Do you have Encryption of data at rest and data in motion?
ZingHR has both processes that it runs at the same time. We are fully compliant. .ZingHR uses AES 256, SHA 256, FPE protocols for encryption. These are globally validated.
Can customer demand security logs? And for what period? And how often?
Security Logs for LOGIN details is available on Reports Gallery for every customer after choosing from the filter, ON DEMAND. There is no frequency limit or size limit to requests by the customer on the platform. In addition, Customer can go to the Audit Trail Screen on the standard left side menu to get all Configuration related AUDIT Logs - for the entire period. This has been enabled for a 3-month period as standard. Beyond 3 months, the customer will have to download and keep it in their local records folder. Where the customer would ideally like the feature of being able to get audit logs of any/all or filtered activity on any module screen by specific role holders through the admin console for a defined period of time - that feature is currently not available on the front end of the ZingHR platform - web and mobile. Critical screens logs are available and captured backend; however not all. It will come as a feature in due course of time based on customer needs sets.
Does ZingHR have a QUE mechanism to transmit server-side encrypted data?
ZingHR does not use any QUE data lake mechanisms currently. Data encrypted is pushed to the appropriate addresses in the real time.
Are Security Certifications SOC 2 / VAPT etc. certified by approvedagencies?
Yes, it is an annual process of constant re-certifications by ZingHR product organization. Customers choosing to have additional processes do so, at separate commercials with ZingHR as these are customer processes to be taken in both for web and mobile applications.
How the application is patched for security issue?
ZingHR have deployed Barracuda WAF (Web Application Firewall) which detects and prevent attacks and vulnerabilities proactively. Barracuda WAF is a comprehensive web application security platform that secures apps, defends against bots and DDoS attacks, and accelerates application delivery. It provides granular logging, alerting, and reporting for management, compliance, or early warning detection. It is part of a comprehensive line of data protection, network firewall, and security products assisting us in robust protection from ever-increasing cyber threats.
TLS 1.2 protocol is used in ZingHR application model, and ZingHR has defined and build high level architecture with best security practices. ZingHR conduct third party audits and VAPT and follows the best standards.
How frequent application required patching?
ZingHR Product is Global SaaS product on Microsoft Azure Cloud
Patches are applied on UAT server and are reviewed and only after review, patches are then applied on Production servers.
The Operating System Patch Management process is conducted once in a month to address the vulnerabilities identified.
Who is managing the Security Incidents for ZingHR?
ZingHR has designated Security analyst for managing all the security incidents.
How does ZingHR defines Application Security control? What is the Password policy? Is account lockout policy available give the details? Password policy? Account lockout policy?
ZingHR runs the CAPTCHA process to prevent the attacks at the frontend level. There are multiple other processes running at the backend which checks the profiles of logins frequency to arrive at appropriate triggers.
The password policy includes (Minimum 8 digit and maximum 15 digits, Including One Special Character, One Numeric Only and One upper Letter) In complex enterprise implementations, dynamic App only based notification OTPs can be implemented at separate commercials.
Yes, available. If a user tries 5 times the wrong password and/or 90 days of no activity, then the system will lock the user password. Customer authorized HR Admins can only reset the password afterwards. Please reach out to your Sales contact for further information and requirements.
Does ZingHR share security incident with their clients?
ZingHR team communicates through the medium agreed between customer and ZingHR in contract, and notifies impacted customers about security incident. Also, on request security incident summary report with mitigation plan can be shared with customers.
How does ZingHR handles security incidents?
The Incident Management process is structured to manage Incidents reported automatically by an event management tool, by users or service desk technicians via a self-service portal, over the telephone, email or in person. Incidents are identified at a very early stage through automated event monitoring using Alien Vault SIEM, even before it impacts a user. However, sometimes Incidents are identified by the impacted user reporting it to the service desk.
Does ZingHR do External Audit for Infra, Mobile and Web?
Infra, Web and Mobile VAPT is annually done by external Security partner "SumaSoft". Report can be shared on request.
Does ZingHR perform Secure code analysis?
During the SDLC process, ZingHR follows secure coding practices. ZingHR web application is secured with OWASP's latest top 10 security vulnerabilities for coding. Source code security analysis is done in house by the Teams, also using code analytic tools called Burp Suite. In house reports are not shared with the customer ecosystem under any circumstances. Where the customer wants the same, it requests for third Party private Source Code Security Analysis assessment at their own costs. Where customers are desirous of getting SCSA done by a ZingHR approved third Party Provider, they get in touch with their ZingHR Sales contact to get further information of commercials that will have to be approved by the customer along with timelines of the SCSA delivery.
What Ciphers and Cryptography technique ZingHR uses for securing information?
The servers are SSL certified with AES 256-bit encryption which ensures the security of every transaction, ZingHR uses a SHA2 hashing algorithm to encrypt the user passwords and encrypted data is stored in the database.
ZingHR is hosted on Microsoft Azure Cloud Data Center (Central India), and all access is restricted as per Microsoft Policies. Data is secured in transit between an application and Azure by using HTTPs. Azure Storage Services Encryption for data at rest helps to protect the data. With this feature, the Azure Storage platform automatically encrypts the data before persisting and decrypts the data before retrieval. All data written to the Azure storage platform is encrypted through 256-bit AES Encryption.
How does ZingHR protects data from DDos attack?
ZingHR has deployed, Barracuda WAF (Web Application Firewall) which detects and prevents attacks and vulnerabilities proactively. Barracuda WAF is a comprehensive web application security platform that secures apps, defends against bots and DDoS attacks, and accelerates application delivery. It provides granular logging, alerting, and reporting for management, compliance, or early warning detection. It is part of a comprehensive line of data protection, network firewall, and security products assisting us in robust protection from ever-increasing cyber threats.
How is End Point Security done on ZingHR Network?
ZingHR Servers are created in a ZingHR Virtual network and each virtual network is isolated from all other virtual networks. Network security group as security rules are set by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. ZingHR has deployed Barracuda WAF (Web Application Firewall) which detects and prevent attacks and vulnerabilities proactively. Barracuda WAF is a comprehensive web application security platform that secures apps, defends against bots and DDoS attacks, and accelerates application delivery.
Does ZingHR has SOC team 24*7?
Yes, user level authentication (contain success, failure, privilege) is logged in SIEM tools. ZingHR Infra is managed by internal ZingHR IT team, the control has been set to ensure that the users are performing only activities that have been explicitly authorized. ZingHR IT team maintain logs of changes and activities performed in the environment, these logs are also maintained for review by the Security team.
Does ZingHR do Application Logging?
ZingHR is a highly secured and API driven application framework. As it's not an open framework, the integration for Application Logs is not made available unless there is confirmation by the ZingHR Product Technology Teams. ZingHR uses Microsoft Azure Environment for the Attendance Integration process. ZingHR does the integration with the Biometric databases where raw attendance is stored in the Client Biometric Database. Detail Document is available on the support portal. ZingHR uses Mandrill for Email Integration for verified domains.
How ZingHR process the Cookies?
We have implemented Client side and server-side validation both. So, no impact on product and security with clear text cookies and session. Sensitive information we are storing in ENCRYPTED format only in cookies and session. Encryption of PII information is in WIP. For cookies we have all the cookies are secure with expiry time and path identifier.
How does ZingHR is taken care of zero day, spyware, viruses and ransomware attacks?
Advance Malware protection on Server (Includes Zero day vulnerability protection, Spyware, Viruses, Worms, Trojans, Ransomware etc.)
Antimalware solution are embedded into the Azure Portal and deployed on the Virtual Machines using the Extension technology. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alert when known malicious or unwanted software attempts to install itself or run on your system. Microsoft Antimalware solution is enabled while
creating a VM from Azure Portal. Virus and Spyware definitions are up to date.
Review of the AV updates is done on Weekly basis.