MM is committed to protecting the confidentiality of the information provided by its clients and their employees. All personal data provided to MM through the MM Services is deemed confidential and is treated accordingly. MM maintains an enterprise-wide Information Security Program and has implemented administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of client confidential information. Due to the constantly changing nature of technologies and security concerns, we regularly conduct risk assessments and continually evaluate and modify our security procedures, policies and standards. MM maintains comprehensive written information security policies, which are summarized below, and which include an incident response and handling process.
Security Policies and Practices
The Information Security Program institutes technical, physical, and administrative safeguards to protect data and assets from unauthorized access, disclosure, or inappropriate use. The program establishes requirements and standards, and organizes them into Policy documents. Policies encompass, but are not limited to, the areas listed below.
- Backup: MachineMetrics' backup procedures are documented in its Backup Policy. The purpose of this policy is to institute the necessary controls to mitigate the accidental loss of MachineMetrics data. These controls assume that events such as accidental data corruption, deletion, or destruction will occur, and mitigate the impact of such events by maintaining reliable backup copies from which data can be readily restored.
- Encryption: Encryption practices are documented in MachineMetrics' Encryption Policy. The purpose of this policy is to establish practices for protecting MachineMetrics data in the event of unauthorized access through the use of encryption. The policy describes the different components that can be configured to utilize encryption, the algorithm that must be used for each, and how encryption keys should be managed.
- Change Management: MachineMetrics' change management process is documented in its Change Management Policy. The purpose of this policy is to provide guidance on the process of managing change across MachineMetrics' critical systems and products in order to ensure that sufficient checks and balances are in place to mitigate the risks inherent in continuous product development.
- Vulnerability Management: MachineMetrics' Vulnerability Management program is documented in the Vulnerability Management Policy. The purpose of this policy is to establish vulnerability management controls and provide guidelines for their implementation. Vulnerability management encompasses source code, operating systems, runtimes, and devices, and vulnerability scans are performed externally via penetration testing and web application scans.
- Access Control: MachineMetrics' access control practices are documented in its Access Control Policy. The purpose of this policy is to establish the principles and guidelines for controlling access to systems owned by MachineMetrics.
- Authentication and Password: MachineMetrics' approach to authentication and password management is documented in MachineMetrics' Authentication and Password Policy. This policy describes MachineMetrics' requirements with regard to account authentication, including how passwords should be generated, used, and protected.
- Security Incident Response: MachineMetrics' procedures for handling security incidents are documented in its Security Incident Management Policy. The purpose of this policy is to establish requirements and plans for reporting and responding to security incidents impacting MachineMetrics' corporate or customer systems.
- Business Continuity: MachineMetrics' business continuity plan is documented in the Business Continuity Policy. The purpose of this policy is to establish requirements and plans to recover MachineMetrics operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.
- Risk Management: MachineMetrics maintains a risk management program to identify, prioritize, and mitigate risk to acceptable levels. The program consists of regularly performed risk assessments, which identify and prioritize security and compliance gaps, and recommend additional security controls needed to mitigate the risk carried by the gaps.
- Training: Security awareness training is provided to new employees, and to all employees on a recurring annual basis, to promote strong security practices for the whole company.
MM conducts periodic reviews of our security policies and practices through independent third-party auditing services, including ISO27001 certifications, as well as other assessments MM deems appropriate.