Information Security Program Whitepaper

Summary

Progress Software operates an Executive Security Committee which has directed that a security program and supporting policy framework be operated to protect the security interests of company infrastructure, the software it produces, and customer solutions it operates. The company information security program is responsible for protecting the confidentiality, integrity, and availability of information handled by company technology systems and outwardly facing technology products. It is established that this function will identify, assess, monitor, and remediate security issues in a manner that keeps risks under control and within company and customer appetite. The program is operated according to applicable laws, regulations, and industry best practices. The function shall leverage colleagues from across the company to effectively manage risk, and efforts remain transparent to leadership. The following program components underpin the Progress’ Information Security Program.

Company Information Security Strategy

On an annual basis, company information security officers present to management a revised corporate information security strategy aimed at protecting the confidentiality, integrity, and availability of company systems and customer facing products. Throughout the course of a given year risks are identified and tracked, existing information Security solutions are monitored, and new Security Technologies are researched. These ingredients converge on an annual basis into a strategic security plan that governs corporate information security strategy and product security related practices. These plans then influence initiatives, projects, policies and procedures across the company.

Security Governance

Information Security at Progress is governed by an interrelated hierarchy of working groups which is overseen by an Executive Security / Executive Risk Management Committee. The ERM committee approves new policy and security standards, hears from working groups on emerging security risks, and provides guidance & direction on top level strategy. The committee members advise on, and prioritize the development of information security initiatives. The committee establishes additional working groups or subcommittees as it deems necessary.

A Corporate Information Security Working Group, (aka Corporate InfoSec) governs and manages security matters related to company IT infrastructure and IT operations. Its governance duties include approving policy drafts that seek final approval by Executive Security Committee, approving security standards & procedural guidelines, identifying security risks, providing guidance & direction on remediation strategies, tracking of aging risks, and reporting of major risk issues to Executive Security Committee. INFOSEC provides leadership in the protection of company information assets and technology. The committee members advise on and prioritize the development of information security initiatives. INFOSEC advocates for the prioritization of security activities throughout the company. This group may also establish other working groups or subcommittees to identify and develop strategic direction and recommendations.

A Product Information Security Working Group, (aka PSWG) is an entity appointed to manage security matters related to company products. Its members collaborate on security best practices, share knowledge, and develop policy documentation that effects all products. Working group members discuss and debate security initiatives to improve product security and work together to maintain security compliance posture.

Compliance

Progress conducts a range of compliance activities throughout the course of any given year. These focus on Sarbanes-Oxley (SOX), SOC2, HIPAA, and GDPR. Compliance reports are available on request to assist customers with vendor diligence activities.

GDPR Related Controls – Common Questions

1. What technical or organizational measures are in place to prevent unauthorized access to the premises in which the data is processed? Progress corporate facilities are protected by state-of-the-art secure entry systems. Employees must possess their building proxy cards to gain entry. Facilities are also staffed by security guards who monitor the premises with CCTV. Data centers are equipped with an increased level of security measures. Finally, many of progress cloud applications are operated out of AWS and Azure data centers which feature highly advanced physical security/
2. What technical or organizational measures are in place to prevent the use of data processing systems by unauthorized persons. All systems and applications are protected by a defense in depth security strategy that features robust physical security, firewall, access control, antivirus, encryption, monitoring, and other defenses. These controls are examined routinely as part of company HIPAA, SOC2, and SOX programs.
3. Technical or organizational measures to ensure that those entitled to use a data processing system only have access to the data. As part of our information security program we operate an access control strategy based on the model of least privilege. Only employees who need information to perform their jobs are provisioned access to a given set of data.
4. Technical or organizational measures to ensure that personal data are not read, copied, altered or removed during processing or without authorization. Production systems are highly secured and monitored for anomaly behavior. Corporate networks are equipped with intrusion detection systems capable of identifying attempted exfiltration.
5. Technical or organizational measures to ensure that personal data that is transferred during electronic transmission, cannot be read, copied, altered or removed without authorization, and that it is possible to check and determine at which points a transfer of personal data by means of data transmission is or has taken place. As a standard practice, any commercial off-the-shelf software packages as well as custom software solutions developed by progress are equipped with encryption. There are no justifiable circumstances where an application owner within the company can operate a solution without encryption enabled at all layers.
6. Technical or organizational measures to ensure that it is possible to subsequently verify and determine whether and by whom personal data has been entered into, altered or removed from computer systems. In all system and application deployments, non-repudiation is factored into the design with the use of generic or shared accounts prohibited and only permitted by exception with compensating controls in place.
7. Technical or organizational measures to ensure that data collected for different purposes can be processed separately. Wherever possible and appropriate, company software applications feature an independent and isolated database and/or storage repository.
8. Technical or organizational measures to ensure that personal data are protected against accidental destruction or loss. Safeguards are designed and implemented on a per application basis to protect against accidental destruction of personal information. In a rare case where this occurred, backup restore capabilities would be utilized as a resolution.
9. Technical or organizational measures to ensure the resilience of systems and services related to processing. In the case of both SaaS/Cloud and on-premise solutions, high-availability principles are incorporated into architectural planning and deployment practices. For example, cloud-based product offerings are positioned at AWS and Azure and leverage multi-region redundancy.
10. Technical or organizational measures to ensure encryption. All cloud-based product offerings feature encrypted connectivity as a mandatory means. Wherever possible and appropriate, applications are equipped with encryption at all layers from web, to application, to database, to storage. These items are in scope for annual SOC2 review.
11. What is the process for periodic review, evaluation and evaluation of the effectiveness of these technical and organizational measures. IT and other technical staff operate our technologies via procedures that feature organized change control involving second sets of eyes. Information security staff perform reviews of such activities and processes as part of everyday business, as well as part of HIPAA and SOC2 compliance activities. Finally, the company’s internal audit department monitors the effectiveness of IT and information security staff and escalates major gap issues to an executive risk management committee.

Policy

Progress maintains a family of Information Security Policy documents that take the form of policies, standards, and procedural guidelines. Each of these types of document are published inside of progress to shape employee behaviors, maintain the security of our environment, and the security of our products. Such documents are kept in an electronic policy binder and made available to all employees. On an annual basis company information security policy is circulated to all employees for acknowledgement and signoff.

Employee Security Awareness

All employees undergo a regimen of security training throughout the year. Content is selected by committee and features such topics as General Security awareness, email security, phishing awareness, HIPAA ePHI Training, GDPR training, and secure coding.

Security Architecture Planning

Company Security Architecture planning is an ongoing activity managed by Corporate Information Security and Product Information Security Staff. Throughout the course of a given year risks are identified and tracked, existing information Security solutions are monitored, and new Security Technologies are researched for possible implementation. Standard approaches to perimeter Network Security, cloud infrastructure security, web and application security, authentication, and database security are just some of the disciplines we focus on. Our engineers work together within products and across products to ensure best practices in security design are implemented and maintained.

Security Defense

From corporate networks, to web applications, to cloud offerings, to employee computing environments, Progress employs a defense in depth strategy in the protection of our corporate assets and our customer environments. Network perimeter security, intrusion detection and prevention, anti-malware, anti-virus, server hardening, secure load balancing, secure authentication, encryption of data in transit, encryption of data at rest, stringent user access control, database security, security monitoring, and event management are just a few of the technologies involved in protecting our business and our customers.

Access Management

Access to company software applications, especially administrative access to production customer applications, is tightly controlled via best practices and access management technologies. Corporate and business applications are tightly connected to HR employee management activities to ensure that our users just the right to access while abiding by the model of least privilege. Administrator activities are logged and reviewed for unusual patterns, and administrator accounts are reviewed occurring basis to verify need.

Product Security

All software products at progress are developed a via the use of modern methodologies, techniques, technologies, and processes. Our software development life cycles employ Agile methodologies while including numerous waves of security planning and testing. These include security requirements planning, security design planning, code level security scanning, vulnerability scanning, and penetration testing.

Threat and Vulnerability Management

Ongoing threat and vulnerability management activities performed on all corporate assets and customer facing product environments. These activities include monitoring of key government and media outlets to stay apprised of emerging security issues, vulnerability scanning of internal and external systems, penetration testing of products and corporate environments.

Remediation Management

Progress subjects itself to a regular regimen of assessment activities to identify information security risks. Such activities may include self-initiated security assessments via a contracted 3rd party security firms, systems controls reviews by external industry authorities, or internal assessment activities using the expertise of existing staff. As such activities are conducted, any finding will be processed in a consistent manner that mitigates risk.

Security Incident Management

The Executive Security Committee at Progress has directed that an Incident Management function be operated that handles all corporate and customer related incident matters. In the case of an information security incident that threatens the availability, confidentiality, and integrity of information assets, information systems, and the networks that deliver the information, a response is conducted in a consistent manner. Appropriate leadership and technical resources are involved in any incident situation, in order to make key decisions and promptly restore any operations impacted. Exercises are performed on a recurring basis to ensure staff familiarity with procedures and identify any new lessons that should be incorporate into response plans.