maiLink Router
General
-
Has maiLink Router undergone any major platform changes, upgrades or enhancements in the past six months? No.
-
How is maiLink Router integrated with the customer infrastructure? maiLink Router is an independent software device that is network-connected within the customer's facility. The customer IT department can use switch management to limit which IP addresses can be reached from the maiLink Router. The maiLink Router must have access to *.maidata.io on ports 443 and 5000.
-
In what year was maiLink Router first offered? 2022.
-
Is maiLink Router provided as Software-as-a-Service? Yes, via Partner’s maiLink SRM subscription.
-
Is maiLink Router to be installed in the cloud (not within the customer location)? No, although it works closely with maiLink SRM, which is cloud-based.
-
Is maiLink Router to be locally installed (within the customer location)? Yes.
-
What environment does maiLink Router run in? maiLink Router is provided as an Open Virtual Appliance (OVA) file that is installed in a virtual machine (VM) in the customer facility. It uses Linux as its operating system.
-
What is the purpose of maiLink Router? maiLink Router is designed to allow Partners to gain Access to the systems and software that they are obligated and authorized to service within Customer facilities. From a single maiLink Router within the Customer facility, the Partner can access all network-connected products they need to support.
-
Who is the best maiData contact for questions or concerns about maiLink Router security? Adam Zenner, CTO and CISO.
-
Why would a Customer permit installation of maiLink Router? To allow the Partner to service the targeted product(s) or provide the desired service(s) in the Customer facility. maiLink Router allows the Partner to diagnose issues more quickly and provide some service without the time delay of having a field engineer visit the site.
Access
-
Do all Partner employees access maiLink Router via a single login portal? Yes, via maiLink SRM.
-
Does maiLink Router maintain an account lock-out feature, activated after a number of failed login attempts? Yes, if credentials are federated.
-
Does maiLink Router prohibit re-use of prior passwords? Yes, if credentials are federated.
-
Is each Partner's implementation accessed via a unique login portal? Yes, via maiLink SRM.
-
What is the URL for the maiLink Router? Each maiLink Router will have a unique URL that is created when the Partner requests access to the maiLink Router. The URL is different each time.
Audit Logs
-
Are maiLink Router audit records time-stamped? Yes.
-
Are all maiLink Router non-local maintenance and diagnostic activities approved and monitored? Yes, via maiLink SRM.
-
Can maiLink Router be configured to select which auditable events are captured in the audit log? No.
-
Do maiLink Router audit logs contain enough information to establish the identity of the user/subject associated with the event? Yes.
-
Do maiLink Router audit logs contain enough information to establish the source of the event? Yes, user and IP address.
-
Do maiLink Router audit logs contain enough information to establish what type of event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out.
-
Do maiLink Router audit logs contain enough information to establish when the event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out and the user.
-
Do maiLink Router audit logs contain enough information to establish where the event occurred? Yes.
-
Does maiLink Router allow generation of custom audit reports? Yes, through maiLink SRM.
-
Does maiLink Router generate an alert in the event of an audit processing failure? No.
-
Does maiLink Router keep audit logs? Yes, via maiLink SRM.
-
Does maiLink Router protect audit records from unauthorized access, modification and deletion? Yes, via maiLink SRM.
-
Does maiLink Router record Failed Log In events in its audit logs? No.
-
Does maiLink Router record Files / Records Deleted events in its audit logs? maiLink Router has no visibility into file system changes in the target device.
-
Does maiLink Router record Files / Records Modified events in its audit logs? maiLink Router has no visibility into file system changes in the target device.
-
Does maiLink Router record Files / Records Viewed events in its audit logs? No.
-
Does maiLink Router record Log In events in its audit logs? Yes, via maiLink SRM.
-
Does maiLink Router record Log Out events in its audit logs? Yes, via maiLink SRM.
-
Does generation of a maiLink Router audit report alter the original content or time stamp of the audit record? No.
-
Does maiData maintain records for maiLink Router non-local maintenance and diagnostic sessions? Yes.
-
Is the information captured in maiLink Router audit logs sufficient for system and user performance investigations? Yes, via maiLink SRM.
Authentication
-
Does maiLink Router protect the authenticity of communication sessions? Yes.
-
Does maiLink Router support multi-factor authentication? Yes, if configured.
-
Does maiLink Router system obscure the authenticator/password during the authentication process? Yes.
-
Does maiLink Router uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
-
Does maiLink Router uniquely identify and authenticate devices before establishing communication within the Customer facility? Yes.
-
Does maiLink Router use managed LDAP services for identification and authentication? Yes, if configured.
-
How does maiLink Router achieve MFA? One-Time Password (OTP), if configured.
-
Is maiLink Router authenticator content protected from unauthorized disclosure and modification? Yes, through encryption.
-
Is token-based authentication used? Yes.
Configuration
-
How do you do a factory reset on maiLink Router? Remove and reinstall the software.
-
How is the IP address of the maiLink Router configured? At first power-up, the maiLink Router uses DHCP to establish a network address. Customer IT personnel can then use the operating system to disable DHCP and set a fixed IP address and subnet mask.
-
How is the configuration of maiLink Router controlled? maiLink Router operating system configuration is controlled with on-system credential access, which can be configured for Single Sign-On or federation with other Customer credentialing. maiLink Router software version is controlled through a maiData Docker repository in the Cloud. Other maiLink Router configuration parameters are controlled locally, on the device.
Credentials
-
Can a maiLink Router user request a password reset? No.
-
Can any user with maiLink Router credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
-
Can Customer IT personnel be given credentials to maiLink Router? Yes, if the Partner agrees to provide credentials to the Customer.
-
Can the Customer configure the default requirements for passwords? Yes, if federated.
-
Does maiLink Router allow federation of credentials? Yes, via maiLink SRM.
-
Does maiLink Router require passwords to be at least 8 characters long? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain at least one non-alphanumeric character? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain at least one numeric digit? Yes, if credentials are federated.
-
Does maiLink Router require passwords to contain mixed-case alpha characters? Yes, if credentials are federated.
-
Does maiLink Router require passwords to expire every 90 days? Yes, if credentials are federated.
-
Does maiLink Router support federated identity? No, but it is planned for a future release.
-
Must a maiLink Router user establish their own password at first login? Yes.
-
What are the minimum requirements for a maiLink Router password in terms of length and complexity? None at this time unless credentials are federated.
-
What credentials does a user need to access maiLink Router locally (from inside the Customer firewall)? Customer IT personnel can access maiLink Router using credentials they create. Partner service personnel only access maiLink Router via maiLink SRM.
-
What credentials does a user need to access maiLink Router remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
-
Will maiLink Router be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PCI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PHI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink Router be used to transmit PII? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Customer Internal / Proprietary Information via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access Employee Information via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PCI via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PHI via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to access PII via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner be able to receive transmitted data from Customer, via maiLink Router? Only if authorized and permitted by Customer.
-
Will the Partner have access to a database or application, via maiLink Router, that stores or transmits Customer data? Only if authorized and permitted by Customer.
-
Will the Partner have access to infrastructure, via maiLink Router, that stores or transmits Customer data? Only if authorized and permitted by Customer.
-
Will the Partner have access to the Customer network, via maiLink Router, for on-site support? Yes, by remotely accessing the maiLink Router via maiLink SRM.
-
Will the Partner have access to the Customer network, via maiLink Router, for remote support? Yes, as authorized and permitted by Customer.
-
Will the Partner use Customer computer systems to access and/or transmit Customer data via maiLink Router? No.
-
Will the Partner use Partner computer systems to access and/or transmit Customer data via maiLink Router? Yes. But what can be accessed is based on access authorized and permitted by Customer.
Documentation
-
Does maiData administrator documentation for maiLink Router include configuration, installation and operation information? Yes, as applicable.
-
Does maiData administrator documentation for maiLink Router include known vulnerabilities regarding configuration and use of administrator functions? Yes, as applicable.
-
Does maiData administrator documentation for maiLink Router include security functions and mechanisms information? Yes, as applicable.
-
Does maiData include requirements, descriptions and criteria in the acquisition contract for maiLink Router? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
-
Does maiData maintain administrator documentation for maiLink Router? Yes, as applicable.
-
Does maiData maintain any documentation which includes the details of maiLink Router's security configuration specifications? Yes. Available on request.
-
Does maiData maintain current accurate documentation of the components in the maiLink Router? Yes.
-
Does maiData maintain user documentation for maiLink Router? Yes.
-
Does maiData user documentation for maiLink Router include information on methods for user interaction which make maiLink Router use more secure? Yes, as applicable.
-
Does maiData user documentation for maiLink Router include information on user responsibility in maintaining maiLink Router security? Yes, as applicable.
-
Does maiData user documentation for maiLink Router include information on user-accessible security functions and how to use them? Yes, as applicable.
-
Is any non-local maintenance and diagnostic activity performed on the maiLink Router (e.g., via network)? Yes, via maiLink SRM.
-
Is there documentation outlining who, when and how maiLink Router can be configured? Yes.
Partner Responsibilities
-
Are all approved maiLink Router configuration changes implemented in a timely manner? N/A. The Partner controls the application of configuration changes.
-
Does maiLink Router come with its own antivirus solution? No. However, maiData allows Partners to install an antivirus solution on maiLink Router if desired.
-
Does maiLink Router come with its own malware protection? No. However, maiData allows Partners to install malware protection on maiLink Router if desired.
-
Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
-
Does maiData document maiLink Router configuration changes that deviate from the established settings? No. The Partner controls configuration changes.
-
Does maiData ensure that personnel performing maintenance on maiLink Router have the required access authorizations? No. The Partner authorizes maintenance personnel and provides them with access authorization.
-
Does maiData enter access agreements with employees that have access to maiLink Router? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access the maiLink Router.
-
Does maiData have personnel sanctions policies and procedures? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the Agent.
-
Does maiData have termination procedures in place for those with access to maiLink Router? No. It is the responsibility of the Partner to handle the termination of any of their employees that is authorized to access the maiLink Router.
-
Does maiData have third-party access control procedures for external parties granted access to maiLink Router? No. It is the responsibility of the Partner to establish third-party access control procedures for external parties who are granted access to the maiLink Router.
-
Does maiData have transfer procedures in place for those with access to maiLink Router? No. It is the responsibility of the Partner to handle transfer between employees of authorization to access the maiLink Router.
-
Does maiData maintain a list of authorized maintenance personnel for maiLink Router? No. The Partner authorizes maintenance personnel.
-
Does maiData periodically review access agreements for employees that have access to maiLink Router? No. It is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access the maiLink Router.
-
Does maiData provide remote support / maintenance services that would involve maiData employees accessing maiLink Router? No, by policy. The Partner may specifically request direct support and authorize access to the Agent by maiData personnel; however, this would not be a common occurrence.
-
Does maiData restrict or prohibit the use of any maiLink Router functions, ports, protocols and/or service that are not essential? No. The Partner controls configuration changes.
-
Does maiData retain records of maiLink Router configuration changes? No. The Partner controls configuration changes.
-
Does maiData review proposed maiLink Router configuration changes using defined security impact analyses? No. Configuration changes are made by the Partner.
-
Does maiData screen individuals prior to authorizing access to maiLink Router? No. It is the responsibility of the Partner to determine which of their employees is authorized to access the maiLink Router.
-
How will maiLink Router access, transmit or store Customer's data? Please refer to Partner policies and procedures. maiLink Router does not independently access, transmit or store Customer data.
-
Is there active monitoring of maiLink Router configuration changes? No. The Partner controls configuration changes.
-
Who can create credentials for maiLink Router? Partner maiLink SRM Administrator.
-
Will maiLink Router be used to transmit Customer Employee Information? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PCI? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PHI? Please refer to Partner policies and procedures.
-
Will maiLink Router be used to transmit PII? Please refer to Partner policies and procedures.
SDLC Procedures
-
Are maiLink Router flaws identified, reported and corrected? Yes.
-
Are maiLink Router software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes.
-
Are all maiLink Router configuration changes documented? No.
-
Are configurable changes to maiLink Router documented? Yes.
-
Do the documented maiLink Router configuration settings reflect the most restrictive mode consistent with operational requirements? No, not at this time.
-
Does maiData analyze changes to maiLink Router to determine potential security impacts prior to change implementation? Yes.
-
Does maiData apply information system security engineering principles in the Product Development Life Cycle of maiLink Router? Yes.
-
Does maiData approve, control and monitor maiLink Router maintenance tools? Yes.
-
Does maiData automatically apply software patches to maiLink Router? Yes, using an auto-update mechanism.
-
Does maiData categorize maiLink Router patches based on severity? Yes, maiData classifies patches as "minor", "major", and "critical".
-
Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Yes.
-
Does maiData define a comprehensive life cycle for maiLink Router? No, but it is planned as part of our ISO 27001 process.
-
Does maiData define the timing of maiLink Router patches? Yes, maiLink Router auto-updates occur within 30 days of a maiLink Router release.
-
Does maiData develop, document and implement a configuration management plan for maiLink Router that addresses roles, responsibilities and No, but it is planned as part of our ISO 27001 process.
-
Does maiData have a process for identifying configuration items during the SDLC? Yes.
-
Does maiData maintain a formal security patch management process for maiLink Router? No, not at this time.
-
Does maiData maintain documented policies and procedures for maintenance of maiLink Router? Yes.
-
Does maiData perform vulnerability testing as part of maiLink Router's Software Development LifeCycle (SDLC)? Yes, using Zap software to test against the Open Web Application Security Project (OWASP) requirements.
-
Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
-
Does maiData require maiLink Router developers to conform to maiData-approved configuration changes? Yes.
-
Does maiData require maiLink Router developers to create and implement a security assessment plan for maiLink Router? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
Does maiData require the maiLink Router developers' security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
How often does maiData perform penetration tests on maiLink Router? Once per software release.
-
Is there documentation outlining the baseline configuration of maiLink Router? Yes.
-
What environments does maiData use in development of patches for maiLink Router? maiData uses Development, QA (including Test) and Production environments to verify and validate patches.
Security
-
Are strong authenticators/passwords used in the establishment of maiLink Router non-local maintenance and diagnostic sessions? Yes.
-
Are there any known vulnerabilities within maiLink Router? No.
-
Can maiLink Router credentials be federated with maiLink SRM? Not at this time.
-
Does maiLink Router display the last user logon date and time to the user? No.
-
Does maiLink Router encrypt data at rest? No.
-
Does maiLink Router encrypt data in transit? Yes, for data transmitted between maiLink Router and Cloud.
-
Does maiLink Router have a session lock after a period of inactivity that requires reauthentication? Yes, via maiLink SRM.
-
Does maiLink Router include any collaborative devices (cameras, microphones, etc)? No.
-
Does maiLink Router limit the number of concurrent sessions for the user? Yes.
-
Does maiLink Router prevent user actions that can be performed on the system without identification and authentication? Yes.
-
Does maiLink Router provide system use notification that includes privacy and security notices before granting access? No.
-
Does maiLink Router separate user functionality from administrative functionality? Yes.
-
Does maiLink Router store passwords in an encrypted format? Yes.
-
Does maiLink Router terminate the session after predefined circumstances? Yes, via maiLink SRM.
-
Does maiLink Router use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
-
Does maiLink Router use cryptographic protocols to protect transmitted information? Yes.
-
Does maiLink Router use mechanisms for authentication to a cryptographic module? No.
-
Does maiData have any automated or manual monitoring of maiLink Router configuration changes? No, not at this time.
-
How do you do a factory reset on maiLink Router? First reformat the hard drive (writing all zeroes). Then reinstall the maiLink Router ISO file.
-
How does maiLink Router keep Customers secure? maiLink Router uses maiLink Agent to establish a secure connection to the Cloud using only outbound communications.
-
Is user installation of maiLink Router restricted and monitored? Yes.
-
What cryptographic protocols does maiLink Router use to protect transmitted information, including strength? AES 128-bit.
-
What encryption method does maiLink Router use to encrypt data at rest? None at this time.
-
What encryption method does maiLink Router use to encrypt data in transit? AES 128-bit.
-
What is the inactivity period before maiLink Router terminates a session? 15 minutes.
-
What was the date of the most recent maiLink Router vulnerability test? 2021-01-29.
Security Policy
-
Are maiLink Router non-local maintenance and diagnostic sessions terminated after completion? Yes.
-
Does maiData implement maiLink Router patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
-
Does maiData maintain a disaster recovery policy which applies to maiLink Router? Yes. maiData security policies apply to all maiData products.