Access Control
ISO-27001 ISO-22301 ISO-27701 SOC2
References in this section refer to attestations and reports which can be provided on request from tmo@mimecast.com
Remote Access
ISO-27001
Mobile device policy (section 6 controls)
Information classification (section 8 controls)
Management of removable media (section 8 controls)
Secure logon procedures (section 9 controls)
Addressing security within supplier agreements (section 15 controls)
ISO-27701
Management direction for information security (section 6 controls)
System and application access control (section 6 controls)
Addressing security within supplier agreements (section 6 controls)
Records related to processing PII (section 8 controls)
ISO-22301
Establishing business continuity objectives (section 6 controls)
Risk assessment (section 8 controls)
General (section 8 controls)
SOC2 (Trust Principle section)
Principal service commitments
Components of the system
Identification and Authorisation
ISO-27001
Use of secret authentication information (section 9 controls)
ISO-27701
Management of secret authentication information of users (section 6 controls)
ISO-22301
General (section 9 controls)
SOC2 (Trust Principle section)
Principal service commitments
Components of the system
Least Privilege and Monitoring
ISO-27001
Access to networks and network services (section 9 controls)
User access provisioning (section 9 controls)
System and application access control (section 9 controls)
ISO-27701
Access to networks and network services (section 6 controls)
User access provisioning (section 6 controls)
System and application access control (section 6 controls)
ISO-22301
Audit programme(s) (section 9 controls)
SOC2 (Trust Principle section)
Principal service commitments
Components of the system
Policy and Procedures
ISO-27001
Information security risk assessment (section 6 controls)
Business requirements of access control (section 9 controls)
Event logging (section 12 controls)
ISO-27701
Access control policy (section 6 controls)
User access management (section 6 controls)
Event logging (section 6 controls)
ISO-22301
Internal audit (section 9 controls)
SOC2 (Trust Principle section)
Principal service commitments
Components of the system
All Mimecast staff and contractors are subject to an Acceptable Use Policy, a Business Code of Conduct and Ethics, and general Security and Compliance awareness training, which includes acceptable use of corporate assets. Mimecast implements a variety of technical solutions to monitor compliance with these requirements. In addition, employees are instructed and trained to report information security concerns to the Mimecast Security team. Suspected compliance issues are emailed directly to the Corporate Compliance Officer or are discovered and addressed through internal audit activities.
As part of the automated on-boarding and de-registration process, information asset owners or their delegates are informed of any new starter or job change and are required to adjust access rights according to the job function's profile. This may involve removing or editing existing access rights, as well as adding new ones. Mimecast reviews standard user access rights during internal audits, and these are also audited by Mimecast's external ISO-27001 auditors; this is done at least annually and often twice a year. Asset owners must review the privileged account holders on a quarterly cycle. The effectiveness of the review process is monitored during internal audit investigations.
Mimecast uses a Role Based Access Control model with a "least privilege" approach, with every user account associated with a unique individual identifier. All new access requests follow the access control processes. Existing privileged access rights are reviewed for appropriateness, and changes to access rights are fully auditable within system logs. In the event of a failed login, the error does not indicate whether the user ID or the password was incorrect; neither is identified in the failure notification.
Virtual Private Network (VPN) connections into Mimecast are secured via two-factor authentication involving a PIN and a physical or soft token. Remote access attempts, connection time, disconnection time, and location are logged. Multiple failures generate an alert to the Security Team.
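The two controls described above (a login failure that does not reveal which credential was wrong, and an alert raised on repeated remote-access failures) can be illustrated in code. The Python below is an example written for this page, not Mimecast's own implementation: the user store, the password hashing scheme, the VPN log format and the threshold of three failures are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# --- Part 1: uniform login failure -----------------------------------------
# Constructed user store (assumption, not Mimecast data): username -> (salt, PBKDF2 hash).
def _hash_pw(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT_ALICE = b"0123456789abcdef"
USERS = {"alice": (_SALT_ALICE, _hash_pw(b"correct horse", _SALT_ALICE))}

# Dummy record used when the username is unknown, so that an unknown user takes
# the same code path (and roughly the same time) as a known user with a bad password.
_DUMMY_SALT = b"fedcba9876543210"
_DUMMY_HASH = _hash_pw(b"placeholder", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"


def authenticate(username: str, password: str):
    """Return (ok, message). On failure the message is always GENERIC_FAILURE,
    so the caller cannot tell whether the user ID or the password was wrong."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_pw(password.encode(), salt)
    # Constant-time comparison; the dummy record can never yield a successful login.
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return (True, "ok") if ok else (False, GENERIC_FAILURE)


# --- Part 2: alerting on repeated remote-access failures ---------------------
# Constructed VPN log lines in a hypothetical key=value format (assumption, not a real product's log).
VPN_LOG = """\
2024-03-01T08:00:01Z vpn user=alice src=203.0.113.10 geo=GB event=connect result=success
2024-03-01T08:45:12Z vpn user=alice src=203.0.113.10 geo=GB event=disconnect result=success
2024-03-01T09:00:00Z vpn user=bob src=198.51.100.7 geo=US event=connect result=failure reason=bad_otp
2024-03-01T09:00:20Z vpn user=bob src=198.51.100.7 geo=US event=connect result=failure reason=bad_otp
2024-03-01T09:00:41Z vpn user=bob src=198.51.100.7 geo=US event=connect result=failure reason=bad_pin
2024-03-01T09:01:05Z vpn user=carol src=198.51.100.7 geo=US event=connect result=failure reason=bad_pin
2024-03-01T09:02:00Z vpn user=carol src=192.0.2.33 geo=DE event=connect result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    rec.update(kv.split("=", 1) for kv in m.group("kv").split())
    return rec


def failed_login_alerts(log_text: str, threshold: int = 3):
    """Count failed connect attempts per source IP and per user; return one alert
    for every key that reaches the threshold (the 'multiple failures' condition)."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("event") != "connect" or rec.get("result") != "failure":
            continue
        by_src[rec["src"]].append(rec)
        by_user[rec["user"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        if len(recs) >= threshold:
            alerts.append({"kind": "source", "key": src, "count": len(recs),
                           "users": sorted({r["user"] for r in recs})})
    for user, recs in by_user.items():
        if len(recs) >= threshold:
            alerts.append({"kind": "user", "key": user, "count": len(recs),
                           "sources": sorted({r["src"] for r in recs})})
    return alerts


if __name__ == "__main__":
    print(authenticate("alice", "wrong"))    # same message as an unknown user
    print(authenticate("nobody", "wrong"))
    for alert in failed_login_alerts(VPN_LOG):
        print(alert)
```

Grouping failures by source as well as by user matters: in the constructed log, a single address fails against two different accounts, which the per-user count alone would miss. The dummy hash in `authenticate` is what keeps the unknown-user path from being distinguishable by response time rather than by message text.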