BeyondTrust has implemented and continuously maintains a robust security program and Information Security Management System (ISMS). The ISMS contains the security policies, practices, and procedures needed to protect our corporate and cloud environments and to mitigate unauthorized access, destruction, use, modification, or disclosure of our organization’s data and, more importantly, our customers’ data.
The ISMS is certified against ISO/IEC 27001, and our Privacy Information Management System (PIMS) is certified against ISO/IEC 27701. In addition, numerous security and compliance audits are performed to assess our corporate practices, product portfolio, and cloud environments against the AICPA SOC 2 Type II requirements.
BeyondTrust’s ISMS consists of 26 policies and standards that reflect the organization’s security posture and compliance with industry standards. These policies and their associated standards are topic-centered and include:
- Access Management
- Asset Management
- Audit Management
- Change Management
- Communications Management
- Configuration Management
- Use of Cryptography
- Data Protection
- Device & Media Control
- Disaster Recovery & Business Continuity Management
- Endpoint Use & Endpoint Security
- Exception and Approval Process
- Human Resources Security Management
- Incident Management
- Information Lifecycle Management
- Information Security Management
- Logging & Monitoring Management
- Network Security Management
- Password & Authentication Management
- Patch Management
- Personal Information Management
- Physical & Environmental Security Management
- Risk Analysis & Management
- Software Development
- Third-Party Risk Management
- Vulnerability Management
BeyondTrust conducts pre-employment background checks on all candidates for employment, globally. These checks include identity verification, right-to-work confirmation, criminal record checks, credit checks, education verification, and drug screening.
A formal Security Awareness Training program is in place that all employees must complete before starting employment, annually thereafter, and on an as-needed basis. The content covers current security threat information, social engineering (including phishing and ransomware), compliance efforts, and privacy considerations. Additionally, phishing simulations are run for all staff to increase awareness of social engineering attacks.
Formal procedures are implemented for managing access throughout the organization. All access requests are reviewed and approved in accordance with defined policies. Users are centrally managed and authenticated via corporate Single Sign-On which requires FIDO2 multi-factor authentication (MFA). Technical and role-based access controls are in place to ensure that users only have the necessary level of access required to carry out their duties following Least Privilege criteria.
BeyondTrust protects all endpoints within the organization to minimize the likelihood of a weakness being exploited. Controls such as full disk encryption, endpoint detection and response (EDR), web-content filtering, centralized configuration management, and the use of our own product suite empower our security personnel to safeguard effectively against anomalous activity.
To protect all email communications against malicious acts such as spam, phishing, and viruses, our company has implemented a highly regarded email security platform. Next-generation Internet-edge firewalls are configured to inspect all traffic across our environments, and alerts are configured to notify staff of anomalous activity.
A dedicated team is responsible for managing all aspects of logging and monitoring within the organization, covering both corporate and cloud environments. Logs are centrally managed and ingested into a SIEM so that anomalous activity can be detected and actioned accordingly.
The BeyondTrust SIEM receives comprehensive security logging such as ingress authentication logging to track user access and activity, threat analytics to detect any suspicious software installations, and third-party access detection to alert BeyondTrust personnel to any potential malicious activities. All such incidents are automatically reported to the BeyondTrust Information Security team for analysis and appropriate action taken based on the severity and relevance of the alert.
A robust incident response plan is in place that addresses all aspects of identification, containment, eradication, and recovery, and incorporates lessons learned into ongoing improvement of the plan.