Cloud Security for IBM Maximo

Security Program

• Please send security questions, concerns, or suspected malicious activity related to Projetech’s service offering to infosecsupport@projetech.com
• Projetech has implemented an ISMS (Information Security Management System) that meets ISO 27001 framework requirements
• All Projetech employees undergo standard verifications checks which include criminal background checks and other identification validation requirements prior to employment.
• All Projetech employees are required to complete security awareness training on an annual basis.
• Projetech employs a formal risk review and mitigation program as part of ISO 27001/27017 requirements.
• All critical security related decisions must be formally approved by Projetech’s Executive or Steering Committees.

Change & Patch Management

• Projetech’s service includes the maintenance of customer applications and supporting infrastructure to ensure all layers of the solution stack are on the latest supported and secure version.
• Patches, upgrades, and other fixes are analyzed in a timely manner and applied using a formal change and patch management system, which is integrated into Projetech’s ticketing and customer communication systems.
• Projetech employs a formal reoccurring maintenance schedule that is shared with customers.
• All changes to customer applications and supporting infrastructure require formal customer communications sent to pre-designated maintenance contacts.

Customer Communication & Knowledge Base

• Projetech’s customer communication solution is integrated into organizational incident response and change management processes. Customers will receive formal communications from Projetech’s ticketing system to pre-designated contacts during incident or change/patch management operations.
• Projetech has created an online community that serves as an educational resource for Maximo related topics. Maximo Online Resources & Education (MORE). https://moremaximo.com/home

Security Testing & Monitoring

Penetration Testing

• Projetech undergoes annual formal penetration testing by a reputable 3^rd party.
• Penetration test results are reviewed by the organizational Steering Committee and remediated based on criticality and overall organizational impact.

Vulnerability Management

• Projetech performs monthly vulnerability scanning on multiple layers of the solution stack.  
• Vulnerabilities are categorized based on NISTNVD metrics.
• Vulnerability results are considered confidential and are not shared with customers or other 3^rd parties.

Customer Monitoring & Access

• Quarterly access control reviews are performed on cloud service infrastructure and associated user accounts.
• DNS configuration and SSL certificate management are included as part of Projetech’s cloud service offering.
• Projetech’s cloud service includes a customer dashboard to monitor items such as application and supporting infrastructure resources, scheduled maintenance, and other system health related information.

Security Operations & Technology

• Projetech’s cloud service includes next-gen firewalls with security features that include but are not limited to intrusion prevention systems (IPS) and DDoS protection.
• Projetech’s cloud infrastructure log sources are integrated into a 3^rd party security information and event management (SIEM) solution for threat analysis and retention requirements.
• All cloud assets contain endpoint security applications to prevent malware and other malicious activities. All endpoint security applications are updated in real-time.
• Projetech’s cloud service includes server auditing using a 3^rd party application to track all cloud user activity and other behavior analysis capabilities.  

Identity Management

• Projetech’s offering includes the configuration of SSO and other authentication methods.
• Projetech recommends implementing SAML authentication. Native and LDAP authentication are also included in Projetech’s service.

Business Continuity

• All customer production environments are replicated to a geographically separate data center. In the event of a disaster, customer applications will be restored in an alternate data center with a maximum RPO of 2 hours.
• Formal business continuity testing occurs at least once annually.

Projetech’s Disaster Recovery Methodology

Quality

• Projetech employs a Quality Management System (QMS) and is ISO 9001 certified. See Compliance section below for link to certificate.

Data Security and Backup

• Least access principles are leveraged for Projetech support staff with access to customer applications. All Projetech employee access must go through a formal change and review process prior to customer data access.
• Projetech employs a full-time Database Administrator to monitor database performance.
• All customer data access is logged and monitored.
• All customer data is encrypted in-transit and at-rest.
• Projetech employs a 3-2-1 backup methodology
• Projetech’s backup offering includes a multi-layer strategy covering the entire solution stack.
• Customer data is backed up hourly for a maximum RPO of 2 hours and replicated to an alternate data center for disaster recovery requirements.
• Customer supporting infrastructure (example: application, database, file server) is backed up daily and replicated to an alternate data center for disaster recovery requirements
• All backup and restoration processes are monitored and tested on a continual basis.

Compliance

Strict industry security standards that are internationally recognized for Information Security Management Systems. SOC reports available upon request

Our Infrustructure/Information Security Manager, Tyler Caldwell, published an article in Reliability Web's Uptime Magazine on the importance of ISO 27001.