Webtrends Optimize, and Accelerate Group Limited are each referred to herein as “Webtrends Optimize”.
Webtrends Optimize SaaS Solutions Security Statement
Last Updated: August 1, 20181 WEBTRENDS OPTIMIZE SAAS PRODUCTION ENVIRONMENT
Webtrends Optimize employs a public cloud deployment model with virtualized resources for its software-as-a-service solutions (“SaaS Solutions”). All maintenance and configuration activities are conducted by Webtrends Optimize employees.
Webtrends Optimize SaaS Solutions are multi-tenant and logical access controls using authentication and roles ensure the necessary separation between data from different clients. All infrastructure responsibilities rest with Webtrends Optimize, and clients are provided with functionality to manage their own users and roles at the application level.
Webtrends Optimize follows guidance from the ISO/IEC 27002:2013 standard. Additionally, Webtrends Optimize employs industry standard practices and relies on its 15 years of experience in operating highly secure SaaS solutions for security controls such as firewalls, intrusion detection, change management and written security policies.1.1 Scalability
Webtrends Optimize distributed architecture for data collection, processing and reporting allows it to scale horizontally as the number of clients and volume of traffic increase. Webtrends Optimize uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are load balanced and scaled up when predetermined capacity thresholds are reached.1.2 SaaS Management
Webtrends Optimize SaaS operations team (“SaaS Operations”) is responsible for all aspects of the SaaS Solutions production environment. SaaS Operations is set up separately and independently from the corporate network IT organisation to ensure the necessary separation of duties. SaaS Operations’ professional depth enables Webtrends Optimize to provide SaaS services at the highest levels of efficiency.2 RISK MANAGEMENT
Webtrends Optimize business continuity planning includes practices to assist management in identifying and managing risks that could affect the organisation’s ability to provide reliable services to its clients (as further described below). These practices are used to identify significant risks for the organisation, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.
Webtrends Optimize evaluates and manages risks related to its SaaS Solutions throughout their lifecycle, taking into considerations the consequences for our clients of loss of confidentiality or availability of the information we collect, process and store.
Webtrends Optimize maintains coverage to insure against major risks. Policies include errors and omissions liability, commercial general liability, auto liability, commercial umbrella liability, workers’ compensation and employer’s liability, fiduciary liability, directors’ and officers’ liability, and crime bond. Insurance companies, which management believes to be financially sound, provide coverage. Coverage is maintained at levels which Webtrends Optimize considers reasonable given the size and scope of its operations.3 SECURITY POLICIES & ORGANISATION OF INFORMATION SECURITY
Webtrends Optimize information security management system is based on ISO 27002. Webtrends Optimize maintains a general Information Security Policy, updated annually, that explicitly addresses the confidentiality, integrity and availability of client data and information technology resources, and details employee’s responsibilities and managements’ role.
Comprehensive technical policies govern various aspects of Webtrends Optimize SaaS Operations and corporate, which policies define security measures appropriate to the sensitivity of the data processed.
Policies are approved by senior management, communicated to all affected Personnel to whom the policies apply, and clearly state the consequences of non-compliance. All employees must review and sign Webtrends Optimize’ Information Security Policy during onboarding.3.2 Information and Communication
Webtrends Optimize utilises various methods of communication, including email and the corporate intranet to update employees on current events and policies, and share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies. SaaS Operations has dedicated intranet sections to publish information relevant to the SaaS production staff, such as technical materials, policies, procedures, and calendars.
Update of key documents such as policies require email notification to the affected staff.3.3 Information Security Coordination
Webtrends Optimize has adopted a decentralised approach to information security. Webtrends Optimizes IT Director coordinates all security and privacy activities within Webtrends Optimize. Responsibilities of this position include:
Implementation of security controls rests with the management of each relevant function. Webtrends Optimize separates its SaaS Solutions production network and all associated functions from the general corporate IT. Webtrends Optimize IT Director is responsible for policies and security implementation within the SaaS environment.3.4 Segregation of Duties
Only authorised personnel can administer systems or perform security management and operational functions. Authorisation for and implementation of changes are segregated responsibilities wherever appropriate to the organisation.4 HUMAN RESOURCES SECURITY
Webtrends Optimize has background checks performed on all employees at the time of hire (to the extent permitted by law), and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. Webtrends Optimize policy prohibits employees from using confidential information (including Client Data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.
An employee’s failure to cooperate fully in any background check and any dishonesty or omission of information pertaining to a background check by an employee precludes employment with Webtrends Optimize.
Background checks are performed by a reputable third party company for all full time and temporary employees.
Background checks differ by geography to account for local laws. In all cases, they include criminal checks, education and employment reports.4.2 Terms of Employment
Webtrends Optimize operates an onboarding process including at a minimum the following steps:
General information security responsibilities are documented in Webtrends Optimize Information Security Policy, which all employees must sign as part of their onboarding.4.3 Training
General information security training is provided to all new employees (both full time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.
Development and SaaS Operations staff receives further training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.4.4 Termination of Employment
Webtrends Optimize maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of any and all Webtrends Optimize and Client assets, disables or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) are terminated on or before the termination date. Webtrends Optimize uses pre-defined checklists to help ensure the consistency and completeness of the termination process.5 ASSET MANAGEMENT
All data collected by Webtrends Optimize on behalf of its clients is the property of the respective clients and classified as highly confidential under Webtrends Optimize information classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.
Webtrends Optimize generally performs no additional encryption on data collected and stored within the Webtrends Optimize SaaS production environment. Content for delivery onto clients’ web page by Webtrends Optimize is encrypted both at rest and in transit.5.1 Client Data Location
All client data is processed and stored in the Europe. Collected client data transits temporarily through Webtrends Optimize data collection centers in the United States, Europe, and Asia for optimal performance based on the visitor’s location and the regional option selected by the client.5.2 Media Handling
Webtrends Optimize Information Security Policy prohibits copying client data on removable media device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes and with the express authorisation from the client. This authorisation can be contingent on encryption being used.
All personnel who handle storage media used in the Webtrends Optimize SaaS solutions must comply with Webtrends Optimize SaaS Operations Data Handling Policy.
Webtrends Optimize’ decommissioning procedures are designed to prevent access to client data by unauthorised persons. Webtrends Optimize follows NIST Guidelines for Media Sanitization (Special Pub 800-88) to destroy data. All printed Confidential Information, including Client Data, is disposed of in secured containers for shredding.
Webtrends Optimize deletes all client data, other than backup copies held for disaster recovery purposes, on a scheduled basis following termination of contract.6 ACCESS CONTROL & PHYSICAL SECURITY
Webtrends Optimize IT Director manages access control policies and procedures for the corporate network, and manages access control policies and procedures for the SaaS production network.6.1 User Access Management
Accounts on Webtrends Optimize SaaS production network, including for network administrators and database administrators, are mapped directly to employees using unique identifiers based on employee names. Microsoft’s Active Directory enforces uniqueness. Generic administrative accounts are not used. Upon notification by HR as part of the formal termination notification process, all physical and system accesses are immediately adjusted to the new role or revoked both on Webtrends Optimize Corporate network and in Webtrends Optimize SaaS Solutions production network.
All accesses to Webtrends Optimize SaaS Operations network must be submitted by the requestor’s manager to the change management meeting. After review and approval, the request is logged for implementation.
Password complexity rules and account lockouts are enforced in all environments to protect against brute force dictionary attacks or other passwords threats.
Webtrends Optimize periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.6.2 User responsibilities
Webtrends Optimize Information Security Policy requires employees to notify corporate IT immediately if they believe that the security of their password has been compromised. Employees must abide by all Webtrends Optimize policies, including all sections of the Information Security Policy.6.3 System and Application Access Control
Authentication and robust access controls ensure that all clients’ confidential information is secured against unauthorized access. Users of Webtrends Optimize SaaS Solutions must be authenticated before they can access their data, and rights associated to their credentials control access to the logical structures containing their data.
Accesses to resources are controlled by explicit rights in all environments. Employees are given appropriate accounts on systems which they are authorised to access following the “least privilege” principle. Generally, access controls are provided by Microsoft’s Active Directory services and appropriate configuration of the operating system, file system and application settings.
Access to client data is limited to legitimate business need, including activities required to support clients’ use of the SaaS Solutions. Employees may only access resources relevant to their work duties. Processes ensure that any production data used by Webtrends Optimize Technical Support for testing (always with client consent) is automatically deleted after 14 days.6.3.1 Data Access by Clients
Client end users are authorised only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.
Client end users are identified with a username and password. They authenticate to the system over an HTTPS connection.6.3.2 Access control to program source code
Write access to Webtrends Optimize SaaS production source code is limited to the engineering staff. Anti-malware scans are performed during all build processes.7 PHYSICAL AND ENVIRONMENTAL SECURITY
Webtrends Optimize SaaS Solutions infrastructure is physically separated from Webtrends Optimize corporate facilities and managed by an independent SaaS Operations team. Webtrends Optimize SaaS Solutions infrastructure uses Infrastructure-as-a-Service (IaaS) providers.
Access to all facilities is controlled by electronic key systems. Employees are educated about good practices to ensure physical security. Corporate headquarters have security guards on site 24 x 7 as well as CCTV monitoring, and all visitors must register and be accompanied during visits. Additional electronic access controls restrict access to critical areas to authorised personnel only.8 SAAS OPERATIONS SECURITY
Webtrends Optimize SaaS Solutions infrastructure is managed by a team separate both from corporate IT and from development, and employs industry best practices such as default deny rules for firewalls, intrusion detection systems and automated patch management.8.1 Documented Procedures
Webtrends Optimize maintains documented procedures that include at a minimum:
Webtrends Optimize maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team. All key business owners such as Technical Support, Engineering, DevOps, Security, and SaaS Operations are represented at the daily change management meeting.
All deployments into production or change to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the change management meeting team prior to implementation.
Webtrends Optimize relies on well-defined processes, disciplined execution and continual training of staff. Webtrends Optimize operates an automated code deployment and configuration management system for its SaaS Solutions infrastructure.
All critical decisions must be approved by Webtrends Optimize IT Director
Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the SaaS environment to attacks, compromise the privacy and confidentiality of client data, or disrupt the availability of the SaaS Solutions.
Both scheduled and emergency changes are tested in separate environments, reviewed and approved by SaaS Operations, Engineering and Technical Support before deployment to the production environment. Emergency changes must be peer reviewed and may be initially made without formal authorisation. The Change Management process requires that all emergency changes must be documented and reviewed at the next Change Management meeting.8.3 Capacity Management
Provisioning, configuration, and management software is used to maintain network configuration information and to catalog changes. Applications configuration is stored in a redundant location.8.4 Separation of development, testing and operational facilities
All systems used for the Solutions are managed by the Webtrends Optimize SaaS Operations team, which is separate (both from a network domain perspective, and from a staffing perspective) from corporate network resources. All access is limited to the least privilege needed and requires authentication. Access logs are reviewed at least quarterly.
Administrative access to SaaS Operations resources is limited to SaaS Operations personnel and authentication requires a separate set of credentials.
Promotion of code from engineering into production is controlled by the change management process, and the SaaS Operations team manages all deployments into the production environment. Testing, other than deployment validation, is prohibited in the production environment.8.5 Protection against Malware
Webtrends Optimize deploys anti-malware software with automatic scanning and update on all workstations; installs anti-malware software on all Windows external-facing web servers with weekly scans; and scans all deployed code for malware.
Systems are scanned continuously. Updates are managed and pushed out via workstation/server policy management. Definitions are automatically updated. Employees cannot disable the solution. Where optimal performance precludes active scanning, anti-virus scans are scheduled weekly.
Webtrends Optimize uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks and malware.8.6 Data Backup
Webtrends Optimize stores all client data in the SaaS production environment on fully redundant storage systems, and utilises either a multi-tiered backup approach. Backups are stored in secure containers and transferred offsite weekly for storage in a secure, environmentally controlled, reputable third party data archive facility. Only Webtrends Optimize SaaS Operations employees have access to backup media.
Container lists are logged by the backup storage provider as they rotate offsite and backup sets within containers are maintained by SaaS Operations. All backup media are tracked within the backup software and matched to each job processed. Backup media is barcode-labeled for tracking.8.7 Logging and Monitoring
Webtrends Optimize maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal pattern and unauthorised access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralised in a limited-access system that prevents deletion and changes.
24×7 monitoring of critical network events with intrusion detection system (IDS) and log aggregation with industry standard enterprise application management solution gives Webtrends Optimize SaaS Operations the ability to identify and address any unauthorised access to assets (including access to client data) within the SaaS production network, and perform trend analysis and risk assessment. This includes outside threats as well as internal users as the SaaS infrastructure is behind firewalls in both cases. Alerting is in place to notify Webtrends Optimize SaaS Operations team of any issue.
Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client.8.8 Technical Vulnerability Management
Webtrends Optimize subscribes to manufacturers and independent security notification services to monitor potential external threats.
Manual and automated vulnerability testing are performed during the development process. Webtrends Optimize engages an independent third party security firm annually to conduct a vulnerability scan of all external-facing (public) infrastructure devices and application penetration test of its Solutions.
Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.8.8.1 Hardening Controls
Specifically regarding ensuring that applications remains configured to build standards, Webtrends Optimize SaaS Operations uses automated tools and documented procedures to build and configure all network equipment, systems and servers from predefined build configuration procedures in accordance with good industry practices such as NIST. All systems, platforms and applications are configured to minimize security risks. Specifically:
Webtrends Optimize operates a commercial patch management solution to maintain network device, system, OS and application level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. Webtrends Optimize deploys security patches released by the vendors as necessary to development, testing, and production systems after validation in pre-production environment.
Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on Webtrends Optimize review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency is evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. is the service being patched enabled in the environment) and threat severity (likelihood x impact).9 COMMUNICATIONS SECURITY
Network-based intrusion detection systems (IDS) monitor network traffic and activity for intrusion and Webtrends Optimize SaaS Operations personnel leverages multiple network and application monitoring tools to continuously scan for errors or suspicious activities. Webtrends Optimize hosted environment is completely separate from Webtrends Optimize corporate environment. Access is restricted to SaaS Operations personnel, and authentication requires a separate set of credentials.
Comprehensive and centralised system and application logging and monitoring facilitate alerting, trend analysis, and risk assessment. A network configuration management tool tracks and catalog changes, which are reviewed. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected client.
With fault tolerance and redundancy as guiding principles, Webtrends Optimize deploys appropriate, modern, and warranty-backed servers to host the application and database environment for SaaS Operations. In addition, Webtrends Optimize SaaS Solutions infrastructure includes a mix of redundant data storage arrays, near line backups and off-site backups for client data.9.2 Segregation in Networks
Webtrends Optimize production infrastructure uses separate segments for the web and storage layers with a multi-perimeter stateful firewall configuration between the Internet and the demilitarized zone (DMZ). Data storage and processing servers have no externally exposed services.9.3 Information Transfer
Webtrends Optimize clients access the Webtrends Optimize environment via the public Internet. All data transfers from Webtrends Optimize SaaS Solutions must use secure protocols; all data transfers to Webtrends Optimize SaaS Solutions default to secure protocols.9.4 Confidentiality and Non-Disclosure Agreements
All Webtrends Optimize employees must sign Webtrends Optimize confidentiality agreement at the time they join the organisation. Upon termination, employees are provided another copy of their agreement.
Webtrends Optimize requires a non-disclosure agreement or confidentiality clauses in all contracts of third parties accessing computing facilities or information assets as well as prior to sharing or providing access to any confidential information outside of Webtrends Optimize, whether verbally or in writing.10 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
Webtrends Optimize development methodology uses security significant requirements and threat modeling to ensure security concerns are considered and addressed during design.10.2 Security in Development and Support Process
Webtrends Optimize follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology.
Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our main test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation, and recovery testing.
Webtrends Optimize uses defense in depth best practices and validates them using both internal and third party security vulnerability scans.
Code reviews are part of the application development process. The internal quality assurance function also exhaustively tests all application end-points for vulnerabilities, including those identified in OWASP Top Ten.
The development process includes a review of all embedded third party components to ensure that security updates are incorporated. Use of open source software is subject to technical and legal review and approval.11 SUPPLIER RELATIONSHIPS
Webtrends Optimize may use contractors for development and testing tasks. These individuals work under the direct supervision of Webtrends Optimize employees and may have access to client data where contractually permitted.
Webtrends Optimize doesn’t give suppliers direct access to client data or network/equipment management responsibility.
Webtrends Optimize uses exclusively world renown third party suppliers with stellar background, such as Microsoft (for cloud infrastructure)
Webtrends Optimize reviews SOC2 reports and/or ISO certification of its infrastructure providers to confirm their adherence to industry standard security and operational requirements.12 INCIDENT PROCESS
Webtrends Optimize has developed a robust Security Incident Response Process (SIRP) to address security and privacy related events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.
The SIRP core team is composed of senior employees with an executive sponsor reporting directly to Webtrends Optimize CEO. This team is deployed and disbanded for each event and meets periodically in the absence of events for training and process maintenance. The SIRP process identifies key roles to facilitate the effective coordination of Webtrends Optimize response to a security incident, and defines a secure methodology for the confidentiality of all information and communication.
Incidents are triaged in three impact categories, each with different response levels:
The SIRP process is based on industry standard best practices and methodology. It specifies roles and responsibilities as well as priorities for each of the six phases:
Security incidents are managed by Webtrends Optimize Security Incident Response Process team. All communications with clients in case of security or privacy incident will be through our support team, using Webtrends Optimize Portal at https://status.webtrends-optimize.com (client users can subscribe to the Slack feed for push notification) and agreed upon contacts.
Webtrends Optimize Technical Support team will notify client contacts assigned to the account as soon as possible after confirming them as being affected by a security or privacy breach or by a DR event, but in any event within 24 hours for significant events and within 2 business days for non-critical events.13 BUSINESS CONTINUITY & DISASTER RECOVERY
Webtrends Optimize maintains and tests a business continuity plan (BCP) and disaster recovery (DR) plan that prioritises critical functions (such as data collection) supporting the delivery of its Solutions to its clients. Under such a plan, the disruption resulting from a complete site outage at a data collection center would be limited to single geographic region and would only last for a few minutes while traffic gets automatically rerouted. Webtrends Optimize retains DR archives of Client Data for up to two years after the backup. Webtrends Optimize SaaS Operations team performs a comprehensive annual risk assessment.13.2 Monitoring and Communication
We establish continuous monitoring of each system, throughout the application, and in each location where data is stored and moved. Monitoring is a critical component of everything we do.
A system-level failure, for any component in the Webtrends Optimize SaaS solutions environment, is easily identified and resolved through Webtrends Optimize 24×7 SaaS Operations Center. When monitoring detect a failure, failed systems are automatically removed from the production environment, and the SaaS Operations team is alerted and resolves the issue or escalates to the appropriate vendor as needed.13.3 Risk Assessment
Webtrends Optimize BCP & DR planning take into account all relevant threats as well as the criticality of each part of the SaaS Solutions. Webtrends Optimize SaaS Solutions disaster recovery strategy focuses on the following priorities:
Webtrends Optimize takes advantage of the distributed architecture of its SaaS Solutions to exercise critical aspects of its disaster recovery routinely when significant organisational or environmental changes are necessary. Other less critical aspects such as events affecting data storage are tested less frequently.
Disaster recovery plans for the most critical parts of the solution (data collection) are exercise quarterly at minimum, and tabletop exercises performed annually for the data processing functions.13.5 Redundancy
Webtrends Optimize maintains Client Data within the Solutions production environment on fully redundant or replicated storage systems, utilises a multi-tiered backup approach, and transfers backup media in locked containers for storage in a secured offsite location. Webtrends Optimize SaaS Solutions extends redundancy beyond storage through the entire infrastructure, from load balancers and processing engines, to power and telecommunication providers. Specifically:
Webtrends Optimize complies with statutory and regulatory requirements, and uses reasonable efforts to comply with applicable industry standards.14.1 Compliance with Legal Requirements
For personal data that is subject to the EU Data Protection Directive:
Webtrends Optimize is a data processor in the definition set out by the European Data Protection Directive 95/46/EC.14.2 Independent review of information security
In addition to thorough internal quality assurance testing, Webtrends Optimize runs a monthly security scan of the SaaS production environment and engages annually a reputable third party security firm to conduct a comprehensive application penetration test and network vulnerability scan of Webtrends Optimize SaaS Solutions.
The primary objective of these scans and tests is to gain independent third-party validation of Webtrends Optimize security stance and provide actionable recommendations for mitigation of any risks that may have been identified.
Both white box and black box testing are used to assess both the strength of the environment through a penetration test, and the defenses against known application vulnerabilities using guidelines from OWASP.
All critical issues confirmed are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process