Information Security Overview
Security Framework and Governing Policies
The mission of the MarcomCentral® Information Security Management Systems (ISMS) Program is to support the company’s business priorities through a risk-based governance framework that brings together people, process and technology. The policies that govern the ISMS program adhere to industry-accepted frameworks such as the National Institute of Standards and Technology (NIST), the US-EU Privacy Shield, the Open Web Application Security Project (OWASP) and the International Organization for Standardization (ISO). While it is not judicious for us to detail every component that makes up our security posture, the goal of this security brief is to provide you with a glance at our defense-in-depth strategy.
Cloud Security Overview
MarcomCentral® has partnered with Microsoft Azure Cloud Services to host the MarcomGather server environment. As part of the Microsoft Azure Cloud suite of services, the MarcomGather environment includes the security, access management, authentication, authorization, threat protection and encryption capabilities designed to uphold continuous protection of the confidentiality, integrity and availability of our customers’ processed data. For more details, please visit the Microsoft Azure Cloud Services documentation.
Privacy & Compliance
MarcomCentral® understands that regular system and application log management is critical for establishing baselines, identifying operational trends and supporting audit review and security incident activities during active investigations and postmortem analysis. The MarcomCentral® administration tool allows users configured with administrator roles to view the event date and the user associated with the following activities: successful Portal or Admin Tool logins, failed Portal or Admin Tool logins, Portal or Admin Tool user logouts, Portal user password resets, Portal user lockouts, data insertions, data updates, and data deletions.
In keeping with our commitment to uphold continuous protection of the confidentiality, integrity and availability of our customers’ data, the MarcomCentral® Software Development Lifecycle Program adheres to industry-leading frameworks such as the Open Web Application Security Project (OWASP) and the Microsoft Security Development Lifecycle (SDL). MarcomCentral® application development follows the Scrum methodology to implement Agile processes. Releases occur every sprint; a sprint is 2 weeks and consists of new functionality and the resolution of issues.
The MarcomCentral® Distributed Marketing product supports SSO (single sign-on) for both the distributed marketing cloud-based platform and the Administration Tool. The SSO functionality gives our customers full control of their user community while enforcing their own password requirements. MarcomCentral® also supports both Identity Provider-initiated and Service Provider-initiated SAML (Security Assertion Markup Language), as well as HTTPS (hypertext transfer protocol secure) redirect.
MarcomGather’s server environment is based in the US for our US customers. MarcomGather is a multi-tenant SaaS solution that segregates each customer’s processed data within their designated instance of the database.
Decommissioning and Data Removal
The MarcomCentral® Data Destruction Policy aligns with industry-accepted frameworks and includes the use of disk sanitizing tools that wipe media by overwriting every disk sector of the machine with zero-filled blocks, meeting Department of Defense directives. Further, the MarcomGather environment leverages the Microsoft Azure Cloud Services data destruction capabilities.
MarcomCentral® recognizes that while it is not feasible to anticipate and protect our environment from every possible cyber threat, the impact of a potential incident can be dramatically reduced by promptly detecting, identifying, containing, and eradicating the threat. The MarcomCentral® Cybersecurity Incident Response Plan (CIRP) is designed to guide our team to immediately contain, eradicate and recover in the event of a cyber intrusion or data breach. In adherence with industry best practices, if we were to suffer a cyber intrusion that in any way impacts our customers’ data processing activities, each affected customer will be promptly notified in accordance with our terms and contractual agreements.