required by the tenant?

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Does the solution provide re-authentication at the time of an attempted change to authentication information?

Yes, users re-authenticate when changing their credentials, and we comply with this requirement for any attempted change to authentication information.

Can you provide the capability to present a login notice to the intended users before they are given the opportunity to log onto a system?

No, we do not present login notices to users before they log in, because users are redirected through SAP SuccessFactors.

Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?

Yes, there is a protocol in place to ensure that no information beyond notification of an unsuccessful login attempt is disclosed prior to a successful login.

Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Yes, our partnerships with a wide array of integration partners ensure existing customer-based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution can be plugged in and ready to go. Please refer to our list of integrations for more details.

Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Yes, our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with airtight security protocol.

What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?

We isolate our machines, network and storage in accordance with AWS standards in order to keep them safe and secure.

Do you allow tenants to use third-party identity assurance services?

No, tenants are only allowed to use our secure protocols and procedures, to prevent gaps in data handling.

Do you support tenant's access review policy?

Yes, we do support our clients' and tenants' access review policies.

Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?

Our password setting requirements comply with all factors to ensure that strong passwords are created. Passwords should be of a minimum length and contain special characters, capitalized letters, and alpha-numeric combinations.

Do you allow tenants/customers to define password and account lockout policies for their accounts?

No, customers/tenants must comply with Xoxoday's account lockout and password policies, which have been incorporated for maximum security.

Do you support the ability to force password changes upon first logon?

No, the user can set their own password from the very first login attempt.

Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

No. As Xoxoday's products use single sign-on (SSO), users can log in via their suite email and credentials.

Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is the option of physical and logical user audit log access restricted to authorized personnel only?

Yes, to ensure data remains in the right hands, physical and logical user audit log access is restricted to authorized personnel only.

Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?

No, logs are automatically audited but are not integrated with the tenant's security operations. If a tenant requests logs, they can be shared on request.

Are audit logs centrally stored and retained?

Yes, regular audit logs are stored with Xoxoday and retained for future reference.

Describe how event logs are protected from alteration including how access to these logs is controlled.

The event logs are stored in a bucket that nobody can access without approval from senior management, i.e. the Chief Technical Officer.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, all security mechanisms and policies are implemented to facilitate timely detection and investigation by root-cause analysis. These incidents are analyzed with network intrusion detection (IDS) tools.

Describe the process for investigating all data breaches and security violation events. Describe the process for informing TCCC of the breach, root cause analysis, and remediation.

Please refer to: "Threat & Vulnerabilities Management Procedures"

Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Yes, in case specific incidents arise for particular tenants, our logging and monitoring framework allows isolation of incidents.

Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?

Yes, there are measures to limit access to tenant data from non-authorized devices. Please refer to "Access Control Procedures".

Does the solution support disabling of dormant accounts (User accounts that have not been used within a minimum of 90 days)?

No. Deactivated or dormant accounts would still exist in Xoxoday's domain. The admin would have to manually reach out and disable the accounts they wish to declare dormant or inactive.

Does the solution maintain a password history technique in order to disallow use of any cyclic passwords?

Yes. A password history technique prevents previously used passwords from being reused. Please refer to "Password Management Policy".

Is there an approval process for access requests to systems handling personal data?

Yes. Using the access control limit capability, super admins and admins grant access to authorized individuals as per the requests they raise, in order to manage their platform as well as the personal data accordingly.

Is access to systems containing personal data granted using a role-based criteria?

Yes, the "admin" and "super admin" roles hold elevated privileges, and these roles can process users' personal data as required using the access control limit capability.

Is all Personal Data registered in a standard repository?

Yes, personal data is stored in registered databases that meet all the requirements of a standard inventory repository.

Are credentials stored in a centralized system that is TCCC approved?

Yes, all the given credentials are safely stored in a TCCC-approved centralized system in order to securely process the personal data.

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Yes, our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Yes, in case an incident occurs involving inappropriate access to data, we shall share the reports.

Do you support tenant's multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?

Yes, we do support measures to enforce strong multifactor authentication when it comes to accessing highly restricted data.

Do you support access to tenant sensitive data by only tenant's managed devices?

No, the data can be accessed by Xoxoday's authorized personnel to serve you better with maximum security.

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor, and review all critical access events.

Provide a description of the physical security of your Datacenter both inside (security mechanisms and redundancies implemented to protect equipment from utility service outages like for example, power failures, network disruptions, etc.) and outside the DataCenter itself (fences, security guards or patrols, reception desk, authentication mechanisms, etc.) as well as the procedure applied to authorize personnel to enter the premises and how often the authorizations are reviewed?

AWS is responsible for providing physical security to the data center, as we have deployed our application on AWS. AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Third-party access: third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the requested time expires.

Do you have a formal process to manage the termination and/or transfer of employees, i.e. all equipment is returned, user IDs disabled in systems, Windows, badges and/or keys returned? On transfer, is existing access reviewed for relevance?

Yes, we have implemented a process for termination of employment. Once an employee is terminated, all access is revoked, IDs are disabled, and assets are returned and recorded as part of the exit clearance. We have implemented the access control procedure, and all access is revoked upon termination or transfer of an employee as per the compliance requirements.

Are employees required to use a VPN when accessing the organisation's systems from all remote locations?

Yes. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is a security operations center implemented to monitor the software solution?

Yes, we have implemented a security operations center to monitor, prevent, detect, investigate, and respond to cyber threats around the clock.

More info below:

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events.

Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with airtight security protocol.

Are employees required to use a VPN when accessing the organisation's systems from all remote locations?

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is wireless access allowed in your organisation?

Wireless access is allowed and handled with high-quality routers, password protection, restrictions on internet usage, etc.

Is there a role-based access control and structured process for the creation of new user accounts for the customer operations? Are all users identified to the system by a unique user ID?

All our employees have unique email IDs, and we have implemented role-based access control. Our product team creates an account for the admin users, and the password can be changed immediately.

Is there a well-defined process for removing the user account and access rights at the time of an employee leaving the vendor's customer processing facility?

Yes, we have an exit procedure, and all access provided to an employee is removed or deleted.

Is there a periodic audit of the user access profile by the SPOC / system administrator?

Yes. We review the access provided every month, and the SPOC is our system administrator.

Is there an automatic lockout after a predefined number of unsuccessful attempts?

Yes. We have defined the number of unsuccessful attempts: after 3 unsuccessful login attempts the account is locked.

Are different accounts used for applications and OS level access?

Yes, we have different levels of access, for example Admin and User.

Does the system prompt the change of user passwords at predefined intervals?

Yes. Every 90 days.

How does the password reset process work? Is a secure password distribution mechanism in place?

We receive an email for resetting the password. Clicking the link opens a separate window with an option to change or reset the password.

Is there a defined process for installing & encrypting wireless access points, if any used by vendor?

We use an internet connection only through Wi-Fi, and the IT team provides access only after the approval process.

Are the following actions performed on all systems used for the customer operations: restricted access to shared folders, restricted USB/CD access, internet access on a need basis, and restricted admin privileges?

Yes. We have all these controls: we have restricted access to shared folders, USB or external drives, internet access and privileged access.

Is an inventory of all information assets (e.g. documents, USB devices, passwords, etc.) provided to employees tracked? Is the return of assets tracked?

Yes. We track all this information, and we remove the access once the employee has left the organization.

Is there a mechanism for different levels of administrator privileges for system access on the customer-specific servers? Is it configured in a secure manner?

Yes, we have different levels of access, such as Admin and User, and they are configured in a secure manner.

Is an inactivity timeout period specified for the customer applications?

It’s an application and it supports SSO and Active Directory. The timeout period that we configure in SSO/AD applies.

Is development area segregated from work area? Are proper access controls implemented for development areas?

Yes. We have segregated the areas. We have implemented controls so that only authorised individuals have access to the production area.

Are all production hardware, including, but not limited to, network devices, storage, database servers, and application equipment, located in a restricted area with physical access controls?

Yes, we have the controls.

Groups of information services, users and information systems shall be segregated on networks.

Yes. We have segregated the users.

a) Is desktop/laptop sharing allowed? b) Is a data card accessible on the desktop/laptop? c) Are software installation permissions present on the desktop/laptop?

Device sharing is not allowed. All permissions need to be obtained from the IT team. These permissions are not provided to employees.

What controls are in place to provide logical segregation of duties at the CSP end in a shared environment?

We have different levels of users, and access is granted only upon approval and on a need basis.

How is the vendor performing logging and monitoring of privileged access (if any) in the cloud environment?

At Xoxoday, 2FA has been enabled for all critical applications.

By any means, does the vendor/CSP have access to the customer data? For what purpose?

Only Xoxoday-authorised individuals have access.

Are external drives such as CDs and USB drives disabled on all desktops and laptops, and on servers containing personal data, customer data or business data?

All computer machines have restricted access to CDs, USB or any other external drives. We do not grant such access, for security reasons.

Is photographic, video, audio or other recording equipment, such as cameras in mobile phones, restricted from being carried inside secure areas/work areas/information processing facilities? Are vacant secure areas physically locked and periodically reviewed?

The secure areas are restricted, and electronic devices or mobiles are not allowed in them. These areas are physically locked and periodically reviewed as part of internal and external audits. These restricted areas are also secured with CCTV cameras and monitored 24x7 for security reasons.

Are procedures defined and followed for employees for removal of all access rights (Logical Access and Physical Access) provided to them during course of employment?

We have implemented the access control procedure, and we revoke employees' access rights when they are no longer needed or upon termination of employment. Access granted and revoked is reviewed regularly and validated during the internal and external audits.

Are the system utility programs that could be used to override system and application controls strictly controlled and their use restricted, and are admin privileges not assigned to all users?

Access to the systems is based on the principles of least privilege. All users are restricted from installing and uninstalling applications/software, and they are not provided with admin access. Admin access rests with the IT support head and is not available to normal users.

Are there documented procedures in place regarding the steps to be followed for voluntary and involuntary employee terminations (unnecessary user entitlements), including access revocations? Are cases of voluntary or involuntary termination addressed immediately, and is access revoked immediately? Do you agree to inform BSLI in case of any involuntary termination of an employee working on the client account immediately, or within a reasonable timeframe in case of voluntary termination or reassignment of a staff member?

We remove access immediately after termination of an employee as part of the exit procedures. We inform BSLI in case of any involuntary termination of an employee working on the client account within a reasonable timeframe.

Are user access provisions monitored and reviewed on an ongoing basis (access reconciliation review) to ensure additions, deletions and changes to the accounts and access rights are properly tracked?

We have implemented the role-based access control policy. We regularly monitor the user access controls and make the necessary reconciliation for security reasons.

Are users handling BSLI data given access to corporate/public mail? If yes, are there any restrictions on the domains to which mail can be sent?

Our employees are provided access to corporate email. However, access to other email service providers, sending PII over email, sending email to personal email IDs, etc. are restricted for maximum security.

Are users handling BSLI data provided access to the Internet? Is there a proxy/content filtering solution in place for controlled access to the Internet? Are proxy/content filtering solution logs monitored and reviewed?

Not all of our employees are provided with access to client data. Only authorised individuals have access, on a need and approval basis. The approvers are either the Product Heads or the CTO. A content filtering solution is in place for controlled access to the Internet, and all logs are monitored.

Do you have a documented procedure in place for user access management? Is access to systems and data granted exclusively on a need-to-know/need-to-access basis and the principle of least privilege, and are the approvals documented by an accountable party?

We have a documented procedure in place for user access management; the Access Control Procedure is attached. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Access to data and systems is based on the principles of least privilege and need to know. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Only authorised individuals have access, on a need and approval basis. The approvers are either the Product Heads or the CTO.

Do you maintain a policy, operational plan and procedures for teleworking activities? Is teleworking activity authorized and controlled by management, and does it ensure that suitable arrangements are in place for this way of working? (Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as "telecommuting", "flexible workplace", "remote work" and "virtual work" environments.)

We provide the option of working from home/remotely to our employees. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

Does the patch management process ensure all systems are installed with the latest security patches (OS layer, application layer, database layer, network layer)? Is a formal vulnerability assessment and penetration testing (VAPT) process/procedure/policy/manual documented and operational? Do you have security hardening (technical specification, minimum baseline security (MBSS) guidelines for all infrastructure elements such as application, OS, network and database)? Are external drives such as CDs and USB drives disabled on all desktops and laptops, and on servers containing personal data, customer data or business data?

All computer machines have restricted access to CDs, USB or any other external drives; we do not grant such access, for security reasons. We have changed default credentials and turned off services that are not needed. MFA has been enabled to make sure that only authorised individuals have access. We have implemented the Cloudflare web application firewall, IDS, GuardDuty etc. in order to prevent DDoS-type attacks (evidence of the Cloudflare web application firewall, IDS, VA/PT reports, GuardDuty etc. is attached). We have implemented a role-based access control system, and only authorized users have access to the servers. Logs are collected using the AWS Audit Trail, while application-related logs are collected in our ElasticSearch server and retained in long-term cloud storage. Mechanisms are implemented to detect, address and remediate vulnerabilities. We have also implemented a backup plan. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest for maximum security. Data backups are done daily and in a secure way in AWS.

Have you deployed controls to protect computer systems against viruses, spyware, malware, Trojans, malicious code, etc.? Do you log the anti-virus compliance status of all systems?

All systems are secured with Bitdefender endpoint security, VPN, Active Directory, firewall, etc. for maximum security.

Is access to sensitive areas (server location, tape library, computer room, etc.) physically restricted to authorized personnel? If yes, does the physical access system log the access, capturing the date, time, door accessed and employee coordinates when logging physical access? Are all physical access control logs periodically reviewed and retained per retention requirements? Are visitors signed into the building by an employee who accepts responsibility for them during the course of their visit?

All sensitive areas are restricted, and only authorized personnel can have access. Our facility has a biometric access system, and all logs are maintained and periodically reviewed. We also have visitor management guidelines: all visitors and contractors are required to present identification, are signed in, and are continually escorted by authorized staff.

Does the vendor support on-premise / in-the-cloud third-party Cloud Access Security Broker (CASB) services?

AWS Identity and Access Management (IAM) enables us to manage access to AWS services and resources securely.

If the application is Internet-exposed and contains information related to customers, finance or employees, it should implement mandatory 2FA.

We don't provide multi-factor authentication. As of now, there are OAuth 2.0 and SAML-based tokens. JSON-based tokens are available for maximum-security direct-email logins.

Ability to have clearly defined roles with fine-grained access, created as per functional roles, and to maintain SoD when creating them.

We have 3 types of roles: User, Admin and Super Admin. Based on the roles and responsibilities, this access can be provided on a need and approval basis.

Ability to rename / disable default IDs within application

Data confidentiality is compromised (misuse of the customer policyholder/employee information, leakage of critical customer personal/policy details resulting in financial or reputational loss for the customer).

The Xoxoday application platform collects PII such as the name, email ID and phone number of the employees who will be using this platform. Xoxoday is an ISO 27001:2013 certified, GDPR compliant and SOC 2 Type I certified organization, and has all the required technical and organizational controls in place, audited during the internal and external audits. We have implemented a role-based access control system, and only authorized users have access to the servers. We use Amazon IAM for identity and access management. Logs are collected using the AWS Audit Trail, while application-related logs are collected in our ElasticSearch server and retained in long-term cloud storage. Mechanisms are implemented to detect, address and remediate vulnerabilities. We have also implemented a backup plan. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest for maximum security. Data backups are done daily and in a secure way in AWS.

Describe the mechanisms in place (processes, tools, etc.) to check for vulnerabilities at the application, Operating System, middleware and the network layers both internally and externally and how frequently these controls are performed.

Our network is protected through the use of key cloud security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks. Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing.

Describe the Access management process in place at the provider's end pointing out how you ensure timely removal of accesses that are no longer required and how you control the adequacy of the privileges to the job role. Also describe the revalidation processes and the frequency of its execution.

Access to data and systems is based on the principles of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access. We conduct the access control review on a frequent basis and revoke all access provided to exiting employees.

Provide the procedure implemented at your end to manage your shared IDs (e.g. root, Sys, System, etc.), group IDs (generic accounts used by several individuals belonging to the same team, for example) and local accounts. Describe how you restrict, log and monitor privileged account usage and access to security devices (e.g. hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.), how you ensure users changing team or leaving can no longer access the group ID, and what the level of traceability of such IDs is.

We have unique user IDs for all users and do not use generic user IDs. Access to data and systems is based on the principles of least privilege. We conduct the access control review on a frequent basis and revoke all access provided to exiting employees. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Privileges relating to administration of user access privileges and role configurations are separate from those of the authorized approver who approves access requests. The approvers are either the Product Heads or the respective function Heads, or their authorized delegates. The Access Control Procedure is attached.

Describe the process to ensure and monitor that Segregation of Duties is respected and how frequently it is controlled

An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties.

Do employees have a unique log-in ID when accessing data?

All our employees have unique login IDs.

Are employees required to use a VPN when accessing the organisation's systems from all remote locations?

We use a cloud hosted VPN with strict access controls to allow our employees to access the official network.

Does your organisation provide any web applications used by the customer or containing the customer data?

We provide a web application.

Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts?

Admins can control the application and have access to alerts and security events.

If an employee no longer requires remote access to the customer network, is there a process to inform the customer in a timely manner to revoke access?

We inform the customer to revoke access.

In case of any exceptions due to which anti-malware activities fail (e.g. antivirus scans cannot be conducted or patches cannot be applied), are alternative controls implemented to reduce the exposure on remote endpoints?

We have an alerting system in place and we perform the scanning immediately in order to reduce the risk.

Do fourth-parties, (e.g., subcontractors, sub-processors, sub-service organizations) have access to or process client scoped data?

They do not have access.

Is proper access control implemented for secure access to the customer data?

Yes. We have a role-based access system, governed by our access control policy, to make sure that only authorised individuals have access to the required information. All access to data and systems is based on the principle of least privilege. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. The approvers are either the Product Heads or the respective function Heads, or their authorized delegates.

Are there necessary controls for securing sensitive information according to the data classification (like Identity access management, access rights)?

Yes, we have the necessary controls in place to protect the information according to the data classification, for example Identity and Access Management (IAM).

Do you have a SIEM for monitoring and maintaining logs over security incidents from various components (e.g. IDS, IPS, firewall logs )?

Yes. We have a SIEM in place for monitoring and maintaining logs of security incidents from various components.

What kind of identity and access management services are provided by the cloud: 1. Independent IDM stack: all information related to the user account is managed by the SaaS vendor. 2. Using credentials provided by the enterprise: user account creation is done at the tenant within the enterprise boundary and used by the SaaS vendor to provide sign-on services. 3. Federated IDM: user account details are managed by the enterprise/tenant; the SaaS vendor uses federated identity details on an on-demand basis to allow sign-on and access control.

Share the privilege account reconciliation policy.

Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access. We have a role-based access system, governed by our access control policy, to make sure that only authorised individuals have access to the required information. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles

Will vendor employees be accessing any of the customer's applications? How is access to those applications managed (e.g. through SSO)?

Only authorised individuals would have access, on a need and approval basis. We also use SSO.

Are vendor employees who are associated with the customer process using their official email IDs for communication with the customer?

All our employees use official email IDs.

Who will have access to the customer users' / customers' data in your organization, and is any access control (Role-Based Access Control or other) imposed on the server / database where the customer users' / customers' data will be stored?

We have implemented a Role-Based Access Control policy, and only authorised individuals will have access on a need and approval basis.

Supplier applies security controls and measures on remote access.

Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

Supplier has a security monitoring process in place.

We monitor and review the privileged access provided and perform the necessary reconciliation as per the access control policy implemented.

The solution provides possibilities for identity integration with the customer's Microsoft Azure AD, and supports Single Sign-On (SSO). E2. SSO may be achieved either through a SAML 2.0 federated trust setup or through Microsoft Azure SaaS integration. E3. Additional factors may be used in authentication as well (MFA).

1. The Xoxoday application has a rich set of integrations with HRMS, HRIS, CRM, survey, marketing automation, SSO and SAML tools such as SAP SuccessFactors, Zoho People, Darwin Box, Hubspot, Freshworks, Zapier, Type Form, Survey Monkey, Survey Gizmo, SAML 2.0, etc. 2. SSO Redirection: the client has to generate a temporary token for SSO and redirect the user to Xoxoday with this temporary token. Please click here - https://xoxoday.gitbook.io/application/developer-resources/storefront-integration/api-endpoints/sso-redirection#sso-token-from-company-session

Vendor has privileged identity and access management policies in place, by ensuring that there are multiple access layers and requiring multi-factor authentication for superuser/administrator access.

Access to our production environment is allowed only via the Xoxoday corporate network, and only to authorized individuals of the infrastructure and engineering team. Given the pandemic/WFH situation, VPN access with 2FA has been enabled for such authorized individuals, to ensure business continuity. All our admin accounts have been secured with MFA, and we also use AWS IAM for managing privileged identities.

Privileged accounts are terminated when not required for use, and this process ensures that the change is propagated throughout the services provided to the customer.

We revoke access once the task is completed or when the employee leaves the organization, as per the access control policy and as part of the HR exit clearance. Yes, the access revocation process is synchronized across all systems. The Access Control Policy is attached.

Whenever user access to the customer data is to be maintained by the vendor, access to the customer services is provided on a need-to-have basis and according to users' roles (RBAC) and by notifying the customer in advance. E2. Access rights are continuously reviewed.

We have implemented Role-Based Access Control (RBAC). An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Privileges relating to administration of user access privileges and role configurations are separate from those of the authorized approver who approves access requests. The approvers are either the Product Heads or the respective function Heads, or their authorized delegates. We review access rights on a monthly basis. The access control policy is attached.

Roles and responsibilities of the customer are clearly specified in the incident handling process.

We have implemented an incident management procedure and attached the same. We communicate a Preliminary Incident Synopsis and a Root Cause Analysis (RCA) report including the details of business impact, issue description, root cause and corrective actions.

The customer data integrity is protected from incidents or unauthorized changes occurring in other tenants sharing the same infrastructure.

We use logical data isolation with the help of company-specific encryption keys. Data is encrypted both in transit and at rest: TLS 1.2 for data in transit and AES-256 for data at rest. Incidents in other tenants would have no effect on the customer's services.

Which security protocols and standards does the cloud vendor adhere to?

We adhere to ISO 27001:2013, GDPR, CPRA, SOC 2, CSA STAR and VA/PT; we have shared these certifications and audit reports. We have implemented the access control policy and shared the same for your reference. All our admin accounts have been secured with MFA, and we also use AWS IAM for managing privileged identities. All our infrastructure logs are collected using the AWS Audit Trail, while the application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage. The audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with our security operations/SIEM solutions.

Do you support the use of single sign-on (SSO) and federation where we leverage our identity provider for authentication and authorisation services?

The application supports many SSO options, such as Google Workspace, Azure AD, Okta SSO, OneLogin, Ping Identity, Centrify, etc.

Does the solution support role-based access control to enable separation of duties?

There are four access roles: Super Admin, General Admin, Manager and Employee. The level of access for each role can be managed through the access controls page.

Is there a Web UI available? What browsers are supported?

The application is a web application and also has Android and iOS apps. It can be accessed via desktop and mobile browsers on all compatible devices, for example Google Chrome, Internet Explorer, Microsoft Edge, etc.

Access Control - Is there an access control mechanism like RBAC built in the application?

An RBAC-style access control mechanism is built into the application. We have Super Admin, Admin and user accounts.

Does the application support SCIM-based automated user provisioning and deprovisioning?

Please click here to know more about SSO integration - https://www.application.io/integrations. It supports Azure AD, Google Workspace, Okta SSO, OneLogin, Ping Identity SSO, Centrify, etc.

Does the application support AD Integration?

It supports Azure AD integration.

Does the application allow users to set/reset password and login with password even when SSO is enabled?

No, it does not. Once SSO is enabled, the users are not presented with any password options.

Access to data by your employees:

Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access. We have a role-based access system, governed by our access control policy, to make sure that only authorised individuals have access to the required information. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. The approvers are either the Product Heads or the respective function Heads, or their authorized delegates.

What is the set of security configurations / features implemented for standard employee-issued devices? (full disk encryption, firewall, etc.)

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team, and it is linked with the SSO/Active Directory. In addition, we also use encryption, a firewall, Bitdefender endpoint security, etc.

Does the company allow its employees to work remotely? If so:

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team, and it is linked with the SSO/Active Directory.

How do you secure your APIs? Which methodology is followed for API security and its testing?

We have implemented a Web Application Firewall, IDS/IPS and Amazon GuardDuty, etc. for maximum security. OAuth2 is used to authorize all API requests. We also conduct code reviews to make sure that the APIs are secure.

Does the platform support SSO with PwC Identity?

Yes. The application supports SSO options such as Okta SSO, OneLogin SSO, Ping Identity SSO, Centrify, etc. Please click here to know more about the application's SSO - https://www.application.io/integrations?tab=tab-sso

Authentication requirements: what is the software? PwC uses SAML 2.0 and OpenAM authentication.

Our identity federation standards include SAML 2.0, SPML and WS-Federation.

Products should support user directory integration via LDAP or Microsoft Active Directory to simplify the user provisioning process.

It supports MS Azure Active Directory.

Is Multi-Factor Authentication supported?

No.

Does this mean they do not store passwords hashed?

We store passwords hashed. We use a SHA-512 hash with a unique salt for every password.

Is 2FA required when logging in? If required, which types of 2FA are supported? (e.g. Google Authenticator)

No. 2FA is not required for logging into the application. We only support SSO with the help of the SAML 2.0 protocol.

Are SSO and Okta integration supported?

Yes. It supports SSO and Okta integration.

Is there detection for concurrent logins? When there are multiple logins using the same username, are account holders made aware of this?

Yes. The account owner will receive an email notification and all the activities are logged.
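As an added example (not Xoxoday's code), the following Python shows the kind of concurrent-login check the answer above describes: it replays constructed login/logout events and raises an alert whenever a successful login arrives while another session for the same username from a different IP is still active. The event format, the session idle timeout and the sample log are all assumptions made for this example.

```python
"""Concurrent-login detection over a constructed event log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed idle timeout after which an unseen session is treated as closed.
SESSION_TTL = timedelta(hours=8)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # "login_ok", "login_fail" or "logout" (assumed vocabulary)
    ip: str
    session: str  # session identifier issued at login


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated line: <iso-ts> <user> <action> <ip> <session>."""
    ts, user, action, ip, session = line.split()
    return Event(datetime.fromisoformat(ts), user, action, ip, session)


def detect_concurrent_logins(lines, ttl: timedelta = SESSION_TTL):
    """Return one alert per successful login that overlaps a live session
    of the same user from a different IP. Alerts are the data an operator
    would turn into the owner notification mentioned in the answer."""
    active: dict[str, dict[str, tuple[str, datetime]]] = {}  # user -> {session: (ip, last_seen)}
    alerts = []
    for ev in map(parse_line, lines):
        sessions = active.setdefault(ev.user, {})
        # Drop sessions that have been idle longer than the timeout.
        for sid in [s for s, (_, seen) in sessions.items() if ev.ts - seen > ttl]:
            del sessions[sid]
        if ev.action == "logout":
            sessions.pop(ev.session, None)
        elif ev.action == "login_ok":
            # Other live sessions for this user that come from a different IP.
            others = sorted({ip for sid, (ip, _) in sessions.items()
                             if sid != ev.session and ip != ev.ip})
            if others:
                alerts.append({"user": ev.user, "at": ev.ts.isoformat(),
                               "new_ip": ev.ip, "existing_ips": others})
            sessions[ev.session] = (ev.ip, ev.ts)
        # Failed logins do not create sessions; they are left for the lockout logic.
    return alerts


# Constructed sample log: alice overlaps from two IPs, bob logs out before
# re-logging, carol fails, and alice's late login comes after both sessions expired.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice login_ok 10.0.0.5 s1",
    "2024-05-01T09:00:00 bob login_ok 10.0.0.9 s3",
    "2024-05-01T09:10:00 bob logout 10.0.0.9 s3",
    "2024-05-01T09:20:00 bob login_ok 198.51.100.4 s4",
    "2024-05-01T09:25:00 carol login_fail 192.0.2.8 -",
    "2024-05-01T09:30:00 alice login_ok 203.0.113.7 s2",
    "2024-05-01T18:30:00 alice login_ok 192.0.2.44 s5",
]

if __name__ == "__main__":
    for alert in detect_concurrent_logins(SAMPLE_LOG):
        print(alert)
```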

How long will the account be invalid when it is deleted? After how long will the user be kicked off when logged in, if his/her account has been deleted?

The account owner will receive an email notification immediately, and the user can act on it.

For customer support, what is the process for password reset? Could you identify correctly if the requestor is from our company? How?

We have enabled a password reset process. It identifies the requestor from the domain name of the email ID. The password of the application account can be changed by navigating to Settings in the Quick Access menu.

For customer support, what is the process for 2FA reset? Could you identify correctly if the requestor is from our company? How?

2FA is not supported.

Does the account management system support role-based permissions and access control?

Yes. We have defined accessibility features, role-based permissions and access control, and can manage user access to various account functionality based on organizational needs.

When Okta/SSO is enabled, is the login method for the original system technically prohibited?

When SSO (via SAML 2.0) is enabled, login via password is technically prohibited.

When only username and password login is enabled, is it possible to customize password complexity requirements (upper case, lower case, special character)? Also, is it possible to force users to change their password at regular intervals, every 90 days for example?

Yes. Users can provide a complex password to make sure that the account is secure.

Multi-factor authentication shall be implemented for all access to NSE's data.

Yes. We have enabled multi-factor authentication. Our application also supports multi-factor authentication.

All access to NSE’s data, managed by NSE shall be as per the Access Control policy of NSE.

We have implemented the access control policy to make sure that only authorised individuals have access to the data. You may suggest if anything needs to be added as per the NSE access control policy.

Administrative activities required to be done by NSE shall be carried out by NSE employees or NSE authorised staff only.

Super admins have complete control of the platform and can configure everything.

NSE shall ensure all web applications are accessible only via Web Application Firewall (WAF) to the internet with appropriate policies.

We have the controls in place. As part of the Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDoS-type attacks.

Describe the controls in place that monitor and record user access to systems that store or support UP data.

We have controls in place to monitor the user access system. We have implemented a role-based access management system through our access control policy. We also conduct internal reviews, internal audits and external audits by third-party auditors to make sure that we are complying with the requirements.

Does the Supplier support SAML 2 (Browser POST profile) to enable Single Sign-On for Union Pacific users?

Yes, our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with airtight security protocol.

What technology enforces the authorization?

We use Freshdesk and Jira for Authorizing access.

Describe how your organization decides who does and does not have access to sensitive data.

We have a role-based access system to make sure that only authorised individuals have access to the required information. We also have an Access Control Procedure as per the compliance requirements.

Do employees/contractors have ability to remotely connect to your production systems? (i.e. VPN)

Yes. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

Is MFA required for employees/contractors to log in to production systems?

Yes. We have enabled MFA for maximum security.

Do internal applications leverage SSO for authentication?

Yes

Are documented procedures followed to govern change in employment and/or termination including for timely revocation of access and return of assets?

Yes. We have an access control policy and a change management policy in place. Our IT team periodically reviews the access granted to all users and takes the necessary actions. Revocation of access and return of assets are part of our exit procedure upon termination of employment.

Is all network traffic over public networks to the production infrastructure sent over cryptographically sound encrypted connections? (TLS, VPN, IPSEC, etc). If there are plaintext connections, what is sent unencrypted?

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

What cryptographic frameworks are used to secure data at rest?

We use AES 256-bit encryption for data at rest to secure digital identities.

What cryptographic frameworks are used to store passwords?

We store passwords hashed. We use a SHA-512 hash with a unique salt for every password.
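The two answers above (here and under "Does this mean they do not store passwords hashed?") describe per-password salted SHA-512. The following Python is an added example, not Xoxoday's code, showing what that scheme looks like in practice: a fresh random salt per password, a self-describing stored record, and constant-time verification. The record format is an assumption made for the example, and the PBKDF2-HMAC-SHA512 variant is included as a commonly recommended stronger option, not as something the page states the vendor uses.

```python
"""Salted SHA-512 password storage and verification (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed record format: "<scheme>$[iterations$]<salt-hex>$<digest-hex>"
SALT_BYTES = 16


def hash_password_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Single-pass SHA-512 over salt||password with a unique random salt.
    This mirrors the scheme the questionnaire answer describes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return "sha512$" + salt.hex() + "$" + digest.hex()


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> str:
    """Iterated PBKDF2-HMAC-SHA512: same salt discipline, but each guess
    costs the attacker `iterations` hash computations instead of one."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record from the stored salt (and iteration count) and
    compare in constant time so timing does not leak how much matched."""
    parts = stored.split("$")
    if parts[0] == "sha512" and len(parts) == 3:
        candidate = hash_password_sha512(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha512" and len(parts) == 4:
        candidate = hash_password_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False  # unknown or malformed record
    return hmac.compare_digest(candidate, stored)


def salts_are_unique(records) -> bool:
    """Check a batch of stored records for the 'unique salt per password' property."""
    salts = [r.split("$")[-2] for r in records]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Two users choosing the same password must still get different records.
    alice = hash_password_sha512("correct horse battery staple")
    bob = hash_password_sha512("correct horse battery staple")
    print(alice != bob, verify_password("correct horse battery staple", alice))
```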

How are cryptographic keys (key management system, etc.) managed within your system?

The cryptographic keys, including data encryption keys and SSL certificates, are managed by Xoxoday for optimal security of sensitive data. Each tenant's data is uniquely encrypted using a client-specific key. We use AES 256-bit encryption for data at rest to ensure maximum security.

Does the application allow user MFA to be enforced by admins?

Yes

Does the application support IP whitelisting for user authentication?

Yes

Does your application support standardized roles and permissions for users (i.e. admin, user)?

Yes

Does your application enable custom granular permissions and roles to be created?

Yes

How does your application store API keys?

API keys are stored in high-availability ephemeral storage and not on any disk.

Are your confidential data access controls in line with your data classification matrix?

Yes

Are user/ privileged access rights for your staff regularly reviewed?

Yes

Will the customer staff be able to manage the customer system access and data? If so what controls are in place to restrict and control privileged access rights?

Yes. We follow a role-based access system. We have implemented an access control policy, which restricts access to authorised individuals only.

Please state what system-enforced password settings are active for: password minimum length/complexity, password change interval, lockout (after incorrect password entries), password aging/history.

Password minimum length/complexity: at least 8 characters

Password change interval: 45 days

Lockout (after incorrect password entries): 5 attempts

Have all default passwords been changed in regard to hardware identified in the architectural details section in 3.5?

Yes

How long will logs be retained?

Infrastructure logs are collected using the AWS Audit Trail, while the application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage.

All users shall be assigned a unique ID (user account) for access to system components, information or network files or sensitive data following clear user naming convention standards.

All users have been assigned a unique user account. We have implemented the Access Control Policy, and all system components, network files and sensitive data are accessed by the unique user accounts.

User accounts shall keep historical uniqueness and will not be reused by other people in the future.

All users have been assigned a unique user account, and accounts will not be reused by other people in the future.

Centralised directory services shall be provided for the customer systems, where applicable, to effectively manage the users and computers.

Admins have a centralised directory and can manage the users, for example creating and deleting users.

AAA services shall be provided, where applicable, for network equipment (switch, firewall, etc.) authentication, authorisation and accounting.

We are compliant. We have implemented the Network Access Control and Security Procedure. We diligently control access to computer resources, enforcing policies on firewalls, switches, etc.

Privileged access to assets shall be managed through formal processes for the allocation of defined privileges that should: · Address the full lifecycle, including requirements for expiry. · Ensure the competencies of users are in line with the privileges to be approved. · Allocate privileges to users on a need-to-use basis and on an event-by-event basis for a fixed period of time in line with the access control policy. · Not grant privileges until the authorisation process is complete.

We review the access controls on a periodic basis and make sure that only authorised individuals have access to the information system. We grant privileges only on a need and approval basis as per the access control policy.

Ensure that all privileged access is logged and periodically audited.

We review the access controls on a periodic basis and make sure that only authorised individuals have access to the information system.

Where technically feasible implement network and/or host-based technical controls that detect access and/or attempt to use diagnostic and configuration ports and services.

We have a monitoring system in place. Unauthorised access or attempts will be detected and prevented.

Where technically feasible, implement network (e.g. network gateways using traffic inspection to limit the capabilities of users) and/or host-based (e.g. Application Control) technical controls that control shared networks and resources access to specifically approved users and business applications.

We have implemented a role-based access control system. Only approved users have access to the business application.

Role-based user accounts shall be implemented for users (operators, supervisors, shift controller, engineer, domain administrator etc.) with specific and defined privileges based on the principle of least privilege for each role.

We have controls in place to monitor the user access system. We have implemented a role-based access management system through our access control policy.

Access to programming source code shall be granted on a need-to-know basis.

We are compliant. Only authorised individuals have access.

Remote access shall be granted based on business need and approved by Information owner.

We are compliant.

Multi-factor authentication should be used, where technically feasible, for all remote access (network-level access originating from the internet) by employees, administrators and third parties.

We use 2FA wherever required to safeguard the information system.

Access for vendors for remote maintenance or support must only be enabled during a limited time period and should be discontinued immediately after the task is completed. Vendors’ access shall be auditable.

We grant access to the vendor whenever necessary on an approval basis, and access is revoked upon task completion.

Remote access activities shall be logged, monitored and analysed.

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory for additional security.

Third parties are only granted logical access after verification that any contract or agreement with them addresses all aspects of the customer's information security requirements regarding accessing, processing, communicating or managing the customer's information or information systems, or adding products or services to information systems.

We grant logical access to third parties upon approval and with an agreement in place.

All unnecessary ports, services and applications that are not required for normal operations have been disabled or uninstalled, following the “least functionality” principle.

We have disabled all such access for security purposes. Access is provided only on a need and approval basis for a specific period of time.

Security measures listed below shall be undertaken to safeguard the development and testing environment:
- Development, test and integration environments are restricted to authorised personnel.
- A configuration management process is in place for development, test and integration environments.
- Sensitive information, such as new account or password information, is delivered through a process that is secure and protected by encryption and authentication mechanisms.
- All mobile devices (of vendors and third parties) used to access the customer's confidential data, including emails, shall have strong security controls enforced.
- Any wireless access to development, test or integration environments shall be protected using strong authentication and encryption protocols.
- Malware protection mechanisms are in place on all development, test or integration systems.
- Appropriate backup and restore processes exist to maintain continuity of its development processes.

We are compliant. We have a role-based access system to make sure that only authorised individuals have access to the required information. All devices and emails have adequate security controls. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. We have an SDLC policy as per ISMS requirements and we follow general coding practices; for example, we conduct data validation on a trusted system, and all cryptographic functions used to protect secrets from the application user. We have also implemented least privilege, restricting users to only the functionality, data and system information that is required to perform their tasks.

Prevention strategies for information leakage shall be established. Consider topics such as:
• Periodically determine whether sensitive data is present on assets in clear text. Searching for patterns that indicate the presence of sensitive information can help identify if a business or technical process is leaving behind, or otherwise leaking, sensitive information.
• Regular monitoring of employees, third parties and system activities, where permitted under existing legislation or regulation.
• Monitoring resource usage in computer systems and shares.
• Denying all unapproved traffic.
• Monitoring outbound media and communications for hidden information/data, covert channels or unauthorised use of encryption.

We have installed firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules. This helps us establish a barrier between a trusted network and an untrusted network. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory for additional security.

If additional security controls are required within a security zone, a sub-security zone should be created (e.g. different vendors or systems might require limited data access between production areas).

We can provide limited access to different vendors or systems.

Information assets shall not be shared in dual networks where technically feasible and where not, compensating controls shall be implemented based on a security risk assessment.

We are compliant. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Document network services (e.g. provision of optical fibre connections between sites), whether these services are provided in-house or outsourced, management requirements, service levels, and needed security mechanisms.

We have implemented the Network Access Control and Security Procedure. Network services are provided in-house. We maintain records of the service levels, which are reviewed during internal and external audits.

Configuration baselines should ensure that components are configured to the most restrictive mode consistent with technical and entity operational requirements.

We always make sure that components are configured to the most restrictive mode.

All software and functionality not required for the intended functional purpose of the system shall be disabled or uninstalled.

We provide our employees access to only the required functionality of any software application. We uninstall software or disable features wherever they are not required.

Auto-play of audio CD/DVD and USB drives shall be disabled on all systems.

We have disabled all the access for security purposes.

All activities related to administrator and operator privileges shall be logged and audited on a regular basis.

We review this access frequently.

15.2.4 Securing facilities. · Restrict access to only the necessary and authorised personnel. · Physical locations, internal telephone directories or any other information identifying locations of confidential information processing facilities shall be accessible to personnel on a need to know basis and shall not be readily available to anyone publicly.

We are compliant.

Equipment Siting and Protection. · Physical access to equipment shall be restricted to only necessary and authorised personnel. · Systems handling sensitive data shall be positioned carefully to reduce the risk of information being viewed by unauthorised persons during their use. · Information assets shall be configured to fail in a state (fail safe) that ensures safety related and important-to-safety functions, security functions, and emergency preparedness functions, including offsite communications, are not adversely impacted by the asset failure.

We are compliant. Physical access to equipment has been restricted to only necessary and authorised personnel.

As a minimum, contracts with third parties for provision of third parties with access to the customer information assets shall include (but not be limited to) confidentiality, non-disclosure and the customer security policies compliance clauses. The following requirements must be considered: • The level of physical and logical security controls that shall be provided to maintain the confidentiality, integrity and availability of the customer information assets. • Provision for confidentiality, non-disclosure and acceptable use relating to the customer information assets managed by the outsourced function or service. • The customer's rights to review, monitor and audit compliance with the security terms of the contract.

We are compliant.

All third-party access to the customer information assets and infrastructure shall be formally authorized by the information owner and other relevant parties.

Only authorised individuals have access to the approved information assets.

Access to restricted areas shall be provided to the authorised and approved assessors for assessment purposes.

We provide access to authorised individuals on an approval basis.

Service Provider shall use two-factor authentication for administrative activities.

Our application doesn't have a 2FA for admin functions.

Infrastructure components such as network devices, servers and workstations should be hardened from a least functionality and least privilege perspective.

We have a role based access system to make sure that only authorised individuals have access to the required information.

Is the communication between client and server encrypted in order to prevent eavesdropping, man in the middle or similar attacks?

Yes. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest.

Does the infrastructure provide mechanisms for access control lists or capabilities?

As per the access control policy, our application controls the access of unauthorised individuals through different levels of users such as admin, super admin and user.

Are the Authorisation and Access Control procedures for both end users and administrators compliant with ISO27002 generally and with our password policy specifics?

Yes. We are compliant. We have the access control policy and password policies.

How does the vendor control and monitor access to customer's data by their administrators?

We have an access control policy and only authorised individuals have access to PII on a need and approval basis. We also review the access granted on a monthly basis.

Describe the system’s security methodology to ensure that only authorized users can access information.

We have an access control system in place and only authorised individuals have access. The procedure is attached for your reference.

Is SSO provided out of box?

The application supports SSO.

What type of SSO options are available? SAML, HTTP-Fed etc.

Our identity federation standards include SAML 2.0, SPML, WS-Federation, Google SSO Login and more as means of authenticating and authorizing users with an airtight security protocol.

What other type of user authentication options do you provide?

The application has robust authentication methods. We have integrated SAML 2.0 with SAP SuccessFactors, and we also support OAuth 2.0 for seamless authentication.

Integration to TSL IT Systems

Yes - SSO

Will any detected security violations and incidents be reported to the "X Company" Information Security Manager?

Yes. We also fix the issues identified and conduct the test once again for confirmation of fixes.

Explain how the system supports single sign-on and an external roles based access control system.

Our partnerships with a wide array of integration partners ensure existing customer based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go.

Do you have effective physical access controls (e.g., door locks, badge / electronic key ID and access controls) in place that prevent unauthorised access to facilities and a facility security plan?

Yes. We have physical access controls in place and only authorised individuals have access. We have provided access cards to all employees and installed biometric machines at all the entry and exit areas. We have also installed CCTV cameras in our building, which are monitored 24x7 for maximum security.

How are systems and applications configured to restrict access only to authorized individuals?

We have implemented the access control policy and only authorised individuals have access to the systems/application. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need to know basis and support segregation of duties. Access to the production environment is restricted to a limited set of authorized users based on their job responsibilities. Users from the development and testing or QA teams do not have access to the production environment. Access to migrate changes is limited to designated and authorized individuals. Access to the production environment is approved by the Product Owner, and the systems of the authorized users are registered and authenticated during login. The access is controlled through the AWS Identity and Access Management system, which also enforces two-factor authentication.

Is there a list maintained of authorized users with access (administrative access) to operating systems? i.e. Active Directory user lists, within sensitive application, Excel spreadsheet of users, HR file?

Yes. The list of users who have admin access is maintained through AD, IAM, HRMS etc. and is reviewed periodically and during the internal and external audits.

Does a list of 'accepted mobile devices' (e.g., smart phones, cell phones) exist based on testing? Are accepted mobile devices tested prior to production use?

Mobile devices are not allowed for production use.

Is sensitive information (e.g., opportunities and sales contracts) removed from, or encrypted within, documents and/or websites before it is distributed? i.e. de-identifying of sensitive information prior to being distributed.

Yes. All sensitive information is encrypted. All data at rest is also encrypted for maximum security.

Is software installation restricted for desktops, laptops and servers? i.e. Restricted User access to workstations, Group Policy enforcement, AD privileges on servers

Yes. All software installation is restricted for desktops, laptops and servers. Users do not have permission to install any software or make any changes.

Is access to source application code restricted? If so, how? Is a list of authorized users maintained?

Yes. Access to source application code is restricted. Application code is stored in the code repository and only authorised individuals have access. We have implemented an SDLC Policy as per ISMS requirements and we follow General Coding Practice. For example, we conduct data validation on a trusted system, and all cryptographic functions are used to protect secrets from the application user. We have also implemented least privilege: we restrict users to only the functionality, data and system information that is required to perform their tasks. We follow all the technical guidelines for development of our code and applications that come under the Open Web Application Security Project.

Are user IDs for your system uniquely identifiable? a) Any shared accounts at all? i.e. hard coded into applications, someone is sick, emergency access to sensitive information?

Yes. All our users use unique IDs. There are no shared accounts.

Do you have a process to review user accounts and related access? i.e. manual process of reviewing system accounts to user accounts in AD for both users and privileged access ( E.g. Admins and Developers) ?

Yes. We have implemented the access control policy and we review the user accounts on a frequent basis for both admin and normal users.

Will vendor employees be accessing any of the customer's applications? How is access to those applications managed? (e.g. through SSO).

Only authorised individuals would have access on a need and approval basis. We also use SSO.

Are vendor employees who are associated with the customer process using their official email IDs for communication with the customer?

All our employees use official email IDs.

Who will have access to the customer users' / customers' data in your organization, and is any Access Control (Role Based Access Control or any other) imposed on the server / database where the customer users' / customers' data will be stored?

We have implemented a Role based Access control policy and only authorised individuals have access on a need and approval basis.

Is proper access control implemented for secure access to the customer data ?

Yes. We have a role-based access system through the access control policy to make sure that only authorised individuals have access to the required information. All access to data and systems is based on the principle of least privilege. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. The approvers are either the Product Heads or the respective function Heads or their authorized delegates.

What kind of access the vendor employees will have on the application and how access to the customer data in the application is restricted from being accessed by Vendor employees?

Our employees will not have access by default. The data will be accessed only on a need and approval basis. The access is controlled through the AWS Identity and Access Management system, which also enforces two-factor authentication.

Is user access controlled and has limited access to the data and configuration settings on cloud?

Yes.

Does the SAAS support MFA such as OTP or security tokens or biometrics ?

No, we don't provide multi-factor authentication. As of now, there are OAuth 2.0 and SAML-based tokens. A JSON-based token is available for maximum security direct-email logins.

Are there necessary controls for securing sensitive information according to the data classification (like Identity access management, access rights)?

Yes, we have the necessary controls in place in order to protect the information according to the data classification, for example Identity and Access Management (IAM).

Is access provided to users and administrators on a need to know basis?

Yes.

Do privileged users / admins have MFA enabled for access?

Yes.

Have you implemented Physical and Logical access controls to protect Personal Data ?

We have implemented physical access controls and logical access controls to protect personal data. We have security guards, CCTV cameras, access cards etc. for monitoring purposes. We use logical data isolation with the help of company specific encryption keys. We generate separate test data. Data in transit: TLS 1.2 encryption; data at rest: AES-256.

Is product/service application/solution provided protected against unauthorized access to personal information?

Only authorised individuals will have access.

Is there any way for the system administrator to terminate an active user who is suspected of performing malicious actions? Please describe the mechanism.

Yes. The administrator has the privileged access and can add or terminate the users. Admins have complete control of the platform and can configure the addition and deletion of the users through the admin console.

Are the security services provided by the system integration-ready and able to be integrated with an Active Directory or LDAP system?

Yes. The application comes with a full set of integrations with various platforms such as AD.

Does the solution use an open source 3rd party application framework? If yes, does it use the latest/stable patch? Please describe the libraries and their patch versions.

No. We do not use a 3rd party application framework.

Is there a Single User ID/ Password access to all the systems?

It's a SaaS solution and users can log in to multiple systems using a single user ID/password.

The number of unsuccessful attempts

Yes, there is a protocol in place to ensure that no information beyond an unsuccessful login attempt goes through prior to a successful login.

Can the system check for over-simplified passwords (e.g., inclusion of the User ID in the password itself) or force passwords to use more than just plain text and numbers? Dictionary searches etc.?

Yes. We have this mechanism.
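The question above lists three checks a password-quality mechanism is expected to make: the user ID must not appear in the password, the password must use more than letters and digits, and dictionary words must be rejected. The following added example (not the vendor's code; the word list and the character-class threshold are constructed for illustration) implements those three checks plus a minimum length, returning every violation so the user can be told what to fix:

```python
import re
from typing import List

# Constructed sample wordlist for the example; a deployment would load a full
# dictionary (and breached-password lists) instead of this handful of entries.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer", "company")

# Common substitutions that wordlist rules undo, so the check undoes them too.
_LEET = str.maketrans("0134$@!", "oleasai")


def password_problems(password: str, user_id: str, min_length: int = 12) -> List[str]:
    """Return a list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Check 1: the user ID (or the local part of an e-mail style ID) must not be embedded.
    lowered = password.lower()
    uid = user_id.lower()
    local_part = uid.split("@")[0]          # 'jsmith' from 'jsmith@example.com'
    if uid and (uid in lowered or (len(local_part) >= 3 and local_part in lowered)):
        problems.append("contains the user id")

    # Check 2: require at least three of lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")

    # Check 3: dictionary search after normalising leetspeak and stripping non-letters,
    # so 'P@ssw0rd2024!' is still recognised as 'password'.
    normalized = re.sub(r"[^a-z]", "", lowered.translate(_LEET))
    for word in COMMON_WORDS:
        if word in normalized:
            problems.append(f"based on dictionary word '{word}'")
            break
    return problems


def is_acceptable(password: str, user_id: str) -> bool:
    return not password_problems(password, user_id)
```

The normalisation step matters: a check that compares the raw password against the word list passes "P@ssw0rd" while any password-guessing tool tries exactly that substitution first.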

Can the solution disable the User ID automatically if the unsuccessful attempts exceed the maximum number of trials?

Yes. The solution disables the User ID automatically if the unsuccessful attempts exceed the maximum number of trials.

Do passwords have an expiry date?

Yes

Are passwords always stored in an encrypted form?

Yes.

Are passwords never shown in the clear on screen, or sent via e-mails?

It is not shown on the screen or sent via email.

Describe the recommended mechanism/process for resetting passwords (should a supervisor forget his/her password) and the mechanism/process of setting the initial password.

The password will be reset upon email confirmation through a password reset link. Once we click on "Reset my password", it redirects to the platform and asks us to set a new password for our account.

Describe the recommended mechanism/process for resetting passwords (should a user forget his/her password) and setting the initial password.

The password will be reset upon email confirmation through a password reset link. Once we click on "Reset my password", it redirects to the platform and asks us to set a new password for our account.

Describe the role-based security mechanism provided!

We have enabled the role-based access system to provide an access to only authorized individuals.

Does the solution provide the centralized access control management tool?

Yes. It can be managed centrally.

Can the solution log off a terminal automatically, i.e. a time-out feature during the “idle” state?

The platform will get locked out as configured in AD or SSO etc.

Can the security module support creating the same user with different roles while validating the dual control rule (e.g. the transaction initiator should not be the same as the transaction approver)? If yes, please describe the mechanism.

No. It's linked with the email IDs.

Does solution have the capability to set up a user based on another user’s profile?

Yes. We can set up an account with the help of unique email IDs.

Does the solution provide the centralized access control management tool?

Yes

Does your solution support multiple choices of authentication? What are they?

It supports Email and Mobile phone Authentication.

Does your solution provide Token authentication? Please provide detail

A JSON-based token is available for maximum security direct-email logins.

CLOUD SERVICE PROVIDER (CSP) must have and use least privilege concept for its security regulation regarding access management such as authentication, authorization and audit log.

We have implemented a role-based access system to make sure that only authorized individuals have access to the required information.

What is the FTE allocation for Information and IT security functions and roles?

We have more than 100 employees for the application product including support functions. A few important positions involved in InfoSec and IT security functions are: Chief Operating Officer; Vice President - application; DevOps Head - application; Product Head - application; InfoSec Manager; IT Head.

What are the access management policies, procedures and processes?

We have an Access Control Procedure and a role based access system to make sure that only authorised individuals have access to the required information.

How is user data provided to the system? (AAD integration/data loads/manually created)

The application integrates with tools such as MS Teams and Slack and HRMS tools such as Gusto, Keka, SAP SuccessFactors, BambooHR, Ramco HRMS, PeopleStrong, Zoho People and Darwinbox. Users can also log in via G Suite, Azure AD, Okta SSO, OneLogin SSO, Ping Identity SSO and Centrify.

How are user roles provisioned?

We have 4 user access roles - Super admin, General Admin, Manager and Employee.

Does the product support modern web-based integration methods? Please provide details.

The application integrates with tools such as MS Teams and Slack and HRMS tools such as Gusto, Keka, SAP SuccessFactors, BambooHR, Ramco HRMS, PeopleStrong, Zoho People and Darwinbox. Users can also log in via G Suite, Azure AD, Okta SSO, OneLogin SSO, Ping Identity SSO and Centrify.

Does the organization have physical security (facilities containing and/or used to process Fincare data) in place? If yes, please share and explain.

Yes. We have physical security controls in place. The Physical and Environmental Security Procedure is attached. All Fincare data will be stored on the AWS Cloud virtual platform and nothing will be stored locally. The purpose of this procedure is to prevent unauthorized physical access, damage, interference, theft or compromise to assets owned or controlled by Nreach Online Services Private Limited.

Do you have an access control policy? If yes, please explain and share evidence.

Yes. We have the Access control policy to make sure that the data is available only to authorised individuals. The Access control policy is attached.

Does the CSP provide Identity and Access Management (IAM) with extensive Role Based Access Control (RBAC) support (who, what, when, where, how, etc.) for all provided services, and what is your key management process for encryption?

Yes.

User and User access provisioning, de-provisioning process

The Access control policy is attached.

Does the application allow users to set/reset password and login with password even when SSO is enabled?

No, it does not. Once SSO is enabled, the users are not presented with any password options.

How many key custodians are there?

The Super Admin (CTO) and the DevOps team are the custodians of the key.

If SSO is not technically feasible, every case of not using SSO shall be reviewed & approved by EIS Security Architecture, ISRA. Access is to be provisioned and tracked to all users via unique usernames and passwords. Follow standard password protection guidelines of Providence. IAM team shall be consulted.

Inactive logon sessions are to be locked and require the user to re-authenticate after 15 minutes of inactivity.

Since Empuls is a SaaS platform, this can be configured with the help of Active Directory so that users who are inactive for more than 15 minutes have to log in again.

Default accounts must be removed or (disabled/ renamed and passwords reset).

Yes. Accounts can be created and disabled, and passwords can be reset.

Passwords must be masked during entry rendering contents in the password field unreadable. Passwords must be hashed with salt by using Providence approved algorithm.

Passwords are masked during entry. We store passwords hashed. We use a SHA-512 hash with a unique salt for every password.

The least amount of privilege necessary for user to perform their required functions will be provided to users. Access to be provisioned based on user roles (RBAC) and align with job function.

The application in context shall a. Displays to users (workforce members and non-PSJH users) a notification message on acceptable use of the system before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: a.1. Information system usage may be monitored, recorded, and subject to audit; a.2. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and a.3. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: c.1. Displays system use information before granting further access; c.2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and c.3. Includes a description of the authorized uses of the system.

Following 6 failed login attempts, the system or service shall be configured to either disable an account for 15 minutes or lock users out for at least 30 minutes.

Since Empuls is a SaaS platform, this can be configured with the help of Active Directory.

Initial/ default password must be changed upon first login.

Yes. This can be configured and users can reset the password.

Any user-defined routes must be requested and approved by PSJH Cloud Engineering. Subscription owners/ contributors must never add their own Routes.

Admins have centralised control of the platform and have access for creation/deletion of users as required. Please click here to know more - https://help.application.io/platform-management/platform-settings/access-controls

Access to the subscription is coordinated by IAM team, privileged access should be determined by business justification, and granted by IAM.

Admins have centralised control of the platform and have access for creation/deletion of users as required. Please click here to know more - https://help.application.io/platform-management/platform-settings/access-controls

Application/ System of interest must restrict access to confidential information to authorized personnel of PSJH.

The application has four different user access levels, namely Super Admin, General Admin, Manager and User. Please click here to know more - https://help.application.io/platform-management/platform-settings/access-controls The application can be used only by authorised individuals.

Implement authenticated session tokens with secure settings.

We have implemented OAuth 2.0 and SAML-based tokens. A JSON-based token is available for maximum security direct-email logins.

Non-interactive identities (e.g. service accounts) used to authenticate with any upstream/downstream systems (e.g. database) must be identified by the design. The design must adopt a policy of using least-privileged accounts. This needs to be reviewed by Security Architecture on a case-by-case basis.

At Xoxoday, access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role based access requirements. A strong identification and authentication system (AWS IAM) and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events.

The application must ensure all requests submitted via application URLs are checked against known authorization/access controls of the user to prevent privilege escalation attacks. The application must mandate users and devices to re-authenticate during the execution of privileged functions.

Yes, the application has robust authentication methods. Users can re-authenticate a change in credentials and we comply with any attempted change in authentication information. Our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with an airtight security protocol.

Periodic review of access to be performed, to monitor privileges.

At Xoxoday we review the access controls on a frequent basis.

Remove/disable inactive user accounts according to an organizationally defined frequency, e.g., disable information system access within defined hours of termination and within defined hours of adverse-circumstances termination; terminate/revoke any authenticators/credentials associated with the individual.

We remove/revoke the access of users upon termination or when the access is no longer required, and maintain these records for audit purposes.

On-demand access reviews to be performed whenever there is a change to the existing RBAC, e.g., when a caregiver moves from one department to another, takes on more responsibilities, or assumes reduced responsibilities that may warrant limiting existing access to sensitive systems.

At Xoxoday we review the access controls on a frequent basis. Compliant. The Access control policy is attached.

If the application is exposed to the internet (upon review and approval from Security Architecture), the application's admin console must only be allowed to be accessed from a PSJH managed endpoint by enabling a conditional remote access policy.

Yes. The customer will have control over the application as they will have Super admin access.

The mobile application must require users to enter a password, PIN, and/or biometric authentication mechanism in order to access mobile application content.

Yes. The users can access the mobile application only upon successful login.

If external, non-PSJH support is required, the vendor must agree to conduct remote support using PSJH-provided remote access tools rather than vendor tools. Support activities shall be carried out under supervision of Providence's representative and sessions are to be recorded.

We provide remote support using the client remote access tools.

The solution must be configured so that end users do not need local administrative privileges on workstations or systems running the application.

Implement controls to restrict export of data based on role and the availability and implementation of controls to protect the information once exported.

We have implemented a Role based access control mechanism. The Access control policy is attached. We have controls in place on who accesses the information and what level of access needs to be provided, etc.

Web Services must be authenticated using a service account/ managed identity principal.

At Xoxoday we have implemented the Identity access management and all the applications are authenticated before login.

Implement controls to ensure that service response script code is not directly executable.

We conduct the code review and get an approval from the CTO before releasing any new versions or updates.

Implement controls to provide notice of direct changes to user authorizations.

At Xoxoday we have implemented the Identity access management and all the applications are authenticated before login.

Prevent resources from being exposed or directly accessible by authorized (or unauthorized) users, to prevent direct object referencing attacks.

Compliant. Only authorised individuals can have access to the application with the help of the valid credentials.

Is the system accessed via a direct Internet connection, VPN, or dedicated network circuit?

No. It is not accessed via a direct internet connection. Access to our production environment is allowed only via our corporate network and access is allowed only to authorized individuals. We use a cloud hosted VPN with strict access controls. VPN access has been enabled with 2FA for such authorized individuals.

Detail the different roles configured and the privileges associated with each role. Also, please specify how user access management (access provisioning and de-provisioning) is performed.

We have a Role-based access control (RBAC) system and make sure that only authorized individuals have access to the data. We review this access provisioning regularly and deactivate users' access as per the change management policy.

Are there any shared or generic IDs being used to access Infosys data? If yes, please provide details of the same and the security controls in place for managing the resulting security risk.

No. We do not use generic IDs to access data.

Are admin or privileged accounts separate from user accounts in the application?

The application has four different user access levels, namely Super Admin, General Admin, Manager and User.

Do access rights follow need-to-know, need-to-use and least privilege concepts?

Super Admins are the default admins of the application. They are also the Group Admins of Townhall. Super Admins can view what access permissions are available to various user access levels using the Access Control settings. Super Admins can also delegate access for various features and tasks to General Admin, Manager and User. Within Xoxoday, access to data and systems is based on the principle of least privilege. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events.

Are the roles and access rights reviewed at least annually?

We have implemented the Access Control policy and follow a role based access control system. All access is reviewed and the necessary adjustments are made. The roles and access rights are reviewed during the internal and external audits as well.

Is the account authenticated before access?

Our partnerships with a wide array of integration partners ensure existing customer-based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go. Our identity federation standards include SAML 2.0.

Are logins for critical roles and privileged accounts enforced with 2FA?

At Xoxoday we have enabled MFA for all critical roles and privileged accounts for maximum security.

Are user accounts locked after successive failed login attempts?

At Xoxoday, user accounts lock out after 5 unsuccessful login attempts.

Are users required to change their password periodically?

At Xoxoday, all users are required to change their password every 90 days.

Are passwords hashed and not stored as clear text in code?

We store passwords hashed, using a SHA-512 hash with a unique salt for every password.
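The three controls stated in the answers above (lockout after 5 failed attempts, a 90-day password age, and SHA-512 with a per-password salt) as one worked illustration. This is an added example, not Xoxoday's code; the in-memory Account record, the 16-byte salt, the salt-then-password hashing order and the authenticate helper are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # lockout threshold stated on the page
PASSWORD_MAX_AGE_DAYS = 90     # rotation period stated on the page


@dataclass
class Account:
    salt: bytes        # unique random salt, stored beside the digest
    digest: bytes      # SHA-512(salt || password); the clear text is never kept
    set_at: float      # Unix time the current password was set
    failed: int = 0    # consecutive failed attempts since the last success
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # SHA-512 over salt || password (assumed layout); a fresh salt per password
    # means two users with the same password get different digests.
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def create_account(password: str, now: float) -> Account:
    salt = os.urandom(16)  # 16-byte salt is an assumption, not a page value
    return Account(salt=salt, digest=hash_password(password, salt), set_at=now)


def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'expired', 'locked' or 'denied'.

    Wrong passwords and unknown states all map to 'denied' so the response
    does not reveal anything beyond the fact that the attempt failed.
    """
    if acct.locked:
        return "locked"
    # constant-time comparison avoids leaking how many digest bytes matched
    if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
        acct.failed = 0
        if now - acct.set_at > PASSWORD_MAX_AGE_DAYS * 86400:
            return "expired"   # credential is correct but rotation is overdue
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        acct.locked = True     # fifth consecutive failure locks the account
        return "locked"
    return "denied"
```

A single salted SHA-512 round is fast to compute, so in practice a purpose-built password KDF (PBKDF2, bcrypt or Argon2) is preferred for new designs; the salt-per-password and constant-time comparison shown here apply either way.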

Does the application server comply with the identity and access control policy?

We have implemented identity and access management and follow the access control policy.

Does the application server comply with the password policy?

At Xoxoday we follow the password policy.

Does the database comply with the identity and access control policy?

We have implemented identity and access management and follow the access control policy.

Does the database comply with the password policy?

At Xoxoday we follow the password policy. The same is attached for your reference.

Who has access to the hosted environment and/or data? (Include third-party access if applicable.)

Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access.

How is their access controlled?

We have a role-based access system under our access control policy to make sure that only authorised individuals have access to the required information. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. The approvers are the Product Heads or the respective function Heads, or their authorized delegates.

How does the provider segregate the customer environment from other tenants?

We logically segregate the customer environment from other clients; each customer is uniquely identified by a tenant ID. It is segregated with a client-specific key for proper handling and security reasons. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. Per this design, no customer has access to another customer's data.

How is data integrity assured? What controls exist over internal processing?

An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Privileges relating to administration of user access privileges and role configurations are separate from those of the authorized approver who approves access requests. The approvers are the Product Heads or the respective function Heads, or their authorized delegates. Developers do not have access to the production environment. Access to the production environment is restricted to a limited set of authorized users based on their job responsibilities.

Authorization: Explain in detail how roles are managed.

Within Xoxoday, access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access. We use Active Directory and SSO for authentication purposes.

Does the application support multi-factor authentication (MFA / 2FA)? If yes, please elaborate.

Does the provider have access to the customer data, and if so, what restrictions are there over this level of access?

Within Xoxoday, access to data and systems is based on the principle of least privilege. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Privileges relating to administration of user access privileges and role configurations are separate from those of the authorized approver who approves access requests. The approvers are either the department heads or the management.

Who has access to these logs?

At Xoxoday only authorised personnel from our technical team have access, for example the CTO/production head, DevOps lead, etc. The event logs are stored in a bucket where nobody can access them without approval from higher authorities, i.e. the Chief Technical Officer.
