ILAB OPERATIONS SOFTWARE TECHNICAL SECURITY MEASURES

Effective as of October 19, 2018

Scope

The purpose of this document is to outline the strategies and control mechanisms that form the Security Management practices of the iLab Operations Software (“iLab”) service (the “Service”). Additionally, it provides a description of the information security safeguards provided by third-party tools and vendors used by iLab.

Purpose

The purpose of the Security Management practices is to ensure that information stored and accessed through the iLab Service is managed such that:

Approach

Agilent works continuously with researchers, lab-managers and administrators to identify information-security needs, and with experts in the hardware security, application security and network security to update the Service to meet those needs.

Overview

Technical security measures are in place to guard against security threats including:

Agilent takes measures across the three layers of the application framework in order to maximize security precautions:

Hardware Protection

Agilent locates all hardware in SAS 70, Type II certified facilities, which meet the most stringent civilian hardware uptime and security standards. Facilities ensure 24/7 information availability, prevent against unauthorized access to hardware, and provide protection against hardware damage from accidents and natural disasters.

Hosting provider security

Hosting providers maintain SOC Type II certifications. In addition, the implementation of the iLab service on the cloud service provider is reviewed by the Agilent’s ISRM group (Information Security Risk Management) and must meet Agilent’s Cloud Security Standards. These standards define guidelines around firewall implementations, server patching, etc.

Application Protection

The iLab Service is built on an application stack which integrates best-in-class operating systems, database-servers and application-servers. Agilent continuously updates all components of the stack with the latest security patches and releases to prevent unauthorized attempts to gain access or control of the Service.

Authentication

Measures aimed at ensuring that only authorized individuals can access the iLab Service.

Authenticated system access

Accessing the iLab Service requires authentication with a login identifier and password. All login identifiers are unique and all passwords are always encrypted. Agilent logs all successful and failed system login attempts to identify suspicious activity trends.

Strong passwords

The iLab Service requires that all passwords be between 8 and 40 characters long and contain:

Agilent salts and encrypts all stored passwords.

Inactive session termination

In order to mitigate the risk of unauthorized access from a user forgetting to log out of the iLab Service, iLab automatically terminates all sessions after 120 minutes of “inactivity”.

Password expiry

Agilent offers customers the option to define the frequency with which users must change their passwords in order to protect against password guessing, cracking or threat.

Server access

Only registered iLab administrators have access to the iLab database servers, application servers and operating systems with a secure password. In addition, Agilent audits all server access attempts.

Authorization

Measures aimed at ensuring that only authorized users can access specific pieces of information in the iLab Service.

Data partitioning

Users can control access to data at a granular level, including providing access to individual “information assets” such as files, with the ability to specify which other users are allowed to read, modify, and share each information asset. In addition, administrators can control which users have access to project, lab, or department information.

Data validation checks

Agilent tests all user-generated input for malformed input, which prevents unintended code execution and inappropriate access to information in files or databases. We prevent SQL injection and Cross-Site Scripting (XSS) attacks by using parameterized queries, applying stringent data validations and sanitizing all user input before use.

Agilent access to information

All Agilent access to user-generated content is controlled by the following policies and conditions:

Auditing

Auditing User Activity

Agilent maintains detailed logs of access to and modification of all information in the Service. Audit entries capture:

Product development process

Enterprise grade data protection and encryption

Network and Monitoring

Network protection

Multilevel security products from leading security vendors and proven security practices ensure network security.

Monitoring

Agilent has implemented systems to monitor security and immediately alert the iLab team of suspicious activity to allow a response before the first level of defense is breached.

Additionally, the enterprise monitoring application on host machines is configured to alert support staff personnel when pre-defined system thresholds are exceeded that include, but are not limited to, the following: