Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Yes, our network environment is designed and configured to restrict any communication and connection between the tenant's environment and our corporate network.
Do you logically and/or physically separate tenant systems from corporate systems?
Yes, our logic to physically separate tenant systems is made possible by assigning each tenant's data a client-specific key that is uniquely encrypted for maximum security.
Are information system documents (e.g., administrator and User guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation, and operation of the information system?
Yes, all the resources that are needed for configuration, installation, and operation of information systems are made available to the authorized personnel for their perusal.
Can you a provide dedicated computing environment for the tenant?
No, we have a holistic computing environment which uses logical methods of isolation to keep the tenant's data secure.
Do you provide the logical segregation of tenant data and the application?
Yes, we logically segregate the tenant's data and the application.
Do you logically and physically segregate production and non-production environments?
Yes, physical segregation is done for production and non-production environments.
Are there any coding standards in place?
As per the SDLC process we have defined General Coding Practice and some salient points are -
We use parameterized queries.
All PI data need will be encrypted
All our communications will be over secure channels only and many more.
Are there any teams that can deploy code into production environments without it passing through the QA process?
No. All the deployments will take place only upon QA Process.
How regularly are backups tested - has the recovery process ever been tested?
Backups are automated and tested/reviewed on a weekly basis. Recovery process has been tested during the annual BCP test to make sure that implemented controls are working effectively. All the customer data backup has been stored on AWS/MS Azure Virtual platform cloud and all the data at rest has been encrypted.
Describe your incident escalation process?
Information security and Technology Team will be responsible for evaluating the incident and appropriately initiating the escalation process and holds the overall responsibility to monitor the activity and facilitate any action. If the problem requires further investigation, IT will assign the ticket to the appropriate Support Groups and escalate it CTO.
Describe your key management processes.
We use a split key mechanism to ensure that every client's key is unique.
We perform annual key rotation.
Keys are generated using the KMS service whenever needed.
We store keys in KMS.
How is product security considered during the development process?
We have implemented the systems development life cycle (SDLC) Procedure. Our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase. We also conduct vulnerability and penetration testing and fix the identified observations. Upon passing all the security and quality checks the new version of the product will be released.