CAG2019-510 - Extension - Armorer Link - Police Firearms and Certification Tracking - 11/1/24

CITY OF KENT, WASHINGTON
Agreement Routing Form
For Approvals, Signatures and Records Management
This form combines & replaces the Request for Mayor's Signature and Contract Cover Sheet forms.

FOR CITY OF KENT OFFICIAL USE ONLY
Sup/Mgr:
Dir Asst:
Dir/Dep (Optional):

Originator: Ikhra Mohamed
Department: IT
Date Sent: 09/06/2024
Date Required: 09/13/2024
Director or Designee to Sign
Date of Council Approval: N/A
Budget Account Number: 52001770.64260.1800
Grant?: No
Budget?: Yes / No
Type: N/A

Vendor Name: ArmorerLink
Category: Contract
Vendor Number: 1896917
Sub-Category: Extension
Project Name: ArmorerLink Firearms and Certification Tracking Renewal
Project Details: Annual renewal of ArmorerLink Firearms and Certification Tracking subscription, at a cost of $5,399.80, including any applicable Washington State Use Tax, under Director's signature authority.
Agreement Amount: $5,399.80
Basis for Selection of Contractor: Direct Negotiation (*Memo to Mayor must be attached)
Start Date: 11/01/2024
Termination Date: 10/31/2025
Local Business?: No (*If meets requirements per KCC 3.70.100, please complete "Vendor Purchase - Local Exceptions" form on Cityspace.)
Business License Verification: Yes / In-Process / Exempt (KCC 5.01.045)
Notice required prior to disclosure?: No
Contract Number: CAG2019-510
Comments: <<Signature on attached quote pg. 2/80>>

Mike Carrington, IT Director
Date: <<date on attached quote pg. 2/80>>
Date Routed to the City Clerk's Office:
Interlocal Agreement has been uploaded to website:
Visit Documents.KentWA.gov to obtain copies of all agreements. rev. 20210513

ArmorerLink Quote
ArmorerLink
4660 NE Belknap Court, Suite 101
Hillsboro, OR 97124
+1 800 571 0753
tana.ganete@armorerlink.com

ADDRESS:
City of Kent
220 4th Ave S
Kent, WA 98032

SHIP TO:
City of Kent
City Fire Training Center
24523 116 Ave SE
Kent, WA 98030

QUOTE #: 17789
DATE: 09/05/2024
EXPIRATION DATE: 11/03/2024
CUSTOMER: imohamed@KentWA.gov
CUSTOMER: 06159
SHIP DATE: 11/01/2024 Activation
SHIP VIA: On-Line
TRACKING NO.: N/A
ACCOUNT MGR.: Joe D. Ganete
P.O. NO.:

DATE: 09/05/2024
DESCRIPTION: ArmorerLink Firearm Management System Suite Subscription, Starting: 11/01/24 through 10/31/25
QTY: 1
RATE: 4,900.00
AMOUNT: 4,900.00

APPLICATION
SaaS License for 250 Users
Data Servers on AWS-GOV Cloud
SOC2 and ISO 27001 Certified
SaaS Desktop Applications (U.S. Patent Pending)
Rangemaster Mobile Application iOS Native
Single Sign-on for OKTA Subscribers
Two-Factor Authentication (2FA)
Strong Password Enabled
I.P. Address Whitelist Capable
Quarterly Application Updates
Cyber/Liability Insurance $2,000,000 Policy

SUPPORT
Support Team Based in U.S.A.
Support by ArmorerLink Email Ticket System
Support Response 2 Hours
Support Resolution 4 to 6 Hours
Standard Support Available M-F 0800 - 1700 PST
Emergency Support 24 x 7 x 365 Toll-free (800) 571-0753
Hot Servers & Data Backup at AWS-GOV Data Centers

TRAINING
Instructed by Live Certified ArmorerLink Trainers
Training Available Mon-Fri 0830, 1130, or 1430 PST Daily
Training Capped at 2 Hour Sessions (10 Hours Weekly)
User Manual .PDF Download
Training Tutorial Videos
Course Handouts and Training Recordings Included
Quarterly Webinars and Continuous Improvement Training
Courses Presented in English Language

TOTAL: 4,900.00

ACH PAYMENT
Ganete Solutions, Inc. DBA: ArmorerLink
Bank of America, NA
Business Checking
Routing Number: 323070380
Account Number: 485011497476

WIRE TRANSFER PAYMENT
Ganete Solutions, Inc. DBA: ArmorerLink
Bank of America, NA
Business Checking
Routing Number: 026009593
Account Number: 485011497476
SWIFT USD: BOFAUS31N

CREDIT CARD PAYMENT (Surcharge 3%)
https://link.clover.com/urlshortener/MbzQnQ

Payment Terms: Net 30
Prices Include Shipping
FEIN: 81-4200279
Accepted By:
Accepted Date: 09/10/24

ArmorerLink® LEGAL NOTICE AND LICENSE AGREEMENT

The ArmorerLink service is offered and provided by Armorer Link, a division of Ganete Solutions, Inc. All material at www.armorerlink.com ("content") is subject to U.S. and international copyright law. ArmorerLink® is a United States Federal registered trademark. Each page is subject to this Copyright and Legal Terms page, as well as the copyright notice(s) and any additional conditions the page contains. You may display or print content, or save it to electronic or magnetic storage, for your own use only. You may link to pages at www.armorerlink.com provided that you do not misrepresent the nature, content, or source of the linked pages. You may republish pages from www.armorerlink.com on the following terms: The republication must be for non-commercial purposes. You may not alter the content, and you must include all authorship notices or attributions that are contained in the page. If the page includes links to pages at www.armorerlink.com other than this one, you must either link to or include those pages in the republication as well. If republication occurs electronically, you must include (or include a link to) this page. If republication occurs in printed form (for example, in a book or newsletter), you must include the following notice: For other uses, please contact us.

CONTENT IS PROVIDED ON AN "AS-IS" BASIS WITHOUT WARRANTY OF ANY KIND, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
YOU USE IT AT YOUR OWN RISK. Neither Armorer Link, nor any content contributor will be liable for damages, which you, or anyone else, directly, or indirectly suffer because you visit www.armorerlink.com. Content about Armorer Link, products and services is for informational purposes only and does not constitute binding specifications or representations relating to them. This site includes links to non-Armorer Link web sites. When you click on a link to one of those sites, Armorer Link is not responsible for the consequences. What you find there is not under our control and is not our responsibility. We strongly believe in respecting copyright and other intellectual property rights. Material that infringes the intellectual property rights of any person will not be permitted at this site. If you become aware of such material, please contact us so that we may take appropriate action.

AGREEMENT

This Agreement between you and Armorer Link ("Armorer Link") governs your use of the Armorer Link Software as a Service application ("Service") and the related equipment ("Equipment") and client software and updates ("Software") that Armorer Link provides you in connection with the Service (together, "Products"). Additional terms are stated at the Armorer Link web site, www.armorerlink.com and are incorporated by reference. Updates to this Agreement and those terms will be effective 30 days after they are published on the Web Site; you may elect not to accept an update by canceling your subscription to the Service.

1. The Service

1.1 Subject to this Agreement and your timely meeting of the financial terms, including payment of applicable fees and charges, stated on the web site where you activated your subscription to the Service, Armorer Link grants you a personal, non-exclusive, and non-transferable license to access and use the Service for your internal use on your own behalf and not for the benefit of any third party.
The Service will be available to you 24 hours per day via Internet access, other than for interruptions due to service maintenance and upgrades, system failure, system back-up and recovery, and for causes beyond 's control. Armorer Link may cancel this Agreement and the Service by sending notice to your email address on file not less than 30 days before the discontinuation date.

Page 1 of 7 Armorer Link Legal Notice and License Agreement Revised April 2024

1.2 Depending on your Service configuration, you will be required to provide your own mobile devices and to download and install the Software. The Software is licensed to you subject to any terms and conditions presented when you downloaded it from a source authorized by, as well as those contained in this Agreement. If there is a conflict, this Agreement will control. You are licensed to use the Software only with the Service, and your license will end when your subscription to the Service ends. The Software is copyrighted and licensed, not sold, and is Armorer Link's confidential and unpublished information, or that of Armorer Link's licensors. You will retain any copyright notices and proprietary legends on all copies of the Software and the media on which it is delivered. Any attempt to transfer the Software is void and will automatically cause your license to end.

1.3 You are licensed to possess and use only the object code form of the Software. Except as this Agreement expressly permits, you may not (a) use, copy, modify, publish, or display the Software; or (b) disclose, rent, loan, or transfer it to any other party. You may not reverse engineer the Software or derive a source code equivalent of it other than as authorized by statute. You are not licensed to use the Software in conjunction with software or hardware other than that authorized by Armorer Link, and Armorer Link does not warrant that the Service will be compatible with your hardware. Use of hardware that has been modified contrary to the manufacturer's specifications or guidelines, including modifications that disable hardware or software controls (e.g., "jail breaking"), is expressly prohibited, and your use of such hardware will entitle Armorer Link to terminate this Agreement and access to the Services immediately, without further obligation to you. Your license will automatically end if you fail to comply with any part of this Agreement. When your license ends, you will immediately stop using the Software and will destroy all copies unless Armorer Link directs otherwise.

1.4 You may choose to or we may invite you to submit comments or ideas about the Service, including without limitation about how to improve the Service or our other products ("Ideas"). By submitting any Idea, you acknowledge that your disclosure is gratuitous, unsolicited, and without restriction; that it will not place Armorer Link under any fiduciary or other obligation; and that Armorer Link is free to use the Idea without any additional compensation to you, or to disclose the Idea on a non-confidential basis or otherwise to anyone. You further acknowledge that, by acceptance of your submission, Armorer Link does not waive any rights to use similar or related ideas previously known to Armorer Link, or developed by its employees, or obtained from sources other than you.

2. Armorer Link Responsibilities

2.1 Your monthly subscription fee includes support during the term of this Agreement for Armorer Link Firearm Management System (ALFMS) including:
2.1.1 Desktop and Mobile Applications
2.1.2 User Manual .PDF Download
2.1.3 Training Tutorial Videos for Entire Program
2.1.4 Unlimited Online Training with Live Instructor
2.1.5 Software Support by Email and/or Telephone M-F 08:00 - 17:00 PST
2.1.6 Server Infrastructure Supported 24x7x365
2.1.7 Quarterly Software Updates
2.1.8 Data Storage
2.1.9 Daily Data Backup
2.1.10 Customer Service Live Operator 24x7x365 Toll Free (800) 571-0753
2.1.11 Equipment warranty support on the terms stated at the Website

2.2 Armorer Link will use commercially reasonable efforts to provide you with seven days' advance notice of any scheduled downtime and will notify you as soon as reasonably possible of any significant disabling of the Services for security reasons.

3. Your Responsibilities

3.1 You are responsible for installing, configuring, and using the Service, Software, and Equipment, including account set up, configuration settings, compliance with applicable laws and regulations (including those related to data privacy), and establishing any credit card processing or other services.

3.2 To use the Service, you must maintain Internet access at your own expense. Armorer Link is not responsible for and does not warrant the performance of any Internet service or other provider or its services, and you agree that Armorer Link has no liability to you for such performance or services.
3.3 Title to hardware, software, systems, documentation, and other intellectual property used by Armorer Link to provide the Services will remain with Armorer Link or its licensors, unless otherwise agreed in writing. You will take reasonable actions to protect Armorer Link's intellectual property rights. You will use all reasonable efforts to prevent any unauthorized access to, or use of, the Services, the Software, or their documentation and you will promptly notify Armorer Link if any such unauthorized access or use occurs.

3.4 This agreement applies only to the United States, and all Services performed in the United States, regardless of where the end user of the Service is located. If you or your customers are located outside the United States, you will take all actions necessary to comply with the laws and regulations of all relevant countries.

4. Data and System Security

4.1 Armorer Link has implemented physical, technical, and organizational measures designed to secure Personal Information (as defined in Section 9) from unauthorized access, use, alteration, or disclosure. Armorer Link will: (a) maintain an appropriate level of physical security controls over its data center including, but not limited to, appropriate alarm systems, fire suppression, and access controls (including off-hour controls); (b) periodically test its systems for security breach vulnerabilities; (c) use commercially reasonable efforts to protect its systems from unauthorized access, including the use of firewall and data Armorer Link option technologies as applicable; and (d) maintain safety and physical security procedures with respect to its access and maintenance of your data which are materially consistent with general industry practice. Notwithstanding the foregoing, you acknowledge that Armorer Link cannot guarantee that unauthorized third parties will never be able to defeat those measures or use Personal Information for improper purposes and that you provide Personal Information to Armorer Link at your own risk.

4.2 "Customer Data" means Personal Information relating to your employees or end users. Customer Data is your Confidential Information and will remain your property. Armorer Link will not disclose Customer Data to any third party without your consent, but you acknowledge that Customer Data and your other Confidential Information may be subject to regulation and examination by auditors and regulatory agencies with oversight of your business, and Armorer Link may disclose it to them upon their request. You are responsible for all Customer Data, including its legality, reliability, integrity, accuracy, and quality. You will determine whether any privacy laws, regulations, or other legal duties apply to Customer Data and will implement appropriate measures to ensure compliance. You warrant that you have obtained and will maintain all authorization from all parties (including customers and end users) necessary for Armorer Link to provide the Service without violating any law or regulation, and you will not use the Service in any manner that would violate a law or regulation.

4.3 Armorer Link may retain, disclose, and use Transaction Data which it creates in the course of the Services and which may be based upon Customer Data. "Transaction Data" is anonymized or aggregated data that has had all personally identifiable information removed.

4.4 You acknowledge that it is your responsibility to secure and protect your data.

4.5 You acknowledge that Armorer Link does not control the transfer of data over telecommunications facilities, and that use of or connection to the Internet is inherently insecure and provides opportunity for unauthorized access by third parties. Armorer Link will not be responsible for any delays, delivery failures, or any other loss or damage resulting from such transfer.
Armorer Link does not warrant that third-party Internet sites will be accessible without interruption, will meet your requirements or expectations or those of any third party, or will be free from errors, defects, design flaws, or omissions. All data backup download recoveries are your responsibility. You will follow Armorer Link's password security guidelines, and you will guard passwords against misuse. Armorer Link may direct you to change the password to one that is more secure.

4.6 You will not use, nor will you permit any third party to use, the Services to upload, post, or otherwise transmit any data that: (a) is deceptive, misleading, unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of others' privacy, hateful, or racially, ethnically, or otherwise objectionable; (b) is harmful to minors in any way; (c) you do not have a right to transmit under any law or under contractual or fiduciary relationships; (d) infringes any patent, trademark, trade secret, copyright, or other proprietary rights of any party; (e) constitutes unsolicited or unauthorized advertising or promotional materials, including but not limited to junk mail, Spam, chain letters, and pyramid schemes; (f) is designed to access or monitor any material or information on any Armorer Link system using any manual process or robot, spider, scraper, or other automated means; (g) violates privacy or other laws; or (h) contains software viruses or any other computer code, files, or programs designed to interrupt, destroy, impose an unreasonable or disproportionally large load on, or limit the functionality of any computer hardware or software, or telecommunications equipment. You will defend and hold Armorer Link harmless from any claim or loss resulting from your failure to comply with this section.

4.7 With respect to any Armorer Link computer system, network, or service, you agree not to: (a) impersonate any person or entity; (b) forge headers or otherwise manipulate identifiers in order to disguise the origin of any data; (c) develop or deploy restricted access pages or hidden pages or images (i.e., those not linked from another accessible page); (d) interfere with or disrupt Armorer Link websites, servers, systems, or networks; (e) violate any applicable law or regulation; (f) stalk or otherwise harass another; (g) use, or attempt to use, any system or account without the owner's permission; or (h) interfere with, defeat, or circumvent any security function. You will defend and hold Armorer Link harmless from any claim or loss resulting from your failure to comply with this section.

5. Warranties

5.1 Armorer Link warrants that the Service and Software will be materially as described and published. Provided that you have timely paid all subscription and other fees due, Armorer Link will promptly at its expense correct any Service or Software that fails to materially conform to this warranty. If Armorer Link is unable reasonably to do so, as your sole remedy you may terminate the Service by giving written notice to Armorer Link within 30 days after the non-conformance. You will pay Armorer Link for all Services actually provided through the termination date. Equipment is warranted against defects in manufacture and at Armorer Link's sole discretion, Armorer Link will replace or refund the purchase price of nonconforming Equipment. Warranty claims must be submitted in accordance with the terms stated at the Web Site. These are the sole and exclusive warranties made by Armorer Link. There are no warranties of merchantability or fitness for a particular purpose. There are no other warranties or warranty remedies, oral or written, express or implied.
5.2 You warrant that: (a) you are at least eighteen years of age; (b) you are eligible to register and use the Service and have the right, power, and ability to enter into and perform under this Agreement; (c) the name you identify when you register is your real name or the business name under which you sell goods and services; (d) any sales transaction you submit will represent a bona fide sale by you, will accurately describe the goods or services sold and delivered to a purchaser, and will be properly reported for tax (including sales and ad valorem tax) purposes; and (e) you will fulfill all your obligations to each customer for which you submit a transaction and will resolve any consumer dispute or complaint directly with the purchaser.

6. Infringement Claims

6.1 Armorer Link will, at its expense, defend you against any intellectual property ("IP") Claim. Armorer Link will also pay the damages, costs, and attorneys' fees that are awarded against you in a final, non-appealable court judgment for the IP Claim, or required to be paid by you or on your behalf in a settlement of the IP Claim that Armorer Link has agreed to in writing. As used in this Section 6, an "IP Claim" means a suit brought against you by a third party to the extent the suit alleges that your use of a Product provided to you by Armorer Link infringes a patent or copyright of the third party.

6.2 Armorer Link's obligations under an IP Claim are subject to you: (a) providing prompt written notice that the IP Claim has been threatened or brought, whichever is sooner (the "Claim Notice"); (b) providing Armorer Link sole control of the defense, appeal, and/or settlement of the IP Claim; (c) cooperating with respect to the defense, appeal, and/or settlement of the IP Claim; (d) providing requested documentation and information relevant to the IP Claim or its defense, appeal, and/or settlement; and (e) complying with all court orders. If delay in providing the Claim Notice causes detriment to Armorer Link with respect to the defense or resolution of the IP Claim, the obligations set forth in Section 6.1 will not apply to the IP Claim. Notwithstanding any other provision of this Agreement, Armorer Link is not responsible for any fees (including attorneys' fees), expenses, costs, judgments, or awards that are incurred prior to its receipt of the Claim Notice. Armorer Link will have the sole right to select counsel. You may, at your sole expense, engage additional counsel of your choosing for purposes of conferring with Armorer Link's counsel.

6.3 The obligations set forth in Section 6.1 will not apply to an IP Claim if the alleged infringement is based on, caused by, or results from (a) Armorer Link's compliance with your designs, specifications, or instructions; (b) modification of the Product other than by Armorer Link; (c) any product or service not provided by Armorer Link to you; or (d) combination or use of the Product with any product or service not provided by Armorer Link to you.

6.4 If an intellectual property infringement allegation is brought or threatened against the Product, or Armorer Link believes that such an allegation may be brought or threatened, Armorer Link may obtain a license for the Product; modify the Product; or replace the Product with a product having substantially the same functionality. If Armorer Link in its discretion determines that none of the foregoing is available on a reasonable basis, upon Armorer Link's written notice to you: (a) Armorer Link may cease delivering the Services and refund any amount that you have pre-paid for Services not yet delivered; and (b) you will promptly return any Software or Equipment to Armorer Link, and Armorer Link will refund the price you paid Armorer Link for that Software or Equipment, less depreciation on a five-year straight-line basis.

6.5 This Section 6 sets forth Armorer Link's entire obligations and your exclusive remedies with respect to any IP Claim or any intellectual property infringement.

7. Mutual Liability Limitations

7.1 Neither party will be liable to the other, whether in an action in contract, tort, product liability, strict liability, statute, law, equity, or otherwise arising under or related to this Agreement: for any indirect, incidental, consequential, special, or punitive damages; for loss of profits or revenue (other than in an action by Armorer Link to recover payment of a price owed); or for loss of time, opportunity, or data. Neither party will be liable to the other for any amount greater than the cumulative purchase price, fees, and charges paid for the Products at issue. As used in this Section 7, a "party" includes a party to this Agreement and its affiliates, employees, agents, contractors, and suppliers when acting in that capacity with respect to the Products, and any persons or entities claiming by or through a party to this Agreement.
7.2 Section 7.1 will not limit a party's liability for direct damages for personal injury, including death, to the extent caused by its negligence or willful misconduct; or its liability for direct damages resulting from violating the other's intellectual property rights or intentionally breaching Section 9; or a party's obligation to defend, hold harmless, or indemnify the other under Sections 4.6, 4.7, or 6. A party will be liable for physical damage to real or tangible personal property to the extent caused by its negligence or willful misconduct, but its liability will be limited to one million dollars per occurrence (such limitation applying collectively to all persons or entities defined as a "party" in Section 7.1).

7.3 Each clause and phrase of this Section 7 is separate from each other clause and phrase, and from the remedy limitations and exclusions elsewhere in this Agreement and will apply notwithstanding any failure of essential purpose of a remedy, any termination of this Agreement, or severability of any clause or phrase in this Agreement.

8. Third Party Products

Your rights to use any Product bearing the logo or copyright of a third party provided to you by Armorer Link are as stated on any agreement provided with them. You acknowledge and agree that all third-party Products are provided "as-is" without a warranty from Armorer Link. Accordingly, Armorer Link expressly disclaims all warranties of any nature with respect to any third-party Products, whether oral or written, express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement of any third-party rights.

9. Confidentiality

9.1 "Confidential Information" is proprietary information disclosed by one party to the other related to the disclosing party, this Agreement, or the Products. As it applies to the Products, input data you provide to Armorer Link and all Personal Information (as defined below) are considered Confidential Information. In addition, business plans, pricing information, software in human-readable form, and any other information that, by its nature or on its face, reasonably should be understood by the receiving party to be confidential are considered Confidential Information whether or not marked as such. Other Confidential Information disclosed in documents or other tangible form must be clearly designated, labeled, or marked as confidential or its equivalent at the time of disclosure, and Confidential Information disclosed in oral or other intangible form must be identified as confidential at the time of disclosure, and summarized in tangible form marked as confidential and delivered to the recipient within 10 days after disclosure. "Personal Information" is information relating to an identified or identifiable individual and includes information relating to identification (including age, gender, social security number, address, telephone number, email address, and other contact information), finances, employment, or health that is subject to confidentiality obligations under any applicable law or regulation.

9.2 Confidential Information does not include information that is or becomes available without restriction through no wrongful act.

9.3 All Confidential Information remains the disclosing party's property.
Upon the disclosing party's request, all Confidential Information (other than materials that have been licensed to the recipient and with respect to which the recipient is in full compliance with its obligations) will be destroyed or returned to the disclosing party, less a single archival copy which may be used only for the purpose of business discussions with the other party addressing compliance issues or disputes related to that Confidential Information.

9.4 Each party will use reasonable efforts to prevent the disclosure of the other's Confidential Information to third parties and its employees who do not have a need to know. Confidentiality obligations under this Agreement with respect to Personal Information, your data, customer information, financial records, business plans, and software in human-readable form will continue indefinitely. Otherwise, confidentiality obligations under this Agreement will end three years after the date of disclosure.

9.5 Either party may disclose Confidential Information to its accountants, lawyers, and other professional advisers; and to its affiliates, consultants, and contractors who have a need to know it to further permitted use of the Services; provided that each agrees in writing to confidentiality obligations consistent with this Agreement, including its intellectual property and confidentiality provisions. Each party is an intended third-party beneficiary of any such agreement and will have the right to directly enforce it.

10. Governing Law and Disputes

10.1 Customer City and State law governs this Agreement, and the relationships created by it, except for its laws regarding conflicts of law and arbitrability; the Federal Arbitration Act will govern all issues of arbitrability. Neither party may bring a claim more than two years after the underlying cause of action first accrues.
10.2 Each party agrees to give the other prompt written notice of any claim, controversy, or dispute arising under or related to this Agreement, and both parties agree to engage in good faith discussions to resolve the matter. If that fails to resolve the matter promptly, either party may request the other to participate in mediation before a mutually agreed mediator. Any controversy, claim, or dispute which is not resolved through the procedures set forth above within 60 days (or such longer period as the parties may agree) will be resolved by arbitration before a sole arbitrator who is an attorney, under the then-current Commercial Arbitration Rules of the American Arbitration Association. The duty and right to arbitrate will extend to any employee, officer, director, shareholder, agent, or Affiliate, of a party to the extent that right or duty arises through a party or is related to this Agreement. The decision and award of the arbitrator will be final and binding, and the award rendered may be entered in any court having jurisdiction. The arbitrator is directed to hear and decide potentially dispositive motions in advance of a hearing on the merits by applying the applicable law to uncontested facts and documents. The arbitration will be held at the customer City and State. This Section 10.2, and the obligation to mediate and arbitrate, will not apply to claims for misuse or infringement of a party's intellectual property or Confidential Information, or collection of sums owed to Armorer Link under this Agreement. A party may at any time seek an injunction or other equitable relief in aid of arbitration. The arbitrator will not have authority to award punitive damages, non-compensatory damages, or any damages other than direct damages, or have authority to award direct damages inconsistent with the limitations and exclusions set forth in this Agreement.

11. General Terms

11.1 Except for your obligation to make payments when due, neither party will be liable for failing to fulfill its obligations due to acts of God or government, civil commotion, military authority, war, riots, terrorism, strikes, fire, or other causes beyond its reasonable control.

11.2 Except as permitted by this Section 11.2, neither party may assign this Agreement or its rights or obligations under it without the express consent of the other party. Armorer Link may use affiliates, contractors, or suppliers to act on its behalf (but doing so will not alter Armorer Link's obligations to you, and those parties will be bound to the same confidentiality obligations as Armorer Link), and may assign this Agreement to its parent, subsidiary, or other affiliated company, or to an assignee or transferee upon Armorer Link's entry into a merger, consolidation or sale of assets transaction. In this Agreement, references to "Armorer Link" include its employees, contractors, and agents.

11.3 The parties are independent contractors to one another. Employees of one will not be deemed to be or act as employees or other representatives of the other. A party will not be responsible for compensating; providing insurance or benefits; making unemployment, Social Security or Medicare contributions; or withholding taxes or other withholdings against earnings of the other's employees or contractors.

11.4 If any provision of this Agreement is held to be illegal, invalid, or unenforceable in whole or in part, it will be enforced to the maximum extent permissible so as to affect the intent of the parties, and the remaining provisions will remain in full force and effect. Terms intended by the parties to survive termination of this Agreement will survive termination. Failure to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision.
Copyright © 2024 by Armorer Link. All Rights Reserved. Originally published at www.armorerlink.com

ArmorerLink Infrastructure Security Guide
Revised August 14, 2024
Ganete Solutions, Inc. d.b.a. ArmorerLink®
4660 NE Belknap Court, Suite 101, Hillsboro, Oregon 97124 U.S.A.
(800) 571-0753

ArmorerLink Infrastructure Security Guide, Revised 08/14/2024

Table of Contents
Purpose ... 5
Introduction ... 6
  Security Approach ... 7
  Policy Model ... 8
  Architecture ... 10
  Security Information and Event Management ... 10
  DevOps Controls ... 12
    Network, Security and IAM (Requirement 1) ... 12
    Secret Management (Requirement 2) ... 14
    Encryption and Key Management (Requirement 3) ... 16
    Transport Encryption (Requirement 4) ... 17
    Access Control (Requirements 7 & 8) ... 18
  SecOps Controls ... 23
    Vulnerability Detection (Requirement 6.1) ... 23
    CIS Benchmarks (Requirement 1) ... 23
    Cloud Vulnerabilities & Intrusion Detection (Requirement 11.4) ... 24
    File Integrity Monitoring (Requirement 10.5.5) ... 27
    Virus Scanning (Requirements 5.1, 5.2 & 5.3) ... 28
    Network Intrusion Detection (Requirement 11.4) ... 29
    Inventory Management (Requirement 11) ... 31
    Host Intrusion Detection (Requirement 10.6.1) ... 33
    Host Anomaly Detection ... 34
    Email Alerting ... 35
    Incident Management ... 36
  Control-by-Control PCI Implementation Detail ... 36
    Control-by-Control HIPAA Implementation Detail ... 54
  Dynamic Application Security Testing ... 60
General Security Controls ... 61
  Confidentiality Statement ... 61
  Background Check ... 61
  Workstation/Laptop Encryption ... 61
  Server Security ... 61
  Minimum Necessary ... 61
  Removable Media Devices ... 61
  Antivirus Software ... 61
  Patch Management ... 61
  User IDs and Password Controls ... 62
  Escorting Visitors ... 62
Data Security ... 63
  Management ... 63
  Confidentiality ... 63
  Sanitization ... 63
  Ownership and Retention ... 63
  Credit Card Transactions ... 63
  Restoration and Purge Process ... 63
  Encryption ... 64
System Security Controls ... 64
  System Timeout ... 64
  System Logging ... 64
  Access Controls ... 64
  Transmission Encryption ... 64
  Intrusion Detection ... 64
Paper Document Controls ... 65
  Documents ... 65
  Confidential Destruction ... 65
  Telecopies ... 65
  Mailing ... 65
Audit Controls ... 66
  System Security Review ... 66
  Log Reviews ... 66
  Change Control ... 66
  Right to Audit Security ... 66
Business Continuity / Disaster Recovery Controls ... 67
  Database Availability ... 67
  Disaster Recovery ... 67
  Data Backup Plan ... 67
  Cyber Insurance Policy ... 67
Single Sign-on (SSO) Authentication ... 68
Compliance ... 69
  Standards ... 69
  Personal Identifiable Information (PII) ... 69
  Terms of Use and Privacy ... 69

Purpose

ArmorerLink operates as a mature IT organization according to best practices. This infrastructure security document provides the basis for evaluating the information security maturity and compatibility of ArmorerLink cloud services.

President and CEO
Date: August 14, 2024

Introduction

Since ArmorerLink was founded in 2013, we have not had any security or credit card breaches. This is most likely due to several factors. First, the application's PHP code is not publicly available, unlike off-the-shelf PHP code such as a WordPress plug-in. Second, the application contains no credit card data. Third, the application is not interconnected with any outside networks, and it cannot be used to bootstrap into a customer network. It therefore represents a target that would require a lot of work to break into, with little to be obtained that is not already public record (such as an officer's name and badge number).

Employees are required to pass a background check upon employment and are subject to random background and drug screening. Customer databases are accessed by the ArmorerLink I.T. Director and our database developers. Database access is logged, monitored, and audited. Data center security access is not available directly to customers. The point of contact for security incident management is available 24x7x365 at (800) 571-0753.
Security Approach

ArmorerLink infrastructure is based on the PCI-DSS v3.2.1 framework as described in the AWS Best Practices for PCI-DSS at: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html

These infrastructure controls are further combined with controls from AWS Foundational Best Practices and the CIS AWS Foundations Benchmark v1.2.0. The final control set subsumes SOC 2, HIPAA, and ISO standards from an AWS infrastructure perspective. These controls are achieved by leveraging the DuploCloud platform and services. The details of the approach are described in the following white papers:
  Deploy Applications 10x Faster with No-Code/Low-Code DevOps
  PCI, HIPAA, and HITRUST Compliance with DuploCloud

DuploCloud is a software platform that provides the infrastructure deployment configurations that enable a compliant infrastructure. Further, the DuploCloud operations team deploys, maintains and monitors the infrastructure so that controls are maintained. Security posture is monitored and maintained via cloud platform services and tools such as AWS Security Hub and the Wazuh SIEM.

As needed, ArmorerLink can provide isolation between customers at three different layers: Cloud Automation Platform Tenant, Cloud Automation Platform Infrastructure, and the cloud account level (the Cloud Automation Platform constructs are described in the Policy Model section below). The customer creates and maintains ownership of the cloud account provisioned in the DuploCloud software. This ensures that the customer retains sole root access to the cloud account.

Policy Model

• Infrastructure. A DuploCloud Infrastructure maps 1:1 with a VPC and can be in any AWS region. Each infrastructure has a set of subnets spread across multiple availability zones. In AWS, there is a NAT gateway for private subnets.
  ArmorerLink has 2 AWS accounts, one for production and the other for the non-production environment. Under each AWS account is a DuploCloud Infrastructure in the AWS US-GOV-WEST-1 region where the corresponding application workload is hosted.
• Tenant or Project. Tenants are the most fundamental construct of the policy model. A tenant represents an application's entire lifecycle.
  o It is a security boundary, i.e., all resources within a tenant have access to each other, but any external access is blocked unless explicitly exposed via an LB, IAM Policy, or SG.
  o It is a container of resources, with each resource implicitly tagged with the tenant's name and other labels associated with the tenant. Deleting a tenant deletes all the resources underneath it.
  o It is an access control boundary, i.e., each tenant can be accessed by N users and each user can access M tenants. The single sign-on access given to a user for a tenant is automatically propagated by the software to provide the user with just-in-time access to the AWS resources via the console.
  o It carries all the logs, metrics, and alerts of the application in a single dashboard.
  o It links to the application's code repository for CI/CD, providing a runtime build as a microservice construct such that each tenant can run its own builds on resources in that tenant without worrying about setting up a build system like Jenkins, Bitbucket, etc.
  o A DuploCloud Tenant can be part of one and only one DuploCloud Infrastructure. An infrastructure can have multiple tenants.
  o ArmorerLink has a total of 2 Tenants: DEV and PROD.
• Plan. This is a logical construct and a container of tenants. It holds the governance policies for the tenants under it, for example resource usage quota, allowed AMIs, allowed certificates, labels, etc. Each plan can be linked to one and only one infrastructure.
• User. This is an individual with a user ID. Each user could have access to one or more tenants/projects.
• Host. This is an EC2 instance. This is where your application will run.
• Service. A Service is where your application code is packaged as a single Docker image and runs as a set of one or more containers. It is specified as: image name; replicas; environment variables; volume mappings, if any. DuploCloud also allows running applications that are not packaged as Docker images.
• LB. A Service can be exposed outside of the tenant/project via an LB and DNS name. An LB is defined as: Service name + container port + external port + internal-or-internet-facing. Optionally, a wildcard certificate can be chosen for SSL termination. You can choose to make it internal, which will expose it only within your VPC to other applications.
• DNS Name. By default, when a Service is exposed via an LB, DuploCloud will create a friendly DNS name. A user can choose to edit this name. The domain name must have been configured in the system by the admin.
• Docker Host or Fleet Host. If a host is marked as part of the fleet, then DuploCloud will use it to deploy containers. If the user needs a host for development purposes such as a test machine, then it would be marked as not part of the pool or fleet.
• DevOps Controls and SecOps Controls. Infrastructure is implemented in 2 categories:
  o DevOps Controls. These are configurations that are done during provisioning of the infrastructure. Subnets, VPC, Security groups, IAM Roles, and Encryption at rest are examples of DevOps Controls.
  o SecOps Controls. These are controls that are ongoing. Examples of these are Just-in-time access, Host and Network Intrusion Detection, Vulnerability Detection, Web Application Firewall, etc.
Architecture

[Figure: ArmorerLink deployment architecture diagram. Labels legible in the diagram: VPC, Internet Gateway, armorerlink.com, application services (app, queue, api-php, admin, scheduler), MySQL, cache, Lambda functions, S3 bucket, Amazon Simple Email Service (SES).]

Security Information and Event Management

ArmorerLink infrastructure has a centralized system to aggregate and process all events. This is the basis of our operations and incident management. The primary functions of the system are:
1. Data Repository
2. Event Processing Rules
3. Dashboard
4. Events and Alerting

Distributed agents of this platform are deployed at various endpoints (VMs in the cloud) where they collect event data from various logs, such as syslog, virus scan results, NIDS alerts, File Integrity events, etc. Data is sent to a centralized server and passes through a set of rules to produce events and alerts, which are typically stored in Elasticsearch, from which dashboards can then be generated. Data can also be ingested from sources like AWS CloudTrail, AWS GuardDuty, AWS Trusted Advisor, and other cloud resources. Subsequent sections describe the location of various core modules of our PCI-DSS implementation in the SIEM dashboard.
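The pipeline just described (agents ship raw events from syslog, file integrity, NIDS and virus scans; a central rule set turns them into levelled alerts; the dashboard shows counters such as level-12-or-above alerts and authentication failures) can be sketched in a few dozen lines. The following is an added example, not ArmorerLink's or the Wazuh SIEM's code; the sample events, rule ids and level numbers are constructed for the illustration.

```python
"""Minimal SIEM-style event pipeline: per-event rules, one composite
(correlation) rule, and the counters a dashboard header would show.
Added illustration; rule ids, levels and events are constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    agent: str
    mitre: list = field(default_factory=list)
    data: dict = field(default_factory=dict)


HIGH_LEVEL = 12  # the "Level 12 or above" bucket on the dashboard

SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SSH_OK = re.compile(r"Accepted publickey for (\S+) from (\S+)")


def match_rules(event):
    """Map one raw agent event to zero or one Alert (the per-event rules)."""
    src, agent, payload = event["source"], event["agent"], event["payload"]
    if src == "syslog":
        m = SSH_FAIL.search(payload)
        if m:
            return Alert(5710, 5, "sshd: authentication failed", agent,
                         ["T1110"], {"user": m.group(1), "srcip": m.group(2)})
        m = SSH_OK.search(payload)
        if m:
            return Alert(5715, 3, "sshd: authentication success", agent,
                         ["T1078", "T1021"], {"user": m.group(1), "srcip": m.group(2)})
    elif src == "fim":
        # Integrity monitoring: any change to a watched file is reported at level 7.
        return Alert(550, 7, f"Integrity checksum changed: {payload['path']}", agent,
                     ["T1565"], payload)
    elif src == "nids":
        return Alert(86601, 10, f"NIDS: {payload['signature']}", agent, ["T1190"], payload)
    elif src == "av":
        return Alert(52502, HIGH_LEVEL, f"Virus found: {payload['malware']}", agent,
                     ["T1204"], payload)
    return None  # no rule matched: the event is stored but raises no alert


def correlate(alerts, threshold=3):
    """Composite rule: >= threshold failed logins from one source IP -> brute force."""
    failures = defaultdict(list)
    for a in alerts:
        if a.rule_id == 5710:
            failures[a.data["srcip"]].append(a)
    out = []
    for ip, hits in failures.items():
        if len(hits) >= threshold:
            out.append(Alert(5712, HIGH_LEVEL, f"sshd: brute force ({len(hits)} failures)",
                             hits[0].agent, ["T1110"], {"srcip": ip, "count": len(hits)}))
    return out


def process(events):
    alerts = [a for a in map(match_rules, events) if a]
    return alerts + correlate(alerts)


def summarize(alerts):
    """Counters shown on the dashboard header."""
    return {
        "total": len(alerts),
        "level_12_or_above": sum(1 for a in alerts if a.level >= HIGH_LEVEL),
        "authentication_failure": sum(1 for a in alerts if a.rule_id == 5710),
        "authentication_success": sum(1 for a in alerts if a.rule_id == 5715),
        "top_mitre": [t for t, _ in Counter(t for a in alerts for t in a.mitre).most_common(3)],
    }


# Constructed sample feed from three agents (hostnames and addresses are made up).
SAMPLE_EVENTS = [
    {"agent": "api-php-1", "source": "syslog", "payload": "sshd[812]: Failed password for root from 203.0.113.9 port 5022 ssh2"},
    {"agent": "api-php-1", "source": "syslog", "payload": "sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 5023 ssh2"},
    {"agent": "api-php-1", "source": "syslog", "payload": "sshd[813]: Failed password for root from 203.0.113.9 port 5024 ssh2"},
    {"agent": "admin-1", "source": "syslog", "payload": "sshd[221]: Accepted publickey for deploy from 10.20.1.4 port 41022 ssh2"},
    {"agent": "admin-1", "source": "fim", "payload": {"path": "/etc/ssh/sshd_config", "change": "modified"}},
    {"agent": "queue-1", "source": "nids", "payload": {"signature": "ET SCAN Potential SSH Scan", "srcip": "198.51.100.7"}},
    {"agent": "queue-1", "source": "av", "payload": {"malware": "Eicar-Test-Signature", "path": "/tmp/eicar.com"}},
]

if __name__ == "__main__":
    for a in process(SAMPLE_EVENTS):
        print(f"level={a.level:2d} rule={a.rule_id} {a.description}")
    print(summarize(process(SAMPLE_EVENTS)))
```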
[Figure: SIEM dashboard, module overview. Agent counters: Total agents 29, Active agents 17, Disconnected agents 2, Never connected agents 10. Modules: Security events (browse security alerts, identify issues and threats in the environment); Integrity monitoring (alerts on file changes, including permissions, content, ownership and attributes); Policy monitoring (verify that systems are configured according to the security policy baseline); System auditing (audit user behavior, monitor command execution and alert on access to critical files); Amazon AWS (security events for AWS services, collected directly via the AWS API); CIS-CAT (configuration assessment using the Center for Internet Security scanner and SCAP checks); Security configuration assessment.]

[Figure: SIEM Security events view for tenant DEFAULT, last 1 hour. Counters: Total 23, Level 12 or above alerts 0, Authentication failure 11, Authentication success 7. Panel "Top MITRE ATT&CKs" lists Brute Force, Valid Accounts and Remote Services.]

DevOps Controls

Network, Security and IAM (Requirement 1)

PCI DSS v3.2.1 requirement, followed by the DuploCloud implementation of each.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
  Implementation: Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces the concept of a tenant, which is a logical construct above AWS and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

1.1.5 Description of groups, roles, and responsibilities for management of network components.
  Implementation: DuploCloud overlays the logical constructs of Tenant and Infrastructure that represent an application. Within a tenant there are concepts of services. All resources within the tenant are by default labeled in the cloud with the Tenant name. Further, the automation allows the user to set any tag at the tenant level, and that tag is automatically propagated to AWS artifacts. The system is always kept in sync with background threads.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  Implementation: Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces the concept of a tenant, which is a logical construct above AWS and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
  Implementation: Same tenant boundary as 1.2.1: public and private subnets, separate VPCs per environment, a unique SG, IAM Role and Instance Profile per tenant, and no access into the tenant unless specific ports are exposed via LB.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
  Implementation: Same tenant boundary as 1.2.1: public and private subnets, separate VPCs per environment, a unique SG, IAM Role and Instance Profile per tenant, and no access into the tenant unless specific ports are exposed via LB.

1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
  Implementation: By default, all outbound traffic uses the NAT Gateway. Additional subnet ACLs can be put in place if needed. Nodes in the private subnets can only reach outside via a NAT Gateway.

1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
  Implementation: Infrastructure is split into public and private subnets. Dev and production are split into different AWS accounts or across VPCs. DuploCloud automation introduces the concept of a tenant, which is a logical construct above AWS and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed to the tenant unless specific ports are exposed via LB. The application is split into multiple tenants, with each tenant having all private resources in a private subnet. An example implementation would be all data stores in one tenant and the frontend UI in a different tenant.

1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
  Implementation: Use private subnets and private Route 53 hosted zones.

1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
  Implementation: Use of a rules-based approach makes the configuration error free, consistent, and documented. Further documentation is to be done by the client, and DuploCloud can also produce documentation during the blueprinting process.

Secret Management (Requirement 2)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
  Implementation: DuploCloud enables user-specified password or random password generation options. User access is managed in such a way that all end user access is via single sign-on without explicit passwords. Even access to the AWS console is done by generating a federated console URL that has a validity of less than an hour. The system enables operations with minimal user accounts, as most access is JIT.
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
  Implementation: DuploCloud orchestrates Kubernetes node selectors for this. Non-container workloads are also supported, and VMs can be labeled, so the automation can meet this control for them as well. For example, one can install Wazuh in one VM, Suricata in another and Elasticsearch in another.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
  Implementation: By default, no traffic is allowed inside a tenant boundary unless exposed via an LB. DuploCloud allows automated configuration of the desired inter-tenant access without users needing to manually write scripts. Further, as the environment changes dynamically, DuploCloud keeps these configurations in sync. DuploCloud also reconciles any orphan resources in the system and cleans them up; this includes Docker containers, VMs, LBs, keys, S3 buckets and various other resources.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
  Implementation: DuploCloud gets certificates from Certificate Manager and automates SSL termination in the LB.

2.2.4 Configure system security parameters to prevent misuse.
  Implementation: AWS IAM configuration and policies in AWS that implement separation of duties and least privilege, and S3 bucket policies. Infrastructure is split into public and private subnets. Dev and production are split into different VPCs. DuploCloud automation introduces the concept of a tenant, which is a logical construct above AWS and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed to the tenant unless specific ports are exposed via LB. The application is split into multiple tenants, with each tenant having all private resources in a private subnet. An example implementation would be all data stores in one tenant and the frontend UI in a different tenant.

2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
  Implementation: DuploCloud reconciles any orphan resources in the system against the user specifications in its database and cleans them up; this includes Docker containers, VMs, LBs, keys, S3 buckets and various other resources. All resources specified by the user in the database are tracked and audited every 30 seconds.

2.3 Encrypt all non-console administrative access using strong cryptography.
  Implementation: SSL LB and VPN connections are orchestrated. DuploCloud automates OpenVPN P2S VPN user management by integrating it with the user's single sign-on, i.e., when a user's email is revoked from the DuploCloud portal, it is cleaned up automatically from the VPN server.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.
  Implementation: All resources are stored in the DB, tracked, and audited. The software has an inventory of resources that can be exported.

Encryption and Key Management (Requirement 3)

Requirement 3: Protect stored cardholder data
3.4.1 If disk encryption is used DuploCloud orchestrates AWS KMS keys per tenant (rather than file-or column-level to encrypt various AWS resource in that tenant like database encryption), logical DBs, S3, Elastic Search, REDIS etc. Access to the access must be managed keys is granted only to the instance profile w/o any separately and independently of user accounts or keys. By default, DuploCloud native operating system creates a common key per deployment but allows authentication and access control ability to have one key per tenant mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements. 2. 3.5.2 Restrict access to DuploCloud orchestrates AWS KMS per tenant to cryptographic keys to the fewest encrypt various AWS resource in that tenant like DBs, number of custodians necessary. S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile w/o any user accounts or keys. By default, DuploCloud creates a common key per deployment but allows ability to have one key per tenant Page 16 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 3. 
3. 3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.
DuploCloud implementation: DuploCloud orchestrates AWS KMS for this, and KMS in turn provides this control; the control is inherited from AWS.

Transport Encryption (Requirement 4)
PCI DSS Requirements v3.2.1 / DuploCloud Implementation
Requirement 4: Encrypt transmission of cardholder data across open, public networks

1. 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Examples of open, public networks include but are not limited to:
• The Internet
• Wireless technologies, including 802.11 and Bluetooth
• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
• General Packet Radio Service (GPRS)
• Satellite communications
DuploCloud implementation: In the secure infrastructure blueprint, Application Load Balancers with HTTPS listeners are used. HTTP listeners are redirected to HTTPS. The latest ciphers are used in the LB automatically by the DuploCloud software.

Access Control (Requirements 7 & 8)
PCI DSS Requirements v3.2.1 / DuploCloud Implementation
Requirement 7: Restrict access to cardholder data by business need to know

1. 7.1.1 Define access needs for each role, including:
• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources
DuploCloud implementation: The DuploCloud tenant model has access controls built in. This allows access to various tenants based on the user's roles. This access control mechanism automatically integrates into the VPN client as well, i.e., each user has a static IP in the VPN and, based on their tenant access, that IP is added to the respective tenant's SG in AWS. Tenant access policies automatically apply an SG- or IAM-based policy in AWS, depending on the resource type.

7.2 Establish an access control system(s) for system components that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed. This access control system(s) must include the following:
DuploCloud implementation: User access to the AWS console is granted based on tenant permissions and least privilege, using a just-in-time federated token that expires in less than an hour. Admins have privileged access; read-only user is another role.

2. 7.2.1 Coverage of all system components.
DuploCloud implementation: AWS resource access is controlled based on IAM role, SG and static VPN client IPs, all of which are implicitly orchestrated and kept up to date.
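The tenant boundary described in rows 7.1.1 and 7.2.1 above (one SG per tenant, deny by default, ingress only from the tenant's load balancer and from the static VPN client addresses of users granted that tenant) can be audited directly from the output of `aws ec2 describe-security-groups`. The following is an added example written for this guide, not DuploCloud or ArmorerLink code; the group ids, ports and addresses are constructed sample data, and the VPN client list and the port the VPN rules apply to are assumptions.

```python
"""Audit tenant security groups against the deny-by-default tenant model.

Added example (not DuploCloud or ArmorerLink code). Input dicts have the
shape returned by `aws ec2 describe-security-groups`. Policy checked:
  - a tenant SG accepts ingress only from itself, from the tenant's LB
    SG(s), or from approved VPN client /32 addresses;
  - an LB SG is open to 0.0.0.0/0 only on the exposed public ports;
  - VPN client rules are reconciled against the users who currently
    hold tenant access (revoked users lose their /32 rule).
All ids, ports and addresses below are constructed.
"""
from ipaddress import ip_network


def _port_label(perm):
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_tenant_sg(sg, lb_sg_ids, vpn_client_ips):
    """Return findings for ingress a tenant SG should not carry."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        label = _port_label(perm)
        if perm.get("IpProtocol") == "-1":
            findings.append(f"{sg['GroupId']}: all-protocol ingress rule present")
        for rng in perm.get("IpRanges", []):
            net = ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen != 32 or str(net.network_address) not in vpn_client_ips:
                findings.append(f"{sg['GroupId']}: {label} from {rng['CidrIp']} "
                                "is not an approved VPN client /32")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair["GroupId"]
            if src != sg["GroupId"] and src not in lb_sg_ids:
                findings.append(f"{sg['GroupId']}: {label} from unexpected group {src}")
        if perm.get("Ipv6Ranges") or perm.get("PrefixListIds"):
            findings.append(f"{sg['GroupId']}: {label} has IPv6/prefix-list sources "
                            "that the tenant model never grants")
    return findings


def audit_lb_sg(sg, public_ports=(80, 443)):
    """An LB SG may be reachable from the Internet only on the exposed ports."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        single_port = perm.get("FromPort") == perm.get("ToPort")
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == "0.0.0.0/0" and not (single_port and perm.get("FromPort") in public_ports):
                findings.append(f"{sg['GroupId']}: {_port_label(perm)} open to 0.0.0.0/0")
    return findings


def reconcile_vpn_rules(sg, desired_client_ips, port, protocol="tcp"):
    """Diff the SG's /32 rules on `port` against users who currently hold tenant access.

    Returns (to_authorize, to_revoke) as lists of CIDRs. Revoking on user
    removal is what makes VPN-side deprovisioning effective at the AWS layer.
    """
    present = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == protocol and perm.get("FromPort") == port == perm.get("ToPort"):
            for rng in perm.get("IpRanges", []):
                present.add(rng["CidrIp"])
    desired = {f"{ip}/32" for ip in desired_client_ips}
    return sorted(desired - present), sorted(present - desired)


# Constructed sample: an LB SG with SSH mistakenly exposed, and a tenant SG
# with one stale VPN client rule and one over-broad database rule.
LB_SG = {"GroupId": "sg-lb0001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
TENANT_SG = {"GroupId": "sg-tenant01", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-lb0001"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.8.0.5/32"}, {"CidrIp": "10.8.0.9/32"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
CURRENT_VPN_CLIENTS = {"10.8.0.5"}  # 10.8.0.9 belonged to a user whose access was revoked


def run_sample():
    """Run all three checks on the constructed sample and return the results."""
    return {
        "lb": audit_lb_sg(LB_SG),
        "tenant": audit_tenant_sg(TENANT_SG, {"sg-lb0001"}, CURRENT_VPN_CLIENTS),
        "vpn": reconcile_vpn_rules(TENANT_SG, CURRENT_VPN_CLIENTS | {"10.8.0.12"}, 22),
    }


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result)
```

On the sample, the LB audit flags port 22, the tenant audit flags the stale 10.8.0.9/32 rule and the 10.0.0.0/8 database rule, and the reconciliation returns the new user's /32 to authorize and the revoked user's /32 to revoke.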
3. 7.2.3 Default deny-all setting.
DuploCloud implementation: This is the default DuploCloud implementation of SGs and IAM roles in AWS.

Requirement 8: Identify and authenticate access to system components

4. 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. From there a federated login is done for AWS resource access.

5. 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
DuploCloud implementation: This is done at the infrastructure level in the DuploCloud portal using single sign-on.

6. 8.1.3 Immediately revoke access for any terminated users.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. Even if the user has a private key to a VM, they cannot connect once the VPN is deprovisioned.

7. 8.1.4 Remove/disable inactive user accounts within 90 days.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. The moment the email is disabled, all access is revoked. Even if the user has a private key to a VM, they cannot connect because the VPN will be deprovisioned.

8. 8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.
DuploCloud implementation: DuploCloud integrates by calling the STS API to provide a JIT token and URL.

9. 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. When DuploCloud-managed OpenVPN is used, it is set up to lock the user out after failed attempts.

10. 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. When DuploCloud-managed OpenVPN is used, it is set up to lock the user out after failed attempts. In OpenVPN an admin has to unlock the user.

11. 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
DuploCloud implementation: DuploCloud single sign-on has a configurable timeout. For AWS resource access, JIT access is provided.

12. 8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.
DuploCloud implementation: DuploCloud relies on the client's single sign-on / IDP. If the user secures their corporate login using these controls, then by virtue of single sign-on this gets implemented in the infrastructure.

13. 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
DuploCloud implementation: Encryption at rest is done via AWS KMS and in transit via SSL/TLS.

14. 8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal.

15. 8.2.3 Passwords/phrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
DuploCloud implementation: Enforced by AWS and should be enforced by the client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization's IDP.

16. 8.2.4 Change user passwords/passphrases at least every 90 days.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal.

17. 8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
DuploCloud implementation: Enforced by AWS and should be enforced by the client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization's IDP.

18. 8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user and change immediately after the first use.
DuploCloud implementation: Enforced by AWS and should be enforced by the client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization's IDP.

19. 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. OpenVPN has MFA enabled.

20. 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. OpenVPN has MFA enabled.

21. 8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network.
DuploCloud implementation: DuploCloud integrates with the client's IDP, like G Suite and O365, for access to the portal. OpenVPN has MFA enabled.

22. 8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators can directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
DuploCloud implementation: The IAM integration with the database makes SQL connections also via the Instance Profile. For users, individual JIT access is granted that lasts only 15 minutes.

SecOps Controls

Vulnerability Detection (Requirement 6.1)
Agents collect the list of all installed applications and send it to the Wazuh master, which compares it with the global vulnerability database built from public OVAL and CVE repositories. To check the vulnerabilities, go to "Security dashboard > Vulnerabilities". For more information on the implementation, refer to the Wazuh Vulnerability Detection Guide.

[Screenshot: Wazuh Vulnerabilities dashboard for manager duplo-security, last 24 hours, filtered on rule.groups:vulnerability-detector: Critical severity alerts 367, High severity alerts 1929, Medium severity alerts 2657, Low severity alerts 0; panels for most affected agents (duploservices-prod... hosts), alerts by severity over time, and most common CVEs.]
CIS Benchmarks (Requirement 1)
The SIEM provides the Security Configuration Assessment (SCA) module, which scans hosts against hardening and configuration policies such as the CIS benchmarks. To check the SCA report, go to "Security dashboard > Security events" and search for rule.groups:"sca". For more information, refer to the Wazuh SCA documentation.

[Screenshot: SIEM Security events view for manager duplo-security filtered on rule.groups:"sca", 193 hits over 24 hours (Jul 24-25, 2022); sample row: agent duploservices-default-zap-i-031254007dd29e298, rule.description "SCA summary: CIS Benchmark for ... Linux ...: Score less than 50%".]

Cloud Vulnerabilities & Intrusion Detection (Requirement 11.4)
Automation-Platform integrates and orchestrates AWS Inspector, CloudTrail, Trusted Advisor, VPC flow logs and GuardDuty. To view the alerts, go to "SIEM Dashboard > Amazon AWS".
Following is an example of an alert for a break-in attempt into the AWS Console:

[Screenshot: SIEM "Amazon AWS" dashboard for manager duplo-security, last year, filtered on rule.description "ConsoleLogin - Possible breaking attempt"; sources: 1 account, CloudTrail S3 bucket; top rule: "AWS CloudTrail: signin.amazonaws.com - ConsoleLogin - Possible breaking attempt (high number of login attempts)".]

[Screenshot: expanded alert document from the CloudTrail log collected by agent duplo-security. Visible fields: data.aws.eventName ConsoleLogin, data.aws.responseElements.ConsoleLogin Failure, data.aws.sourceIPAddress (external address), data.aws.userAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/81.0.4044.138 Safari/537.36, decoder.name json, rule.description "AWS CloudTrail: signin.amazonaws.com - ConsoleLogin - Possible breaking attempt (high number of login attempts).", rule.groups amazon, aws, aws_cloudtrail, authentication_failures, rule.level 10, rule.mail true, rule.pci_dss 10.2.4, 10.2.5, plus rule.frequency and rule.firedtimes.]

File Integrity Monitoring (Requirement 10.5.5)
Agents on the hosts monitor the key files for any changes, verifying the checksum and attributes of the monitored files. The system check happens every 12 hours. To check the file integrity monitoring, go to "SIEM Dashboard > Integrity Monitoring". For more information, refer to the Wazuh File Integrity Monitoring documentation.

[Screenshot: SIEM Integrity monitoring overview for manager duplo-security, last 24 hours, filtered on rule.groups:syscheck: rule distribution, actions, top 5 users (root), and an alerts summary listing modified files per agent, e.g. /etc/cron.d/awsagent-update and /etc/init.d/awsagent on duploservices-website and duploservices-compliance hosts, and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\... registry keys on Windows hosts.]

Virus Scanning (Requirements 5.1, 5.2 & 5.3)
ClamAV can be used as the virus scanner. Automation-Platform can enable ClamAV deployment on all the hosts. Automation-Platform also makes sure that the ClamAV agent is running and, if it fails, raises a fault in the portal. To view the virus alerts, go to "SIEM Dashboard > Security Events" and add a filter (rule.groups: virus).

[Screenshot: SIEM Security events for manager duplo-security filtered on rule.groups:virus, 1 hit in the last 30 minutes (Jul 25, 2022): agent duploservices-default-host01-i-0900652a2b042ebac, rule.description "ClamAV database update", rule.level 3, rule.id 52507.]

Network Intrusion Detection (Requirement 11.4)
AWS GuardDuty is used as the NIDS processing engine. Further, Suricata can be deployed to analyze the mirrored VPC traffic; it writes its results to files that are collected by the Wazuh SIEM agents and sent to the SIEM master.
To check the network vulnerabilities, go to "SIEM Dashboard > Security Events" and add rule.groups:"suricata" to the search. Refer to AWS Traffic Mirroring and Suricata.

[Screenshot: DuploCloud portal, Tenant DEFAULT, Security > Agents: security agents ossec, ClamAV_v0 and clamav-scanner_v6; monitored hosts duploservices-default-zap-i-031254007dd29e298 (10.220.2.182, Linux) and duploservices-compliance-siem (10.220.52.174, Linux), with last-active timestamps.]

Below is a sample SIEM dashboard with events for "suricata":

[Screenshot: SIEM Security events overview for manager duplo-security filtered on rule.groups:suricata, 926 alerts; panels for top 5 agents, top 5 rule groups and agent status; alerts summary with Suricata signatures such as "ET SCAN Suspicious inbound to mySQL port 3306", "ET CINS Active Threat Intelligence Poor Reputation IP group ...", "ET SCAN Sipvicious Scan", "ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" and "ET POLICY curl User-Agent Outbound", each at rule level 3.]

Inventory Management (Requirement 11)
Automation-Platform can collect and store inventory information from the cloud infrastructure and at the operating-system level from each host. It also has an inventory of all the Docker containers currently running on the server. For cloud inventory, go to "Security > Assets"; for Docker containers, look at "Admin > Metrics"; and for OS-level inventory (installed apps, network configuration, open ports, etc.), go to "SIEM Dashboard > Agents > select an agent > inventory data". For more information, refer to System Inventory.

[Screenshot: SIEM agent inventory for duploservices-default-zap-i-031254007dd29e298: Cores 2, Memory 3872 MB, Arch x86_64, OS Ubuntu 18.04.6 LTS (Bionic Beaver), CPU Intel(R) Xeon(R) Platinum 8259CL @ 2.50GHz, last scan Jul 25, 2022; tables of network interfaces (ens5, docker0), listening ports (tcp 22, 53, 8080, 8443 and several ephemeral ports), network settings (ens5 10.220.x.x/20, docker0 172.17.0.1/16), 611 installed packages and 109 processes.]

Host Intrusion Detection (Requirement 10.6.1)
Agents installed by Automation-Platform combine anomaly- and signature-based technologies to detect intrusions or software misuse. They can also be used to monitor user activities, assess system configuration, and detect vulnerabilities. Below is a sample:

[Screenshot: SIEM host intrusion detection summary for a duploservices agent, alerts grouped by rule.]

Host Anomaly Detection
Anomaly detection refers to the action of finding patterns in the system that do not match the expected behavior. Once malware (e.g., a rootkit) is installed on a system, it modifies the system to hide itself from the user. Although malware uses a variety of techniques to accomplish this, the SIEM uses a broad-spectrum approach to finding anomalous patterns that indicate possible intruders. This includes:
• File integrity monitoring
• Check running processes
• Check hidden ports
• Check unusual files and permissions
• Check hidden files using system calls
• Scan the /dev directory
• Scan network interfaces
• Rootkit checks
For more information refer to Wazuh Anomaly Detection.

** Alert 1460225922.841535: mail - ossec,rootcheck
2027 Feb 15 10:00:42 (localhost) 192.168.1.240->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Process '495' hidden from /proc. Possible kernel level rootkit.
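Alerts like the rootcheck event above reach the SIEM as JSON lines in Wazuh's alerts.json, carrying the rule.level, rule.groups and rule.pci_dss fields visible in the screenshots earlier in this section. The following added example (not Wazuh, DuploCloud or ArmorerLink code) parses such lines, selects those at or above a level threshold of 7, decides which sink each one goes to, and tallies them per PCI DSS requirement. The alert lines are constructed; rule ids other than 510 (rootcheck) and 52507 (ClamAV database update), the agent names and the source address are made up for the example.

```python
"""Route Wazuh alerts by level and summarize them per PCI DSS requirement.

Added example (not Wazuh, DuploCloud or ArmorerLink code). Input is the
JSON-lines format Wazuh writes to alerts.json; only the standard fields
rule.level, rule.id, rule.description, rule.groups, rule.pci_dss,
agent.name and timestamp are used. SAMPLE_ALERTS is constructed data:
rule ids 510 and 52507 appear in the guide, the others are made up.
"""
import json

SAMPLE_ALERTS = """
{"timestamp":"2024-08-14T01:50:12.000+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","groups":["ossec","rootcheck"],"pci_dss":["10.6.1"]},"agent":{"id":"004","name":"duploservices-prod01-host1"},"full_log":"Process '495' hidden from /proc. Possible kernel level rootkit."}
{"timestamp":"2024-08-14T01:51:03.000+0000","rule":{"level":3,"description":"ClamAV database update","id":"52507","groups":["virus","clamd"],"pci_dss":["5.2"]},"agent":{"id":"004","name":"duploservices-prod01-host1"},"full_log":"clamd: Database correctly reloaded"}
{"timestamp":"2024-08-14T01:52:40.000+0000","rule":{"level":10,"description":"AWS CloudTrail: signin.amazonaws.com - ConsoleLogin - Possible breaking attempt (high number of login attempts).","id":"99999","groups":["amazon","aws","aws_cloudtrail","authentication_failures"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"duplo-security"},"data":{"aws":{"sourceIPAddress":"198.51.100.23"}}}
{"timestamp":"2024-08-14T01:53:15.000+0000","rule":{"level":8,"description":"ClamAV: Virus detected","id":"99998","groups":["virus","clamd"],"pci_dss":["5.1","5.2"]},"agent":{"id":"005","name":"duploservices-prod01-host2"},"full_log":"clamd: /tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND"}
this line is not JSON and must be skipped
"""

# Groups whose alerts should also open an incident ticket, not just an email.
INCIDENT_GROUPS = {"virus", "authentication_failures", "rootcheck"}


def parse_alerts(text):
    """Parse JSON-lines alerts; skip blank, truncated or non-JSON lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must not stop the rest of the batch
        if isinstance(alert, dict) and "level" in alert.get("rule", {}):
            alerts.append(alert)
    return alerts


def select_for_notification(alerts, min_level=7):
    """Alerts at or above the configured level (the guide's default is 7)."""
    return [a for a in alerts if int(a["rule"]["level"]) >= min_level]


def route(alert, min_level=7):
    """Sinks for one alert: email above the threshold, plus an incident for
    virus detections, authentication failures and rootkit indicators."""
    level = int(alert["rule"]["level"])
    groups = set(alert["rule"].get("groups", []))
    sinks = []
    if level >= min_level:
        sinks.append("email")
        if groups & INCIDENT_GROUPS:
            sinks.append("incident")
    return sinks


def count_by_pci_requirement(alerts):
    """Tally alerts by the PCI DSS requirement Wazuh tags on the rule."""
    counts = {}
    for a in alerts:
        for req in a["rule"].get("pci_dss", []):
            counts[req] = counts.get(req, 0) + 1
    return dict(sorted(counts.items()))


def format_notification(alert):
    rule = alert["rule"]
    return (f"[{alert['timestamp']}] level {rule['level']} rule {rule['id']} "
            f"agent {alert['agent']['name']}: {rule['description']}")


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in select_for_notification(parsed):
        print(route(a), format_notification(a))
    print(count_by_pci_requirement(select_for_notification(parsed)))
```

On the sample, the level-3 ClamAV database update is dropped, the rootcheck, console-login and virus alerts are emailed and ticketed, and the tally attributes them to requirements 10.6.1, 10.2.4/10.2.5 and 5.1/5.2 respectively.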
Email Alerting
Automation-Platform can extend the SIEM with an alerting module that sends alert notifications to a tool like Sent, or simply notifies using AWS CloudWatch notifications, which in turn send the email alerts. All alerts above a configured level (default is 7) are sent as an email to the configured users.

CloudWatch Email Sample:

ALARM: "i-0a9602ce852f7c7f9-CPUUtilization" in AWS GovCloud (US-West)
From: duploservices-prod01-infra-alerts <no-reply@sns.amazonaws.com>
To: alerts.armorerlink

You are receiving this email because your Amazon CloudWatch Alarm "i-0a9602ce852f7c7f9-CPUUtilization" in the AWS GovCloud (US-West) region has entered the ALARM state, because "Threshold Crossed: 1 out of the last 1 datapoints [62.74179562433298 (14/08/24 01:50:00)] was greater than the threshold [...] datapoint for OK->ALARM transition)." at "Wednesday 14 August, 2024 01:55:40 UTC".

View this alarm in the AWS Management Console:
https://us-gov-west-1.console.amazonaws-us-gov.com/cloudwatch/deeplink.js?region=us-gov-west-1#alarmsV2:alarm/i-0a9602ce852f...

Alarm Details:
Name: i-0a9602ce852f7c7f9-CPUUtilization
Description:
State Change: OK -> ALARM
Reason for State Change: Threshold Crossed: 1 out of the last 1 datapoints [62.74179562433298 (14/08/24 01:50:00)] was greater than the threshold [...] datapoint for OK->ALARM transition).
Timestamp: Wednesday 14 August, 2024 01:55:40 UTC
AWS Account: 019024541289
AlarmArn: arn:aws-us-gov:cloudwatch:us-gov-west-1:019024541289:alarm:i-0a9602ce852f7c7f9-CPUUtilization
Threshold: The alarm is in the ALARM state when the metric is GreaterThanThreshold 50.0 for at least 1 of the last 1 period(s) of 300 seconds.
Monitored Metric:
MetricNamespace: AWS/EC2
MetricName: CPUUtilization
Dimensions: [InstanceId=i-0a9602ce852f7c7f9]
Period: 300 seconds
Statistic: Maximum
Unit: not specified
TreatMissingData: missing

Sentry Notification (if configured):

SENTRY - View on Sentry
New alert from msp-wazuh-poc
ISSUE: ClamAV: Virus detected - duploservice...    May 18, 2020, 2:16:31 p.m. UTC
ID: 2ee1b170f4674f69b22ddeab9def080d
Message: ClamAV: Virus detected - duploservices-dev01-host2-i-4f204087cfb0ad518 - Alert level: 8
Tags: level = info, runtime = CPython 2.7.12, runtime.name = CPython, server-name = duplo-security
You are receiving this email due to matching rules: Send a notification for new issues

Incident Management
Sentry has an integration with Jira. All the events that come to Sentry can be configured to create incidents in Jira. For more information refer to the Sentry Jira Integration.

Control-by-Control PCI Implementation Detail
PCI DSS Requirements v3.2.1 / DuploCloud Implementation

1. 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
DuploCloud implementation: Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant, which is a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an LB.

2. 1.1.5 Description of groups, roles, and responsibilities for management of network components.
DuploCloud implementation: DuploCloud overlays logical constructs of Tenant and Infrastructure that represent an application. Within a tenant there are concepts of services. All resources within the tenant are by default labeled in the cloud with the Tenant name. Further, the automation allows the user to set any tag at a tenant level, and that is automatically propagated to AWS artifacts. The system is always kept in sync with background threads.

3. 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
DuploCloud implementation: Infrastructure is split into public and private subnets. Dev, stage and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant, which is a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an LB.

4. 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
DuploCloud implementation: Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant, which is a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an ELB.

5. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
DuploCloud implementation: Infrastructure is split into public and private subnets. Dev, stage and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant, which is a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an ELB.

6. 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
DuploCloud implementation: By default, all outbound traffic uses a NAT Gateway. Additional subnet ACLs can be put in place, if needed. Nodes in the private subnets can only go outside via a NAT Gateway.

7. 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
DuploCloud implementation: Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant, which is a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an LB. The application is split into multiple tenants, with each tenant having all private resources in a private subnet. An example implementation would be all data stores in one tenant and the frontend UI in a different tenant.

8. 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
DuploCloud implementation: Use private subnets and private Route 53 hosted zones.

9. 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
DuploCloud implementation: Usage of a rules-based approach makes the configuration error-free, consistent and documented. Further documentation is to be completed by the client during the blueprinting process.

10. 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
DuploCloud implementation: DuploCloud enables user-specified password or random password generation options. User access is managed in such a way that all end-user access is via single sign-on and passwordless. Even access to the AWS console is done by generating a federated console URL that has a validity of less than an hour. The system enables operations with minimal user accounts, as most access is JIT.

11. 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
DuploCloud implementation: DuploCloud orchestrates Kubernetes node selectors for this. Non-container workloads are also supported, with labeling of VMs, so the automation can meet these controls for them as well. For example, one can install Wazuh in one VM, Suricata in another and Elastic Search in another.

12. 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
DuploCloud implementation: By default, no traffic is allowed inside a tenant boundary unless exposed via an LB. DuploCloud allows automated configuration of desired inter-tenant access without users needing to manually write scripts. Further, as the environment changes dynamically, DuploCloud keeps these configs in sync. DuploCloud also reconciles any orphan resources in the system and cleans them up; this includes docker containers, VMs, LBs, keys, S3 buckets and various other resources.
2.2.3 Implement additional DC gets certificates from Cert-Manager and security features for any required automates SSL termination in the LB. services, protocols, or daemons that are insecure. Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed. 14. 2.2.4 Configure system security IAM configuration and policies in AWS that implement parameters to prevent misuse. separation of duties and least privilege, S3 bucket policies. Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS per tenant. By default, no access is allowed to the tenant unless specific ports are exposed via LB. The application is split into multiple tenants with each tenant having all private resources in a private subnet. An example implementation would be all data stores Page 39 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 are in one tenant and frontend UI is in a different tenant. 15. 2.2.5 Remove all unnecessary DuploCloud reconciles any orphan resources in the functionality, such as scripts, system against the user specifications in its database drivers, features, subsystems, file and cleans them up, this includes docker containers, systems, and unnecessary web VMs, LBs, keys, S3 buckets and various other servers. resources. All resources specified by the user in the database are tracked and audited every 30 seconds. 16. 2.3 Encrypt all non-console SSL LB and VPN connections are orchestrated. administrative access using DuploCloud automates OpenVPN P2S VPN user strong cryptography. 
management by integrating it with user's single sign on i.e., when a user's email is revoked from DuploCloud portal, it is cleaned up automatically from the VPN server. 17. 2.4 Maintain an inventory of All resources are stored in DB, tracked, and audited. system components that are in The software has an inventory of resources that can scope for PCI DSS. be exported. Requirement 3: Protect stored cardholder data 18. 3.4.1 If disk encryption is used DuploCloud orchestrates AWS KMS per tenant to (rather than file- or column-level encrypt various AWS resource in that tenant like DBs, database encryption), logical S3, Elastic Search, REDIS etc. Access to the keys is access must be managed granted only to the instance profile w/o any user separately and independently of accounts or keys. By default, DuploCloud creates a native operating system common key per deployment but allows ability to have authentication and access control one key per tenant. mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements. 19. 3.5.2 Restrict access to DuploCloud orchestrates AWS KMS per tenant to cryptographic keys to the fewest encrypt various AWS resource in that tenant like DBs, number of custodians necessary. S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile without any user accounts or keys. By default, DuploCloud creates a Page 40 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 common key per deployment but allows ability to have one key per tenant. 20. 3.5.3 Store secret and private DuploCloud orchestrates AWS KMS for this and that keys used to encrypt/decrypt in turns provides this control that is inherited. 
cardholder data in one (or more) of the following forms at all times: • Encrypted with a key-encrypting key that is at least as strong as the data encrypting key, and that is stored separately from the data-encrypting key • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of- interaction device) •As at least two full-length key components or key shares, in accordance with an industry accepted method Note: It is not required that public keys be stored in one of these forms. Requirement 4: Encrypt transmission of cardholder data across open, public networks 21. 4.1 Use strong cryptography and In the secure infrastructure blueprint, Application Load security protocols to safeguard Balancers with HTTPS listeners are used. HTTP sensitive cardholder data during listeners forwarded to HTTPS. The latest cipher is transmission over open, public used in the LB automatically by the DuploCloud networks, including the following: software. • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use. Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed. Examples of open, public networks include but are not limited to: • The Internet Page 41 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 • Wireless technologies, including 802.11 and Bluetooth • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) • General Packet Radio Service (GPRS) • Satellite communications Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs 22. 5.1.1 Ensure that all anti-virus DuploCloud enables ClamAV deployment via agent programs are capable of modules and alerts are collected in Wazuh. 
detecting, removing, and protecting against all known types of malicious software. 23. 5.1.2 For systems considered to DuploCloud agent modules can be enabled. be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 24. 5.2 Ensure that all anti-virus DuploCloud enables ClamAV deployment via agent mechanisms are maintained as modules and alerts are collected in Wazuh. follows: •Are kept current, • Perform periodic scans • Generate audit logs which are retained per PCI DSS Requirement 10.7 25 5.3 Ensure that anti-virus DuploCloud agent modules raise an alert if a service mechanisms are actively running is not running. and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as Page 42 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti- virus protection is not active. Requirement 6: Develop and maintain secure systems and applications 26. 6.1 Establish a process to DuploCloud installs by default Wazuh agent and AWS identify security vulnerabilities, Inspector and any other Agent modules in all VMs using reputable outside sources and keeps them active. In case any node is failing the for security vulnerability auto install DC raises an alarm. In Wazuh the alerts information, and assign a risk are configured and generated. The customer's SOC ranking (for example, as "high," team is engaged to act on the alerts. 
DuploCloud "medium," or"low")to newly team is the second line of defense if the issue cannot discovered security be addressed by client team. vulnerabilities. Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk"to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security Page 43 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data. 27. 6.2 Ensure that all system Patch management is done as part of DuploCloud components and software are SOC offering. protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. 28. 6.3.2 Review custom code prior DuploCloud's Cl/CD offering provides an out-of-box to release to production or integration with SonarQube that can be integrated into customers in order to identify any the pipeline to scan the code. 
potential coding vulnerability (using either manual or automated processes)to include at least the following: • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. • Code reviews ensure code is developed according to secure coding guidelines •Appropriate corrections are implemented prior to release. • Code-review results are reviewed and approved by management prior to release Note: This requirement for code reviews applies to all custom code (both internal and public facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal Page 44 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 personnel or third parties. Public- facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6. Requirement 7: Restrict access to cardholder data by business need to know 29. 7.1.1 Define access needs for The DuploCloud tenant model has access controls each role, including: built in. This allows access to various tenants based • System components and data on the user roles. This access control mechanism resources that each role needs to automatically integrates into the VPN client as well access for their job function i.e., each user has a static IP in the VPN and based • Level of privilege required (for on his tenant access his IP is added to the respective example, user, administrator, tenant's SG in AWS. Tenant access policies will etc.)for accessing resources automatically apply SG or IAM based policy in AWS based on the resource type. 7.2 Establish an access control User access to AWS console is granted based on system(s)for systems tenant permissions and least privilege and a Just in components that restricts access time federated token that expires in less than an hour. 
based on a user's need to know Admins have privileged access and read-only user is and is set to "deny all" unless another role. specifically allowed. This access control system(s) must include the following 30. 7.2.1 Coverage of all system AWS resource access is controlled based on IAM components. role, SG and static VPN client Ips that are all implicitly orchestrated and kept up to date. 31. 7.2.3 Default deny-all setting. This is the default DuploCloud implementation of SG and IAM roles in AWS. Requirement 8: Identify and authenticate access to system components 32. 8.1.1 Assign all users a unique DuploCloud integrates with client's IDP like G Suite ID before allowing them to and 0365 for access to the portal. From there a access system components or federated logic is done for AWS resource access. cardholder data. 33. 8.1.2 Control addition, deletion, This is done at infra level in DuploCloud portal using and modification of user IDs, single sign on. credentials, and other identifier objects. Page 45 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 34. 8.1.3 Immediately revoke access DuploCloud integrates with client's IDP like G Suite for any terminated users. and 0365 for access to the portal. The moment the email is disabled all access is revoked. Even if the user has a private key to a VM even then he cannot connect because VPN will be deprovisioned. 35. 8.1.4 Remove/disable inactive DuploCloud integrates with client's IDP like G Suite user accounts within 90 days. and 0365 for access to the portal. The moment the email is disabled all access is revoke. Even if the user has a private key to a VM even then he cannot connect because VPN will be deprovisioned. 36. 8.1.5 Manage IDs used by third DuploCloud integrates by calling STS API to provide parties to access, support, or JIT token and URL maintain system components via remote access as follows: • Enabled only during the time period needed and disabled when not in use. 
• Monitored when in use. 37. 8.1.6 Limit repeated access DuploCloud integrates with client's IDP like G Suite attempts by locking out the user and 0365 for access to the portal. When DuploCloud ID after not more than six managed OpenVPN is used it is setup to lock the user attempts. out after failed attempts. 38. 8.1.7 Set the lockout duration to DuploCloud integrates with client's IDP like G Suite a minimum of 30 minutes or until and 0365 for access to the portal. When DuploCloud an administrator enables the user managed OpenVPN is used it is setup to lock the user ID. out after failed attempts. In Open VPN an admin must unlock the user. 39. 8.1.8 If a session has been idle DuploCloud single sign on has configurable timeout. for more than 15 minutes, require For AWS resource access JIT access is provided. the user to re-authenticate to re- activate the terminal or session. 40. 8.2 In addition to assigning a DuploCloud relies on the client's single sign on / IDP. unique ID, ensure proper user- If the user secures his corporate login using these authentication management for controls, then by virtue of single sign on, this get non-consumer users and implemented in the infrastructure. administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase Page 46 of 69 Armorerl-ink Infrastructure Security Guide Revised 08/14/2024 • Something you have, such as a token device or smart card • Something you are, such as a biometric. 41. 8.2.1 Using strong cryptography, Encryption at REST is done via AWS KMS and in render all authentication transit via SSL. credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 42. 8.2.2 Verify user identity before DuploCloud integrates with client's IDP like G Suite modifying any authentication and 0365 for access to the portal. 
credential—for example, performing password resets, provisioning new tokens, or generating new keys. 43. 8.2.3 Passwords/phrases must Enforced by AWS and should be enforced by client's meet the following: IDP. DuploCloud integrates with the IDP. The control • Require a minimum length of at should be implemented by the organization IDP. least seven characters. • Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above. 44. 8.2.4 Change user DuploCloud integrates with client's IDP like G Suite passwords/passphrases at least and 0365 for access to the portal. every 90 days. 45. 8.2.5 Do not allow an individual Enforced by AWS and should be enforced by client's to submit a new IDP. DuploCloud integrates with the IDP. The control password/phrase that is the should be implemented by the organization IDP. same as any of the last four passwords/phrases he or she has used. 46. 8.2.6 Set passwords/phrases for Enforced by AWS and should be enforced by client's first time use and upon reset to a IDP. DuploCloud integrates with the IDP. The control unique value for each user and should be implemented by the organization IDP. change immediately after the first use. Page 47 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 47. 8.3 Secure all individual non- DuploCloud integrates with client's IDP like G Suite console administrative access and 0365 for access to the portal. Open VPN has and all remote access to the MFA enabled. CDE using multi-factor authentication. Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. 48. 
8.3.1 Incorporate multi-factor DuploCloud integrates with client's IDP like G Suite authentication for all non-console and 0365 for access to the portal. Open VPN has access into the CDE for MFA enabled. personnel with administrative access. 49. 8.3.2 Incorporate multi-factor DuploCloud integrates with client's IDP like G Suite authentication for all remote and 0365 for access to the portal. Open VPN has network access (both user and MFA enabled. administrator and including third- party access for support or maintenance)originating from outside the entity's network. 50. 8.7 All access to any database The IAM integration with database makes SQL containing cardholder data connections also via Instance Profile. For users, (including access by applications, individual JIT access is granted that lasts only 15 administrators, and all other mins. users) is restricted as follows: •All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. •Application IDs for database applications can only be used by the applications (and not by Page 48 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 individual users or other non- application processes) Requirement 10: Track and monitor all access to network resources and cardholder data 51. 10.1 Implement audit trails to link DuploCloud maintains trails in 2 places in addition to all access to system components cloud trail. It logs all write events about infrastructure to each individual user. change in an ELK cluster. Further Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 52. 10.2.1 All individual user Infrastructure updates are audited and stored in ELK. accesses to cardholder data. Access to DB is through JIT access. SSh access to VMs are done via Wazuh syslog collection. 52. 
10.2.2 All actions taken by any Infrastructure updates are audited and stored in ELK. individual with root or Access to DB is through JIT access. SSH access to administrative privileges. VMs are done via Wazuh syslog collection. 53. 10.2.3 Access to all audit trails. Infrastructure updates are audited and stored in ELK. Access to DB is through JIT access. SSH access to VMs are done via Wazuh syslog collection. 54. 10.2.4 Invalid logical access Cloud trails and syslog hold this information which is attempts. stored in the centralized SIEM (Wazuh). 55. 10.2 5 Use of and changes to Infrastructure updates are audited and stored in ELK. identification and authentication Access to DB is through JIT access. SSH access to mechanisms—including but not VMs are done via Wazuh syslog collection. limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges. 56. 10.2.6 Initialization, stopping, or AWS IAM policies prevent start/stop of AWS pausing of the audit logs CloudTrail, S3 bucket policies protect access to log data, alerts are sent if AWS CloudTrail is disabled, AWS Config rule provides monitoring of AWS CloudTrail enabled. 57. 10.2.7 Creation and deletion of DuploCloud maintains trails in 2 places in addition to system level objects cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, Page 49 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 audit and Wazuh agent events are brought together in the Wazuh dashboard. 10.3 Record at least the following audit trail entries for all system components for each event: 58 10.3.1 User identification. DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. 
All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 59. 10.3.2 Type of event. DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 60. 10.3.3 Date and time. DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 61. 10.3.4 Success or failure DuploCloud maintains trails in 2 places in addition to indication. cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 62. 10.3.5 Origination of event. DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 63. 10.3.6 Identity or name of DuploCloud maintains trails in 2 places in addition to affected data, system cloud trail. It logs all write events about infrastructure component, or resource. change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - CloudTrail, audit and Wazuh agent events are brought together in the Wazuh dashboard. Page 50 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 64. 10.4 Using time-synchronization All instances launched in VPC are synced with NTP. 
technology, synchronize all User data is injected for time sync. critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP). 65. 10.4.1 Critical systems have the All instances launched in VPC are synced with NTP correct and consistent time. using user data that is implicitly added. All log data has timestamp provided by NTP. 66. 10.4.3 Time settings are received All instances launched in VPC are synced with AWS from industry-accepted time NTP servers which in turn obtain time from NTP.org. sources. 67. 10.5.1 Limit viewing of audit trails Audit trails views access is part of the DuploCloud to those with a job-related need. Access controls. 68. 10.5.2 Protect audit trail files Cloud trails policies are set in place. Wazuh and ELK from unauthorized modifications. access is limited to admins. 69. 10.5.3 Promptly back up audit This is done automatically by DuploCloud. trail files to a centralized log server or media that is difficult to alter. 70. 10.5.4 Write logs for external- DuploCloud maintains trails in 2 places in addition to facing technologies onto a cloud trail. It logs all write events about infrastructure secure, centralized, internal log change in an ELK cluster. Further, Wazuh agent server or media device. tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard. 71. 10.5.5 Use file integrity Cloud trail data can be stored in a separate AWS monitoring or change-detection account. Wazuh STEM has file integrity monitoring software on logs to ensure that functionality. existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 72. 10.6.1 Review the following at Done by DuploCloud SOC Team. 
least daily: •All security events Page 51 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024 • Logs of all system components that store, process, or transmit CHID and/or SAD • Logs of all critical system components • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.). 73. 10.7 Retain audit trail history for DuploCloud automatically snapshots the SIEM after at least one year, with a the indexes grow beyond a certain size (minimum 3 minimum of three months months) and deletes the index in the running system. immediately available for Any old index can be brought back in a few clicks. analysis (for example, online, The indexes are per day which makes it straight archived, or restorable from forward to meet compliance guidelines like 3 months backup). in this case. Requirement 11: Regularly test security systems and processes 74. 11.2 Run internal and external Offered as part of DuploCloud SOC. network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned, and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. 
Page 52 of 69 ArmorerLink Infrastructure Security Guide Revised 08/14/2024

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.

75. 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
    DuploCloud Implementation: Offered as part of the DuploCloud SOC.

76. 11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
    DuploCloud Implementation: DuploCloud enables WAF rules to mitigate many of these vulnerabilities where changing the application is less viable.

77. 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
    DuploCloud Implementation: DuploCloud orchestrates AWS Traffic Mirroring to send a copy of the traffic at all critical points (tenants) to a Suricata VM. From there the alerts are fetched by Wazuh and displayed in the central dashboard. This provides IDS; if prevention is desired, the Suricata software is enabled in each critical VM, preferably in the AMI (image) itself. The alerts are then fetched by the Wazuh agent and updated in the Wazuh SIEM.

78. 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come preconfigured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
    DuploCloud Implementation: DuploCloud orchestrates installation and update of the Wazuh agent on all servers that are launched. The Wazuh agent then performs FIM and raises alerts. The alerts are first triaged by the client SOC team.

79. 11.5.1 Implement a process to respond to any alerts generated by the change detection solution.
    DuploCloud Implementation: The DuploCloud SOC team receives the email alert and operates as per the defined and approved incident management process.

Control-by-Control HIPAA Implementation Detail
(Each item gives the HIPAA regulation text followed by the DuploCloud implementation.)

1. §164.306(a) Covered entities and business associates must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and (4) Ensure compliance with this subpart by its workforce.
    DuploCloud Implementation: For data at rest, DuploCloud orchestrates KMS keys per tenant to encrypt the AWS resources in that tenant, such as RDS databases, S3, Elasticsearch and Redis. For data in transit, DuploCloud fetches certificates from cert-manager so that all requests can be made over TLS.

2. §164.308(a) A covered entity or business associate must, in accordance with §164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.
    DuploCloud Implementation: Use of a rules-based approach makes the configuration error free, consistent, and documented. In addition, DuploCloud provides audit trails for any change in the system.

3. §164.308(a)(1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
    DuploCloud Implementation: Inherited from AWS.

4. §164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
    DuploCloud Implementation: Use of a rules-based approach makes the configuration error free, consistent, and documented. Further documentation is to be done by the client during the blueprinting process.

5. §164.308(a)(1)(ii)(D) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
    DuploCloud Implementation: DuploCloud maintains audit trails in two places in addition to CloudTrail: it logs all write events for infrastructure changes in an ELK cluster, and the Wazuh agent tracks all activity at the host level. All three sources (CloudTrail, the audit log and Wazuh agent events) are brought together in the Wazuh dashboard.

6. §164.308(a)(3)(i) Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
    DuploCloud Implementation: DuploCloud automation introduces the concept of a tenant, a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM role and instance profile per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an ELB.

7. §164.308(a)(5)(ii)(C) Procedures for monitoring log-in attempts and reporting discrepancies.
    DuploCloud Implementation: DuploCloud maintains audit trails in two places in addition to CloudTrail: it logs all write events for infrastructure changes in an ELK cluster, and the Wazuh agent tracks all activity at the host level. All three sources (CloudTrail, the audit log and Wazuh agent events) are brought together in the Wazuh dashboard.

8. §164.308(a)(5)(ii)(D) Procedures for creating, changing, and safeguarding passwords.
    DuploCloud Implementation: DuploCloud offers user-specified or randomly generated passwords. User access is managed so that all end-user access is via single sign-on and passwordless. Even access to the AWS console is done by generating a federated console URL that is valid for less than an hour. The system operates with minimal user accounts, as most access is just-in-time (JIT).

9. §164.308(a)(6)(i) Implement policies and procedures to address security incidents.
    DuploCloud Implementation: DuploCloud orchestrates Wazuh as the SIEM. Wazuh agents are automatically installed on the hosts and integrated with services such as CloudWatch, CloudTrail, Inspector and Suricata, which collect the vulnerabilities; all of them can be viewed on one page.

10. §164.308(a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
    DuploCloud Implementation: DuploCloud orchestrates Wazuh as the SIEM. Wazuh agents are automatically installed on the hosts and integrated with services such as CloudWatch, CloudTrail, Inspector and Suricata, which collect the vulnerabilities; all of them can be viewed on one page.

11. §164.308(a)(7)(i) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (as one illustrative example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
    DuploCloud Implementation: DuploCloud infrastructure is created across two or more availability zones. This alternate storage and processing capability dynamically provides transfer and resumption of system operation in times of failure.

12. §164.308(a)(7)(ii)(A) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
    DuploCloud Implementation: Inherited from AWS.

13. §164.308(a)(7)(ii)(B) Establish (and implement as needed) procedures to restore any loss of data.
    DuploCloud Implementation: DuploCloud automation includes DR and BCP, including data backups for services such as S3, EBS and RDS. The automation supports multiple regions, with the platform deployable in different regions as BCP needs require. MTTR is minimized by the automation and is typically less than an hour.

14. §164.308(a)(7)(ii)(C) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
    DuploCloud Implementation: DuploCloud infrastructure is created across two or more availability zones. This alternate storage and processing capability dynamically provides transfer and resumption of system operation in times of failure.

15. §164.310(a)(2)(i) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    DuploCloud Implementation: DuploCloud infrastructure is created across two or more availability zones. This alternate storage and processing capability dynamically provides transfer and resumption of system operation in times of failure.

16. §164.310(a)(2)(iii) Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
    DuploCloud Implementation: DuploCloud's single sign-on across the various cloud system accesses enables just-in-time, secure access to software systems. DuploCloud offers user-specified or randomly generated passwords. User access is managed so that all end-user access is via single sign-on and passwordless. Even access to the AWS console is done by generating a federated console URL that is valid for less than an hour. Other systems such as the SIEM, Elasticsearch dashboards for auditors and log viewing are also integrated into the single sign-on.

17. §164.310(d)(2)(iv) Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
    DuploCloud Implementation: Inherited from AWS.

18. §164.312(a)(1) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
    DuploCloud Implementation: The DuploCloud tenant model has access controls built in, allowing access to the various tenants based on user roles. This access control mechanism also integrates automatically with the VPN client: each user has a static IP in the VPN and, based on their tenant access, that IP is added to the respective tenant's SG. Tenant access policies automatically apply an SG-based or IAM-based policy depending on the resource type.

19. §164.312(a)(2)(i) Assign a unique name and/or number for identifying and tracking user identity.
    DuploCloud Implementation: DuploCloud integrates with the client's IdP, such as G Suite or O365, for access to the portal. From there, federated login is used for AWS resource access.

20. §164.312(a)(2)(ii) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
    DuploCloud Implementation: DuploCloud infrastructure is created across two or more availability zones. This alternate storage and processing capability dynamically provides transfer and resumption of system operation in times of failure.

21. §164.312(a)(2)(iii) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    DuploCloud Implementation: Inherited from AWS.

22. §164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
    DuploCloud Implementation: DuploCloud orchestrates KMS keys per tenant to encrypt the AWS resources in that tenant, such as RDS databases, S3, Elasticsearch and Redis. Access to the KMS keys is granted only to the instance profile, without any user accounts or keys. By default, DuploCloud creates a common KMS key per deployment but allows one key per tenant.

23. §164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
    DuploCloud Implementation: DuploCloud maintains audit trails in two places in addition to CloudTrail: it logs all write events for infrastructure changes in an ELK cluster, and the Wazuh agent tracks all activity at the host level. All three sources (CloudTrail, the audit log and Wazuh agent events) are brought together in the Wazuh dashboard.

24. §164.312(c)(1) Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
    DuploCloud Implementation: DuploCloud automation introduces the concept of a tenant, a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM role and instance profile per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an ELB.

25. §164.312(c)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
    DuploCloud Implementation: DuploCloud automation introduces the concept of a tenant, a logical construct above AWS that represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM role and instance profile per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via an ELB.

26. §164.312(e)(1) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
    DuploCloud Implementation: DuploCloud obtains certificates from cert-manager and automates SSL termination at the ELB. In addition, TLS/SSH ports are enforced in the security groups by DuploCloud.

27. §164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
    DuploCloud Implementation: DuploCloud by default orchestrates appropriate services, such as encryption at rest and in transit, to protect data integrity.

28. §164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
    DuploCloud Implementation: DuploCloud orchestrates KMS keys per tenant to encrypt the AWS resources in that tenant, such as RDS databases, S3, Elasticsearch and Redis. Access to the KMS keys is granted only to the instance profile, without any user accounts or keys. By default, DuploCloud creates a common KMS key per deployment but allows one key per tenant.

Dynamic Application Security Testing
ZAP is periodically run to test our application against OWASP vulnerabilities. OWASP ZAP is an open-source web application security scanner intended for both those new to application security and professional penetration testers. ZAP is configured as a proxy for all the URLs of the web application; it then scans and attacks those URLs and generates reports.

[Figure: Browser -> ZAP proxy receives the browser traffic -> ZAP sends the URLs for scanning -> XML/HTML reports]

General Security Controls
Confidentiality Statement
All employees sign a confidentiality non-disclosure agreement. The statement covers general use, security and privacy safeguards, unacceptable use, and enforcement policies.

Background Check
We conduct thorough background checks and evaluate the results to assure that there is no indication that the worker may present a risk for theft of confidential data.
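Added example for the Dynamic Application Security Testing section above (an editor's illustration, not ArmorerLink's or ZAP's own code): what happens after ZAP "generates reports". A periodic scan only helps if its output is acted on, so this block parses a ZAP XML report and decides whether a build passes, ignoring findings ZAP itself marked as false positives and findings on an accepted-risk list. The element names follow ZAP's XML report layout (site/alerts/alertitem with pluginid, riskcode, confidence, cweid and instances/instance/uri); the report embedded below is constructed for the example and is not a real scan result.

```python
"""Gate a build on an OWASP ZAP XML report (added example; the report below
is constructed, and the element names are assumed from ZAP's XML format)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# ZAP confidence codes: 0 = False Positive, 1 = Low, 2 = Medium, 3 = High, 4 = User Confirmed


@dataclass(frozen=True)
class Finding:
    plugin_id: str
    name: str
    risk: int
    confidence: int
    cwe: str
    uris: tuple


def parse_zap_report(xml_text: str) -> list:
    """Flatten every alertitem of every scanned site into Finding records."""
    root = ET.fromstring(xml_text)
    findings = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            uris = tuple(inst.findtext("uri", "") for inst in item.findall("./instances/instance"))
            findings.append(Finding(
                plugin_id=item.findtext("pluginid", ""),
                name=item.findtext("alert") or item.findtext("name", ""),
                risk=int(item.findtext("riskcode", "0")),
                confidence=int(item.findtext("confidence", "0")),
                cwe=item.findtext("cweid", ""),
                uris=uris,
            ))
    return findings


def summarize(findings) -> dict:
    """Count findings per risk name, e.g. {"High": 1, "Medium": 2, "Low": 1}."""
    counts = {}
    for f in findings:
        name = RISK_NAMES.get(f.risk, "Unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts


def gate(findings, min_risk=2, min_confidence=2, accepted=frozenset()):
    """Return (passed, blocking). A finding blocks when its risk and confidence
    both meet the thresholds and its plugin id is not on the accepted-risk list,
    so a confidence-0 ('False Positive') alert never blocks."""
    blocking = [
        f for f in findings
        if f.risk >= min_risk and f.confidence >= min_confidence and f.plugin_id not in accepted
    ]
    return (not blocking, blocking)


# Constructed sample report: one High (SQLi), two Medium (one marked false positive), one Low.
SAMPLE_REPORT = """<OWASPZAPReport version="2.14.0" generated="Wed, 14 Aug 2024 10:00:00">
<site name="https://app.example.test" host="app.example.test" port="443" ssl="true">
<alerts>
<alertitem><pluginid>40018</pluginid><alert>SQL Injection</alert><riskcode>3</riskcode><confidence>2</confidence><cweid>89</cweid>
<instances><instance><uri>https://app.example.test/search?q=1</uri><method>GET</method><param>q</param></instance></instances></alertitem>
<alertitem><pluginid>10038</pluginid><alert>Content Security Policy (CSP) Header Not Set</alert><riskcode>2</riskcode><confidence>3</confidence><cweid>693</cweid>
<instances><instance><uri>https://app.example.test/</uri><method>GET</method></instance>
<instance><uri>https://app.example.test/login</uri><method>GET</method></instance></instances></alertitem>
<alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert><riskcode>1</riskcode><confidence>2</confidence><cweid>693</cweid>
<instances><instance><uri>https://app.example.test/</uri><method>GET</method></instance></instances></alertitem>
<alertitem><pluginid>90022</pluginid><alert>Application Error Disclosure</alert><riskcode>2</riskcode><confidence>0</confidence><cweid>200</cweid>
<instances><instance><uri>https://app.example.test/health</uri><method>GET</method></instance></instances></alertitem>
</alerts>
</site>
</OWASPZAPReport>"""


if __name__ == "__main__":
    found = parse_zap_report(SAMPLE_REPORT)
    ok, blocking = gate(found, accepted=frozenset({"10038"}))  # CSP finding accepted as a known risk
    print(summarize(found))
    for f in blocking:
        print(f"BLOCK {RISK_NAMES[f.risk]} {f.name} (plugin {f.plugin_id}, CWE-{f.cwe}) at {', '.join(f.uris)}")
    raise SystemExit(0 if ok else 1)
```

Run as a script it exits non-zero on the SQL injection finding, which is the behaviour a CI job wants; the accepted-risk list is the place to park findings that were reviewed and risk-accepted, rather than lowering the threshold for everyone.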
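Added example of the change-detection control in rows 11.5 and 11.5.1 of the PCI DSS table and §164.312(c)(2) of the HIPAA table above (an editor's illustration, not ArmorerLink's or Wazuh's code): a baseline of hashes and permission bits over a defined set of critical files, re-taken on the weekly schedule the requirement names and diffed to produce added/removed/modified alerts. Wazuh's syscheck module does the same at scale; the directory tree, file names and tampering steps here are constructed for the example.

```python
"""Minimal file-integrity monitoring (added example): baseline, re-hash, diff.
The watched paths and the tampering in demo() are constructed for illustration."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus the permission bits: a mode change such as
    a new setuid bit is worth an alert even when the bytes did not change."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path, watched: list) -> dict:
    """Fingerprint every watched path that exists under root. A path that does
    not exist yet is simply absent, so its later creation shows up as 'added'."""
    return {rel: fingerprint(root / rel) for rel in watched if (root / rel).is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' covers content or permission changes."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            rel for rel in both
            if baseline[rel]["sha256"] != current[rel]["sha256"]
            or baseline[rel]["mode"] != current[rel]["mode"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then edit a config file, delete a
    file, change a permission and drop in a new sudoers rule, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "sudoers.d").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "app.cfg").write_text("db_host=10.0.0.5\n")
        watched = ["etc/sshd_config", "etc/passwd", "etc/sudoers.d/ops", "app.cfg"]
        baseline = build_baseline(root, watched)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content change
        (root / "etc" / "passwd").unlink()                                   # deletion
        os.chmod(root / "app.cfg", 0o400)                                    # permission-only change
        (root / "etc" / "sudoers.d" / "ops").write_text("ops ALL=(ALL) NOPASSWD:ALL\n")  # new file

        return compare(baseline, build_baseline(root, watched))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

The baseline must be stored somewhere the monitored host cannot rewrite (the requirement's "alert personnel" only means something if an attacker with root on the box cannot also re-baseline it), which is why agent-based tools ship the snapshot to a central server rather than keeping it beside the files.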
Workstation/Laptop Encryption
All workstations and laptops that process and/or store customer data are encrypted using the Advanced Encryption Standard (AES) with a 128-bit or longer key.

Server Security
Servers containing unencrypted data have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review.

Minimum Necessary
Only the minimum necessary amount of data required to perform necessary business functions is copied, downloaded, or exported.

Removable Media Devices
All electronic files that contain data are encrypted when stored on any removable media or portable devices.

Antivirus Software
All workstations, laptops and other systems that process and/or store data use a comprehensive anti-virus software solution with automatic updates scheduled at least daily.

Patch Management
All workstations, laptops and other systems that process and/or store data have operating system and application security patches applied, with a system reboot if necessary. All applicable patches are installed within 30 days of vendor release.

User IDs and Password Controls
All employees have a unique username. A username is promptly disabled or deleted, or its password changed, upon the transfer or termination of an employee with knowledge of the password. Passwords are not shared, are at least eight characters, are not dictionary words, and are not stored in readable form on the computer. Passwords must be changed every 60 days, and immediately if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard:
• Upper case letters (A-Z)
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)

Escorting Visitors
Visitors are escorted and restricted to the visitor conference room.
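Added example (an editor's illustration, not ArmorerLink's code) implementing the password rules stated in the User IDs and Password Controls section above as a checker: minimum length, three of the four character groups, no dictionary words, and a 60-day maximum age. The dictionary is a constructed eight-word stand-in for a real wordlist, and the leet-speak normalisation is an assumption added so that "P@ssw0rd1!" is still rejected as the dictionary word it is.

```python
"""Password policy checker (added example). DICTIONARY is a constructed
stand-in for a real wordlist; the rules mirror the policy text above."""
import re

MIN_LENGTH = 8
REQUIRED_CLASSES = 3
MAX_AGE_DAYS = 60
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed mini dictionary; a real deployment would load a full wordlist.
DICTIONARY = frozenset({"password", "welcome", "armorer", "firearm", "summer", "dragon", "letmein", "qwerty"})
# Substitutions that attacker wordlists already account for (assumption for the example).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "!": "i"})


def character_classes(password: str) -> set:
    """Names of the character groups present in the password."""
    return {name for name, pattern in CLASSES.items() if pattern.search(password)}


def is_dictionary_word(password: str) -> bool:
    """True for a dictionary word as typed, after stripping trailing digits and
    symbols ("Welcome2024" -> "welcome"), or after undoing leet substitutions
    ("P@ssw0rd1!" -> "password")."""
    lowered = password.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)
    deleeted = re.sub(r"[^a-z]", "", trimmed.translate(LEET))
    return lowered in DICTIONARY or trimmed in DICTIONARY or deleeted in DICTIONARY


def validate(password: str, days_since_change: int) -> list:
    """Return the list of violated rules; an empty list means the password is
    acceptable right now. days_since_change drives the 60-day rotation rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("too_few_classes")
    if is_dictionary_word(password):
        problems.append("dictionary_word")
    if days_since_change > MAX_AGE_DAYS:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for pw, age in [("Tr0ub4dor&3", 10), ("Tr0ub4dor&3", 61), ("P@ssw0rd1!", 0), ("armorer", 0)]:
        print(f"{pw!r} (age {age}d): {validate(pw, age) or 'ok'}")
```

One caveat a practitioner would raise: NIST SP 800-63B no longer recommends composition rules or forced periodic rotation, preferring length plus screening against breached-password lists and rotating only on evidence of compromise; a policy like the one above is still common in contracts, and the checker shows how cheaply the "dictionary word" rule is evaded if the wordlist is small.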
Data Security Management
ArmorerLink has partnered with Amazon Web Services (AWS) for our server infrastructure. Customer data is secured at the AWS data center located at US-GOV-WEST-2. ArmorerLink uses GitLab for version control in the software development life cycle.

Confidentiality
Customer data is considered confidential and is maintained on AWS servers. It is implied through the employment contract that customer data is confidential.

Sanitization
Data is sanitized by deletion and reformatting when no longer needed.

Ownership and Retention
Each customer has their own dedicated database and owns 100% of their data, whether entered by the end user, the agency, or assigned agents. ArmorerLink does not sell customer data nor provide information to third parties other than shipping information. Data is backed up daily and retained for 30 days maximum.

Credit Card Transactions
ArmorerLink is a PCI Level 4 merchant; Level 4 covers merchants that handle fewer than 20,000 e-commerce transactions per year, or that process up to one million transactions through all channels (card present, card not present, e-commerce). Merchants that are deemed to be PCI Level 4 must do the following to be PCI compliant:
1. Complete the appropriate annual PCI Self-Assessment Questionnaire (SAQ).
2. Perform a quarterly external network security scan by an Approved Scanning Vendor (ASV).
3. Complete the Attestation of Compliance (AOC) form.
Note: Discover, American Express, and JCB have no Level 4 merchant designation.
ArmorerLink meets all of these criteria through Clover for all credit card transactions. We do not retain hard copies of credit card information. All data is stored electronically under approved Clover (www.clover.com) security standards. ArmorerLink accepts all major credit cards.
Restoration and Purge Process
To request a data backup restoration or purge, notify support@armorerlink.com; our technical team will make the arrangements to restore or purge the requested data and will notify the customer in writing when completed.

Encryption
Data stored on the servers is encrypted. All data stored in ALFMS is subject to public record requests. AWS Certificate Manager maintains the private key used to create a wildcard SSL certificate that covers all customers. Encryption uses the Advanced Encryption Standard (AES); keys for encryption at rest are managed with AWS Key Management Service (AWS KMS).

System Security Controls
System Timeout
Systems provide an automatic timeout, requiring reauthentication of the user session after 20 minutes of inactivity.

System Logging
Audit trails are date and time stamped, log both successful and failed accesses, are read-only, and are restricted to authorized users. Logging covers all user privilege levels, including but not limited to system administrators. Database logging is enabled, and audit trail data is archived.

Access Controls
Access control for all user authentication enforces the principle of least privilege.

Transmission Encryption
All outsourced data transmissions are encrypted using the Advanced Encryption Standard (AES) with a 128-bit or longer key. Encryption is end-to-end at the network level for any kind of data in motion, such as website access, file transfer, and e-mail.

Intrusion Detection
All systems involved in accessing, holding, transporting, and protecting data that are accessible via the Internet are protected by a comprehensive intrusion detection and prevention solution.

Paper Document Controls
Documents
Paper forms are not left unattended at any time unless locked in a file cabinet, file room, desk, or office. Unattended means that the information is not being observed by an employee authorized to access it. Sensitive papers are never left unattended in vehicles or planes and are never checked in baggage on commercial airplanes.

Confidential Destruction
Confidential documents are disposed of by shredding.

Telecopies
Telecopies (faxes) are not left unattended, and fax machines are kept in a secure area. Telecopies carry a confidentiality statement instructing anyone receiving a message in error to destroy it. Telecopy numbers are verified with the intended recipient before sending.

Mailing
Disks and other transportable media sent through the mail use secure methods: files are encrypted and sent by trackable means.

Audit Controls
System Security Review
All systems processing and/or storing data have an annual system risk assessment/security review, which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews include vulnerability scanning tools.

Log Reviews
All systems processing and/or storing data have a routine procedure in place to review system logs for unauthorized access.

Change Control
All systems processing and/or storing data have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity, and availability of data.

Right to Audit Security
We outsource our data storage and security to Amazon Web Services (AWS) and have our own internal security team. ArmorerLink uses Okta in conjunction with TOTP authenticators and 2FA. ArmorerLink is SOC 2 Type II compliant. A copy of our SOC 2 Type II audit report is made available for review to customers whose subscription includes the ArmorerLink SOC 2 Type II compliance requirement.
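Added example for the System Logging and Log Reviews items above (an editor's illustration, not ArmorerLink's code): a small detector run over authentication log lines of the kind those items say are retained, which is what a "routine procedure to review system logs for unauthorized access" looks like when automated. The line format (timestamp, host, FAILED/SUCCESS, user=, src=) is an assumption made for the example, and the log lines are constructed; the technique is a sliding window of failed logins per source address, with a second alert when a success follows a burst from the same source.

```python
"""Log review detector (added example). SAMPLE_LOG and its line format are
constructed for illustration, not taken from any real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed log: one stale failure, a benign typo-then-success from 198.51.100.4,
# then six failures in under a minute from 203.0.113.9 followed by a success.
SAMPLE_LOG = """\
2024-08-14T01:00:00Z app01 FAILED user=ops src=203.0.113.9
2024-08-14T02:10:01Z app01 FAILED user=jdoe src=198.51.100.4
2024-08-14T02:10:09Z app01 SUCCESS user=jdoe src=198.51.100.4
2024-08-14T02:14:07Z app01 FAILED user=admin src=203.0.113.9
2024-08-14T02:14:12Z app01 FAILED user=root src=203.0.113.9
2024-08-14T02:14:18Z app01 FAILED user=armorer src=203.0.113.9
2024-08-14T02:14:25Z app01 FAILED user=ops src=203.0.113.9
2024-08-14T02:14:31Z app01 FAILED user=ops src=203.0.113.9
2024-08-14T02:14:40Z app01 FAILED user=ops src=203.0.113.9
2024-08-14T02:15:02Z app01 SUCCESS user=ops src=203.0.113.9
"""


def parse(line: str):
    """Parse one line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def review(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Walk the log once, keeping the recent failure timestamps per source.
    Alert when failures from one source reach `threshold` inside `window`
    (once per burst), and again if that source then logs in successfully."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append({
                    "type": "failed_login_burst", "src": ev["src"], "count": threshold,
                    "first": recent[0].isoformat(), "last": ev["ts"].isoformat(),
                })
        elif len(recent) >= threshold:
            alerts.append({
                "type": "success_after_burst", "src": ev["src"],
                "user": ev["user"], "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures alone is background noise on any Internet-facing login page, while a success from the same source within the window is a likely credential compromise and the account named in it should be reviewed immediately.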
Business Continuity / Disaster Recovery Controls
Database Availability
The AWS RDS MySQL database is configured with Multi-AZ so that ArmorerLink continues to function in the event of an AWS availability zone outage.

Disaster Recovery
A documented plan is in place to enable continuation of critical business processes and protection of the security of electronic data in the event of an emergency.

Data Backup Plan
A documented procedure exists to securely back up data and maintain retrievable exact copies of that data. The backups are encrypted, and the plan includes a regular backup schedule and an inventory of backups. The backup schedule is daily, by mirrored servers.

Cyber Insurance Policy
In addition to general liability insurance and workers' compensation insurance, ArmorerLink carries a cyber policy that requires ArmorerLink to meet high standards for security and data management. In addition, we conduct annual audits.

Single Sign-on (SSO) Authentication
We offer single sign-on (SSO) authentication connectivity for Okta and Microsoft Azure AD.

[Screenshot: ArmorerLink login page with "Please enter your officer number" and "Enter your password" fields.]

You can find ArmorerLink on the Okta Integration Network: https://www.okta.com/integrations

[Screenshot: Okta Integration Network listing for ArmorerLink (Okta Verified). The listing states that the integration enables ArmorerLink customers to log in to the ArmorerLink platform using Okta as a single sign-on provider, and that adding the integration enables authentication and provisioning capabilities.]

Compliance Standards
The ArmorerLink hosting platform complies with the following standards, through our business alliances and partners or directly by ArmorerLink:
• ISO/IEC 27001
• ISO 14001
• ISO 9001
• SOC 1 (SSAE 18)
• SOC 2
• SOC 3
• PCI DSS Level 1
• FedRAMP JAB P-ATO
• NIST 800-53
• CJIS
• ITAR
• FIPS 140-2
• HITRUST
• HIPAA
• Privacy Act
• Swiss-US Safe Harbor
• Tech UK Member
• Content Delivery & Security Association (CDSA)
• Underwriters Laboratory (UL)
• ADA/Section 508 and WCAG 2.0 Level AA*
• PCI DSS

* Limited in scope, as the ArmorerLink solution is primarily used by peace officers handling firearms and certain ADA web compliance standards are not applicable.

Personal Identifiable Information (PII)
ArmorerLink complies with the PII programs and policies in effect to ensure compliance with PII requirements and with any supplemented, amended or replaced PII policies. ArmorerLink's policy is to notify customers immediately in writing if at any time ArmorerLink determines that it, or its service providers, are not, or will likely not be, complying with PII requirements.

Terms of Use and Privacy
End users are required to accept the terms of use when first accessing the ALFMS SaaS solution. When the terms and/or privacy policy have been updated, users are notified electronically.

END

CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY): 09/05/2024
THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW.
THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.
IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

PRODUCER: MVW Insurance Inc, 9600 SW Oak Street, Suite 580, Tigard OR 97223
CONTACT NAME: Jessica Douglas
PHONE (A/C, No, Ext): (503) 291-1703
FAX (A/C, No): (503) 291-1487
E-MAIL ADDRESS: Jessica@mvwinsurance.com

INSURED: Ganete Solutions Inc, DBA: ArmorerLink, 6625 SE Wagner Way, STE 352, Gig Harbor WA 98335

INSURER(S) AFFORDING COVERAGE (NAIC #):
INSURER A: Continental Casualty Company (20443)
INSURER B: General Insurance Company of America
INSURER C: At-Bay Insurance Services (5242)
INSURER D: (none)
INSURER E: (none)
INSURER F: (none)

COVERAGES
CERTIFICATE NUMBER: Master Certs
REVISION NUMBER: (none)
THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

COMMERCIAL GENERAL LIABILITY (Occur) - Insurer A - Policy 6021357327 - Eff 12/15/2023, Exp 12/15/2024
  Each Occurrence: $2,000,000
  Damage to Rented Premises (Ea occurrence): $1,000,000
  Med Exp (Any one person): $10,000
  Personal & Adv Injury: $2,000,000
  General Aggregate: $4,000,000 (aggregate limit applies per: Policy)
  Products - Comp/Op Agg: $4,000,000
  Other: Employment Practices: $10,000

AUTOMOBILE LIABILITY (Owned autos only, Hired autos, Non-owned autos) - Insurer B - Policy AZG66322154 - Eff 05/23/2024, Exp 05/23/2025
  Combined Single Limit (Ea accident): $1,000,000
  Bodily Injury (Per person): (blank)
  Bodily Injury (Per accident): (blank)
  Property Damage (Per accident): (blank)

UMBRELLA LIAB / EXCESS LIAB (Occur) - Insurer A - Policy 6081232752 - Eff 12/15/2023, Exp 12/15/2024
  Each Occurrence: $1,000,000
  Aggregate: (blank)
  Retention: $10,000

WORKERS COMPENSATION AND EMPLOYERS' LIABILITY: (not listed)
  Any proprietor/partner/executive officer/member excluded? N/A (Mandatory in NH)
  E.L. Each Accident / E.L. Disease - Ea Employee / E.L. Disease - Policy Limit: (blank)

CYBER LIABILITY / ERRORS & OMISSIONS - Insurer C - Policy 6608504-04 - Eff 03/29/2024, Exp 03/29/2025
  Limit: $2,000,000

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required):
*Coverage Subject to Policy Conditions and Exclusions

CERTIFICATE HOLDER: City of Kent IT Department, 220 Fourth AVE South, Kent WA 98032
CANCELLATION: SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.
AUTHORIZED REPRESENTATIVE: (signed)
© 1988-2015 ACORD CORPORATION. All rights reserved.
ACORD 25 (2016/03) The ACORD name and logo are registered marks of ACORD

MC TO SIGN_ArmorerLink renewal
Final Audit Report 2024-09-10
Created: 2024-09-09
By: Ikhra Mohamed (imohamed@kentwa.gov)
Status: Signed
Transaction ID: CBJCHBCAABAAh5KFLUTpK8gf94vSr5K24GdkCTIwKps6

"MC TO SIGN_ArmorerLink renewal" History
Document created by Ikhra Mohamed (imohamed@kentwa.gov) 2024-09-09 - 11:34:00 PM GMT
Document emailed to Mike Carrington (mcarrington@kentwa.gov) for signature 2024-09-09 - 11:34:15 PM GMT
Document e-signed by Mike Carrington (mcarrington@kentwa.gov) Signature Date: 2024-09-10 - 3:50:08 PM GMT - Time Source: server
Agreement completed. 2024-09-10 - 3:50:08 PM GMT
Powered by Adobe Acrobat Sign