Do you have a disciplinary process for non-compliance with information security policy, and are employees made aware of the consequences for non-compliance?
We have a disciplinary process in place for non-compliance with the Information Security Policy, and we have communicated the consequences of non-compliance to employees.
Do you have an employee termination or change of status process?
We have the employee termination process in place.
Do you have documented information security baselines for components of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
We have implemented the Information Security Policy and Hardening Guidelines.
Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?
We have implemented the Data Retention and Disposal Policy and attached the same for your reference.
• The storage period is as per regulatory requirements.
• Personal data can be deleted based on a formal written request, with justification.
• Xoxoday would delete the data within 30 days of receiving the request.
Do you perform, at minimum, annual reviews to your privacy and security policies?
All our privacy and security policies are reviewed every year and approved by management.
Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?
At Xoxoday we have developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2013 standard and SOC 2 attestation. The information security team assesses security risks annually and on an ongoing basis when major changes occur or when industry changes occur.
Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?
Yes. We have implemented the Data Encryption Policy.
Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers?
Yes. We have the policies and procedures in place as per the compliance requirements.
Is classification inclusive of all media types (electronic, hard copy)?
Yes. Classification is inclusive of all media types.
Does your organization have policies and standards in place for the handling of Media?
Yes. We have implemented the Media Handling Procedure.
Is there capability to support client media handling policies and standards?
We follow the Xoxoday Media Handling Procedure.
Are there policies and standards in place for the secure storage of hard copy media? Internal repository? Third-party contractor?
Yes. It is part of the Media Handling Procedure and the Information Security Policy we have implemented.
Are there policies and standards in place for the secure destruction of media?
Yes. We have implemented the Data Retention and Disposal Policy.
Does the organisation have written information security policies?
Yes. We have a written Information Security Policy.
How often are the policies reviewed?
These policies are reviewed annually, or whenever changes are made to them, and approved by management as per the compliance requirements.
Does the organisation have a written password policy that details the required structure of passwords?
Yes. We have implemented the Password Management Policy.
Have the information security policy and standards been approved by senior management?
All information security policies and standards have been approved by senior management.
Has the organisation implemented an IT Governance framework such as ITIL, ISO 27001/22301, SSAE18 (SOC) and others?
Yes. Xoxoday is an ISO 27001:2013, SOC 2, CCPA/CPRA, HIPAA, CSA STAR and GDPR certified organization.
Is access restricted to systems that contain sensitive data?
We have implemented the Access Control Policy, and access is provided only on a need and approval basis. The Access Control Policy is attached.
Does the software development lifecycle in the organisation specifically focus on security?
We focus on security while developing our software.