
Q&A: Security Compliance - Risk Assessment FAQ


Question

  • Risk Assessment questions related to F5 Silverline Security Compliance 
    • Does F5 Silverline periodically perform vulnerability scanning and manage vulnerabilities according to a standard procedure?
    • Does F5 Silverline have a security baseline standard for their system and monitor for non-compliance?
    • Does the F5 Silverline WAF portal have password complexity?
    • Is admin access to the servers hosting the F5 Silverline WAF service available only through the internal network?
    • Internet-facing servers should be deployed at the DMZ. Does F5 Silverline comply with that design principle?
    • Does F5 Silverline patch their endpoint devices according to a standard procedure?
    • Does F5 Silverline have any escalation/incident response procedure in place?
    • Does F5 Silverline comply with ISO 27001 Standard?
    • Does F5 Silverline store information such as session ID, password and app-specific sensitive data?
    • What is F5 Silverline's Policy on Data storage and Retention?


Environment

  • Silverline DDoS
  • Silverline WAF
  • Security Compliance - Risk Assessment


Answer

Does F5 Silverline perform periodic vulnerability scanning and manage vulnerabilities according to a standard procedure?

  • Yes, stated in our SOC 2 report:
    • Production systems are scanned quarterly for vulnerabilities
    • Findings identified by the production system scan are evaluated and remediated as necessary
    • Both external and internal scans are performed quarterly

Does F5 Silverline have a security baseline standard for their systems and monitor for non-compliance?

  • Yes, stated in our SOC 2 report:
    • A configuration management tool is used to configure systems consistently and to manage anomalies in production system configurations

Does the F5 Silverline WAF portal have/utilize password complexity?

  • In Edit Customer Info, each customer account has options that can be enabled to enforce password complexity:
    • Minimum Password Length (default 8 minimum characters required)
    • Must be of mixed case
    • Must contain a special character
    • Password cannot contain the email
    • Must contain at least two numeric digits
    • Force change at next login if existing password too weak
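
The rules listed above, written out as a policy check (an added example, not Silverline's own portal code). The default minimum length of 8 comes from the list; the "any non-alphanumeric counts as special" definition, the case-insensitive email comparison and the rejection of the bare email local part are assumptions made here.

```python
import re

MIN_LENGTH = 8    # documented default for "Minimum Password Length"
MIN_DIGITS = 2    # "at least two numeric digits"
# Assumption: any non-alphanumeric character counts as a special character.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def check_password_policy(password: str, email: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        violations.append("not mixed case")
    if SPECIAL_RE.search(password) is None:
        violations.append("no special character")
    # Compare case-insensitively so "Alice@Example.com" is still caught, and
    # also reject the bare local part (assumption: the stricter reading of the rule).
    lowered = password.lower()
    local_part = email.lower().split("@", 1)[0]
    if email.lower() in lowered or (len(local_part) >= 3 and local_part in lowered):
        violations.append("contains the account email")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digits")
    return violations


def must_change_at_next_login(existing_password: str, email: str) -> bool:
    """Model the 'force change at next login if existing password too weak' option."""
    return bool(check_password_policy(existing_password, email))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Tr0ub4dor&x", "password", "Alice@Example.com1!"):
        print(pw, "->", check_password_policy(pw, "alice@example.com") or "OK")
```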

Is admin access to the servers hosting the F5 Silverline WAF service available only through the internal network?

  • Yes, only F5 Silverline employees are allowed to access the internal network

Internet-facing servers should be deployed in the DMZ. Does F5 Silverline comply with that design principle?

  • F5 Silverline complies with this design principle for our production environment

Does F5 Silverline patch their endpoint devices according to a standard procedure?

  • Yes, please review our Security Patch Prioritization and Security Patch Management Policy (see the attached files below)

Does F5 Silverline have any escalation/incident response procedure in place?

  • F5 Silverline has an incident response policy in place that includes:
    • Escalation
    • Containment
    • Recovery & Remediation
    • Notification
    • Follow-up / action plans for incidents are monitored and tracked

Does F5 Silverline comply with ISO 27001 Standard?

  • No, F5 Silverline does not hold ISO 27001 certification

Does F5 Silverline store information such as session ID, password and app-specific sensitive data?

  • Silverline captures only request headers, not the request payload, unless the payload content violates a security policy; in that case the payload is captured from the buffer and used for tuning-specific activities

What is F5 Silverline's Policy on Data storage and Retention?
