Identity & Access Management

Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?

Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.

Do you retain logs for all login attempts for a given time period or as required by the tenant?

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Does the solution provide re-authentication at the time of an attempted change to authentication information?

Yes, users must re-authenticate when changing their credentials, and we comply with this requirement for any attempted change to authentication information.

Can you provide the capability to present with a login notice to the intended users before being given the opportunity to log onto a system?

No, we do not present login notices to users before they log in as the users are redirected through SAP SuccessFactors.

Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?

Yes, there is a protocol in place to ensure that no information beyond notification of an unsuccessful login attempt is disclosed prior to a successful login.

Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Yes, our partnerships with a wide array of integration partners ensure that existing customer-based Single Sign-On (SSO) capability is available for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution can be plugged in and ready to go. Please refer to our list of integrations to know more.

Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Yes, our identity federation standards include SAML 2.0, SPML, WS-Federation and more as a means of authenticating and authorizing users with airtight security protocols.

What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?

We isolate our machines, network and storage in accordance with AWS standards in order to keep them safe and secure.

Do you allow tenants to use third-party identity assurance services?

No, tenants are only allowed to use our secure protocols and procedures, which prevents gaps in data handling.

Do you support tenant's access review policy?

Yes, we do support our clients' and tenants' access review policies.

Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?

Our password requirements cover all of these factors to ensure that strong passwords are created. Passwords must meet a minimum length and contain special characters, capital letters, and alphanumeric combinations.

Do you allow tenants/customers to define password and account lockout policies for their accounts?

No, customers/tenants must comply with Xoxoday's account lockout and password policies, which have been put in place for maximum security.

Do you support the ability to force password changes upon first logon?

No, the user can set their own password from the very first login attempt.

Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

No. As Xoxoday's products use single sign-on (SSO), users can log in with their suite email and credentials.

Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is the option of physical and logical user audit log access restricted to authorized personnel only?

Yes, to ensure maximum safety and keep data in the right hands, physical and logical user audit log access is restricted to authorized personnel only.

Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?

No, logs are audited automatically but are not integrated with the tenant's security operations/SIEM solution. If a tenant requests logs, they can be shared on request.

Are audit logs centrally stored and retained?

Yes, regular audit logs are stored with Xoxoday and retained for future reference.

Describe how event logs are protected from alteration including how access to these logs is controlled.

The event logs are stored in a bucket that nobody can access without approval from senior management, i.e. the Chief Technical Officer.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, all security mechanisms and policies are implemented to facilitate timely detection and investigation by root-cause analysis. These incidents are analyzed with network intrusion detection (IDS) tools.

Describe the process for investigating all data breaches and security violation events. Describe the process for informing TCCC of the breach, root cause analysis, and remediation.

Please refer to: "Threat & Vulnerabilities Management Procedures"

Does your logging and monitoring framework allow isolation of an incident to specific tenants?

Yes, when an incident arises for a particular tenant, our logging and monitoring framework allows the incident to be isolated to that tenant.

Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?

Yes, there are measures in place to limit access to tenant data from unauthorized devices. Please refer to "Access Control Procedures".

Does the solution support disabling of dormant accounts (User accounts that have not been used within a minimum of 90 days)?

No. If accounts are deactivated or dormant, they still remain in Xoxoday's domain. The admin would have to manually reach out and disable the accounts that they wish to declare dormant or inactive.

Does the solution maintain a password history technique in order to disallow use of any cyclic passwords?

Yes. A password history technique ensures that previously used passwords cannot be reused. Please refer to "Password Management Policy".

Is there an approval process for access requests to systems handling personal data?

Yes, using the access control limit capability, super admins and admins can grant access to authorized individuals based on the requests they raise, so that they can manage their platform and the personal data accordingly.

Is access to systems containing personal data granted using a role-based criteria?

Yes, the "admin" and "super admin" roles hold the highest privileges, and these roles can process users' personal data as they choose using the access control limit capability.

Is all Personal Data registered in a standard repository?

Yes, personal data is stored in registered databases that comply with all the requirements of a standard inventory repository.

Are credentials stored in a centralized system that is TCCC approved?

Yes, all the given credentials are safely stored in a TCCC-approved centralized system in order to securely process the personal data.

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Yes, our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?

Yes, in case an incident occurs with respect to inappropriate access of data, we shall share the reports.

Do you support tenant's multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?

Yes, we do support measures to enforce strong multifactor authentication when it comes to accessing highly restricted data.

Do you support access to tenant sensitive data by only tenant's managed devices?

No, the data can be accessed by Xoxoday's authorized personnel to serve you better with maximum security.

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor, and review all critical access events.

Provide a description of the physical security of your Datacenter both inside (security mechanisms and redundancies implemented to protect equipment from utility service outages like for example, power failures, network disruptions, etc.) and outside the DataCenter itself (fences, security guards or patrols, reception desk, authentication mechanisms, etc.) as well as the procedure applied to authorize personnel to enter the premises and how often the authorizations are reviewed?

AWS is responsible for providing physical security to the data center, as we have deployed our application on AWS. AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to the areas specified in their permissions.

Third-party access: third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the requested time expires.

Do you have a formal process to manage the termination and or transfer of employees? i.e. All equipment is returned, user ID's disabled in systems, Windows, badges, and/or keys returned. On Transfer is existing access reviewed for relevance?

Yes, we have implemented a process for termination of employment. Once an employee is terminated, all access is revoked, IDs are disabled, and assets are returned and recorded as part of the exit clearance. We have implemented the access control procedure, and all access is revoked upon termination or transfer of an employee as per the compliance requirements.

Are employees required to use a VPN when accessing the organisation's systems from all remote locations?

Yes. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is a security operations center implemented to monitor the software solution?

Yes, we have implemented a security operations center to monitor, prevent, detect, investigate, and respond to cyber threats around the clock.

More info below:

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?

We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, when defining job roles and designing access roles, privileges that lead to conflicts of interest are avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events.

Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Our identity federation standards include SAML 2.0, SPML, WS-Federation and more as a means of authenticating and authorizing users with airtight security protocols.

Are employees required to use a VPN when accessing the organisation's systems from all remote locations?

We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is wireless access allowed in your organisation?

Wireless access is allowed and is handled with high-quality routers, password protection, restrictions on internet usage, etc.

Is there a role-based access control & structured process for creation of new user accounts for the customer operations? Are all users identified to the system by a unique User ID?

All our employees have unique email IDs, and we have implemented role-based access control. Our product team will create an account for the admin users, and the password can be changed immediately.

Is there a well-defined process for removing the user account and access rights at the time of an employee leaving the vendor's customer processing facility?

Yes, we have an exit procedure, and all the access provided to an employee will be removed or deleted.

Is there a periodic audit of the user access profile by the SPOC / system administrator?

Yes. We review the access provided every month, and the SPOC will be our system administrator.

Is there an automatic lockout for a predefined number of unsuccessful attempts?

Yes. We have defined the number of unsuccessful attempts. After 3 unsuccessful logins the account will be locked.

Are different accounts used for applications and OS level access?

Yes, we have different levels of access, for example Admin and users.

Does the system prompt the change of user passwords at predefined intervals?

Yes. Every 90 days.

How does the password reset process work? Is a secure password distribution mechanism in place?

We receive an email for resetting the password. Once we click on the link, it takes us to a different window and provides an option to change or reset the password.

Is there a defined process for installing & encrypting wireless access points, if any are used by the vendor?

We use only internet connection through Wi-Fi, and the IT team will provide access only after the approval process.

Are the following actions performed on all systems used for the customer operations: restricted access to shared folders, restricted USB/CD access, internet access on a need basis, admin privileges restricted?

Yes. We have all these controls. We have restricted access to shared folders, USB or external drives, internet access and privileged access.

Is an inventory of all information assets (e.g. documents, USB devices, passwords etc.) provided to employees tracked? Is the return of assets tracked?

Yes. We keep track of all this information, and we will remove the access once the employee has left the organization.

Is there a mechanism for different levels of administrator privileges for system access on the customer-specific servers? Is it configured in a secure manner?

Yes, we have different levels of access, such as Admin and users, and they are configured in a secure manner.

Is an inactivity timeout period specified for the customer applications?

It's an application and it supports SSO and Active Directory. The timeout period that we configure in SSO/AD would apply.

Is the development area segregated from the work area? Are proper access controls implemented for development areas?

Yes. We have segregated the areas. We have implemented controls so that only authorised individuals have access to the production area.

Are all production hardware, including, but not limited to, network devices, storage, database servers, and application equipment, located in a restricted area with physical access controls?

Yes, we have the controls.

Groups of information services, users and information systems shall be segregated on networks.

Yes. We have segregated the users.