SECURITY AT RANDORI

RANDORI Data Security and Privacy Principles

  1. Definitions

Capitalized terms used herein have the meanings given below or if not defined below, the meanings given in the applicable written contract between RANDORI and Client for the RANDORI Services.

Client – is the entity to which RANDORI is providing the RANDORI Services under a RANDORI Services Document.

Components – are the application, platform, or infrastructure elements of a RANDORI Service that RANDORI operates and manages.

Content – consists of all data, software, and information that Client or its authorized users provide, authorize access to, or input to RANDORI Services. 

DSP – is this RANDORI Data Security and Privacy Principles document.

RANDORI Cloud Services – are “as a service” RANDORI offerings that RANDORI makes available via a network, such as software as a service, platform as a service, or infrastructure as a service.

RANDORI Services Document – is a Transaction Document and any other document that is incorporated into a written contract between RANDORI and a Client and that addresses details of a specific RANDORI Service.

RANDORI Services – are (a) RANDORI Cloud Services, (b) other RANDORI service offerings, including infrastructure or application service offerings that RANDORI delivers and dedicates to or customizes for a Client, and (c) any other services, including consulting, maintenance, or support, that RANDORI provides to a Client. 

Security Incident – is an unauthorized access and unauthorized use of Content.

Transaction Document – is a document that details the specifics of transactions, such as charges and a description of and information about a RANDORI Cloud Service. Examples of Transaction Documents include statements of work, service descriptions, ordering documents and invoices for a RANDORI Cloud Service. There may be more than one Transaction Document applicable to a transaction.

  2. Overview

The technical and organizational measures provided in this DSP apply to RANDORI Services (including any Components) only where RANDORI has expressly agreed to comply with the DSP in a written contract between RANDORI and Client. For clarity, those measures do not apply where Client is responsible for security and privacy or as specified below or in a RANDORI Services Document.

  1. Client is responsible for determining whether a RANDORI Service is suitable for Client’s use and implementing and managing security and privacy measures for components that RANDORI does not provide or manage within the RANDORI Services. Examples of Client responsibilities for RANDORI Services include: (1) the security of systems and applications built or deployed by the Client upon an infrastructure as a service or platform as a service offering or upon infrastructure, Components or software that RANDORI manages for a Client, and (2) Client end-user access control and application level security configuration for a software as a service offering that RANDORI manages for a Client or an application service offering that RANDORI delivers to a Client.
  2. Client acknowledges that RANDORI may modify this DSP from time to time at RANDORI’s sole discretion and such modifications will replace prior versions as of the date that RANDORI publishes the modified version. Notwithstanding anything to the contrary in any written contract between RANDORI and Client, the intent of any modification will be to: (1) improve or clarify existing commitments, (2) enable RANDORI to appropriately prioritize its security focus to address evolving data and cybersecurity threats and issues, (3) maintain alignment to current adopted standards and applicable laws, or (4) provide additional features and functionality. Modifications will not degrade the security or data protection features or functionality of RANDORI Services.
  3. In the event of any conflict between this DSP and a RANDORI Services Document, the RANDORI Services Document will prevail and if the conflicting terms are in a Transaction Document, they will be identified as overriding the terms of this DSP and will only apply to the specific transaction.
  3. Data Protection
    1. RANDORI will treat all Content as confidential by not disclosing Content except to RANDORI employees, contractors, and suppliers (including subprocessors), and only to the extent necessary to deliver the RANDORI Services.
    2. Security and privacy measures for each RANDORI Service are implemented in accordance with RANDORI’s security and privacy by design practices to protect Content processed by a RANDORI Service, and to maintain the availability of such Content pursuant to the applicable written contract between RANDORI and Client, including applicable RANDORI Services Documents.
    3. Additional security and privacy information specific to a RANDORI Service may be available in the relevant RANDORI Services Document or other standard documentation to aid in Client’s initial and ongoing assessment of a RANDORI Service’s suitability for Client’s use. Such information may include evidence of stated certifications and accreditations, information related to such certifications and accreditations, data sheets, FAQs, and other generally available documentation. RANDORI will direct Client to available standard documentation if asked to complete Client-preferred security or privacy questionnaires.
  4. Security Policies
    1. RANDORI will maintain and follow written IT security policies and practices that are integral to RANDORI’s business and mandatory for all RANDORI employees. The RANDORI Chief Information Security Officer will maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.
    2. RANDORI will review its IT security policies at least annually and amend such policies as RANDORI deems reasonable to maintain protection of RANDORI Services and Content.
    3. RANDORI will maintain and follow its standard mandatory employment verification requirements for all new hires and will extend such requirements to wholly-owned RANDORI subsidiaries. In accordance with RANDORI internal processes and procedures, these requirements will be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks as deemed necessary by RANDORI. Each RANDORI company is responsible for implementing these requirements in its hiring process as applicable and permitted under local law. 
    4. RANDORI employees will complete RANDORI’s security and privacy education annually and certify each year that they will comply with RANDORI’s ethical business conduct, confidentiality, and security policies, as set out in RANDORI’s Business Conduct Guidelines. Additional training will be provided to any persons granted privileged access to Components that is specific to their role within RANDORI’s operation and support of the RANDORI Services, and as required to maintain compliance and accreditations stated in any relevant RANDORI Services Document.
  5. Compliance
    1. For standard (non-custom) RANDORI Cloud Services, the measures implemented and maintained by RANDORI within each RANDORI Cloud Service will be subject to annual certification of compliance with ISO 27001 or SSAE SOC 2, or both, unless stated otherwise in a RANDORI Services Document.
    2. Additionally, RANDORI will maintain compliance and accreditation for the RANDORI Services as defined in a RANDORI Services Document.
    3. Upon request, RANDORI will provide evidence of the compliance and accreditation required by 5.1 and 5.2, such as certificates, attestations, or reports resulting from accredited independent third-party audits (accredited independent third-party audits will occur at the frequency required by the relevant standard).
    4. RANDORI is responsible for these data security and privacy measures even if RANDORI uses a contractor or supplier (including subprocessors) in the delivery or support of a RANDORI Service.
  6. Security Incidents
    1. RANDORI will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling and will comply with the data breach notification terms of the applicable written contract between RANDORI and Client.
    2. RANDORI will investigate Security Incidents of which RANDORI becomes aware, and, within the scope of the RANDORI Services, RANDORI will define and execute an appropriate response plan. Client may notify RANDORI of a suspected vulnerability or incident by submitting a request through the incident reporting process specific to the RANDORI Service (as referenced in a RANDORI Services Document) or, in the absence of such process, by submitting a technical support request.
    3. RANDORI will notify Client without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by RANDORI to affect Client. RANDORI will provide Client with reasonably requested information about such Security Incident and the status of any RANDORI remediation and restoration activities.
  7. Physical Security and Entry Control
    1. RANDORI will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into RANDORI-managed facilities (data centers) used to host the RANDORI Services. Auxiliary entry points into such data centers, such as delivery areas and loading docks, will be controlled and isolated from computing resources.
    2. Access to RANDORI-managed data centers and controlled areas within those data centers will be limited by job role and subject to authorized approval. Such access will be logged, and such logs will be retained for not less than one year. RANDORI will revoke access to RANDORI-managed data centers upon separation of an authorized employee. RANDORI will follow formal documented separation procedures that include prompt removal from access control lists and surrender of physical access badges.
    3. Any person granted temporary permission to enter a RANDORI-managed data center facility or a controlled area within such a data center will be registered upon entering the premises, must provide proof of identity upon registration, and will be escorted by authorized personnel. Any temporary authorization to enter, including deliveries, will be scheduled in advance and require approval by authorized personnel.
    4. RANDORI will take precautions to protect the physical infrastructure of RANDORI-managed data center facilities against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
  8. Access, Intervention, Transfer and Separation Control
    1. RANDORI will maintain a documented security architecture for Components. RANDORI will separately review such security architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.
    2. RANDORI may use wireless networking technology in its maintenance and support of the RANDORI Services and associated Components. Such wireless networks, if any, will be encrypted and require secure authentication and will not provide direct access to RANDORI Cloud Services networks. RANDORI Cloud Services networks do not use wireless networking technology.
    3. RANDORI will maintain measures for a RANDORI Service that are designed to logically separate and prevent Content from being exposed to or accessed by unauthorized persons. RANDORI will maintain appropriate isolation of its production and non-production environments, and, if Content is transferred to a non-production environment, for example to reproduce an error at Client’s request, security and privacy protections in the non-production environment will be equivalent to those in production.
    4. RANDORI will encrypt Content not intended for public or unauthenticated viewing when transferring Content over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for Client’s secure transfer of Content to and from the RANDORI Services over public networks.
    5. RANDORI will encrypt Content at rest if and as specified in a RANDORI Services Document. If a RANDORI Service includes management of cryptographic keys, RANDORI will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
    6. If RANDORI requires access to Content to provide the RANDORI Services, and if such access is managed by RANDORI, RANDORI will restrict access to the minimum level required. Such access, including administrative access to any underlying Components (privileged access), will be individual, role-based, and subject to approval and regular validation by authorized RANDORI personnel following the principles of segregation of duties. RANDORI will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner’s separation or upon the request of authorized RANDORI personnel, such as the account owner’s manager.
    7. Consistent with industry standard practices, and to the extent natively supported by each Component, RANDORI will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, password change frequency, and secure transfer and storage of such passwords and passphrases. 
    8. RANDORI will monitor use of privileged access and maintain security information and event management measures designed to: (1) identify unauthorized access and activity, (2) facilitate a timely and appropriate response, and (3) enable internal and independent third-party audits of compliance with documented RANDORI policy. 
    9. Logs in which privileged access and activity are recorded will be retained in compliance with RANDORI’s worldwide records management plan. RANDORI will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
    10. To the extent supported by native device or operating system functionality, RANDORI will maintain computing protections for its end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
    11. RANDORI will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization.
  9. Service Integrity and Availability Control
    1. RANDORI will: (1) perform security and privacy risk assessments of the RANDORI Services at least annually, (2) perform security testing and vulnerability assessments of the RANDORI Services before production release and at least annually thereafter, (3) enlist a qualified independent third party, IBM X-Force™ or, if specified in a RANDORI Services Document, another qualified testing service to perform penetration testing of the RANDORI Cloud Services, at least annually, (4) perform automated vulnerability scanning of underlying Components of the RANDORI Services against industry security configuration best practices, (5) remediate identified vulnerabilities from security testing and scanning, based on associated risk, exploitability, and impact, and (6) take reasonable steps to avoid disruption to the RANDORI Services when performing its tests, assessments, scans, and execution of remediation activities.
    2. RANDORI will maintain measures designed to assess, test, and apply security advisory patches to the RANDORI Services and associated systems, networks, applications, and underlying Components within the scope of the RANDORI Services. Upon determining that a security advisory patch is applicable and appropriate, RANDORI will implement the patch pursuant to documented severity and risk assessment guidelines, based on Common Vulnerability Scoring System ratings of patches, when available. Implementation of security advisory patches will be subject to RANDORI change management policy.
    3. RANDORI will maintain policies and procedures designed to manage risks associated with the application of changes to RANDORI Services. Prior to implementation, changes to a RANDORI Service, including its systems, networks, and underlying Components, will be documented in a registered change request that includes a description of and reason for the change, implementation details and schedule, a risk statement addressing impact to the RANDORI Service and its clients, expected outcome, rollback plan, and documented approval by authorized personnel.
    4. RANDORI will maintain an inventory of all information technology assets used in its operation of RANDORI Services. RANDORI will continuously monitor and manage the health, including capacity, and availability of RANDORI Services and underlying Components.
    5. Each RANDORI Service will be separately assessed for business continuity and disaster recovery requirements through appropriate business impact analysis and risk assessments intended to identify and prioritize critical business functions. Each RANDORI Service will have, to the extent warranted by such risk assessments, separately defined, documented, maintained, and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objectives for a RANDORI Service, if provided for in the relevant RANDORI Services Document, will be established with consideration given to the RANDORI Service’s architecture and intended use. Physical media intended for off-site storage, if any, such as media containing backup files, will be encrypted prior to transport.

 

Customer Data

We classify all customer data as strictly confidential, regardless of whether it has been obtained publicly or privately. This is our highest level of classification, and requires us to enforce specific security controls to ensure that appropriate protections are in place for use, storage and transmission. We limit access to customer data to those personnel who have a business need for access in support of our service.

Compliance

We maintain industry-accepted certifications and comply with current industry standards and regulations so you can feel confident that your company and customer data remain secure.

We understand the thoughtfulness organizations must take when choosing a third-party security vendor. Certifications such as SOC 2 Type 2 and ISO 27001 provide an independent attestation that a vendor has controls in place which are operating effectively. Having these certifications enables us to demonstrate this commitment to our customers.

Audit and Compliance

SOC 2

The SOC 2 report provides assurance to our customers and our own team that the organization has designed and implemented effective security controls as defined in the SOC 2 standards set forth by the American Institute of Certified Public Accountants (AICPA).

A copy of our SOC 2 report is available upon request. Please contact your sales representative or account team.

ISO 27001

The ISO 27001 certification demonstrates that Randori has met rigorous international standards in information security and confirms that its products, services, and business operations meet user needs with an effective information security management system. The International Organization for Standardization (ISO) is an independent, international organization that sets globally recognized standards, including security and safety standards. In particular, the ISO 27001 certification ensures an organization operates industry-standard practices for information security.

GDPR

Randori is committed to data privacy and security, including complying with and, where applicable, helping our customers and users comply with the EU General Data Protection Regulation (GDPR). 

GDPR is the comprehensive EU-wide data privacy law that went into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU, it introduced new or additional obligations on all organizations that handle EU residents’ personal data, regardless of where the organizations are located.

Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Privacy

Randori is committed to maintaining the privacy of customer data. Our policies, controls and processes ensure that our practices are aligned with the expectations of our customers and global privacy laws.

Randori has established a Privacy Policy that describes the purpose(s) for which personally identifiable information (PII) is collected, used, retained, maintained, and shared. Our Privacy Policy is available at: https://www.randori.com/privacy-policy/

Randori complies with applicable law with respect to international transfers of personal data. Where a customer determines that its use of Randori’s services requires the transfer of personal data to a location outside the European Economic Area, Randori will execute a Data Processing Addendum (DPA) with the customer which includes Standard Contractual Clauses (also commonly referred to as EU Model Clauses). A copy of the Randori DPA is available to prospective and existing customers.

For any privacy related questions, including Data Subject Requests, please email: privacy@randori.com

Vulnerability Reporting

We appreciate efforts to discover and coordinate the disclosure of security vulnerabilities. Randori operates a SaaS service for enterprise customers, and does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports. If you would like to report a vulnerability in our service, or have security concerns regarding Randori assets or resources, please email: security@randori.com. We take all vulnerability reports very seriously and will respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, we will update you periodically with our response and remediation status. To support a timely and effective response to your report, please include any of the following:
  • Your name and contact information
  • Type of issue (XSS, vulnerable service, etc.)
  • Affected Randori resource
  • Potential impact of the vulnerability (i.e. what data can be accessed or modified). Please do not provide us with your calculation of a CVSS score.
  • Step-by-step instructions to reproduce the issue
Due to the number of invalid requests & spam, we will not reply to unsolicited requests for bug bounties or issues identified as out-of-scope.

Public Disclosure

Randori follows coordinated vulnerability disclosure practices and requests that anyone reporting a vulnerability to us does the same.

Out-of-scope Vulnerabilities

Randori will assess all submissions, but considers the following vulnerabilities out-of-scope:
  • 2FA exploits
  • Absence or misconfiguration of HTTP headers
  • Account/email enumeration using brute-force attacks
  • Clickjacking on pages that only contain static content
  • DDoS vulnerabilities
  • Lack of SSL or Mixed content
  • Low impact issues related to session management
  • Missing Cookie flags
  • Missing security-related attributes on non-sensitive cookies
  • Social Engineering
  • Third party components in our corporate website, such as marketing forms
  • URL Redirection
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform improbable actions (i.e., Self-XSS)
  • Vulnerabilities in components that the upstream developer/packager deems not-fixable or not applicable.
  • Vulnerabilities that are identified but connect to a honeypot
  • Vulnerabilities identified by an automated scanner such as Nessus, Nexpose, etc.
  • Spoofed email due to SPF/DKIM/DMARC values