Security FAQs
- 1: maiLink Agent
- 2: maiData Corporation
- 3: maiLink Router
- 4: maiLink SRM
1 - maiLink Agent
General
- How is the Agent integrated with the customer infrastructure? The Agent is an independent software module that runs within the product, which is installed and network-connected within the customer’s facility.
- In what year was the Agent first offered? 2022.
- Is the Agent provided as Software-as-a-Service? Yes, via the Partner’s maiLink SRM subscription.
- Is the Agent to be installed in the cloud (not within the customer location)? No, although it works closely with maiLink SRM, which is cloud-based.
- Is the Agent to be locally installed (within the customer location)? Yes, but only as a software component within the product.
- What environment does the Agent run in? The Agent is pre-installed into the product by the Partner.
- What is the purpose of the Agent? The Agent is designed to allow Partners to gain access to the systems and software that they are obligated and authorized to service within Customer facilities.
- Who is the best maiData contact for questions or concerns about Agent security? Adam Zenner, CTO and CISO.
- Why would a Customer permit installation of a product containing the Agent? To allow the Partner to service the product or provide the desired services in the Customer facility.
Access
- Do all Partner employees access the Agent via a single login portal? Yes, via maiLink SRM.
- Does the Agent maintain an account lock-out feature, activated after a number of failed login attempts? Not applicable; users do not log in to the Agent directly. User login is handled by maiLink SRM.
- Does the Agent prohibit re-use of prior passwords? Not applicable.
- Is each Partner's implementation accessed via a unique login portal? Yes, via maiLink SRM.
- What is the URL for the Agent? The Agent does not have a URL.
Audit Logs
- Are the Agent audit records time-stamped? No. The audit logs in maiLink SRM provide that function.
- Are all Agent non-local maintenance and diagnostic activities approved and monitored? Yes.
- Can the Agent be configured to select which auditable events are captured in the audit log? No. The audit logs in maiLink SRM provide that function.
- Do the Agent audit logs contain enough information to establish the identity of the user/subject associated with the event? Not applicable. The audit logs in maiLink SRM provide that function.
- Do the Agent audit logs contain enough information to establish the source of the event? Not applicable. The audit logs in maiLink SRM provide that function.
- Do the Agent audit logs contain enough information to establish what type of event occurred? Not applicable. The audit logs in maiLink SRM provide that function.
- Do the Agent audit logs contain enough information to establish when the event occurred? No. The audit logs in maiLink SRM provide that function.
- Do the Agent audit logs contain enough information to establish where the event occurred? No. The audit logs in maiLink SRM provide that function.
- Does the Agent allow generation of custom audit reports? Yes, through maiLink SRM.
- Does the Agent generate an alert in the event of an audit processing failure? No.
- Does the Agent keep audit logs? Yes, via maiLink SRM.
- Does the Agent protect audit records from unauthorized access, modification and deletion? Yes, via maiLink SRM.
- Does the Agent record Failed Log In events in its audit logs? Not applicable.
- Does the Agent record Files / Records Deleted events in its audit logs? Not applicable.
- Does the Agent record Files / Records Modified events in its audit logs? Not applicable.
- Does the Agent record Files / Records Viewed events in its audit logs? Not applicable.
- Does the Agent record Log In events in its audit logs? Yes, via maiLink SRM.
- Does the Agent record Log Out events in its audit logs? Yes, via maiLink SRM.
- Does generation of an Agent audit report alter the original content or time stamp of the audit record? Not applicable.
- Does maiData maintain records for Agent non-local maintenance and diagnostic sessions? Yes.
- Is the information captured in the Agent audit logs sufficient for system and user performance investigations? Yes, via maiLink SRM.
Authentication
- Does the Agent protect the authenticity of communication sessions? Yes.
- Does the Agent support multi-factor authentication? Not applicable.
- Does the Agent system obscure the authenticator/password during the authentication process? Not applicable.
- Does the Agent uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
- Does the Agent uniquely identify and authenticate devices before establishing communication within the Customer facility? Not applicable.
- Does the Agent use managed LDAP services for identification and authentication? No.
- How does the Agent achieve MFA? Not applicable.
- Is the Agent authenticator content protected from unauthorized disclosure and modification? Not applicable.
- Is token-based authentication used? Not applicable for user authentication; device authentication to the Cloud uses JWTs, as noted above.
Configuration
- How do you do a factory reset on the Agent? Remove and reinstall the software.
- How is the IP address of the Agent configured? The Agent is a software module within the product. The Partner can provide information about configuring the product IP address.
- How is the configuration of the Agent controlled? The Agent configuration is controlled in the Cloud by the Partner.
Credentials
- Can an Agent user request a password reset? Not applicable.
- Can any user with Agent credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
- Can Customer IT personnel be given credentials to the Agent? Yes, if the Partner agrees to provide credentials to the Customer.
- Can the Customer configure the default requirements for passwords? Not applicable.
- Does the Agent allow federation of credentials? Yes, via maiLink SRM.
- Does the Agent require passwords to be at least 8 characters long? Not applicable.
- Does the Agent require passwords to contain at least one non-alphanumeric character? Not applicable.
- Does the Agent require passwords to contain at least one numeric digit? Not applicable.
- Does the Agent require passwords to contain mixed-case alpha characters? Not applicable.
- Does the Agent require passwords to expire every 90 days? Not applicable.
- Does the Agent support federated identity? No. That function is provided in maiLink SRM.
- Must an Agent user establish their own password at first login? Not applicable.
- What are the minimum requirements for an Agent password in terms of length and complexity? Not applicable.
- What credentials does a user need to access the Agent locally (from inside the Customer firewall)? Not supported. All Agent access is done remotely.
- What credentials does a user need to access the Agent remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
- Will the Agent be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by the Customer.
- Will the Agent be used to transmit PCI? Only if necessary, authorized and permitted by the Customer.
- Will the Agent be used to transmit PHI? Only if necessary, authorized and permitted by the Customer.
- Will the Agent be used to transmit PII? Only if necessary, authorized and permitted by the Customer.
- Will the Partner be able to access Customer Internal / Proprietary Information via the Agent? Only if authorized and permitted by the Customer.
- Will the Partner be able to access Employee Information via the Agent? Only if authorized and permitted by the Customer.
- Will the Partner be able to access PCI via the Agent? Only if authorized and permitted by the Customer.
- Will the Partner be able to access PHI via the Agent? Only if authorized and permitted by the Customer.
- Will the Partner be able to access PII via the Agent? Only if authorized and permitted by the Customer.
- Will the Partner be able to receive transmitted data from the Customer, via the Agent? Yes, as authorized and permitted by the Customer.
- Will the Partner have access to a database or application, via the Agent, that stores or transmits Customer data? Yes, as authorized and permitted by the Customer.
- Will the Partner have access to infrastructure, via the Agent, that stores or transmits Customer data? Yes, as authorized and permitted by the Customer.
- Will the Partner have access to the Customer network, via the Agent, for on-site support? No.
- Will the Partner have access to the Customer network, via the Agent, for remote support? Yes, as authorized and permitted by the Customer.
- Will the Partner use Customer computer systems to access and/or transmit Customer data via the Agent? No.
- Will the Partner use Partner computer systems to access and/or transmit Customer data via the Agent? Yes, but what can be accessed is limited to the access authorized and permitted by the Customer.
Documentation
- Does maiData administrator documentation for the Agent include configuration, installation and operation information? Not applicable.
- Does maiData administrator documentation for the Agent include known vulnerabilities regarding configuration and use of administrator functions? Not applicable.
- Does maiData administrator documentation for the Agent include security functions and mechanisms information? Not applicable.
- Does maiData include requirements, descriptions and criteria in the acquisition contract for the Agent? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
- Does maiData maintain administrator documentation for the Agent? Not applicable.
- Does maiData maintain any documentation which includes the details of the Agent's security configuration specifications? Yes. Available on request.
- Does maiData maintain current, accurate documentation of the components in the Agent? Yes.
- Does maiData maintain user documentation for the Agent? Not applicable.
- Does maiData user documentation for the Agent include information on methods for user interaction which make Agent use more secure? Not applicable.
- Does maiData user documentation for the Agent include information on user responsibility in maintaining Agent security? Not applicable.
- Does maiData user documentation for the Agent include information on user-accessible security functions and how to use them? Not applicable.
- Is any non-local maintenance and diagnostic activity performed on the Agent (e.g. via network)? Yes, via maiLink SRM.
- Is there documentation outlining who, when and how the Agent can be configured? Not applicable.
Partner Responsibilities
- Are all approved Agent configuration changes implemented in a timely manner? Not applicable.
- Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
- Does maiData define the timing of Agent patches? No. The Partner is responsible for applying such patches.
- Does maiData ensure that personnel performing maintenance on the Agent have the required access authorizations? No. The Partner authorizes maintenance personnel and provides them with access authorization.
- Does maiData enter access agreements with employees that have access to the Agent? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access the Agent.
- Does maiData have personnel sanctions policies and procedures? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
- Does maiData have termination procedures in place for those with access to the Agent? No. It is the responsibility of the Partner to handle the termination of any of their employees who are authorized to access the Agent.
- Does maiData have third-party access control procedures for external parties granted access to the Agent? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
- Does maiData have transfer procedures in place for those with access to the Agent? No. It is the responsibility of the Partner to handle the transfer of authorization to access the Agent between employees.
- Does maiData maintain a list of authorized maintenance personnel for the Agent? No. The Partner authorizes maintenance personnel.
- Does maiData periodically review access agreements for employees that have access to the Agent? No. It is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access the Agent.
- Does maiData provide remote support / maintenance services that would involve maiData employees accessing the Agent? No, by policy. The Partner may specifically request direct support and authorize access to the Agent by maiData personnel; however, this would not be a common occurrence.
- Does maiData screen individuals prior to authorizing access to the Agent? No. It is the responsibility of the Partner to determine which of their employees are authorized to access the Agent.
- How will the Agent access, transmit or store the Customer's data? The Partner may access, transmit or store the Customer's data using the Agent as a tool. The Agent does not independently access, transmit or store Customer data.
- Who can create credentials for the Agent? Not applicable.
SDLC Procedures
- Are Agent flaws identified, reported and corrected? Yes.
- Are Agent software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes. Because the Agent installs in the Partner’s product, the Partner is responsible for this.
- Are all Agent configuration changes documented? Not applicable.
- Are configurable changes to the Agent documented? Not applicable.
- Do the documented Agent configuration settings reflect the most restrictive mode consistent with operational requirements? Not applicable.
- Does maiData analyze changes to the Agent to determine potential security impacts prior to change implementation? Yes.
- Does maiData apply information system security engineering principles in the Product Development Life Cycle of the Agent? Yes.
- Does maiData approve, control and monitor Agent maintenance tools? Yes.
- Does maiData automatically apply software patches to the Agent? Yes, using an auto-update mechanism.
- Does maiData categorize Agent patches based on severity? Yes, maiData classifies patches as minor, major and critical.
- Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Not applicable.
- Does maiData define a comprehensive life cycle for the Agent? No, but it is planned as part of our ISO 27001 process.
- Does maiData develop, document and implement a configuration management plan for the Agent that addresses roles, responsibilities and configuration No, but it is planned as part of our ISO 27001 process.
- Does maiData document Agent configuration changes that deviate from the established settings? Not applicable.
- Does maiData have a process for identifying configuration items during the SDLC? Yes.
- Does maiData maintain a formal security patch management process for the Agent? No, not at this time.
- Does maiData maintain documented policies and procedures for maintenance of the Agent? Not applicable.
- Does maiData perform vulnerability testing as part of the Agent's Software Development Life Cycle (SDLC)? Yes, using OWASP ZAP (Zed Attack Proxy) to test against Open Web Application Security Project (OWASP) requirements.
- Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
- Does maiData require Agent developers to conform to maiData-approved configuration changes? Yes.
- Does maiData require Agent developers to create and implement a security assessment plan for the Agent? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
- Does maiData require the Agent developers' security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
- How often does maiData perform penetration tests on the Agent? Once per software release.
- Is there active monitoring of Agent configuration changes? Not applicable.
- Is there documentation outlining the baseline configuration of the Agent? Not applicable.
- What environments does maiData use in development of patches for the Agent? maiData uses Development, QA (including Test) and Production environments to verify and validate patches.
Security
- Are strong authenticators/passwords used in the establishment of Agent non-local maintenance and diagnostic sessions? Yes.
- Are there any known vulnerabilities within the Agent? No.
- Can Agent credentials be federated with maiLink SRM? Yes.
- Does the Agent come with its own antivirus solution? No. It relies on the host computer’s antivirus solution.
- Does the Agent come with its own malware protection? No. It relies on the host computer’s malware protection.
- Does the Agent display the last user logon date and time to the user? No.
- Does the Agent encrypt data at rest? Yes, if the function is provided by the host computer.
- Does the Agent encrypt data in transit? Yes, for data transmitted between the Agent and the Cloud.
- Does the Agent have a session lock after a period of inactivity that requires reauthentication? Not applicable.
- Does the Agent include any collaborative devices (cameras, microphones, etc.)? No.
- Does the Agent limit the number of concurrent sessions for the user? Not applicable.
- Does the Agent prevent user actions that can be performed on the system without identification and authentication? Yes.
- Does the Agent provide system use notification that includes privacy and security notices before granting access? No.
- Does the Agent separate user functionality from administrative functionality? Not applicable.
- Does the Agent store passwords in an encrypted format? Not applicable.
- Does the Agent terminate the session after predefined circumstances? Yes, via maiLink SRM.
- Does the Agent use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
- Does the Agent use cryptographic protocols to protect transmitted information? Yes.
- Does the Agent use managed LDAP services for identification and authentication? Not applicable.
- Does the Agent use mechanisms for authentication to a cryptographic module? No.
- Does maiData have any automated or manual monitoring of Agent configuration changes? Not applicable.
- Does maiData restrict or prohibit the use of any Agent functions, ports, protocols and/or services that are not essential? Yes.
- Does maiData retain records of Agent configuration changes? Not applicable.
- Does maiData review proposed Agent configuration changes using defined security impact analyses? Not applicable.
- Has the Agent undergone any major platform changes, upgrades or enhancements in the past six months? No.
- How does the Agent keep Customers secure? The Agent establishes secure communications to the Cloud using a small number of outbound ports, encryption and short-term certificates.
- Is user installation of the Agent restricted and monitored? Yes. Use of the Agent is restricted and must be authorized by the Partner.
- What cryptographic protocols does the Agent use to protect transmitted information, including strength? AES 128-bit.
- What encryption method does the Agent use to encrypt data at rest? Depends on the host computer.
- What encryption method does the Agent use to encrypt data in transit? AES 128-bit.
- What is the inactivity period before the Agent terminates a session? Not applicable.
- What was the date of the most recent Agent vulnerability test? 2021-01-29.
- Will the Agent be used to transmit Customer Employee Information? Only if used by the Partner for that purpose, deliberately or inadvertently.
- Will the Agent be used to transmit PCI? Only if used by the Partner for that purpose, deliberately or inadvertently.
- Will the Agent be used to transmit PHI? Only if used by the Partner for that purpose, deliberately or inadvertently.
- Will the Agent be used to transmit PII? Only if used by the Partner for that purpose, deliberately or inadvertently.
- Are Agent non-local maintenance and diagnostic sessions terminated after completion? Yes.
- Does maiData implement Agent patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
- Does maiData maintain a disaster recovery policy which applies to the Agent? Yes. maiData security policies apply to all maiData products.
2 - maiData Corporation
General
- Business name? maiData Corporation.
- Correspondence address? PO Box 50989, Palo Alto, CA 94303-0989, USA.
- Executive or Officer responsible for incident response? Adam Zenner, CTO and CISO.
- Executive or Officer responsible for information security? Adam Zenner, CTO and CISO.
- Has maiData ever experienced a data breach? No.
- Level of cyber liability insurance? $3M / $1M per incident.
- Location of maiData employees? maiData has a US-based virtual team.
- Number of employees? 6 full-time, 8 contract.
Compliance
- Does maiData maintain FedRAMP? Not directly, but our provider AWS does.
- Does maiData maintain HIPAA? Not directly, but our provider AWS does.
- Does maiData maintain HITRUST? Not directly, but our provider AWS does.
- Does maiData maintain ISO 27001:2013? Not yet, but our provider AWS does. maiData follows ISO 27001:2013 guidance and is in the process of adhering to this standard.
- Does maiData maintain NIST? Not directly, but our provider AWS does.
- Does maiData maintain PCI Compliance? Not directly, but our provider AWS does.
- Does maiData maintain SOC 2 Type 2? Not directly, but our provider AWS does.
- Does maiData maintain SOC 3? Not directly, but our provider AWS does.
- Does maiData maintain SSAE 16 / SOC 1 Type 1? Not directly, but our provider AWS does.
- Does maiData maintain SSAE 16 / SOC 1 Type 2? Not directly, but our provider AWS does.
Data Privacy
- Do maiData team members have access to Customer PHI or PII data? No, unless viewed in the course of providing technical support to a Partner, who controls that access. A Partner may request that maiData enter into a Business Associate Agreement (BAA) with that Partner where the Partner's deployed systems may contain PHI.
- Do maiData team members have access to Partner data? Yes, but limited. maiData has access to Partner billing information and contact information necessary for providing maiLink products and services. maiData has no access to other Partner data unless specifically requested to provide technical support to the Partner, who controls that access.
- Does maiData maintain policies and procedures for access control? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
- Does maiData share Customer data with any third party? No.
- Does maiData share Partner data with any third party? With the permission of the Partner, maiData may publish the fact that the Partner uses maiLink software and quotes about the Partner’s experience in using maiLink software.
Incident Management
- Does maiData have a comprehensive Incident Response Plan? Yes; it is being developed as part of our ISO 27001 process.
- Does maiData have an incident handling process? Yes; it is being developed as part of our ISO 27001 process.
- Does maiData report security incidents to the appropriate personnel / government authorities in a timely manner? Yes.
- Does maiData respond to information spillage in a timely manner? Yes. Any spillage is treated as an incident.
- Does maiData track and document security incidents? Yes.
- Does maiData use incident response resources outside of the incident response team? No.
Quality Policy
- Does maiData document and monitor security training for its employees? Yes.
SDLC Procedures
- Are maiData information security functions outsourced? No.
Security Policy
- Does maiData adhere to information system security engineering principles throughout the Product Development Lifecycle for its products? Yes.
- Does maiData assign risk designations to all positions? Yes.
- Does maiData enter into BA agreements with Customers? Only if requested by the Customer.
- Does maiData enter into BA agreements with Partners? Yes.
- Does maiData establish screening criteria for individuals filling positions of higher risk levels? Yes.
- Does maiData have BAAs in place? Yes, as necessary.
- Does maiData maintain a formal incident response policy? Yes.
- Does maiData maintain policies and procedures for System and Communications Protection? No, but we will be developing these as we move towards ISO 27001:2013 conformance.
- Does maiData maintain policies and procedures for System and Information Integrity? No, but we will be developing these as we move towards ISO 27001:2013 conformance.
- Does maiData maintain policies and procedures for System and Services Acquisition? No, but we will be developing these as we move towards ISO 27001:2013 conformance.
- Does maiData maintain SOC 2 Type 1? Not yet, but our provider AWS does. maiData follows SOC 2 Type 1 guidance and is in the process of adhering to this standard.
- Does maiData perform background checks on its employees? Yes, for full-time employees with access to maiData Information Systems.
- Does maiData perform incident response tests and analyze the results of those tests? No.
- Does maiData review and revise position risk designations periodically? Yes. Every three years.
- Does maiData support the capability to use cryptographic mechanisms to protect information at rest? Yes.
- Is flaw remediation incorporated into the maiData configuration management process? No, but we will be developing this as we move towards ISO 27001:2013 conformance.
- What cryptographic mechanisms and strengths does maiData employ to protect information at rest? AES 128-bit.
Training
- Are maiData team members HIPAA trained? Yes.
- Are maiData team members PHI trained? Yes.
- Are maiData team members PII trained? Yes.
- Are maiData team members provided with incident response training? Yes.
- Do maiData personnel receive role-based security training? Yes.
- Do maiData personnel undergo periodic security awareness training? Yes.
- Does maiData maintain policies and procedures for Personnel Security? Yes.
3 - maiLink Router
General
- Has maiLink Router undergone any major platform changes, upgrades or enhancements in the past six months? No.
- How is maiLink Router integrated with the customer infrastructure? maiLink Router is an independent software device that is network-connected within the customer's facility. The customer IT department can use switch management to limit which IP addresses can be reached from the maiLink Router. The maiLink Router must have access to *.maidata.io on ports 443 and 5000.
- In what year was maiLink Router first offered? 2022.
- Is maiLink Router provided as Software-as-a-Service? Yes, via the Partner’s maiLink SRM subscription.
- Is maiLink Router to be installed in the cloud (not within the customer location)? No, although it works closely with maiLink SRM, which is cloud-based.
- Is maiLink Router to be locally installed (within the customer location)? Yes.
- What environment does maiLink Router run in? maiLink Router is provided as an Open Virtual Appliance (OVA) file that is installed in a virtual machine (VM) in the customer facility. It uses Linux as its operating system.
- What is the purpose of maiLink Router? maiLink Router is designed to allow Partners to gain access to the systems and software that they are obligated and authorized to service within Customer facilities. From a single maiLink Router within the Customer facility, the Partner can access all network-connected products they need to support.
- Who is the best maiData contact for questions or concerns about maiLink Router security? Adam Zenner, CTO and CISO.
- Why would a Customer permit installation of maiLink Router? To allow the Partner to service the targeted product(s) or provide the desired service(s) in the Customer facility. maiLink Router allows the Partner to diagnose issues more quickly and provide some service without the time delay of having a field engineer visit the site.
Access
- Do all Partner employees access maiLink Router via a single login portal? Yes, via maiLink SRM.
- Does maiLink Router maintain an account lock-out feature, activated after a number of failed login attempts? Yes, if credentials are federated.
- Does maiLink Router prohibit re-use of prior passwords? Yes, if credentials are federated.
- Is each Partner's implementation accessed via a unique login portal? Yes, via maiLink SRM.
- What is the URL for the maiLink Router? Each maiLink Router has a unique URL that is created when the Partner requests access to the maiLink Router. The URL is different each time.
Audit Logs
- Are maiLink Router audit records time-stamped? Yes.
- Are all maiLink Router non-local maintenance and diagnostic activities approved and monitored? Yes, via maiLink SRM.
- Can maiLink Router be configured to select which auditable events are captured in the audit log? No.
- Do maiLink Router audit logs contain enough information to establish the identity of the user/subject associated with the event? Yes.
- Do maiLink Router audit logs contain enough information to establish the source of the event? Yes, user and IP address.
- Do maiLink Router audit logs contain enough information to establish what type of event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out.
- Do maiLink Router audit logs contain enough information to establish when the event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out and the user.
- Do maiLink Router audit logs contain enough information to establish where the event occurred? Yes.
- Does maiLink Router allow generation of custom audit reports? Yes, through maiLink SRM.
- Does maiLink Router generate an alert in the event of an audit processing failure? No.
- Does maiLink Router keep audit logs? Yes, via maiLink SRM.
- Does maiLink Router protect audit records from unauthorized access, modification and deletion? Yes, via maiLink SRM.
- Does maiLink Router record Failed Log In events in its audit logs? No.
- Does maiLink Router record Files / Records Deleted events in its audit logs? No. maiLink Router has no visibility into file system changes in the target device.
- Does maiLink Router record Files / Records Modified events in its audit logs? No. maiLink Router has no visibility into file system changes in the target device.
- Does maiLink Router record Files / Records Viewed events in its audit logs? No.
- Does maiLink Router record Log In events in its audit logs? Yes, via maiLink SRM.
- Does maiLink Router record Log Out events in its audit logs? Yes, via maiLink SRM.
- Does generation of a maiLink Router audit report alter the original content or time stamp of the audit record? No.
- Does maiData maintain records for maiLink Router non-local maintenance and diagnostic sessions? Yes.
- Is the information captured in maiLink Router audit logs sufficient for system and user performance investigations? Yes, via maiLink SRM.
Authentication
-
Does maiLink Router protect the authenticity of communication sessions? Yes.
-
Does maiLink Router support multi-factor authentication? Yes, if configured.
-
Does the maiLink Router system obscure the authenticator/password during the authentication process? Yes.
-
Does maiLink Router uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
-
Does maiLink Router uniquely identify and authenticate devices before establishing communication within the Customer facility? Yes.
-
Does maiLink Router use managed LDAP services for identification and authentication? Yes, if configured.
-
How does maiLink Router achieve MFA? One-Time Password (OTP), if configured.
-
Is maiLink Router authenticator content protected from unauthorized disclosure and modification? Yes, through encryption.
-
Is token-based authentication used? Yes.
Configuration
-
How do you do a factory reset on maiLink Router? Remove and reinstall the software.
-
How is the IP address of the maiLink Router configured? At first power-up, the maiLink Router uses DHCP to obtain a network address. Customer IT personnel can then use the operating system to disable DHCP and set a fixed IP address and subnet mask.
-
How is the configuration of maiLink Router controlled? maiLink Router operating system configuration is controlled with on-system credential access, which can be configured for Single Sign-On or federation with other Customer credentialing. The maiLink Router software version is controlled through a maiData Docker repository in the Cloud. Other maiLink Router configuration parameters are controlled locally, on the device.
Credentials
-
Can a maiLink Router user request a password reset? No.
-
Can any user with maiLink Router credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
-
Can Customer IT personnel be given credentials to maiLink Router? Yes, if the Partner agrees to provide credentials to the Customer.
-
Can the Customer configure the default requirements for passwords? Yes, if federated.
-
Does maiLink Router allow federation of credentials? Yes, via maiLink SRM.
-
Does maiLink Router require passwords to be at least 8 characters long? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain at least one non-alphanumeric character? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain at least one numeric digit? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain mixed-case alpha characters? Yes, if credentials are federated.
-
Does maiLink Router require passwords to expire every 90 days? Yes, if credentials are federated.
-
Does maiLink Router support federated identity? No, but it is planned for a future release.
-
Must a maiLink Router user establish their own password at first login? Yes.
-
What are the minimum requirements for a maiLink Router password in terms of length and complexity? None at this time unless credentials are federated.
-
What credentials does a user need to access maiLink Router locally (from inside the Customer firewall)? Customer IT personnel can access maiLink Router using credentials they create. Partner service personnel only access maiLink Router via maiLink SRM.
-
What credentials does a user need to access maiLink Router remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
-
Will maiLink Router be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PCI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PHI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PII? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Customer Internal / Proprietary Information via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access Employee Information via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PCI via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PHI via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PII via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to receive transmitted data from Customer, via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner have access to a database or application, via maiLink Router, that stores or transmits Customer data? Only if authorized and permitted by Customer.
-
Will the Partner have access to infrastructure, via maiLink Router, that stores or transmits Customer data? Only if authorized and permitted by Customer.
-
Will the Partner have access to the Customer network, via maiLink Router, for on-site support? Yes, by remotely accessing the maiLink Router via maiLink SRM.
-
Will the Partner have access to the Customer network, via maiLink Router, for remote support? Yes, as authorized and permitted by Customer.
-
Will the Partner use Customer computer systems to access and/or transmit Customer data via maiLink Router? No.
-
Will the Partner use Partner computer systems to access and/or transmit Customer data via maiLink Router? Yes, but what can be accessed is based on access authorized and permitted by Customer.
Documentation
-
Does maiData administrator documentation for maiLink Router include configuration, installation and operation information? Yes, as applicable.
-
Does maiData administrator documentation for maiLink Router include known vulnerabilities regarding configuration and use of administrator functions? Yes, as applicable.
-
Does maiData administrator documentation for maiLink Router include security functions and mechanisms information? Yes, as applicable.
-
Does maiData include requirements, descriptions and criteria in the acquisition contract for maiLink Router? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
-
Does maiData maintain administrator documentation for maiLink Router? Yes, as applicable.
-
Does maiData maintain any documentation which includes the details of maiLink Router’s security configuration specifications? Yes. Available on request.
-
Does maiData maintain current accurate documentation of the components in the maiLink Router? Yes.
-
Does maiData maintain user documentation for maiLink Router? Yes.
-
Does maiData user documentation for maiLink Router include information on methods for user interaction which make maiLink Router use more secure? Yes, as applicable.
-
Does maiData user documentation for maiLink Router include information on user responsibility in maintaining maiLink Router security? Yes, as applicable.
-
Does maiData user documentation for maiLink Router include information on user-accessible security functions and how to use them? Yes, as applicable.
-
Is any non-local maintenance and diagnostic activity performed on the maiLink Router (e.g. via network)? Yes, via maiLink SRM.
-
Is there documentation outlining who, when and how maiLink Router can be configured? Yes.
Partner Responsibilities
-
Are all approved maiLink Router configuration changes implemented in a timely manner? N/A. The Partner controls the application of configuration changes.
-
Does maiLink Router come with its own antivirus solution? No. However, maiData allows Partners to install an antivirus solution on maiLink Router if desired.
-
Does maiLink Router come with its own malware protection? No. However, maiData allows Partners to install malware protection on maiLink Router if desired.
-
Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
-
Does maiData document maiLink Router configuration changes that deviate from the established settings? No. The Partner controls configuration changes.
-
Does maiData ensure that personnel performing maintenance on maiLink Router have the required access authorizations? No. The Partner authorizes maintenance personnel and provides them with access authorization.
-
Does maiData enter access agreements with employees that have access to maiLink Router? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access the maiLink Router.
-
Does maiData have personnel sanctions policies and procedures? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
-
Does maiData have termination procedures in place for those with access to maiLink Router? No. It is the responsibility of the Partner to handle the termination of any of their employees who are authorized to access the maiLink Router.
-
Does maiData have third-party access control procedures for external parties granted access to maiLink Router? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the maiLink Router.
-
Does maiData have transfer procedures in place for those with access to maiLink Router? No. It is the responsibility of the Partner to handle the transfer of authorization to access the maiLink Router between employees.
-
Does maiData maintain a list of authorized maintenance personnel for maiLink Router? No. The Partner authorizes maintenance personnel.
-
Does maiData periodically review access agreements for employees that have access to maiLink Router? No. It is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access the maiLink Router.
-
Does maiData provide remote support / maintenance services that would involve maiData employees accessing maiLink Router? No, by policy. The Partner may specifically request direct support, and authorize access to the Agent by maiData personnel, however this would not be a common occurrence.
-
Does maiData restrict or prohibit the use of any maiLink Router functions, ports, protocols and/or service that are not essential? No. The Partner controls configuration changes.
-
Does maiData retain records of maiLink Router configuration changes? No. The Partner controls configuration changes.
-
Does maiData review proposed maiLink Router configuration changes using defined security impact analyses? No. Configuration changes are made by the Partner.
-
Does maiData screen individuals prior to authorizing access to maiLink Router? No. It is the responsibility of the Partner to determine which of their employees are authorized to access the maiLink Router.
-
How will maiLink Router access, transmit or store Customer’s data? Please refer to Partner policies and procedures. maiLink Router does not independently access, transmit or store Customer data.
-
Is there active monitoring of maiLink Router configuration changes? No. The Partner controls configuration changes.
-
Who can create credentials for maiLink Router? Partner maiLink SRM Administrator.
-
Will maiLink Router be used to transmit Customer Employee Information? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PCI? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PHI? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PII? Please refer to Partner policies and procedures.
SDLC Procedures
-
Are maiLink Router flaws identified, reported and corrected? Yes.
-
Are maiLink Router software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes.
-
Are all maiLink Router configuration changes documented? No.
-
Are configurable changes to maiLink Router documented? Yes.
-
Do the documented maiLink Router configuration settings reflect the most restrictive mode consistent with operational requirements? No, not at this time.
-
Does maiData analyze changes to maiLink Router to determine potential security impacts prior to change implementation? Yes.
-
Does maiData apply information system security engineering principles in the Product Development Life Cycle of maiLink Router? Yes.
-
Does maiData approve, control and monitor maiLink Router maintenance tools? Yes.
-
Does maiData automatically apply software patches to maiLink Router? Yes, using an auto-update mechanism.
-
Does maiData categorize maiLink Router patches based on severity? Yes, maiData classifies patches as “minor”, “major”, and “critical”.
-
Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Yes.
-
Does maiData define a comprehensive life cycle for maiLink Router? No, but it is planned as part of our ISO 27001 process.
-
Does maiData define the timing of maiLink Router patches? Yes, maiLink Router auto-updates occur within 30 days of a maiLink Router release.
-
Does maiData develop, document and implement a configuration management plan for maiLink Router that addresses roles, responsibilities and configuration? No, but it is planned as part of our ISO 27001 process.
-
Does maiData have a process for identifying configuration items during the SDLC? Yes.
-
Does maiData maintain a formal security patch management process for maiLink Router? No, not at this time.
-
Does maiData maintain documented policies and procedures for maintenance of maiLink Router? Yes.
-
Does maiData perform vulnerability testing as part of maiLink Router’s Software Development Life Cycle (SDLC)? Yes, using ZAP software to test against the Open Web Application Security Project (OWASP) requirements.
-
Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
-
Does maiData require maiLink Router developers to conform to maiData-approved configuration changes? Yes.
-
Does maiData require maiLink Router developers to create and implement a security assessment plan for maiLink Router? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
Does maiData require the maiLink Router developers’ security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
How often does maiData perform penetration tests on maiLink Router? Once per software release.
-
Is there documentation outlining the baseline configuration of maiLink Router? Yes.
-
What environments does maiData use in development of patches for maiLink Router? maiData uses Development, QA (including Test) and Production environments to verify and validate patches.
Security
-
Are strong authenticators/passwords used in the establishment of maiLink Router non-local maintenance and diagnostic sessions? Yes.
-
Are there any known vulnerabilities within maiLink Router? No.
-
Can maiLink Router credentials be federated with maiLink SRM? Not at this time.
-
Does maiLink Router display the last user logon date and time to the user? No.
-
Does maiLink Router encrypt data at rest? No.
-
Does maiLink Router encrypt data in transit? Yes, for data transmitted between maiLink Router and Cloud.
-
Does maiLink Router have a session lock after a period of inactivity that requires reauthentication? Yes, via maiLink SRM.
-
Does maiLink Router include any collaborative devices (cameras, microphones, etc.)? No.
-
Does maiLink Router limit the number of concurrent sessions for the user? Yes.
-
Does maiLink Router prevent user actions that can be performed on the system without identification and authentication? Yes.
-
Does maiLink Router provide system use notification that includes privacy and security notices before granting access? No.
-
Does maiLink Router separate user functionality from administrative functionality? Yes.
-
Does maiLink Router store passwords in an encrypted format? Yes.
-
Does maiLink Router terminate the session after predefined circumstances? Yes, via maiLink SRM.
-
Does maiLink Router use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
-
Does maiLink Router use cryptographic protocols to protect transmitted information? Yes.
-
Does maiLink Router use mechanisms for authentication to a cryptographic module? No.
-
Does maiData have any automated or manual monitoring of maiLink Router configuration changes? No, not at this time.
-
How do you do a factory reset on maiLink Router? First reformat the hard drive (writing all zeroes). Then reinstall the maiLink Router ISO file.
-
How does maiLink Router keep Customers secure? maiLink Router uses maiLink Agent to establish a secure connection to the Cloud using only outbound communications.
-
Is user installation of maiLink Router restricted and monitored? Yes.
-
What cryptographic protocols does maiLink Router use to protect transmitted information, including strength? AES 128-bit.
-
What encryption method does maiLink Router use to encrypt data at rest? None at this time.
-
What encryption method does maiLink Router use to encrypt data in transit? AES 128-bit.
-
What is the inactivity period before maiLink Router terminates a session? 15 minutes.
-
What was the date of the most recent maiLink Router vulnerability test? 2021-01-29.
Security Policy
-
Are maiLink Router non-local maintenance and diagnostic sessions terminated after completion? Yes.
-
Does maiData implement maiLink Router patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
-
Does maiData maintain a disaster recovery policy which applies to maiLink Router? Yes. maiData security policies apply to all maiData products.
4 - maiLink SRM
General
-
How is maiLink SRM integrated with the customer infrastructure? The Agent software module, built into the Partner’s product, communicates with the maiLink SRM Cloud.
-
In what year was maiLink SRM first offered? 2022
-
Is maiLink SRM provided as Software-as-a-Service? Yes.
-
Is maiLink SRM to be installed in the cloud (not within the customer location)? Yes.
-
Is maiLink SRM to be locally installed (within the customer location)? No.
-
What environment does maiLink SRM run in? The Cloud portion of maiLink SRM runs in AWS. The Agent portion runs in the product installed in the customer location.
-
What is the purpose of maiLink SRM? maiLink SRM is a Service Relationship Management platform that provides Partners with the ability to manage their fleet of deployed devices, track product ownership, and better service the products through integrated, secure remote access.
-
Who is the best maiData contact for questions or concerns about maiLink SRM security? Adam Zenner, CTO and CISO.
-
Why would a Customer permit installation of maiLink SRM? Customers that allow use of maiLink SRM enjoy high security, faster service response times, and greater uptime.
Access
-
Do all Partner employees access maiLink SRM via a single login portal? Yes, via maiLink SRM.
-
Does maiLink SRM maintain an account lock-out feature, activated after a number of failed login attempts? Yes, if credentials are federated.
-
Does maiLink SRM prohibit re-use of prior passwords? Yes, if credentials are federated.
-
Is each Partner’s implementation accessed via a unique login portal? Yes.
-
What is the URL for the maiLink SRM? https://app.maidata.io
Audit Logs
-
Are maiLink SRM audit records time-stamped? Yes.
-
Are all maiLink SRM non-local maintenance and diagnostic activities approved and monitored? No.
-
Can maiLink SRM be configured to select which auditable events are captured in the audit log? No.
-
Do maiLink SRM audit logs contain enough information to establish the identity of the user/subject associated with the event? Yes.
-
Do maiLink SRM audit logs contain enough information to establish the source of the event? No.
-
Do maiLink SRM audit logs contain enough information to establish what type of event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out.
-
Do maiLink SRM audit logs contain enough information to establish when the event occurred? Yes.
-
Do maiLink SRM audit logs contain enough information to establish where the event occurred? No.
-
Does maiLink SRM allow generation of custom audit reports? Yes, through maiLink SRM.
-
Does maiLink SRM generate an alert in the event of an audit processing failure? No.
-
Does maiLink SRM keep audit logs? Yes.
-
Does maiLink SRM protect audit records from unauthorized access, modification and deletion? Yes.
-
Does maiLink SRM record Failed Log In events in its audit logs? No.
-
Does maiLink SRM record Files / Records Deleted events in its audit logs? No.
-
Does maiLink SRM record Files / Records Modified events in its audit logs? No.
-
Does maiLink SRM record Files / Records Viewed events in its audit logs? No.
-
Does maiLink SRM record Log In events in its audit logs? Yes.
-
Does maiLink SRM record Log Out events in its audit logs? Yes.
-
Does generation of a maiLink SRM audit report alter the original content or time stamp of the audit record? No.
-
Does maiData maintain records for maiLink SRM non-local maintenance and diagnostic sessions? Yes.
-
Is the information captured in maiLink SRM audit logs sufficient for system and user performance investigations? Yes.
Authentication
-
Does maiLink SRM protect the authenticity of communication sessions? Yes.
-
Does maiLink SRM support multi-factor authentication? Yes, if configured.
-
Does the maiLink SRM system obscure the authenticator/password during the authentication process? Yes.
-
Does maiLink SRM uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
-
Does maiLink SRM uniquely identify and authenticate devices before establishing communication within the Customer facility? Yes.
-
Does maiLink SRM use managed LDAP services for identification and authentication? No.
-
How does maiLink SRM achieve MFA? One-Time Password (OTP), if configured.
-
Is maiLink SRM authenticator content protected from unauthorized disclosure and modification? Yes, through encryption.
-
Is token-based authentication used? Yes.
Configuration
-
How do you do a factory reset on maiLink SRM? This is not necessary.
-
How is the IP address of maiLink SRM configured? Not applicable, because maiLink SRM is not on-premise.
-
How is the configuration of maiLink SRM controlled? maiLink SRM configuration is controlled by maiData. The maiLink SRM configuration for the Partner is controlled by Partner administrators.
Credentials
-
Can a maiLink SRM user request a password reset? Yes.
-
Can any user with maiLink SRM credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
-
Can Customer IT personnel be given credentials to maiLink SRM? Yes, but the Partner should not agree to this.
-
Can the Customer configure the default requirements for passwords? Yes, if federated.
-
Does maiLink SRM allow federation of credentials? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain at least one non-alphanumeric character? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain at least one numeric digit? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain mixed-case alpha characters? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to expire every 90 days? Yes, if credentials are federated.
-
Does maiLink SRM support federated identity? No, but it is planned for a future release.
-
Must a maiLink SRM user establish their own password at first login? Yes.
-
What are the minimum requirements for a maiLink SRM password in terms of length and complexity? None at this time unless credentials are federated.
-
What credentials does a user need to access maiLink SRM locally (from inside the Customer firewall)? There is no local access to maiLink SRM.
-
What credentials does a user need to access maiLink SRM remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
-
Will maiLink SRM be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PCI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PHI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PII? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Customer Internal / Proprietary Information via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Employee Information via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PCI via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PHI via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PII via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to receive transmitted data from Customer, via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to a database or application, via maiLink SRM, that stores or transmits Customer data? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to infrastructure, via maiLink SRM, that stores or transmits Customer data? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to the Customer network, via maiLink SRM, for on-site support? No.
-
Will the Partner have access to the Customer network, via maiLink SRM, for remote support? Yes, as authorized and permitted by Customer.
-
Will the Partner use Customer computer systems to access and/or transmit Customer data via maiLink SRM? No.
-
Will the Partner use Partner computer systems to access and/or transmit Customer data via maiLink SRM? Yes.
Documentation
-
Does maiData administrator documentation for maiLink SRM include configuration, installation and operation information? Yes, as applicable.
-
Does maiData administrator documentation for maiLink SRM include known vulnerabilities regarding configuration and use of administrator functions? Yes, as applicable.
-
Does maiData administrator documentation for maiLink SRM include security functions and mechanisms information? Yes, as applicable.
-
Does maiData include requirements, descriptions and criteria in the acquisition contract for maiLink SRM? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
-
Does maiData maintain administrator documentation for maiLink SRM? Yes, as applicable.
-
Does maiData maintain any documentation which includes the details of maiLink SRM’s security configuration specifications? Yes. Available on request.
-
Does maiData maintain current accurate documentation of the components in maiLink SRM? Yes.
-
Does maiData maintain user documentation for maiLink SRM? Yes.
-
Does maiData user documentation for maiLink SRM include information on methods for user interaction which make maiLink SRM use more secure? Yes, as applicable.
-
Does maiData user documentation for maiLink SRM include information on user responsibility in maintaining maiLink SRM security? Yes, as applicable.
-
Does maiData user documentation for maiLink SRM include information on user-accessible security functions and how to use them? Yes, as applicable.
-
Is any non-local maintenance and diagnostic activity performed on maiLink SRM (e.g. via network)? Yes.
-
Is there documentation outlining who, when and how maiLink SRM can be configured? Yes.
Partner Responsibilities
-
Are all approved maiLink SRM configuration changes implemented in a timely manner? Yes.
-
Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
-
Does maiData ensure that personnel performing maintenance on maiLink SRM have the required access authorizations? Yes.
-
Does maiData enter access agreements with employees that have access to maiLink SRM? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access maiLink SRM.
-
Does maiData periodically review access agreements for employees that have access to maiLink SRM? Yes, but it is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access maiLink SRM.
-
Does maiData provide remote support / maintenance services that would involve maiData employees accessing maiLink SRM? No, by policy. The Partner may specifically request direct support, and authorize access to the Agent by maiData personnel, however this would not be a common occurrence.
-
Does maiData screen individuals prior to authorizing access to maiLink SRM? No. It is the responsibility of the Partner to determine which of their employees are authorized to access maiLink SRM.
-
How will maiLink SRM access, transmit or store Customer’s data? Partner may access, transmit or store Customer’s data using maiLink SRM as a tool. maiLink SRM does not independently access, transmit or store Customer data.
-
Who can create credentials for maiLink SRM? Partner maiLink SRM Administrator.
Policies and Procedures
-
Does maiData have personnel sanctions policies and procedures? No, but it is planned as part of our ISO 27001 process.
-
Does maiData maintain a list of authorized maintenance personnel for maiLink SRM? Yes, maiLink SRM maintains a list of authorized maintenance personnel as authorized by the Partner.
SDLC Procedures
-
Are maiLink SRM flaws identified, reported and corrected? Yes.
-
Are maiLink SRM software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes.
-
Are all maiLink SRM configuration changes documented? Yes.
-
Are configurable changes to maiLink SRM documented? Yes.
-
Do the documented maiLink SRM configuration settings reflect the most restrictive mode consistent with operational requirements? Yes.
-
Does maiData analyze changes to maiLink SRM to determine potential security impacts prior to change implementation? Yes.
-
Does maiData apply information system security engineering principles in the Product Development Life Cycle of maiLink SRM? Yes.
-
Does maiData approve, control and monitor maiLink SRM maintenance tools? Yes.
-
Does maiData automatically apply software patches to maiLink SRM? Yes, using an auto-update mechanism.
-
Does maiData categorize maiLink SRM patches based on severity? Yes, maiData classifies patches as “minor”, “major”, and “critical”.
-
Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Yes.
-
Does maiData define a comprehensive life cycle for maiLink SRM? No, but it is planned as part of our ISO 27001 process.
-
Does maiData define the timing of maiLink SRM patches? Yes, maiLink SRM auto-updates occur within 30 days of a maiLink SRM release.
-
Does maiData develop, document and implement a configuration management plan for maiLink SRM that addresses roles, responsibilities and configuration? No, but it is planned as part of our ISO 27001 process.
-
Does maiData document maiLink SRM configuration changes that deviate from the established settings? Yes.
-
Does maiData have a process for identifying configuration items during the SDLC? Yes.
-
Does maiData maintain a formal security patch management process for maiLink SRM? No, not at this time.
-
Does maiData maintain documented policies and procedures for maintenance of maiLink SRM? Yes.
-
Does maiData perform vulnerability testing as part of maiLink SRM’s Software Development Life Cycle (SDLC)? Yes, using OWASP ZAP to test against the Open Web Application Security Project (OWASP) requirements.
-
Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
-
Does maiData require maiLink SRM developers to conform to maiData-approved configuration changes? Yes.
-
Does maiData require maiLink SRM developers to create and implement a security assessment plan for maiLink SRM? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
Does maiData require the maiLink SRM developers security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
How often does maiData perform penetration tests on maiLink SRM? Once per software release.
-
Is there active monitoring of maiLink SRM configuration changes? No.
-
Is there documentation outlining the baseline configuration of maiLink SRM? No.
-
What environments does maiData use in development of patches for maiLink SRM? maiData uses its QA environment to verify and validate patches.
Security
-
Are strong authenticators/passwords used in the establishment of maiLink SRM non-local maintenance and diagnostic sessions? Yes.
-
Are there any known vulnerabilities within maiLink SRM? No.
-
Can maiLink SRM credentials be federated with Partner’s IT credentialing authority? Yes, with SAML.
-
Does maiLink SRM come with its own antivirus solution? Not applicable.
-
Does maiLink SRM come with its own malware protection? Not applicable.
-
Does maiLink SRM display the last user logon date and time to the user? No.
-
Does maiLink SRM encrypt data at rest? Yes.
-
Does maiLink SRM encrypt data in transit? Yes.
-
Does maiLink SRM have a session lock after a period of inactivity that requires reauthentication? Yes.
-
Does maiLink SRM include any collaborative devices (cameras, microphones, etc.)? No.
-
Does maiLink SRM limit the number of concurrent sessions for the user? No.
-
Does maiLink SRM prevent user actions that can be performed on the system without identification and authentication? Yes.
-
Does maiLink SRM provide system use notification that includes privacy and security notices before granting access? No.
-
Does maiLink SRM separate user functionality from administrative functionality? Yes.
-
Does maiLink SRM store passwords in an encrypted format? Yes.
-
Does maiLink SRM terminate the session after predefined circumstances? Yes.
-
Does maiLink SRM use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
-
Does maiLink SRM use cryptographic protocols to protect transmitted information? Yes.
-
Does maiLink SRM use managed LDAP services for identification and authentication? Yes, if configured.
-
Does maiLink SRM use mechanisms for authentication to a cryptographic module? No.
-
Does maiData have any automated or manual monitoring of maiLink SRM configuration changes? No, not at this time.
-
Does maiData have termination procedures in place for those with access to maiLink SRM? Yes, but it is the responsibility of the Partner to handle the termination of any of their own employees that are authorized to access maiLink SRM.
-
Does maiData have third-party access control procedures for external parties granted access to maiLink SRM? Yes. maiData does not grant third-party access to maiLink SRM.
-
Does maiData have transfer procedures in place for those with access to maiLink SRM? No. It is the responsibility of the Partner to handle transfer between employees of authorization to access maiLink SRM.
-
Does maiData restrict or prohibit the use of any maiLink SRM functions, ports, protocols and/or service that are not essential? Yes.
-
Does maiData retain records of maiLink SRM configuration changes? Yes.
-
Does maiData review proposed maiLink SRM configuration changes using defined security impact analyses? No.
-
Has maiLink SRM undergone any major platform changes, upgrades or enhancements in the past six months? No.
-
How does maiLink SRM keep Customers secure? The user federation available in maiLink SRM ensures that only Partner-approved service technicians have access to the products in the customer facility. In addition, the Agent software built into each product only uses outbound ports to connect with maiLink SRM.
-
Is user installation of maiLink SRM restricted and monitored? Yes.
-
What cryptographic protocols does maiLink SRM use to protect transmitted information, including strength? AES 128-bit.
-
What encryption method does maiLink SRM use to encrypt data at rest? No.
-
What encryption method does maiLink SRM use to encrypt data in transit? AES 128-bit.
-
What is the inactivity period before maiLink SRM terminates a session? 15 minutes.
-
What was the date of the most recent maiLink SRM vulnerability test? 2021-01-29.
Security Policy
-
Are maiLink SRM non-local maintenance and diagnostic sessions terminated after completion? Yes.
-
Does maiData implement maiLink SRM patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
-
Does maiData maintain a disaster recovery policy which applies to maiLink SRM? No, but it is planned as part of our ISO 27001 process.