Tenant Admins: Leverage the Auth0 Support Center to Review and Update your Company's Primary Security Contact and CIO/CISO Contact

Overview

As part of our commitment to continuous improvement, Okta will continue to review and improve our security and customer communication procedures. A key component is maintaining a current Primary Security Contact and CIO/CISO Contact for all Auth0 customers. Defining these contacts allows Okta to contact the customer's security teams quickly to respond to cyber-attacks, mitigate potential bad actors, or notify them of a security or privacy incident. 

To ensure we have the most current security contacts for your organization, a self-service solution is now available on the Auth0 Support Center that enables Tenant Admins to proactively provide the most current Primary Security Contact and CIO/CISO Contact information.

Primary Security Contact

A Primary Security Contact is a person or group in a customer’s organization who is responsible for receiving notifications and maintaining systems security and privacy compliance, and can respond in the event of a security and/or privacy incident. The individual(s) could be a leader or member of the Security, Privacy, Compliance, or IT teams, depending on how the customer is organized. This contact may receive notices as set forth under the notices provision of your contract.

CIO/CISO Contact

The CIO/CISO Contact is the C-level or most senior person accountable in your organization for security who can be contacted to discuss critical security related items, such as to join a web conference or phone call.

Applies To

  • Auth0 Support Center
  • Primary Security Contact
  • CIO/CISO Contact

Solution

A Tenant Admin can follow these steps to review and update their organization's Primary Security and CIO/CISO Contact Information on the Auth0 Support Center. 

NOTE: Only Tenant Admins can update Security Contacts.

  1. Authenticate on the Auth0 Support Center by clicking the Log In option.
  2. Under the user profile, select the option for Account Contacts.

     [Image: Account Contacts]

  3. As a Tenant Admin, on the My Account Contacts page, review the Primary Security Contacts and CIO/CISO Contacts that have been defined for your organization.

     [Image: My Account Contacts]

  4. If a contact is not listed, search by clicking on the Search contacts button and typing the name of the individual to add.

     NOTE: Multiple contacts can be entered as the Primary Security Contact by selecting and updating them individually. However, it is recommended to only have one CIO/CISO contact.

     [Image: Search for Contact]

  5. After selecting the contact, click Add contact.

     [Image: Select and Add contact]

  6. Specify the type of contact being added, Primary Security Contact and/or Primary CIO/CISO Contact, and click Confirm.

     [Image: Add Contact - Select Contact Type]

  7. To add a contact not currently listed in the Auth0 system, click Add new contact.

     [Image: Add New Contact not in system]

  8. Enter the information for the new Security Contact and press Confirm.

     [Image: Add New Contact Detail Form]

  9. After adding a new contact, a message displays that the request was received, followed by a confirmation message when the new contact is added.

     [Image: Creating Contact Message]

     [Image: Security Contact Added message]

  10. To remove an existing Primary Security or CIO/CISO Contact, click on the Remove icon.

     [Image: Remove Security Contact]


Once a primary security or CIO/CISO contact is added or removed, an email notification will be sent with the updates made.

NOTE: If additional contact information, such as a phone number or email address, needs to be updated, contact your Technical Account Manager. 

For issues with adding a Security Contact, contact your Technical Account Manager or create a support ticket.

 

Why it’s important:

The Primary Security Contact may be used to alert your security and privacy team if Okta identifies a specific threat to your organization requiring notification. For example, we may notify the Security and Privacy Contact to confirm impact during a security and/or privacy incident, or if we observe that your organization’s environment within Auth0 is the target of a specific attack, or if Okta proactively identifies a customer configuration that leaves your organization exposed to potential attacks.

Customers provide a Primary Security Contact when a contract is signed, but as people change roles and companies in their careers, these named contacts can change, possibly preventing Okta from effectively communicating security-related information to customers. Okta encourages customers to periodically review their Primary Security Contact to ensure the named individual remains accurate. 

The CIO/CISO contact is a C-level or most senior person accountable for security in your organization who can be contacted when there is a critical security event or incident, such as to join a web conference or phone call. The CIO/CISO will only be contacted during a critical security event or incident. 

Security is always top of mind for Okta, and we want to ensure we are doing our part regarding security and communication procedures.

 

 
