Nova Current - Delegation and Policy Control Security Guide

FIPS 140-2 compliance

Nova Delegation & Policy Control cryptographic usage is not based on Azure FIPS 140-2 compliant cryptographic functions. For more information, see: https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations

SDLC and SDL

The Nova Delegation & Policy Control team follows a strict Quality Assurance cycle.

·Access to source control and build systems is protected by domain security, meaning that only employees on Quest’s corporate network have access to these systems. Therefore, should an Nova Delegation & Policy Control developer leave the company, this individual will no longer be able to access Nova Delegation & Policy Control systems

·All code is versioned in source control.

·All product code is reviewed by another developer before check in

In addition, the Nova Delegation & Policy Control Development team follows a managed Security Development Lifecycle (SDL) which includes:

·MS-SDL best practices

·OWASP guidelines

·Regularly scheduled static code analysis is performed on regular basis

·Regularly scheduled vulnerability scanning is performed on regular basis

·Segregated QA, Staging, and Production environments. Customer data is not used in Development and Pre-Production environments

Nova Delegation & Policy Control developers go through the same set of hiring processes and background checks as other Quest employees.

Operational security

Source control and build systems can only be accessed by Quest employees on Quest’s corporate network (domain security.) If a developer (or any other employee with access to Nova Delegation & Policy Control) leaves the company, the individual immediately loses access to the systems.

All code is versioned in source control.

Access to data

Access to Nova Delegation & Policy Control data is restricted to:

·Quest Operations team members

·Particular Quest Support team members working closely with Nova Delegation & Policy Control product issues.

·The Nova Delegation & Policy Control development team to provide support for the product

Access to Nova Delegation & Policy Control data is restricted through the dedicated Microsoft Entra security groups. For different types of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned.