Security due diligence for Toad Data Point

Hi Team,
As part of our standard due diligence when introducing new software to our organization, we need answers to some general questions around Toad Data Point security controls.

How can I contact the team regarding this? I have a set of questions that need to be clarified with the team.

Welcome to the ToadWorld TDP forum!

Just messaged you with the contact info for our Product Manager, who will be able to help you with your questions. FYI

Hi Gary,

Could you please help me with where I can refer to for answers to the below questions related to the product.

It would be great to get support from your team as well.

| Sl. No | Queries | Response |
|---|---|---|
| 1 | Provide a brief description of the 3rd party solution and how it integrates with the existing environment (if applicable). | |
| 2 | What type of our data will be stored/processed/accessed by the 3rd party solution? Please provide specific fields/details if the data includes PII, PCI, proprietary, or other confidential/sensitive information. | |
| 3 | What platform and programming language were used to develop the application? | |
| | a. How do you assess the application and underlying technology for security vulnerabilities? | |
| | b. What is the application patch management/release methodology, especially for security fixes? | |
| 4 | Do you support SSO? What are the supported authentication protocols and technologies? | |
| 5 | Does the solution provide role-based access permissions to users? | |
| | a. Would it be possible to customize the roles according to our business needs? | |
| 6 | How do you achieve security of data at rest? | |
| | a. What is the encryption algorithm/key strength? | |
| | b. How are the encryption keys managed? | |
| 7 | How is the security of data in transit achieved? | |
| | a. What are the minimum requirements for supported browsers? | |
| 8 | How are tenants and customer data segregated from other tenants/customers (if the solution is offered in a multi-tenant model)? | |
| 9 | How can we ensure that solution administrators or system administrators do not access the underlying customer information? | |
| 10 | Can we enable digital rights management to enforce what users can do with documents when they download them (if document management is applicable)? | |
| 11 | Do you maintain detailed audit logs of user and admin activities? | |
| | a. How long are the logs stored, and can they be provided to customers if required? | |
| | b. Would it be possible to integrate/forward these logs to the customer's log monitoring infrastructure? | |
| | c. Is it possible for system administrators or power users to remove audit log entries? | |
| 12 | Explain the solution's DR capability. | |
| 13 | Explain secure backup and archival options. | |
| 14 | Applicable only when the document management feature is available: | |
| | a. Ability to integrate with an anti-malware solution to scan documents for malicious content before storing them. Please provide the names of the security solutions used for such scans. | |
| | b. Are there any other restrictions on files/documents that are stored within the solution? | |
| 15 | Device/location-based access control options: | |
| | a. Can we restrict access to the application from a specific customer public IP gateway? | |
| | b. Do you perform user behaviour analysis to identify malicious activity? | |
| 16 | Please provide details on how security monitoring is performed for the solution. | |
| 17 | How often do you perform penetration testing exercises? | |
| 18 | What is your security incident management process? Please provide the timelines for breach notification to customers. | |

Hi Gary,

We are considering purchasing Toad Data Point services for our organization, but have some questions about the security policy. Any information would be greatly appreciated. I have attached the questionnaire for reference.

Thanks,
Thirumurugan R

(Attachment Security_Questionnaire.docx is missing)

I noticed the attached document was rejected due to technical issues, so I have listed the questions below:

| Sl. No | Queries | Response |
|---|---|---|
| 1 | Provide a brief description of the 3rd party solution and how it integrates with the existing environment (if applicable). | |
| 2 | What type of our data will be stored/processed/accessed by the 3rd party solution? Please provide specific fields/details if the data includes PII, PCI, proprietary, or other confidential/sensitive information. | |
| 3 | What platform and programming language were used to develop the application? | |
| | a. How do you assess the application and underlying technology for security vulnerabilities? | |
| | b. What is the application patch management/release methodology, especially for security fixes? | |
| 4 | Do you support SSO? What are the supported authentication protocols and technologies? | |
| 5 | Does the solution provide role-based access permissions to users? | |
| | a. Would it be possible to customize the roles according to our business needs? | |
| 6 | How do you achieve security of data at rest? | |
| | a. What is the encryption algorithm/key strength? | |
| | b. How are the encryption keys managed? | |
| 7 | How is the security of data in transit achieved? | |
| | a. What are the minimum requirements for supported browsers? | |
| 8 | How are tenants and customer data segregated from other tenants/customers (if the solution is offered in a multi-tenant model)? | |
| 9 | How can we ensure that solution administrators or system administrators do not access the underlying customer information? | |
| 10 | Can we enable digital rights management to enforce what users can do with documents when they download them (if document management is applicable)? | |
| 11 | Do you maintain detailed audit logs of user and admin activities? | |
| | a. How long are the logs stored, and can they be provided to customers if required? | |
| | b. Would it be possible to integrate/forward these logs to the customer's log monitoring infrastructure? | |
| | c. Is it possible for system administrators or power users to remove audit log entries? | |
| 12 | Explain the solution's DR capability. | |
| 13 | Explain secure backup and archival options. | |
| 14 | Applicable only when the document management feature is available: | |
| | a. Ability to integrate with an anti-malware solution to scan documents for malicious content before storing them. Please provide the names of the security solutions used for such scans. | |
| | b. Are there any other restrictions on files/documents that are stored within the solution? | |
| 15 | Device/location-based access control options: | |
| | a. Can we restrict access to the application from a specific customer public IP gateway? | |
| | b. Do you perform user behaviour analysis to identify malicious activity? | |
| 16 | Please provide details on how security monitoring is performed for the solution. | |
| 17 | How often do you perform penetration testing exercises? | |
| 18 | What is your security incident management process? Please provide the timelines for breach notification to customers. | |