Skip to main content

V10 Client FAQ

Encryption of Data Over Private Networks

Question:

  1. Is the solution customer data at rest within your or your hosting provider's private network encrypted? If yes, please provide details of the encryption scope and encryption algorithm used.
  • Note: Data at rest refers to all data in computer storage (e.g., hard drives, backup tapes, databases, mobile devices, file systems, etc.).
  • Is the solution customer data transmitted within your or your hosting provider's private network encrypted? If yes, please provide details on the encryption scope and encryption algorithm used.

    • Identity, Entitlement, and Access Management

    Question:

    1. Does the solution technically enforce a password length of a minimum of 16 characters for the Privileged (Admin) User Accounts? If no, please provide details on the configuration.
    2. Does the solution technically enforce a password length of a minimum of 10 characters for the standard End User Accounts? If no, please provide details on the configuration.
    3. Does the solution technically enforce password change at a minimum of 90 days? If no, please provide details on the configuration.
    4. Is the solution configured to allow a maximum of 5 failed login attempts before the account gets locked out/wiped? If no, please provide details on the configuration.
    5. Does the solution technically enforce password history control to a minimum of 8 passwords? (e.g., How many unique new passwords a user must use before an old password can be reused?) If no, please provide details on the configuration.
    6. Does the solution technically enforce idle session timeout of a maximum of 15 minutes? (e.g., After a maximum of 15 minutes of idle time, the user's session will be terminated/required to log back in?) If no, please provide details on the configuration.
    7. Does the solution technically enforce at least three of the following password complexity requirements?
    • Uppercase characters (A to Z)
    • Lowercase characters (a to z)
    • Digits (0 to 9)
    • Special characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ etc.)
    • If no, please provide details on the configuration.
  • Are credentials stored at rest encrypted by using a one-way hashing algorithm (SHA-256, equivalent, or higher security) together with a salt?
  • Are credentials in transit encrypted? (e.g., not transmitted in clear text)
  • Does the solution offer audit and reporting capabilities regarding user management and modification of access permissions?
  • Does the system support Single-Sign-On (SSO) using Identity and Access management standard protocols? (e.g., SAML, OAuth, OpenID Connect) If no, please provide details on the configuration.

    • Logging/Tools

    Question:

    1. Do you log any administrative and configuration changes to the Services?
    2. Is physical and logical user access to audit logs restricted to authorized personnel?
    3. Are audit logs centrally stored and retained? If so, please provide details on the retention policy.
    4. Are the retained logs sufficient to permit forensic analysis on security events?
    5. Are there any tools in place to continuously monitor, detect, and prevent intrusion/attacks to the solution (IDS, IPS, WAF, etc.)? If yes, please share what tools exactly.
    Back to top