RMS(one) Solutions: Progressive Security for Mission Critical Solutions
RMS Report
Confidentiality Notice
Recipients of this documentation and materials contained herein are subject to the restrictions of the confidentiality
provisions contained in applicable license agreements, services agreements, or any other applicable nondisclosure terms
executed with RMS.
Except to the extent permitted by the terms of a license agreement or non-disclosure agreement with RMS, no part of this
document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable
form without prior written consent from RMS.
Warranty Disclaimer and Limitation of Liability
Information in this document is subject to change without notice and does not represent a commitment on the part of
RMS. The material contained herein is supplied as-is and without representation or warranty of any kind. RMS assumes
no responsibility and shall have no liability of any kind arising from the supply or use of this document or the material
contained herein.
©2017 Risk Management Solutions, Inc. All rights reserved. Use of the information contained herein is subject to an RMS-
approved license agreement.
Licenses and Trademarks
ALM®, RiskBrowser®, RiskCost®, RiskLink®, RiskOnline®, RiskSearch®, RiskTools®, RMS®, RMS LifeRisks®, RMS logo, and
RMS(one)® are registered and unregistered trademarks and service marks of Risk Management Solutions, Inc. in the United
States and other countries. All other trademarks are the property of their respective owners.
Risk Management Solutions, Inc.
7575 Gateway Boulevard, Newark, CA 94560 USA
http://support.rms.com/
RMS Information Security proactively incorporates security principles and best practices throughout our organization to accelerate business growth while providing assurance to our customers that their data is secure and protected during transmission, processing, and storage.
Table of Contents
Data Security
  Security: Protect and Control
Application Security
  Secure Architecture
Infrastructure Security
  Network
  System Hardening
  Encryption in the Cloud
  Vulnerability Management and Penetration Testing
  Monitoring, Logging, and Auditing
  End-User Controls
  Physically Secure Hardened Data Centers
  Stringent Change Management and Restricted Access
  Integrated Business Continuity
Security Compliance: Trust and Verify
  Complying with Standards and Regulations
Verifying Our Security Practices
  Independent Third-Party Audits
  More Information About RMS(one) Solutions Compliance
Data Security
Trust is the foundation of our relationship with our customers. We value the trust you have put
in us as stewards of your data, and we take seriously the responsibility of protecting your data.
RMS(one) solutions are highly secure and designed and built to meet the rigorous standards you
expect from us. We are committed to continue developing RMS(one) solutions with an emphasis
on security and compliance.
Security: Protect and Control
RMS has designed our robust information security management methodology to assess and address
risks, reflecting our culture of security. The RMS(one) platform is a secure, hosted infrastructure
with multiple layers of protection. We protect your data through dedicated security resources and
tools for visibility and control that are deployed across our software development, legal, monitoring,
information security, and cloud operations teams.
We approach security from two specific verticals: application security and infrastructure security.
Application Security
The RMS(one) platform and RMS(one) solutions use continuous automated and manual security
testing processes throughout the system development life cycle (SDLC). The testing processes
identify and patch potential security vulnerabilities and bugs on the RMS(one) platform. These
processes include static application security testing (SAST), dynamic application security testing
(DAST), open-source scanning (OSS), and manual penetration testing.
The RMS(one) platform and RMS(one) solutions use independent third-party auditors annually to certify our security, systems, and controls. Additionally, we have trained security experts in the RMS(one) development and quality testing teams as well as an external bug bounty program.
Here is a brief outline of our application security processes:
1. SAST: Continuous static analysis scanning of application source code and binaries that identify
potential security vulnerabilities.
2. DAST: Continuous dynamic scans of our applications as they evolve, to provide automatic
detection and assessment of code changes and alerts for newly discovered vulnerabilities.
3. OSS: Continuous scanning of our open-source code, mapping open source in use to known
security vulnerabilities and flagging potential licensing issues to ensure open-source license
compliance.
4. Manual penetration (pen) testing: Identifying Open Web Application Security Project (OWASP)
top 10 security risks and emerging threat risks throughout the software development lifecycle.
This testing culminates in annual third-party pen testing and certification and includes working
with third-party security specialists, other industry security teams, and the security research
community.
5. Vulnerability tracking: Using a find, fix, and manage security remediation process, identified
issues are logged, triaged, fixed, retested, and brought to closure in a timely manner dictated
by severity levels.
A dedicated security partner works with RMS engineering and project teams to raise awareness of
the risks related to data security and confidentiality. This dedicated stakeholder helps to:
• Identify and mitigate potential threats to RMS(one) solutions
• Investigate potential risks and assess their impact
• Establish actions to mitigate risks
• Track corrective actions to completion
• Communicate results
Secure Architecture
The RMS(one) platform is based on a segregated data model designed to keep customer data
secure and completely isolated through security access controls which enforce seclusion within
the database. Mechanisms are built into the application to log and track user activity, including
authentication and access.
Figure 1: RMS(one) architecture overview (diagram: UI, API, execution, and storage tiers, each hosted on virtual machines)
Authentication endpoints, including application programming interfaces (APIs), are throttled to
prevent brute-force and denial-of-service (DoS) attacks.
User authentication and password enforcement are based on guidelines established by the National
Institute of Standards and Technology.
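As an added illustration of what the two controls just described (throttled authentication endpoints and NIST-aligned password rules) look like in code, here is a Python sketch; it is not RMS's code or configuration, the limits, window, sample blocklist and addresses are assumed values constructed for the example, and the NIST SP 800-63B rules cited in the comments come from that standard rather than from this document.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque

# Constructed sample blocklist; a real deployment checks against a large list
# of breached and commonly used passwords (NIST SP 800-63B, section 5.1.1.2).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

def password_acceptable(pw: str):
    """NIST 800-63B: at least 8 characters, reject known-bad values, and no
    composition rules (digits or symbols are not forced on the user)."""
    if len(pw) < 8:
        return False, "too short"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    return True, "ok"

def make_credential(pw: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def verify_password(stored, pw: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return hmac.compare_digest(digest, candidate)  # constant-time compare

class AuthThrottle:
    """Sliding-window limits on failed logins, keyed per account (slows online
    guessing of one password) and per source address (slows one client spraying
    many accounts). The limits and window below are assumed values."""
    def __init__(self, account_limit=10, source_limit=50, window_s=900,
                 clock=time.monotonic):
        self.account_limit, self.source_limit = account_limit, source_limit
        self.window_s, self.clock = window_s, clock
        self._by_account, self._by_source = defaultdict(deque), defaultdict(deque)
    def _live(self, q, now):
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return len(q)
    def allowed(self, account: str, source: str) -> bool:
        now = self.clock()
        return (self._live(self._by_account[account], now) < self.account_limit
                and self._live(self._by_source[source], now) < self.source_limit)
    def record(self, account: str, source: str, success: bool):
        if success:  # proof of identity clears the account counter only; a
            self._by_account[account].clear()  # spraying client also succeeds sometimes
            return
        now = self.clock()
        self._by_account[account].append(now)
        self._by_source[source].append(now)

def attempt_login(throttle, creds, account, source, pw) -> str:
    """Returns 'throttled', 'denied' or 'ok'. The throttle check precedes
    verification, so a throttled client cannot make the server spend PBKDF2 work."""
    if not throttle.allowed(account, source):
        return "throttled"
    ok = account in creds and verify_password(creds[account], pw)
    throttle.record(account, source, ok)
    return "ok" if ok else "denied"
```

Throttling on failures only, and clearing the per-account counter on success, keeps a legitimate user from being locked out by their own successful logins while still bounding the number of guesses an attacker gets per window.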
Infrastructure Security
Network
RMS network security combines advanced and hardened firewalls, network segmentation, and intrusion
detection and prevention systems, along with ongoing log monitoring and analysis for threat
prevention.
Our production management network, which hosts customer data, is segregated from the corporate
network and access is restricted to authorized individuals on a need-to-know basis. Access to our
production management network requires multi-factor authentication.
System Hardening
To minimize security risks, we perform system hardening and minimization (also known as operating
system hardening). This means that operating systems are reduced to the minimum of necessary
capabilities, with all non-essential software, services, protocols, modules, programs, utilities, default
accounts, and usernames removed prior to production release. Our baselines reflect the industry-
standard recommendations from the Center for Internet Security. Only essential services and ports
are opened.
Encryption in the Cloud
Industry best practices are used when encrypting data to and from our data centers and cloud
providers. Data transferred between end users and RMS is also encrypted using an industry-
standard minimum 256-bit encryption mechanism.
Vulnerability Management and Penetration Testing
To defend against evolving threats, RMS performs regular vulnerability scans supplemented
by independent, third-party penetration assessments. We also submit new environments to a
vulnerability assessment process prior to production release.
Identified issues are resolved in line with our vulnerability management and patch management
processes to address operational and security issues.
Monitoring, Logging, and Auditing
We manage and monitor the security and integrity of all stored and processed data. Our Security
Operations Command Center monitors RMS environments 24/7 using highly skilled and trained
security engineers. Security information and event management (SIEM) tools enable our security
operations team to identify and proactively remedy potential security concerns through periodic
review and log analysis. The team investigates threats and anomalous activity in order to block such
activity and suspicious access vectors.
Potential security incidents are investigated and addressed based on our security incident response
procedures.
We conduct company-wide information security training, including tabletop exercises, to ensure
preparedness.
Dedicated platform, infrastructure, and cloud-provider support teams also provide monitoring and
operational support so your environment runs optimally. Database administrators are part of these
support teams and have access to customer data. This access is solely to enable us to maintain and
operate the platform to meet our service level commitments. We log access to systems.
The security systems capture and log end-user information when your designated end-users access
RMS(one) solutions. This auditable logged information includes:
• The identity of the end user
• Manner of accessing and using the features, capabilities, and functions of RMS(one) solutions
• The actions they requested and performed on your behalf
This information is used to maintain security and to efficiently and effectively operate and
administer RMS(one) solutions.
End-User Controls
We use antivirus and anti-malware software to safeguard endpoints from malicious software and
security vulnerabilities. Virus definition files are updated periodically and scans are performed
regularly.
Endpoints for corporate users feature hard-disk drive encryption. An enterprise-wide data loss
prevention (DLP) solution is in place to prevent data leakage.
Users are required to use strong authentication controls, including password controls in line with
industry best practices.
Physically Secure Hardened Data Centers
The RMS(one) platform and RMS(one) solutions infrastructure are housed within a cloud provider
in strategically located, geographically separate, Tier-III-standards-compliant data-center buildings
designed to mitigate risks from natural and human-made disasters. We have partnered with
Microsoft Azure, which has multiple data-center locations around the world, all with ISO 27001 and
SOC 2 compliance attesting to the physical and environmental security of its global data centers.
All data-center buildings are constructed and operated to restrict access to authorized personnel
only. In addition, multiple physical security measures restrict entry and access to specifically
authorized people for the RMS(one) solutions infrastructure. All RMS(one) solutions infrastructure
resides in private, locked cages within each data center. A limited number of authorized personnel
with clearance vetted by third-party background checks and stringent security training can
physically access the infrastructure.
Only the authorized personnel of the RMS Cloud Operations team can have access privileges
and authority to perform scheduled maintenance and upgrades. Cloud and RMS(one) solutions
data-center access and system administrative activities are logged, monitored, and audited to be
consistent with industry best practices.
Stringent Change Management and Restricted Access
The RMS(one) solutions team maintains operational-level security and governance through a
combination of technology and best-practice-based policies, procedures, and processes, using
industry-standard, change-management processes. We also follow industry-standard processes
for incident management, release management, and problem resolution.
Integrated Business Continuity
A disaster recovery (DR) package can be purchased as an add-on to enable business continuity
during an adverse event. The DR data center is physically separate from the primary production
data center and resides within the same geopolitical region. It uses data replication to ensure instant
recovery from failure and resumption of production operation. Client data is mirrored to the DR data
center using encrypted transfers from production data. If a production data center experiences a
significant and extended outage, the DR data center will include failover capability as a stand-in
that provides business continuity. For extra safety, we regularly validate our DR data center and
corresponding processes.
Security Compliance: Trust and Verify
Compliance is an effective way to validate the trustworthiness of a service. RMS encourages and
expects verification that our security practices comply with the most widely accepted standards
and regulations, including ISO 27001 and SOC 2. Our independent third-party auditors test our
controls and provide their assessment and reports.
The RMS(one) platform and RMS(one) solutions are certified for ISO 27001 and SOC 2 (for Security, Availability, and Confidentiality), and are self-certified for the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR).
Complying with Standards and Regulations
ISO CERTIFICATION
The International Organization for Standardization (ISO) has developed a series of world-class
standards for information and societal security to help organizations develop reliable and innovative
products and services. We have certified our systems, applications, people, and processes through a
series of audits by an independent third party.
ISO 27001 – Information Security Management
ISO 27001 is recognized as the premier information security management system (ISMS) standard
around the world. We continually and comprehensively manage and improve our physical, technical,
and organizational controls according to ISO 27001.
CLOUD SECURITY ALLIANCE: SECURITY, TRUST, AND ASSURANCE REGISTRY
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) is a free, publicly
accessible registry that offers a security assurance program for cloud services. This helps users
assess the security posture of current or potential cloud providers.
We have completed the CSA STAR Level 1 Self-Assessment, a rigorous survey based on CSA’s
Consensus Assessments Initiative Questionnaire (CAIQ). The questionnaire aligns with the CSA
Cloud Controls Matrix (CCM) and provides answers to more than 130 questions a cloud customer or
cloud security auditor may want to ask. The CSA STAR Level 1 Certification for RMS(one) solutions is
available upon request through our sales or account management teams.
SOC REPORTS
Service Organization Control (SOC) reports – known as SOC 1, SOC 2, and SOC 3 – are frameworks
established by the American Institute of Certified Public Accountants (AICPA) for reporting on
internal controls implemented within an organization. The RMS(one) platform validates systems,
applications, people, and processes through a series of audits by an independent third party.
SOC 2 for Security, Confidentiality, and Availability
The SOC 2 report provides customers with a detailed level of controls-based assurance. The
SOC 2 report has a detailed description of the RMS(one) solutions processes, and there are over
100 controls in place to protect your data. In addition to our independent third-party auditor’s
opinion on the effective design and operation of our controls, the report includes the auditor’s test
procedures and results for each control. A SOC 2 Type 1 assessment has been performed for the
RMS(one) Solutions and a Type 2 assessment will be available upon request through our sales or
account management teams in the first quarter of 2018.
SOC 3 for Security, Confidentiality, and Availability
The SOC 3 general-use report is an executive summary of the SOC 2 report that includes an
independent third-party auditor’s opinion on the effective design and operation of our controls and
processes.
Verification of Security Practices
Independent Third-Party Audits
RMS uses independent third-party auditors to test our systems and controls against some of the
most widely accepted security standards and regulations in the world, such as ISO 27001 and SOC
2. These reviews occur at least annually and are conducted by independent, thorough, and globally
respected audit and security firms.
CONTINUAL IMPROVEMENT
A critical part of any information security management program is the improvement of security
programs, systems, and controls. To this end, RMS is committed to soliciting feedback from various
internal teams, customers, and internal and external auditors, using this feedback to develop
improved processes and controls.
More Information About RMS(one) Solutions Compliance
Compliance and certification documents can be requested through an RMS sales representative or,
for current RMS(one) platform users, through your account management team.
To learn more about security for the RMS(one) platform and RMS(one) solutions, visit www.rms.com/security