Access Control

    Access Control

    ISO-27001    ISO-22301    ISO-27701    SOC2

    References in this section refer to attestations and reports which can be provide by on request - tmo@mimecast.com

    ISO-27001
    Mobile device policy (section 6 controls)
    Information classification (section 8 controls)
    Management of removable media (section 8 controls)
    Secure logon procedures (section 9 controls)
    Addressing security within supplier agreements (section 15 controls)

    ISO-27701
    Management direction for information security (section 6 controls)
    System and application access control (section 6 controls)
    Addressing security within supplier agreements (section 6 controls)
    Records related to processing PII (section 8 controls)

    ISO-22301
    Establishing business continuity objectives (section 6 controls)
    Risk assessment (section 8 controls)
    General (section 8 controls)

    SOC2 (Trust Principle section)
    Principle service commitments
    Components of the system
     
    ISO-27001
    Use of secret authentication information (section 9 controls)

    ISO-27701
    Management of secret authentication information of users (section 6 controls)

    ISO-22301
    General (section 9 controls)

    SOC2 (Trust Principle section)
    Principle service commitments
    Components of the system
    ISO-27001
    Access to networks and network services (section 9 controls)
    User access provisioning (section 9 controls)
    System and application access control (section 9 controls)

    ISO27701
    Access to networks and network services (section 6 controls)
    User access provisioning (section 6 controls)
    System and application access control (section 6 controls)

    ISO22301
    Audit programme(s) (section 9 controls)

    SOC2 (Trust Principle section)
    Principle service commitments
    Components of the system
    ISO-27001
    Information security risk assessment (section 6 controls)
    Business requirements of access control (section 9 controls)
    Event logging (section 12 controls)

    ISO-27701
    Access control policy (section 6 controls)
    User access management (section 6 controls)
    Event logging (section 6 controls)

    ISO-22301
    Internal audit (section 9 controls)

    SOC2 (Trust Principle section)
    Principle service commitments
    Components of the system
    All Mimecast staff and contractors are subject to an Acceptable Use Policy, Business Code of Conduct and Ethics, and general Security and Compliance awareness training, which includes acceptable use of corporate assets. Mimecast implements a variety of technical solutions to monitor compliance to these areas. In addition to this, employees are instructed and trained to report information security concerns to the Mimecast Security team. Suspected compliance issues are emailed directly to the Corporate Compliance Officer or discovered and addressed through internal audit activities.

    As a part of the automated on-boarding & de-registration process, information asset owner or delegates are informed of any new starter or job change and are required to change access rights according to the job function's profile. This may involve removal or editing access rights, as well as the addition of new access rights. Mimecast reviews standard user access rights during internal audits and this is also audited by Mimecast's external ISO-27001 auditors. This is done at least annually, often bi-annually. Asset owners must review the privileged account holders on a quarterly cycle. The effectiveness of the review process is monitored during internal audit investigations.

    Mimecast uses a Role Based Access Control model with a "least privileged" approach with all user accounts associated to a unique individual identifier. All new access requests follow access control processes. Existing privileged access rights are reviewed for appropriateness and changes to access rights are fully auditable within system logs. In the event of an invalid login, there is no distinction between user ID or password, and neither are identified in failed notification.

    Virtual Private Network (VPN) connections into Mimecast are secured via two-factor authentication involving a pin and a physical or soft token. Remote access attempts, connection time, disconnection time, and location are logged. Multiple failures generate an alert to the Security Team.
    Haut de la page