March 29, 2023
Armis Information Security Disclosure
Introduction
Armis’ Platform enables customers to discover, assess, and manage all IT, OT and IoT devices on their network, including those that are managed, unmanaged or unknown. It encompasses the following key functions and services:
- Discover all assets.
- Identify risks and gaps.
- Automate enforcement.
The Platform components are built from the ground up with robust security controls designed to protect collected Customer Data (as defined in the Armis Platform Terms and Conditions (“Terms”)). All Customer Data is processed and stored on Armis’ or Armis’ third-party providers’ servers located within supported Cloud Services Providers’ (“CSP”) data centers. Each CSP data center utilizes state-of-the-art information security measures that are SOC2 Type II audited and/or certified under the ISO 27001 standard. Customer Data is kept strictly confidential regardless of location, including the limited information contained within support tickets. Customer Data is never shared with any third-party organization except Armis’ appointed third-party subprocessors. Our application, databases, networks, and corporate infrastructure are supported by extensive industry security standards and measures, including a range of technical, physical, and administrative measures, to provide quality data security alongside a quality product and user experience.
Overview
Armis implements and maintains a multi-layer Information Security Management System (ISMS), in accordance with ISO 27001 guidance. To test the implementation of the controls, Armis has retained the auditing services of a top-tier, independent 3rd party auditor and has undergone a SOC2 Type 2 and ISO 27001 audit. The ISMS provides for controls at multiple levels of data storage, processing, export and/or deletion, access, and transfer. The strategy includes the following key components:
- Armis corporate security policies
- Organizational security
- Security Risk Management Program
- Asset classification and control
- Personnel/Human Resources secure management
- Information Security Awareness
- Cryptography
- Communications Security
- Vendor Security Risk Management
- Change management
- Physical and environmental security
- Operational security
- Security Vulnerability Management
- Access controls
- Secure systems development and maintenance
- Disaster recovery and business continuity
- Corrective action program
- Regulatory compliance
Organizational Security
Armis employs an internal Information Security Team (“Infosec Team”). The Infosec Team is responsible for building, improving, supervising and maintaining customized security infrastructure, the company’s perimeter defense systems, security policies, processes and standards, and implementing Armis’ overall information security program. Specifically, the Infosec Team performs the following activities:
- Develop, ensure approval, train on, implement, review and continuously improve security policies, processes, standards and measures for Armis’ networks, applications, systems, services and practices, by conducting regular security design and implementation-level reviews;
- Provide ongoing assessment and consultation on security risks associated with all systems and activities involving Customer Data, in relation to known and newly found security concerns, as well as any number of projects and possible solutions to security concerns;
- Implement and continuously improve an information security program comprising a range of administrative, technical and physical data security measures;
- Oversee the implementation of a range of information security technical measures aimed at logging relevant information security signals, scanning relevant systems, controlling access to relevant systems, implementing data encryption and similar technologies, ensuring data availability and backup, controlling and maintaining personal computers used by Company personnel, and operating a Security Operations Center (SOC) to ensure proper analysis and attention to any and all information security alerts;
- Ensure physical security in all Armis offices and other relevant facilities;
- Oversee all information security aspects of a comprehensive vendor management program where proprietary, confidential and/or Customer Data is involved;
- Adhere to a formal incident response process to quickly recognize, analyze, and remediate information security threats;
- Develop and deliver training for employees on the information security program, information security awareness, and compliance with security policies and processes;
- Engage outside security experts to conduct regular security assessments of Armis’s infrastructure and applications.
Administrative Security Measures
Policies and Processes:
Armis has developed and implemented a range of documented policies, standards, programs and processes in support of its overall data security program. These include, but are not limited to: employee security training process; employee background checks; incoming and departing employees’ access and related data protection process; access control policy and processes; product vulnerability management and penetration testing, reporting and remediation process; business continuity and disaster recovery process; security incident management standard; confidentiality documentation policy; vulnerability and patch management standards; mobile devices policy; removable media policy; acceptable encryption standard; vendor risk management standard; configuration management standard; data handling policy; media destruction policy; and data classification and handling standard.
Security Risk Management: Armis has implemented a security risk management program based on the requirements of the NIST Risk Management Framework (RMF). The program defines a systematic and consistent process to ensure that security risks to Armis’ Information Assets are identified, analyzed, evaluated and treated. Risk treatment and the risk remaining after treatment (i.e., residual risk) are communicated to risk owners, who decide on acceptable levels of risk, authorize exceptions to this threshold, and drive corrective action when unacceptable risks are discovered.
Acceptable Use Policy: This policy defines the proper configuration, use and maintenance of Company equipment at Armis (including computing devices, software, storage media, networks and other devices).
Asset Management Policy: This policy covers the following aspects:
- Assets associated with information and information processing facilities are identified and an inventory of these assets is listed and maintained;
- Assets maintained in the inventory are assigned an owner;
- Company provided assets are governed by the Acceptable Use Policy;
- All employees and external party users return all the organizational assets in their possession upon termination of their employment, contract or agreement.
Access Control Policy: This policy is based on an employee’s job function and role, using Least-Privilege and Need-to-Know concepts to match access privileges to defined responsibilities. By default, Armis employees are granted only limited permission to access company resources, such as email, internal portals, and HR information. Access to Armis’ data systems is controlled by authentication and authorization mechanisms. In addition, employees must be in an Armis office, or connected via VPN or a Zero Trust network (authenticated with user ID + password + PIN/token), and then log in to an internal portal via SSO, before they can connect to a customer management console and/or server. The policy includes the following rules: (i) system owners are responsible for users with access to their systems; (ii) Armis’ Information Technology Group acts as technical admin for all data systems and supervises the granting and removal of access rights; and (iii) upon an employee’s change of duties, access rights are changed accordingly.
Data Classification & Handling: all Data (which includes all proprietary, confidential, sensitive and/or customer data) is classified as such and is assigned corresponding processes and policies with respect to access rights, labeling, encryption requirements, maintenance and destruction, transfer methodologies, sharing, logging and monitoring of such Data.
Security Vulnerability Management Policy & Patch management standard: detailed process for testing Armis products and corporate systems for security vulnerabilities, reporting of identified vulnerabilities and a corresponding elimination procedure. The vulnerability management program also includes:
- The Infosec Team constantly monitors vulnerabilities flagged by customers, employees, hired third-party assessors and other users of the Platform. The Team undertakes external testing and audits and is responsible for tracking and following up on identified vulnerabilities;
- A periodic network vulnerability scanning and annual penetration testing process is implemented, covering the Armis SaaS Platform, the corporate environment and all other systems which host and process proprietary information and Customer Data;
- Application of security patches to production systems on a regular basis;
- Updating all software components and operating systems as part of every application/management console major release;
- Performing static and dynamic code analysis and third-party library vulnerability scanning before every major release.
Business Continuity & Disaster Recovery Processes: includes the following components:
- Daily backup of all Customer Data: all Customer Data is backed-up daily in our CSP data center, and where available or provided by the CSP, physically located in a different location (availability zone) from where the same Customer Data is originally stored;
- Monitoring process in place to ensure successful ongoing backup;
- Systems capable of restoring customers’ servers with a Recovery Time Objective (RTO) of under 4 hours and a Recovery Point Objective (RPO) of 24 hours;
- For Armis’ corporate environment: daily backups of all critical servers, a retention policy of backup data for 1 year, periodic restore tests and backup monitoring, and means and processes to enable employees to maintain business continuity during a recovery event;
- Annual Disaster recovery plan testing.
Data Backup and Retention/Deletion Policy: All Customer Data and critical business data is backed-up as follows:
- Daily backup of Customer Data: all Customer Data is backed up daily in a CSP data center different from the primary location where such Customer Data was originally stored, utilizing online snapshot technology;
- All Customer Data (including backups) is deleted or irretrievably destroyed within 60 days of subscription termination to the Platform.
Security Incident Response Process: Armis has put in place a security incident management process for managing security incidents that may affect the confidentiality, integrity, or availability of its systems or data, including Customer Data. The process specifies courses of action, procedures for notification, escalation, mitigation, post-mortem investigations after each incident, response process, periodic testing, and documentation. Armis has a dedicated SOC function, which manages & monitors a Security Information & Event Management (SIEM) solution deployed across the organization.
Security and Data Privacy Awareness Training Process: A security onboarding training session is conducted with each new employee. Employees are provided with security awareness and data privacy training within a month of joining and yearly thereafter. The process also includes ongoing assessment by the Infosec Team of the security training program, including creation of new content, role-specific trainings and other updates.
Personal Machines Security Setup: Documented process for setting up personal computers issued to new employees with focus on security updates, applications and settings.
Employee Hiring & Termination Policy: Detailed process for ensuring appropriate access controls to newly hired employees, proper documentation completion by newly hired employees, tailored infosec employee training, return of all data and relevant Company equipment held by departing employees to Armis, and eliminating employees’ access to all Armis systems.
Confidentiality Arrangement Policy: Every new employee, vendor or agent with access to Armis systems, proprietary information or customer data is required to execute a comprehensive confidential information agreement in which such employee or agent commits to maintain all Armis and Armis customers’ information in strict confidence and to only use such information in providing services to Armis or an Armis Customer.
Vendor Risk Management: All vendor engagements must be approved by the Armis Infosec, Legal, Finance and Procurement Teams, who review each vendor with respect to the risk associated with Armis data and the risk associated with the vendor relationship. Vendors are otherwise required to enter into comprehensive confidentiality and quality control commitments, commit to comprehensive information security standards, agree to reasonable vendor audits, and respond to an annual vendor security risk assessment questionnaire.
Systems Development and Maintenance: Armis’ policy continuously considers the security properties and implications of applications, systems, and services used or provided by Armis throughout a given project lifecycle. The policy requires individuals to implement appropriate security measures in applications, systems, and services being developed, commensurate with identified security concerns. The Company’s Infosec Team is responsible for providing security-related guidance and risk assessment. A comprehensive procedure is also in place for code development, code review, the QA cycle, the change request process, code freezing and rollout.
Other Administrative Security Measures
Designated Heads of Information Security Program: The Infosec Team is headed by a designated implementation lead, working closely with a compliance lead to define and execute information security program goals.
Geography-based Customer Data Processing/Storage: Armis has implemented an infrastructure configuration whereby customers may select to store all management console data in certain data centers located in geographies selected by customers.
Internal Audit Program: Armis has implemented an internal audit program, to ensure an organized audit process for the Company’s information security policies, processes, technical measures and practices.
Personnel Security: Armis utilizes a 3rd party service to perform comprehensive background checks of all new hires and contractors with access to customer data, subject to local law limitations. Such background checks, as allowed by local laws, include criminal history, prior employment, educational background and reference checks.
Technical Security Measures
Encryption Practices: All communications with Armis servers, and among Armis servers in different locations, are encrypted in transit. TLS 1.2 with 256-bit ciphers is supported. All password information is encrypted at rest. In addition, all customer data is encrypted at rest using AES-256.
Network Security: Customers’ management console servers are isolated such that no access is possible among servers of different customers. The Armis network is protected by redundant firewalls, commercial-class router technology, regular audits, and a host intrusion detection system on the firewall that monitors for malicious traffic and network attacks.
Vulnerability Assessment and Pen-Testing: Armis conducts annual, comprehensive penetration testing by a top-tier third-party service, including penetration testing of our SaaS and agents (black and grey box), corporate infrastructure penetration testing and targeted social-engineering testing, and automated testing of the public website for open vulnerabilities. A licensed tool is used to perform periodic network vulnerability assessments on all servers in corporate networks as well as the CSP cloud.
MFA: Multi-factor authentication is enabled for access to all critical systems, as well as all admin-level accounts.
Multi-factor authentication and Single Sign-On (SAML 2.0) systems are implemented for all in-product access, as well as for Company security devices.
Physical Security Measures
Data Center Perimeter Security: Armis utilizes fully managed data centers from Amazon Web Services (AWS). These data centers are geographically distributed and employ a variety of best-in-class physical security measures. The standard physical security controls at each data center consist of reliable, well-tested technologies that follow generally accepted industry best practices: custom-designed electronic card access control systems, alarm systems, biometric identification systems, interior and exterior cameras, and a 24x7x365 presence of security guards. Access to areas where systems or system components are installed or stored is restricted to personnel whose identities are verified through biometric security measures and who have gone through background checks. Such areas are segregated from general office and public areas.
Access to Armis offices is protected via custom-designed electronic card access control systems, including individually assigned cards and access logging, round-the-clock interior and exterior surveillance, closed-circuit cameras and alarm systems. We also maintain important contact information for local emergency agencies.
Data Privacy
Because Armis’ collection of asset data and activity is focused on system-level analysis, the majority of the data Armis collects does not include any personally identifiable information, or information which may lead to the identification of a unique individual (PII). The Customer Data collected by the Platform that may constitute PII includes: asset IDs and user names (as assigned by Customers’ IT function); a limited number of customer employees’ names and emails (for admin login purposes as well as communication and alerts to customers’ admins); and IP addresses.
As part of its data privacy compliance plan, Armis has implemented a system configuration which allows customers to choose specific geographic data centers where they can store all management console data. For example, European customers can choose to store all their management console data in Armis’s CSP data centers in Frankfurt, Germany.
Armis continuously updates its Privacy Policy and privacy practices, achieving timely compliance with the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and implementing a host of data privacy compliance steps to ensure continued compliance with prevalent data privacy legislation. Such practices include, among other things, accountable management of all PII processed by Armis on behalf of its customers and employees, mapping and documentation of all PII processing, privacy-specific training, breach notification/remediation process, PII access/review/export requests policy and process, appointment of a data privacy officer, permanent deletion of PII once no longer needed to provide the Armis Solutions, and continuous monitoring of emerging data privacy legislation in geographies where Armis does business.