Here is Part 2 of Findem's security FAQ documentation. For Part 1, click here.
Does Findem support a configurable session timeout?
Yes.
Please explain how the session cookies are managed.
We use ExpressSession to manage the session cookies.
Are there any long-lived cookies being set upon first logon that an end user could leverage to login to the scoped Application/Platform(s) outside of the buyers SSO?
No. Nothing that would help the users to bypass SSO.
If Findem's application supports authentication, are authentication cookies marked with the secure attribute?
Yes, the authentication cookies are marked secure.
Is the session token timeout configured to be the same value set in the default session timeout mentioned above?
Yes.
If no, how long are session tokens valid for?
Not Applicable.
Does the service support a central interface for viewing tenant-specific security logs & audit events by the buyer?
No. Findem is a recruiting platform. We can provide audit logs upon request.
Please describe what tenant specific security logs & audit events are made available to the buyer through the central interface.
N/A.
Has Findem established a formally documented Data Classification Policy and Procedure that defines the classification, disclosure, and handling of sensitive data that has been documented, approved by management, published, and communicated to your workforce?
Yes.
Does Findem classify information according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?
Yes.
Does Findem's Record Retention policy cover paper & electronic records, including email in support of applicable regulations, standards and contractual requirements?
Yes.
Has Findem established a formal Data Deletion / Destruction process that identifies requirements for the secure deletion and/or destruction of sensitive data?
Yes.
Does Findem's Data Deletion / Destruction process include requirements for periodic identification and deletion of stored data that exceeds defined retention requirements?
Yes.
When will Findem return/destroy scoped data provided by clients in the post-contract termination process?
We delete the data upon contract termination within 48-72 hours.
When will Findem return/destroy backups of the scoped data provided by clients in the post-contract termination process?
We also delete the data backups upon contract termination within 48-72 hours.
Should the need arise during an active engagement, how can client's data be removed from Findem's environment?
Clients can anytime request data to be deleted which will be done within 48-72 hrs.
Does Findem's Application/Platform(s) have the ability to allow or provide clients an export of Okta Data via CSV, API or other means?
Yes - This can be done at individual user<>search level in the platform.
Does Findem segment and separate one client's data from other client data?
Yes.
Does Findem conduct semi-annual segmentation testing of production environments?
Yes.
How does Findem encrypt your client's data-at-rest?
Yes.
How does Findem encrypt your client's data-in-transit?
Yes.
Does Findem support secure deletion of archived and backed-up data as determined by the client?
Yes.
Has Findem implemented a Data Loss Prevention (DLP) solution or compensating controls established to prevent data loss?
Yes - Findem has a DR and data backup policy in place.
Has Findem implemented change detection mechanisms to identify unauthorized modification of critical assets or sensitive data?
Yes.
Does Findem encrypt backups containing client data?
Yes.
Has Findem established an Encryption & Cryptography Policy and Procedure that identifies minimum required cryptographic algorithms, protocols, and cyphers?
Yes.
Has Findem established a formally documented Secrets Management policy and procedure that documents minimum requirements for key generation, storage, use, vetting, replacement, and rotation?
Yes.
Does Findem generate encryption keys in a manner consistent with key management industry standards?
Yes.
If yes, what standards is it aligned to?
Yes. We use the Amazon KMS service to generate the keys in a secure fashion and hash them while storing.
Does Findem have the ability to rotate encryption keys in the event of a compromise?
Yes.
Does Findem allow tenants to bring their own encryption keys?
No.
Does Findem hash & salt user password information with a hash & salt technique considered secure by NIST?
Yes.
Does Findem perform annual review of security and privacy policies?
Yes.
Does Findem have documented information security baselines for every component of the infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
Yes.
Are periodic risk assessments conducted to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI?
Yes.
Are malicious code protection mechanisms updated when new releases are available?
Yes.
Does Findem conduct independent reviews and assessments on an annual basis to address nonconformities to established policies, standards, procedures, and compliance obligations?
Yes.
Does Findem have an information security program that has been documented, approved by management, published, and communicated to your workforce?
Yes.
Have all information security policies and standards been reviewed in the last 12 months?
Yes.
Does Findem clearly define information security responsibilities for all personnel?
Yes.
Does Findem establish an individual leader responsible for the management of your Information Security Program?
Yes.
Does Findem's information security program control framework capture regulatory, legal, and statutory requirements applicable to the organization?
Yes.
Does Findem review the control framework requirements at least annually to ensure changes in the regulatory, legal, or statutory requirements that could affect business processes are appropriately reflected in the framework?
Yes.
Does Findem monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls?
Yes.
Does Findem have documented security and hardening standards, including infrastructure components such as Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, Access control)?
Yes.
Are the baseline images for servers hardened to provide only the necessary ports, protocols and services to meet business needs?
Yes.
Does Findem have a systems management and configuration strategy to ensure configurations are maintained globally across all production servers?
Yes.
Are audit logs securely, immutably and centrally stored and retained as per applicable guidelines?
Yes.
Does Findem have anti-virus/malware protection on all systems which support the Scoped Services?
Yes.
Does Findem perform real-time scans of files from external sources as files are downloaded, opened, or executed?
Yes.
Is every connection to an external network terminated at a firewall e.g., the Internet, partner networks?
Yes.
Are network or security technologies used to establish and enforce security requirements and block unauthorized traffic between segregated systems and other networks and systems?
Yes.
Are remote devices prevented from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e. split tunneling)?
Yes.
Does Findem deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)?
Yes.
Does Findem implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks?
Not Applicable.
Does Findem terminate network communications associated with communications sessions at the end of the sessions or after a defined period of inactivity?
Yes.
Does Findem review firewall rules, at a minimum, annually?
Yes.
Does Findem restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services?
Yes.
Does Findem perform automated port scans on a regular basis against scoped systems and alert if unauthorized or unexpected ports are in use?
Yes.
Does Findem utilize change detection mechanisms to notify personnel of failures and unauthorized modification of critical system configuration, and/or content files?
Yes.
Does Findem maintain current diagrams that show the flow of sensitive data across providers, accounts, systems, and networks? Network architecture diagrams should clearly identify high-risk environments and data flows.
Yes.
Does Findem utilize Network Intrusion Detection / Prevention Systems (NIDS/NIPS) used to detect and/or prevent intrusions into the network?
Yes.
Does Findem utilize an active discovery tool to identify sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite, at a remote service provider or within cloud services?
No.
Please provide Findem's architectural diagrams of the platform.
Link to Findem's architectural diagrams
I believe what SoCalGas is asking for is Findem's current diagram that shows the flow of sensitive data across providers, accounts, systems, and networks?
Yes - Per SOC2 Compliance.
Does Findem formally document the time synchronization infrastructure to protect system clocks and time data sources?
Yes - Per SOC2 Compliance.
Does Findem ensure systems have correct time and receive time settings only from trusted sources?
Yes.
Has Findem established and formally documented a process to protect audit logs including technical controls such as change detection tools?
Yes.
Has Findem established technical measures to identify and respond to network-based attacks associated with anomalous ingress or egress traffic patterns and/or distributed denial-of-service attacks?
Yes.
Does Findem control and monitor the use of mobile code in your information systems?
No.
Does Findem manage the ongoing operational use of ports, protocols, and services on networked devices?
Yes.
Does Findem determine which persons, computers, and applications have a need and right to access these information assets based on an approved classification?
Yes.
Does Findem define and enforce physical security perimeters and restricted areas to protect your facilities and systems?
Yes.
Has Findem established and formally documented a schedule, process, and procedure to monitor and maintain physical security equipment and environmental safeguards?
Yes.
Does Findem protect power and telecommunications cabling from interception, interference, and damage?
Not Applicable.
Does Findem limit physical access to workforce members based on job function?
Not Applicable - All of Findem's services are on the cloud. We restrict access to members based on job function.
Does Findem maintain audit logs of physical access?
Not Applicable - However, access to the office building is restricted: outsiders need to be accompanied by an employee with access to come inside the building and office.
Does Findem require all individuals, including visitors, that need access to inspect a facility, property, vehicle, or other asset in person to provide photo ID and credentials, including name and account number or other corroborating information?
Yes - This process is owned by the building management and owner where they collect the information and provide a key fob to access.
Does Findem require visitors to check in, obtain visitor badges, authorization to enter, be escorted, and surrender badges before leaving for each visit?
Yes.
Does Findem require a visitor log audit trail to be retained for a period of at least one year?
No.
Does Findem supervise the maintenance activities of maintenance personnel without required access authorization?
Yes - The building owner takes care of the maintenance activities and accesses.
Does Findem secure data centers from unauthorized access and protect them from environmental threats in accordance with the organization's risk tolerance?
Yes - All data is stored on the cloud.
Does Findem conduct physical access reviews, at minimum, annually?
Yes - Findem's business admin evaluates all the access permissions annually.
Has Findem established an incident management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
Yes.
Does Findem's Incident Response Plan include annual testing?
Yes.
Does Findem's Incident Management Program require lessons learned reviews arising from disruptive incidents to identify actions to improve the processes and update the documentation?
No.
Does Findem communicate security alerts and events to all members of the workforce as appropriate?
Yes.
Does Findem coordinate post-incident activities with internal and external parties including management of public relations?
Yes.
Does Findem's Incident Response Plan notification procedures require notifying any required government, self-regulatory, or other supervisory bodies within 72 hours from the determination that a Cybersecurity Event with a reasonable likelihood of materially harming any material part of normal business operations has occurred?
Yes.
Will Findem notify customers in the event of a security incident?
Yes.
What information will Findem provide to clients in the event of a security incident?
Yes - Findem will track, log, and resolve the incident and provide the complete RCA for it to the involved/affected parties.
Does Findem log scoped systems (app logs, firewall logs, IDS/IPS logs, physical access logs, etc.) for granular analysis and alerting?
Yes.
Does Findem monitor system security alerts and advisories and take appropriate actions in response?
Yes.
How long does Findem retain the logs?
90 Days.
Does Findem have systems and records in place to ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions?
Yes.
Does Findem review and update audited events?
Yes.
Does Findem generate an alert in the event of an audit process failure?
Yes.
Does Findem correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity?
Yes.
Does Findem have audit reduction and report generation to support on-demand analysis and reporting?
Yes.
Does Findem protect audit information and audit tools from unauthorized access, modification, and deletion?
Yes.
Does Findem limit the management of audit functionality to a subset of privileged users?
Yes.
Will Findem have their own workstations or any other devices connected to our network?
No.
Does Findem foster a cybersecurity culture within its organization?
Yes.
Does Findem have an established vulnerability management process (in regards to the products/services they offer)?
Yes.
Does Findem (not their third parties) have a Cybersecurity certification? Proof of certification is required.
SOC2 Certified.
If 'other' or 'multiple' Cybersecurity certifications were selected in the question above, name them here:
SOC2 - Johanson Group and Penetration Testing (TAC Security).
a) Does Findem organization have a Cybersecurity department?
No, but Findem has dedicated team members with information security duties.
b) Does Findem have written Cybersecurity policies?
Yes.
c) Do Findem's cybersecurity policies, processes and procedures align with industry standards (ISO-27001, NIST Cybersecurity Framework, CoBIT, etc.)?
Yes.
Does your application protect all state-changing actions against XSRF?
Yes, all state-changing actions are protected. We have a way to ensure that no actions are missed (such as enforcing XSRF-token checks in a central place).
What strategy do you use to protect against XSRF?
We use a custom fixed header that we add to requests.
Does your application employ protection against clickjacking?
Our application employs protections against clickjacking (such as using the X-Frame-Options header).
What is your strategy to protect against XSS (Cross-Site Scripting)?
We use a templating system that automatically escapes all user input before displaying it. Our application has a central choke point where all user input is validated and escaped, depending on the context in which it will be interpreted. Some of the pages (or all of them) escape user input.
In addition to applying the strategies you've identified, does the application set a valid and appropriate content type and character set for each page (in the Content-Type HTTP header)?
Yes, we take great care to set this, knowing that otherwise we might be introducing XSS vulnerabilities.
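Added example, not Findem's code: request and response guards that implement the controls described in the answers above and in the session-cookie answers earlier on this page (a custom fixed XSRF header checked in one central place, X-Frame-Options, an explicit Content-Type charset, and express-session style cookie flags with a configurable timeout). The header name and value, cookie name and timeout length are assumptions.

```javascript
// Added example, not Findem's code. Header name/value, cookie name and the
// timeout length below are assumptions, not values taken from the FAQ.

const CSRF_HEADER = 'x-findem-csrf';       // assumed name of the custom fixed header
const CSRF_VALUE = '1';                    // assumed fixed value the client always sends
const SESSION_COOKIE = 'connect.sid';      // express-session's default cookie name
const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // assumed configurable session timeout

// Only methods that can change state need the header. A cross-site <form> post
// or navigation cannot carry a custom header, so such a request is rejected here
// before any handler runs: the single "central place" check the FAQ mentions.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function csrfCheck(req) {
  const method = String(req.method || 'GET').toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true, reason: 'safe method' };
  const headers = {};                      // header names are case-insensitive
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  if (!(CSRF_HEADER in headers)) return { ok: false, reason: `missing ${CSRF_HEADER} header` };
  if (headers[CSRF_HEADER] !== CSRF_VALUE) return { ok: false, reason: 'unexpected header value' };
  return { ok: true, reason: 'custom header present' };
}

// Cookie options equivalent to express-session's
// cookie: { secure: true, httpOnly: true, sameSite: 'lax', maxAge: timeoutMs }.
function sessionCookieOptions(timeoutMs = SESSION_TIMEOUT_MS) {
  return { path: '/', secure: true, httpOnly: true, sameSite: 'Lax', maxAge: timeoutMs };
}

// Set-Cookie value for the session id: Secure as the FAQ states, HttpOnly so
// page scripts cannot read it, and Max-Age derived from the session timeout.
function serializeSessionCookie(sessionId, opts = sessionCookieOptions()) {
  const parts = [
    `${SESSION_COOKIE}=${encodeURIComponent(sessionId)}`,
    `Path=${opts.path}`,
    `Max-Age=${Math.floor(opts.maxAge / 1000)}`,
    `SameSite=${opts.sameSite}`,
  ];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Idle-timeout check for a rolling session (express-session `rolling: true`
// refreshes the cookie on each response): the session is live only if the
// previous request fell inside the timeout window.
function sessionExpired(lastSeenMs, nowMs, timeoutMs = SESSION_TIMEOUT_MS) {
  return nowMs - lastSeenMs > timeoutMs;
}

// Response headers for an HTML page: an explicit charset removes the encoding
// guessing that can turn escaped output back into XSS, and X-Frame-Options
// (with its CSP successor) stops other origins from framing the page.
function securityHeaders(contentType = 'text/html') {
  return {
    'Content-Type': `${contentType}; charset=utf-8`,
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Runnable demonstration on constructed requests.
function demo() {
  return {
    crossSitePost: csrfCheck({ method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' } }),
    sameSitePost: csrfCheck({ method: 'POST', headers: { 'X-Findem-CSRF': '1' } }),
    cookie: serializeSessionCookie('s%3Aexample'),
    expired: sessionExpired(0, SESSION_TIMEOUT_MS + 1),
  };
}
```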
Do you protect against DOM-based XSS?
We know about DOM-based XSS, and we take specific steps to protect against this kind of vulnerability.
Applications served over SSL may still be vulnerable to attacks if resources (often JavaScript, style sheets, or other active content) are included over plain HTTP. This defeats the purpose of SSL, because the active content loaded through plain HTTP will have access to the DOM of content protected by SSL. Make sure no resources are included from plain HTTP sites. Typically, browsers will help identify cases where resources from non-SSL sites are included, by displaying mixed content warnings.
To avoid these issues, do you have checks in place to ensure that all references to resources either point to SSL or are protocol-relative?
Yes, Findem is careful and has specific controls in place to prevent mixed-content issues.
How do you protect against SQL Injection?
Findem uses an object reference model that cannot be directly tied to a database table which prevents any SQL injection because all the table and database references are known only to the backend.
What type of files does your application whitelist?
PDF, DOC, CSV.
How does the application enforce these file type restrictions?
We look at the content type that is sent by the user. We verify the file type by checking the file extension on the server side.
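Added example, not Findem's code: enforcing the PDF/DOC/CSV whitelist with the two checks the answer names (the client-sent Content-Type and the server-side file extension) plus an assumed third check on the file's leading bytes, since both the file name and the Content-Type header are supplied by the uploader. The sample uploads are constructed.

```javascript
// Added example, not Findem's code. The magic-byte check is an assumed addition
// to the extension and Content-Type checks the FAQ describes.

const ALLOWED = {
  pdf: { mime: ['application/pdf'], magic: [Buffer.from('%PDF-', 'latin1')] },
  // Legacy .doc files are OLE2 compound documents with this 8-byte signature.
  doc: { mime: ['application/msword'],
         magic: [Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1])] },
  // CSV has no signature, and browsers send several MIME types for it.
  csv: { mime: ['text/csv', 'text/plain', 'application/vnd.ms-excel'], magic: [] },
};

// Server-side extension: last dot of the final path segment, lower-cased, so
// "report.pdf.html" yields "html" and a path prefix cannot smuggle a name through.
function extensionOf(filename) {
  const base = String(filename || '').split(/[\\/]/).pop();
  const idx = base.lastIndexOf('.');
  return idx <= 0 ? '' : base.slice(idx + 1).toLowerCase();
}

// CSV fallback: the body must be valid UTF-8 with no control bytes other than
// tab, CR and LF, which rules out binaries renamed to .csv.
function looksLikeText(bytes) {
  for (const b of bytes) {
    if (b === 0x09 || b === 0x0a || b === 0x0d) continue;
    if (b < 0x20) return false;
  }
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return true;
  } catch (e) {
    return false;
  }
}

function validateUpload({ filename, contentType, bytes }) {
  const ext = extensionOf(filename);
  const rule = ALLOWED[ext];
  if (!rule) return { ok: false, reason: `extension ".${ext}" is not whitelisted` };
  // Client-sent Content-Type with any parameter (e.g. charset) stripped.
  const declared = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (!rule.mime.includes(declared)) {
    return { ok: false, reason: `content type "${declared}" does not match .${ext}` };
  }
  if (rule.magic.length > 0) {
    const matches = rule.magic.some(
      (m) => bytes.length >= m.length && bytes.subarray(0, m.length).equals(m));
    if (!matches) return { ok: false, reason: `leading bytes are not a ${ext.toUpperCase()} header` };
  } else if (!looksLikeText(bytes)) {
    return { ok: false, reason: 'csv body is not plain text' };
  }
  return { ok: true, type: ext };
}

// Constructed sample uploads.
const SAMPLE_PDF = Buffer.from('%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n', 'latin1');
const SAMPLE_CSV = Buffer.from('name,title\nAda,Engineer\n', 'utf8');
const SAMPLE_HTML = Buffer.from('<!doctype html><title>not a pdf</title>', 'utf8');
```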
Will fourth parties critical to the products and/or services provided to the client (e.g., backup vendors, service providers, subcontractors, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) be utilized for this engagement?
Findem manages all vendors itself. There are no intermediaries or aggregators that manage 3rd party vendors for us, resulting in no 4th party vendors. Furthermore, Findem does not have any 4th party vendor helping us set up our environment, for example for:
- Doing initial assessments of our platform
- AWS setup and configuration
- Monitoring
- Security & compliance
- Incident response
- Cost management
- Reporting
In the event of a data breach (involving a consumers name together with either that person's 1) SSN 2) Drivers license number, 3) financial account information together with the means of accessing their funds 4) Passport numbers or 5) Medical/Health/Biometric information), do you warrant you will disclose this event immediately (unless delayed for criminal investigation purposes)?
By default our customers will not provide or receive any personally identifiable information via the Findem platform. We do not collect or share sensitive information such as browser history, health or financial information, or any other information about a person in a family or household capacity.
(CCPA) Prior to collection of personal information, do you inform consumers as to the categories of personal information to be collected and the purposes for which this will be used?
We are registered as a data broker in California and Vermont. The requirement to notify the consumers/candidates is not applicable to data brokers.
Does your organization have a mechanism to provide a copy of the collected consumer personal information, free of charge, to the consumer within 45 calendar days of receiving the request?
When a user asks us to provide a copy of all the data we have on them, we provide it to the user.
They can email us at privacy@findem.ai or visit this link.
Does your organization have a mechanism to delete your collected consumer personal information, free of charge, upon receiving a verified consumer deletion request?
Yes - link.
Are the following available on your public website:
- The categories of personal information you collect about consumers.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- Description of the procedure the consumer may follow to obtain a copy of the specific pieces of personal information you have collected about that consumer.
Details are available in our privacy policy maintained up to date.
If you resell personal information obtained other than directly from your consumers: do you refrain from selling personal information about a consumer unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out?
We do not sell information that is collected directly from the consumer. The consumer has the right to opt-out through mechanisms mentioned in privacy policy.
If your business sells personal information to third parties, how do you inform customers?
We are registered as a data broker per CCPA requirement and the candidates have the right to opt-out using mechanisms mentioned in privacy policy.
Do you assure the same level of service to consumers who have exercised their rights under CCPA?
If the consumer exercised their right to be forgotten, as a controller we cannot share this information with any other business.
Do you provide a minimum of two methods to contact you to submit consumer requests for information (e.g. website address, toll free number)?
Yes - link
Do you have a publicly available notice on your website and/or App describing CCPA rights, and how requests should be submitted?
Yes - located here: link
Do you have a clear and conspicuous link on your homepage titled: "Do Not Sell My Personal Information" which enables a consumer to opt out of the sale of personal information?
We have "Opt out request" located at the bottom of our website.
Are the people handling personal information trained in their privacy obligations, at least annually?
Per SOC2 compliance, everyone goes through the annual security training.
Does your organization meet all applicable global privacy requirements? (ex. GDPR, CCPA, etc.)?
Yes.
Will your organization be collecting any personal data from its clients in these below categories or anything sensitive?
This info is provided in our privacy policy: link
GDPR - Which Findem modules are GDPR compliant?
There are 2 aspects to GDPR compliance -
- Data and Our Operations:
- Compliance regarding the data subjects that we have in our platform. We are GDPR compliant, we operate in a GDPR-compliant manner, and we provide tools to ensure all our customers also adhere to GDPR compliance; we have compliance officers stationed in the EU, and per our privacy policy we have a mechanism to request the "right to information" and the "right to be forgotten".
- GDPR from our Business Standpoint:
- We have legitimate business interests in collecting this data, without which we do not have a business.
- Regarding privacy notification to data subjects, which is a new law: we have established that it is physically not possible to notify all the subjects regarding the data that we collected, which would amount to 1B data subjects, most of whom we do not have contact information for.
Is your organization a processor, controller, or joint controller in its relationship with each client?
Findem is a combination of both processor and controller depending on the functionality used.
Does your organization process personal data provided by its clients only in accordance with the data processing instructions in the contracts and agreements with the client?
Yes.
What privacy laws is Findem required to comply with?
Findem is required to comply with GDPR and CCPA.
Will Findem notify clients (unless prohibited by the law) in instances where it receives a request to share client data with law enforcement?
Yes.
Does Findem provide mechanisms for addressing data subject rights requests from each client?
Yes.
Will Findem require access to any of the client systems that include the client's Customer Data (i.e. data input by Okta customers into the product)?
No.
Does Findem possess an APEC PRP certification issued by a certification body (or Accountability Agent)?
No. Findem is GDPR and CCPA compliant.
Are audit trails and logs generated and reviewed for systems and applications that have access to client data?
Yes - User and system activities are logged and stored by an automated logging service.
What type of activity does Findem log (product specific)?
The exact customer data will not be part of the audit logs. We store the workflow-related data (unique IDs) that might have led a customer to an incident - this is to perform root cause analysis on the incident.
What basic set and standard queries should we start with for a non-technical HR/TA/Sourcing audience who is learning to use competitive intelligence? Provide at least one example of what other companies are doing that is similar to this solution. Please show us one visual that another company developed based on a direct connection to your data lake. How could a competitive intelligence data scientist write code to query your data lake for ad hoc analysis?
Through this partnership, JnJ will have access to Findem’s entire data lake. We will provide an interface to generate tabular data. The tabular data can then be called by JnJ via the API we will provide. JnJ will be able to generate custom queries through this interface for consumption in downstream systems via API or for visualization leveraging the native reporting / dashboard catalog. A recommended starting point for a non-technical audience is to first define the skills/attributes associated with the ideal candidate profile (ICP). With these parameters in place, identify the global talent supply grouped by Country and City. Further analyze allocation of talent by Current Company, Past Company, Education, Job Titles, Skills, Experience, Gender, Ethnicity.
Provide a narrative of two scenarios:
- Data does not transfer: In case data does not transfer, Findem will investigate the issue and work with JnJ to troubleshoot and resolve the problem promptly. For example, if there is an API integration issue, our technical team will debug the code to ensure seamless data transfer.
- Data transfers but data is incorrect or incomplete: If data is transferred but found to be incorrect or incomplete, Findem will conduct a thorough analysis to identify the root cause of the discrepancy. For instance, if there is a mismatch in skill mappings, we will review the mapping process and make necessary adjustments to ensure accuracy.
Tell us about the SLAs to respond to our questions and concerns. Please identify any corrections or resolutions that would not be covered by annual fees but would not be a change request.
JnJ will have an assigned Customer Success Manager and Support Engineer to remedy both scenarios. Findem will respond within 24 hours to any service requests. These terms will be included in the MSA.
Provide detailed steps in your recommended approach to match our skills and job data to your skill and job data. Detail scenarios where mapping is not simple and how you would address it. Provide a real-life example. Detail how mapping would work as requirements evolve.
The Findem reporting structure is flexible. Data outputs can be generated that are consistent with JnJ’s requirements. Once JnJ shares their global job architecture and skill ontology, Findem will map to it. As changes to the architecture and ontology occur, Findem will update the definition and mapping.
Does Findem log Integration Activity?
Yes. This is required for incident response and compliance depending on data classification.
Can clients Easily Revoke/Disable Integrations?
Yes. In the event a data leak or vulnerability exposure is discovered due to the integration, this must be done ASAP upon request by Security.
Is Data In Transit Secured Over TLS1.2 or Higher?
Yes, TLS 1.2+ Only.
As a Result of This Integration, Will Data Be Pulled From The Existing Vendor (ATS Vendor) and Stored in Findem's Systems?
Findem creates a sandbox that can only be accessed by the client where only the client users can access the data in the sandbox and make changes. If the client decides to remove the integrations, Findem will delete the data within 48 - 72 hours.
How is Data-at-Rest Encrypted?
AES-256.
If Data is Pulled From the Existing Vendor (ATS) & Stored In Findem's Systems, Can the client Delete This Data?
Yes, on demand.