Bizagi implements security controls and measures for data integrity, confidentiality and availability aligned to leading information security standards and frameworks such as ISO 27001, NIST and FedRAMP.
The security controls in place are listed below:
•Access Controls and Authentication
•Audit and Accountability
•Business Continuity and Operational Resilience
•Change Control and Configuration Management
•Logging and Continuous Monitoring
•Secure Software Development process
•Risk Assessment and vulnerability management
Please note that the above list is not exhaustive.
Access Controls and Authentication
Bizagi enforces an Access Control policy. The purpose of this policy is to create, implement and maintain the access controls for systems that contain customers' information. Bizagi relies on an enterprise cloud-based identity and access management solution that provides login and password management, role-based segregation of duties, and two-factor authentication, among other features. These policies, access control mechanisms and systems allow Bizagi to prevent inappropriate access to customers' data.
Audit and Accountability
Bizagi has an Audit Management process that serves to consolidate all audit mechanisms such as audit planning, risk analysis, security control assessment, remediation schedules, report generation, and review of past reports and supporting evidence.
Bizagi's Audit Management process allows us to verify compliance with relevant standards, regulations, legal/contractual, and statutory requirements.
Bizagi performs internal and external audits on a yearly basis.
Business Continuity and Operational Resilience
Bizagi enforces business continuity management and operational resilience policies and procedures. These establish the actions required to recover the critical information assets that support business processes, so that the effects of service interruptions and failures on services are reduced and the security of information on those systems and business processes is maintained throughout a disruption. Bizagi tests its business continuity and operational resilience plans at least annually.
Change Control and Configuration Management
Bizagi follows a change management procedure, which defines how changes to organization assets (applications, systems, infrastructure, configuration, etc.) must be performed and how the risks associated with applying those changes are managed.
Bizagi's change management procedure establishes standards for change request creation, approval, testing and release, and restricts the unauthorized addition, removal, update and management of organization assets.
Bizagi enforces several policies covering the classification, protection and handling of data throughout its life cycle.
Bizagi Standard Agreements describe the protective measures established by Bizagi to protect data from corruption and to prevent unauthorized access to data assets. Likewise, Bizagi enforces policies and implements technical measures to ensure that data is securely transferred and securely disposed of.
Bizagi has established and follows backup and restore procedures for services containing customers' data, as well as policies and service level agreements for the retrieval of customers' data.
Bizagi enforces an Information Security Incident Handling policy. The purpose of this policy is to ensure a consistent and effective approach to the handling of information security incidents, including detecting, reporting, assessing, responding to, dealing with, and learning from them. Bizagi's Information Security and Compliance team is subscribed to US-CERT to receive information about the latest threats and activities; alerts identified there are communicated to the teams responsible for implementing the proposed solution.
Bizagi enforces policies that require notification in the event that a security incident occurs affecting customers' infrastructure, data or services. Bizagi promptly notifies customers through the Support channels. Notifications are sent by email and state the incident analysis, the actions taken to remediate it, and whether customers are expected or required to take action.
Logging and Continuous Monitoring
Bizagi uses tools and procedural mechanisms that record and examine activity in information systems, networks and computing devices, and that continuously monitor Bizagi's Cloud Services.
Logs record significant activity such as:
•User access to information and user account activity
•Use of certain software programs or utilities
•Use of a privileged account
•System anomalies, such as unplanned system shutdowns or application errors
•Failed and successful authentication attempts
•Access to sensitive data
•Information system start-up and shutdown
•General security incidents
Appropriate hardware, software or procedural auditing mechanisms are implemented so that each record provides the date and time of the activity, the origin of the activity, the identification of the user performing it, and a description of the attempted or completed activity.
Logs maintained within an application are backed up consistently with the information backup policies and data recovery processes, to ensure that the information is readily available in the manner required.
Bizagi Automation Service relies on Microsoft Azure as its cloud provider. The Azure infrastructure is designed to meet a broad set of international and industry-specific compliance standards and regulations, including ISO/IEC 27017, SOC 1 and SOC 2, PCI DSS, NIST SP 800-171, FedRAMP, HIPAA/HITECH, and the EU Model Clauses, among others. See Azure facilities, premises, and physical security.
Secure Software Development process
Bizagi implements a software development life cycle that enforces industry-standard security controls, so that the Bizagi system (and the service as a whole) can counter potential attacks and mitigate overall security risk.
The security development practices rely on the SAMM (Software Assurance Maturity Model) published by OWASP and on the Microsoft Security Development Lifecycle. Additionally, Bizagi's development follows guidelines proposed by security expert communities such as NIST, OWASP and the Cloud Security Alliance.
By implementing the Bizagi Security Development Lifecycle, Bizagi can manage risk and identify possible vulnerabilities in the early stages of new developments.
Within a security development strategy, Bizagi adopts several other best practices such as:
•New features are analyzed by conducting threat modeling.
•Platform-specific guidelines for mobile applications, as officially issued by Apple, Google (for Android) and Microsoft, are taken into consideration.
•Automated tools are employed to perform Dynamic Application Security Testing, Static Application Security Testing and Software Composition Analysis.
•Manual penetration testing is conducted regularly by Bizagi's Security team, to identify any potential vulnerability that would be difficult to detect automatically.
In addition to the above, customers and other organizations have in the past run their own security checks to assess whether Bizagi meets adequate security compliance levels for enterprise-class solutions.
Bizagi is built for enterprise security, standards and scalability, ensuring that your process applications meet your needs and the stringent requirements of global regulators.
Bizagi is FedRAMP Authorized, ISO/IEC 27001:2013 certified, HIPAA compliant, and GDPR compliant. See Trust Center.
Risk Assessment and vulnerability management
Bizagi acknowledges the importance of risk and vulnerability analysis and management functions, and follows a Risk Management methodology. This methodology establishes guidelines for information security and privacy risk analysis and management. Risk management is an ongoing process to determine the value of assets and their corresponding exposure to threats and vulnerabilities, including continual assessment and mitigation of identified risks. Information produced during the risk assessment is used to determine and manage the critical countermeasures that assure Bizagi's information security and privacy.
Bizagi follows a hiring procedure that defines different background verification levels in line with the applicable regulations on personal data handling. All Bizagi employees sign a confidentiality obligation, which forms part of their employment contract, before accessing any information asset.
Training and awareness program
The Bizagi workforce receives appropriate security awareness education and training, and regular updates on organizational policies and procedures, as relevant to each job function. Security awareness and safety training programs are delivered to employees when they are hired and on a yearly basis thereafter.