SOLICITATION # CH16012

6.7 — Best Practices

6.7 Specify your policies and procedures in ensuring visibility, compliance, data security and threat protection for cloud-delivered services; include any implementations of encryption or tokenization to control access to sensitive data.

Carahsoft utilizes varying procedures for ensuring visibility, compliance, data security and threat protection for cloud-delivered services. Please see the below examples of potential options for meeting the State's expectations:

ServiceNow Response: ServiceNow applications have the advantage of being built on a single cloud platform that consists of one user interface, one code base and one data model; delivering holistic visibility into processes, creating a single source of truth, irrespective of whether the processes and systems are within the customer's environment or hosted in the cloud. ServiceNow invests significant resources in providing its services in a secure manner. This includes global teams delivering 24/7 operations and technical support from ServiceNow staff. ServiceNow currently has offices with staff focused on the management of the private cloud in Australia, the Netherlands, the UK, North America, and Asia. The ServiceNow environment is a private cloud, fully owned and operated by ServiceNow, which supports a logically single tenant architecture. Customer data is isolated from other customer data by leveraging an enterprise-grade cloud architecture and a dedicated database and application set per instance. This gives ServiceNow customers cost reduction through shared infrastructure, while having the security benefits of customer-specific isolation at the application and data layers. In addition to the security features that come standard within the platform and each customer instance, customers can leverage the additional security features within ServiceNow to augment the security configuration of their instances based on their own needs and risk profile.

CA Response: This is addressed throughout all of our policies and procedures. CA SaaS Operations and Delivery runs an Information Security Management Framework (ISMS), which includes security organization, documentation, monitoring, and continuous improvement cycle. The security documentation comprises CA SaaS Operations information security policies, procedures, guidelines and checklists. ISMS documentation is reviewed along with applicable controls annually. CA offers a variety of SaaS solutions; details for each offering have been provided in Exhibit 1 and 2 of this proposal.

Salesforce Response: Salesforce has many customers that are subject to laws pertaining to the processing of personally identifiable information (PII) or personal data. Salesforce offers its customers a broad spectrum of functionalities and customer-controlled security features that its customers may implement in their respective uses of the Salesforce services. Salesforce believes that these provide its customers the flexibility to comply with laws with stringent privacy and security requirements. Encryption options vary based on Salesforce Commercial Cloud or Salesforce Government Cloud offering.

Government Cloud Encryption:

As part of the Salesforce Government Cloud, Salesforce is capable of responding to FIPS 140-2 cryptographic implementations for data being transferred between the State's web browser and Salesforce. Data that resides within Salesforce's protected boundary does not use FIPS 140-2 validated encryption as compensating/mitigating controls are in place to protect data. Additional information is provided below.

Data In Motion: