Third-Party Security Controls v1.0
Version 1.0
Date of last update: May 2022
Application/Tool name:
Address (supplier):
Name and position of contact (supplier):
Security controls in applications/tools for third parties

Columns: Module ID | Security control | Comments (supplier response)

1. Cloud Integration
   Comments: Integration is possible if the necessary security measures are met so that a connection can be made with the external infrastructure.

2-3. Authentication (integration with SSO)
   Security control: End-user and administrator authentication must be able to integrate with Google SSO (Single Sign-On) or to use local authentication. The password policy must enforce the following:
   - Minimum length of 12 characters.
   - At least one lowercase letter.
   - At least one uppercase letter.
   - At least one number.
   - At least one special character.
   - Two-factor authentication.
   - Change of password every 60 days.
   - Rejection of any password used in the last six password changes.
   - Blocking of access after three unsuccessful attempts.
   * In a local authentication scenario, use a secure password management mechanism: never store passwords in clear, and use a cryptographic mechanism as provided in point 10.
   Comments: Implementation in progress; once the scope is defined, the guidelines established in TISPS 10 - Access Management section 3.1 are followed:
   a. Passwords must not be shared with any other person, including other members of Teleperformance staff.
   b. Passwords must be at least 12 characters (Privileged Accounts, Service Accounts and encryption key passphrases must be at least 20 characters), using upper and lower case alphanumeric characters.
   c. Passwords should not contain common dictionary words, names, commands, sites, locations, companies, hardware, software, birthdays, employee IDs, SSNs, phone numbers, pet names, fantasy characters, etc.
   d. Passwords must be changed after first logon. This must be forced by automatic means where available.
   e. The last 4 passwords cannot be re-used.
   f. The password age must be set to at least 1 day.
   g. Disable storing passwords using reversible encryption.

4-5. Function segregation / Administrator accounts
   Security control: Have a segregation model of profiles, roles and privileges (no generic accounts).
   Comments: Implementation in process; once the scope is defined, the guidelines established in TISPS 10 - Access Management are followed. Operational roles are profiled with the criterion of minimum possible access, in accordance with Teleperformance standards.
   Security control: The application must have the technical capability to integrate its administrator users with an access management vault.
   Comments: Implementation in process; once the scope is defined, the guidelines established in TISPS 10 - Access Management are followed.

6-7. Penetration testing
   Security control: Have internal or external penetration tests performed on the application (OWASP Top 10 methodology); provide the last two reports.
   Comments: Penetration tests are performed; this evidence has a restricted classification due to the type of information it contains, its scope, and confidentiality with our clients.
   Security control: Have secure code analysis (static and dynamic); provide the last two reports of this analysis.
   Comments: Implementation in process; once the scope has been defined, the secure code analysis applicable to the applications to be used in the operation will be carried out.
   Security control: Have vulnerability assessment reports and vulnerability management reports; provide the two most recent ones.

8-9. Normativity
   Security control: Provide evidence of ISO/IEC 27001 certification, a current SOC 2 Type II report, or another security frame of reference.
   Comments: Teleperformance Mexico Domestic is PCI and ISO/IEC 27001:2013 certified.
   Security control: Provide evidence of the business continuity plans and of the levels of service and support provided by the supplier.
   Comments: Implementation in process; the BCP is documented with the necessary information about the operation, such as scope, service levels, tools, recovery percentage and scenarios, among other data, following TISPS 16 - Business Continuity Management.

10. Encryption
   Security control: Use the encryption mechanisms required for each type of information handled in the application (encryption of data in transit and at rest).
   Comments: Implementation in process; the protocols will be applied based on the information management processes that will be in scope.

11. Patch management
   Security control: Provide documentation of the procedure for installing updates and/or security patches.

12. Audit trails/logs
   Security control: Have logs/audit trails that record at least the following events, retained online for at least 90 days and in backup for at least 365 days:
   - Failed/successful logins
   - User registration, termination and changes to users
   - Privileged transactions
   Comments: The log retention period established in TISPS 11 - Logging and Monitoring is complied with through the CrowdStrike EDR.

13. Backups
   Security control: Provide evidence of the backup mechanism, retention times and the encryption algorithm used for backups.
   Comments: Implementation in process, scope defined; retention periods will follow the guidelines of TISPS 07 - Backups v2022.1.0 and TISPS 04 - Media and Information Handling v2022.1.0.

14. Information deletion
   Security control: Indicate the secure deletion mechanisms used for the information, either by contractual agreement or at the customer's request.
   Comments: Implementation in process; the method and period of deletion must be defined by means of secure deletion tools such as Blancco File and Secure Delete.
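The password requirements of the Authentication control above, written as enforceable code so that a reviewer can see what "minimum length 12, four character classes, six-deep history, 60-day age, lockout after three failures, nothing stored in clear" means in practice. This is an added example, not part of the questionnaire or of the supplier's response. It assumes scrypt (the memory-hard KDF in Python's standard hashlib) as the cryptographic storage mechanism that point 10 leaves open, assumes a blocked account is released only by an administrator (the control does not say how), and leaves SSO and two-factor authentication out because they depend on the identity provider. The account, passwords and clock values are constructed sample data.

```python
"""Password policy, storage and lockout for the local-authentication case.

Added example; scrypt parameters, the administrator-only unlock and the sample
data are assumptions, not taken from the questionnaire.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12                  # minimum length of 12 characters
HISTORY_DEPTH = 6                # reject any of the last six passwords
MAX_AGE = timedelta(days=60)     # change password every 60 days
MAX_FAILED_ATTEMPTS = 3          # block access after three unsuccessful attempts
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # assumed cost parameters (16 MiB)

T0 = datetime(2022, 5, 1, tzinfo=timezone.utc)      # constructed sample clock
ONE_DAY = timedelta(days=1)


def check_policy(password: str) -> list[str]:
    """Return the control requirements the candidate violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def derive(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard KDF output; the password itself is never stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # earlier (salt, digest)
    failed_attempts: int = 0
    locked: bool = False          # cleared only by an administrator (assumption)


def create_account(username: str, password: str, now: datetime) -> Account:
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, derive(password, salt), now)


def set_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply a password change; return the violated requirements (empty on success)."""
    problems = check_policy(new_password)
    # The history check covers the current password plus the previous ones, six in total.
    recent = [(acct.salt, acct.digest)] + acct.history[-(HISTORY_DEPTH - 1):]
    if any(hmac.compare_digest(derive(new_password, s), d) for s, d in recent):
        problems.append(f"used within the last {HISTORY_DEPTH} password changes")
    if problems:
        return problems
    acct.history = (acct.history + [(acct.salt, acct.digest)])[-(HISTORY_DEPTH - 1):]
    acct.salt = os.urandom(16)    # fresh salt per password, so equal passwords never collide
    acct.digest = derive(new_password, acct.salt)
    acct.changed_at = now
    acct.failed_attempts = 0
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired' (correct but older than 60 days), 'denied' or 'locked'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(derive(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.changed_at > MAX_AGE:
        return "expired"          # credentials are right, but a change is forced first
    return "ok"


if __name__ == "__main__":
    acct = create_account("alice", "Correct-Horse-9x", T0)   # constructed sample account
    print(login(acct, "Correct-Horse-9x", T0))
    print(set_password(acct, "Correct-Horse-9x", T0))        # reuse is rejected
    print(login(acct, "Correct-Horse-9x", T0 + 61 * ONE_DAY))
```

Two design points worth checking when a supplier claims compliance: the history check has to compare the candidate against stored hashes (six KDF evaluations, one per remembered salt), which is only possible because the hashes are salted one-way values rather than reversible encryption; and the lockout counter must be reset on a successful login but never by a failed one, otherwise the "three attempts" limit is only a rate limit.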