POWERFUL TECHNOLOGY SOLUTIONS FOR THE CITY AND PUBLIC WE SERVE
Seattle Information Technology

Vendor: Kronos

Scope: Kronos Workforce Management Software as a Service (SaaS) for web and mobile, with Notifications through Telephony/IVR. The mobile use is an application in the smartphone store (not a responsive web page).

Scope Description: The City of Seattle intends to use Kronos Workforce Central (WFC) and Workforce TeleStaff (WFTS). Telephony/IVR for notifications is provided by a 3rd party SaaS provider known as Aspect/Voxeo. The benefit will initially provide automated scheduling for the Communications Center Unit/911 through Phase 1, broaden the scheduling to the entire Police department through Phase 2, and take the schedules' time to pay through timesheets and exports to the Citywide HRIS system.

Modules Scope, Phase 1 and 2 (Scope ID: WFTS)

Workforce TeleStaff Enterprise (note: Workforce TeleStaff is also referred to as WFTS or Workforce Central TeleStaff)
Core Product: Workforce TeleStaff is a time-tested and proven scheduling, communication, and bidding solution that helps:
- Control costs by allocating overtime fairly; creating impartial schedules based on demand and employee preferences; and reducing overstaffing.
- Minimize compliance risk by incorporating an organization's unique scheduling rules and adhering to the necessary labor laws and union rules.
- Improve workforce productivity with automated position, shift, and vacation bidding that frees supervisors' time and improves employee satisfaction.
Includes Platinum Support. Includes Cloud Hosting for two instances (production and non-production). Includes Cloud Hosting for population (head count). There is no mobile application for Workforce TeleStaff; the web pages are responsive for any device being used.

Workforce TeleStaff Institution Focus
Provides Access Security: Allows two or more Institutions (Seattle PD) to exist in a single database while keeping their people and staffing information separate. License must match Workforce TeleStaff Enterprise.

Workforce TeleStaff Global Access
Provides Web Connectivity: Provides User Access to the application over any Browser on any Device that supports HTML5. License must match Workforce TeleStaff Enterprise.

Workforce TeleStaff Contact Manager
Provides Notifications: Routes Messages from TeleStaff to the appropriate message delivery module (email and/or phone). Contact Manager also ensures that messages are sent out in the priority order established by rules configured in Workforce TeleStaff.

Workforce TeleStaff Bidding
Provides Bidding Function: Automates position, shift, and vacation bidding. Managers can set up online auctions and employees can bid on or choose slots.

Workforce TeleStaff Gateway Manager
Provides Data Integration (one time cost): Gateway Manager is a flexible data integration tool that interfaces TeleStaff with other business applications, such as CAD, RMS, Workforce Timekeeper and Payroll.

3rd party Telephony used in Phase 1 and 2 (Scope ID: IVR)

Workforce IVR or Telephony
Provides Interactive Voice Response (IVR): Cloud Telephony through a 3rd party SaaS provider known as hosted Aspect/Voxeo Prophecy. Kronos treats IVR like any other Kronos software with the same protection. Kronos does not commit to Aspect/Voxeo data security contractually. Links: Privacy Policy

Modules Scope, Phase 3 (Scope ID: WFC)

Workforce Timekeeper
Core Product: Workforce Timekeeper is the key component of the Workforce Central Time and Labor product group and is required for all other products in this category.
It is an automated time and attendance solution that enforces pay and work rules, allows time entry and approval, tracks attendance exceptions, and handles employee inquiries. Includes Cloud Hosting for population (head count).

Workforce Attestation
Workforce Attestation supplements Workforce Timekeeper by adding the capability to require employees to respond to various questions throughout the work day. Customized Approval prompts can also be incorporated for different groups of employees where specific attestation language is required or desired.

Workforce Manager
A Manager license is required for any user authorized to access (view, approve, or modify) another user's time or attendance (leave) records. Examples: Supervisors, Team Leads, Timekeepers, HR, and Payroll staff. Kronos includes a certain number of Manager licenses per 100 users in the Host Base Price. Additional Manager licenses may be purchased at a per-user rate. (Note: Each Manager license user also requires an Employee user license.)

Workforce Employee
Basic time and leave license required for each user. Captures and stores the following for each user: basic schedule (days of week, hours per day, time of day); timesheet entries; leave requests; and leave balances, including forecasting future leave balance. Applies rules to validate time entries and leave requests.

Workforce Absence Manager
Absence Manager automates Leave policies using a combination of the Workforce Accruals, Leave and Attendance modules. Accruals calculates and enforces grant and usage rules for benefited leave. Leave assists with complying with FMLA and OFLA requirements. Attendance is designed to monitor attendance behavior and enforce attendance policies.

Workforce Integration Manager
Workforce Integration Manager is an integrated, web-based, flexible data integration tool that interfaces Kronos products with other business applications such as payroll and human resources.

Mobile Employee
Mobile application that enables employees to submit leave requests, enter timecard/timesheet data and track detailed labor activity.
Mobile Manager
The mobile application which allows users to review and approve timesheets and leave requests from their mobile phone.

Instructions: Specific to the Scope under review, please provide an accurate response to each question in the corresponding column below. Each question's response must cover the entire Scope (noted above); where scope is not covered, this must be specifically identified. For instance, if the Scope has more than one system, service, and/or party, the response should differentiate accordingly, as applicable. Expand on any "Yes/No" answers with sufficient explanation; responses may be expanded on by providing a separate document and/or supporting attachments. Answers indicating that the response is covered by a Service Organization Controls (SOC) Report are not acceptable.

Category: Overall

Question: What is the 3rd party scope for the services contracted?
Response: Kronos manages all aspects of the contracted service except:
- CenturyLink provides the Kronos data center
- Aspect/Voxeo provides the IVR Telephony service
- SWITCH data center provides the Aspect/Voxeo telephony service

Question: What scope is covered by SOC 2 audit reports and what type is the audit report?
Response: Kronos provides American Institute of CPAs (AICPA) Service Organization Control (SOC 1 Type II and SOC 2 Type 2) reports relevant to Security, Availability, and Confidentiality with AT-101 (Attest Engagements). Reports provided include:
- The Kronos infrastructure management: Kronos provides American Institute of CPAs (AICPA) (SOC 1 Type 2) in accordance with the "Statement on Standards for Attestation Engagements (SSAE) No. 16"
- The CenturyLink data center used by Kronos
Answers to questions regarding scope outside of infrastructure are contained in this questionnaire for full scope of solution inclusion.

Category: Organization

1. Please provide and/or describe your IT governance, information security, compliance, privacy, and/or risk management organization, strategy, and policies/procedures. Include a description of applicable organization/personnel responsible for security, risk, compliance, and privacy (roles/responsibilities, number of dedicated employees, qualifications/background, etc.).
Specific Scope as Applicable: WFTS, WFC
Response:
IT Governance: Entity level controls are governed by a Board of Directors and its committees having ultimate responsibility for overseeing the Kronos offering. The Board of Directors is comprised of 8 members, including independent directors, members of Kronos management, and 3 private equity firms that collectively own 100% of the Company. The Board of Directors meets quarterly or as needed to discuss Kronos business. Committees of the Board of Directors include Audit and Compensation Committees. Kronos management presents quarterly reports to Kronos executive management, which includes the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Product Officer (CPO), Chief Service Officer (CSO), and Vice President & Chief Information Officer (CIO). Multiple teams within the Kronos global organization support the systems 24x7x365 from the Chelmsford, Massachusetts and Noida, India facilities. Oversight of the Kronos offerings is monitored by the corporate information security team. Changes are governed by a change management process, which includes:
- A Change Request must be submitted by the requestor and reviewed by a Cloud IT Service Management (ITSM) Change Manager. Change Requests must have required fields populated with data pertinent to the change.
- The requested change must be deployed in a test environment and accepted by the customer before going to Production.
- Change requests are categorized as Standard, Normal, Major, Urgent or Emergency depending on the complexity and impact of the change.
- Customers who are live can request changes by contacting Kronos Global Support. Change requests for customers who are in implementation will be handled by their professional services team.

Information Security: All services contracted are in scope except Aspect/Voxeo telephony. Oversight of the controlled environment is provided by the Information Security Team. The team is led by our Chief Information Security Officer. Each security team member has a role in monitoring compliance for the Kronos Private Cloud (KPC) environment to assist the Chief Information Officer. The Kronos Information Security Team is responsible for Kronos corporate security and the security within the Kronos hosted environments, including the SOC auditing process. The team is comprised of 14 experienced staff with varying levels of certifications, including CISA, CISM, CISSP, CRISC, CGEIT and CISO. The KPC is housed in a CenturyLink colocation cage in a single tenant, SSAE SOC 1 Type 2 compliant and ISO 27001 certified data center. Kronos owns and manages everything from end to end within the cage. The team works in offices behind key-carded access by role, and this is monitored on a quarterly basis for appropriateness of access.

Privacy: The complete Kronos Privacy Policy is found here. The Privacy Policy covers personal information collected; sites, cookies, and similar technologies; online advertising and research; do not track; how we use data; disclosure of personal information; access and control of personal data; exclusions; children; links to other websites; security; changes to privacy policy; contact information; and Privacy Shield, including other compliance mechanisms.

Risk Management Organization: As part of the continuous monitoring program, the corporate information security team conducts annual risk assessments in order to determine whether updates to the information security program are required. The risk assessment enables Kronos to determine if controls are adequately designed to achieve relevant criteria or if new controls are required to be implemented. Kronos understands that without proper business processes, policies, and procedures, efficient operations cannot be maintained. As part of the risk assessment process, Kronos evaluates the type and classification of data that is being stored in the KPC environment, the compliance requirements associated with relevant standards, customer contractual commitments that have been made, and employee responsibilities to implement these components. Kronos examines both internal and external risks, including, but not limited to, consideration of the following areas: software and technology, physical security, logical security, internal/external threat evaluations, and vulnerability assessments. During the analysis of the environment, each team supporting the KPC environment is consulted to determine whether day to day operational processes would continue to support the KPC environment. Where necessary, new business processes and/or controls are deployed, access rights are modified, and/or continuous monitoring is implemented to address changes or new risks. A security committee meets to discuss operating issues in the environment and security concerns reported by employees or customers, and to evaluate business processes. The committee publishes meeting notes and the CSO provides periodic updates to the CIO recapping activities of the group and the status of the continuous monitoring within the environment.
Roles and Responsibilities

Board of Directors
- Holds ultimate responsibility for overseeing all affairs of Kronos offerings

Audit Committee
- Assists the Board of Directors in overseeing the adequacy of the internal audit function and compliance with legal and regulatory matters
- Oversight of the global business conduct
- Oversight of the compliance program
- Selection and appointment of the independent auditors (including evaluation of their qualifications, performance, and independence)

Kronos Executive Management
- Includes the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Product Officer (CPO), Chief Service Officer (CSO), and Vice President & Chief Information Officer (CIO)
- Oversees health and state of security
- Oversees technology
- Meets regularly to discuss business strategy
- Announces corporate success, earnings, and acquisitions
- Communicates through town hall meetings and announcements
- Assesses employee feedback
- Oversees Security Awareness Training; confirms annually
- Oversees the corporate code of ethics & conduct confirmation process annually

CIO
- Overall responsibility for the success of the IT organization

IT Senior Director (Corporate Information Security Officer)
- Overall responsibility for the security, privacy, and risk of IT; reports to the CIO
- Reports Security Committee outcomes

Security Committee
- Meets to discuss operational issues and security concerns reported, and to evaluate business processes
- Reviews controlled processes
- Publishes notes
- Reports to the IT Senior Director (Corporate Information Security Officer)

Corporate Information Security Team
- Monitors compliance for the Kronos environments, assisting the Chief Information Officer (CIO)
- Monitors access changes in the environment, verifying accounts (new, modified, and disabled) are processed properly
- Monitors changes to the environment such as network firewall changes and patching activities
- Attends the Change Advisory Board (CAB) weekly to validate proper change management processes are followed
- Reviews access results quarterly
- Re-directs resources to properly perform the control processes
- Conducts the annual risk assessment to determine required updates to the information security program, covering:
  - Evaluation of type/class of data stored in Kronos systems
  - Compliance requirements
  - Customer contractual commitments
  - Employee responsibilities to implement
  - Internal/external risks including, but not limited to, software and technology, physical security, logical security, internal/external threat evaluations, and vulnerability assessments
  - Business process evaluation to support risk response
  - Access rights modified as necessary
  - Continuous monitoring to address changes or new risks

Kronos Management
- Presents quarterly reports on the health and state of security and technical oversight to Kronos Executive Management
- Provides departmental staff meetings
- Communicates through announcements
- Seeks employee feedback
- Conducts Security Awareness Training; confirms annually
- Conducts corporate code of ethics & conduct confirmations annually

Change Advisory Board (CAB)
- Approves/denies change requests

Change Manager
- Processes change requests
- Ensures change requests follow requirements

Product Engineering Team
- Designs, implements, tests, and delivers features and service releases to the offerings
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Information Technology
- Provides architecture leadership for the underlying infrastructure that processes the subscription services and maintains the continuous monitoring of the system
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Hosting Operations
- Provides architecture leadership
- Responsible for all aspects of running the production data center, including infrastructure, software and applications
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Global Support
- Provides operational and customer management support directly to customers using Workforce Central (WFC)
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Service Delivery
- Provides pre-sales and implementation support to new and existing customers
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Professional Services
- Works directly with the customers to implement and configure the Workforce Central (WFC) application
- Attends annual Security Awareness Training & passes a test assessing level of understanding of data security and privacy protection
- Confirms understanding of code of ethics and conduct annually

Sales, Technical Presales, Sales Operations, Marketing, Human Resources and Finance teams
- Provide overall corporate functions
- Confirm understanding of code of ethics and conduct annually

2. Do you have an individual designated with the responsibility for information security, such as a Chief Information Security Officer? If so, please provide full name with job title and/or role.
Specific Scope as Applicable: WFTS, WFC
Response: Sheila Goodwin, Kronos IT Senior Director (Corporate Information Security Officer)

3. Do you have an individual designated with the responsibility for privacy, such as a Chief Privacy Officer? If so, please provide full name with job title and/or role.
Specific Scope as Applicable: WFTS, WFC
Response: The privacy policy is administered by both Kronos Legal and the Kronos IT Senior Director (Corporate Information Security Officer), Sheila Goodwin.

Category: Compliance and Assurance

4. What applicable certifications, registrations, and/or qualified assessments are current and you maintain for the proposed systems and services, such as:
- accreditation/certification (ISO 27001, others)
- Service Organization Control reports (SOC 2 Type 2)
- CJIS
- Other: (please explain)
Specific Scope as Applicable: WFTS, WFC
Response: The Kronos Private Cloud (KPC) hosts the Workforce TeleStaff and Workforce Central applications. The KPC is housed in a CenturyLink data center colocation cage in a single tenant data center. Kronos owns and manages end to end within the cage. KPC has undergone American Institute of CPAs (AICPA) Statement on Standards for Attestation Engagements audits and passed the Service Organization Control (SOC 1 and SOC 2 Type 2) relevant to security, availability, and confidentiality. Kronos undergoes an annual audit. The Kronos Information Security Policy is comprehensive and aligned with the International Organization for Standardization (ISO) 27001 (information security management). Kronos application development testing is based on Standard 829-2008 (Software and System Test Documentation).
5. For each of the above, please note which proposed products/services are included/covered and how such compliance is assured/validated, such as by a qualified third party. If not currently compliant or if unable to achieve compliance, please explain.
Specific Scope as Applicable: (see response scope specifics)
Response: Based on the response for question 4, the scope covered includes scope IDs WFTS and WFC (Workforce TeleStaff and Workforce Central). For scope ID IVR (Aspect/Voxeo Interactive Voice Response), Aspect does not have audit reports for any Service Organization Control. The data center Aspect/Voxeo uses (SWITCH) undergoes audits for Service Organization Control (SOC 2 Type 2).

6. For each specific scope, please note which proposed products/services are included/covered and how such compliance is assured/validated, such as by a qualified 3rd party. If not currently compliant or if unable to achieve compliance, please explain.
Specific Scope as Applicable: WFTS, WFC
Response: Workforce TeleStaff and Workforce Central are hosted in the same Kronos Private Cloud (KPC) data center co-located cage. In addition, penetration testing occurs on Workforce TeleStaff, Workforce Central, and the Workforce Central Mobile Application (note there is no mobile application for Workforce TeleStaff). Penetration testing occurs annually or as needed for major releases.

7. Are there any parts of the proposed systems and services that are not covered by the compliance and assurance listed for questions 4 and 5 above?
Specific Scope as Applicable: IVR
Response: Interactive Voice Response (IVR) telephony services are *not* in scope with Kronos audit processes. IVR is a 3rd party Software as a Service (SaaS) provider, known as Aspect/Voxeo, and initiates from Kronos Workforce TeleStaff for outbound calling or from the end user for inbound calling.

Outbound functions as:
- Message - Used to send a message.
- Notification - Used to send assignment details for the selected date.
- Roster Alarms - Used to send Roster Alarm details for the selected date.
- Vacancy - Used to fill a vacancy. This option is only enabled for vacant positions and disables all other Outbound types.

Inbound functions as:
- To change, enter a code
- To change, remove a code
- To review your personal calendar
- To check your pick list position
- To review working opportunities
- To change your personal information

Data stored is used for phone message narration or billing purposes. Sensitive data use is indicated below. The Workforce TeleStaff system forces a password reset after 3 attempts.

Data Stored    | Description                      | Use                                        | Example
Employee Name  | Employee Name                    | Narration                                  | Sam Buchanan
Phone Login    | Phone Login                      | Used for employee to identify on the phone | 1234
Caller ID      | Employee preferred contact phone | Used for outbound                          | 999-999-9999
Phone Password | Phone password                   | Password used by employee for access       | ABC321

Category: Policies, Procedures, and Standards

8. Do you have information security policies, procedures, and standards formally established, documented, implemented, and periodically reviewed and approved by an appropriately designated individual or group? Do you have system, service, and/or data integrity and availability policies, procedures, and standards formally established and periodically reviewed, updated, and approved by an appropriately designated individual or group?
Specific Scope as Applicable: WFTS, WFC
Response: Yes, Kronos has security policies, procedures, and standards formally established, documented, implemented, and periodically reviewed. Yes, Kronos has system, service, data integrity and availability policies, procedures, and standards formally established and periodically reviewed and updated.
The Kronos' corporate Information Security Policy is reviewed and approved by Kronos IT Senior Director (Corporate Information Security Officer) and the Chief Information Of?cer (CIO) at least annually. The security escalation policy includes responses to issues presented by customers based on the following factors: likelihood of exploitation, potential for harm, and scope/complexity of the mitigation. Kronos' Information Security Policy is communicated to Kronos employees and contractors through Kronos Security Awareness training and confirmed annually. Kronos conducts annual risk assessments and implements changes as required including procedures through business process to support the changes. Note: Kronos does not share internal cloud operations policies and procedures for security purposes. The Kronos corporate security policy can be viewed upon request. 11 Page POWERFUL TECHNOLOGY SOLUTIONS FOR THE CITY AND PUBLIC WE SERVE Seattle i: Information Technology Category Question Specific Scope as Applicable Response 9. Please indicate the applicable security, system, service, and/or data integrity and availability policies, procedures, and standards established and in place, such as: a. Assigning responsibility and accountability for system and information security; system development, changes, and maintenance; and availability and data integrity b. Ensuring the identification of and compliance with applicable legal and regulatory requirements, internal and external commitments, service level agreements, and other requirements and expectations c. Identifying, documenting, communicating, and enforcing the system availability, service level agreement, and related security requirements of customers and stakeholders d. 
Classifying data based on its criticality and sensitivity and that classi?cation is used to define protection requirements, access rights, and access restrictions, and retention and destruction requirements WFTS WFC Kronos has implemented a range of policies and controls. These include entity-level policies, including hiring, training, change management, incident response, and access control including a continuous monitoring program to assure operating effectiveness. a. Assigning responsibility and accountability for system and information security; system development, changes, and maintenance; and availability and data integrity Responsibility is assigned through the business processes identified to support the Corporate Information Security Policy. b. Ensuring the identification of and compliance with applicable legal and regulatory requirements, internal and external commitments, service level agreements, and other requirements and expectations Annual risk assessments are conducted to ensure controls are defined to reasonably mitigate risks associated with areas of physical access, logical access, security monitoring, confidentiality, availability monitoring and change management. The annual assessment covers classification of data, compliance requirements, customer contractual commitments, employee responsibilities to implement, internal/external risks for software, technology, physical security, logical security, internal/external threat evaluations, and vulnerability assessments. It includes business process to support, access rights modifications, and continuous monitoring. c. Identifying, documenting, communicating, and enforcing the system availability, service level agreement, and related security requirements of customers and stakeholders The Kronos Information Security Policy is comprehensive and aligned with the International Organization for Standardization (ISO) 27001 (information security management). d. 
d. Classifying data based on its criticality and sensitivity, and that classification is used to define protection requirements, access rights, and access restrictions, and retention and destruction requirements
Response: Kronos evaluates the type and classification of data that is being stored on its systems annually through the risk assessment process.

e. Assessing risks, threats, and vulnerabilities on a periodic basis
Response: Kronos conducts a risk assessment annually.

f. Identifying, documenting, and implementing the security requirements of authorized users (such as least-privileged and role-based access)
Response: The Kronos Information Security Policy is developed by the Security Committee, led by the IT Senior Director (Corporate Information Security Officer). Customer data is held in accordance with applicable data protection and other regulations set out in the customer contracts, and access to electronically held customer data is limited on a need-to-know basis. Customer data is held in a SQL database technology and is managed primarily by the Hosting Operations department. Access to customer data is limited to authorized Kronos personnel and is only granted in accordance with the system security administration policies covering role-based access.

g. Adding new users, modifying the access levels of existing users, and revoking user access when no longer needed or appropriate
Response: Frequently, the Information Security Team monitors access changes in the environment to verify that new accounts, modified accounts, and disabled accounts were properly processed. Annually, risk assessments are conducted and access rights are modified as needed, ensuring least-privileged, role-based access is implemented.

h. Providing training, education, awareness, and other resources to support information security and related policies
Response: By policy, Kronos provides training through the Security Awareness Training program. The policy and training define system user responsibilities, which are designed to reasonably protect confidential Kronos and customer information. As part of the on-boarding process, new employees are required to complete the Security Awareness Training within 60 business days from the date of hire. The training is designed to educate the employee on the Kronos Information Security Policy and procedures. The training includes information on how to identify, locate and protect confidential information. Additionally, it includes how the classification of data may require additional safeguards to protect information. Employees are instructed on the requirements to use unique user IDs and passwords to access information, not sharing user account passwords, protecting data during transmission, and protecting system backup media. In addition, the training includes notification to management of any suspected or confirmed information security incident. The employee participates in an online exam to assess their understanding and must receive a passing score in order to be registered as completing the training. Training completion is monitored by the Corporate Information Security Team and non-compliance is reported and communicated.

i. Preventing, detecting, and responding to unauthorized activity and access, tampering, or disruption
Response: Preventing and Detecting: Kronos has deployed multiple layers of security beginning at the system perimeter, including next generation analysis technology, single-purposed International Computer Security Association (ICSA) certified firewalls, next generation technology firewalls protecting the customer environment within the Kronos network, intrusion prevention systems, intrusion detection systems, log monitoring, and anti-virus software. The environment is continuously monitored by Kronos staff. Kronos hires a third party, Works, who provides intelligence-driven security solutions that monitor logs 24x7x365.
Responding: Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

j. Identifying, mitigating, and responding to real or suspected security breaches, policy violations, and other incidents
Response: Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

k. Addressing how reports, complaints, and requests relating to system availability and related security issues are resolved
Response: Regarding communication, internal and external system users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.

l. Testing, evaluating, authorizing, and communicating changes before implementation
Response: Quality Assurance & Testing in the Software Development Lifecycle (SDLC): Each major release and service pack has a formal Quality Test Strategy and Test Plan. These plans are written in conformance with IEEE Standard 829-2008 (Software and System Test Documentation). The Quality Test Strategy outlines the requirements for delivery of a quality product and the Test Plan defines environments, platforms, and test cases for new and existing features. Each team reviews and updates test plans based on user stories. People from cross-functional areas such as support and services also review the user scenarios and test plans so that they can provide feedback and input based on direct customer experience.

During each release cycle, Kronos invites selected customers to participate in pre-release product evaluations where new features are demonstrated for confirmation that the product meets customer expectations of functionality and quality. Feedback from these evaluations is incorporated into the product either ahead of release, in a service pack or, if feature requests are substantial, in the next major release. Testing is accomplished by using a combination of test automation developed over many years of Workforce Management releases and manual tests conducted by test engineers and domain experts. This effort has resulted in hundreds of thousands of test cases for the suite covering the breadth and depth of Workforce Management applications. Automated tests are packaged as unit, functional and suite tests. Each release is ushered through a thorough regression test cycle to ensure new features and defect repairs do not degrade existing functionality and that recidivism is minimized. In addition to engineering-seeded databases and datasets, these regression cycles include use of selected customer databases (which have been purged of sensitive information) that represent all market verticals Kronos supports. All internally discovered and customer-reported defects are tracked in a commercial defect tracking system with a formal workflow and documented defect handling methodology. For each release, the strategies and plans are reviewed for revision and improvement based on the previous release experience.

Release Management: When the release is complete and passes all criteria for release by Engineering, a cross-functional Release Readiness Review team reviews the engineering deliverables and also verifies the readiness of the company as a whole to deliver and support the new release. Executive management approval to ship the release is required at this review meeting. After approval at the Release Readiness Review Meeting, the final releases are made available for electronic access, as well as for media creation for major releases. Each release also ships with release notes that describe product features and enhancements. For major releases, there are also user guides, administrative guides, and installation guides for all products, as well as online Help.

Prior to production: At the completion of the SDLC QA process, Hosting Operations is responsible for completing Quality Assurance (QA). QA confirms that all aspects of the build have been completed to customer specification and any related testing performed. The QA task is then updated and closed within the build book. Additionally, the Information Security Team is notified at this point to conduct a pre-release vulnerability assessment. Upon receiving appropriate results in the vulnerability assessment, the Information Security Team will confirm the build is within the approved standard or assign vulnerabilities to be remediated by an engineer.

Deployment and Go Live Approval: After receiving the confirmed QA task closure, the Build Manager coordinates the appropriate application resources to deploy the software and infrastructure. Once the deployment is ready to begin processing production transactions, the Build Manager requests application monitoring to be enabled.

For specific customer go live: After the Build Book, QA and vulnerability assessment have been completed and documented, the Change Advisory Board (CAB) will review and announce the customer implementation as complete and the customer is considered live. The customer is handed off to the Global Support team for support.
m. Ensuring systems are developed and maintained and validated as being secure (secure development practices, security and penetration testing, etc.)
Response: The Software Development Lifecycle (SDLC) includes criteria for conformance to the formal standards set in Kronos' Engineering Architecture Standards and Guidelines, which include standards on code quality, performance, and security. For the entire development cycle of Workforce Central, Kronos conducted weekly security scans and penetration tests of our software as it was being developed. These manual-assisted dynamic web application security scans were performed by a reputable independent security testing firm, which has specialized in this field since 2001. Our development organization triaged and mitigated the issues and vulnerabilities as they were discovered. In addition to the manually assisted dynamic scanning, Kronos also contracts with well-known security assessment firms to conduct in-depth manual and tool-aided security penetration testing against the major components of each release in order to catch anything missed by the dynamic scanning process.

n. Handling of exceptions and situations not specifically addressed in its system availability, data integrity, and related security policies
Response: Any exception to Kronos policies surrounding security in the cloud environment must be approved by senior management, including the Kronos Chief Information Security Officer and the Director of Cloud Hosting.

o. Monitoring system performance and capacity to achieve customer commitments or other agreements regarding service and availability
Response: The availability of the Kronos services is monitored using different tools analyzing the relevant layers of technology to determine whether requirements are maintained. Monitoring tools identify resources that may be on the verge of failure and validate that servers are available, including resource usage being optimal for efficient processing. The ability to monitor attributes such as CPU, memory usage, buffers, disk space and connection statistics is delivered via the operating system monitoring solution. The network monitoring solution assesses the ability of traffic to traverse the environments to the customer locations. The network monitoring assesses the availability and performance of network devices, traffic utilization statistics, and interface monitoring. If either tool identifies anomalies, warning notifications and actual incident tickets are created. Kronos also follows a proactive support methodology in which a dedicated team, the Application Response Team (ART), monitors the system for anomalies, including system performance and availability. If something is detected, the Application Response Team (ART) will investigate to resolution, thus ensuring we maintain our Service Level Agreement (SLA) of 99.75.

p. Recovering and continuing service in accordance with documented customer commitments or other agreements
Response: Regarding Disaster Recovery: Basic Disaster Recovery services are provided to all hosted customers at no additional fee and include: the customer environment and all customer data in the Kronos Cloud are replicated to a secondary Kronos Cloud data center. Disaster Recovery Services provide for a Recovery Point Objective (RPO) of 24 hours and Kronos strives to restore application availability in a commercially reasonable timeframe. The customer will be down until the Production environment is restored in the primary or secondary data center, if needed, as an application environment is not readily available at the alternate site to process data. Customers are expected to use fully qualified domain names to access the service given that the IP address of the service may change. During a disaster, Kronos will roll over to the Disaster Recovery facility in Chicago, Illinois, which is approximately 1,000 miles from the primary site, and continue to function out of our Disaster Recovery (DR) site until the primary is operational again. Any issues arising out of the disaster recovery event due to customer configuration, customization and/or customer third party software outside of the Kronos Cloud are the responsibility of the customer to resolve.

Regarding Business Continuity: Kronos Incorporated (Kronos) has developed a Business Continuity Management (BCM) program in support of our mission to be the global leader in delivering workforce management solutions in the Cloud. The BCM program is designed to provide a framework to both protect the wellbeing of Kronos employees and enable the continual provision of exceptional service to our customers in the face of disruption.
Responsibility for ongoing ownership and maintenance of BCM capabilities is embedded within the business, administered and supported by:
- A formal BCM Steering Committee responsible for providing advice to the Board, Senior Executives, the Executive Sponsor, and key stakeholders on the strategic direction and appropriateness of BCM activities conducted across the organization;
- An Executive Sponsor that provides oversight and direction for the overall BCM capability; and
- A BCM Program Manager who is focused on: day-to-day coordination; reporting and escalation of key BCM program activities; and continual enhancement of the program to ensure it remains effective and sustainable across Kronos.

Review the full Business Continuity Management program overview here: KRONOS DOC Business Cont

q. Requirements of third parties that reflect the requirements the vendor is subject to
Response: CenturyLink provides the data center for hosting services, including physical security and environmental safeguards. Expected controls include:
- Access to the data center is restricted to authorized employees and contractors through the use of card readers and other systems
- Visitors to the data center are required to sign a visitor log
- Physical access to the data center facilities is restricted to appropriate personnel who require such access to perform their job functions
- Administrator access to the card system and other systems is limited to authorized personnel
- Camera surveillance of the data center is monitored and retained for a period of time
- Environmental safeguards are designed, implemented, operated, and maintained for fire detection/suppression systems; climate (including temperature and humidity) control systems; uninterruptible power supplies (UPS) and backup generators; and redundant power and telecommunications lines

Aspect/Voxeo provides the IVR telephony service and is expected to notify Kronos within 24 hours where there may be a data security breach.

Physical Security

10. How is physical security ensured, such as for personnel/visitor facilities access, designated rooms for servers, guards, access cards, biometrics, man traps, etc.?
Scope: WFTS, WFC
Response: Data Center Access: Entrance to the CenturyLink physical building requires a pre-registered badge; entrance to the data center floor requires two-factor authentication and pre-authorization from Kronos. Various levels of physical controls exist throughout the data center, including cameras. Security systems on the building exterior include cameras, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls and unmarked buildings, biometric systems including palm scanners, and numerous security cameras with digital recorders; all entry and exit points to the data center are alarmed, in addition to security staff and CCTV monitoring.

Employee Working Access in US: Employees access the environment by VPN with multi-factor authentication. Badge access of different levels is in place across the Kronos buildings. The administrators are in a controlled environment for engineering and cloud support work areas, which is role based. Access is role based.
Employee Working Access in India: Kronos employees in India are subject to the same policies, including policies in place in support of auditing for the Kronos Service Organization Control (SOC 2 Type 2) report relevant to Security, Availability, and Confidentiality, while accessing the solution environment. Employees access the environment by VPN with multi-factor authentication. In the Kronos Noida, India facility, Kronos corporate policies are in force, including the Kronos Information Security Policy, which addresses physical and logical access controls. All access is role and least privilege based.

System Development Lifecycle

11. What software development security standards does your organization adhere to? What does your secure development program consist of?
Scope: WFTS, WFC
Response: Over the last few years, data security has become a topic of paramount importance to our customers. Kronos has responded to this changing security landscape by substantially increasing our efforts and investments to ensure that products we deliver are securely designed to protect customer data. Kronos has defined security standards and practices used in the development process to avoid introducing vulnerabilities and to avoid the SANS (SysAdmin, Audit, Network, and Security) "Top 25 software errors" and the most recent "Open Web Application Security Project (OWASP) Top 10 Web Application Vulnerabilities". The secure development lifecycle, modeled on the industry-leading Microsoft SDL (Security Development Lifecycle), guides the software development process from requirements through support, including training, risk assessments, threat modeling/mitigation, security design review, attack surface review, security code review, root cause analysis, and final security review. With each new release Kronos will continue to focus on, and invest in, application security. We will continue our program of penetration testing and vulnerability mitigation. We will evaluate new security features. We will also review and update the application security training program within our development organization, which will help us to prevent the introduction of new security flaws and improve our ability to find and fix flaws as they are discovered.

Security is deeply ingrained into our Software Development Life Cycle (SDLC):
- All Kronos software engineers undergo annual training in the latest industry secure application development practices. All software architects receive additional training for their role.
- Kronos has software security architects and a security-focused task force that comprises several members from each product team.
- Secure design is incorporated into the architectural review process, which includes: threat/security risk modeling and mitigation, secure design review, and secure code reviews.
- Kronos engineering uses a mix of dynamic and static code analysis tools.
- All source code is tracked and stored in standard tools.

Kronos' focus on web application vulnerabilities is continual and includes, for the entire development cycle of WFC and WFTS, weekly security scans and penetration tests of the software as it is being developed. The manual-assisted dynamic web application security scans are performed by a reputable independent security testing firm. Kronos triages and mitigates the issues and vulnerabilities as they are discovered.

The testing regime is comprehensive and rigorous and includes all of the following areas:
- Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
- Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
- Client-Side: Content Spoofing, Cross-site Scripting (XSS), HTTP Response Splitting
- Authentication: Brute Force, Insufficient Authentication, Weak Password Recovery Validation, Cross-Site Request Forgery
- Authorization: Credential/Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation
- Logical Attacks: Abuse of Functionality, Denial of Service, Insufficient Anti-automation, Insufficient Process Validation

In addition to the manually assisted dynamic scanning mentioned above, Kronos contracts with well-known security assessment firms to conduct in-depth manual and tool-aided security penetration testing against the major components of each release to catch anything missed by the dynamic scanning process. Utilizing the outcomes/outputs of the various tests mentioned here, Kronos addresses, on a priority basis, issues in all of the following areas: Reflected Cross Site Scripting, Stored Cross Site Scripting, Content Spoofing, Information Leakage, Lack of Obfuscation, Session Fixation, Session ID in URL, SQL Injection. Further, Kronos limits the use of sensitive personal data in its products and undertakes many safeguards described in this questionnaire to ensure against risk of data compromise or misuse. Lastly, Kronos contracts with an independent third party at least on an annual basis to conduct a network, mobile, and application penetration test on the most recent version of the applications released to market. Penetration testing includes the web application vulnerabilities defined by the Open Web Application Security Project (OWASP) Top 10 Web Application Vulnerabilities and SANS Top 25 Most Dangerous Software Errors. These vulnerabilities include the potential for unauthorized internet access, compromise of roles, and escalation of privileges for the application.

Kronos has a Software Development Lifecycle (SDLC) process for application development. The SDLC can be accessed here: 10 Kronos Software Development Lifecyt

12. Will the products, systems, and services be delivered and maintained free of defects?
Scope: WFTS, WFC
Response: Yes, with warranties stated in the Harford School District Contract (Section number 8 for Software as a Service (SaaS) services and Section B, 9b under professional services). In addition, each work order specifies the acceptance process for the implementation of the solutions.

Security Testing and Assurance

13. Please explain your methodology for conducting manual and automated system security and vulnerability assessments and penetration tests, to include who performs the testing, what tools/methods are used, what is tested, and how often.
Scope: WFTS, WFC
Response: Overview and How Often: Kronos conducts vulnerability scanning of the customer environment prior to go-live and annually thereafter using third party tools. Additional scans are executed at the discretion of Cloud Hosting management. Identified vulnerabilities are researched and resolved and/or mitigated using the Kronos Change Management Process, which is attested in the Service Organization Control (SOC 2 Type 2) audit process. The Kronos product is penetration tested and scanned for vulnerabilities prior to deploying code to market using third party tools. Annual network penetration testing by a third party is also conducted.
Who: Coalfire LABS

Applications
Scope: Application penetration test for Workforce TeleStaff and Workforce Central
Methodology: Coalfire's Advanced Application Penetration test is intended to find vulnerabilities that can be exploited to compromise the application and the data it transmits, processes, or stores. This testing begins by emulating an anonymous, Internet-based attacker attempting to compromise the application by identifying coding errors, business logic flaws, or web server configuration weaknesses. Next, we emulate an insider threat to determine the impact of a malicious insider or a user that has had their credentials compromised. Coalfire uses automated vulnerability scanning tools to rapidly identify technical vulnerabilities within the web application. In addition, our penetration testers review the application logic for any flaws or vulnerabilities in the authentication, permissions, or user management scheme. These technical and business logic vulnerabilities will be exploited in an attempt to gain "unauthorized" access to data managed by the system or to escalate privileges within the application or on the system itself.
What is tested: Testing will be performed in both a Black Box and Grey Box manner. Our first attack scenario will be Black Box testing, emulating a malicious attacker with no credentials. Black Box testing focuses on the integrity of the application's public footprint only. Our second attack is performed using a user account to attempt to escalate permissions of the user account or to access data belonging to another user's account. The SANS Top 25 Most Dangerous Software Errors are investigated as part of the testing. In addition, the OWASP Top Ten provides a sample of the types of vulnerabilities that are identified during this assessment:
- A1 - Injection
- A2 - Cross-Site Scripting (XSS)
- A3 - Broken Authentication and Session Management
- A4 - Insecure Direct Object Reference
- A5 - Cross-Site Request Forgery (CSRF)
- A6 - Security Misconfiguration
- A7 - Insecure Storage
- A8 - Failure to Restrict URL Access
- A9 - Insufficient Transport Layer Protection
- A10 - Unvalidated Redirects and Forwards
Tools: Tools Coalfire utilizes for its Advanced Application Penetration Tests include:
- Tenable's Nessus - The industry's most widely deployed vulnerability scanner. Nessus Professional features high-speed asset discovery, configuration auditing, target profiling, malware detection, sensitive data discovery, and vulnerability analysis.
- Metasploit - an open-source project managed by Rapid7. It provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals.
- Burp Suite - an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process.
- Netsparker - an advanced and in-depth SQL injection and Cross Site Scripting testing tool incorporating a JavaScript engine that can parse, execute and analyze the output of JavaScript. This allows Netsparker to automatically crawl, interpret and scan modern web 2.0 and HTML5 web applications that rely on client-side scripting.
- Open Source - In addition to commercial products, Coalfire may leverage open source tools including: Cain & Abel, Nmap, Nikto/Wikto, Superscan, SSL Digger, Nessus, Microsoft Baseline Security Analyzer (MBSA), and Center for Internet Security (CIS) Benchmarks.

Mobile Application (used only for WFC)
Kronos products in scope for the test include:
- Kronos Mobile for …
- Kronos Mobile for Android
- Kronos Tablet for …
Methodology: Mobile applications are continuing to be a rather "new" vector of attack. These can be subject to network-based attacks over the numerous wide area, local area, and near-field communications protocols, as well as physical attacks against the device. A poorly implemented mobile application has the potential to leak sensitive data or authentication credentials, leaving it exposed on the mobile device and susceptible to individuals that gain either logical or physical access to the device on which the application is installed. With exposed data, your application, application back-end, and user's data are then only as secure as the mobile device is configured to be. Coalfire's Mobile Application Security Analysis service is comprised of two complementary tasks: a Mobile Device Footprint Analysis and a Mobile Application Penetration Test. The Mobile Device Footprint Analysis provides a high-level forensic evaluation of your application in a typical deployment scenario. The device examination will include evaluating mobile device management strategies, determining whether the data is secure at rest on the device itself, determining whether the data is secure in transit when communicating with back-end systems, and identifying the level of risk a compromised mobile device may incur to the application, application back-end, and user data.
The Mobile Application Penetration Test provides technical testing with the goal of subverting system, network, and application controls. The testing will demonstrate what impact an attacker could have on the platform, the environment, or any back- end systems based on merely having access to the application. This testing focuses on compromising the Web Services or other service layer technology that supports the application. Network Testing Scope: Workforce TeleStaff and Workforce Central Applications run on the same Network Methodology: Coalfire under contract with Kronos Incorporated conducted a Network Penetration of the Kronos Cloud environment. Coal?re?s Basic External Network Penetration Testing determines if system or service vulnerabilities can be exploited to allow unauthorized access to systems, applications, or data. This testing is designed to attack a network from the outside, demonstrating the impact of an Internet-based 27 Page POWERFUL TECHNOLOGY FOR THE CITY AND PUIL SOLUTIONS WE SERVE h?x Seattle Information Technology Category Question Specific Scope as Applicable Response attacker attempting to compromise systems with an externally accessible interface. This service includes Network penetration testing that will attempt to compromise networks and operating systems, as well as Commercial-off-the-shelf web applications. m? open ports, Us. automated sans Ind am and web walla-?ow mm to mom. non dim audit-hoe Determine stud: vectors. possibilities and develop mad: plan mm ?80??th Elm-mushroom! Coal?re approaches external network penetration testing with a singular goal - to gain unauthorized access to systems or data. At a high level, Coalfire takes an approach to penetration testing that is similar in nature to the Penetration Testing Execution Standard (PTES) and the penetration testing methodologies endorsed by SANS and Offensive Security. 
For this level of penetration test service, our approach can be summarized as performing Reconnaissance and Vulnerability Identification, followed by Exploitation.

Reconnaissance and Vulnerability Identification
Using a variety of automated scanning tools (both open source and commercial), Coalfire penetration testers will gather and classify all systems, open ports, and running services in the target environment. The following types of vulnerabilities are typical of those identified and exploited during a penetration test:
- Weak configuration
- Missing patches
- Use of insecure services and protocols
- Web application vulnerabilities, such as cross-site scripting, SQL injection and command injection
- Authentication vulnerabilities such as default or easily guessable usernames and passwords
- Database server vulnerabilities such as insecure object permissions

Exploitation
Coalfire will exploit vulnerabilities to gain access to systems or information contained on the system. Exploitation techniques may include buffer overflows, command injection, or other methods as appropriate to the system being attacked. All exploitation done in this phase is intended to gain additional access to the platform being targeted in order to allow our testers to achieve the goals set for the engagement. Unless requested by the client, our penetration testing methodology does not include denial of service attacks.

Tools
Tools Coalfire utilizes for its network penetration tests include:
- Tenable's Nessus: the industry's most widely deployed vulnerability scanner. Nessus Professional features high speed asset discovery, configuration auditing, target profiling, malware detection, sensitive data discovery, and vulnerability analysis.
- Metasploit: an open-source project managed by Rapid7. It provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals.
- Burp Suite: an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process.
- Netsparker: an advanced and in-depth SQL injection and cross-site scripting testing tool incorporating a JavaScript engine that can parse, execute and analyze the output of JavaScript. This allows Netsparker to automatically crawl, interpret and scan modern Web 2.0 and HTML5 web applications that rely on client-side scripting.
- Open source: in addition to commercial products, Coalfire may leverage open source tools including Cain & Abel, Nmap, Nikto/Wikto, SuperScan, SSL Digger, Nessus, Microsoft Baseline Security Analyzer (MBSA), and Center for Internet Security Benchmarks.

14. Have you had your application penetration tested by an objective, qualified party following a suitable security standard, such as OWASP, to test against common application vulnerabilities (cross-site scripting, SQL injection, etc.)? Please briefly provide any relevant explanation of testing performed, test results, and remedial action taken. Also note that any externally facing web-based application will be required to be thoroughly tested prior to implementation, with detailed results provided to the City for review and acceptance.
Scope: WFTS, WFC
Response: Kronos, on at least an annual basis, contracts with an independent third party to conduct a network and system/services security penetration test on the most recent version of the applications released to market in Kronos Cloud. Penetration testing includes the web application vulnerabilities defined by the Open Web Application Security Project (OWASP) Top 10 Web Application Vulnerabilities and the SANS Top 25 Most Dangerous Software Errors. These vulnerabilities include the potential for unauthorized internet access, compromise of roles, and escalation of privileges for the application. There were no critical or high risk issues found in the most recent reports. For additional details, please see the answers to question 13.

15. Did your last system security and vulnerability assessments and/or penetration tests result in any medium- or high-risk security vulnerabilities identified? If any, have the specific findings been appropriately addressed? If not, what is the plan and timeline to resolve the issues?
Scope: WFTS, WFC
Response: No critical or high risk issues were found.

16. As part of your proposed solution, will you be including any manual and/or automated system security and vulnerability assessments and penetration tests?
Scope: WFTS, WFC
Response: Yes. Kronos conducts vulnerability scanning of the customer environment prior to go-live and annually thereafter using a third party tool. After the build book, QA testing, and vulnerability assessment have been completed and documented, the Change Advisory Board (CAB) will review and announce the customer implementation as complete, and the customer is considered live.

Incident Management
17. Please describe your incident response and breach notification stance applicable to your proposed solution. Are you willing and able to notify the City within 24 hours of being made aware of a real or suspected security incident? Are you willing and able to adequately assess and support an incident investigation and response with and on behalf of the City?
Scope: WFTS, WFC
Response: Should there be a known breach affecting the City of Seattle's data, Kronos will activate the Incident Response Plan and the Customer will be notified within 24 hours of confirmation of the breach. The Kronos Incident Response Plan includes identification, containment/eradication, root cause analysis, and the implementation of any mitigating controls to prevent recurrence. After containment, a root cause analysis and remediation plan will be put into place. Throughout, Kronos shall provide the Customer timely updates and information. Kronos would be transparent, working with Customers as to progress, what has occurred, and steps being taken to address it. In addition, Kronos works with customers on their handling of the matter. Kronos has deployed an internal ticketing system that manages priority, escalation and notification so that the information security officer, legal, engineering, and support teams are notified. Information security and legal are in leadership roles and it is an all-hands-on-deck situation as response teams are formed.

Third Party Management
18. If any third parties are included or involved in the development, implementation, support, and/or maintenance of the proposed solution, please specify the parties by name and applicable service(s) provided.
Scope: WFC, WFTS
Response: There are no third parties included or involved in the development, implementation, support, and/or maintenance of the Kronos solution except for Aspect/Voxeo for telephony IVR, a Software as a Service (SaaS) provider for telephony inbound/outbound calls. Kronos provides overall support, including telephony IVR, in the Platinum Support service provided through SaaS contracts. Kronos does not commit to data security on behalf of Aspect/Voxeo; however, Aspect/Voxeo is contractually obligated to notify Kronos when there is a security breach, and Kronos in turn notifies the City of Seattle of such a breach and initiates the incident response plan, including the Aspect/Voxeo telephony service as applicable.

Aspect/Voxeo Inclusion/Involvement
The service is preconfigured to work with the Kronos Workforce TeleStaff (WFTS) solution using the Contact Manager. During implementation, the Kronos team configures the customer's instance for telephony IVR use by setting up Workforce TeleStaff web connections to the Aspect/Voxeo Interactive Voice Response (IVR) telephony service for outbound calling, or for the end user for inbound calling.
Outbound functions:
- Message: used to send a message.
- Notification: used to send assignment details for the selected date.
- Roster Alarms: used to send Roster Alarm details for the selected date.
- Vacancy: used to fill a vacancy. This option only enables for vacant positions and disables all other outbound types.
Inbound functions:
- Change: enter a code
- Change: remove a code
- Review your personal calendar
- Check your pick list position
- Review working opportunities
- Change your personal information
Data stored is used for phone message narration or billing purposes. Sensitive data use is indicated below. The employee name is optional. The Workforce TeleStaff system forces a password reset after 3 attempts.

Data stored with Aspect/Voxeo (Data | Use | Example):
- Employee Name | Narration | Sam Buchanan
- Phone Login | Used for the employee to identify on the phone | 1234
- Caller ID | Employee preferred contact phone; used for outbound calls | 999-999-9999
- Phone Password | Password used by the employee for access using the phone | ABC321

19. Are third parties (vendors and service providers) contractually obligated to maintain security controls commensurate with the City's requirements? How is compliance with such expectations verified?
Scope: WFTS, WFC
Response: Regarding the City's requirements: Kronos does not have a list of security requirements for the City of Seattle. Based on the questions, the assumed requirements are covered contextually in this questionnaire. Based on the assumed requirements, there are two third parties: the CenturyLink data center and the Aspect/Voxeo IVR telephony web service. Kronos has agreements in place with CenturyLink and Aspect/Voxeo regarding data security.
Regarding verification:
- Aspect/Voxeo is not audited based on the American Institute of CPAs (AICPA) Service Organization Control (SOC) 2 Type 2 standard. Aspect/Voxeo's data center is audited and provides the SOC 2 Type 2 report.
- The CenturyLink data center is audited and provides the SOC 1 Type 2 report.
Generally, Kronos has an internal process that facilitates initiation, kickoff meeting, RFP process, vendor meeting and vendor due diligence, review and follow up, recommendations and procurement, and periodic assessment of third parties.

20. Are third parties periodically audited for compliance with security obligations? Are those audit results available for review by the City?
Scope: WFTS, WFC
Response:
- Aspect/Voxeo is not audited based on the American Institute of CPAs (AICPA) Service Organization Control (SOC) 2 Type 2 standard. Aspect/Voxeo's data center is audited and provides the SOC 2 Type 2 report.
- The CenturyLink data center is audited and provides the SOC 1 Type 2 report.

Safeguarding City Data (Pre/Post Implementation)
21. Please describe how the City's data will be accessed and safeguarded before, during, and after implementation (who can access it and why, how such access is enabled and controlled, etc.). Are there different levels of access within your organization? Are those accesses logged and periodically reviewed?
Scope: WFTS, WFC
Response: The access to City of Seattle data will be dependent on the scope as defined in each work order of the customer agreements. The work orders outline what data is accessed and the requirements for such access.
Typical access during implementation for WFTS:
- Who accesses: the solution consultant has full access to the database.
- Why: the solution consultant needs access to perform configuration responsibilities.
- Enabled and controlled: solution consultant access is granted based on level of authority using a least-privilege, role-based access model. The City may request additional access to its data in writing, with approvals.
- Logging: the implementation team does not monitor logged accesses, but access logging is a standard report available in the product, which is accessible by the customer.
- Process: for the initial build of the database, the data collection spreadsheet will be completed by the City and uploaded through Kronos' secure customer portal using Secure File Transfer Protocol (SFTP) and the Workforce TeleStaff Gateway Manager. The data provided by the City of Seattle is in CSV format. There is an initial load and thereafter an update import process.
- Methodology: during implementation the solution consultant will initially work from their computer. Once the environment is prepared, the data is stored on the server.
- Safeguarded: Kronos solution consultant computers are
- Direct access to on-premise data: Kronos will not require direct access to the City's on-premise systems or data.
Typical access during implementation for WFC:
- Who accesses: the solution consultant has full access to the database.
- Why: the solution consultant needs access to perform configuration responsibilities.
- Enabled and controlled: solution consultant access is granted based on level of authority using a least-privilege, role-based access model.
- Logging: the implementation team does not monitor logged accesses, but access logging is a standard report available in the product, which is accessible by the customer.
- Process: Workforce Integration Manager is expected to be used for all interfaces to/from the City's SFTP in a true API methodology, eliminating the need for flat-file imports/exports in WFTS and WFC. This interface style will be in scope for Phase 3.
- Methodology: during implementation the solution consultant will initially work from their computer. Once the environment is prepared, the data is stored on the server.
- Safeguarded: Kronos solution consultant computers are
- Direct access to on-premise data: Kronos will not require direct access to the City's designated SFTP server.

22. How will your personnel (employees and vendors) gain access to City systems and data? Are there different levels of access? Is such activity logged and periodically reviewed for appropriateness?
Scope: WFTS, WFC
Response: The access to City of Seattle systems and data will be dependent on the scope as defined in each work order of the customer agreements. The work orders outline what data is accessed and the requirements for such access. The Software as a Service (SaaS) solution assumes access to on-premise City systems and data is not required. For implementation, data population requires the Kronos solution consultant to handle the data prior to populating the database on the Kronos servers. The solution consultant computer is
Access to the Workforce TeleStaff and Workforce Central applications is role based. The corporate Information Security Team monitors access changes in the environment, verifying that accounts (new, modified, and disabled) are processed properly; reviews access results quarterly; redirects resources to properly perform the control processes where non-compliant; and modifies access rights as necessary.

23. How do you restrict your personnel and any applicable third parties from printing, saving, copying, and/or disseminating City data?
Scope: WFTS, WFC
Response: In addition to the required Kronos background checking and security and privacy awareness training, physical and logical access is limited to authorized support staff only, using a least-privilege, role-based access model in which the principle of segregation of duties is incorporated. Access is reviewed quarterly to determine appropriateness for the business purpose. The Kronos solution is designed to be accessed using terminal server jump hosts to prevent unauthorized data from being removed from the data center. The restrictions on downloading or printing customer data are enforced on the server. The database engineer has access to the database for maintenance and tuning; by policy, Kronos staff do not access customer data directly. Kronos hires a third party, Dell SecureWorks, which provides intelligence-driven security solutions that monitor logs 24x7x365. Alerts are raised on direct access to a customer's data, and the Kronos engineers receive the alerts and review the logs for follow-up. Remote access for Kronos employees requires the use of a secure VPN and two-factor authentication. CenturyLink data center staff can see the cage and have no access to the data.

24. Please provide a summary of all electronic components included as part of your proposal to enable and facilitate the operation of your software solution, such as all software, services, downloadable content, and licenses.
Scope: WFTS, WFC
Response: There is downloadable content for the training materials (e.g., a PowerPoint slide deck). There are no licenses, as this is a Software as a Service (SaaS) subscription-based service offering. The Aspect/Voxeo IVR telephony is a web-based service.

Solution Inventory
Modules Scope Phase 1 and 2 (WFTS). Feature/Module: Definition
- Workforce TeleStaff Enterprise (note: Workforce TeleStaff is also referred to as WFTS, Workforce Central TeleStaff): Core product. Workforce TeleStaff is a time-tested and proven scheduling, communication, and bidding solution that helps: control costs by allocating overtime fairly, creating impartial schedules based on demand and employee preferences, and reducing overstaffing; minimize compliance risk by incorporating an organization's unique scheduling rules and adhering to the necessary labor laws and union rules; and improve workforce productivity with automated position, shift, and vacation bidding that frees supervisors' time and improves employee satisfaction. Includes Platinum Support. Includes cloud hosting for two instances (production and non-production). Includes cloud hosting for population (head count). There is no mobile application for Workforce TeleStaff; the web pages are responsive for any device being used.
- Workforce TeleStaff Institution Focus: Provides access security. Allows two or more institutions (Seattle PD) to exist in a single database while keeping their people and staffing information separate. License must match Workforce TeleStaff Enterprise.
- Workforce TeleStaff Global Access: Provides web connectivity. Provides user access to the application over any browser on any device that supports HTML5. License must match Workforce TeleStaff Enterprise.
- Workforce TeleStaff Contact Manager: Provides notifications. Routes messages from Workforce TeleStaff to the appropriate message delivery module (email and/or phone). Contact Manager also ensures that messages are sent out in the priority order established by rules configured in Workforce TeleStaff. Its components are:
  - Line Manager: controls each logical line in the IVR system.
  - Email Manager: sends employee emails from Workforce TeleStaff using standard SMTP protocols.
  - Task Manager: automatically initiates predefined tasks that execute certain functions within Workforce TeleStaff, helping to alleviate repetitive tasks for staffers and system administrators.
- Workforce TeleStaff Bidding: Provides the bidding function. Automates position, shift, and vacation bidding. Managers can set up online auctions and employees can bid on or choose slots.
- Workforce TeleStaff Gateway Manager: Provides data integration (one-time cost). Gateway Manager is a flexible data integration tool that interfaces TeleStaff with other business applications, such as CAD, RMS, Workforce Timekeeper and Payroll. For example, it exports scheduling data in XML and CSV formats for dynamic date ranges and sends roster and personnel data to CAD, RMS, and HR systems.

3rd party telephony used in Phase 1 and 2. Feature/Module: Definition
- Workforce IVR or Telephony: Provides Interactive Voice Response (IVR). Cloud telephony through a 3rd party SaaS provider, hosted Aspect/Voxeo Prophecy. Kronos treats IVR like any other Kronos software with the same protection. Kronos does not commit to Aspect/Voxeo data security contractually. Links: The Aspect Cloud; Privacy Policy.

Modules Scope Phase 3 (WFC). Feature/Module: Definition
- Workforce Central: Core product. Workforce Timekeeper is the key component of the Workforce Central Time and Labor product group and is required for all other products in this category. It is an automated time and attendance solution that enforces pay and work rules, allows time entry and approval, tracks attendance exceptions, and handles employee inquiries. Includes cloud hosting for population (head count).
- Workforce Manager Attestation: Workforce Attestation supplements Workforce Timekeeper by adding the capability to require employees to respond to various questions throughout the work day. Customized approval prompts can also be incorporated for different groups of employees where specific attestation language is required or desired.
- Workforce Manager: A Manager license is required for any user authorized to access (view, approve, or modify) another user's time or attendance (leave) records. Examples: supervisors, team leads, timekeepers, HR, and payroll staff. Kronos includes a certain number of Manager licenses per 100 users in the host base price. Additional Manager licenses may be purchased at a per-user rate. (Note: each Manager license user also requires an Employee user license.)
- Workforce Employee: Basic time and leave license required for each user. Captures and stores the following for each user: basic schedule (days of week, hours per day, time of day); timesheet entries; leave requests; and leave balances, including forecasting of future leave balances. Applies rules to validate time entries and leave requests.
- Workforce Absence Manager: Absence Manager automates leave policies using a combination of the Workforce Accruals, Leave and Attendance modules. Accruals calculates and enforces grant and usage rules for benefited leave. Leave assists with complying with FMLA and OFLA requirements. Attendance is designed to monitor attendance behavior and enforce attendance policies.
- Workforce Integration Manager (WIM): An integrated, web-based, flexible data integration tool that interfaces Kronos products with other business applications such as payroll and human resources.
- Mobile Employee and Manager: Employee: mobile application that enables employees to submit leave requests, enter timecard/timesheet data and track detailed labor activity. Manager: the mobile application which allows users to review and approve timesheets and leave requests from their mobile phone.

25. Please provide a summary of all physical components included as part of your proposal to enable and facilitate the operation of your proposed solution, such as: all hardware, devices, removable hard drives and media, sound cards, mixers, servers, monitors, USB devices, backup/replication systems, DVD burners, CDs, physical security and/or anti-tampering safeguards, and operation manuals.
Scope: WFTS, WFC
Response: The proposed solution is Software as a Service (SaaS) for Workforce TeleStaff and Workforce Central. There are no expected equipment or hardware requirements for the City of Seattle.

Solution Hosting and Location(s)
26. Please describe how your proposed solution, data center, and associated systems and data are to be hosted and maintained, including physical location.
Scope: WFTS, WFC
Response:
Kronos Workforce TeleStaff and Workforce Central solution: The solution is hosted from the data center and maintained by Kronos employees located in Chelmsford, Massachusetts and Noida, India.
Data center: The Kronos solution is housed in a single-tenant CenturyLink co-located data center cage located in Waltham, Massachusetts. Kronos owns and manages everything from end to end within the cage. CenturyLink staff can see the cage but do not have logical access to the environment. The Kronos Private Cloud is backed up to a Kronos-managed colocation cage in Chicago, Illinois.
Associated systems: Aspect/Voxeo is housed in a SWITCH data center located in Las Vegas, Nevada.
Data: Data is kept in a SQL database and maintained by Kronos database engineers.
Aspect/Voxeo telephony IVR solution: Aspect/Voxeo is a web service with an existing connection to the Workforce TeleStaff environments, requiring initial implementation to configure the Customer's specific instance within the Kronos solution. Aspect is located worldwide, with corporate headquarters in Phoenix, Arizona.
Data center: Aspect/Voxeo is housed in a SWITCH data center located in Las Vegas, Nevada. SWITCH provides data center hosting services including the physical infrastructure, power, and data connectivity needed to house the information systems of user entities. SWITCH provides certain physical and environmental security mechanisms to safeguard user entities' assets from unauthorized access and environmental threats. As such, user entities engage SWITCH to secure and maintain the availability of their applications and important data for their customers, employees, and stakeholders.
Associated systems: none listed.
Data: Data is transported from Workforce TeleStaff to Aspect/Voxeo for IVR, with some data stored locally for billing purposes.

Solution Access and Support
27. Does any part of your proposed solution require or allow any external connectivity, such as to enable any IVR integrations, batch processing, services, or to perform troubleshooting or support from a remote location?
Scope: WFTS, WFC
Response: No parts of the Kronos solution require or allow external connectivity except for:
- Workforce TeleStaff allows connections to Aspect/Voxeo telephony IVR web services for inbound/outbound calling.
- Employees access the environment by VPN with multi-factor authentication.

Solution Data Security and Integrity
28. Do the systems involved in your proposed solution use strong encryption when processing, in transit, and at rest? What methods, algorithms, and key sizes are used? What other provisions are in place to ensure data security and integrity?
Scope: WFTS, WFC (transport to/from IVR)
Response: Kronos uses strong encryption in transit and at rest (at rest is optional for customers). The algorithms and key sizes are defined below. Data stored with Aspect/Voxeo is not encrypted at rest. When processing on the web/application servers, the data is in memory in order to be processed.
In transit to/from the Kronos environment: Transport Layer Security (TLS) is used for Kronos web applications and Application Programming Interface (API) traffic. Kronos accepts by default Advanced Encryption Standard (AES) 128 bit and Triple Data Encryption Standard (3DES) 112 bit.
In transit to/from Aspect/Voxeo web services: From Workforce TeleStaff, data is transported over SSL or Secure to Aspect/Voxeo.
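The transport settings above name two symmetric ciphers accepted by default. The following Python is an added example, not Kronos's or Aspect/Voxeo's code: it shows how a client of such a service pins its own TLS policy to version 1.2 or later and to forward-secret AES/ChaCha20 suites, and how a list of suites a server offers is checked against that policy. It runs offline. VENDOR_DEFAULTS is a constructed rendering of the two named defaults as OpenSSL suite names; the 3DES entry is the one the policy rejects, because its 64-bit block size limits how much data can safely pass through one session (NIST SP 800-131A deprecates it).

```python
"""Client transport policy for a TLS front end: TLS 1.2 or later, AEAD suites
with forward secrecy, and no 3DES.

Added example, not Kronos's or Aspect/Voxeo's code. It makes no network
connection; it builds the client context a caller would use and checks what
that context can negotiate. VENDOR_DEFAULTS is a constructed OpenSSL-style
rendering of the two defaults named in the response.
"""
import ssl

# Cipher primitives the policy rejects. 3DES (DES-CBC3 in OpenSSL names) has a
# 64-bit block, which caps the data that can safely go through one session
# and is why NIST SP 800-131A deprecates it; the rest are legacy or broken.
REJECT_TOKENS = {"DES", "3DES", "RC4", "RC2", "IDEA", "SEED", "NULL", "EXP",
                 "EXP1024", "MD5", "ADH", "AECDH"}

VENDOR_DEFAULTS = ["ECDHE-RSA-AES128-GCM-SHA256",   # AES, 128-bit key
                   "ECDHE-RSA-DES-CBC3-SHA"]        # Triple DES, 112-bit effective key


def is_weak_suite(name):
    """True if an OpenSSL or IANA suite name uses a rejected primitive."""
    tokens = set(name.upper().replace("_", "-").split("-"))
    return bool(tokens & REJECT_TOKENS)


def policy_violations(suite_names):
    """Suites, from a list a server offers or accepts, that the policy rejects."""
    return [n for n in suite_names if is_weak_suite(n)]


def make_strict_client_context():
    """Build the client context; certificate and hostname verification stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries make the exclusions explicit.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!3DES:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def negotiable_suites(ctx):
    """Suite names this context is willing to negotiate (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("vendor defaults rejected by policy:", policy_violations(VENDOR_DEFAULTS))
    ctx = make_strict_client_context()
    print("weak suites the strict context could negotiate:",
          policy_violations(negotiable_suites(ctx)))
    # Against a live endpoint, wrap a socket with ctx and inspect
    # sock.cipher() and sock.version(); that step is omitted so the example
    # runs offline.
```

The check is one-sided by design: a client context that cannot offer 3DES protects that client's sessions, but it says nothing about what the server still accepts from other clients. For the latter, the offered-suite list from a server scan is what goes into policy_violations.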
At rest: Each work order may specify whether encryption at rest (AES 256 bit) is required. The initial work order requires encryption at rest, and it is expected that future work orders will also require encryption at rest.

Solution Access Controls
29. Please describe the system/user access, password, authentication, and security configuration available to be configured and enforced by your proposed system and solution.
Scope: WFTS, WFC
Response: Kronos recognizes the importance of safeguarding the information in the workforce management solution. Workforce TeleStaff enforces the concept of "no privileges until assigned," which means that users cannot access system data or functions until access is explicitly granted to them. User access rights are defined in Workforce TeleStaff access control profiles. The Login Policy defines user passwords to control and limit who can access Workforce TeleStaff and how. The Login Policy initiates when the user attempts to log in. Multiple and distinct login policies can be created to support your security plan.

30. Does the system support role-based user access control?
Scope: WFTS, WFC
Response: Yes.

31. Does the system use Active Directory for authentication?
Scope: WFTS, WFC, IVR
Response: Active Directory authentication for Workforce TeleStaff and Workforce Central:
- Workforce TeleStaff: authentication is accomplished through LDAP over secure VPN. Token-based authentication with Active Directory Federation Services (ADFS) is on the roadmap for the next major release, scheduled for Q1 2017.
- Workforce Central: authentication is accomplished using token-based authentication with Active Directory Federation Services (ADFS).
No Active Directory is required for Aspect/Voxeo. The user sets up their phone login and phone password. The phone password must be a separate set of credentials, since special characters are not available on a telephone keypad.

32. Does the application automatically log off inactive users?
Scope: WFTS, WFC
Response: Yes.

33. Does the application limit access by user role?
Scope: WFTS, WFC
Response: Yes.

34. Do or will all user interfaces require, at minimum, a unique user ID and strong password? If so, please describe, also noting any password strength requirements, password reset/recovery procedures, account locking after a set number of failed authentication attempts, etc.
Scope: WFTS, WFC
Response: Yes. If the customer does not use LDAP authentication (WFTS) or token-based authentication (WFC), the strength of the password is configurable based on the department's security practices. A minimum password length can be set, as well as forcing users to change their passwords, how frequently passwords can be repeated, and how many unsuccessful attempts are allowed before users are locked out. The lockout period is determined by your security policy. Passwords are not displayed to any user, no matter what their authority level is. Users must call an administrator to have their password reset to the default. Once the user logs in with the default password, they are prompted to change their password. The phone login and phone password also have configurable security practices, within the limitations of the phone keypad.

Concerning Mobile Application and Location Functions
- There is no mobile application for Workforce TeleStaff used in Phases 1 and 2.
- There is a mobile application for Workforce Central (WFC) in Phase 3. The Kronos WFC Mobile Application provides a function for checking in/out of work. Part of this function includes "geo-fencing" for checking in/out. Geo-fencing provides a pre-set GPS coordinate that indicates the location that is acceptable for the employee or group to check in/out of work (an employee cannot check into work when they are not near the work site). Checking in/out of work is not in scope for the Seattle Police Department in any phase.
The Seattle Police Department turns location off on mobile devices; however, the user can turn location back on.
Ability to turn off location from the Kronos WFC mobile application:
- There is no way to turn off the use of location administratively on the backend.
- If the user turns off the GPS location on their phone, the Kronos WFC Mobile Application will not use it.
- If the user turns on the GPS location on their phone, the Kronos WFC Mobile Application will use it.
- There is a configurable setting on the administrative backend that can be set by user or by group to drop ("not use" or "discard") the location if it is transmitted from the mobile device, which enables the Police Department to drop the location for all employees in one group if desired.

Submitted by [executive/director level name]
Title [Title/Role]
Company Kronos
Date