Policies & Procedures - Plum by Xoxoday

Answers Do you have a disciplinary process for non-compliance with information security policy, and are employees made aware of the consequences for non-compliance? We have the disciplinary process in place for Non-compliance with Information security Policy and we have communicated and made aware of the consequences for non-compliance. Do you have an employee termination or change of status process? We have the employee termination process in place. Do you have documented information security baselines for component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)? We have implemented the information security policy and Hardening Guidelines. Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements? We have implemented the Data Retention and Disposal Policy and attached the same for your referrence. • Storage Period would be as per regulatory conditions. • Personal data can be deleted based on a formal written request, with justification. • Xoxoday would delete the data within 30 days of receiving the request. Do you perform, at minimum, annual reviews to your privacy and security policies? All our Privacy and security policies are reviewed every year and approved by the management. Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods? At Xoxoday we have developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013 standard and SOC II attestation. The information security team assesses security risks annually and on an ongoing basis when major changes occur or when industry changes occur. Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines? Yes. We have implemented the Data Encryption policy Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers? Yes. We have the policies and procesures in place as per the compliane requirements. Is classification inclusive of all media types (electronic, hard copy)? Yes. classification inclusive of all media types. Does your organization have policies and standards in place for the handling of Media? Yes. we have implemented the Media handling procedures. Is there capability to support client media handling policies and standards? We follow Xoxoday media handling procedure. Are there policies and standard in place for the secure storage of hard copy media? Internal repository? Third-party contractor? Yes. It’s a part of Media handling procedure and Information security policy implemented. Are there policies and standards in place for the secure destruction of media? Yes. we have implemented the Data Retention and Disposal Policy. Does the organisation have written information security policies? Yes. We have a written Information security policy. How often the policy are been reviewed? These policies are reviewed anually or whenever changes made to it and approved by the management as per the compliance requirements. Does the organisation have a written password policy that details the required structure of passwords? Yes. We have implemented the Password Management Policy Have the information security policy and standards been approved by senior management? All the information security policy and standards been approved by senior management. Has the organisation implemented an IT Governance framework such as ITIL, ISO 27001/22301, SSAE18 (SOC) and others? Yes. Xoxoday is ISO 27001:2013, SOC 2, CCPA/CPRA, HIPAA, CSA START, GDPR certified organization. Is access restricted to systems that contain sensitive data? We have implemented the access control policy and access will be provided only upon need and approval basis. Attached the access control policy. Does the software development lifecycle in the organisation specifically focus on security? We focus on the security while producting the softwares. Is code review performed on all changes to the source code with an emphasis on secure coding principles? It’s a part of our system devolopment life cycle. As per the customer policy, personal devices (BYOD) are restricted. If BYOD is permitted to process/access/storethe customer scoped data, are there appropriate approval obtained from the customer for the same? We have implemented the BYOD policy and all our employees follow the Xoxoday Information security and IT Policies. Is there a process to perform modify / change the access review process for additional focus on remote access connections to client (the customer) network? Yes. we have implemented the access control policy. Is there a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors)? We have implemented the Risk Management Procedure Is there a Documented Information Security Policy approved by management? If yes, is the same communicated to all employees? Yes. Its approved by the management and communicated to all the employees. Are the key roles and responsibilities of the organizations Information Security Processes covered as a part of IS policy for the customer activities? Yes. Aattached the Information security policy, Roles and responsibilities policies. Is the Information Security Policy reviewed at regular intervals & on changes in the customer scope of work? Yes. All the policies have been reviewed at regular intervals. Is there a role based access control for accessing critical facilities used for the customer operations? Yes. We have implemented the role based access control mechanism and only authorised individual will get access. Has the vendor documented detailed procedure for identifying of changes to be notified to the customer, sending an approval request & communication process? Yes, we have the policies and procedures in place and we will notify the customer if there is any changes took place in terms of security and privacy. Does the vendor provider have a management approved change management process for activities of the customer? Yes. We have a Change Management process and approved by the management. Does the vendor’s change management / change control process include some of the following: • Request, review and approval of proposed changes • Review for potential security impact • Security approval • Review for potential operational impact • Approval from the customer (when applicable) • Documentation of changes • Pre-implementation testing • Post-implementation testing • Rollback procedures Yes. We have implemented the change management procedure. Has provider documented a process for handling emergency changes in the customer operations to ensure that these types of changes are carried out in controlled & timely manner? Yes. We implemented the the change management procedure. Does the organization has a mechanism to classify & protect the customer data? Yes. We have implemented the Data clasification policy. Does the vendor follow a defined retention period for the customer data? Does it follow a structured mechanism to remove the customer data once retention period is expired? Yes. We have the data retension and disposal policy. We will have the data till you use our platform and will be deleted upon termnination of the contracts and will confirm. What is your retention policy for retaining these logs? (30 days, 60 days, 1 year, etc) 1 year Does the organization have controls implemented for monitoring the use of all information processing facilities handling sensitive data? Yes. We have implemented data security policy and have controls in place to monitor the processing of personal information. Since we have deployed our application of AWS cloud only authorised individual have an access. Are roles & responsibilities defined clearly for reporting suspected security incidents to the customer? Is root cause analysis performed? Yes. We have the incident management response team and roles and responsibilities has been clearly defined. As per our policies and procedure we condut Root Cause Analysis report (RCA) including the details of Business Impact, Issue Description, Root Cause, and Corrective Actions. Is a list of Emergency contact names and phone numbers of your company, client and Vendor clearly defined and readily accessible to allow prompt escalation? Yes. We have communicated on this to a concerned parties. Is there adequate segregation of duties to protect the the customer operations network where appropriate? Yes, we segregated the duties. Is 2-factor authentication used for very critical applications? Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems. Does the development team have access to production environment? We have segregated the teams according to their roles and responsibilites. Please explain your Software Development Lifecycle. • Do you have a process for the review of applications source code for security flaws and backdoors? • Describe who performs this process • Describe when in the software development life cycle is it performed We have the SDLC Procedure and attached the same for your reference. We have defined rules and guidelines for secure development of software and systems. Is a media labelling procedure in place, with sufficient information? Yes. We have implemented the media protection procedure. Is there BCP plan / policy covering people, process & systems related to the customer operations? Is it communicated to concerned employees? Yes. We have BCP policy and procedures in place and test it every year. Do you have a documented password management policy ? Have you deployed password security controls within the environment on application, OS, database and network layers ? At Xoxoday we have implemented the password management policy. Attached the same for your referrence. We have deployed password security controls accross the organization for maximum security. Do you have a policy/procedure on change management ? Are all changes to production environment recorded and follows the change management procedure ? Attached the Change Management Procedure. All the chnages to production environment is recorded and followed the change management procedure. Do you maintain an asset classification schema at par with BSLI Information classification policy and maintain a mapping of the same ? We have implemented the Asset classification policy. Attached the policy for your referrence. Has a formal policy been developed that addresses the risks of working with mobile computing facilities, including requirements for physical protection, access controls, cryptographic techniques, back-up, and virus protection? We have the policies in place and audited during the internal and external audits. We have the policies with regards to Access control, Ceyptography, Anti virus protection, Back up and recovery etc.. Is the acceptable use of assets policy documented ? Yes. We have implemented the Acceptable Usage Policy Is there a clear desk and clear screen policy in force in the organization? Yes. We have implemented Clear Screen and Clear Desk Policy Whether the Information Security Policy is reviewed at ‎planned intervals, or if significant changes occur to ‎ensure its continuing suitability, adequacy and ‎effectiveness ? Whether the management review of the information security policy documentation is recorded ‎? All the information security policies has been reviewed annually or upon any changes to the policies. All the management review and approvals has been recorded. Has your organisation identified employees and resources (e.g., suppliers, subcontractors, products, and logistics) that are critical for business continuity in the event of a pandemic. Attached the Business continuity documents. Describe the backup and retention policy proposed, including the possible capacity to restore a VM to a previous state in time. Also detail how frequently backup/restore tests are performed. Data backups are done daily and in a secured way in AWS. Attached the Backup Recovery Procedure. Provide your IS Security Policy (or Information Security Management Program) as well as Data Security and Privacy Program and describe the associated magement system (review, monitoring, method to share this information with tenants, etc.). Attache the Information Security Policy and Data Security policy. Provide your Endpoint Security Policy Attached the policies with regards to - IT, Virtual Private Network, Threat and vulnerabilities, Virus management, patch management, access control, logging and monitoring etc. Provide the technical security policies implemented on all components of your infrastructure (microcode vulnerabilities, HSM management, Management of the virtualization, Hypervisors, OS, network elements, etc…) inclusive of custom changes or solution-specific modifications of these elements (especially hypervisors). Also describe the management system in place to monitor continuous compliance to these policies. Attached the below mentioned policies - 1. Cloud Computing Security Policy 2. Encryption Policy 3. Password Management Policy 4. Threat and Vulnerability Management 5. Infrastructure Change Control Procedure 6. Virtual Private Network Policy 7. Information Classification Policy 8. Cyber Crisis Management Plan 9. Network Access Control and Security Procedure 10. Information System Acquisition Development and Maintenance Procedure Describe how you implement Segregation of Duties and monitor potential conflict of interests The policy, process, and procedure is implemented to ensure proper segregation of duties. Provide the standard contractual RACI between your teams and the tenants’. Attached the Roles Responsibilities_Authorities Policy. What file integrity (host) and network intrusion detection (IDS/IPS/WAF) systems using signatures, lists or behavioural patterns have you implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Provide an overview of how these tools are updated and controled. Yes, all the mechanisms related to security and policies are implemented to facilitate timely decision and investigation by root-cause analysis. These incidences are analyzed with network intrusion detection (IDS) tools. Describe the change management in place and how changes performed on the infrastructure (virtual or physical) are monitored and logged We have implemented the change management procedure. Attached the Change Management Procedure Provide an overview of your security incident response plan, showing your contacts with local authorities, the possibility to integrate customer’s requirements, roles and responsibilities between the provider and the customer during a security incident, how you manage responses to litigation hold or legal subpoenas for a specific customer. The overview should mention how frequently the plan is tested, and what type of information is made available to customers (statistical information, information to affected customers only, etc..) in case an incident occur. Attached the Security Incident Reporting \ _ Response Procedure Does the organisation have written information security policies? Yes. We have a written Information security policy. Attached the same for your reference. How often the policy are been reviewed? These policies are reviewed anually or whenever changes made to it and approved by the management as per the compliance requirements. Does the organisation have a formal change control process for IT changes? We have implemented the change management Procedure. All the IT changes takes place as per the Change management procedure. Attached the same for your reference. Are all systems security configuration standards documented and based on external industry or vendor guidance? Attached the IT policy. We also have communicated these to all the employees to spread awareness among them. Is there formal control of access to System Administrator privileges? We have implemented the access control policy and access will be provided only upon need and approval basis. Attached the access control policy. Does the organisation have have a established business continuity / Disaster recovery management framework? Attached the Business continuity policy. Does the oragnisation has Business Continuity / DR Plans? Attached the Business continuity plan Is code review performed on all changes to the source code with an emphasis on secure coding principles? It’s a part of our system devolopment life cycle. Attached the policy. Is there a formal change control policy or process within your organisation supported by source code and release management tools? Attached the Change management process. Does your organisation have a formal vendor management program that evaluates information security for your suppliers? (for example attestation reports / SOC 2 Type 2 reports review, site assessments) Attached the Supplier Management Procedure As per the customer policy, personal devices (BYOD) are restricted. If BYOD is permitted to process/access/storethe customer scoped data, are there appropriate approval obtained from the customer for the same? We have implemented the BYOD policy. Attached the same for your reference. Is there a process to perform modify / change the access review process for additional focus on remote access connections to client (the customer) network? Attached the Change management process. Is there collection of, access to, processing of, or retention of any client scoped Data that includes any classification of non-public personal information or personal data of individuals? Please find attached Data Protection Policy and Data Retention and Disposal Policy Is a Training and Awareness Program maintained that addresses data privacy and data protection obligations based on role? Data privay and Data protection is a part of our Infoarmation security awareness training. Is there a mechanism to classify data as per the criticality and requirement ? Yes. Attached the Information Classification Policy what backup and disaster recovery plans are in place to avoid data loss / service loss in the time of contingency We have Business Continuity Policy and Business Continuity Management Procedure in place and tested periodically. And also, our Policies has been reviewed and Audited annually. Attached the Business continuity policy, plan and procedures. We have test the BCP every 12 months and this has been reviewed as a part of Internal and external Audits. Share the security policy you have to protect your environment. Attached the Information security Policy Share the business continuity and disaster recovery plan including DR diagram, RTO & RPO Attached the business continuity documents. Cloud supplier has a written information security program that contains appropriate administrative, physical and technical safeguards, consistent with best practices, to protect personal information against unauthorized loss, use, disclosure, alteration or destruction. E2. Program includes regular risk assessments and updating of security measures in view of changing threat profile. Attached the Information Security Policy and Risk Management Procedure There is a proper change management process in place to protect the customer data integrity, for addressing changes to the common environment, and that all tenants are notified about in advance. Yes, We have implemented the change management procedure and atatched the same for your referrence. The changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. There is a Software Development LifeCycle (SDLC) process in place for the development of the software providing services to the customer, where security is incorporated in each phase.

We have implimented the systems development life cycle (SDLC) and atatched the same for your referrence. 2. Our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase. 3. We also conduct vulnerability and penetration testing and fix the identified observations. 4. Upon passing all the security and quality checks the new version of the product will be released.

Does the cloud provider have a disaster recovery plan? Does the plan say what triggers a recovery, how long does it take to recover or restore data from backup? Xoxoday has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people and process support during any crisis or business interruptions. The BCP and DR Plan is tested and reviewed on a yearly basis as per the compliance requirements. Does the contract empower the customer to audit processing operations on personal data performed by Supplier and its sub-contractors? We provide applicable compliance Policies/Procedures, Audit/attestation reports, certifications etc.. on need basis. Is there a change management procedure in place pertaining to the information security management? Kindly share the artefacts? Attached the Change Management Procedure How are incidents identified, managed, communicated and contained? is there an incident management framework in place? if Yes, kindly share the artefact Attached the Security Incident Reporting & Response Procedure. Describe procedures used for business continuity and disaster recovery that would include your applications and all data, as well as evidence that you have tested those procedures during the past 12 months. We have Business Continuity Policy and Business Continuity Management Procedure in place and tested periodically. And also, our Policies have been reviewed and Audited annually. Attached the Business continuity policy, plan and procedures. We have tested the BCP every 12 months and this has been reviewed as a part of Internal and external Audits. Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? As per the compliance requirement and Business continuity policy we test the BCP plan every 12 months or upon significant organizational or environmental changes. The vendor should detail their HA and DR plans, including recovery point objective (RPO) and recovery time objective (RTO) targets, geographic diversity in their hosting arrangements, and any periodic testing that takes place. We conduct the BCP/DR Test on an annual basis as per the compliance requirements and audited during the internal and external audits. Our RTO & RPO is 60 minutes, Attached to the BCP/DR Policy. If the answer for #6 is yes, then how often is it? Also, do you make testing backups a routine task to ensure that the data is valid and accessible as intended? Data backups are done daily and in a secured way in AWS. We also do test to comply with the business continuity plan. Do you have a Business Continuity Plan to ensure service availability under extreme situations such as power outages/natural disasters? Yes. We have Business continuity plan. How is a planned and unplanned service disruption communicated? We communicate as per the BCP or the agreements or contracts Do you have a procedure for securely destroying hard copy sensitive data? Yes. We have Media handling procedure. Please ensure your documented information security policy has been uploaded in section in ‘Service Overview’ Sure. We will provide the same. Do your information security and privacy policies align with industry standards (ISO-27001, NIST Cyber Security Framework, ISO-22307, CoBIT, etc.)? Yes Do you have a policy exception process? We adhere to all the policies and procedures of the organization. Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? Yes. We have disciplinary policy Are all personnel required to sign an Acceptable Use Policy? Please attach Yes. See Acceptable Use Policy attached. Do you have a policy exception process? We adhere to all the policies and procedures of the organization. Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? Yes. We have disciplinary policy Protecting against non-human sources of risks We are ISO 27001:2013 and GDPR Compliant organization. We have policies and procedures in place to comply with all the requirements and working effectively. We have Information security policy, Mobile Device Management Policy, Encryption Policy, Password Management Policy, Risk Management Procedure, Email Security Policy, Access control policy etc as per the compliance requirements. We also have implemented end point security in all our computers and servers to make sure that the data stored are safe, secure, and Protecting against non-human sources of risks. Have all information security responsibilities within your organisation been defined and allocated including: maintaining appropriate contacts with relevant authorities and groups ensuring information security is addressed in project management ensuring that conflicting duties and areas of responsibility are segregated Yes. We have a well-defined policy for roles and responsibilities. We have communicated each employee about their responsibilities across the organization. We do maintain appropriate contracts with relevant authorities and ensure that applicable regulations are complied with Are these policies, approved by the senior management within your organisation, regularly reviewed and communicated to all your staff? Yes. How will you decide which of your staff (support, development etc.) need access to the the customer system and data? How will you manage that access and what controls are in place, to ensure that privileged access rights will be restricted and controlled? We have an access control policy. The policy is attached for reference. Only authorised employees will have access to the data. Who will have access to log files and how is access controlled? Authorised Xoxoday employees only will have access controlled per the relevant policies attached Do you have an information security incident response plan in place to ensure effective response and management of information security incidents? Yes Will password hashing be used within the system? If so to what standard and will any salting be used? Yes We store password hashed. We have SHA512 hash with unique salt for every password User identity shall be always verified before performing passwords resets and it shall be conducted only by authorized personnel. Resetting passwords on behalf of somebody else is forbidden. Any exception of this rule should be documented and approved accordingly. We have implemented the Password Management Policy. Only verified or authorised users can reset the password. No one can reset the password on behalf of somebody. We also follow the best practices for Password Protection and incorporated the same in the Password Management Policy. Ensure that change control procedures are in place to maintain program source code and associated items. All the changes takes place as per the change management procedure. Security shall be considered at all stages of the life cycle of an information asset (i.e. feasibility, planning, development, implementation, maintenance, and retirement) in order to: - ensure conformance with all appropriate security requirements, - protect sensitive information throughout its life cycle, - facilitate efficient implementation of security controls, - prevent introduction of new risks associated with systems modifications, - ensure proper removal of the customer data when the system is retired or disposed. We have implemented the SDLC policy and made applicable to all the development and maintenance services, architecture, software and systems that are part of the Information Security Management System. Information security requirements for Systems and Assets shall be identified and documented. Implemeted the asset management policy Systems and application development ether performed internally or by third party shall: - Follow a Secure Software Development Life Cycle (S-SDLC). - Perform Threat Modelling throughout Secure Software Development Life Cycle. - Include Quality Assurance (QA) process. - Include thorough and rigorous testing and verification of security functionality during the development processes for new and updated systems. Detailed schedule of activities and test inputs and expected outputs under a range of conditions, in proportion to the importance and nature of the system shall be included. - Ensure that secure coding (code reviews, static/dynamic code analysis, vulnerability scans, industry certifications etc.) and development practices are utilized. - Ensure it has the capability to perform security risk assessment of software and hardware components and shall be able to support the customer when security information is needed. - Provide a list of third-party components and libraries used in system or application and ensure no inherited risk is been introduced by this use. - Ensure control and document changes within the development lifecycle: o Through the use of a formal change control process. o Maintaining an audit trail of all change requests. o Mandating a risk assessment, analysis of the impacts of changes and specification of security controls needed. o Ensuring that any change does not compromise existing security and control measures. o Ensuring that existing documentation is updated as needed to remain appropriate. o Ensuring that testing is performed in an environment segregated from both the production and development environments and results are documented. o Considering, based on change perceived risk, an extra independent acceptance testing to validate if the system behaves only as expected. We are compliant. Attached the SDLC procedure. We folow General Coding Practice, test the information security features, Vulnerability scanning, Penetration Testing etc and mitigate all the risks identified. Protection of physical media and any device in transit carrying information/data must be according to the highest level of information sensitivity it will contain. This may include physical locking mechanisms, digital encryption and/or packaging sufficient to prevent harm from environmental (e.g. extreme heat/cold, moisture), electromagnetic, or radiation exposure. We have implemented the Media protection procedures in order to make surer that the data is protected if we store it in any external drives. Physical media carrying “Secret” information shall be documented. We have implemented the Media protection procedures in order to make surer that the data is protected. Receipt notifications or other tracking mechanisms shall be implemented. We have asset management policy and Media protection procedure to track the customer maintain the records. For each asset, document the entity’s required maintenance designed to support the availability and integrity of the equipment. It’s a part of of Asset management policy. Any hardware/software change in the systems, assets and networks shall follow the Management of Change (MoC)/Change Request. We have implemented the change management procedure Security aspects shall be taken in consideration for reviewing of all major software changes and upgrades to the systems. We have implemented the change management procedure System capacity requirements shall be identified and aligned with business goals, objectives and criticality. Capacity management has been well defined in our IT Policy For updates such as OS and application patches, firmware, drivers, fixes, security updates, etc. as part of maintenance/service activities, necessary internal approval shall be obtained and performed by authorised personnel. It’s a part of our change management and IT Policy. Physical Access Controls. · Allow access on a need-to-access basis; · Adopt single or double authentication; · Adopt alarms. We have Implemented the Physical security Policy and allowed access to only an authorised individual. Physical security level associated with information asset’s location shall be identified based on information asset’s criticality, vulnerabilities, and threats to that particular information asset. We have protected all the area as per the physical security Policy and allowed access to only an authorised individual. Monitoring and review of third parties’ services shall ensure that the security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly. We have implemented the Security Incident Reporting & Response Procedure All changes communicated by the external/third party to the customer shall be performed in accordance with the customer Change Management processes. Attached the application Change management procedure Each critical system shall have a recovery procedure with defined RTO/RPO. This shall be decided based on business impact analysis (HSE, financial, operational or reputational impacts to the business and customers). Our RPO/RTO is 6 mins. Attached the Business continuity documents Any changes or updates to the Disaster Recovery Plans shall be communicated to all concerned stakeholders internal and external to organisation. The BCP Test and lessons learned has been documented. The management of information security incidents in the customer shall follow an established process: • Preparation; • Detection and Analysis; • Containment, Eradication, and Recovery; • Post-incident Activity. We have implemented the Incident Management Procedure and attached the same for your reference Information security incident documentation shall include: · All information security events identified and their characterisation (entry points, spread methods, services/data/assets impacted, etc.). · Lessons learned from real incidents and from the training exercises. · Collection and preservation of forensics analysis data, to serve as evidence. Its part of our Incident Management Procedure Employees and third parties shall note and report any observed or suspected information security event or weaknesses in the customer environment. We report the incidents Service Provider shall have solid security incident management process, including a computer security incident response team (CSIRT) that has been trained to handle security incidents. This process should in line with the customer security incident management requirements Attached our Incident management procedure. Are the processes for User Administration (including user identification and adding / removing user accounts) compliant with ISO27002? Yes. We have Policies and procedures in place. Our application also support for adding and removing users. What type of DR options do your provide for my data within your offering? We have implemented policies and procedure with regards to DR. Since we have deployed our application on AWS cloud they only provide DR Services. Are the processes for User Administration (including user identification and adding / removing user accounts) compliant with ISO27002? Yes. We have Policies and procedures in place. Our application also support for adding and removing users. Do you have a formal information classification procedure? Please describe it. In particular, how would sensitive data be categorised? For example, critical, essential, and normal. Yes. We have an Information Classification Policy and attached the same for your referrence. Information classification policy is primarily concerned with the management of information to ensure that sensitive information is handled well with respect to the threat it poses to an organization. It also demonstrates how gathered data is being used and structured within an organization to allow authorized personnel to get the right pieces of information at the right time, while also ensuring that only those who are authorized can view or access information. Sensitive data has been categorised as Confidential, Restricted, Internal, Public etc.. Have formal acceptable use rules been established for assets? Example assets include data assets, computer equipment, communications equipment, etc. Do you have formal processes in place for security policy maintenance and deviation? Yes. We have implemented the Acceptable Usage Policy and attached the same for your referrence. The policy outline the usage of Email, Computer Resources, Internet, Clean Desk and Clean Screen, Punitive actions, General guidelines etc.. We have a formal processess in place for security policies review and approval by the top level management as per the compliance requirements. Do you have a process that addresses: the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (Insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied? Yes. Xoxoday has developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013 standard and SOC II compliance. The information security team assesses security risks annually and on an ongoing basis when major changes occur or when industry changes occur. Xoxoday Risk management process includes Risk Treatment, Mitigating Actions, Action Owners, Action Due Dates, Risk Acceptance, Risk Mitigation, Risk Avoiding, Risk Transfer, exceptins etc.. We also conduct the Risk assessment on annual basis and this has been audited as a part of an internal and external Audits. Is there a facility security plan? Yes. Attached the Physical and Environmental Security Procedure. Are there policies and procedures require to documenting repairs and modifications to physical components of the facility that are related to security? Yes. All the repair/modification or installation will be as per the change management procedure upon appropriate approvals. Whenever there is a requirement for additions or changes impacting security of the site, approval shall be taken from the site, Physical Security team prior to implementation. Attached the Physical and Environmental Security Procedure Do you have a mechanism to back up critical IT systems and sensitive data? i.e. nightly, weekly, quarterly backups? Taken offsite? a) Have you had to restore files after a systems outage? Does a Disaster Recovery plan exist for the organization and does it consider interruption to, or failure of, critical IT systems? a) Are disaster recovery plans updated at least annually? b) If not, has the backup and restoration process been tested? Yes. Data backups are done daily and in a secured way in AWS. All the data backup will be stored on AWS virtual platform cloud. We also have implemented the Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working. Out DR/BCP plans are reviewed and approved by the management and tested on annual basis as per the compliance requirements. DR/BCP controls are validated during the internal and external audits. Data purging policy for the customer related process. We have Data Retention and Disposal Policy. Our data cleaning process goes through an organized purge. Once the data is purged, it’s purged from all places. Please share details of Data Backup Procedures. Data backups are done on daily and in a secured way in AWS. Attached the Backup Recovery Procedure. Is the data classified top secret/ confidential /PII stored separately from public data / data of other organizations residing on same cloud ? Yes Share the privilege account reconciliation policy. Access to data and systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access. We have role-based access system through access control policy to make sure that only the authorised individual has access to the required information. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles Share the security policy you have to protect your environment. Attached the Information security Policy Is there a managed process in place for developing and maintaining business continuity & Disaster Recovery?If yes please explain and share evidence? Yes. we have implemented the Business Continuity Plan to ensure that the data is managed during the conduct of business in a safe and secure manner in delivering the business values to the interested parties. Attached the BCP/DR policies and procedures. Do you have an Acceptable usage policy? If yes please explain and share evidence? Yes. we have Acceptable usage policy to outline the acceptable use of Information Security at Xoxoday.This policy applies to all employees – part time or full time, temporary or permanent, service providers with in-house engineers or consultants, contractors, and other workers at Xoxoday, including all personnel affiliated with third parties. This policy applies to all Information Security that is owned or leased by Xoxoday. Attached the Acceptable Usage Policy Incident management policy and procedure Attached the Security Incident Reporting & Response Procedure and ncident Management Procedure Follow change control processes and procedures for all changes to system components, applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. We adhered to the change management procedure and all the changes to the production systems will be upon review and approval of Chief Technology Officer (CTO) Attached change management procedures. Formally define and approve process controls for implementing minimum security requirements. We have implemented the change management policy and all the changes to the platform takes palce as per the compliance process. Application in context shall develop a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements. Provides recovery objectives, restoration priorities, and metrics. Addresses contingency roles, responsibilities, assigned individuals with contact information. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; Periodic & surprise execution of Contingency plan to conducted/ tested, results are to be documented, retrospected to update/ upgrade the Contingency plan Application teams to ensure that the contingency plan Is reviewed and approved by the authorized personnel of PSJH periodically. At Xoxoday we have a documented Business Continuity and Disaster Recovery Plan defined and implemented to enable people and process support during any crisis or business interruptions. Appropriate roles and responsibilities have been defined and documented as part of the BC plan. At Xoxoday the BCP and DR Plan is tested and reviewed on a yearly basis. The BCP and DR plan of Xoxoday is reviewed and audited as part of internal and external audits. Enforce controls over external file sharing. We have implemente the Software Development Life Cycle (SDLC) procedures and attached the same for your reference. We have controls on external file sharing. Detail out the process in place within the organization for a) identifying and reporting information security incidents b) responding to information security incidents (e.g., escalation investigation, containment and eradication of the cause of the information security incident) c) recovering from information security incidents d) following up information security incidents (e.g., post-incident activities such as root cause analysis, forensic investigation, reporting to the business and notifying relevant authorities of a security breach) e) SLA’s in place for closure of security incidents as per severity Sure. We will provide our Incident Management Procedure Is a cybersecurity policy & standard defined, approved and implemented? Attached the Cyber Crisis Management Plan Is application development follow change management process? We adhered to the change management procedure and all the changes to the production systems will be upon review and approval of Chief Technology Officer (CTO) Is the data is classified within database as per data classification Policy? Attached the data classificaiton policy. Do you have a disaster recovery plan? Yes. A formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people and process support during any crisis or business interruptions. Does the provider have a rigorous physical access protocol? Consider: > All secure areas use card swipe technology / biometric scanners / other technology to control access > A sign-in process exists for third-party individuals (visitors, providers, couriers, etc.) > Visitors to secure areas are escorted by authorized personnel at all times > All employees/contractors / etc. must display security ID badges at all times > All secure and perimeter areas are monitored 24x7x365 by CCTV. Yes. At Xoxoday we have implemented the Physical and Environmental Security Procedure. Physical entries have been restricted based on the role of the personnel within the organization. The restriction will be enforced using electronic locks with access through access cards and biometric machines. Third-party Access - The entrance premise of Xoxoday has been manned by security guards on a 24-hour basis. The guards shall verify all the visitors and direct them to the reception and provide temporary access cards. At the reception, the concerned employee shall be intimated, and he/she will escort the visitor on premises always. CCTVs has been placed at strategic points inside the facility Reception lobby, Entry and exit doors of the Xoxoday office, Entry and exit to parking areas, delivery, and dispatch areas etc. and monitored 24x7x365. Describe the provider’s process to report an incident involving the customer environment/data to the customer Our information security team and Customer support team will inform the POC of Client via email communication with Preliminary Incident Synopsis and Root Cause Analysis report (RCA) including the details of Business Impact, Issue Description, Root Cause, and Corrective Actions Describe the provider’s reporting mechanism for security and/or other incidents. In what format do notifications go out, and what information do they contain? Attached the Incident Management Procedure Will the area be developing a business continuity plan for when the solution/service or data is not available? If so, by when? If not, why not? We have implemented the Business Continuity Policy and Business Continuity Management Procedure and BCP controls has been tested annually as per the compliance requirements and reviewed during the internal and external audits. Is the database comply with identity & access control policy? We have implemented the Identity access management and follow the Access control policy.