Questions and Answers:
What level of TLS is used currently in production? TLS 1.2 with a SHA-256 signature
What are the encryption algorithms and authentication techniques used to ensure that unauthorized users cannot access or intercept the transport of client data? The SHA-256 signature produces an almost unique 256-bit (32-byte) digest of the data. These protocols provide communications security.
Where, domestically or internationally, will the system/application and data be hosted? USA
Is data transmitted outside the United States? No
Do you allow tenants to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)? If there are specific needs of the tenant we can make special provisions for them at an additional cost.
Is any software/hardware farmed out to a 3rd party—what piece and to whom? Software is developed by the partners we work with, who are 3rd-party vendors. Changes and updates to the system are handled by them.
Is client data only accessible by users authorized by client? Yes
What are the mechanism(s) in place to ensure that client data can only be accessed by authorized users and the administrator(s) of the system(s)? Each database instance is separated so that only those allowed in the system have access to their information.
Do you allow system administrators or other support staff to manage, maintain and access client data through non-company devices? The only time data would be accessed would be if there was a support issue that required assistance from our 3rd-party developer.
Do you segregate duties, using Role-based Access Control (RBAC) that are required for critical roles within the system/application? Yes
Will users require different levels of authorization in order to access different parts of the system/application, to access specific functions within individual parts of the system/application or anything else of this nature? Yes
Do you perform code reviews and testing to identify vulnerabilities in the system/application code? Our system is tested weekly/monthly to maintain best practices
Are all your developers trained on secure coding practices? Yes
Do you perform code reviews and testing to identify vulnerabilities in the system/application code (e.g., Open Web Application Security Project, or OWASP, Top 10); for every build: including static code, dynamic code scanning, code peer reviews, pre-production penetration testing of system/application? Yes
Does a 3rd party perform the testing? Yes
Where and how do you store user passwords? Are they encrypted and/or hashed and salted? They are stored internally within the system and are hashed and salted.
Are all events including Identity and Access Management (IAM) events (login, logoff, failed login, etc.) and changes to virtual machine images logged and stored so that any security problems can be later analyzed—are all events/accesses audited with logs? Yes, events are logged by our system for security audits.
Does your logging and monitoring framework allow isolation of an incident to specific tenants?
How do you communicate to a client if unauthorized individuals with access to the system read/update client data? The Senior HireGate Support team would communicate directly with our main contact at client’s location to let them know of unauthorized access.
Where does the application/solution reside in terms of your firewall placement? It resides inside our hosted platform's firewall.
Where do the servers reside - your data center or externally? They are hosted in an external Datacenter.
Functions within the Datacenter that support the hosting environment are:
- Physical security is responsible for the safety of the buildings in which our Datacenter operates
- Datacenter operations performs day-to-day operation of servers and related peripherals in addition to break-fix hardware support
- IT Security is responsible for oversight of the IT Security Policy and for maintaining and upgrading security equipment
- Computer Security Incident Response Team (CSIRT) is a 24x7 operation that responds to security detection events, inventory events for analysis, and monitors industry trends in IT Security
- Identity and Access Management team is responsible for provisioning and de-provisioning user access
- Network Operations Center (NOC) maintains the communication environment and monitors the network infrastructure for any downtime