Question
- Risk Assessment questions related to F5 Silverline Security Compliance
- Does F5 Silverline process Personal Data?
- Which certifications does F5 Silverline hold?
- Can I get a copy of F5 Silverline Certifications?
- Does F5 Silverline perform periodic vulnerability scanning and manage the vulnerabilities according to a standard procedure?
- Can I get a report with the most recent vulnerabilities discovered by F5 Silverline and mitigation plans?
- Does F5 Silverline have a security baseline standard for their system and monitor for non-compliance?
- Does F5 Silverline have a Business Continuity Plan?
- Does F5 Silverline perform Disaster Recovery testing?
- Does the F5 Silverline WAF portal have password complexity?
- Is admin access to the servers hosting the F5 Silverline WAF service possible only through the internal network?
- Internet-facing servers should be deployed at the DMZ. Does F5 Silverline comply with that design principle?
- Does F5 Silverline patch their endpoint devices according to a standard procedure?
- Does F5 Silverline have any escalation/incident response procedure in place?
- Does F5 Silverline store information such as session ID, password and app-specific sensitive data?
- What is F5 Silverline's Policy on Data storage and Retention?
- What are Silverline's RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
- Other Resources for Customers
Environment
- Silverline DDoS
- Silverline WAF
- Security Compliance - Risk Assessment
Answer
Does F5 Silverline process Personal Data?
No; refer to the Silverline Privacy Notice.
Which certifications does F5 Silverline hold?
SOC 2 Type II, PCI-DSS and HIPAA. All certifications are renewed annually.
Can I get a copy of F5 Silverline Certifications?
Yes, you can get a copy of the SOC 2 Type II report and the PCI-DSS AoC report. Contact your Account Manager or the SOC to request a copy.
Does F5 Silverline perform periodic vulnerability scanning and manage the vulnerabilities according to a standard procedure?
Yes, stated in our SOC 2 report:
- Production systems are scanned quarterly for vulnerabilities
- Findings identified by the production system scan are evaluated and remediated as necessary
- Both external and internal scans are performed quarterly
Can I get a report with the most recent vulnerabilities discovered by F5 Silverline and mitigation plans?
Customers can consult the F5 Vulnerability Policy here. Similarly, F5 releases Quarterly Security Notifications that disclose security vulnerabilities and security exposures in F5 products ahead of the public disclosure date, so that customers can schedule the necessary updates.
Does F5 Silverline have a security baseline standard for their system and monitor for non-compliance?
Yes, stated in our SOC 2 report:
- A configuration management tool is used to configure systems consistently and to manage anomalies in production system configurations
Does F5 Silverline have a Business Continuity Policy? Can I get a copy of it?
Yes, the BCP is reviewed and tested annually. However, policies are internal only and their content cannot be shared externally; only the table of contents can be shared.
Does F5 Silverline perform Disaster Recovery testing? Can I get a copy of it?
Yes, DR testing is performed annually. Contact your Account Manager or the SOC to obtain a copy.
Does the F5 Silverline WAF portal have/utilize password complexity?
In Edit Customer Info, each customer account has options to enforce password complexity:
- Minimum Password Length (default 8 minimum characters required)
- Must be of mixed case
- Must contain a special character
- Password cannot contain the email
- Must contain at least two single-digit numbers
- Force change at next login if existing password too weak
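As an added example (not F5's code), a checker that applies the rules listed above to a candidate password and derives the "force change at next login" decision from them; the default minimum length of 8 comes from the article, while the definitions of "special character" and "two single-digit numbers" and the case-insensitive email comparison are assumptions.

```python
"""Password-complexity check mirroring the rules listed for the Silverline WAF portal.

Added example, not F5 code. Rule names and the minimum-length default (8) come from
the article; how "special character", "two single-digit numbers" and the email
comparison are interpreted are assumptions made here.
"""
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8          # article default: 8 characters minimum
    mixed_case: bool = True      # must contain both lower- and upper-case letters
    special_char: bool = True    # must contain a special character
    no_email: bool = True        # password cannot contain the account email
    two_digits: bool = True      # at least two digit characters (assumed reading)

    def check(self, password: str, email: str = "") -> list[str]:
        """Return the list of violated rules; an empty list means the password passes."""
        failures = []
        if len(password) < self.min_length:
            failures.append(f"shorter than {self.min_length} characters")
        has_lower = any(c.islower() for c in password)
        has_upper = any(c.isupper() for c in password)
        if self.mixed_case and not (has_lower and has_upper):
            failures.append("not mixed case")
        # Assumption: any non-alphanumeric character counts as "special".
        if self.special_char and not re.search(r"[^A-Za-z0-9]", password):
            failures.append("no special character")
        if self.two_digits and len(re.findall(r"\d", password)) < 2:
            failures.append("fewer than two digits")
        # Assumption: comparison is case-insensitive and the local part of the
        # address on its own is also rejected.
        if self.no_email and email:
            lowered = password.lower()
            local = email.lower().split("@")[0]
            if email.lower() in lowered or (local and local in lowered):
                failures.append("contains the account email")
        return failures


def must_change_at_login(policy: PasswordPolicy, current_password: str, email: str = "") -> bool:
    """'Force change at next login if existing password too weak': True when the
    stored password no longer satisfies the currently enabled rules."""
    return bool(policy.check(current_password, email))
```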
Is admin access to the servers hosting the F5 Silverline WAF service possible only through the internal network?
Yes; only F5 Silverline employees are allowed to access the internal network.
Internet-facing servers should be deployed at the DMZ. Does F5 Silverline comply with that design principle?
F5 Silverline complies with this design principle for our production environment.
Does F5 Silverline patch their endpoint devices according to a standard procedure?
Yes. F5 maintains a robust vulnerability and patch management program that is supported by policy and other relevant procedure documents. F5 employs various tools/services to regularly scan our networks (internally and externally), code base or repo, applications, and other dependencies to discover any vulnerabilities. These vulnerabilities are then triaged and remediated by the relevant owners as per the defined SLA. The SLA is defined in our policy and supporting documents and is driven by several factors including but not limited to industry guidelines/best practices, criticality/severity, our environmental factors etc.
Does F5 Silverline have any escalation/incident response procedure in place?
F5 Silverline has an incident response policy in place that includes:
- Escalation
- Containment
- Recovery & Remediation
- Notification
- Follow-up / action plans for incidents are monitored and tracked
Does F5 Silverline store information such as session ID, password and app-specific sensitive data?
Silverline captures only request headers, not the request payload, unless the payload's content violates the security policy; in that case the payload is captured from the buffer and used for policy-tuning activities.
What is F5 Silverline's Policy on Data storage and Retention?
Please see the F5 Silverline Data Retention Policies & Data Storage article for more information.
What are Silverline's RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
This information is included as part of our "F5 Distributed Cloud-Bot Defense-Silverline SOC 2 Type 2 + HIPAA" Report. If you need a copy of the entire document, please create a ticket with the Silverline SOC team and request a copy.
Other Resources for Customers
- F5 Policies
- End User Services Agreement (EUSA)
- EUSA Service-specific Terms
- EUSA Acceptable Use Policy
- EUSA Data Processing Addendum
- EUSA Consolidated Service Level Agreement
- F5 Support SLAs