Sensei Common Controls
Our responses to CSA CCM v3.0.1 are below:
AIS Application & Interface Security
Control | Requirement | Vendor Response |
---|---|---|
E1 | Provide any vulnerability and penetration test (VAPT) reports for externally accessible interfaces (user, administrative and API access) within the solution. | The Reporting Hub and associated applications are security assessed and penetration tested by Sense of Security, a third-party CREST-certified tester. A summary is included in this document and the complete reports are available on request. |
E2 | Provide details of methodologies, frameworks and development practices that ensure that the software components of the solution are developed securely and are not vulnerable to the OWASP top 10 vulnerabilities. | At the application level, all developers who contributed code to the project have been briefed on the OWASP Top 10 and the corresponding precautions; while several categories are not applicable to this type of solution, regular code reviews and continuing education maintain a consistent approach to security. As a PaaS consumer of Microsoft infrastructure, Sensei defers to Microsoft for infrastructure vulnerability management. Microsoft's trustworthy-foundation approach for Azure applies continuous security improvement through its Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) programs, using both Prevent Breach and Assume Breach security postures. |
E3 | Provide test reports from any automated source code analysis tool(s) used to detect OWASP vulnerabilities. | No automated OWASP test reports are currently available to share; we plan to make this information available in the future. |
E4 | Demonstrate that weaknesses identified through VAPT and any other methods are remediated. | No VAPT remediation evidence is currently available to share; we plan to make this information available in the future. |
AAC Audit Assurance & Compliance
Control | Requirement | Vendor Response |
---|---|---|
E5 | Provide your auditing plans, including scope and schedules. | As a PaaS customer of Microsoft Azure, we rely on and endorse the trustworthiness of Microsoft's security auditing procedures, described at the Azure Trust Center website (http://azure.microsoft.com/trustcenter). Microsoft Azure independent audit reports and certifications are shared with customers in the format native to the type of audit. Microsoft describes these certifications and attestations as an accurate representation of how it obtains and meets its security and compliance objectives, and as a practical mechanism for customers to validate its promises. |
E6 | Provide any applicable internal and/or external (independent) audit reports and evidence of approved remediation plans. | Sensei chooses to be a PaaS consumer rather than an IaaS consumer so that the infrastructure is managed exclusively by Microsoft under ISO 27001 and other certified conditions. SOC reports, ISO 27001 certifications and other audit reports for Microsoft Azure and Microsoft Cloud Infrastructure and Operations (global datacenters) can be found on the Azure Trust Center website (http://azure.microsoft.com/trustcenter) and on the website of Microsoft's external ISO auditor, the BSI Group. Additional audit information is available under NDA upon request by prospective and existing customers through their Microsoft Account Representative. Applicable audits of Azure infrastructure and platform services are carried out at least annually by certified independent assessors, including SOC 1 / 2, ISO 27001, FedRAMP, PCI, CDSA and others. |
BCR Business Continuity Management & Operational Resilience
Control | Requirement | Vendor Response |
---|---|---|
E7 | Provide your business continuity plans, continuity and ICT disaster recovery plans or otherwise demonstrate they are in alignment with ISO 22301 and ISO 27031 requirements. | The BCP for the Reporting Hub is aligned with that of the underlying infrastructure. BCPs have been documented and published for critical Azure services; they define roles and responsibilities and detailed procedures for recovery and reconstitution of systems to a known state per defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Plans are reviewed at least annually. The BCP team tests the business continuity and disaster recovery plans for critical services per the defined testing schedule for different loss scenarios, and each loss scenario is tested at least annually. Issues identified during testing are resolved during the exercises and plans are updated accordingly. Once alerted to a BCP incident, Sensei will, depending on its severity, ensure that alternative infrastructure services are sourced at one of the 3 alternative locations (the Reporting Hub runs active nodes in 3 Microsoft datacenters; see E8). |
E8 | Demonstrate that the solution will continue to operate in the event of total loss of a datacenter, interruption of power or telecommunications, or failure of other equipment and supporting systems. | The Sensei Reporting Hub currently has active nodes in 3 Microsoft datacenters on different continents. The Reporting Hub itself is an add-on aggregation service to Project Online and so holds no unique data by default. If a disaster causes Microsoft to invoke its BCP and move your Project Online service to a different datacenter, Sensei initiates a matching move of the Reporting Hub service; the Reporting Hub therefore inherits the RTO and RPO of the parent Microsoft service. Azure runs in geographically distributed Microsoft facilities, in some cases sharing space and utilities with other Microsoft Online Services (paired datacenters are located at least 300 miles apart to provide failover in the event of a large-scale regional disaster). Each facility is designed to run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion and network outages. These datacenters comply with industry standards (such as ISO 27001) for physical security and availability, and are managed, monitored and administered by Microsoft operations personnel. Microsoft Azure also provides multiple fault-tolerance mechanisms within a customer's Azure subscription, including failover clusters, geo-redundant storage and load balancing. |
CCC Change Control & Configuration Management
Control | Requirement | Vendor Response |
---|---|---|
E9 | Provide your change control policies and processes and/or guidelines or otherwise demonstrate they align to industry good practice such as ITIL. | ITIL (Information Technology Infrastructure Library) defines change control procedures relevant to infrastructure. As a PaaS consumer, the Sensei Reporting Hub inherits Azure's approach and standard operating procedures for infrastructure management; Sensei's own application change process is described under E10 and E11. Azure has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53 and others. Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities unique to Microsoft, including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape. OSA combines this knowledge with the experience of running hundreds of thousands of servers in datacenters around the world. Microsoft uses OSA to minimize risk by ensuring that ongoing operational activities follow rigorous security guidelines and by validating that those guidelines are actually being followed. When issues arise, a feedback loop helps ensure that future revisions of OSA contain mitigations to address them. The foundation of secure online services consists of two elements: SDL, to ensure the software that underlies the service is designed and developed with security in mind throughout its lifecycle, and OSA, to ensure the deployment and operation of the service includes effective security practices throughout its lifecycle. The OSA process also uses feedback from online services teams within Microsoft to continuously evaluate and improve itself; this feedback is treated as confidential and protected in accordance with Microsoft internal policies. The three key processes of OSA are: (1) ensuring that OSA inputs (such as organizational learning, threat intelligence and security technologies) are up to date and relevant; (2) developing and applying centralized review processes to consolidate requirements into the OSA baseline; and (3) engaging teams and implementing the new requirements and baselines. Additional information on how Microsoft Azure uses OSA for change and configuration management can be found at http://www.microsoft.com/en-us/download/confirmation.aspx?id=40872 |
E10 | Provide evidence that your change control process outputs are followed such as approved and completed change requests. | Sensei uses the Continuous Integration features of Visual Studio Online build and release management to manage changes to the Reporting Hub product. When code is checked in against a logged work item, the 'Latest' environment is automatically rebuilt and the unit tests are run against the new code. Once that version has passed testing, the same binary files are deployed to staging. When the change is ready for production, the production release is triggered, which starts an approval process. Once one of the 2 nominated product owners has approved, the staging slot is warmed up and then swapped with production. This lets us release changes and updates to the service without creating outages, and lets us revert to the previous version at any time by swapping the slots back. The process is automated and runs at all 3 datacenters. |
E11 | Demonstrate by way of regular audits, automated scans or other means, that only approved changes are migrated into production. | The Visual Studio Release Management approval workflow ensures that only approved changes are released to production. When approving a release for production, the approver is presented with the list of work items and code check-ins contained in that release, with the opportunity to review all the changes before they move to production. All changes can also be exercised in the 'Latest' environment for regression testing. See E10 for more detail. |
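
The promotion gate described in E10 and E11 (and the "same tested binaries reach production" property restated in E31) can be checked mechanically. The following is an added example, not Sensei's pipeline code: it records a SHA-256 manifest of the build that passed testing in 'Latest' and refuses the staging-to-production swap if the staged files differ from that manifest or no nominated product owner has approved. The approver names, file names and contents are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added illustration (not Sensei's pipeline code) of a build-once, promote-the-same-bytes
# gate: a SHA-256 manifest recorded for the tested build is re-verified before the
# staging slot is swapped into production. Names and file contents are placeholders.

PRODUCT_OWNERS = frozenset({"owner-a", "owner-b"})   # the two nominated approvers (placeholders)


def build_manifest(artifact_dir):
    """Map each file under artifact_dir (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(artifact_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_drift(artifact_dir, manifest):
    """List every way artifact_dir differs from the manifest: missing, modified or extra files."""
    current = build_manifest(artifact_dir)
    drift = [f"missing: {p}" for p in manifest if p not in current]
    drift += [f"modified: {p}" for p in manifest if p in current and current[p] != manifest[p]]
    drift += [f"unexpected: {p}" for p in current if p not in manifest]
    return drift


def promotion_allowed(staging_dir, manifest, approvals):
    """Allow the slot swap only if the staged binaries are byte-identical to the tested
    build and at least one nominated product owner has approved."""
    if manifest_drift(staging_dir, manifest):
        return False
    return bool(PRODUCT_OWNERS & set(approvals))


def demo():
    """Run three scenarios on temporary directories and return the gate decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp, "latest")
        build.mkdir()
        (build / "app.dll").write_bytes(b"compiled bytes v1")        # constructed artifact
        (build / "web.config").write_text("<configuration/>")
        manifest = build_manifest(build)                             # recorded when 'Latest' passed tests

        staging = Path(tmp, "staging")
        shutil.copytree(build, staging)                              # same bytes promoted to staging
        clean = promotion_allowed(staging, manifest, ["owner-a"])
        unapproved = promotion_allowed(staging, manifest, ["developer-x"])

        (staging / "app.dll").write_bytes(b"compiled bytes v1 + hotfix")  # out-of-band change
        tampered = promotion_allowed(staging, manifest, ["owner-a"])
        drift = manifest_drift(staging, manifest)
    return {"clean": clean, "unapproved": unapproved, "tampered": tampered, "drift": drift}


if __name__ == "__main__":
    print(demo())
```

The manifest should be written by the build job and read by the release job from a store the release job cannot overwrite; otherwise a compromised release step could regenerate it to match whatever it is about to deploy.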
DSI Data Security & Information Lifecycle Management
Control | Requirement | Vendor Response |
---|---|---|
E12 | Provide your policies, procedures and/or guidelines in respect of data classification, data handling and disposal. Provide details of how customer data is classified, handled and disposed of. | As a PaaS consumer, the Sensei Reporting Hub does not classify customer data and defers to Microsoft for the proper management and disposal of the hardware assets used to provide the service. Azure classifies its own data according to the Microsoft Azure data classification scheme and then implements a standard set of security and privacy attributes; Microsoft does not classify data uploaded and stored by customers. Hardware is uniquely identified using software monitoring tools and hardware asset tags as part of the Azure Data Classification program. Azure follows NIST 800-88 Guidelines on Media Sanitization, which address the principal concern of ensuring that data is not unintentionally released; these guidelines encompass both electronic and physical sanitization. Customer data can be returned on request up to 90 days after subscription termination, and is provided as a download link to a BACPAC file. |
E13 | Provide evidence that data is handled in accordance with its classification and policy. Ensure that such evidence covers data at rest, data in transit, and data in use. | HTTPS is enforced with a minimum TLS version of 1.2. Connections to SQL Azure are likewise TLS-encrypted; the server certificate uses a 4096-bit RSA key (RSA is used for server authentication and key establishment, not for encrypting the session data, which uses the negotiated symmetric cipher). The Transparent Data Encryption feature of SQL Azure is enabled for all customer databases, so data is encrypted with AES-256 before it is written to disk. More information is available at https://msdn.microsoft.com/library/dn948096?f=255&MSPPError=-2147217396 |
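
As an added example (not Sensei's or Microsoft's code) of what "TLS 1.2 minimum, certificate-validated" means on the client side of E13: a Python TLS context that refuses pre-1.2 peers and validates certificates and hostnames, plus a check that an Azure SQL connection string cannot silently downgrade to cleartext or accept any certificate. The server name in the sample strings is a placeholder.

```python
import ssl

# Added illustration (not Sensei's or Microsoft's code): how a client enforces the
# transport settings described for E13. The server name below is a placeholder.


def hardened_client_context():
    """Client TLS context: TLS 1.2 floor, certificate and hostname verification, AEAD suites only."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse TLS 1.0 / 1.1 peers
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Forward-secret ECDHE with AES-GCM only, in line with the AES/GCM/ECC policy under E17.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    return ctx


def context_is_hardened(ctx):
    """True when the context refuses pre-1.2 TLS and validates the server certificate and hostname."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def parse_connection_string(cs):
    """Split an ADO.NET-style 'Key=Value;...' string into a lower-cased dict."""
    parts = {}
    for item in cs.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip().lower()
    return parts


def connection_string_issues(cs):
    """Settings that would let a SQL client talk in clear or skip certificate validation."""
    parts = parse_connection_string(cs)
    issues = []
    if parts.get("encrypt") != "true":
        issues.append("Encrypt=True is required so the SQL session is wrapped in TLS")
    if parts.get("trustservercertificate", "false") == "true":
        issues.append("TrustServerCertificate=True disables certificate validation and allows MITM")
    return issues


# Constructed sample strings (placeholder server name).
GOOD = "Server=tcp:example.database.windows.net,1433;Database=customer;Encrypt=True;TrustServerCertificate=False;"
BAD = "Server=tcp:example.database.windows.net,1433;Database=customer;Encrypt=False;TrustServerCertificate=True;"

if __name__ == "__main__":
    print("context hardened:", context_is_hardened(hardened_client_context()))
    print("good string issues:", connection_string_issues(GOOD))
    print("bad string issues:", connection_string_issues(BAD))
```

The second check matters because a client that sets TrustServerCertificate=True still negotiates TLS, so traffic looks encrypted on the wire, but any certificate is accepted and the 4096-bit server key provides no protection against an interposed endpoint.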
DCS Datacenter Security
Control | Requirement | Vendor Response |
---|---|---|
E14 | Provide any recent audit reports of the security and availability of the datacenter and service management environments for the solution (where permitted), or otherwise demonstrate that the environments are subject to relevant security certifications. | As a PaaS consumer, datacenter security, availability and management are handled exclusively by Microsoft. No solution components or customer data are hosted outside Microsoft datacenter facilities. Microsoft datacenters hold SSAE 16 / ISAE 3402 attestations and are ISO 27001 certified. They are located in nondescript buildings that are physically constructed, managed and monitored 24 hours a day to protect data and services from unauthorized access and environmental threats, and are surrounded by a fence with access restricted through badge-controlled gates. |
E15 | Provide evidence that controls cover physical and network access, asset identification and ownership, removal, relocation and disposal of equipment and storage media. | Azure follows NIST 800-88 Guidelines on Media Sanitization, which address the principal concern of ensuring that data is not unintentionally released; these guidelines encompass both electronic and physical sanitization. Physical access controls for the datacenters are described under E14, and hardware asset identification under E12. |
EKM Encryption & Key Management
Control | Requirement | Vendor Response |
---|---|---|
E16 | Provide your policies, procedures and/or guidelines in respect of the management of cryptographic keys both within the solution and the operations management systems. | Sensei follows Azure best practices for the storage of cryptographic secrets, using Azure Key Vault where possible. Microsoft has policies, procedures and mechanisms established for effective key management to support encryption of data in storage and in transmission for the key components of the Microsoft Azure service. |
E17 | Provide details of cryptographic algorithms and standards including cipher suites used to protect information from confidentiality and integrity compromise both at rest and in transit. | Key management encompasses the entire life cycle of a cryptographic key, which passes through three phases: pre-operational, operational and post-operational. Azure cryptographic algorithms and key lengths: symmetric block cipher AES with keys of 256 bits or more, in CBC, CCM or GCM mode; asymmetric RSA and Diffie-Hellman with keys of 2048 bits or more, and elliptic-curve cryptography using P-256 or stronger curves (256 bits or more); hashes, including HMAC usage, from the SHA-2 family (SHA-256, SHA-384, SHA-512), with HMAC keys of 128 bits or more. For the Reporting Hub's own endpoints, TLS 1.2 is the minimum negotiated version and customer databases are encrypted at rest with AES-256 via Transparent Data Encryption (see E13). |
GRM Governance and Risk Management
Control | Requirement | Vendor Response |
---|---|---|
E18 | Demonstrate that an Information Security Management System (ISMS) is in place and aligned with the controls in ISO/IEC 27001 or other industry control framework. | Sensei treats the confidentiality, integrity and availability of customer information very seriously. Customer data is available only to employees actively contracted to undertake that customer's work who have already been granted access to the customer's Office 365 tenant, so granting them access to the Reporting Hub data does not increase their exposure to customer data. The underlying infrastructure is governed by the Microsoft Azure ISMS: Microsoft Azure has designed and implemented an ISMS framework that addresses industry best practices for information security and privacy. The ISMS has been documented and communicated in a customer-facing Information Security Policy, which can be made available upon request (customers and prospective customers must have a signed NDA or equivalent in place to receive a copy). This policy is reviewed and approved annually by Microsoft Azure management, which has established roles and responsibilities to oversee implementation of the policy. Each management-endorsed version of the Information Security Policy and subsequent updates are distributed to relevant stakeholders. The Information Security Policy is made available to new and existing Microsoft Azure employees for review as part of an information security education and awareness program. Azure employees represent that they have reviewed, and agree to adhere to, all policies within the Information Security Policy documents; Microsoft Azure contractor staff agree to adhere to the relevant policies within it. In addition, MCIO-managed network devices are configured to log and collect security events, and are monitored for compliance with established security standards. Prior to any deployment, a change to the baseline must follow the change and release management process. Tickets are opened to track any configuration or configuration deployment changes, and for any baseline settings/rules changes before they are deployed. |
E19 | Demonstrate that risk assessments are performed at least annually or at planned intervals and that risks are identified, evaluated, and their treatment is managed through assigned owners. | Azure performs an annual risk assessment. As part of the overall ISMS framework, baseline security requirements are continually reviewed, improved and implemented. Azure's controls for risk and vulnerability assessment of the Azure infrastructure encompass all areas in this section and meet the requirements of the standards against which Azure is audited, as demonstrated by the reports identified on the Azure Trust Center website. |
HRS Human Resources
Control | Requirement | Vendor Response |
---|---|---|
E20 | Demonstrate that personnel are made aware of their information security responsibilities and obligations on an ongoing basis and are legally bound to policies and procedures in respect of those obligations. | Sensei staff are legally bound by the non-disclosure provisions of their employment contracts and are updated on their obligations at least annually through the Sensei SYNK (Stuff You Need to Know) process. All administrators of the system hold valid Australian Federal Police checks. Microsoft staff take part in a Microsoft Azure and/or MCIO-sponsored security training program and receive periodic security awareness updates when applicable. Security education is an ongoing process and is conducted regularly to minimize risk; an example of internal training is Microsoft Security 101. Microsoft also has non-disclosure provisions in employee contracts: it requires employees and contractors to sign agreements that include non-disclosure provisions and asset protection responsibilities upon hire and annually thereafter. In addition, employees must acknowledge Microsoft's Employee Handbook, which describes the responsibilities and expected behavior with regard to information and information system usage, on an annual basis. |
E21 | Demonstrate that personnel involved in the development, operation and management of the service are subject to background checks and are not hired if they have criminal convictions recorded. | All Sensei staff involved in the development, operation and management of the service have valid Australian Federal Police checks. Pursuant to local laws, regulations, ethics and contractual constraints, Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history. Third-party contractors are subject to the hiring practices of their organizations, and contractor agencies must adhere to equivalent standards exercised by Microsoft. |
E22 | Demonstrate that customer data is returned when personnel leave the organisation or there is a significant change of job function. Demonstrate that processes ensure that further access to customer data is prevented. | As part of the off-boarding process, a departing Sensei employee's account is blocked from login and their mailbox is placed in an on-hold archive. Any relevant temporary Reporting Hub credentials are revoked. This prevents customer data from being accessed after employment ends. |
IAM Identity & Access Management
Control | Requirement | Vendor Response |
---|---|---|
E23 | Provide your policies and procedures in respect of the identity and access management of personnel involved in the development, operations and management of the solution. Demonstrate that role separation/segregation of duties is employed. | Sensei shares Microsoft's "need-to-know" and "least-privilege" approach to the implementation of information security policy. Within Sensei, segregation of duties in the release path is enforced by the approval gate described in E10: developers check in code against logged work items, but only one of the two nominated product owners can approve a production release. Microsoft Azure has adopted applicable corporate and organizational security policies, including an Information Security Policy. The policies have been approved, published and communicated across Azure teams. The Information Security Policy requires that access to Microsoft Azure assets be granted based on business justification, with the asset owner's authorization, and limited according to "need-to-know" and "least-privilege" principles. In addition, the policy addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. |
E24 | Provide details of authentication mechanisms used for privileged and/or administrative/operator accounts within the solution. Describe authentication methods for both remote access over the internet vs access within the organisations management environment. | Administration of the Reporting Hub by Sensei administrators is performed after successful Azure AD authentication, and all administrator-level users have multi-factor authentication enabled. Within Microsoft, password policies for corporate domain accounts are managed through Microsoft corporate Active Directory policy, which specifies minimum requirements for password length, complexity and expiry. Temporary passwords are communicated to users using Microsoft's established processes. Azure services and infrastructure must at a minimum meet Microsoft corporate requirements, and an internal organization may increase the strength beyond this standard at its own discretion to meet its security needs. |
E25 | Demonstrate that all access is logged securely (to prevent unauthorised disclosure and modification) and that access logs are actively monitored to detect intrusion, suspicious behaviour or other anomalies. | Sensei enables access logging through both the Application Insights Azure service and the SQL Audit logging feature of SQL Azure. Audit logs for your service can be provided for the preceding 31 days on request; longer retention can be arranged on request. Access to logs and monitoring systems is restricted to authorized staff with a business need. Microsoft Azure platform components (including OS, Virtual Network, Fabric, etc.) are configured to log and collect security events. |
E26 | Demonstrate that timely account provisioning, de-provisioning and authorisation of operator, administrator and service accounts occurs in response to change in status, business relationship, role or function of the account holder. | Sensei uses an on-boarding/off-boarding process that is largely automated to ensure that the appropriate access is granted and revoked at the appropriate times. Microsoft Azure uses Active Directory (AD) to manage user accounts. Security group membership must be approved by the designated security group owners within Microsoft Azure. Automated procedures are in place to disable AD accounts upon the user's leave date. Domain-level user accounts are disabled after 90 days of inactivity. |
E27 | Demonstrate that your solution has the capability to integrate with SAML based identity provider (currently ADFS) for user authentication. Provide details of the standards, protocols, configuration parameters and/or integration requirements for your solution. | The Sensei Reporting Hub uses Azure AD for authentication. Azure AD provides an abstraction layer over SAML-compliant federation providers such as ADFS: where the customer's Azure AD tenant is federated with ADFS, Reporting Hub sign-ins use that federation transparently, and no ADFS-specific configuration is required in the Reporting Hub itself. |
IVS Infrastructure & Virtualization Security
Control | Requirement | Vendor Response |
---|---|---|
E28 | Provide independent audit reports of the security and availability of the IaaS, or PaaS environment(s) for the solution (where permitted), or otherwise demonstrate that the environments are subject to relevant security certifications. | While Sensei does not conduct its own audit of services in Microsoft Azure, Microsoft provides a comprehensive list of third-party audits performed on a regular basis, including SOC 1 Type 2 reports and ISO/IEC 27001 and ISO/IEC 27018 audit reports: https://www.microsoft.com/en-us/trustcenter/guidance/risk-assessment |
E29 | Provide details of your service management channels including protocols, encryption layers and authentication mechanisms used. Describe how access is managed and restricted to authorised personnel only. | Administrative activities are logged as tickets and distributed to nominated service administrators, who action them via the Microsoft Azure Portal website. The portal is secured in transit with TLS and authenticated by Azure AD; administrator accounts have multi-factor authentication enabled (see E24). |
E30 | Describe how your design, controls and configurations used to secure networks (virtual/physical/wireless), internet gateways, platform components & servers (including VM's) prevent unauthorised access and use. | The Sensei Reporting Hub uses the provider-hosted SharePoint add-in model. The add-in is registered as a service principal in the customer's Azure AD, with a Client ID and a cryptographic secret. The Azure web application authenticates with SharePoint and acquires an App+User OAuth token via the low-trust authorization model, and the user identity is verified as belonging to the Project Online instance (https://msdn.microsoft.com/EN-US/library/office/fp142382.aspx#OAuth_ProcessFlowSteps). The client secret is the credential that proves the add-in's identity to SharePoint and is held according to the secret-storage practice described in E16. For all other infrastructure concerns, Sensei defers to the Microsoft-managed Azure infrastructure services. |
E31 | Describe how non-production infrastructure is separated from production infrastructure using industry standard methods. | Sensei follows the industry practice of Continuous Integration (CI), deploying changes first to the "Latest" environment where testing and validation occur. Once successful, the same binary files are deployed to staging and then to production through automated release management orchestrated by Visual Studio Online build and release scripts. This gives us assurance that the binary files we tested are the same ones running in production. It also means that, in the unlikely event a regression is discovered in production, we can "swap the slots" to switch production and staging, returning to the previous version without any interruption in service. |
E32 | Describe how each customer's data is separated and not accessible by other customers or users unless explicitly authorised. | In the Sensei Reporting Hub, each customer is allocated a completely separate SQL Azure database. The database is operated in contained mode (https://msdn.microsoft.com/en-us/library/ff929188.aspx), which makes it independent from both a security and a data point of view: users are authenticated by the database itself rather than by server-level logins, so a credential issued for one customer's database grants nothing on another, and no details that affect the database's operation are stored outside it. |
E33 | Demonstrate how service access logs and VM images and other service and software components and configuration data are protected from unauthorised modification. | Other than administrative accounts, no users are permitted to log into infrastructure components. No customer data is stored in any location other than the nominated SQL Azure database. This allows us to tear down and re-create the infrastructure pieces on a regular basis as is best practice. In the future we plan to implement an automation of the tear-down and recreation procedure so that no infrastructure piece is older than 90 days. |
E34 | Provide log extracts, reports or other means demonstrating that intrusion prevention/detection systems are implemented for network and system activity both within the hosted solution and the environments used to manage it. | Machines used to manage the system run Windows 10 with Windows Defender and are subject to Intune/MDM policy. For the infrastructure, Microsoft is responsible for providing the protection. For SQL Azure data storage, SQL Audit logging and Threat Detection are enabled, covering SQL injection and logins from unusual locations. Logs for your database can be produced via a helpdesk request. |
E35 | Demonstrate that network access, infrastructure and virtualisation security events are logged securely and actively monitored. Provide details of the design, integrity and confidentiality controls, monitoring regime, dashboards and a sample of log events. | Microsoft Azure platform components (including OS, Virtual Network, Fabric, etc.) are configured to log and collect security events. We have SQL Azure Audit logging enabled and can provide you with the logs for your own database for the preceding 31 days. Longer log retention periods can be arranged on request. |
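
The low-trust flow in E30 hinges on one step a reviewer should verify: the add-in must validate the context token it receives from SharePoint before trusting the user identity inside it. The following is an added illustration, not Sensei's or Microsoft's code. It assumes the documented token shape: an HS256 JWT signed with the add-in's client secret (base64-decoded to obtain the key bytes), an audience of clientId/hostname@realm, and an issuer of the ACS principal 00000001-0000-0000-c000-000000000000@realm. All identifiers and the secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Added illustration (not Sensei's or Microsoft's code) of validating the SharePoint
# context token a provider-hosted add-in receives under the low-trust model.
# Assumptions: HS256 JWT signed with the add-in's client secret (key bytes = the
# base64-decoded secret), aud = "clientId/host@realm", iss = ACS principal "@realm".
# Every identifier and the key below is a placeholder.

ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims, key):
    """Mint an HS256 JWT. Used here only to build sample tokens; ACS does this in production."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_context_token(token, key, client_id, host, realm, now):
    """Return the claims if the token is authentic and meant for this add-in, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))  # parse claims only after the signature holds
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("aud") != f"{client_id}/{host}@{realm}":
        raise ValueError("audience mismatch")      # token minted for another add-in or host
    if claims.get("iss") != f"{ACS_PRINCIPAL}@{realm}":
        raise ValueError("issuer mismatch")        # token not issued by ACS for this tenant realm
    return claims


# Constructed sample values (placeholders; a real key is the base64-decoded client secret).
KEY = b"sample-client-secret-not-real"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
HOST = "addin.example.net"
REALM = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
NOW = 1_700_000_000


def sample_token(**overrides):
    """A context token as ACS would issue it for this add-in, with optional claim overrides."""
    claims = {"aud": f"{CLIENT_ID}/{HOST}@{REALM}", "iss": f"{ACS_PRINCIPAL}@{REALM}",
              "nbf": NOW - 60, "exp": NOW + 3600, "nameid": "user@example.net"}
    claims.update(overrides)
    return make_token(claims, KEY)


def token_is_valid(token, key=KEY, now=NOW):
    """Boolean wrapper around verify_context_token for the sample add-in identity."""
    try:
        verify_context_token(token, key, CLIENT_ID, HOST, REALM, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("genuine:", token_is_valid(sample_token()))
    print("wrong audience:", token_is_valid(sample_token(aud=f"other/{HOST}@{REALM}")))
    print("forged key:", token_is_valid(make_token({"exp": NOW + 3600}, b"attacker-key")))
```

The audience check is what stops a context token issued for a different add-in (or for the same add-in registered on another hostname) from being replayed against this one, and the issuer check pins the token to the customer's tenant realm rather than to any realm ACS serves.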
IPY Interoperability & Portability
Control | Requirement | Vendor Response |
---|---|---|
E36 | Provide API documentation for all customer accessible service interfaces including network access and security protocols, data descriptions and formats. | Reporting Hub operational functions are accessed via the SharePoint and Project Online add-in model provided by Microsoft. The Reporting Hub also offers data connectivity and migration options, accessed via SQL Azure connections secured by credentials issued through logged helpdesk tickets; these credentials are only valid when used from pre-arranged whitelisted public IP addresses. |
E37 | Provide details of any customer configuration capabilities and data migration environments (if applicable). | The Reporting Hub offers some configuration options via Microsoft Teams for users already authenticated with Azure AD to the target site collection. |
MOS Mobile Security
Control | Requirement | Vendor Response |
---|---|---|
E38 | Where mobile devices (including BYOD) are used in operating or managing the service, provide your mobile device policy and procedures and demonstrate that they are followed. | No Sensei mobile devices are used to operate or manage the service; internally, Sensei uses Microsoft Mobile Device Manager to enforce security and threat-mitigation policies, which are available on request. |
E39 | Where mobile devices are used in operating or managing the solution demonstrate that only approved applications are permitted, data at rest is encrypted, scanning and quarantine of malware, and devices require authentication and re-authentication after inactivity. | No mobile devices are used to operate or manage the service. |
SEF Security Incident Management, E-Discovery & Cloud Forensics
Control | Requirement | Vendor Response |
---|---|---|
E40 | Provide your policies and procedures in respect of information security incident response and demonstrate that they are followed. Include a sample of recent incidents/events and test reports. | While Sensei relies on Microsoft for the provision of the infrastructure and application level services, there is a shared model for incident response. Where applicable we follow the principles laid out in the Microsoft Azure Security Response Plan. There have been no reportable security incidents to date. Download the incident response plan here (https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678) |
E41 | Provide your forensic procedure (including controls in respect of chain of custody) for the presentation of evidence to support potential legal action after an information security incident. | In the event that a follow-up action concerning a person or organization after an information security incident requires legal action, Microsoft would be informed and proper forensic procedures, including chain of custody, shall be required for the preservation and presentation of evidence to support potential legal action, subject to the relevant jurisdiction. Upon notification, impacted customers (tenants) and/or other external business relationships of a security breach shall be given the opportunity to participate, as is legally permissible, in the forensic investigation. Security incident response plans and collection of evidence adhere to ISO 27001 standards. MCIO has established processes for evidence collection and preservation for troubleshooting an incident and analyzing the root cause. In case a security incident involves legal action such as a subpoena, the guidelines described in the TSG are followed. |
E42 | Provide details of your SIEM integration capability including supported protocols and formats. | With respect to security information and event management, the Reporting Hub data is available via SQL over a secure SQL Azure connection from whitelisted locations. This includes read-only access to security events and operational logging. |
STA Supply Chain Management, Transparency and Accountability
Control | Requirement | Vendor Response |
---|---|---|
E43 | Provide any relevant policies and procedures in respect of supply chain management and demonstrate that they are followed. | Sensei's supply chain consists wholly of Microsoft Azure components and services. With respect to Microsoft, third party vendors are required to comply with Microsoft security policies and are audited. The Hardware Supply Management (HSM) group works with the MCIO business groups to protect against supply chain threats throughout the supply chain lifecycle. HSM supports MCIO in creating purchase orders, accelerating deliveries, performing quality checks, processing warranty claims and obtaining spares. |
E44 | List any relevant security and availability audit reports of your hosting and service providers which have been reviewed over the past 2 years and where permitted provide those reports or otherwise demonstrate that appropriate security certifications exist. | See the Security Testing section, as well as Microsoft's comprehensive list of 3rd party audits performed on a regular basis including SOC 1 Type 2 reports and ISO/IEC 27001 and ISO/IEC 27018 audit reports. https://www.microsoft.com/en-us/trustcenter/guidance/risk-assessment |
E45 | Provide a sample of any security incident reports and advisories from third party service providers as relevant to the solution over the past 2 years and any associated reports and/or guidance that you have issued to your customers as a result. | No relevant security incidents have taken place to date. |
E46 | Provide details of any risks that have been identified in respect of third parties hosting the solution that have been identified through review of audit reports, security incident reports, security advisories or otherwise. | No relevant examples are available. |
E47 | Demonstrate that claimed availability, security, capacity and performance SLAs are achievable through the SLAs of your supply chain. | The achievable SLA for Sensei Reporting Hub depends on the SLAs of the component parts: Web App http://azure.microsoft.com/en-us/support/legal/sla/app-service/v1_0/ 99.95%, SQL Database http://azure.microsoft.com/en-us/support/legal/sla/sql-database/v1_0/ 99.99%, Azure Storage http://azure.microsoft.com/en-us/support/legal/sla/storage/v1_0/ 99.9%. While Sensei makes no claims to provide such an SLA, the theoretical achievable SLA would be the result of the serial failure of all components within their SLAs, which would result in 1104 minutes of downtime or 99.79% uptime. |
TVM Threat and Vulnerability Management
Control | Requirement | Vendor Response |
---|---|---|
E48 | Demonstrate that execution of unauthorized software, including malicious and mobile code (i.e. "malware"), is prevented and detected within the solution and any environments used to manage the solution. | Sensei uses the latest version of Windows 10 with the Microsoft Intune and Windows Defender anti-malware service active on all corporate PCs. This is supplemented by the safe computing initiative via the Sensei SYNK process. When providing the Antimalware solution for Virtual Machines, Azure is responsible for ensuring that the service is highly available, that definitions are updated regularly, that configuration through the Azure Management Portal is effective, and that the software detects and protects against known types of malicious software. MCIO-managed hosts in the scope boundary are scanned to validate that anti-virus clients are installed and current signature-definition files exist. |
E49 | Provide evidence (technologies used, logs or screenshots) that uploaded content (e.g. images, files and attachments) is scanned and malicious content is rejected or appropriately quarantined. | From a Sensei point of view, executable content cannot be uploaded to the PaaS environment, and from an Azure perspective, MCIO-managed hosts in the scope boundary are scanned to validate that anti-virus clients are installed and current signature-definition files exist. |
E50 | Provide a sample of security advisories that have been considered and which have resulted in configuration changes, software changes, or recorded as not applicable. Provide evidence of the time and date of production changes and the respective CVE. | No relevant examples exist. |
E51 | Provide the most recent two ICT penetration test reports and a sample of the risks that were identified and remediated as a result of those reports. Provide evidence that identified risks were remediated. | See the Security Testing section for a summary of the most recent results, and the complete report is available on request. |
E52 | Provide the most recent two vulnerability scans, and a sample of the risks that were identified and remediated as a result of those scans. Provide evidence that identified risks were remediated. | See the Security Testing section for a summary of the most recent results, and the complete report is available on request. |