1) When I create the Admin during setup and use my Active Directory user name as the Admin, will it authenticate using Active Directory? (Meaning that the Mingle Admin account is not a special account within Mingle; it follows the same authentication as all other users.)
Correct. Mingle will authenticate the Mingle Admin using Active Directory.
2) Are user IDs and/or passwords cached anywhere?
No
3) Is account lockout implemented as to limit repeated access attempts?
Mingle does not implement lockout, but as part of Mingle’s most recent security assessment we now enforce a wait period after 10 unsuccessful logins to make brute-force attacks more difficult.
4) Do idle sessions time out?
By default Mingle sessions time out after 4 hours, after which the user must log in again. The timeout period can be changed via a configuration properties file.
5) Is password required to reactivate idle sessions?
Yes
6) Does the application implement encryption of any data elements and files? If YES, indicate encrypted data elements, encryption algorithms and key length.
No. Data elements and files are not encrypted by Mingle.
7) Does the application implement hashing and/or digital signature methods? If YES, indicate integrity-critical data elements, hashing / dsig algorithms and parameters.
No. Mingle can be configured so that it can be accessed only via HTTPS, but there are no other out-of-the-box message verification methods.
8) Does the application log user login attempts? – Yes
If YES, does it log all successful user login attempts? – Yes
If YES, does it log all failed user login attempts? – Yes
Indicate: log location and name (path, db:table, others) – Login attempts are logged in mingle.log
Indicate: log rotation (condition/trigger, number of logs prior to purging) – Log rotation is configurable; logs are rolled over based on a configurable maximum file size and the number of files to retain.
Indicate: log retention (number of days, on-line, off-line) – See above. Log retention depends on the number of files and the file size configured for log rotation.

9) Does the application log data access? – Yes
If YES, does it log read data operations? – Yes
If YES, does it log update data operations? – Yes
If YES, does it log create data operations? – Yes
If YES, does it log delete data operations? – Yes
Indicate: log location and name (path, db:table, others) – Logged in mingle.log
Indicate: log rotation (condition/trigger, number of logs prior to purging) – See above for log rotation answer
Indicate: log retention (number of days, on-line, off-line) – See above for log

10) Does the application log account administration operations? – Yes
If YES, does it log add user / assigned role? – Yes
If YES, does it log remove user / change role? – Yes
If YES, does it log password reset / unlock user? – Yes
If YES, does it log all privileged administrative changes? – Yes
Indicate: log location and name (path, db:table, others) – mingle.log
Indicate: log rotation (condition/trigger, number of logs prior to purging) – See above
Indicate: log retention (number of days, on-line, off-line) – See above
11) Do the user access logs contain the following data elements?

| Data element | Present in user access logs |
| --- | --- |
| UserID | No, but this can be inferred |
| Date and Time of Event | Yes |
| Type of Event | Yes |
| Component Accessed (File, Database, Record) | Yes |
| Access type (READ, WRITE, CREATE, DELETE) | Yes |
| Application / Program / Utilities used | N/A |
| Terminal / desktop identification or other location identifier (IP address) | Yes, via IP |
| Server Name | No |
| Domain Name | No |
| Updates include both “old value” and “new value” | Yes, via Mingle version |
| Report Name or database query command executed | N/A |
| Client Identifier (for shared client systems) | No |
| Sensitive Data Fields (PAN, passwords, pins, PII) | No |
| Unique session identifier | Yes |
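Because Mingle logs every successful and failed login to mingle.log with a timestamp, event type, source IP and session identifier, but does not lock accounts, the operator is the one who has to notice a brute-force attempt and a success that follows one. The script below is an added example, not code from Mingle or this page: it reads login events from a log in a constructed line format (the real mingle.log layout is not documented here and would need to be substituted), keeps a sliding window of failures per source IP, and raises one alert when an IP reaches the same 10-failure threshold at which Mingle starts enforcing its wait period, plus a higher-priority alert when a login from that IP then succeeds. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMPTION: a constructed line format standing in for mingle.log, which this
# page does not specify. Adjust LINE_RE to the real layout before use.
#   "<YYYY-MM-DD HH:MM:SS> <LEVEL> login <success|failure> ip=<addr> session=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ login "
    r"(?P<outcome>success|failure) ip=(?P<ip>\S+) session=(?P<session>\S+)$"
)

# Constructed sample: one stale failure from 203.0.113.7 long before the burst,
# a benign failure-then-success from 198.51.100.5, ten failures from 203.0.113.7
# five seconds apart, an unrelated line, and finally a success from 203.0.113.7.
SAMPLE_LOG = [
    "2024-03-01 08:00:00 INFO login failure ip=203.0.113.7 session=a0",
    "2024-03-01 09:00:00 INFO login failure ip=198.51.100.5 session=b1",
    "2024-03-01 09:00:05 INFO login success ip=198.51.100.5 session=b2",
] + [
    f"2024-03-01 09:10:{5 * i:02d} INFO login failure ip=203.0.113.7 session=a{i + 1}"
    for i in range(10)
] + [
    "2024-03-01 09:10:50 INFO card updated project=demo card=42",
    "2024-03-01 09:11:00 INFO login success ip=203.0.113.7 session=a11",
]


def parse_line(line):
    """Return (timestamp, outcome, ip, session) for a login event, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["outcome"], m["ip"], m["session"]


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Scan login events in order and return a list of alert tuples.

    ("burst", ip, time, failure_count)         -- ip reached `threshold`
                                                   failures within `window`
    ("success_after_burst", ip, time, session) -- a login from that ip then
                                                   succeeded; treat as a likely
                                                   compromised credential
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerted = set()              # ips already reported for the current streak
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # not a login event (or malformed): skip
        ts, outcome, ip, session = event
        failures = recent[ip]
        # Expire failures that fell out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if outcome == "failure":
            failures.append(ts)
            if len(failures) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("burst", ip, ts, len(failures)))
        else:
            if len(failures) >= threshold:
                alerts.append(("success_after_burst", ip, ts, session))
            # A success ends the streak; start counting afresh for this ip.
            failures.clear()
            alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

Run against the sample it reports one `burst` for 203.0.113.7 at the tenth failure and one `success_after_burst` for the login that follows; the 08:00 failure is expired by the five-minute window and does not count, and the benign IP never reaches the threshold. In production, point the loop at the rotated mingle.log files in order and forward the alerts to whatever the operations team already watches; the session identifier in the second alert is what lets an administrator terminate that session.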