
Security Compliance - Risk Assessment FAQ

 

Question

  • Risk Assessment questions related to F5 Silverline Security Compliance 
    • Does F5 Silverline process Personal Data?
    • What certifications does F5 Silverline hold?
    • Can I get a copy of F5 Silverline certifications?
    • Does F5 Silverline periodically perform vulnerability scanning and manage vulnerabilities according to a standard procedure?
    • Can I get a report with the most recent vulnerabilities discovered by F5 Silverline and mitigation plans?
    • Does F5 Silverline have a security baseline standard for their systems and monitor for non-compliance?
    • Does F5 Silverline have a Business Continuity Plan?
    • Does F5 Silverline perform Disaster Recovery testing?
    • Does the F5 Silverline WAF portal have password complexity?
    • Is admin access to the servers hosting the F5 Silverline WAF service available only through the internal network?
    • Internet-facing servers should be deployed in the DMZ. Does F5 Silverline comply with that design principle?
    • Does F5 Silverline patch their endpoint devices according to a standard procedure?
    • Does F5 Silverline have an escalation/incident response procedure in place?
    • Does F5 Silverline store information such as session IDs, passwords and app-specific sensitive data?
    • What is F5 Silverline's policy on data storage and retention?
    • Other Resources for Customers

 

Environment

  • Silverline DDoS
  • Silverline WAF
  • Security Compliance - Risk Assessment

 

Answer

Does F5 Silverline process Personal Data?

No. Refer to the Silverline Privacy Notice.

 

What certifications does F5 Silverline hold?

SOC 2 Type II, PCI-DSS and HIPAA. All certifications are renewed annually.

 

Can I get a copy of F5 Silverline certifications?

Yes, you can get a copy of the SOC 2 Type II report and the PCI-DSS AoC report. Contact your Account Manager or the SOC to request a copy.

 

Does F5 Silverline perform periodic vulnerability scanning and manage vulnerabilities according to a standard procedure?

Yes, stated in our SOC 2 report:

  • Production systems are scanned quarterly for vulnerabilities
  • Findings identified by the production system scan are evaluated and remediated as necessary
  • Both external and internal scans are performed quarterly

 

Can I get a report with the most recent vulnerabilities discovered by F5 Silverline and mitigation plans?

Customers can consult the F5 Vulnerability Policy here. Similarly, F5 releases Quarterly Security Notifications to disclose security vulnerabilities and security exposures in F5 products in advance of the public disclosure date, so that customers can schedule the necessary updates.

 

Does F5 Silverline have a security baseline standard for their systems and monitor for non-compliance?

Yes, stated in our SOC 2 report:

  • A configuration management tool is used to configure systems consistently and to manage anomalies in production system configurations

 

Does F5 Silverline have a Business Continuity Policy? Can I get a copy of it?

Yes, the BCP is reviewed and tested annually. However, policies are internal and their content cannot be shared externally; only the table of contents can be provided.

 

Does F5 Silverline perform Disaster Recovery testing? Can I get a copy of it?

Yes, DR testing is performed annually. Contact your Account Manager or the SOC to obtain a copy.

 

Does the F5 Silverline WAF portal have/utilize password complexity?

In Edit Customer Info, each customer account can enable the following options to enforce password complexity:

  • Minimum Password Length (default: 8 characters)
  • Must be of mixed case
  • Must contain a special character
  • Password cannot contain the email address
  • Must contain at least two digits
  • Force change at next login if the existing password is too weak
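To make the rule set above concrete, here is an added checker that models the portal options as individually enabled toggles and flags an existing password for a forced change when it fails the enabled rules. This is illustrative code written for this article, not Silverline's own implementation; the PasswordPolicy fields, the rule names it returns and the case-insensitive email comparison are assumptions.

```python
"""Password-complexity check modelled on the F5 Silverline WAF portal options.

Added illustration only: the portal's real implementation is not public, so the
PasswordPolicy fields, the rule names and the case-insensitive email comparison
are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Each field mirrors one option in Edit Customer Info (toggles assumed)."""
    min_length: int = 8          # "Minimum Password Length" (default 8)
    mixed_case: bool = True      # "Must be of mixed case"
    special_char: bool = True    # "Must contain a special character"
    no_email: bool = True        # "Password cannot contain the email"
    two_digits: bool = True      # "Must contain at least two digits"


def check_password(password: str, email: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of the enabled rules the password fails (empty = compliant)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("min_length")
    if policy.mixed_case and not (re.search(r"[a-z]", password)
                                  and re.search(r"[A-Z]", password)):
        failures.append("mixed_case")
    # Anything outside letters and digits counts as a special character.
    if policy.special_char and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("special_char")
    # Assumption: the email match is case-insensitive, since mailbox addresses
    # are treated case-insensitively in practice.
    if policy.no_email and email and email.lower() in password.lower():
        failures.append("no_email")
    if policy.two_digits and len(re.findall(r"\d", password)) < 2:
        failures.append("two_digits")
    return failures


def force_change_at_next_login(current_password: str, email: str,
                               policy: PasswordPolicy) -> bool:
    """Model of "Force change at next login if existing password too weak":
    a stored password that fails the currently enabled rules is flagged."""
    return bool(check_password(current_password, email, policy))


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    policy = PasswordPolicy()
    print(check_password("alice@example.comA1", "alice@example.com", policy))
    print(force_change_at_next_login("password", "alice@example.com", policy))
```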

 

Is admin access to the servers hosting the F5 Silverline WAF service available only through the internal network?

Yes, only F5 Silverline employees are allowed to access the internal network.

 

Internet-facing servers should be deployed in the DMZ. Does F5 Silverline comply with that design principle?

F5 Silverline complies with this design principle for our production environment.

 

Does F5 Silverline patch their endpoint devices according to a standard procedure?

Yes. F5 maintains a robust vulnerability and patch management program that is supported by policy and other relevant procedure documents. F5 employs various tools and services to regularly scan our networks (internally and externally), code bases and repositories, applications, and other dependencies to discover vulnerabilities. These vulnerabilities are then triaged and remediated by the relevant owners within the defined SLA. The SLA is defined in our policy and supporting documents and is driven by several factors including, but not limited to, industry guidelines and best practices, criticality/severity, and our environmental factors.

 

Does F5 Silverline have an escalation/incident response procedure in place?

F5 Silverline has an incident response policy in place that includes:

  • Escalation
  • Containment
  • Recovery & Remediation
  • Notification
  • Follow-up / action plans for incidents are monitored and tracked

 

Does F5 Silverline store information such as session IDs, passwords and app-specific sensitive data?

Silverline captures only request headers, not request-specific payloads. If a payload's content violates the security policy, that payload is captured from the buffer and used for policy-tuning activities.

 

What is F5 Silverline's policy on data storage and retention?

Please see F5 Silverline Data Retention Policies & Data Storage for more information.

 

Other Resources for Customers

 
