Vulnerability and Threat Management

Do you have the capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

Yes. Policies and procedures are established, and mechanisms are implemented, to detect and remediate vulnerabilities within the timeframes set by our Security Patch Management Standards.

Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?

Yes. Leading anti-malware programs are installed on all of our systems and are integrated with our cloud service offerings.

Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

Yes. We perform periodic vulnerability and configuration-compliance scans of operating systems, databases and server applications, using industry-standard vulnerability management tools.

Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

Yes. Network-layer vulnerability scans are performed in line with industry standards.

Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

Yes. Application-layer vulnerability scans are performed as prescribed by industry standards.

Will you make the results of vulnerability scans available to tenants at their request?

Yes. Tenants can request vulnerability scan reports.

Do you have controls and processes in place to perform host/file integrity monitoring for all systems storing and transmitting sensitive data?

Yes. Host/file integrity monitoring is in place to detect unauthorized changes to data or to system configuration.
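The answer above names host/file integrity monitoring without saying how it works. The following is an added example, written for this page and not Xoxoday's own tooling or procedure: it records a baseline of SHA-256 digest, size and permission bits for every regular file under a directory, then compares a later snapshot against that baseline and reports added, removed and modified files, distinguishing a content change from a permission-only change. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Host/file integrity monitoring: baseline a tree of files, then detect
added, removed and modified files against that baseline.

Added example for this page; it is not Xoxoday's tooling or procedure.
The directory layout and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import stat
import tempfile

TRACKED = ("sha256", "size", "mode")


def file_digest(path, chunk_size=65536):
    """SHA-256 of the file contents, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest, size
    and permission bits. lstat avoids following symlinks; non-regular files are skipped."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines. 'modified' lists which tracked attributes changed per file,
    so a permission-only change (mode) is reported apart from a content change (sha256)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small config tree, tamper with it, report drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        files = {
            "app.conf": "port=8080\n",
            "allowed_hosts": "10.0.0.5\n",
            "sshd_config": "PermitRootLogin no\n",
        }
        for name, body in files.items():
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
        os.chmod(os.path.join(etc, "allowed_hosts"), 0o640)

        # The baseline must be kept where the monitored host cannot rewrite it
        # (another system, signed, or append-only storage); here it only round-trips JSON.
        stored = json.dumps(build_baseline(root))

        # Tampering: same-length content change (size alone would miss it), a permission
        # loosened to world-readable, a dropped script, and a deleted hardening config.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("port=8081\n")
        os.chmod(os.path.join(etc, "allowed_hosts"), 0o644)
        with open(os.path.join(etc, ".backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "sshd_config"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is rebuilt only after an approved change and stored off-host, and the compare step runs on a schedule with its findings forwarded to the log-monitoring pipeline; a checker whose baseline lives on the same host it monitors can be silenced by the same attacker who modified the files.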

Do you conduct daily vulnerability scans at the operating system layer?

No. Vulnerability scans of the operating system layer are conducted periodically rather than daily.

Do you conduct daily vulnerability scans at the database layer?

No. Vulnerability scans of the database layer are conducted periodically rather than daily.

Do you conduct daily vulnerability scans at the application layer?

No. Vulnerability scans of the application layer are conducted periodically rather than daily.

Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

Yes. Vulnerability scans and penetration tests are conducted periodically by external third-party services to test our security measures.

Whom do we contact if we identify a security issue or breach involving or impacting your product? Please provide an email address and/or full contact information.

Reach out to us at cs@xoxoday.com to raise a ticket if you notice a potential security issue that meets the criteria set out in our policy. Our security team will validate the severity and authenticity of the report within around 90 days. After validation, the issue will be fixed in accordance with our security policies, and the ticket owner will be informed once it is resolved.

Further questions and answers:

Do you conduct application and infrastructure penetration tests of your infrastructure regularly as prescribed by industry best practices and guidance?

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing.

Are the results of the penetration tests available to customers at their request?

All issues identified during the VAPT audit have been fixed and rescanned to confirm that the vulnerabilities are remediated. After confirmation of the fixes, we received the final VAPT certificate for our product.

Do you have external third party services conduct vulnerability scans and periodic penetration tests on production and publicly facing applications, systems and infrastructure?

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing.

What are your timelines for remediation on: Critical, High, Medium, and Low vulnerabilities?

60 days.

Do you conduct application and network-layer vulnerability scans regularly as prescribed by industry best practices? What tool? Frequency? Provide evidence.

We conduct VA/PT annually as per compliance requirements, using manual testing and third-party tools.

Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?

Yes. We have the capability to patch vulnerabilities across our computing devices, applications and systems.

Is VA/PT performed at regular intervals? If yes, what is the frequency?

We conduct VAPT annually.

How does vendor ensure Application Security for the customer services in Cloud?

We follow the technical guidelines of the Open Web Application Security Project (OWASP) when developing our code and applications. We also conduct VAPT assessments of our application and remediate the findings.

How does vendor ensure Secure configurations of Operating System on cloud?

We perform periodic vulnerability and configuration-compliance scans of operating systems, databases and server applications, using industry-standard vulnerability management tools.

How does vendor ensure Secure configurations of Database on cloud?

We conduct periodic vulnerability scans of the database layer to protect it and to confirm that its security measures remain effective.

Clearly defined responsibility for closure of observations as well as adherence to the customer remediation timeframes

We have implemented Threat and Vulnerability Management procedures. Identified vulnerabilities are closed and the underlying issues fixed.

Is there a defined process, set by function, to review critical transactions?

We conduct code reviews, VA/PT assessments, log monitoring, incident reporting etc., and these controls are monitored and reviewed during internal and external audits.

Is regular network vulnerability scanning performed?

The latest VAPT certificate is attached.

Is application vulnerability scanning performed on regular intervals?

The latest VAPT certificate is attached.

Regular appraisals of security controls as well as security hardening and patching of systems is performed.

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing. The Threat and Vulnerability Management Procedure and the Patch Management Procedure are attached.

Does the Company conduct technical security assessments (e.g. vulnerability, penetration tests) on its own IT environment?

We conduct vulnerability assessment and penetration testing of our IT environment.

How often do you scan for vulnerabilities on your network and applications?

We scan yearly, as per compliance requirements.

What is your vulnerability remediation process?

The Threat and Vulnerability Management Policy is attached.

Are all 3rd Party Libraries regularly reviewed and checked for potential vulnerabilities?

Yes. As part of every build, third-party libraries are scanned for security vulnerabilities.

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

Our released software is free from all vulnerabilities.

Has an independent third party performed a Penetration Test covering the solution to be provided to Customer?

The report of the penetration test performed by an independent third party is attached.

The vendor should specify what ongoing security testing they perform on their product, such as static and / or dynamic code analysis and any automated or manual penetration testing.

We conduct periodic vulnerability and penetration testing as per compliance requirements, including static, dynamic, API and manual testing.

Penetration Testing: Does the vendor perform penetration testing on a regular basis?

We perform VA/PT annually as per compliance requirements. The VA/PT report and certificate are attached.

Do you conduct regular vulnerability assessment to the service/platform you are providing for customers? For example, Asset Check/Vulnerability scan/Penetration test?

We conduct vulnerability and penetration testing through an authorized vendor.

NSE shall comply with the control requirements of Operations Security Policy of NSE for the Operating system, database and application, as applicable.

We comply with the requirements. We also conduct periodic vulnerability assessment and penetration testing with the help of an authorized third-party vendor.

How are these procedures validated?

We conduct internal reviews and are audited by external auditors for our security standard certification and VAPT assessment.

How are security vulnerabilities identified in Supplier developed applications?

We conduct periodic vulnerability assessment and penetration testing through an industry-approved, authorized vendor to make sure that all vulnerabilities are closed and the applications are secure.

What testing is done during a penetration test?

An exhaustive vulnerability assessment and penetration test has been conducted, along with business logic testing based on the OWASP framework, covering 120+ test cases such as access controls, authentication and session management, cross-site request forgery, cross-site scripting, cryptography and insecure storage, data validation, information leakage and error handling, malicious execution, etc.

How is your network security testing performed? Internal, third parties or both? If so, how often is it tested? Explain your methodology

We conduct vulnerability assessment and penetration testing every six months with the help of an industry-approved third-party vendor. If the auditor raises any observations during testing, our team works on them and fixes the issues.

Please summarise or attach your network vulnerability management processes and procedures?

See the attached Threat and Vulnerability Management procedure. Periodic scans are performed by the third-party vendor on all network assets deployed by Xoxoday.

What is your timeframe for patching critical vulnerabilities?

Critical vulnerabilities are fixed immediately, within a span of 5 days.

What tools do you use for vulnerability management?

Our third-party vendor, Appknox, scans for vulnerabilities using the Appknox tool (manual and automated) for vulnerability management.

Please summarise or attach your application vulnerability management processes and procedures?

See the attached Threat and Vulnerability Management procedure. Periodic scans are performed on the application, and the identified observations have been fixed by our engineering team.

What tools do you use for application vulnerability management?

Our third-party vendor, Appknox, scans for vulnerabilities using the Appknox tool (manual and automated) for vulnerability management.

Avoiding sources of risk

We have an Access Control Policy, follow a role-based access system, and periodically review the access granted so that only authorized individuals have access. We have implemented controls to avoid sources of risk and to prevent unauthorized access to data, including endpoint security on all computers and servers. We have a Patch Management Procedure and a Logging and Monitoring Procedure in place as per compliance requirements. We also conduct periodic vulnerability and penetration testing to identify sources of risk and implement controls to mitigate them.

All applications, third-party applications, software and firmware (for all provided system components such as network devices) are covered under patch and vulnerability management processes

Yes. We apply patches, conduct vulnerability assessment and penetration testing, and remediate the risks identified.

Third parties shall have Incident management process to support the customer during information security incidents including, but not limited to: • Information security incident of supplier-provided system at the customer. • Vulnerability report on supplier provided systems for the customer.

We have implemented an Incident Management Procedure and conduct VAPT audits periodically. The latest VAPT certificate is attached.

Third parties shall have vulnerability management process for all its supplied systems.

We have implemented Threat and Vulnerability Management procedures to proactively expose security flaws and correct them before a malicious attacker can leverage the same weaknesses and cause irrecoverable damage.

Details on how to manage system vulnerabilities and inform the customer on start and resolution of security issue shall be provided.

We have implemented Threat and Vulnerability Management procedures. We conduct vulnerability assessments and fix the issues identified during them.

Vulnerability assessments shall be conducted for all new information assets during testing and prior to production operations.

We conduct vulnerability assessment of our application during testing and prior to deployment.

Security and robustness testing of protocols shall be considered during procurement and installation phases in the lifecycle to discover and mitigate security vulnerabilities.

We conduct vulnerability assessment and penetration testing during testing and before deployment, and we make sure that all issues are fixed and security vulnerabilities mitigated.

As part of system tests (such as Factory Acceptance Test, Loop Test, Integrated Factory Acceptance Test, Functional Test and Site Acceptance Test), the functionality of input/output data validation, control of internal processing and data integrity of systems shall be verified.

We conduct vulnerability assessment and penetration testing of our application to make sure that issues are fixed and security vulnerabilities mitigated.

Periodic Integrity verification methods shall be performed to detect, record, report, and protect against the effects of tampering.

We conduct vulnerability assessment and penetration testing to identify vulnerabilities and fix the issues or mitigate the risk involved.

All products and components shall be hardened as per the customer documented security and operational baselines taking in consideration vendor’s specific recommendations and endorsement.

Our application is deployed on the AWS cloud virtual platform and hardened to reduce its attack surface.

Configuration baselines shall be continually managed to maintain applicability as software is updated or patched, security vulnerabilities are reported, or configurations are modified to allow the installation of new software or to support new operational requirements.

We continuously monitor for vulnerabilities and fix issues on a periodic basis. We also apply patches regularly to eliminate security risk.

Identify anti-malicious code protection requirements for networks and hosts.

We identify vulnerabilities and fix the issues to make sure the information system is secure and free from vulnerabilities.

Security risks associated with technical vulnerabilities, throughout the lifecycle, shall be managed through activities such as: - Identification of potentially applicable technical vulnerabilities. - Evaluation of applicability of technical vulnerabilities. - Evaluation of risk to the customer from applicable technical vulnerabilities. - Remediation of technical vulnerabilities based on criticality. - Mitigation of technical vulnerabilities that remain un-remediated. - Monitoring of risk associated with un-remediated technical vulnerabilities.

We conduct periodic vulnerability and penetration testing, fix the issues identified, and make sure that all risks associated with these vulnerabilities are identified.

Timelines for each phase of the technical vulnerability management lifecycle shall be defined: • Timelines shall specify the maximum time between Identification, Evaluation, Remediation/Mitigation and Monitoring phases. • Timelines shall be based on the risk to the entity. • Timelines shall be defined in a standard specific to each entity or function.

We have implemented Threat and Vulnerability Management to identify and eliminate problems that could lead to a breach of the confidentiality, availability or integrity of application data resources, and to ensure adequate protection of client data. The treatment of vulnerabilities consists of defining and implementing controls and measures to eliminate them.

Technical vulnerabilities shall be identified: • the customer shall identify resources that will be used to identify relevant technical vulnerabilities. • An internal technical vulnerability assessment of all system components storing or processing the customer data and the related system components should be performed after any significant information system network changes and as a minimum once every 90 days. The parameters of the vulnerability scans have to conform to the requirements of ISR, ISO 27001, SANS and OWASP and other best practices. • The relevancy of published technical vulnerabilities may be determined by the customer through the Asset Inventory. • Intrusive scans of systems shall not be considered without appropriate understanding of their impacts to production systems and shall not be used without appropriate approval. • Technical vulnerability assessment tools (e.g. scanners, exploitation tools, scripts, configuration audit, passive monitoring, etc.) shall be pre-approved for the customer environment before it’s use. • An approved technical vulnerability scanner should be implemented and kept current with latest test definitions of signature database. • A continuous process of technical vulnerability identification shall be established, scheduled and maintained for IT and OT the customer environment.

We have implemented Threat and Vulnerability Management to identify and eliminate problems that could lead to a breach of the confidentiality, availability or integrity of application data resources, and to ensure adequate protection of client data.

Technical vulnerabilities shall be evaluated: • Each relevant technical vulnerability shall be evaluated for both applicability and criticality. • Applicable technical vulnerabilities shall be recorded against applicable assets. This may be incorporated into Asset Inventory. • For all technical vulnerabilities determined to be applicable, the customer shall evaluate the risk to the OT and the customer through Risk Assessment Processes. • Remediation/mitigation and compliance reports shall be produced including topics such as: o List of Vulnerabilities - All discovered vulnerabilities, the severity, and the affected systems. o Remediation and/or mitigation recommendation - Each listed vulnerability shall have detailed information on how the vulnerability will be remediated or mitigated. o Non-compliance summary.

Vulnerabilities are categorized as Critical, High, Medium, Low and Informational. We remediate all vulnerabilities identified.

Technical vulnerabilities shall be remediated or mitigated in timely manner following Change Management Processes: - A phased rollout can be used to minimise impact. - Establish expected remediation/mitigation timelines based on the criticality rating level. - Any deviations to the customer defined management of technical vulnerability requirements should be recorded. - Risks due to deviations shall be managed to acceptable levels through compensating controls.

We have implemented Threat and Vulnerability Management to identify and eliminate problems that could lead to a breach of the confidentiality, availability or integrity of application data resources, and to ensure adequate protection of client data.

Technical vulnerabilities shall be Monitored: • As factors in the risk equation change, un-remediated technical vulnerabilities shall be reviewed at a defined interval to ensure that current controls are still effective at managing risk to an acceptable level.

We monitor the vulnerabilities identified and remediate them.

All reports of potential technical security vulnerabilities on operational systems must be communicated promptly to all relevant internal stakeholders, in a timely manner, on a restricted basis, in order to effectively manage associated security risks.

We follow this as part of our Threat and Vulnerability Management procedure.

Details of technical vulnerabilities shall not be shared outside of the customer, except where required for legal or regulatory purposes by authorised personnel.

We do not share vulnerability details with any unauthorized individual.

the customer reserves the right to intercept and monitor information processed by the customer information resources and networks. This activity is solely used to identify threats to company information assets and enable early detection of potential malicious activities.

We conduct vulnerability assessment and penetration testing periodically, and we can make the results available to the customer on a need-to-know basis.

The appropriate the customer stakeholders shall be informed of all potential vulnerabilities and non-compliance issues on a regular basis and be accountable for providing adequate resources to mitigate these issues.

We inform stakeholders of our potential vulnerabilities and non-compliance issues and make sure that we mitigate them.

Service Provider shall employ an independent security professional to perform penetration testing and other types of security testing on at least an annual basis or after major changes.

We conduct penetration testing with the help of an industry-approved third-party vendor.

Does the vendor use Third Party vulnerability testing of the infrastructure and the application?

Yes. We conduct third-party vulnerability assessment. The certificate is attached for your reference.

Will any detected security violations and incidents be reported to the "X Company" Information Security Manager?

Yes. We also fix the issues identified and conduct the test once again for confirmation of fixes.

What are the contract termination processes? How will we have access to our data on termination of the service? Would our data be completely deleted from the vendor's servers after termination?

We will delete the data upon termination of the contract and confirm this to you. Our data cleaning process goes through an organized purge; once the data is purged, it is purged from all places.

How often do you perform periodic vulnerability scans on your information technology systems, networks and supporting security systems, i.e. internal assessments, third-party assessments, automated? What is the security patch management cadence to address vulnerabilities identified?

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing. We conduct VA/PT annually; the latest certificate is attached. Security patches are rated Critical, High, Medium and Low: Critical patches are deployed immediately, High patches within 5 days, Medium patches within 15 days, and Low patches within 25 days.

Share the vulnerability remediation program.

The Threat and Vulnerability Management program is attached.

Do you conduct vulnerability scanning or Penetration tests?

The latest VAPT certificate is attached.

A copy or summary of the most recent vulnerability assessments or penetration tests performed against the product or environment – this summary should include a statement on remediation of vulnerabilities from management.

The VA/PT executive report and the certificate issued upon remediation of all vulnerabilities identified during the third-party assessment are attached.

Is VA/PT carried on the infrastructure? How frequently? Who conducts the vulnerability assessment. Please share a copy of the latest VA/PT report.

VA/PT is conducted with the help of a third-party VAPT auditor, Appknox. We conduct VAPT every six months, and the latest VAPT certificate has been shared.

Infrastructure security standard and hardening processes

The infrastructure architecture diagram, which includes all security components, is attached, along with the VAPT certificate and the Cloud Computing Security Policy.

Dynamic application security test report

The executive summary of the VAPT report is attached.

Security safeguards must be in place to protect system from unauthorized code execution.

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing.

Perform ongoing security assessments to identify and remediate high-risk vulnerabilities on servers, data stores, web applications, and dependent systems and software.

We are compliant with this requirement. Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing as per compliance requirements.

3rd party components shall be evaluated for known vulnerabilities prior to and during use in production. Protect against supply chain threats to the information system, system component, or information system service by employing security safeguards as part of a comprehensive, defense-in-breadth information security strategy. EIS Architecture team shall be notified to conduct an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. Review & replace information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing. The VAPT certificate and executive report are attached; all vulnerabilities have been fixed.

Application must ensure that input validation or encoding routines must be performed and enforced on the server side. I.e. a centralized input validation strategy must be used where appropriate. Client-side validation can be implemented as an additional layer of security.

We conduct VAPT assessments with the help of an authorized vendor and are compliant with this requirement.
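The requirement above asks for a centralized, server-side validation strategy, with client-side checks treated only as an extra layer. The block below is an added example for this page, not Xoxoday's code: a single allowlist schema applied to every decoded request body before business logic runs. Field names, limits and the hypothetical reward-redemption endpoint are assumptions made for the illustration. It rejects unknown fields (a mass-assignment defence), refuses type coercion (`"2"` is not `2`, and `True` is not an `int`), applies patterns and bounds as allowlists, and reports every failing field at once so the whole request can be logged and refused.

```python
"""Centralized server-side input validation against an allowlist schema.

Added example for this page, not Xoxoday's code. The schema, field names and
limits are assumptions for a hypothetical reward-redemption endpoint.
"""
import re


class ValidationError(ValueError):
    """Carries every (field, reason) pair so the request is rejected as a whole
    and the failures can be logged, instead of partially accepting the input."""

    def __init__(self, errors):
        super().__init__("; ".join(f"{field}: {reason}" for field, reason in errors))
        self.errors = errors


# Assumed schema. Patterns, bounds and enums are allowlists of what is acceptable,
# not blocklists of "dangerous" characters, so an injection payload simply fails to match.
REDEEM_SCHEMA = {
    "email": {"type": str, "max_len": 254,
              "pattern": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")},
    "voucher_code": {"type": str, "max_len": 16,
                     "pattern": re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){1,2}$")},
    "quantity": {"type": int, "min": 1, "max": 50},
    "channel": {"type": str, "enum": {"web", "mobile"}, "required": False},
}


def validate(schema, payload):
    """Validate a decoded JSON object against schema. Returns a new dict holding only
    the allowed fields; raises ValidationError listing every failure found."""
    if not isinstance(payload, dict):
        raise ValidationError([("$", "payload must be an object")])
    errors = []
    # Unknown fields are rejected rather than silently dropped, so a client cannot
    # smuggle attributes (is_admin, price, ...) past the schema.
    for name in payload:
        if name not in schema:
            errors.append((name, "unexpected field"))
    clean = {}
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", True):
                errors.append((name, "missing"))
            continue
        value = payload[name]
        # Exact type match, no coercion: "2" is not 2, and bool is not accepted as int.
        if type(value) is not rule["type"]:
            errors.append((name, f"expected {rule['type'].__name__}"))
            continue
        if rule["type"] is str:
            if len(value) > rule["max_len"] if "max_len" in rule else False:
                errors.append((name, f"longer than {rule['max_len']}"))
                continue
            if "pattern" in rule and not rule["pattern"].fullmatch(value):
                errors.append((name, "does not match allowed format"))
                continue
            if "enum" in rule and value not in rule["enum"]:
                errors.append((name, "not an allowed value"))
                continue
        elif rule["type"] is int:
            if not rule.get("min", value) <= value <= rule.get("max", value):
                errors.append((name, f"out of range {rule.get('min')}..{rule.get('max')}"))
                continue
        clean[name] = value
    if errors:
        raise ValidationError(errors)
    return clean


def failing_fields(schema, payload):
    """Convenience for callers that only need to know which fields were rejected."""
    try:
        validate(schema, payload)
        return set()
    except ValidationError as exc:
        return {field for field, _ in exc.errors}


if __name__ == "__main__":
    # Constructed request that passed client-side checks but was tampered with in transit.
    tampered = {"email": "x@example.com", "voucher_code": "' OR 1=1--",
                "quantity": "2", "is_admin": True}
    print(sorted(failing_fields(REDEEM_SCHEMA, tampered)))
```

Because `validate()` returns a fresh dict containing only schema fields, the handler should work from that return value rather than from the raw request body; validation that runs but whose result is ignored gives no protection. Output encoding for the context the data ends up in (HTML, SQL parameters, shell) is a separate control and is not replaced by input validation.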

How is identification and timely resolution of vulnerabilities taken care of? Please elaborate on your Vulnerability Management program. What process is in place to track the effectiveness of the closure of vulnerabilities? Please share the SLAs defined for closure of vulnerabilities based on their criticality. What is the process for notifying Infosys of the steps Infosys must undertake with respect to any identified vulnerabilities on the infrastructure used to provide service to Infosys?

We conduct vulnerability assessment and penetration testing through an authorized vendor, and the identified vulnerabilities are closed in a timely manner. The treatment of vulnerabilities consists of defining and implementing controls and measures to eliminate them (e.g. applying a patch to the affected system) or to prevent them from being exploited (e.g. deactivating a service or disallowing a firewall connection). Vulnerabilities are categorized as Critical, High, Medium, Low and Informational. We inform Infosys immediately if any critical vulnerability needs to be reported.

Are there any open vulnerabilities which have not been patched?

All are fixed and there are no open vulnerabilities.

Is security testing conducted wherever required before production release, and are vulnerabilities mitigated before release?

Testing is conducted and vulnerabilities are mitigated before any release.

Does the provider perform regular vulnerability assessments/penetration tests to determine security gaps? If so, state the date of the most recent vulnerability assessment/penetration test and provide a comprehensive list of all security risks/gaps identified

We conduct vulnerability assessment and penetration testing as per compliance requirements. The most recent certificate is dated 1 March 2021. The vulnerability assessment/penetration test report is attached.
