This Security Requirements document describes safeguards and technical, physical and organizational precautions undertaken by the BeyondTrust to ensure that data of our customers (each, a “Customer”) is reasonably protected from unauthorized access and disclosure. This document constitutes the Security Requirements as referenced in the BeyondTrust Software License Subscription Agreement.
1.0 Definitions
“Business Contact Information” is defined at name, job title, department name, BeyondTrust name, business telephone, business fax number, and business email address.
“De-identification” or “de-identified” is defined as removing, obscuring, masking, or obfuscating enough Personally Identifiable Information from a record to ensure that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual and no less protections than the provisions of NIST – Draft Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information or its successor.
“Extended Workforce” is defined as any third party with access to Customer Protected Information, through, or under BeyondTrust, including sub-contractors and sub-contractors of whatever tier.
“Information Processing System(s)” is defined as the individual and collective electronic, mechanical, and software components of BeyondTrust’ operations that store, protected Customer’s Protected Information.
“Information Security Event” is defined as any situation where Customer Protected Information is lost; is subject to unauthorized or inappropriate access, use, or misuse; the security, confidentiality, or integrity of the information is compromised; or the availability of Information Processing System(s) is compromised by external attack.
“Personally Identifiable Information (PII)” means any information with can be used to distinguish or trace an individual’s identity, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual as set forth in NIST – Draft Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) or its successor. PII is included in the definition of Confidential Information.
“Protected Information” means Customer member, customer, employee, or workplace information, including PII, or information about the Customer whether the information is received from Customer or directly from the Customer member, customer, or employee including, but not limited to name, address, , or any such other information required to be protected or encrypted by local, state, or federal law, regulation or statute, or mandatory industry standard. Protected information is included in the definition of Confidential Information.
2.0 Purpose
BeyondTrust has implemented and maintains a comprehensive security program covering all areas of Information Security and with the intention of providing defense in depth for the protection of sensitive Customer information. The program protects Information Processing System(s) and media containing Customer Protected Information from internal and external security threats, as well as Customer Protected Information from unauthorized disclosure. The purpose of this document is to describe the controls, methodologies, and guidelines that BeyondTrust has deployed in the protection of PII and other Customer data.
3.0 Security Policy
3.1 Formal Security Policy. BeyondTrust has a security information policy that is approved by BeyondTrust’ management and is communicated to all BeyondTrust workforce personnel. BeyondTrust shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of BeyondTrust information systems and/or Customer's Data Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer's information systems, including without limitation any hardware or software supporting Customer, and Customer's Confidential Information.
3.2 Security Policy Review. BeyondTrust will review the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. BeyondTrust will ensure that has a similar policy review process. BeyondTrust shall periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer's Confidential Information within BeyondTrust information systems as well as the maintenance and structure of BeyondTrust's information systems. BeyondTrust shall document the results of these evaluations and any remediation activities taken in response to such evaluations.
4.0 Organizational Security
4.2 Security Requirement Persistence. BeyondTrust will include as part of its agreements with its Extended Workforce requirements no less stringent than those contained in this document, including all subsequent parties having access to Customer Protected Information or Information Processing System(s) containing Customer Protected Information.
4.3 Materiality of Organizational Security. BeyondTrust agrees that the requirements listed under Organizational Security are material to its Agreements with Customers.
5.0 Asset Management
5.1 Asset Inventory. BeyondTrust will maintain an inventory listing containing at a minimum all Information Processing System(s) and media containing Customer Protected Information.
5.2 Acceptable Use. BeyondTrust will maintain guidance on the acceptable use of information and assets which is no less restrictive than ISO/IEC 27001 or its successor. Such guidance is approved by BeyondTrust’ management and is published and communicated to all BeyondTrust workforce personnel.
5.3 Portable Devices. Customer Protected Information, may not be stored on portable devices including, but not limited to laptops, Personal Digital Assistants, MP3 devices, and USB devices. The foregoing does not prohibit the storage of Protected Information on portable media such as tapes within a data center or in secure offsite storage.
5.4 Personally Owned Equipment. Customer Protected Information may not be stored on personally-owned equipment.
6.0 Human Resources Security
6.1 Security Awareness Training. BeyondTrust workforce members will receive security awareness training appropriate to their job function. Recurring security awareness training will be delivered at planned intervals and as required to mitigate significant changes to information security risk.
6.2 Removal of Access Rights. The access rights of all BeyondTrust workforce members with access to Information Processing System(s) or media containing Customer Protected Information will be removed immediately upon termination of their employment, contract, or agreement, or adjusted upon change of job function.
6.3 Background Checks. BeyondTrust will conduct pre-employment background checks of all global candidates for employment. Such background checks will include the following elements: SSN / name verification, criminal record checks, credit, education verification, and drug screening.
7.0 Physical and Environmental Security
7.1 Secure Areas. All areas, including facilities, telecommunication areas, cabling areas, and off-site areas that contain Information Processing System(s) or media containing Customer Protected Information must be protected by the use of appropriate security controls to include, but not be limited to:
7.1.1 Access will be controlled by use of a defined security perimeter, appropriate security barriers, entry controls, and authentication controls as determined by BeyondTrust’ security risk assessment. A record of all accesses will be securely maintained for a minimum of 90 days.
7.1.2 All personnel are required to wear some form of visible identification to identify them as employees, contractors, visitors, etc.
7.1.3 Visitors to secure areas are escorted or cleared via an appropriate background check for non-escorted access. Date and time of entry and departure will be recorded and kept for a minimum of 90 days.
8.0 Communications and Operations Management
8.1 Protections Against Malicious Code. BeyondTrust will use detection, prevention, and recovery controls which are no less current than ISO/IED 27001 or its successor to protect against malicious software and will train BeyondTrust workforce personnel on the prevention and detection of malicious software.
8.2 Back-ups. BeyondTrust will perform appropriate back-ups of Information Processing System(s) and media containing Customer Protected Information as required to protect the confidentiality, integrity, and availability of Customer Protected Information.
8.3 Media Handling. BeyondTrust will control media containing Customer Protected Information to protect against unauthorized access or misuse.
8.4 Media Disposal. BeyondTrust will securely dispose of media (including, but not limited to paper, disks, CDs, DVDs, optical disks, USB devices, and hard drives) containing Customer Protected Information by the maintenance of procedures to include, but not be limited to:
8.4.1 Disposal of media containing Customer Protected Information so that it is rendered unreadable or undecipherable, such as by burning, shredding, pulverizing, or overwriting similar to the methods described in NIST Special Publication 800-88.
8.4.2 Maintenance of a disposal log that is secured and provides an audit trail of disposal activities. The log will be kept for a minimum of 90 days.
8.4.3 Purge of Customer Protected Information from all of BeyondTrust’ physical storage mediums (filing cabinets, drawers, etc.) and Information Processing System(s) within thirty (30) days of the latest occurrence of the following: (i) upon extermination of this agreement; (ii) upon the completion of BeyondTrust’ performance obligations under this document; (iii) when no longer required by law or court order; or (iv) the destruction date specified in BeyondTrust’ documented record retention schedule.
8.4.3.1 Upon request, BeyondTrust will provide a Certificate of Destruction to Customer certifying that all Customer Protected Information was purged within time frame as stated in the Agreement, following the purge.
8.5 Exchange of Information. To protect the confidentiality and integrity of Customer Protected Information in transit, BeyondTrust will:
8.5.1 Perform an inventory and risk assessment of all data exchange channels (including, but not limited to FTP, HTTP, HTTPS, SMTP, modem, and fax) at a minimum for those data exchange channels used to transmit Customer Protected Information in order to identify and mitigate risks to Customer Protected Information from the use of these channels.
8.5.2 Monitor all data exchange channels to detect unauthorized information (including, without limitation, PII) releases.
8.5.3 Use appropriate security controls and approved data exchange channels when exchanging Customer Protected Information.
8.5.4 Use industry standard enhanced security measures where available (at a minimum TLS1.2 or better encryption) to encrypt Customer Protected Information transmitted via open networks, including, but not limited to the Internet and wireless.
8.5.5 Prohibit information about Customer customers, members, or workforce members gathered by BeyondTrust web pages from being used except for the performance of its obligations under this document.
8.5.6 Prohibit the use of web tracking technologies including, but not limited to web beacons, web bugs, invisible GIFs, and persistent cookies from being used to gather information about Customer customers, members, or workforce members, except as agreed to in writing by Customer and as necessary for BeyondTrust to perform its obligations under this Agreement.
8.6 Protection of Information. To protect the confidentiality and integrity of Customer Protected Information at rest, BeyondTrust will:
8.6.1 Encrypt all Customer Protected Information wherever it resides on BeyondTrust systems.
8.6.2. Encrypt all Customer Protected Information on all backup and removable media.
8.6.3. Utilize industry-standard encryption algorithms and mechanisms (AES-256 at a minimum wherever possible, off-system key storage) for all at-rest encryption implementations.
8.6.4. Develop and implement a full key lifecycle management program and subsequent processes designed to fully protect encryption keys.
8.7 Vulnerability Management. To protect against system, network, and application vulnerabilities and exploitation, BeyondTrust will:
8.7.1 Regularly monitor vulnerability and patch notification lists and repositories for new and updated system vulnerability information.
8.7.2 Regularly scan internal and external networks and applications for the existence of potential security weaknesses and gaps, on a period not to exceed thirty (30) days between cycles.
8.7.3 Perform risk assessment of all disclosed and relevant vulnerability information as it applies to BeyondTrust systems, networks, and applications.
8.7.4 Test all planned updates and mitigations prior to deployment into production environments.
8.7.5 Update systems, networks, and applications to protect against vulnerabilities on a defined and continuous cycle, not to exceed thirty (30) days in total duration.
8.7.6 Utilize a process to deploy updates deemed to be critical in nature, based on a risk assessment, more rapidly than the normal cycle.
8.7.7 Perform penetration testing of networks, systems, and applications on an annual basis that includes testing to exploit identified security weaknesses and gaps as well as faulty business and processing logic.
8.8 Monitoring. To protect against unauthorized access or misuse of Customer Protected Information residing on Information Processing System(s), BeyondTrust will:
8.8.1. Employ security controls which are no less restrictive than ISO/IEC 27001 or its successor and tools to monitor Information Processing System(s) for unusual or suspicious activities, exceptions, and Information Security Events.
8.8.2 Protect logging functions and log information against tampering and unauthorized access and keep critical logs for a minimum of 90 days.
8.8.3 Perform, at a minimum, quarterly reviews of access logs and take immediate actions necessary to mitigate issues found.
8.8.4 At Customer’s request, make redacted logs available to Customer to assist in investigations.
8.8.5 Synchronize the clocks of all relevant Information Processing System(s) using a national or international time source.
9.0 Access Control
9.1 User Access Management. BeyondTrust Information Processing System(s)are protected against unauthorized access or misuse of Customer Protected Information, BeyondTrust will:
9.1.1 Employ a formal user registration and de-registration procedure for granting and revoking access rights to all Information Processing System(s).
9.1.2 Employ a formal password management process. BeyondTrust shall implement appropriate password parameters for systems that may access, transmit or store Customer's Confidential Information ("Systems"). BeyondTrust shall implement strong authentication services and complex passwords ("Passwords") for all network and systems access to related Systems. Default passwords used in BeyondTrust's products shall be changed upon installation.
9.1.3 Perform a recurring review of users’ access and access rights to ensure that they are appropriate for the users’ role.
9.2 User Responsibilities. To protect against unauthorized access or misuse of Customer Protected Information residing on Information Processing System(s), BeyondTrust will:
9.2.1 Train Information Processing System(s) users on current security practices in the selection and use of strong passwords.
9.2.2 Use appropriate controls to protect unattended equipment from access and use by unauthorized individuals.
9.2.3 Use appropriate controls to protect Customer Protected Information contained in all work areas from inappropriate access, including, but not limited to paper and on display screens.
9.3 Network Access Control. Access to internal, external, and public network services that allow access to Information Processing System(s) will be controlled. In order to mitigate the risk of unauthorized access, BeyondTrust will:
9.3.1 Use authentication controls that are no less restrictive than ISO/IEC 27001 or its successor.
9.3.2 Network access controls that are no less restrictive than ISO/IEC 27001 or its successor.
9.3.3 Tightly control access to physical and logical diagnostic and configuration ports.
9.4 Operating System Access Control. To protect against unauthorized access or misuse of Customer Protected Information residing on Information Processing System(s), BeyondTrust will:
9.4.1 Control access to operating systems by use of a secure log-on procedure.
9.4.2 Use unique identifiers (e.g. user IDs) to uniquely identify Information Processing System(s) users.
9.4.3 Monitor and control access to utility programs that are capable of overriding system and application controls.
9.4.4 When technically possible, shut down inactive sessions after a defined period of time.
9.4.5 When technically possible, employ restrictions on connection times to high risk applications.
9.5 Mobile Commuting and Remote Working. To protect Customer Protected Information residing on Information Processing System(s) from the risks inherent in mobile computing and remote working, BeyondTrust will:
9.5.1 Perform a risk assessment which, at a minimum, identifies and mitigates risks to Customer Protected Information from mobile commuting and remote working.
9.5.2 Maintain policies and procedures for managing mobile commuting and remote working.
9.5.3 Use security controls to manage authentication of mobile and remote users which are no less restrictive than ISO/IEC 27001 or its successor.
10.0 Information Systems Acquisition, Development, and Maintenance
10.1 Security of System Files. To protect Information Processing System(s) and system files containing Customer Protected Information, BeyondTrust will restrict access to source code to authorized users who have a direct need to know.
10.2 Security in Development and Support Processes. To protect Information Processing System(s) and system files containing Customer Protected Information, BeyondTrust will:
10.2.1 Use a formal change control process to implement Information Processing System(s) changes.
10.2.2 Use security controls which are no less restrictive than ISO/IEC 27001 or its successor to minimize information leakage.
10.2.3 Perform quality control and security management oversight of outsourced software development.
11.0 Information Security Incident Management
11.1 Reporting Information Security Events and Weaknesses. To protect Information Processing System(s) and system files containing Customer Protected Information, BeyondTrust will:
11.1.1 Maintain a process to ensure that Information Security Events are reported through appropriate management channels as quickly as possible. BeyondTrust will ensure that its Extended Workforce has a similar process.
11.1.2 Perform initial and recurring training of all BeyondTrust workforce personnel and Extended Workforce on how to report any observed or suspected Information Security Event. BeyondTrust will ensure that its Extended Workforce has a similar process.
11.1.3 Notify Customer by email or phone within forty-eight (48) hours of all Information Security Events which affect Customer Protected Information or environments that store, transmit, or process Customer Protected Information. Following any such event, BeyondTrust will promptly notify Customer whether or not Customer Protected Information was compromised or released to unauthorized parties, the Customer Protected Information that was affected, and details of the event.
12.0 Business Continuity Management
12.1 Business Continuity Management Program. In order to protect the confidentiality, integrity, and availability or Customer Protected Information, BeyondTrust will:
12.1.1 Maintain a business continuity management program that ensures that security controls that meet or exceed the requirements of this document are maintained in test and actual business continuity scenarios.
12.1.2 Update and test Business Continuity Plans annually at a minimum, and as required to mitigate significant changes to information security risk. RTO/RPO timescales are situation specific and will vary depending on the nature of the incident.
13.0 Security Assessments
13.1 Initial and Recurring Security Assessments. Each year throughout the Term of the Agreement, BeyondTrust will permit Customer representatives to conduct an annual assessment through security questionnaires and documentation review.
13.2 Security Assessments Following Information Security Events. Following the occurrence of an Information Security Event, BeyondTrust will provide information related to the physical and logical security controls used at BeyondTrust’ data processing and business facilities in order to assess the impact of the event, even if an assessment has been completed within the year.
13.3 Security Assessment Findings. Upon completion of an assessment, Customer may provide BeyondTrust with an assessment that summarizes Customer’s findings. Upon Customers reasonable request, BeyondTrust will provide the following in relation to BeyondTrust’s security, confidentiality, privacy, and other controls for its services and products provided under the Agreement: 1) a summary of applicable tests undertaken by BeyondTrust along with an executive summary of the testing and 2) a copy of the audits and assessment reports undertaken by BeyondTrust or a third party retained by BeyondTrust, which includes a SOC 2 Type II reports,. Should BeyondTrust be made aware of or otherwise discover, deficiencies categorized as critical or high, BeyondTrust will take commercially reasonable efforts to remediate those deficiencies,.
14.0 De-Identification of Customer Protected Information Used in Non-Production Environments
14.1 Exclusions to the De-Identification Requirement.
14.1.1 De-identification is not required if the security controls used in the environment are equivalent to the security controls used in the production environment and the security controls used to meet or exceed the requirements of this document.
14.1.2 De-identification is not required if de-identification would interfere with the resolution of a current production failure. De-identification should be performed to the extent possible and the Customer Protected Information that has not be de-identified should be removed from the non-production environment as soon as the failure has been resolved.
14.1.3 De-identification is not required if de-identification would interfere with an atypical, short-term, non-production activity (e.g. near-production final testing) where de-identification would distort the results of the activity. De-identification should be performed to the extent possible and the Customer Protected Information that has not been de-identified should be removed from the non-production environment as soon as the activity has been completed.
14.1.4 If Customer PII is required to be used in non-production environments and the requirement does not meet one of the exceptions listed above, BeyondTrust will obtain written permission from Customer prior to the use.
15.0 Privacy
15.1 Segregation. All Customer data is segregated from data of other Customers, as well as internal data from BeyondTrust.
15.2 Data Usage. BeyondTrust will not use Customer data for any purpose other than in support of the obligations described herein and within any additional services agreement.
15.3 Legal Compliance. BeyondTrust maintains compliance with all applicable privacy laws and regulations in the US and internationally, including without limitation United States state privacy laws.
15.4 Testing Restrictions. BeyondTrust does not use Customer information, in whole or in part, in connection with any testing in system development. Customer information means all Customer, associate, employee, contractor, and payroll information submitted by or with respect to Customer to BeyondTrust in the performance of the services specified within any additional services agreement.
16.0 Vendor Management
16.1 Vendor Assessment. BeyondTrust conducts annual reviews and risk assessments of all vendors processing, storing, or transmitting Customer Protected Information.
16.2 Vendor Risk Assessment. Information gathered from the vendor review is used as inputs to the BeyondTrust risk assessment process which is used to generate a metrics-based narrative report identifying all areas of concern and the associated potential impact and likelihood.
16.3 Vendor Risk Remediation. BeyondTrust works with the vendor to identify a plan of action for remediation of all identified risks and the successful completion of the remediation plan.
17.0 changes.
BeyondTrust may, from time to time and in its sole discretion, make changes to this document or the terms and conditions set forth herein, provided however, in no event shall BeyondTrust make any changes that will adversely impact or degrade the safeguards and/or technical, physical and organizational precautions undertaken by BeyondTrust without the Customer’s prior written approval. When BeyondTrust makes changes hereto which do not degrade the safeguards and/or precautions undertaken by BeyondTrust, BeyondTrust will provide prominent notice as appropriate under the circumstances, e.g., by displaying a prominent notice within the applicable BeyondTrust products or services or by sending Customer an email.
