ARCGIS ONLINE HECVAT LITE V 3.04
HLSY-04
Have your systems and applications had a third party security assessment
completed in the last year?
Yes
Athirdpartyassessmentwascompletedandasummaryoftheresultscanbemade
availableuponrequestunderNDA.
HLSY-05
Do you have policy and procedure, currently implemented, guiding how
security risks are mitigated until patches can be applied?
Yes
InalignmentwithFedRAMPModeraterequirements.
Vendor Answers Additional Information
HLDA-01
Does the environment provide for dedicated sin
le-tenant capabilities? If not,
describe how your product or environment separates data from different
customers
e.
.
lo
icall
h
sicall
sin
le tenanc
multi-tenanc
No
ArcGISOnlineutilizeslogicallyseparateproductionandnon‐production
environments(environmentisnotphysicallyseparate).SeparateSQLAzure
databasestostorehostedfeatureservicedataforeachcustomer'sArcGISOnline
HLDA-02
Is sensitive data encrypted, usin
secure protocols/al
orithms, in transport?
e.
. s
stem-to-client
Yes
ArcGISOnlineprovidesencryptionatRESTwithAES‐256,andencryptionintransit
withHTTPSviaTLS1.2.
HLDA-03
Is sensitive data encrypted, using secure protocols/algorithms, in storage?
(e.g. disk encryption, at-rest, files, and within a running database)
Yes
DataisencryptedatrestwithAES‐256whichisaFIPS140‐2compliantencryption
algorithms.ThisisinalignmentwithFedRAMPTailoredLowrequirements
HLDA-04
Are involatile backup copies made according to pre-defined schedules and
securely stored and protected?
Yes
Esridoesbackup
infrastructuredataandcustomerisresponsibleforbackupoftheir
dataatwhateverfrequencytheydesire.
DataisencryptedatrestwithAES‐256whichisaFIPS140‐2compliantencryption
algorithms.ThisisinalignmentwithFedRAMPTailoredLowrequirements
HLDA-05 Can the Institution extract a full or partial backup of data? Yes
Esriperformsbackupofinfrastructuredataandcustomeris
responsibleforbackup
oftheirdata
HLDA-06
Do you have a media handlin
process, that is documented and currently
implemented that meets established business needs and regulatory
requirements, including end-of-life, repurposing, and data sanitization
r
r
?
Yes
AGOasaSaaSdoesnothandlephysicalmedia.ThisisaresponsibilityoftheCloud
infrastructureProvider(AWSandAzure)
HLDA-07
Does your staff (or third party) have access to Institutional data (e.g.,
financial, PHI or other sensitive information) within the application/system?
Yes
SelectEsrisystemadministraionstaffhavedirectaccesstocustomerdataandtheir
actionsfullylogged.Customerremainsresponsiblefortheirdataandmusthavetheir
own
policiesinplacetoavoidcopyingontoremovablemedia.
Thirdpartycloudproviderswillhavesystemsandproceduresinplacetopreventthis
copying,byrestrictingaccesstodatacentresandnotpermittingremovablemedia
withinthedatacentres.
Vendor Answers Additional Information
HLDC-01
Does your company mana
e the physical data center where the institution's
data will reside
No
ArcGISOnlineutilizedonlyAWSandMSAzuredatacenterslocatedwithintheUS,EU
orAsiaPacificregions.
HLDC-02
Are you
enerally able to accomodate storin
each institution's data within thei
eo
ra
hic re
ion?
Yes
ArcGISOnlinecustomerscanchoosetostoredataintheUS,EUorAsiaPacific
re
ions.
HLDC-03 Does the hosting provider have a SOC 2 Type 2 report available? Yes
SOC2reportsmaybeobtaineddirectlyfromAWSandMSAzure.
HLDC-04 Does your organization have physical security controls and policies in place? Yes
SeeCloudinfrastructureproviderdocumentationforphysicalsecuritycontrols
HLDC-05
Do you have physical access control and video surveillance to prevent/detect
unauthorized access to your data center?
Yes
Cloudinfrastructureproviderphysicalaccessisstrictlycontrolledbothatthe
perimeterandatbuildingingresspointsbyprofessionalsecuritystaffutilizingvideo
surveillance,intrusiondetectionsystems,and
otherelectronicmeans.Authorized
staffmustpasstwo‐factorauthenticationaminimumoftwotimestoaccess
datacenterfloors.Nosubcontractoraccessbe
ondcloud
roviders
Vendor Answers Additional Information
HLNT-01
Do you enforce network se
mentation between trusted and untrusted networks
(i.e., Internet, DMZ, Extranet, etc.)?
Yes
Thecloudinfrastructureprovidersutilizemultipleseparatenetworksegments.This
infrastructureprovidersegmentationhelpstoprovideseparationofcritical,back‐
endserversandstoragedevicesfromthepublic‐facinginterfaces.
FIDP-02
HLNT-02 Are you utilizing a stateful packet inspection (SPI) firewall? Yes
Cloudnativefirewallprotectionsareutilizedwhichprovidestatefulsecuritygroups.
Data
Datacenter
Networking
July 2023 Page 5