maiLink Agent
General
-
How is the Agent integrated with the customer infrastructure? The Agent is an independent software module that runs within the product, which is installed and network-connected within the customer’s facility.
-
In what year was the Agent first offered? 2022
-
Is the Agent provided as Software-as-a-Service? Yes, via Partner’s maiLink SRM subscription.
-
Is the Agent to be installed in the cloud (not within the customer location)? No, although it works closely with maiLink SRM, which is cloud-based.
-
Is the Agent to be locally installed (within the customer location)? Yes, but only as a software component within the product.
-
What environment does the Agent run in? The Agent is pre-installed into the product by the Partner.
-
What is the purpose of the Agent? The Agent is designed to allow Partners to gain access to the systems and software that they are obligated and authorized to service within Customer facilities.
-
Who is the best maiData contact for questions or concerns about the Agent security? Adam Zenner, CTO and CISO.
-
Why would a Customer permit installation of a product containing the Agent? To allow the Partner to service the product or provide the desired services in the Customer facility.
Access
-
Do all Partner employees access the Agent via a single login portal? Yes, via maiLink SRM.
-
Does the Agent maintain an account lock-out feature, activated after a number of failed login attempts? Not applicable.
-
Does the Agent prohibit re-use of prior passwords? Not applicable.
-
Is each Partner's implementation accessed via a unique login portal? Yes, via maiLink SRM.
-
What is the URL for the Agent? The Agent does not have a URL.
Audit Logs
-
Are the Agent audit records time-stamped? No. The audit logs in maiLink SRM provide that function.
-
Are all the Agent non-local maintenance and diagnostic activities approved and monitored? Yes.
-
Can the Agent be configured to select which auditable events are captured in the audit log? No. The audit logs in maiLink SRM provide that function.
-
Do the Agent audit logs contain enough information to establish the identity of the user/subject associated with the event? Not applicable. The audit logs in maiLink SRM provide that function.
-
Do the Agent audit logs contain enough information to establish the source of the event? Not applicable. The audit logs in maiLink SRM provide that function.
-
Do the Agent audit logs contain enough information to establish what type of event occurred? Not applicable. The audit logs in maiLink SRM provide that function.
-
Do the Agent audit logs contain enough information to establish when the event occurred? No. The audit logs in maiLink SRM provide that function.
-
Do the Agent audit logs contain enough information to establish where the event occurred? No. The audit logs in maiLink SRM provide that function.
-
Does the Agent allow generation of custom audit reports? Yes, through maiLink SRM.
-
Does the Agent generate an alert in the event of an audit processing failure? No.
-
Does the Agent keep audit logs? Yes, via maiLink SRM.
-
Does the Agent protect audit records from unauthorized access, modification and deletion? Yes, via maiLink SRM.
-
Does the Agent record Failed Log In events in its audit logs? Not applicable.
-
Does the Agent record Files / Records Deleted events in its audit logs? Not applicable.
-
Does the Agent record Files / Records Modified events in its audit logs? Not applicable.
-
Does the Agent record Files / Records Viewed events in its audit logs? Not applicable.
-
Does the Agent record Log In events in its audit logs? Yes, via maiLink SRM.
-
Does the Agent record Log Out events in its audit logs? Yes, via maiLink SRM.
-
Does generation of an Agent audit report alter the original content or time stamp of the audit record? Not applicable.
-
Does maiData maintain records for the Agent non-local maintenance and diagnostic sessions? Yes.
-
Is the information captured in the Agent audit logs sufficient for system and user performance investigations? Yes, via maiLink SRM.
Authentication
-
Does the Agent protect the authenticity of communication sessions? Yes.
-
Does the Agent support multi-factor authentication? Not applicable.
-
Does the Agent system obscure the authenticator/password during the authentication process? Not applicable.
-
Does the Agent uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
-
Does the Agent uniquely identify and authenticate devices before establishing communication within the Customer facility? Not applicable.
-
Does the Agent use managed LDAP services for identification and authentication? No.
-
How does the Agent achieve MFA? Not applicable.
-
Is the Agent authenticator content protected from unauthorized disclosure and modification? Not applicable.
-
Is token-based authentication used? Not applicable.
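The answers above say the Agent identifies and authenticates each device to the Cloud with a unique JSON Web Token. The following is an added illustration of what a cloud-side verifier for such per-device, short-lived tokens checks; it is not maiData's code and does not describe the actual maiLink implementation. The device identifiers, the per-device key table, the audience string, the 300-second lifetime and the choice of HS256 are all assumptions made for the example. Note that a signed JWT (JWS) of this kind is integrity-protected but not encrypted: its payload is only base64url-encoded, so confidentiality has to come from the transport, not from the token itself.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-device key table for the example. A real deployment would
# provision one key per device at enrollment rather than embed constants.
DEVICE_KEYS = {"device-0001": b"constructed-per-device-secret-0001"}

AUDIENCE = "mailink-cloud"  # assumed audience claim for the cloud endpoint
TOKEN_TTL = 300             # assumed short lifetime in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(device_id: str, key: bytes, now: int, ttl: int = TOKEN_TTL) -> str:
    """Device side: build an HS256 JWT bound to this device id, valid for ttl seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": device_id, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_device_token(token: str, now: int) -> str:
    """Cloud side: return the authenticated device id, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and
    # algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")

    payload = json.loads(_b64url_decode(payload_b64))
    device_id = payload.get("sub")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        raise ValueError("unknown device")

    # Look up the key by the claimed device first, then check the signature
    # with a constant-time comparison.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    if payload.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    return device_id


def check_token(token: str, now: int):
    """Wrapper that reports the outcome as a tuple instead of raising."""
    try:
        return ("ok", verify_device_token(token, now))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    tok = issue_device_token("device-0001", DEVICE_KEYS["device-0001"], now)
    print(check_token(tok, now + 10))    # accepted while fresh
    print(check_token(tok, now + 400))   # rejected once past exp
```

The order of checks matters: the key is selected from the claimed device id, so an attacker who knows one device's key cannot mint tokens for another device, and the short `exp` limits how long a leaked token is useful. Key lookup before the signature check is safe only because the comparison is constant-time and the lookup itself leaks nothing beyond "known/unknown".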
Configuration
-
How do you do a factory reset on the Agent? Remove and reinstall the software.
-
How is the IP address of the Agent configured? The Agent is a software module within the product. The Partner can provide information about configuring the product IP address.
-
How is the configuration of the Agent controlled? The Agent configuration is controlled in the Cloud by the Partner.
Credentials
-
Can an Agent user request a password reset? Not applicable.
-
Can any user with the Agent credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
-
Can Customer IT personnel be given credentials to the Agent? Yes, if the Partner agrees to provide credentials to the Customer.
-
Can the Customer configure the default requirements for passwords? Not applicable.
-
Does the Agent allow federation of credentials? Yes, via maiLink SRM.
-
Does the Agent require passwords to be at least 8 characters long? Not applicable.
-
Does the Agent require passwords to contain at least one non-alphanumeric character? Not applicable.
-
Does the Agent require passwords to contain at least one numeric digit? Not applicable.
-
Does the Agent require passwords to contain mixed-case alpha characters? Not applicable.
-
Does the Agent require passwords to expire every 90 days? Not applicable.
-
Does the Agent support federated identity? No. That function is provided in maiLink SRM.
-
Must an Agent user establish their own password at first login? Not applicable.
-
What are the minimum requirements for an Agent password in terms of length and complexity? Not applicable.
-
What credentials does a user need to access the Agent locally (from inside the Customer firewall)? Not supported. All Agent access is done remotely.
-
What credentials does a user need to access the Agent remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
-
Will the Agent be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by Customer.
-
Will the Agent be used to transmit PCI? Only if necessary, authorized and permitted by Customer.
-
Will the Agent be used to transmit PHI? Only if necessary, authorized and permitted by Customer.
-
Will the Agent be used to transmit PII? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Customer Internal / Proprietary Information via the Agent? Only if authorized and permitted by Customer.
-
Will the Partner be able to access Employee Information via the Agent? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PCI via the Agent? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PHI via the Agent? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PII via the Agent? Only if authorized and permitted by Customer.
-
Will the Partner be able to receive transmitted data from Customer, via the Agent? Yes, as authorized and permitted by Customer.
-
Will the Partner have access to a database or application, via the Agent, that stores or transmits Customer data? Yes, as authorized and permitted by Customer.
-
Will the Partner have access to infrastructure, via the Agent, that stores or transmits Customer data? Yes, as authorized and permitted by Customer.
-
Will the Partner have access to the Customer network, via the Agent, for on-site support? No.
-
Will the Partner have access to the Customer network, via the Agent, for remote support? Yes, as authorized and permitted by Customer.
-
Will the Partner use Customer computer systems to access and/or transmit Customer data via the Agent? No.
-
Will the Partner use Partner computer systems to access and/or transmit Customer data via the Agent? Yes. But what can be accessed is based on access authorized and permitted by Customer.
Documentation
-
Does maiData administrator documentation for the Agent include configuration, installation and operation information? Not applicable.
-
Does maiData administrator documentation for the Agent include known vulnerabilities regarding configuration and use of administrator functions? Not applicable.
-
Does maiData administrator documentation for the Agent include security functions and mechanisms information? Not applicable.
-
Does maiData include requirements, descriptions and criteria in the acquisition contract for the Agent? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
-
Does maiData maintain administrator documentation for the Agent? Not applicable.
-
Does maiData maintain any documentation which includes the details of the Agent's security configuration specifications? Yes. Available on request.
-
Does maiData maintain current, accurate documentation of the components in the Agent? Yes.
-
Does maiData maintain user documentation for the Agent? Not applicable.
-
Does maiData user documentation for the Agent include information on methods for user interaction which make the Agent use more secure? Not applicable.
-
Does maiData user documentation for the Agent include information on user responsibility in maintaining the Agent security? Not applicable.
-
Does maiData user documentation for the Agent include information on user-accessible security functions and how to use them? Not applicable.
-
Is any non-local maintenance and diagnostic activity performed on the Agent (e.g. via network)? Yes, via maiLink SRM.
-
Is there documentation outlining who, when and how the Agent can be configured? Not applicable.
Partner Responsibilities
-
Are all approved Agent configuration changes implemented in a timely manner? Not applicable.
-
Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
-
Does maiData define the timing of the Agent patches? No. The Partner is responsible for applying such patches.
-
Does maiData ensure that personnel performing maintenance on the Agent have the required access authorizations? No. The Partner authorizes maintenance personnel and provides them with access authorization.
-
Does maiData enter access agreements with employees that have access to the Agent? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access the Agent.
-
Does maiData have personnel sanctions policies and procedures? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
-
Does maiData have termination procedures in place for those with access to the Agent? No. It is the responsibility of the Partner to handle the termination of any of their employees who are authorized to access the Agent.
-
Does maiData have third-party access control procedures for external parties granted access to the Agent? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
-
Does maiData have transfer procedures in place for those with access to the Agent? No. It is the responsibility of the Partner to handle the transfer of authorization to access the Agent between employees.
-
Does maiData maintain a list of authorized maintenance personnel for the Agent? No. The Partner authorizes maintenance personnel.
-
Does maiData periodically review access agreements for employees that have access to the Agent? No. It is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access the Agent.
-
Does maiData provide remote support / maintenance services that would involve maiData employees accessing the Agent? No, by policy. The Partner may specifically request direct support and authorize access to the Agent by maiData personnel; however, this would not be a common occurrence.
-
Does maiData screen individuals prior to authorizing access to the Agent? No. It is the responsibility of the Partner to determine which of their employees are authorized to access the Agent.
-
How will the Agent access, transmit or store Customer's data? The Partner may access, transmit or store Customer's data using the Agent as a tool. The Agent does not independently access, transmit or store Customer data.
-
Who can create credentials for the Agent? Not applicable.
SDLC Procedures
-
Are the Agent flaws identified, reported and corrected? Yes.
-
Are the Agent software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes. Because the Agent installs in the Partner's product, the Partner is responsible for this.
-
Are all the Agent configuration changes documented? Not applicable.
-
Are configurable changes to the Agent documented? Not applicable.
-
Do the documented Agent configuration settings reflect the most restrictive mode consistent with operational requirements? Not applicable.
-
Does maiData analyze changes to the Agent to determine potential security impacts prior to change implementation? Yes.
-
Does maiData apply information system security engineering principles in the Product Development Life Cycle of the Agent? Yes.
-
Does maiData approve, control and monitor the Agent maintenance tools? Yes.
-
Does maiData automatically apply software patches to the Agent? Yes, using an auto-update mechanism.
-
Does maiData categorize the Agent patches based on severity? Yes, maiData classifies patches as minor, major, and critical.
-
Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Not applicable.
-
Does maiData define a comprehensive life cycle for the Agent? No, but it is planned as part of our ISO 27001 process.
-
Does maiData develop, document and implement a configuration management plan for the Agent that addresses roles, responsibilities and configuration? No, but it is planned as part of our ISO 27001 process.
-
Does maiData document the Agent configuration changes that deviate from the established settings? Not applicable.
-
Does maiData have a process for identifying configuration items during the SDLC? Yes.
-
Does maiData maintain a formal security patch management process for the Agent? No, not at this time.
-
Does maiData maintain documented policies and procedures for maintenance of the Agent? Not applicable.
-
Does maiData perform vulnerability testing as part of the Agent's Software Development Life Cycle (SDLC)? Yes, using OWASP ZAP to test against the Open Web Application Security Project (OWASP) requirements.
-
Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
-
Does maiData require the Agent developers to conform to maiData-approved configuration changes? Yes.
-
Does maiData require the Agent developers to create and implement a security assessment plan for the Agent? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
Does maiData require the Agent developers' security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
How often does maiData perform penetration tests on the Agent? Once per software release.
-
Is there active monitoring of the Agent configuration changes? Not applicable.
-
Is there documentation outlining the baseline configuration of the Agent? Not applicable.
-
What environments does maiData use in development of patches for the Agent? maiData uses Development, QA (including Test) and Production environments to verify and validate patches.
Security
-
Are strong authenticators/passwords used in the establishment of the Agent non-local maintenance and diagnostic sessions? Yes.
-
Are there any known vulnerabilities within the Agent? No.
-
Can the Agent credentials be federated with maiLink SRM? Yes.
-
Does the Agent come with its own antivirus solution? No. It is reliant on host computer’s antivirus solution.
-
Does the Agent come with its own malware protection? No. It is reliant on host computer’s malware protection.
-
Does the Agent display the last user logon date and time to the user? No.
-
Does the Agent encrypt data at rest? Yes, if the function is provided by the host computer.
-
Does the Agent encrypt data in transit? Yes, for data transmitted between the Agent and Cloud.
-
Does the Agent have a session lock after a period of inactivity that requires reauthentication? Not applicable.
-
Does the Agent include any collaborative devices (cameras, microphones, etc)? No.
-
Does the Agent limit the number of concurrent sessions for the user? Not applicable.
-
Does the Agent prevent user actions that can be performed on the system without identification and authentication? Yes.
-
Does the Agent provide system use notification that includes privacy and security notices before granting access? No.
-
Does the Agent separate user functionality from administrative functionality? Not applicable.
-
Does the Agent store passwords in an encrypted format? Not applicable.
-
Does the Agent terminate the session after predefined circumstances? Yes, via maiLink SRM.
-
Does the Agent use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
-
Does the Agent use cryptographic protocols to protect transmitted information? Yes.
-
Does the Agent use managed LDAP services for identification and authentication? Not applicable.
-
Does the Agent use mechanisms for authentication to a cryptographic module? No.
-
Does maiData have any automated or manual monitoring of the Agent configuration changes? Not applicable.
-
Does maiData restrict or prohibit the use of any Agent functions, ports, protocols and/or services that are not essential? Yes.
-
Does maiData retain records of the Agent configuration changes? Not applicable.
-
Does maiData review proposed Agent configuration changes using defined security impact analyses? Not applicable.
-
Has the Agent undergone any major platform changes, upgrades or enhancements in the past six months? No.
-
How does the Agent keep Customers secure? The Agent establishes secure communications to Cloud using a small number of outbound ports, encryption and short-term certificates.
-
Is user installation of the Agent restricted and monitored? Yes. Use of the Agent is restricted and must be authorized by the Partner.
-
What cryptographic protocols does the Agent use to protect transmitted information, including strength? AES with 128-bit keys. (This names the symmetric cipher; the transport protocol and version carrying it are not stated here.)
-
What encryption method does the Agent use to encrypt data at rest? Depends on the host computer.
-
What encryption method does the Agent use to encrypt data in transit? AES with 128-bit keys.
-
What is the inactivity period before the Agent terminates a session? Not applicable.
-
What was the date of the most recent Agent vulnerability test? 2021-01-29.
-
Will the Agent be used to transmit Customer Employee Information? Only if used by the Partner for that purpose deliberately or inadvertently.
-
Will the Agent be used to transmit PCI? Only if used by the Partner for that purpose deliberately or inadvertently.
-
Will the Agent be used to transmit PHI? Only if used by the Partner for that purpose deliberately or inadvertently.
-
Will the Agent be used to transmit PII? Only if used by the Partner for that purpose deliberately or inadvertently.
-
Are the Agent non-local maintenance and diagnostic sessions terminated after completion? Yes.
-
Does maiData implement the Agent patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
-
Does maiData maintain a disaster recovery policy which applies to the Agent? Yes. maiData security policies apply to all maiData products.