maiLink SRM
General
-
How is maiLink SRM integrated with the customer infrastructure? The Agent software module, built into the Partner’s product, communicates with the maiLink SRM Cloud.
-
In what year was maiLink SRM first offered? 2022
-
Is maiLink SRM provided as Software-as-a-Service? Yes.
-
Is maiLink SRM to be installed in the cloud (not within the customer location)? Yes.
-
Is maiLink SRM to be locally installed (within the customer location)? No.
-
What environment does maiLink SRM run in? The Cloud portion of maiLink SRM runs in AWS. The Agent portion runs in the product installed in the customer location.
-
What is the purpose of maiLink SRM? maiLink SRM is a Service Relationship Management platform that provides Partners with the ability to manage their fleet of deployed devices, track product ownership, and better service the products through integrated, secure remote access.
-
Who is the best maiData contact for questions or concerns about maiLink SRM security? Adam Zenner, CTO and CISO.
-
Why would a Customer permit installation of maiLink SRM? Customers that allow use of maiLink SRM enjoy high security, faster service response times, and greater uptime.
Access
-
Do all Partner employees access maiLink SRM via a single login portal? Yes, via maiLink SRM.
-
Does maiLink SRM maintain an account lock-out feature, activated after a number of failed login attempts? Yes, if credentials are federated.
-
Does maiLink SRM prohibit re-use of prior passwords? Yes, if credentials are federated.
-
Is each Partner’s implementation accessed via a unique login portal? Yes.
-
What is the URL for the maiLink SRM? https://app.maidata.io
Audit Logs
-
Are maiLink SRM audit records time-stamped? Yes.
-
Are all maiLink SRM non-local maintenance and diagnostic activities approved and monitored? No.
-
Can maiLink SRM be configured to select which auditable events are captured in the audit log? No.
-
Do maiLink SRM audit logs contain enough information to establish the identity of the user/subject associated with the event? Yes.
-
Do maiLink SRM audit logs contain enough information to establish the source of the event? No.
-
Do maiLink SRM audit logs contain enough information to establish what type of event occurred? Yes, when combined with audit log information in maiLink SRM, to the level of log in / log out.
-
Do maiLink SRM audit logs contain enough information to establish when the event occurred? Yes.
-
Do maiLink SRM audit logs contain enough information to establish where the event occurred? No.
-
Does maiLink SRM allow generation of custom audit reports? Yes, through maiLink SRM.
-
Does maiLink SRM generate an alert in the event of an audit processing failure? No.
-
Does maiLink SRM keep audit logs? Yes.
-
Does maiLink SRM protect audit records from unauthorized access, modification and deletion? Yes.
-
Does maiLink SRM record Failed Log In events in its audit logs? No.
-
Does maiLink SRM record Files / Records Deleted events in its audit logs? No.
-
Does maiLink SRM record Files / Records Modified events in its audit logs? No.
-
Does maiLink SRM record Files / Records Viewed events in its audit logs? No.
-
Does maiLink SRM record Log In events in its audit logs? Yes.
-
Does maiLink SRM record Log Out events in its audit logs? Yes.
-
Does generation of a maiLink SRM audit report alter the original content or time stamp of the audit record? No.
-
Does maiData maintain records for maiLink SRM non-local maintenance and diagnostic sessions? Yes.
-
Is the information captured in maiLink SRM audit logs sufficient for system and user performance investigations? Yes.
Authentication
-
Does maiLink SRM protect the authenticity of communication sessions? Yes.
-
Does maiLink SRM support multi-factor authentication? Yes, if configured.
-
Does maiLink SRM system obscure the authenticator/password during the authentication process? Yes.
-
Does maiLink SRM uniquely identify and authenticate devices before establishing communication with the Cloud? Yes, using unique encrypted JSON Web Tokens (JWTs).
-
Does maiLink SRM uniquely identify and authenticate devices before establishing communication within the Customer facility? Yes.
-
Does maiLink SRM use managed LDAP services for identification and authentication? No.
-
How does maiLink SRM achieve MFA? One-Time Password (OTP), if configured.
-
Is maiLink SRM authenticator content protected from unauthorized disclosure and modification? Yes through encryption.
-
Is token-based authentication used? Yes.
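The device authentication answer above says each Agent presents a unique JWT to the Cloud. As an added example (not maiData's code and not part of the original questionnaire), the block below shows the two halves of such an exchange: the Agent minting a short-lived token bound to its device id, and the Cloud verifying it. It assumes HMAC-signed (HS256) JWTs with a per-device key registry, an audience claim of "mailink-cloud" and a 300-second lifetime; the real product is described as using encrypted JWTs, and its key management, claim names and lifetimes are not on the page, so every one of those details here is a constructed assumption.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a per-device key registry on the Cloud side.
# Hypothetical; maiData's actual device enrolment and key storage are not described on the page.
DEVICE_KEYS = {
    "dev-0001": b"constructed-key-for-dev-0001-0123456789abcdef",
    "dev-0002": b"constructed-key-for-dev-0002-fedcba9876543210",
}
AUDIENCE = "mailink-cloud"  # assumed audience value the Cloud expects
TOKEN_TTL_SECONDS = 300     # assumed short lifetime; limits replay if a token leaks


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_device_token(device_id: str, now: int, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Agent side: build a compact JWT whose subject is this device and sign it with the device key."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": device_id, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(DEVICE_KEYS[device_id], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_device_token(token: str, now: int) -> tuple[bool, str]:
    """Cloud side: return (True, device_id) for a valid token, else (False, reason).

    Order matters: pin the algorithm before trusting anything in the header, look the key up by
    the claimed device so a token from one device cannot be replayed as another, check the
    signature in constant time, and only then evaluate audience and expiry.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong number of segments
        return False, "malformed"
    if header.get("alg") != "HS256":  # reject "none" and any algorithm downgrade
        return False, "unsupported alg"
    device_id = payload.get("sub")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if payload.get("aud") != AUDIENCE:
        return False, "wrong audience"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    return True, device_id


def forge_subject(token: str, new_device_id: str) -> str:
    """Attacker helper for the demo: rewrite the subject claim but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["sub"] = new_device_id
    return header_b64 + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed clock value
    token = mint_device_token("dev-0001", issued_at)
    print(verify_device_token(token, issued_at + 60))                        # (True, 'dev-0001')
    print(verify_device_token(token, issued_at + 600))                       # (False, 'expired')
    print(verify_device_token(forge_subject(token, "dev-0002"), issued_at))  # (False, 'bad signature')
```

The forged-subject case is the one worth keeping in mind when a device identity is carried in a bearer token: because the Cloud selects the verification key from the claimed device id, a token signed by one device fails verification the moment its subject is altered, which is what makes the per-device key (rather than a single shared secret) the actual uniqueness guarantee.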
Configuration
-
How do you do a factory reset on maiLink SRM? This is not necessary.
-
How is IP Address of the maiLink SRM configured? Not applicable because maiLink SRM is not on-premise.
-
How is the configuration of maiLink SRM controlled? maiLink SRM configuration is controlled by maiData. The maiLink SRM configuration for the Partner is controlled by Partner administrators.
Credentials
-
Can a maiLink SRM user request a password reset? Yes.
-
Can any user with maiLink SRM credentials add, remove or modify Administrator users? Yes, but that capability will be removed in early 2022.
-
Can Customer IT personnel be given credentials to maiLink SRM? Yes, but the Partner should not agree to this.
-
Can the Customer configure the default requirements for passwords? Yes, if federated.
-
Does maiLink SRM allow federation of credentials? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain at least one non-alphanumeric character? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain at least one numeric digit? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to contain mixed-case alpha characters? Yes, if credentials are federated.
-
Does maiLink SRM require passwords to expire every 90 days? Yes, if credentials are federated.
-
Does maiLink SRM support federated identity? No, but it is planned for a future release.
-
Must a maiLink SRM user establish their own password at first login? Yes.
-
What are the minimum requirements for a maiLink SRM password in terms of length and complexity? None at this time unless credentials are federated.
-
What credentials does a user need to access maiLink SRM locally (from inside the Customer firewall)? There is no local access to maiLink SRM.
-
What credentials does a user need to access maiLink SRM remotely (from outside the Customer firewall)? Partner-authorized maiLink SRM credentials and role permissions.
Data Access
-
Will maiLink SRM be used to transmit Customer Employee Information? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PCI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PHI? Only if necessary, authorized and permitted by Customer.
-
Will maiLink SRM be used to transmit PII? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Customer Internal / Proprietary Information via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access Employee Information via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PCI via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PHI via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to access PII via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner be able to receive transmitted data from Customer, via maiLink SRM? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to a database or application, via maiLink SRM, that stores or transmits Customer data? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to infrastructure, via maiLink SRM, that stores or transmits Customer data? Only if necessary, authorized and permitted by Customer.
-
Will the Partner have access to the Customer network, via maiLink SRM, for on-site support? No.
-
Will the Partner have access to the Customer network, via maiLink SRM, for remote support? Yes, as authorized and permitted by Customer.
-
Will the Partner use Customer computer systems to access and/or transmit Customer data via maiLink SRM? No.
-
Will the Partner use Partner computer systems to access and/or transmit Customer data via maiLink SRM? Yes.
Documentation
-
Does maiData administrator documentation for maiLink SRM include configuration, installation and operation information? Yes, as applicable.
-
Does maiData administrator documentation for maiLink SRM include known vulnerabilities regarding configuration and use of administrator functions? Yes, as applicable.
-
Does maiData administrator documentation for maiLink SRM include security functions and mechanisms information? Yes, as applicable.
-
Does maiData include requirements, descriptions and criteria in the acquisition contract for maiLink SRM? Yes, but only an abbreviated description. The remaining requirements, descriptions and criteria are in publicly available documents.
-
Does maiData maintain administrator documentation for maiLink SRM? Yes, as applicable.
-
Does maiData maintain any documentation which includes the details of maiLink SRM’s security configuration specifications? Yes. Available on request.
-
Does maiData maintain current accurate documentation of the components in maiLink SRM? Yes.
-
Does maiData maintain user documentation for maiLink SRM? Yes.
-
Does maiData user documentation for maiLink SRM include information on methods for user interaction which make maiLink SRM use more secure? Yes, as applicable.
-
Does maiData user documentation for maiLink SRM include information on user responsibility in maintaining maiLink SRM security? Yes, as applicable.
-
Does maiData user documentation for maiLink SRM include information on user-accessible security functions and how to use them? Yes, as applicable.
-
Is any non-local maintenance and diagnostic activity performed on maiLink SRM (e.g. via network)? Yes.
-
Is there documentation outlining who, when and how maiLink SRM can be configured? Yes.
Partner Responsibilities
-
Are all approved maiLink SRM configuration changes implemented in a timely manner? Yes.
-
Does maiData authorize a list of authorized maintenance personnel? No. The Partner authorizes maintenance personnel.
-
Does maiData ensure that personnel performing maintenance on maiLink SRM have the required access authorizations? Yes.
-
Does maiData enter access agreements with employees that have access to maiLink SRM? No. It is the responsibility of the Partner to have access agreements with their employees if they are to be authorized to access maiLink SRM.
-
Does maiData periodically review access agreements for employees that have access to maiLink SRM? Yes, but it is the responsibility of the Partner to periodically review access agreements with their employees if they are authorized to access maiLink SRM.
-
Does maiData provide remote support / maintenance services that would involve maiData employees accessing maiLink SRM? No, by policy. The Partner may specifically request direct support and authorize access to the Agent by maiData personnel; however, this would not be a common occurrence.
-
Does maiData screen individuals prior to authorizing access to maiLink SRM? No. It is the responsibility of the Partner to determine which of their employees is authorized to access maiLink SRM.
-
How will maiLink SRM access, transmit or store Customer’s data? Partner may access, transmit or store Customer’s data using maiLink SRM as a tool. maiLink SRM does not independently access, transmit or store Customer data.
-
Who can create credentials for maiLink SRM? Partner maiLink SRM Administrator.
Policies and Procedures
-
Does maiData have personnel sanctions policies and procedures? No, but it is planned as part of our ISO 27001 process.
-
Does maiData maintain a list of authorized maintenance personnel for maiLink SRM? Yes, maiLink SRM maintains a list of authorized maintenance personnel as authorized by the Partner.
SDLC Procedures
-
Are maiLink SRM flaws identified, reported and corrected? Yes.
-
Are maiLink SRM software and firmware updates tested for effectiveness and potential side effects before incorporation? Yes.
-
Are all maiLink SRM configuration changes documented? Yes.
-
Are configurable changes to maiLink SRM documented? Yes.
-
Do the documented maiLink SRM configuration settings reflect the most restrictive mode consistent with operational requirements? Yes.
-
Does maiData analyze changes to maiLink SRM to determine potential security impacts prior to change implementation? Yes.
-
Does maiData apply information system security engineering principles in the Product Development Life Cycle of maiLink SRM? Yes.
-
Does maiData approve, control and monitor maiLink SRM maintenance tools? Yes.
-
Does maiData automatically apply software patches to maiLink SRM? Yes, using an auto-update mechanism.
-
Does maiData categorize maiLink SRM patches based on severity? Yes, maiData classifies patches as “minor”, “major”, and “critical”.
-
Does maiData check for potential adverse impact on security controls following maintenance or repair actions? Yes.
-
Does maiData define a comprehensive life cycle for maiLink SRM? No, but it is planned as part of our ISO 27001 process.
-
Does maiData define the timing of maiLink SRM patches? Yes, maiLink SRM auto-updates occur within 30 days of release of a maiLink SRM release.
-
Does maiData develop, document and implement a configuration management plan for maiLink SRM that addresses roles, responsibilities and configuration? No, but it is planned as part of our ISO 27001 process.
-
Does maiData document maiLink SRM configuration changes that deviate from the established settings? Yes.
-
Does maiData have a process for identifying configuration items during the SDLC? Yes.
-
Does maiData maintain a formal security patch management process for maiLink SRM? No, not at this time.
-
Does maiData maintain documented policies and procedures for maintenance of maiLink SRM? Yes.
-
Does maiData perform vulnerability testing as part of maiLink SRM’s Software Development LifeCycle (SDLC)? Yes, using ZAP software to test against the Open Web Application Security Project (OWASP) requirements.
-
Does maiData protect the configuration management plan from unauthorized disclosures and modifications? Not applicable.
-
Does maiData require maiLink SRM developers to conform to maiData-approved configuration changes? Yes.
-
Does maiData require maiLink SRM developers to create and implement a security assessment plan for maiLink SRM? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
Does maiData require the maiLink SRM developers security assessment plan to produce evidence of the execution of the security assessment plan? No, but maiData is in the process of developing such policies and procedures for conformance with ISO 27001:2013.
-
How often does maiData perform penetration tests on maiLink SRM? Once per software release.
-
Is there active monitoring of maiLink SRM configuration changes? No.
-
Is there documentation outlining the baseline configuration of maiLink SRM? No.
-
What environments does maiData use in development of patches for maiLink SRM? maiData uses our QA environment to verify and validate patches.
Security
-
Are strong authenticators/passwords used in the establishment of maiLink SRM non-local maintenance and diagnostic sessions? Yes.
-
Are there any known vulnerabilities within maiLink SRM? No.
-
Can maiLink SRM credentials be federated with Partner’s IT credentialing authority? Yes, with SAML.
-
Does maiLink SRM come with its own antivirus solution? Not applicable.
-
Does maiLink SRM come with its own malware protection? Not applicable.
-
Does maiLink SRM display the last user logon date and time to the user? No.
-
Does maiLink SRM encrypt data at rest? Yes.
-
Does maiLink SRM encrypt data in transit? Yes.
-
Does maiLink SRM have a session lock after a period of inactivity that requires reauthentication? Yes.
-
Does maiLink SRM include any collaborative devices (cameras, microphones, etc)? No.
-
Does maiLink SRM limit the number of concurrent sessions for the user? No.
-
Does maiLink SRM prevent user actions that can be performed on the system without identification and authentication? Yes.
-
Does maiLink SRM provide system use notification that includes privacy and security notices before granting access? No.
-
Does maiLink SRM separate user functionality from administrative functionality? Yes.
-
Does maiLink SRM store passwords in an encrypted format? Yes.
-
Does maiLink SRM terminate the session after predefined circumstances? Yes.
-
Does maiLink SRM use cryptographic mechanisms to recognize changes to information (such as hashing)? No.
-
Does maiLink SRM use cryptographic protocols to protect transmitted information? Yes.
-
Does maiLink SRM use managed LDAP services for identification and authentication? Yes, if configured.
-
Does maiLink SRM use mechanisms for authentication to a cryptographic module? No.
-
Does maiData have any automated or manual monitoring of maiLink SRM configuration changes? No, not at this time.
-
Does maiData have termination procedures in place for those with access to maiLink SRM? Yes, but it is the responsibility of the Partner to handle the termination of any of their own employees that are authorized to access maiLink SRM.
-
Does maiData have third-party access control procedures for external parties granted access to maiLink SRM? Yes. maiData does not grant third-party access to maiLink SRM.
-
Does maiData have transfer procedures in place for those with access to maiLink SRM? No. It is the responsibility of the Partner to handle transfer between employees of authorization to access maiLink SRM.
-
Does maiData restrict or prohibit the use of any maiLink SRM functions, ports, protocols and/or service that are not essential? Yes.
-
Does maiData retain records of maiLink SRM configuration changes? Yes.
-
Does maiData review proposed maiLink SRM configuration changes using defined security impact analyses? No.
-
Has maiLink SRM undergone any major platform changes, upgrades or enhancements in the past six months? No.
-
How does maiLink SRM keep Customers secure? The user federation available in maiLink SRM ensures that only Partner-approved service technicians have access to the products in the customer facility. In addition, the Agent software built into each product only uses outbound ports to connect with maiLink SRM.
-
Is user installation of maiLink SRM restricted and monitored? Yes.
-
What cryptographic protocols does maiLink SRM use to protect transmitted information, including strength? AES 128-bit.
-
What encryption method does maiLink SRM use to encrypt data at rest? No.
-
What encryption method does maiLink SRM use to encrypt data in transit? AES 128-bit.
-
What is the inactivity period before maiLink SRM terminates a session? 15 minutes.
-
What was the date of the most recent maiLink SRM vulnerability test? 2021-01-29.
Security Policy
-
Are maiLink SRM non-local maintenance and diagnostic sessions terminated after completion? Yes.
-
Does maiData implement maiLink SRM patches categorized as critical within 72 hours of patch release? Yes, depending on the requirement to notify end-user customers of changes associated with a specific patch.
-
Does maiData maintain a disaster recovery policy which applies to maiLink SRM? No, but it is planned as part of our ISO 27001 process.