Xoxoday maintains documented interim risk mitigation policies—including compensating controls, access restrictions, and enhanced monitoring—to keep environments secure while critical patches are being scheduled and applied.
Acting Before the Patch Arrives
When a security vulnerability is identified, Xoxoday does not wait for a patch before taking protective action. The Information Security Team performs an immediate impact and exposure assessment to classify the risk and determine which assets or services are affected. This assessment drives the scope and urgency of every interim measure that follows.
Compensating Controls During Patch Delays
Patch deployment is sometimes deferred for legitimate operational reasons—compatibility testing, scheduled maintenance windows, or integration dependencies with connected HR and finance systems such as Workday, SAP SuccessFactors, or Darwinbox. During this window, Xoxoday applies documented compensating controls to reduce exposure. Controls applied may include restricting or disabling affected services and ports, tightening firewall rules and applying network segmentation, implementing application-level configuration changes, and temporarily deactivating vulnerable features or interfaces. The specific combination is determined by the risk classification of the identified vulnerability, not by a one-size-fits-all checklist.
Access Restriction and Stakeholder Communication
Access to affected systems is immediately limited to only the personnel and services that genuinely require it. This narrows the attack surface while patching is in progress. A temporary entry is created in Xoxoday’s risk register, and relevant stakeholders are notified of the mitigation plan and expected patch timeline. All steps—including the documented rationale for any delay—are recorded in line with Xoxoday’s Patch Management Policy, supporting continuous audit compliance under frameworks such as ISO 27001 and SOC 2 Type II.
Enhanced Monitoring Throughout the Mitigation Window
Systems operating under interim controls are placed under heightened monitoring. Security teams track indicators of compromise and suspicious activity in real time, and alerting thresholds are raised for events related to the specific vulnerability. For organisations running Xoxoday’s rewards and recognition workflows across tools like Slack or Microsoft Teams, this monitoring extends to activity at the integration layer, not only the core platform.
Controlled Closure After Patching
Once the patch is successfully applied, Xoxoday reviews and removes all interim compensating controls in a controlled sequence. The event is formally closed with complete audit logs, and a post-mitigation review confirms that no residual exposure remains. This end-to-end process ensures security and compliance continuity even when immediate patching is not operationally feasible.
Learn more: Xoxoday Help Centre — Data, policy and privacy
How does Xoxoday handle vulnerability disclosure?
Learn how Xoxoday identifies, classifies, and responds to reported security vulnerabilities across its platform.
What is Xoxoday's patch management policy?
Understand the timelines, prioritisation criteria, and approval processes Xoxoday follows to deploy security patches.