RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

Transcription

1 RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS RMS REPORT PAGE 1

2 Confidentiality Notice Recipients of this documentation and materials contained herein are subject to the restrictions of the confidentiality provisions contained in applicable license agreements, services agreements, or any other applicable nondisclosure terms executed with RMS. Except to the extent permitted by the terms of a license agreement or non-disclosure agreement with RMS, no part of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written consent from RMS. Warranty Disclaimer and Limitation of Liability Information in this document is subject to change without notice and does not represent a commitment on the part of RMS. The material contained herein is supplied as-is and without representation or warranty of any kind. RMS assumes no responsibility and shall have no liability of any kind arising from the supply or use of this document or the material contained herein Risk Management Solutions, Inc. All rights reserved. Use of the information contained herein is subject to an RMSapproved license agreement. Licenses and Trademarks ALM, RiskBrowser, RiskCost, RiskLink, RiskOnline, RiskSearch, RiskTools, RMS, RMS LifeRisks, RMS logo, and RMS(one) are registered and unregistered trademarks and service marks of Risk Management Solutions, Inc. in the United States and other countries. All other trademarks are the property of their respective owners. Risk Management Solutions, Inc Gateway Boulevard, Newark, CA USA Risk Management Solutions, Inc. All rights reserved. PAGE 2

3 Table of Contents Data Security Security: Protect and Control... 4 Application Security Secure Architecture... 5 Infrastructure Security Network System Hardening Encryption in the Cloud Vulnerability Management and Penetration Testing Monitoring, Logging, and Auditing End-User Controls Physically Secure Hardened Data Centers Stringent Change Management and Restricted Access Integrated Business Continuity Security Compliance: Trust and Verify Complying with Standards and Regulations Verifying Our Security Practices Independent Third-Party Audits More Information About RMS(one) Solutions Compliance RMS Information Security proactively incorporates security principles and best practices throughout our organization to accelerate business growth while providing assurance to our customers that their data is secure and protected during transmission, processing, and storage. PAGE 3

4 Data Security Trust is the foundation of our relationship with our customers. We value the trust you have put in us as stewards of your data, and we take seriously the responsibility of protecting your data. RMS(one) solutions are highly secure and designed and built to meet the rigorous standards you expect from us. We are committed to continue developing RMS(one) solutions with an emphasis on security and compliance. Security: Protect and Control RMS has designed our robust information security management methodology to assess and address risks, reflecting our culture of security. The RMS(one) platform is a secure, hosted infrastructure with multiple layers of protection. We protect your data through dedicated security resources and tools for visibility and control that are deployed across our software development, legal, monitoring, information security, and cloud operations teams. We approach security from two specific verticals: application security and infrastructure security. Application Security The RMS(one) platform and RMS(one) solutions use continuous automated and manual security testing processes throughout the system development life cycle (SDLC). The testing processes identify and patch potential security vulnerabilities and bugs on the RMS(one) platform. These processes include static application security testing (SAST), dynamic application security testing (DAST), open-source scanning (OSS), and manual penetration testing. The RMS(one) platform and RMS(one) solutions use independent third-party auditors annually to certify our security, systems, and controls. Additionally, we have trained security experts in the RMS(one) development and quality testing teams as well as an external bug bounty program. Here is a brief outline of our application security processes: 1. SAST: Continuous static analysis scanning of application source code and binaries that identify potential security vulnerabilities. 2. DAST: Continuous dynamic scans of our applications as they evolve, to provide automatic detection and assessment of code changes and alerts for newly discovered vulnerabilities. 3. OSS: Continuous scanning of our open-source code, mapping open source in use to known security vulnerabilities and flagging potential licensing issues to ensure open-source license compliance. PAGE 4

5 4. Manual penetration (pen) testing: Identifying Open Web Application Security Project (OWASP) top 10 security risks and emerging threat risks throughout the software development lifecycle. This testing culminates in annual third-party pen testing and certification and includes working with third-party security specialists, other industry security teams, and the security research community. 5. Vulnerability tracking: Using a find, fix, and manage security remediation process, identified issues are logged, triaged, fixed, retested, and brought to closure in a timely manner dictated by severity levels. A dedicated security partner works with RMS engineering and project teams to raise awareness of the risks related to data security and confidentiality. This dedicated stakeholder helps to: Identify and mitigate potential threats to RMS(one) solutions Investigate potential risks and assess their impact Establish actions to mitigate risks Track corrective actions to completion Communicate results Secure Architecture The RMS(one) platform is based on a segregated data model designed to keep customer data secure and completely isolated through security access controls which enforce seclusion within the database. Mechanisms are built into the application to log and track user activity, including authentication and access. Figure 1: RMS(one) architecture overview UI UI UI API API API API API API Execution Execution Execution Storage Storage Storage PAGE 5

6 Authentication endpoints, including application programming interfaces (APIs), are throttled to prevent brute-force and denial-of-service (DDOS) attacks. User authentication and password enforcement are based on guidelines established by the National Institute of Standards and Technology. Infrastructure Security Network RMS network security combines advanced and hardened firewalls, network segmentation, intrusion detection, and prevention systems, along with ongoing log monitoring and analysis for threat prevention. Our production management network, which hosts customer data, is segregated from the corporate network and access is restricted to authorized individuals on a need-to-know basis. Access to our production management network requires multi-factor authentication. System Hardening To minimize security risks, we perform system hardening and minimization (also known as operating system hardening). This means that operating systems are reduced to the minimum of necessary capabilities, with all non-essential software, services, protocols, modules, programs, utilities, default accounts, and usernames removed prior to production release. Our baselines reflect the industrystandard recommendations from the Center for Internet Security. Only essential services and ports are opened. Encryption in the Cloud Industry best practices are used when encrypting data to and from our data centers and cloud providers. Data transferred between end users and RMS is also encrypted using an industrystandard minimum 256-bit encryption mechanism. Vulnerability Management and Penetration Testing To defend against evolving threats, RMS performs regular vulnerability scans supplemented by independent, third-party penetration assessments. We also submit new environments to a vulnerability assessment process prior to production release. Identified issues are resolved in line with our vulnerability management and patch management processes to address operational and security issues. PAGE 6

7 Monitoring, Logging, and Auditing We manage and monitor the security and integrity of all stored and processed data. Our Security Operations Command Center monitors RMS environments 24/7 using highly skilled and trained security engineers. Security incident and event management (SIEM) tools enable our security operations team to identify and proactively remedy potential security concerns through periodic review and log analysis. The team investigates threats and anomalous activity to block such activity or suspicious access vectors. Potential security incidents are investigated and addressed based on our security incident response procedures. We conduct company-wide information security training, including tabletop exercises, to ensure preparedness. Dedicated platform, infrastructure, and cloud-provider support teams also provide monitoring and operational support so your environment runs optimally. Database administrators are part of these support teams and have access to customer data. This access is solely to enable us to maintain and operate the platform to meet our service level commitments. We log access to systems. The security systems capture and log end-user information when your designated end-users access RMS(one) solutions. This auditable logged information includes: The identity of the end user Manner of accessing and using the features, capabilities, and functions of RMS(one) solutions The actions they requested and performed on your behalf This information is used to maintain security and to efficiently and effectively operate and administer RMS(one) solutions. End-User Controls We use antivirus and anti-malware software to safeguard endpoints from malicious software and security vulnerabilities. Virus definition files are updated periodically and scans are performed regularly. Endpoints for corporate users feature hard-disk drive encryption. An enterprise-wide data loss prevention (DLP) solution is in place to prevent data leakage. Users are required to use strong authentication controls, including password controls in line with industry best practices. PAGE 7

8 Physically Secure Hardened Data Centers The RMS(one) platform and RMS(one) solutions infrastructure are housed within a cloud provider in strategically located, geographically separate, Tier-III-standards-compliant data-center buildings designed to mitigate risks from natural and human-made disasters. We have partnered with Microsoft Azure who has multiple data-center locations around the world, all with ISO and SOC 2 compliance that attest to the physical and environmental security of its global data centers. All data-center buildings are constructed and operated to restrict access to authorized personnel only. In addition, multiple physical security measures restrict entry and access to specifically authorized people for the RMS(one) solutions infrastructure. All RMS(one) solutions infrastructure resides in private, locked cages within each data center. A limited number of authorized personnel with clearance vetted by third-party background checks and stringent security training can physically access the infrastructure. Only the authorized personnel of the RMS Cloud Operations team can have access privileges and authority to perform scheduled maintenance and upgrades. Cloud and RMS(one) solutions data-center access and system administrative activities are logged, monitored, and audited to be consistent with industry best practices. Stringent Change Management and Restricted Access The RMS(one) solutions team maintains operational-level security and governance through a combination of technology and best-practice-based policies, procedures, and processes, using industry-standard, change-management processes. We also follow industry-standard processes for incident management, release management, and problem resolution. Integrated Business Continuity A disaster recovery (DR) package can be purchased as an add-on to enable business continuity during an adverse event. The DR data center is physically separate from the primary production data center and resides within the same geopolitical region. It uses data replication to ensure instant recovery from failure and resumption of production operation. Client data is mirrored to the DR data center using encrypted transfers from production data. If a production data center experiences a significant and extended outage, the DR data center will include failover capability as a stand-in that provides business continuity. For extra safety, we regularly validate our DR data center and corresponding processes. Security Compliance: Trust and Verify Compliance is an effective way to validate the trustworthiness of a service. RMS encourages and expects verification that our security practices comply with the most widely accepted standards and regulations, including ISO and SOC 2. Our independent third-party auditors test our controls and provide their assessment and reports. PAGE 8

9 The RMS(one) platform and RMS(one) solutions are certified for ISO and SOC 2 (for Security, Availability, and Confidentiality), and are self-certified for the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR). Complying with Standards and Regulations ISO CERTIFICATION The International Organization for Standardization (ISO) has developed a series of world-class standards for information and societal security to help organizations develop reliable and innovative products and services. We have certified our systems, applications, people, and processes through a series of audits by an independent third party. ISO Information Security Management ISO is recognized as the premier information security management system (ISMS) standard around the world. We continually and comprehensively manage and improve our physical, technical, and organizational controls according to ISO CLOUD SECURITY ALLIANCE: SECURITY, TRUST, AND ASSURANCE REGISTRY The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) is a free, publicly accessible registry that offers a security assurance program for cloud services. This helps users assess the security posture of current or potential cloud providers. We have completed the CSA STAR Level 1 Self-Assessment, a rigorous survey based on CSA s Consensus Assessments Initiative Questionnaire (CAIQ). The questionnaire aligns with the CSA Cloud Controls Matrix (CCM) and provides answers to more than 130 questions a cloud customer or cloud security auditor may want to ask. The CSA STAR Level 1 Certification for RMS(one) solutions is available upon request through our sales or account management teams. SOC REPORTS Service Organization Control (SOC) reports known as SOC 1, SOC 2, and SOC 3 are frameworks established by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls implemented within an organization. The RMS(one) platform validates systems, applications, people, and processes through a series of audits by an independent third party. SOC 2 for Security, Confidentiality, and Availability The SOC 2 report provides customers with a detailed level of controls- based assurance. The SOC 2 report has a detailed description of the RMS(one) solutions processes, and there are over 100 controls in place to protect your data. In addition to our independent third-party auditor s opinion on the effective design and operation of our controls, the report includes the auditor s test PAGE 9

10 procedures and results for each control. A SOC 2 Type 1 assessment has been performed for the RMS(one) Solutions and a Type 2 assessment will be available upon request through our sales or account management teams in the first quarter of SOC 3 for Security, Confidentiality, and Availability The SOC 3 general-use report is an executive summary of the SOC 2 report that includes an independent third-party auditor s opinion on the effective design and operation of our controls and processes. Verification of Security Practices Independent Third-Party Audits RMS uses independent third-party auditors to test our systems and controls against some of the most widely accepted security standards and regulations in the world, such as ISO and SOC 2. These reviews occur at least annually and are conducted by independent, thorough, and globally respected audit and security firms. CONTINUAL IMPROVEMENT A critical part of any information security management program is the improvement of security programs, systems, and controls. To this end, RMS is committed to soliciting feedback from various internal teams, customers, and internal and external auditors, using this feedback to develop improved processes and controls. More Information About RMS(one) Solutions Compliance Compliance and certification documents can be requested through an RMS sales representative or, for current RMS(one) platform users, through your account management team. To learn more about security for the RMS(one) platform and RMS(one) solutions, visit PAGE 10