Security Program (V. 20190801)

SAILPOINT SAAS DATA SECURITY PROGRAM

SailPoint has implemented and shall maintain a commercially reasonable information security program, which shall include technical and organizational measures designed to ensure an appropriate level of security for Customer Personal Data taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Personal Data, and the nature of the Customer Personal Data to be protected having regard to the state of the art and the cost of implementation. This document communicates the security program applicable to the SaaS Service in accordance with SailPoint’s Software as a Service Agreement (the “SaaS Agreement”). Except as otherwise modified or defined herein, capitalized terms shall have the same meaning as in the SaaS Agreement.

1. Security Program.

1.1. ISO 27001-based Information Security Management System (ISMS): SailPoint shall maintain an ISMS risk-based security program to systematically manage and protect the organization’s business information and the information of its customers and partners. With respect to SailPoint’s IdentityNow service, SailPoint has completed a SOC 2 Type 2 audit and ISO 27001 certification. SailPoint will complete a SOC 2 Type 2 audit annually and maintain ISO 27001 certification throughout the term of the SaaS Agreement or until such time as SailPoint receives any industry certification applicable to the SaaS Service which supersedes such certifications. Upon written request from Customer, SailPoint will provide a copy of such then-current certifications and audit reports.

1.2. Security Governance Committee: SailPoint shall maintain a security committee comprised of leaders across business units that oversees the company’s security program. This committee shall meet monthly to review the operational status of the ISMS (including risks, threats, remediation actions, and other security-related issues) and drive continuous security improvement throughout the business.

1.3. Security incident response policy: SailPoint shall maintain policies and procedures to (1) investigate and respond to security incidents, including procedures to assess the threat of relevant vulnerabilities or security incidents using defined incident classifications and categorizations and (2) establish remediation and mitigation actions for events, including artifact and evidence collection procedures and defined remediation steps.

1.4. Policy maintenance: All security and privacy related policies shall be documented, reviewed, updated, and approved by management at least annually.

1.5. Communication and commitment: Security and privacy policies and procedures shall be published and communicated to all relevant and applicable personnel and subcontractors. Security shall be addressed at the highest levels of the company with executive management regularly discussing security issues and leading company-wide security initiatives.

2. Personnel Security.

2.1. Background screening: Personnel who have access to Customer Personal Data or the equipment on which it is stored shall be subject to background screening (as allowed by local laws) that shall include verification of identity, right to work and academic degrees and a check of criminal records, sex offender registries, and prohibited/denied party lists.

2.2. Confidentiality obligations: Personnel who have access to Customer Personal Data shall be subject to a binding contractual obligation with SailPoint to keep the Customer Personal Data confidential.

2.3. Security awareness training: Personnel shall receive training upon hire and at least annually thereafter covering security practices and privacy principles.

2.4. Code of conduct: SailPoint shall maintain a code of conduct and business ethics policy requiring ethical behavior and compliance with applicable laws and regulations.

3. Third-Party Security.

3.1. Screening: SailPoint shall maintain policies and procedures designed to ensure that all new sub-processors, SaaS applications, IT software, and IT service solutions are subject to reasonable due diligence to confirm their ability to meet corporate security and compliance requirements as well as business objectives.

3.2. Contractual obligations: SailPoint shall maintain controls designed to ensure that contractual agreements with sub-processors include confidentiality and privacy provisions as appropriate to protect SailPoint’s interests and to ensure SailPoint can meet its security and privacy obligations to customers, partners, employees, regulators, and other stakeholders.

3.3. Monitoring and Review: As practicable, SailPoint shall periodically review existing third-party sub-processors in a manner designed to ensure the sub-processor’s compliance with contractual terms, including any security and availability requirements. This review program shall review sub-processors at least annually (regardless of length of contractual term) to determine whether the sub-processor/solution is still meeting the company’s objectives and the sub-processor’s performance, security, and compliance postures are still appropriate given the type of access and classification of data being accessed, controls necessary to protect data, and applicable legal and regulatory requirements.

4. Physical Security.

4.1. Corporate facility security: A facility security program shall be maintained that manages building entrances, CCTVs, and overall security of its offices, including a security perimeter (including barriers such as card-controlled entry gates or manned reception desks). All employees, contractors, and visitors shall be required to wear identification badges which distinguish their respective role.

4.2. Corporate data center security: Systems installed on SailPoint’s premises and used to process Customer Personal Data shall be protected by measures designed to control logical or physical access. Equipment used to process Customer Personal Data cannot be moved, removed, upgraded, or reconfigured without appropriate authorization and protection of the information, and, when equipment processing Customer Personal Data is decommissioned, Customer Personal Data shall be disposed of in a manner that would prevent its reconstruction.

4.3. SaaS Service data center security: SailPoint leverages Amazon Web Services (AWS) data centers for hosting the SaaS Service. AWS follows industry best practices and complies with numerous standards. Details on AWS data center physical security are available at

5. Security.

5.1. Software development lifecycle (SDLC): SailPoint shall maintain a software development lifecycle policy that defines the process by which personnel create secure products and services and the activities that personnel must perform at various stages of development (requirements, design, implementation, verification, documentation and delivery).

5.2. Secure development: Product management, development, test and deployment teams are required to follow secure application development policies and procedures that are aligned to industry-standard practices, such as the OWASP Top 10.

5.3. Vulnerability assessment: SailPoint shall conduct risk assessments, vulnerability scans and audits (including third-party penetration testing of a representative instance of the SaaS Service twice annually). Identified product solution issues shall be scored using the Common Vulnerability Scoring System (CVSS) risk-scoring methodology based on risk impact level and the likelihood and potential consequences of an issue occurring. Vulnerabilities are remediated on the basis of assessed risk. Upon the written request of Customer, SailPoint shall provide information about the identified vulnerabilities in the SaaS Service or Required Software, as applicable to such Customer, and the measures taken to remediate or address any such vulnerabilities.

6. Operational Security.

6.1. Access controls: SailPoint shall maintain policies, procedures, and logical controls to establish access authorizations for employees and third parties. Such controls shall include:

6.1.1. requiring unique user IDs to identify any user who accesses systems or data;

6.1.2. managing privileged access credentials in a privileged account management (PAM) system;

6.1.3. communicating passwords separately from user IDs;

6.1.4. requiring that user passwords are (a) changed at regular intervals; (b) of sufficient length and complexity; (c) stored in an encrypted format; (d) subject to reuse limitations; and (e) not assigned to other users, even at a different time; and

6.1.5. automatically locking out users’ IDs when a number of erroneous passwords have been entered.

6.2. Least privilege: Personnel shall only be permitted access to systems and data as required for the performance of their roles. Only authorized personnel are permitted physical access to infrastructure and equipment; authorized access to production resources for the SaaS Service is restricted to employees requiring access, and access rights are reviewed and certified at least annually.

6.3. Malware: SailPoint shall utilize measures intended to detect and remediate malware, viruses, ransomware, spyware, and other intentionally harmful programs that may be used to gain unauthorized access to information or systems.

6.4. Encryption: SailPoint shall use Internet industry-standard encryption methods to protect data in transit and at rest as appropriate to the sensitivity of the data and the risks associated with loss. All laptops and other removable media, including backup tapes, on which Customer Personal Data is stored shall be encrypted.

6.5. Business continuity and disaster recovery (BCDR): SailPoint shall maintain formal BCDR plans designed to ensure SailPoint’s systems and services remain resilient in the event of a failure, including natural disasters or system failures, and such plans shall be reviewed, updated, and approved by management at least annually.

6.6. Data backups: SailPoint shall back up data and systems using alternative site storage available for restore in case of failure of the primary system. All backups shall use Internet industry-standard encryption methods to protect backups in transit and at rest.

6.7. Change management: SailPoint shall maintain change management policies and procedures to plan, test, schedule, communicate, and execute changes to SailPoint’s SaaS Service infrastructure, systems, networks, and applications.

6.8. Network security: SailPoint shall implement industry-standard technologies and controls designed to protect network security, including firewalls, intrusion prevention systems, monitoring, network segmentation, VPN, and wireless security. Networks shall be designed and configured to restrict connections between trusted and untrusted networks, and network designs and controls shall be reviewed at least annually.

6.9. Data segregation: SailPoint shall implement logical controls, including logical separation, access controls and encryption, to segregate Customer’s Personal Data from other Customer and SailPoint data in the SaaS Service.