Laserfiche WebLink
SOLICITATION # CH16012 <br />Database administrator account activity is logged. These logs are sent to the security information <br />and event management (SIEM) system. These database activities logs are reviewed for <br />appropriateness by the Computer Security Incident Response Team (CSIRT) team on a regular <br />basis. This log data is also available as a forensic audit trail to support CSIRT during incident <br />investigations. <br />A customer's instance (org) of Salesforce is an aggregate of the raw data. The data model is very <br />complicated, normalized, and the rows are identified by base62 encoded keys (primary and <br />foreign). Re-establishing data ownership and a business context for the data would be very difficult <br />to do at the database level. In order to reassemble any given customer's application (org), <br />someone would need access to our source code in order to reassemble the raw data in a manner <br />that could be interpreted and understood, and would need the entire set of tapes or disks/arrays <br />supporting a given Instance, as the data for any one customer is spread across several <br />tapes/disks. Data center engineers with physical access to the servers do not have logical access <br />to the production environment and administrators with logical access to the systems do not have <br />h sical access to the data centers. <br />ServiceNow <br />ServiceNow applies the same data classification for all hosted customer data. ServiceNow does <br />not inspect or monitor its customers' information and therefore has no ability to sub -classify <br />customer data. The overriding requirement of the assigned classification is that customer data <br />remains hosted in the private cloud until the customer terminates their subscription. It is never <br />stored anywhere apart from the private cloud. <br />Customers remain the data owner and data controller for all data placed into their instance. <br />ServiceNow does not examine, inspect, monitor or analyze customers' data. <br />Customers apply access controls to restrict access to data within their instances based on their <br />own requirements and needs, including their own data classification. <br />QTS <br />The customer will be assigned one or more Org Administrators. All users will be configured with <br />RSA AD two -factor Risk Based authentication as a requirement for cloud portal access. <br />SAP <br />Ariba <br />We participate in the following national and international standards <br />committees: <br />WebTrust: (2001 - current) The Security, Availability, Processing Integrity and <br />Confidentiality of our applications are based on the Trust Services Principles <br />now incorporated into the SSAE16/ISAE 3000 SOC 2 standards <br />SSAE16: (formerly SAS 70) certification: (Since 2011) <br />ISAE 3402: (The International Standard on Assurance Engagements since <br />2014) every six months we undergo a rigorous ISAE 3402 audit by <br />independent auditor PricewaterhouseCoopers (PwC) <br />Payment Card Industry (PCI) Data Security Standard (DSS): (Since 2008) we <br />have adopted and adhere to the PCI-DSS). PCI certification and compliance <br />with the Visa USA Cardholder Information Security Program (CISP) and <br />MasterCard Site Data Protection (SDP) program <br />Safe Harbor: (Since 2007) Current on the Safe Harbor list for ""Online Data <br />for the ASN and Cloud Solutions/Services <br />A firewall separates the Ariba corporate network from Ariba infrastructure <br />computers. Therefore, unauthorized Ariba employees cannot access Ariba <br />data from the Ariba corporate network infrastructure. Access is limited to <br />specific roles or functions within Ariba Operations. Additionally, access is <br />managed on an "exception" basis whereby personnel need clearance to be <br />carahsoft <br />carahsoft <br />