Version 1.0
Date of last update: May 2022

Company name (supplier):
Application/Tool name:
Address (supplier):
Name and position of contact (supplier):
Contact (supplier) email:
Cloud service model:

Module ID
1 Cloud Integration
2 Authentication (integration with SSO)
3 Function segregation
4 Administrator accounts
5 Penetration testing
6 Penetration testing
8 Normativity
9 Business continuity plans/SLA
10 Encryption
11 Patch management
12 Audit trails/logs
13 Backups
14 Information deletion

Security controls in applications/tools for third parties

Security control

Possibility of integration with the AWS cloud.

End-user and administrator authentication must be able to integrate with Google SSO (Single Sign-On) or use local
authentication. The password policy must require the following:
-Minimum length of 12 characters.
-At least one lowercase letter.
-At least one uppercase letter.
-At least one number.
-At least one special character.
-Two-factor authentication.
-Change of password every 60 days.
-No reuse of a password that has been used in the last six password changes.
-Blocking of access after three unsuccessful attempts.

*In a local authentication scenario, use a secure password management mechanism: do not store passwords in clear, and
protect them with a cryptographic mechanism as specified in point 10 (Encryption).
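The password rules of this control, as an added Python example (not part of the questionnaire and not the supplier's code): a policy check against the last six stored passwords, the 60-day rotation check, and a three-failure lockout counter. The salted PBKDF2 storage scheme, the function names and the sample inputs are assumptions constructed for the example.

```python
import hashlib
import os
import string

MIN_LENGTH = 12
HISTORY_DEPTH = 6        # a password used in the last six changes is rejected
MAX_AGE_DAYS = 60        # forced change every 60 days
MAX_FAILED_ATTEMPTS = 3  # access is blocked after three failures

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme): the password is never stored in clear."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_matches(password, stored):
    salt, digest = stored
    return hash_password(password, salt)[1] == digest

def policy_violations(candidate, history):
    """Return the names of the rules `candidate` breaks (empty list means compliant).
    `history` holds (salt, digest) pairs of earlier passwords, most recent first."""
    checks = {
        "length": len(candidate) >= MIN_LENGTH,
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
        "reused": not any(password_matches(candidate, h) for h in history[:HISTORY_DEPTH]),
    }
    return [rule for rule, ok in checks.items() if not ok]

def password_expired(age_days):
    # True once the password is older than the 60-day rotation period
    return age_days > MAX_AGE_DAYS

class LoginThrottle:
    """Counts consecutive failed logins per user and blocks the account at the third one."""
    def __init__(self):
        self.failures = {}

    def attempt(self, user, credentials_ok):
        # Returns 'ok', 'failed' or 'blocked'; a blocked user stays blocked until an admin reset
        if self.failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "blocked"
        if credentials_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "blocked" if self.failures[user] >= MAX_FAILED_ATTEMPTS else "failed"
```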

Have a model of segregation of profiles, roles and privileges (no generic accounts).

The application must have the technical capability to integrate its administrator users to an access management vault.

Have internal or external penetration tests performed on the application (using the OWASP Top 10 methodology) and provide
the last two reports.

Have secure code analysis (static and dynamic) performed and provide the last two reports of this analysis.
Have vulnerability assessment reports and vulnerability management reports, and provide the two most recent ones.

Provide evidence of ISO/IEC 27001 certification, current SOC 2 type II report or other security frame of reference.

Provide evidence of the business continuity plans and the levels of service and support provided by the supplier.

Use the necessary encryption mechanisms for each type of information handled in the application (encryption of data in
transit and at rest).

Allowed protocols for network transmission are:
-Transport Layer Security (TLS) v1.2 or higher
-Secure Shell (SSH-2)
-Secure File Transfer Protocol (SFTP)

The following symmetric encryption algorithms are authorized:
-AES (Advanced Encryption Standard) with a key length of at least 256 bits.

The following asymmetric encryption algorithms are allowed:
-RSA with a key length of at least 1024 bits.

The following hash algorithms are allowed:
-SHA-2, SHA-3

The allowed algorithms for key exchange are:
-Diffie-Hellman
-RSA (minimum key of 2048 bits)

*The use of MD5 and Kavak systems is prohibited.

Provide documentation of the procedure for installing updates and/or security patches.

Have logs/audit trails that record at least the following events, with online retention for at least 90 days and backup
retention for at least 365 days:
-Failed/successful logins
-User registration, termination and changes of users
-Privileged transactions

Provide evidence of backup mechanism, retention times and encryption algorithm used for backups.

Indicate the secure deletion mechanisms used for the information, either by contractual agreement or at the customer's
request.

Module | Complies | Status | Evidence reference
1 | Yes | Pending | Not applicable
2 | Yes | In progress | 2. TISPS 10 - Access Management v2022.1.0; 2. Password policy
3 | Yes | In progress | 3. TISPS 10 - Access Management v2022.1.0
4 | Yes | In progress | 4. TISPS 10 - Access Management v2022.1.0
5 | Yes | Closed | 5. Penetration Testing Report - Teleperformance Mexico Domestic 2020; 5. Penetration Testing Report - Teleperformance Mexico Domestic 2021
6 | Yes | In progress | 6. OWASP
8 | Yes | Closed | 8. Certificate ISO 27001_TPNSR 2021_2024; 8. Teleperformance-Domestic-2022-PCI DSS AOC-Final Report
9 | Yes | In progress | 9. TISPS 16 - Business Continuity Management v2022.1.0; 9. BCP_DRP Coyoacan
10 | Yes | In progress | 10. TISPS 04 - Media and Information Handling v2022.1.0
11 | Yes | Pending | 11. GECSP Patch Management Control Document v12
12 | Yes | Closed | 12. TISPS 11 - Logging and Monitoring v2022.1.0; 12. EDR Crowdstrike
13 | Yes | In progress | 13. TISPS 07 - Backups v2022.1.0; 13. TISPS 04 - Media and Information Handling v2022.1.0
14 | Yes | In progress | 13. TISPS 07 - Backups v2022.1.0

Comments

Integration is possible if the necessary security measures are met to be able to connect with the external infrastructure.

Implementation in progress, once the scope is defined, the guidelines established in TISPS 10 - Access Management section
3.1 are followed:
a. Passwords must not be shared with any other person including other members of Teleperformance staff.
b. Passwords must be at least 12 (Privileged Accounts, Service Accounts and encryption key passphrases must be at least 20
characters) upper and lower case, alphanumeric characters.
c. Passwords should not contain common dictionary words, names, commands, sites, location, companies, hardware,
software, birthdays, employee ID, SSN, phone number, pet names, fantasy characters, etc.
d. Passwords must be changed after first logon. This must be forced by automatic means where available.
e. The last 4 passwords cannot be re-used.
f. The password age must be set to at least 1 day.
g. Disable passwords from being stored using reversible encryption.

Implementation in process, once the scope is defined, the guidelines established in TISPS 10 - Access Management are
followed. There is a profiling of operational figures with the criterion of minimum possible access, in accordance with
Teleperformance standards.

Implementation in process, once the scope is defined, the guidelines established in TISPS 10 - Access Management are
followed.

Penetration tests are performed; this evidence is of restricted classification due to the type of information it contains, its
scope and confidentiality with our clients.

Implementation in process, once the scope has been defined, the analysis of the secure code applicable to the applications
to be used in the operation will be carried out.

Teleperformance Mexico Domestic is PCI and ISO/IEC 27001:2013 certified.

Implementation in process, the BCP is documented having the necessary information about the operation such as: scope,
service levels, tools, recovery percentage, scenarios, among other data, following TISPS 16 - Business Continuity
Management.

Implementation in process, the protocols will be applied based on the information management processes that we will have
in the scope.

There is the GECSP Patch Management Control document.

The log retention period established in TISPS 11 - Logging and Monitoring is complied with through the EDR CrowdStrike.

Implementation in process, scope defined; retention periods will follow the guidelines of TISPS 07 - Backups v2022.1.0 and
TISPS 04 - Media and Information Handling v2022.1.0.

Implementation in process, the method and period of elimination must be defined by means of secure deletion such as
Blancco File and Secure Delete.
