Security

Security Framework and Governing Policies

The mission of the MarcomCentral® Information Security Management Systems (ISMS) Program is to support the company’s business priorities through a risk-based governance framework that leverages the synergy of people, process and technology. The policies that govern the ISMS program adhere to industry-accepted frameworks such as the National Institute of Standards and Technology (NIST), the US-EU Privacy Shield, the Open Web Application Security Project (OWASP) and the International Organization for Standardization (ISO). While it is not judicious for us to detail every component that makes up our security posture, the goal of this Security brief is to give you a glimpse of our defense-in-depth strategy.

Privacy & Compliance

MarcomCentral® respects your privacy and we are committed to protecting it. We maintain the TRUSTe Verified Privacy Seal, which attests to our compliance with the Enterprise Privacy & Data Governance Practices Assessment Criteria, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as a data processor. For your convenience, the latest version of our Privacy Policy can be accessed from any browser via https://marcom.com/legal/privacy-policy/

Data Center Security

The MarcomCentral® Distributed Marketing product is hosted in our US-based primary data center and co-located at our US-based secondary data center. Both data centers maintain the SSAE18 SOC 1&2 Type 2 attestations and are managed around the clock. For our customers based outside the US, our EU data center also maintains the SSAE18 SOC 1&2 Type 2 attestations and is managed around the clock.

Encryption

The MarcomCentral® infrastructure is architected to encrypt all data in transit using the HTTPS protocol, TLS 1.2+ or the built-in encryption capability of the API service (APIs are mostly selected by each customer depending on the functionality). Further, the MarcomCentral® environment is architected to encrypt all data at rest using cryptographic algorithms that conform to the Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST).

Disaster Recovery

The MarcomCentral® Disaster Recovery Plan is tested annually, including fail-over, recovery and synchronization activities. Our Disaster Recovery environment matches the Production environment infrastructure at all times and can handle at least 90% of the Production capacity. Preventive controls (e.g., generators, environmental controls, sprinkler systems, fire extinguishers, and fire department assistance) are fully operational at the time of disaster. Computer center equipment, including components supporting the System, is connected to a generator providing an indefinite duration of electricity during a power failure. Service agreements are maintained with our hardware, software, and communications providers to support emergency system recovery. The systems that make up our redundant environment are supported by firewalls, switches, and load balancing equipment. The network is configured in a fault-tolerant fashion that is able to withstand the loss of one or more components without impact to System operations. The environment runs on multiple commodity-class computer systems in a fault-tolerant fashion that is able to withstand the loss of one or more computers without impact to System operations.

Uptime & Reliability

The MarcomCentral® high-availability environment is reinforced by multiple tiers of redundancy, including primary and secondary state-of-the-art data centers. Our environment is monitored for service performance and system anomalies, which trigger automatic notifications to ensure immediate response to potential service interruptions. Our Threat and Vulnerability Management Program includes automatic updates from reputable vulnerability monitoring & management providers.

Access Logs

MarcomCentral® understands that regular system and application log management is critical for establishing baselines, identifying operational trends and supporting audit review and security incident activities during active investigations and postmortem analysis. The MarcomCentral® administration tool enables users who have been configured with administrator roles to view the event date and user associated with the following activities: Successful Portal or Admin Tool Logins, Failed Portal or Admin Tool Logins, Portal or Admin Tool User Logouts, Portal User Password Resets, Portal User Lockouts, Data Insertions, Data Updates, and Data Deletions.

Application Development

In furtherance of our commitment to continuously protecting the confidentiality, integrity and availability of our customers’ data, the MarcomCentral® Software Development Lifecycle Program adheres to industry-leading frameworks such as the Open Web Application Security Project (OWASP) and the Microsoft Security Development Lifecycle (SDL). The MarcomCentral® application development practices follow the Scrum methodology to implement Agile processes. Releases occur every 7 weeks and consist of three 2-week sprints and one 1-week release sprint. Any significant changes are scheduled in the first and second sprints of the release, and the final sprint is reserved for resolving any introduced issues or small feature requests.

Authentication

The MarcomCentral® Distributed Marketing product supports SSO (single sign-on) for both the distributed marketing cloud-based platform and the Administration Tool. The SSO functionality gives our customers full control of their user community while enforcing their respective password requirements. MarcomCentral® also supports both Identity Provider-initiated and Service Provider-initiated SAML (Security Assertion Markup Language) as well as HTTPS (Hypertext Transfer Protocol Secure) redirect.

Data Residency

The MarcomCentral® Distributed Marketing product server environment is based in the US for our US customers. We maintain a separate set of servers in the EU for our customers based outside the US. The MarcomCentral® application is a multi-tenant SaaS solution that segregates each customer’s data within their designated instance of the database.

Decommissioning and Data Removal

The MarcomCentral® Data Destruction Policy aligns with industry-accepted frameworks and includes the use of disk sanitizing tools that wipe media by overwriting every disk sector of the machine with zero-filled blocks, meeting Department of Defense directives.

Incident Response

MarcomCentral® recognizes that while it is not feasible to anticipate and protect our environment from every possible cyber threat, the impact of a potential incident can be dramatically reduced by promptly detecting, identifying, containing, and eradicating the threat. The MarcomCentral® Cybersecurity Incident Response Plan (CIRP) is designed to guide our team to immediately contain, eradicate and recover in the event of a cyber intrusion or data breach. In adherence with industry best practices, if we were to suffer a cyber intrusion that in any way impacts our customers’ data processing activities, each customer will be promptly notified in accordance with our terms and contractual agreements.

Contact us

As our products and services continue to reach diverse industries, security and compliance requirements remain an essential part of the partnership between MarcomCentral® and our current and future customers. MarcomCentral® understands that risk tolerance, compliance responsibilities and security requirements differ among the many industries that make up our business partnerships. If you need to engage in further discussions about our security, risk management and compliance practices, please contact us at inquiries@marcom.com.