One Identity Compliance Commitment

A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. These reports are issued by independent third party auditors covering the principles of Security, Availability, Confidentiality, and Privacy.

What’s the primary purpose of this initiative?

Provides an independent assessment of One Identity’s security and privacy control environment. The assessment includes a description of the controls, the tests performed to assess them, the results of these tests, and an overall opinion on the design and operational effectiveness of the same.

What’s the scope?

One Identity’s SOC 2 Type 2 Report covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy. The report also includes a mapping of the controls tested to ISO/IEC 27001:2013 Annex A / ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, HIPAA security requirements, and FFIEC’s examination guidelines for GLBA Information Security.

How often are you evaluated/audited?

Audits are performed annually.

Who is the primary audience?

Customers and relevant third parties with a business need.

The ISO 27018:2019 standard provides guidance in the form of objectives, controls, and guidelines. One Identity aligned its existing privacy controls to be compliant to this standard in order to augment its privacy program. These controls are tested as part of the periodic SOC 2 Type 2 report and an independent body has audited our compliance with this standard as part of our ISO 27001:2013 certificate annual audits.

What’s the primary purpose of this initiative?

The ISO 27018:2019 standard provides guidance in the form of objectives, controls, and guidelines. Alignment with this standard provides additional assurance of the adequacy of One Identity’s Privacy Program.

What’s the scope?

One Identity’s Privacy Program and its alignment with recommended objectives, control, and guidelines.

How often are you evaluated/audited?

The ISO 27018:2019 controls are tested as part of the periodic SOC 2 Type 2 Report Audits and our ISO 27001:2013 Certification audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

The ISO 27017:2015 standard provides guidance to both cloud service providers and consumers of these services in the form of objectives, controls, and guidelines. One Identity aligned its existing security controls to be compliant to this standard in order to augment its security program. These controls are tested as part of the periodic SOC 2 Type 2 report and an independent body has audited our compliance with this standard as part of our ISO 27001:2013 certificate annual audits.

What’s the primary purpose of this initiative?

The ISO 27017:2015 standard provides guidance to both cloud service providers and consumers of these services in the form of objectives, controls, and guidelines. Alignment with this standard provides additional assurance of the adequacy of One Identity’s Security Program.

What’s the scope?

One Identity’s Security Program and its alignment with recommended objectives, control, and guidelines.

How often are you evaluated/audited?

The ISO 27017:2015 controls are tested as part of the periodic SOC 2 Type 2 Report Audits and our ISO 27001:2013 Certification audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

The ISO 27001:2013 standard helps organizations keep information assets secure. Using this family of standards helps One Identity manage the security of assets such as financial information, intellectual property, employee details, and information entrusted to us by third parties. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate, which required annual audits to maintain.

What’s the primary purpose of this initiative?

Provides an independent assessment and certification of One Identity’s Information Security Management System (ISMS). The ISMS includes all aspects of security and privacy that impact both One Identity and its customers.

What’s the scope?

The scope of the ISO 27001:2013 certification is the ISMS supporting the management of the infrastructure and services used to support One Identity’s Enterprise Identity and Access Management solution.

How often are you evaluated/audited?

A comprehensive certification audit is performed every three years and surveillance audits are performed 12 and 24 months after each comprehensive audit. In addition, One Identity performs an annual internal audit using an independent third party as part of the ISO 27001:2013 requirements.

Who is the primary audience?

Customers and relevant third parties with a business need.

Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

What’s the primary purpose of this initiative?

Provide an objective evaluation of OneLogin’s security capabilities based on criteria developed in conjunction with the Cloud Security Alliance.

What’s the scope?

OneLogin’s security controls evaluated against a specific set of criteria developed by Skyhigh Networks in conjunction with the Cloud Security Alliance.

How often are you evaluated/audited?

An evaluation is performed periodically at Skyhigh Network’s discretion and when changes are submitted by OneLogin.

Who is the primary audience?

Customers and relevant third parties with a business need.

One Identity welcomes the GDPR as an important and necessary evolution in the data protection laws across the EU. One Identity’s privacy and security program meets and exceeds the highest standards in the industry, including compliance with the GDPR.

The new General Data Protection Regulation (“GDPR”), which replaces the European Commission’s Data Protection Directive, goes into effect on May 25, 2018. Its goal is to unify European Union (EU) privacy regulations and better protect EU citizen personal data both within the EU and outside the EU. As a data processor and controller, One Identity has verified that we meet all GDPR requirements and we will continue to actively uphold GDPR compliance. We are also providing resources and documentation to support our customers in their roles as data controllers.

At One Identity, ensuring that all customer data is handled securely and responsibly is our number one priority. Here is an overview of what to expect from GDPR, how we are complying with this new regulation, and how we are empowering customers to comply.

What is the purpose of GDPR?

GDPR is a comprehensive data protection law that serves two purposes:

1. Protect individual’s data: GDPR gives control over personal data back to the EU residents and prohibits organizations from exploiting that data.

2. Guidelines for Organizations: GDPR makes data protection law identical throughout the single market. It provides businesses with simpler legal guidelines, which can be more easily enforced by government bodies.

Who does GDPR apply to?

GDPR applies to any organization operating within the EU, as well as organizations that offer goods or services to customers or businesses in the EU. This broadens the scope of protection of EU residents for improved privacy control.

How will GDPR affect me?

If you are a resident of the EU, congratulations! The European Union is taking steps to ensure that your data is used safely and appropriately.

If your organization provides services within the EU, you will need to be compliant with GDPR. This will impact the way that you store, process, and utilize user data in a number of ways. See this overview of key changes introduced by GDPR as it replaces the European Commission’s Data Protection Directive.

Right to access and portability: Users can request confirmation as to whether their personal data is being processed, where and for what purpose. Further, the data controller is required to provide a copy of the personal data, free of charge, in an electronic format.

Breach notification requirement: Breaches, which are likely to “result in a risk for the rights and freedoms of individuals”, must be reported within 72 hours of first having become aware of the breach.

Privacy by design:Companies must take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process. Companies must also take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process.

Right to be forgotten: Companies must allow users to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

This is not an exhaustive list. But fail to meet any of these requirements, and you may be fined up to 4% of your annual growth turnover, or €20 million.

What steps is One Identity taking to be GDPR compliant?

One Identity is a global organization that both processes and controls data from around the world, including the EU. Our existing certifications and long-standing commitment to privacy frameworks prepare us for GDPR in many ways.

• To meet GDPR requirements, organizations are required to articulate data flows, and demonstrate how privacy is controlled and maintained. Our “Blank Page” approach to redrawing our data flows and building out very detailed data mapping diagrams helps us to achieve this.

• Updated Standard MSA and Data Processing Agreement: Organizations are also required to update their contractual language to reflect the additional accountability required by GDPR. To this end, One Identity leverages data breach notification language, uses subcontractors, and communicates responsibilities to our own data processing vendors.

• Data Protection Officer: One Identity utilizes an independent external consultant based in the EU to serve as our DPO.

How is One Identity helping customers to be compliant?

One Identity is dedicated to empowering customers with the resources they need to comply with GDPR. Here’s how:

Right to access and portability

• IT administrators can easily find a user in the system and print out their information as stored in any of the user directories.
• User privileges and role assignments in One Identity indicate where the user’s metadata is used (i.e. all applications they have access to.)

Breach notification requirement

• One Identity’s event streaming service can help identify breach attempts much faster when correlated with additional enterprise security events.
• Following the identification of a potential breach, administrators can use One Identity’s event dashboard and reporting tool in order to investigate further.

Right to be forgotten

• One Identity allows for the automated deprovisioning of users from other systems and external applications.
• Admins can delete users immediately to meet both privacy and enterprise security requirements.
• Admins can also manually audit provisioned apps.

Privacy by design: One Identity is a trusted partner
Privacy by design is a particularly challenging requirement, but as a vendor we are well-prepared for it.

• The One Identity service has always handled information that must be protected; whether due to privacy regulations, credit card industry regulation, its designation as shared secrets, or several other data protection requirements.
• One Identity incorporates privacy impact assessments that are performed periodically and as part of the design process for new features.

Privacy by design: A better architecture with One Identity
Especially if you are an architect in IT or engineering, you might be thinking not only about your third parties’ compliance, but the compliance challenges in your own systems. Consider the advantages of building your integrations on top of One Identity’s platform.

Many of the compliance challenges are the result of older architectures that allow for limited control over how data is stored, managed, and processed. For example, it used to be very common for legacy applications to access the corporate directory directly. This meant they typically had access to all user information with few restrictions on what they modify, cache or store.

We have come a long way since.

To understand how, let’s start with some essentials. The core of One Identity’s identity platform is modern protocols, including SAML, OpenID Connect and SCIM. These modern protocols use secure tokens, security assertions and automated provisioning.

• Secure tokens: The user never signs-in to an app directly. Instead, the user always signs-in securely using a Single Sign-On (SSO) portal. Any trusted app can receive a secure token that represents the user.
• Security assertions: Identity information (e.g. user name, employee ID) is digitally signed by a trusted party, specifically an identity provider.
• Automated provisioning/deprovisioning: When a user is granted access to an application, their relevant metadata is pushed to the app. Similarly, when a user’s access is revoked, their relevant metadata is deleted from the app.

One Identity’s Identity Platform enables you to leverage modern protocols for virtually any public cloud or private/custom app.

Advantages:

• Applications do not authenticate users directly, which means better security and privacy.
• Applications do not have direct access to the corporate directory for read/write to the entire user base.
• Applications get only the user metadata they need — only for users with access to the app, and user’s access can even be anonymous.
• Applications can get role/privilege information without direct access to the user’s information.

You can learn more about how we are embracing GDPR by reviewing our privacy policy.

If you have questions or need more information please email privacy@onelogin.com.

The EU Model Contract Clauses are designed to facilitate transfers of personal data from the European Economic Area (EEA) to other countries, while providing appropriate safeguards for the protection of personal data. These clauses are part of our Data Processing Addendum and offer an alternative means of fulfilling adequacy requirements, and therefore are an alternative to the US Privacy Shield Framework or Binding Corporate Rules.

What’s the primary purpose of this initiative?

Provide a mechanism for customers in the EEA, who are considered the data controllers, to work with One Identity, the data processor, and mutually agreeing to the transfer personal data outside of the EEA only under the proper safeguards and in compliance with EU data protection law.

What’s the scope?

The model contract clauses are standard for all data processing providers and document the provider’s commitment to abide by the EU data protection law.

How often are you evaluated/audited?

EU model contract clauses are executed on an as needed basis

Who is the primary audience?

Customers who are going to be transferring EEA personal data to One Identity.

Applications penetration tests are performed by independent third parties on a yearly basis. The objective of these tests is to help ensure we discover potential security vulnerabilities in our applications and are steering clear of the OWASP Top 10 and the SANS Top 25. Testers are granted access to their own account and the underlying source code.

What’s the primary purpose of this initiative?

Penetration tests help One Identity identify potential security vulnerabilities in our applications, including those in the OWASP Top 10 and the SANS Top 25.

What’s the scope?

The core applications are covered during every assessment and additional services including mobile applications and browser extensions are focus areas on a rotational basis.

How often are you evaluated/audited?

Third party penetration tests are performed annually.

Who is the primary audience?

One Identity - internal use only

Bug bounty programs provide another vehicle for organizations to discover vulnerabilities in their systems by tapping into a large network of global security researchers that are incentivized to responsibly disclose security bugs via a reward system. Operationally, the end results are very similar to a vendor-performed penetration test, but the number of researchers searching for bugs is much higher and not timeboxed, unlike a typical penetration test exercise.

What’s the primary purpose of this initiative?

Similar to our scheduled penetration tests, the bug bounty program helps OneLogin identify potential security vulnerabilities in our app, including those in the OWASP Top 10 and the SANS Top 25.

How often are you evaluated/audited?

Ongoing program.

Who is the primary audience?

OneLogin - internal use only

The Gramm-Leach-Bliley Act (GLBA) of 1999 first established a requirement to protect consumer financial information. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to protect the security, confidentiality, and integrity of such information. The Federal Financial institutions Examination Council (FFIEC) supports this mission by providing extensive, evolving guidelines for compliance. OneLogin does not store consumer financial information, but has mapped its controls framework to FFIEC guidelines to validate that we are able to comply with GLBA if the need arose. This control framework is tested as part of the SOC 2 Type 2 reports.

What’s the primary purpose of this initiative?

Validate that OneLogin would be able to comply with FFIEC guidelines designed per GLBA requirements to protect consumer financial information.

What’s the scope?

OneLogin’s security controls evaluated against the FFIEC guidelines for testing compliance with GLBA.

How often are you evaluated/audited?

The security controls aligned with FFIEC guidelines for the testing GLBA requirements are tested as part of the periodic SOC 2 Type 2 Report Audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) in response to Executive Order 13636. The framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. One Identity aligned its existing security controls to be compliant with this framework in order to augment its security program. These controls are tested as part of the periodic SOC 2 Type 2 report.

What’s the primary purpose of this initiative?

Provide an additional reference point for developing and maintaining One Identity’s Security Program.

What’s the scope?

The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

How often are you evaluated/audited?

The security controls aligned with the NIST Cybersecurity Framework’s Framework Core are tested as part of the periodic SOC 2 Type 2 Report Audits.

Who is the primary audience?

Customers and relevant third parties with a business need.

UK public sector organizations and arm’s length bodies can use the Digital Marketplace to buy cloud-based services. In order to do so, suppliers must agree to and abide by the G-Cloud framework and OneLogin participates in this program.

What’s the primary purpose of this initiative?

Provide OneLogin service data to UK public sector organizations and arm’s length bodies according to G-Cloud framework requirements.

What’s the scope?

The G-Cloud framework requires a supplier declaration which contains standard data elements that enable organizations to evaluate suppliers based on the same criteria. Data elements include information on the support of open standards, onboarding and offboaring, provisioning, data storage, asset protection and resilience, vulnerability management, and incident management, among others.

How often are you evaluated/audited?

Each G-Cloud framework iteration typically lasts for 12 month periods, at which point a new iteration is created and suppliers must submit a new declaration based on that iteration’s requirements.

Who is the primary audience?

UK public sector organizations and arm’s length bodies.