Confidentiality and Integrity
Organization of Information Security
The Information Security organization at ThousandEyes is headed by the Chief Information Security Officer. His team oversees all aspects of data protection: business, physical, and technical security and privacy. This also includes audit and compliance, as well as overall risk management.
Human Resources Security
We believe information security starts with people and it's not enough to merely secure physical systems. Hence, we invest in security awareness and training for all our employees so that they are equipped with the knowledge to support our security and privacy management systems from day one.
Asset and Risk Management
All information is classified in terms of its confidentiality within a three-level data classification scheme, and we require specific security controls to be implemented accordingly. Risk assessments are required to be performed on each critical information asset to verify whether existing controls meet defined criteria. All customer information is classified as confidential by default and, as a result, will always require the highest level of protection.
Access to information is granted on a need-to-know basis and controlled through a managed process that addresses authorization for new access, timely access revocation when required and periodic review of access lists to critical information.
All crypto controls at ThousandEyes adhere to international legal regulations and restrictions and require strong key management procedures.
Physical and Environmental Security
Both data centers and office space are equipped with access control and video surveillance systems, with 24x7 security onsite. To be accepted by ThousandEyes, data centers must meet Tier III requirements.
All networks, systems and applications are securely configured, implemented and backed up to ensure that they operate as intended. Anti-malware is deployed on all critical customer-facing systems.
All communication resources at ThousandEyes are used in a manner that is consistent with our ethical and business principles, and we have implemented relevant controls such as the use of cryptography for sensitive data transmission.
System Acquisition, Development and Maintenance
Examples of our controls include penetration testing and code review as vital steps in the approval process. Furthermore, our secure software development lifecycle design and deployment methodologies are continually being enhanced to keep up with current best practices and stay ahead of the latest threats.
Third Party Services
When contracted third parties act on our behalf, we require them to meet the same rigorous standards of security and privacy as we meet internally. This due diligence is completed as part of our vendor risk management process, which entails a comprehensive security review of the third-party organization as well as their service offering or product.
Security Monitoring and Incident Management
We constantly monitor our network, systems and applications to detect various types of events. No surprise, our own cloud monitoring solution monitors itself and other components of our technology infrastructure. When a critical event is registered, our incident response plan immediately kicks in.