SECURITY ADDENDUM
Latest Version – November 12, 2021
Previous Versions – https://www.strongdm.com/legal/archive/security-exhibit
Information Security Program
Provider’s information security program (“Information Security Program”) is based on the National Institute of Standards and Technology’s Cybersecurity Framework (CSF) v1.1. Provider endeavors to ensure the security, confidentiality, integrity, and availability of the Services by taking the following steps:
- Provider targets compliance with the AICPA Trust Services Criteria 2017 for Security, Availability, and Confidentiality;
- Provider employs a Director, Security & Compliance to lead the Information Security Program and set and review objectives for information security each year; and
- The Director, Security & Compliance is responsible for leading all subordinate programs in support of the Information Security Program, and also leads the company-wide governance, risk, and compliance programs.

Definitions
Solely for the purposes of this Security Addendum and the Information Security Program, Provider defines “Customer Data” as data or information input into the Platform by a Customer or generated automatically through the usage of the Platform, including:
- Customer Authorized User information (e.g. first and last names, email addresses);
- Identifiable data source information, including:
  - Resource names and IP addresses
  - Hostnames and URLs
  - Database names
- Authentication secrets and related data, including:
  - Usernames
  - Passwords
  - Cryptographic Keys
  - Access/API keys

Identity and Access Management
Provider’s identity and access management program is based on the requirements and guidance from a number of sources, including NIST 800-53 Rev. 5, NIST SP 800-63-3, as well as common industry best practices. Provider has established Identity Management and Access Control policies that establish controls and practices governing all aspects of access to systems and data.
Authorized User Identity Management
- Provider maintains a centralized identity provider to manage accounts used within its business systems. Each Authorized User within the Services is provided with a unique username for identification when logging into the Services.
- Circumstances that require the use of a shared account will be managed on a case-by-case basis, and require a business justification before the account may be created.
- Provider conducts quarterly access reviews to ensure that Authorized Users have access to only those systems needed to perform their duties. Where required, accounts are flagged for suspension and removal.
Authenticator Requirements
- Provider’s access management policy requires that where Provider has the ability to set password requirements, Provider will enforce standards in line with NIST 800-63B. This means:
  - Provider requires all Authorized Users to set passwords that are at least 14 characters in length and randomly generated
  - Provider does not require arbitrary or periodic rotation of passwords
- Where Provider is not able to enforce specific requirements on passwords, Provider chooses the option that most closely aligns with its policies.
- Wherever possible, Provider implements authentication federation through SAML or OIDC with its centralized identity provider.
Privileged Account/Access Management
- Authorized Users must have a demonstrated business need to be granted access to privileged/administrative rights and sensitive information.
- Provider conducts quarterly privilege reviews to ensure that Authorized Users only have the rights they need to perform their duties.

Data Security
Provider’s data security program (“Data Security Program”) is designed to ensure that both sensitive business data and Customer Data are protected from unauthorized access, disclosure, and deletion. Provider has policies in place to govern the classification, usage, protection, retention, and destruction of data.
Usage
- Only those with a demonstrable business need are able to access Customer Data
- Identifiable Customer Data is not permitted to be removed from production systems or downloaded to local Authorized User machines via policy
- Data classification levels are defined and applied throughout the organization
- All data and documents should be labeled with their data classification level
Retention
Provider’s data retention policy has been established to maintain Customer Data for only as long as is necessary to support business operations. That means:
- Provider retains the product’s audit log data for 13 months and subsequently deletes it from the Platform. Activities (interactions with the API itself) are stored indefinitely.
- When a business relationship between Provider and Customer is terminated, and deletion is specifically requested by the Customer, Provider will delete all Customer Data within a reasonable period of time after termination. Otherwise, log data is deleted at the end of the retention period.
Destruction
- Secure delete functions are used wherever possible
Protection & Encryption
- All data is required to be encrypted at rest on whatever platforms Provider uses to provide services to customers
- All data in transit is encrypted by standard encryption methods, including TLS v1.2
- Full-disk encryption is required for all Authorized User workstations and is periodically audited for compliance
Privacy
strongDM maintains a Privacy Policy for usage of its public website, which can be viewed at https://www.strongdm.com/privacy. Privacy commitments for usage of the strongDM Platform are governed within the Agreement.

Asset Management
Provider has established an asset management program to track all corporate assets and ensure strong controls around the purchasing, issuing, reclamation, and disposal of hardware and software.
Hardware and Software Procurement and Management
- All hardware and software is purchased through a central IT team
- All hardware assets are checked out to specific Authorized Users
- Excess hardware is wiped of all data and disposed of through a trusted business partner
License Management
- Provider ensures that all software is properly licensed and appropriately used

Endpoint and Perimeter Defense
Provider has an endpoint and network protection program that includes system hardening, anti-malware requirements, and vulnerability management.
System and Application Hardening
- Systems are configured against baselines for basic security controls, such as full-disk encryption, local firewalls, and minimal Authorized User accounts.
- All production systems have adaptive anti-malware, file integrity monitoring, and vulnerability scanning agents installed.
- All corporate systems have endpoint detection and response/anti-malware software deployed that alerts to a central console.
Vulnerability Management
- Provider conducts regular vulnerability assessments against its production systems.
- Vulnerabilities are rated based on CVSS, availability of exploit code, and public attack surfaces, and remediated in a timeframe governed by Provider policy.
Perimeter Defenses
- Network access controls are put in place and configured via a source-controlled repository to ensure only appropriate and authorized ports are open.
- Direct access to production systems is not permitted, and may be made only via the Platform itself.

Security Incident Response
Provider’s security incident response program is based on the incident command system to provide assurance that Provider’s processes are repeatable and the appropriate resources are available internally.
- Provider tests its incident response plan & processes quarterly.
- Provider conducts post-incident reviews after each test and incident to gather feedback and incorporate it into its processes.
- If Customer Data is affected by a security incident, Provider will notify the affected Customer in a reasonable timeframe after confirmation of the scope of the incident.

Secure System and Software Development
Provider has implemented a robust software/systems development life cycle to ensure the highest quality code and systems are deployed into the Provider environment.
- Provider maintains custom static analysis and linting code.
- Every developer contributes to that system and responds to security alerts.
- Each commit is authored and reviewed by a pair of developers with responsibilities for cross-training for secure coding practices as part of the code review process.
Independent Testing
- Provider partners with an independent third party to conduct annual penetration tests on Provider’s web application and API.

Contingency Planning
Provider has created a holistic contingency planning program to assess and prepare for potential disruptions to Provider’s business and its ability to provide the Platform to Customers.
Business Continuity Planning
- Provider has implemented a robust system architecture designed to eliminate single points of failure.
- Provider’s people are distributed across the Western hemisphere, which helps ensure that a disaster in one region doesn’t affect Provider’s ability to continue operating.
Disaster Recovery Planning
- Provider has established RTOs and RPOs for bringing services online in the event of a complete disruption of services.
- Provider conducts full-scale annual tests of its disaster recovery plan and incorporates any improvements into the plan for following years.

Information Security Training & Testing
- Provider trains all employees on security awareness at least annually.
- The Director, Security & Compliance regularly updates Provider on evolving security threats.

Risk Management
Provider has a risk management program built around relevant NIST 800-series special publications.
- Provider conducts annual risk assessments and quarterly risk sessions with executive leadership to identify, assess, and act on risks to the business and the Platform.
- Risks are tracked on a centralized risk register.
- All risks are categorized and assigned an owner who is responsible for evaluating the impact and likelihood of the risk and providing a treatment recommendation to the risk management team.
Vendor/Third-party Risk Management
- Provider has implemented a vendor risk management program and policy to vet the security of Provider’s critical vendors.
- Provider assesses any potential impacts those vendors could have on the security and availability of the Platform or its business.

Auditing and Compliance
External Auditing
- Provider partners with an independent third party to conduct an annual SOC 2 Type 2 audit of the Services.
- Provider’s SOC 2 Type 2 audits are scoped against 2017 Trust Services Criteria regarding Common Criteria/Security, Availability, and Confidentiality.
Internal Auditing
- Provider performs a number of types of internal audits for compliance with its controls and policies

Use of External Vendors
Subservice Organizations
Provider uses the following subservice organizations in the delivery of the Platform:
Subservice Organization Name   | Services Provided
Amazon Web Services (AWS)      | Cloud hosting provider
MailChimp (fka Mandrill)       | Transactional email provider