Laserfiche WebLink
SOLICITATION # CH16012

Hybris

Upon a breach that directly affects a customer's environment, hybris would notify the customer as quickly as reasonably possible. Furthermore, hybris follows its information security incident management policy as well as Visa's standard process for responding to a breach. The policy includes procedures such as disclosure of sensitive information, disclosure of system vulnerability, public release of vulnerability information, system vulnerability exploitation as well as incident reporting, contacting of law enforcement and forensic investigation.

SuccessFactors

We have a comprehensive and approved Incident Management Policy and process. Upon the occurrence of a security incident, initial communication is distributed to the appropriate individuals and an escalation process is followed. Upon becoming aware of the incident, measures are promptly taken by the team to resolve the situation.

All affected customers should be informed within at most 36 hours of confirming a potential breach in the privacy of their data. Following incident resolution, follow-up is required to ensure that the incident has been resolved effectively and that the threat is no longer present.

We are aligned with ISO 27k standards for event and incident management and have formal incident management policies and processes in place. These policies and procedures are tested in the ISO 27k and SOC 2 audits.

VMware

VMware IaaS Services

If VMware determines that there has been unauthorized access to, or use or disclosure of, Your Content, or other incident, VMware will use commercially reasonable efforts to notify You, taking into account any applicable law, regulation, or governmental request.

VMware will provide security incident response (e.g., detection, severity/threat classification, forensics, and resolution) pertaining to management infrastructure over which VMware has direct, administrative, and/or physical access and control, such as the vCloud Hybrid Service servers, storage, applications, and network devices.

Documented escalation procedures and a ticketing system are in place to guide employees in identifying, reporting, and responding to system availability issues and related security incidents. This includes an incident response policy to determine severity of an incident and a breach notification process.

All alerting and monitoring at the guest OS\VM level is the responsibility of the customer.

In the event of a data breach customers will be notified by VMware vCloud Air Global Support Services via their preferred contact means. VMware will provide security incident response (e.g., detection, severity/threat classification, forensics, and resolution) pertaining to management infrastructure over which VMware has direct, administrative, and/or physical access and control, such as the vCloud Air service servers, storage, applications, and network devices.

Notification timeframes are agreed upon between VMware and the customer in standard agreements and contracts. Incidents are handled on a case-by-case basis, but typically occur between 24-48 hours after a breach has been confirmed.

VMware will provide security incident response (e.g., detection, severity/threat classification, forensics, and resolution) pertaining to management infrastructure over which VMware has direct, administrative, and/or physical access and control, such as the vCloud Air service servers, storage, applications, and network devices.

FireEye

FireEye has a developed documented process for reporting client notification for regulatory, legal and contractual issues once a breach has been confirmed.

Virtustream

Virtustream shall contact customers in accordance with Service Level Agreements (SLA) and contractual obligations.

There are two primary Incident types: Security Incidents, where there is a possible breach in systems or data integrity, and Services, where there is an impacted or affected service. Although there is some overlap, generally any security-related incident should be classified as a Security