OWASP API Security Query

Recently our team reviewed the OWASP Top 10 API security risks and wanted to check whether Genesys Cloud CX has any documentation that lists how Genesys addresses these risks.
I remember Engage used to have documentation on the components that addressed such risks, but can anyone share or explain how to verify and find it for Genesys Cloud CX? The link to the OWASP 2023 list: OWASP Top 10 API Security Risks – 2023 - OWASP API Security Top 10
The Genesys Cloud generic security document (from 2022, hasn't been updated): Genesys Cloud security policy - Genesys Cloud Resource Center

*I am not from a security background, so please pardon me if I mistakenly use the wrong terminology or confuse security standards. We want to confirm whether the Genesys-Salesforce, Genesys-Datagamz and other integrations are impacted by this.

These types of commitments are often in your master services agreement. If you need specific attestations from Genesys, please contact Customer Care or your account manager. They will be able to point you to the relevant sections in your contracts or obtain the necessary statements from our legal team.

Hi Tim,

Thanks for the reply. We did try to contact Genesys Customer Care, but they couldn't share specific information on the OWASP-listed security concerns and how Genesys is managing them.
We will keep an eye on the answers, and on whether we are able to make progress based on the article.

They shared the standard security measures by Genesys mentioned below:

PCI DSS (Payment Card Industry Data Security Standard): This standard applies to all organizations that handle credit card data. If your SaaS application involves payment processing, PCI DSS compliance testing would look for compliance with the security measures recommended by OWASP.

ISO 27001: This is an international standard that provides the framework for an Information Security Management System (ISMS). ISO 27001 compliance testing ensures that your organization has the necessary controls in place to manage information security risks effectively, which would include the security vulnerabilities highlighted by OWASP.

SOC 2 (Service Organization Control 2): SOC 2 is a compliance requirement for SaaS companies that handle customer data. A SOC 2 audit would check if your organization's controls are in line with the Trust Services Criteria, including the security controls that align with the OWASP's Top 10 API Security list.

HIPAA (Health Insurance Portability and Accountability Act): If your SaaS application handles health information, HIPAA compliance testing would check if you follow the necessary security measures to protect sensitive patient health information, which would include measures outlined in the OWASP's Top 10 API Security list.

GDPR (General Data Protection Regulation): If you operate in or serve customers in the European Union, GDPR compliance would apply. It would cover the security of personal data, including measures to ensure API security as highlighted by OWASP.

Cloud Security Alliance (CSA) STAR Certification: The STAR certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 standard together with the CSA Cloud Controls Matrix.

Thanks
MK

Please continue to work with Care on this issue. You may wish to reach out to your account manager for assistance. This is not something we can assist with via the forum.
