ConnectWise Information Security
Information Security Policy
ConnectWise maintains a documented Information Security policy based upon NIST and ISO27000 standards that includes directives for:
- Information Classification and Handling
- Access Provisioning and Review
- Personnel Security and Security Awareness
- Application and System Security
- Network Security
- Vulnerability and Threat Management
- Security Monitoring and Incident Management
- Business Continuity Management
Further, we explicitly define employee responsibilities and acceptable use of information system resources. The organization receives signed acknowledgment from employees indicating that they have read, understand, and agree to abide by the rules of behavior before providing authorized access to ConnectWise information systems. This policy is periodically reviewed and updated as necessary and must be reviewed and acknowledged by all ConnectWise staff annually.
ConnectWise’s Chief Information Security Officer (CISO) reports to the Chief Technology Officer (CTO) directly under the Chief Executive Officer (CEO). The CISO also leads an Executive Information Security Council comprised of senior leaders from all business areas within ConnectWise. This structure facilitates the appropriate executive engagement for security program oversight and risk management.
Information Security roles and responsibilities are further defined within the organization with clear delineation of responsibilities and segregation of duties.
The Information Security organization itself is comprised of key operating areas including:
Information Asset Management
ConnectWise’s data and information system assets comprise both partner and corporate assets. All assets are formally classified based upon sensitivity and criticality, and protection is driven accordingly by security policies and procedures.
ConnectWise applies relevant data classification levels to all customer data it hosts. ConnectWise does not inspect or monitor its customers’ data and has no ability to understand how any data may have been classified by individual customers. For ConnectWise, the overriding requirement towards customer data is that it remains hosted solely in the private cloud and is treated and handled according to its policies for all customer data. Customers remain the data controller (i.e., data owner) for all data they store in their ConnectWise instance and should therefore apply access controls according to their data classification policies.
Personnel Conduct and Security
ConnectWise employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, and professional standards. All employees are required to sign confidentiality agreements.
Employees are provided with security training at the time of hire and on an annual basis going forward. Security training covers a broad section of topics around security awareness, compliance, and privacy. In addition, each ConnectWise employee is required to read, understand, and take a training course on the company’s code of conduct.
Physical and Environmental Security
ConnectWise has policies, procedures, and infrastructure to handle physical security of its corporate offices as well as our support locations across the globe.
ConnectWise offices employ cameras at all entrances and badges are required for access. Our Help Desk, SOC, and NOC locations have backup power supplies and can draw power from diesel generators and backup batteries. Our information systems and infrastructure are hosted by world-class cloud providers that are geographically dispersed to provide high availability and redundancy to ConnectWise and its customers.
Changes to information systems, network devices, and other system components, as well as physical and environmental changes, are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the expected changes are operating as intended.
Security Event Management
We generate and maintain audit and event logs on all systems. These logs provide an account of which personnel have accessed which systems and include security-relevant events. These logs and events are captured and sent to a central event management server for correlation and analysis. The event logs are protected from unauthorized access and tampering. Access to our auditing and logging tool is further controlled by limiting access to authorized individuals. The security operations team continuously monitors for suspicious activity. Potential security issues are triaged and escalated within security operations and to the Incident Response team accordingly. Security events record critical system configuration changes, and administrators are alerted at the time of change. Retention schedules for the various logs are defined in our security control guidelines.
ConnectWise endpoints are equipped with a cloud-based, next-generation threat protection platform leveraging execution profiling and predictive security analytics as well as malware signatures, indicators of compromise, exploits, and vulnerabilities.
ConnectWise regularly scans systems and networks for vulnerabilities. All findings are reviewed, prioritized based on severity, and assigned to the appropriate team for remediation. ConnectWise also regularly commissions vulnerability assessments, phishing assessments, and penetration tests through trusted third-party providers.
ConnectWise also has a process for addressing zero-day vulnerabilities that includes threat intelligence for visibility, scanning for assessment of threat, and emergency escalation provisions for remediation.
ConnectWise strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patch management processes are in place to implement security patch updates as they are released by vendors. Patches are tested prior to being deployed into production.
Logical Access Controls
Role-based access is utilized in all information systems. Entitlements are defined based upon least privilege and segregation of duties. Processes and procedures are in place to govern access provisioning, access termination (voluntary and involuntary), and periodic entitlement reviews. Privileged access is further controlled by segregation of account IDs, security notifications of privileged account usage, and time-bound access.
All users are provisioned with unique account IDs. Password requirements enforce the use of complex passwords as well as password rotation to protect against unauthorized use of passwords. Passwords are individually salted and hashed. Further, all employees have multifactor authentication (MFA) enabled and enforced on their accounts.
ConnectWise employees are granted a limited set of default permissions to access company resources, such as their email and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines. Approvals are managed by workflow tools that maintain audit records of changes.
We follow a defined methodology for developing software that is designed to increase the resiliency and trustworthiness of our products. Our software development methodology is based on a security/privacy-by-design approach. Security and security testing are implemented throughout the entire software development methodology. Quality assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.
Our secure development lifecycle includes standard security practices such as vulnerability testing, regression testing, penetration testing, and product security assessments. The ConnectWise architecture review board is responsible for reviewing all major changes to our products as well as changes to our engineering approach and methodology.
ConnectWise has a formalized incident response plan and associated procedures in case of an Information Security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
An incident response team is responsible for providing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Business Continuity and Disaster Recovery
To minimize service interruption due to technology failure, natural disaster, or other catastrophe, we have implemented data backup and disaster recovery programs across all cloud environments. These programs include multiple components to minimize the risk of any single point of failure. Access and encryption controls are established to safeguard data backups. All recovery and data restoration plans are tested and updated regularly.
We apply a common set of data management principles to partner and customer data that we may process, handle, and store. We protect all data using appropriate physical, technical, and organizational security measures.