[docs] Create Security page

[poliarush]

1. Introduction

   • Brief overview of the importance of security for the SaaS product.
   • Commitment statement to user and data protection.

2. Servers Security

   • Data center security measures.
   • Access control to physical infrastructure.
   • Surveillance and monitoring details.

3. Data Security

   • Data encryption (in transit and at rest).
   • Data backup and redundancy strategies.
   • Data retention and deletion policies.

4. Access Control

   • Authentication mechanisms (e.g., multi-factor authentication, single sign-on).
   • Role-based access controls.
   • User session management.

5. Network Security

   • Firewalls and intrusion detection/prevention systems.
   • DDoS protection measures.
   • VPN and private network access details.

6. Application Security

   • Secure development practices and lifecycle.
   • Regular software updates and patch management.
   • Vulnerability assessment and penetration testing.

7. Incident Response

   • Procedures for identifying and responding to security incidents.
   • Communication plans for users in the event of a breach.

8. Third-party Integrations

   • Security vetting of third-party providers.
   • Ensuring third-party components meet security standards.
   • JIRA integration
   • CI\CD intetegration

9. Compliance and Certifications

   • Overview of industry-specific regulations and standards the SaaS product adheres to (e.g., GDPR, HIPAA, ISO 27001).
   • Details of any security certifications earned.

10. Employee Training and Awareness

    • Onboarding and continuous training on security best practices.
    • Ensuring a security-first culture.

11. Security Audits

    • Details of periodic external and internal security audits.
    • Summary of key findings (if transparency is a goal).

12. User Best Practices

    • Recommendations for users to maintain their security (e.g., password guidelines, ensuring secure connections).

13. Resources and Tools

    • Offer downloadable resources, guides, or tools that can help users understand or maintain security.

14. Feedback and Reporting

    • Contact information or methods for users to report potential security concerns.
    • Encourage a proactive security community.

15. Updates and Changelog

    • Periodic updates on changes made to the security infrastructure or policies.
    • Transparent reporting of past incidents and steps taken to rectify.

16. Conclusion and Assurance

    • Reiterate the commitment to security.
    • Call to action, if any (like encouraging users to reach out with concerns or to read FAQs).

---

Also, users requests following questions, we should have answers for such questions on the page:

• Recent Pentest report along with the Remediation Test report; //thats partially done
• BCP Test results;
• Data center SOC2 type II report;
• What are the RPO and RTO?
• How do you review accesses within your team? Please answer in more detail how you track accesses and manage access requests/revocations. How do you ensure that all access is removed upon an employee’s termination?
• Security Incident Response Plan;
• What SAST do you use?
• Confirm GDPR compliance by providing the GDPR controls implementation summary.
• is there a document specifying how are these credentials securely stored on Testomat. Since these are admin credentials, in case these get leaked, it’ll have a large impact
• Can you check with them maybe if they can set up the Jira integration by us only configuring an API key so we can control exactly what they can get access to and what not?
• Can we also ask if we were to connect the Jira app, what access would they gain theoretically? As in can they theoretically access all projects? I’m not looking here after “what they will access” but “what can they access”.
• It’s also bit sad to see they are not part of the Marketplace Bug Bounty program. And they neither provide privacy not security information. This is concerning. Do you have any additional details on this to give us confidence?
• can pls confirm what project data can be accessed through the jira user? Is it just jira id and issue name or everything?
• where servers are located?
• can user choose server location or data location?

[poliarush]

• Testomat accounts do not have SSO. What is the policy of accounts granted\revoked?
• Also - will each separate JIRA project require individual admin authorization?

[poliarush]

What technical measures protect the data in relation to this asset? Please choose from the following, and/or add your own.

Select all that apply:

1. Access Control Lists
2. Anti-Malware
3. Data Backup
4. Firewalls
5. Logging
6. Mobile Device Management (MDM) Tools
7. Network Authentication
8. Regular Software Updates
9. Other Anonymization
10. Breach Detection Tools
11. Encryption
12. Intrusion Detection Tools
13. Logical Access Control
14. Multi-Factor Authentication
15. Pseudonymization
16. Vulnerability Detection Tools

[poliarush]

What organisational measures protect the data in relation to the product/service provided by this vendor? Please choose from the following, and/or add your own.

1. Acceptable Use Policies
2. Awareness and Training
3. Business Continuity Plans
4. Disaster Recovery Plans
5. Need-To-Know Restrictions
6. Password Policies
7. Regular Test Plan
8. Secure Premises
9. Supervision
10. Tabletop Exercises
11. Other Access Reviews
12. Background Checks
13. Data Processing Agreements
14. Incident Management Plans
15. Non-Disclosure Agreements
16. Penetration Tests
17. Secure Disposal
18. Segmented Access Control
19. Surveillance
20. Vendor Assessments

[poliarush]

I'm undertaking an analysis of Test Management tools and have the following questions on Testomat: a) Does it provide 2FA or something similar in terms of access/logon? b) Where is the data hosted? Is it possible to choose the location? c) Does the Product have ISO27001 Accreditation or similar? If similar what accreditation.

[poliarush]

I just need some additional security documentation for my review. Typically, we look for our vendors to have security documentation to the level of a current SOC2 report, ISO27001 certification, or at least a Security Whitepaper covering industry standards for critical security controls.

Additionally, I can see that you have attached external penetration reports to the vendor form. Are you able to also provide a high level overview confirming actions taken to mitigate the findings within these reports?

[poliarush]

• Considering Data (either in transit, at rest, or at endpoints), and
• Confidentiality, Integrity and Availability of services provided

The Answer needs to be provided with either of the 3 options; Yes, No, or Not Applicable, followed by the responses in detail for all the questions.

Meanwhile, if you can share the SOC 2 report, ISO 27001:2013 certificate, and Information Security Policies, to enable us to begin the Vendor Security review process?

[poliarush]

• Control Group Control Question
• Information Gathering Which Cloud Service Provider (CSP) is used by the Vendor?
• What is the deployment model used? (Private Cloud/Public Cloud/Hybrid Cloud/Community Cloud)
• Is there a segregation implemented between tenants data? If yes, explain in detail.
• "What is the type of data hosted on the cloud environment?
• (i.e. secrets, confidential, PII ). Please specify the data fields collected."
• What is the service delivery model being used? (IaaS/PaaS/SaaS)
• What is the mechanism used for integrating the solution with our organization's environment ? (E.g. API, VPN, SFTP, etc.)
• Control Group Control Question
• Architecture Please provide the application architecture and Data flow diagram.
• Asset Management Does the organization maintain its asset inventory for all software and hardware assets to ensure there are no unsecured assets left within the network?
• Data Backup & Restore Does the vendor has robust backup procedure? If yes, what is the backup schedule?
• Data Backup & Restore What is the frequency at which organization performs backups of business-critical data? Share details of the backup plan.
• Data Backup & Restore Are backups regularly tested to validate the accuracy and integrity of the data and their ability to restore data as quickly as possible with the least business impact in case of an attack on the availability of data ? When was the last testing activity performed ?
• BCP and DR management Does the vendor has documented and tested Business Continuity (BCP) and Disaster Recovery Plan (DRP) available? If Yes, attach the BCP plan and specify information around availability zones.
• BCP and DR management Does the organisation ensure high availability of business critical infrastructure to ensure business continuity requirements are met in case of an incident?
• BCP and DR management What are the RTO and RPO timelines as per BCP plan?
• BCP and DR management Does the organization perform a Disaster Recovery (DR) drill to ensure the effectiveness and efficiency of its disaster recovery plan?
• Data Security Does the vendor have access to organization's data? If yes, please provide the purpose and the data set collected?
• Data Security Does any integration module require the Admin credentials? if yes, please explain
• Data Security What are the measures implemented to ensure security of data collected? Also, specify who all have access to this data?
• Data Security Are access requests to data stored being logged and monitored ?
• Data Security If data is being stored in shared environment, what are the security controls in place to segregate the data from other tenants’ data?
• Data Security If other tenants’ information / data gets compromised, how does the vendor ensure that the organization's data is not impacted? Explain in detail.
• Data Security Does the organization implement encryption for the transmission and storage of sensitive and confidential information as per the relevant compliance requirements of the organization ? Specify the encryption algorithm used.
• Data Security What is the retention time for storage of data which is required for legal, regulatory, and business requirements?
• Data Security What is the procedure followed for secure deletion/purging of all information / data from Vendors environment? Give details of the procedure.
• Data Security What is the process of risk assessment for ciphers, key sizes, key exchange control protocols, hashing functions and random number generators?
• Data Security Are compromised keys immediately revoked, destroyed and replaced? Specify the revocation/deletion timelines.
• Identity and Access management Is the procedure defined and followed for user access management for provisioning/ de-provisioning of user access ? Specify the name of the tool, if applicable.
• Identity and Access management Has the organization implemented a identity and access management (IAM) solution? If yes, specify the solution used.
• Identity and Access management Has the organization implemented the removal of system access, user accounts, and associated access rights as part of the process to terminate the contract of employees, temporary employees, contractors, or vendors?
• Identity and Access management Is two factor authentication in place to access the application/system hosted for users?
• Password Policy Has the organization implemented a password policy?, If yes, please specify the password policy rule set implemented.
• Password Policy Does the organization ensure that the vendor supplied default passwords on all computer systems changed?
• Password Policy Does the organization ensure that passwords are rotated at a set frequency?
• Incident management Does the service provider has a formal Incident Response and Management Process / Plan which clearly defines the method of detecting and responding to information security incidents? If yes, are they regularly reviewed?
• Incident management Does the organization track incidents and effectively ensure that the recurrence rate of security events is minimal?
• Incident management Does the organization have Security Incident Response Team (SIRT) to provide timely response to security incidents? Specify the Email address used for incident reporting.
• Logging and monitoring Please provide details about Logging and Monitoring solution configured for recording privileged user activity, authorized and unauthorized access attempts, system exceptions, information security events etc. Kindly attach relevant evidence for the same.
• Logging and monitoring Has the organization implemented a Security Incident and Event Management (SIEM) solution? If yes, specify the solution used.
• Logging and monitoring Are historical statistics available on the number of attacks detected and blocked? If yes, give evidence showcasing the statistics.
• Network security Is the network connectivity between organization/Vendor premise and cloud setup encrypted with latest encryption methodology? If yes, specify the tool/ service/ encryption algorithm used.
• Network security What steps has the organization taken for network segregation of WEB, Application, Database, Management console, UAT for preventing the movement of an attacker in case of a breach?
• Network security Has the organization implemented security hardening of its network and security devices? Give details of the hardening guidelines used.
• Network security Does the organization have a Next-Generation Firewall (NGFW) solution capable of in-line Deep Packet Inspection (DPI) to reduce risks arising from network vulnerabilities? If yes, specify the tool/service used.
• Network security Has the organization implemented a Network-based Intrusion Detection and Prevention (NIDS/NIPS) solution to detect and prevent any malicious activity by monitoring the network traffic? If yes, specify the tool/service used.
• Network security Has the organization implemented active and passive network discovery solutions capable of rogue device detection within their network so that only authorized devices are given access, while unauthorized and unmanaged devices are found and prevented from gaining access? If yes, specify the tool/service/method used.
• Network security Has the organization implemented a Web Application Firewall (WAF) capable of preventing the exploitation of web application vulnerabilities covering at least OWASP’s Top 10 threats? Please provide relevant evidence.
• Network security What are the security measures implemented to prevent DDoS attacks?
• Network security Has the organization implemented load balancing techniques to maintain the availability of critical resources?
• Network security What security measures are implemented by the organization to ensure confidentiality of data in transit when employees are connecting remotely?
• Network security What measures are implemented by the organization to ensure security of customer data in transit? Explain in detail.
• Host Security Has the organization implemented host-based firewall solutions on end-user devices and servers?
• Host Security Has the organization implemented a host-based intrusion detection and prevention solution (HIDS/HIPS) on end-user devices and servers to detect and prevent any malicious activity on assets?
• Host Security Name the anti-malware solution implemented on end points by the organization?
• Host Security Has the organization implemented an application whitelisting solution on end-user devices and servers to limit the use of only authorized licensed applications on the assets? Explain the process used in detail
• Host Security Name the DLP Solution used by the organization.
• Host Security Does the organization restrict the use of legacy (out of date/end of life) software and/or hardware that is officially not provided with security updates by manufacturers/providers (e.g. Windows XP) to prevent risk arising from legacy systems?
• Host Security Name the Mobile Device Management (MDM) solution implemented to monitor, manage, and secure employee's mobile devices?
• Vulnerability Management and Penetration Testing Specify the frequency at which the VAPT is conducted in the organization. Please share the latest VAPT report.
• Vulnerability Management and Penetration Testing Specify the security best practices followed as part of SDLC
• Patch Management What are the Patching timelines for application and OS patches? Also, specify patching timelines for critical and high risk vulnerabilities.
• Change Management Does the organization have a defined Change management procedure in place?
• Change Management Is there a provision between your organization and customer to notify on the change of infrastructure / security configuration? If yes, specify the timelines and process for notification.
• Policy, Procedures, Standards, & Guidelines What are the security policies, procedures, standards & guidelines followed by Vendor?
• Policy, Procedures, Standards, & Guidelines Does the organization perform a cybersecurity risk assessment prior to conducting business with all third-party vendors and a continual assessment every financial year to identify if all their third-party security requirements are met?
• Certification Does the vendor comply with the applicable industry certifications such as ISO 27001, PCI-DSS, COBIT, SOC etc.?, if yes, please share the list of all certifications and attach the reports.
• Virtualization Does the Vendor ensure the integrity of all virtual machine images at all times? Are any changes made to virtual machine images logged and an alert raised?
• Virtualization Are secured and encrypted communication channels used for migration and, is the network segregated from production-level networks for migrations?
• Virtualization What access control mechanisms are in place to access hypervisor (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles)?
• HR Security Are security roles and responsibilities of employees, contractors and Third Party users defined and documented in accordance with the organization’s information security Policy?
• HR Security Will background screening be performed on all candidates for employment, employees, contractors and or other Third Party users prior to allowing access to customers data?
• HR Security Are new hires, employees, contractors, or other third party users who handle personal data required to sign any confidentiality agreements upon being hired?
• Awareness Training What type of Information Security and Privacy Awareness Trainings are provided to employees? Also, specify the frequency of such trainings.
• Physical and Environmental Security Are the Physical and Environmental Security measures implemented in the organization?
• Physical and Environmental Security Is the visitor access to the organization premises is restricted and provided only after the approval?
• Privacy What are the breach notification timelines?
• Privacy Applicable only if customers PII is collected : Does the organization maintain a PII inventory ?
• Privacy Does the organization maintain a privacy policy ? Please provide the privacy policy.
• Privacy Applicable only if customers PII is collected : Specify the customer PII data retention timeline upon termination of contract.
• Privacy Applicable only if customers PII is collected : Does the organization perform DPIA?