Security governance at Acquia

This topic provides information about how Acquia manages security for Acquia Cloud. It includes the following sections:

Acquia's Director of Information Security develops policies and baselines and manages security risks and incidents. Acquia has also established a cross-functional team called the Security Council, with participants from engineering, operations, and professional services, including Acquia employees who are also members of the Drupal Security Team. The Security Council ensures that Acquia's products meet or exceed best practices. It meets monthly to create and review security initiatives and to review risks and security-related incidents.

Acquia's dedicated security staff are available to advise customers on security best practices, secure architecture, and compliance issues. Acquia also offers security professional services to provide in-depth architecture and security reviews and vulnerability analysis.

Security Policies

Acquia has formally documented Security Policies that are aligned with industry best practices and that may be made available to our customers. Acquia's legal, security, and compliance team develops these policies, and a corporate governance committee approves them. Acquia's security policies are published to the Acquia intranet and communicated to staff via email. Annually, Acquia staff are required to certify their acceptance of Acquia's Acceptable Use (Rules of Behavior) policy.

Security incident response

Acquia has formally documented Security Incident Response procedures that describe the following processes:

  • Discovery
  • Investigation
  • Escalation
  • Containment
  • Notification
  • Documentation

A security incident may involve the discovery of malicious code, an attack against a customer or an Acquia asset, or the loss or breach of data. Any such incident is classified as a Severity 0 issue requiring immediate escalation within Acquia. Transparency and the disclosure of our security practices and security events are very important to Acquia; Acquia's Incident Response procedure is to notify the affected customers within 24 hours of a real or potential security incident.

Security for customer confidential information

Acquia adheres to best practices regarding the security of data at rest and in use within the systems it maintains for its customers. Access to customer data is limited to full-time employees who require such access to perform their job functions.

Personnel security

Acquia's talented engineers and support staff are the foundation of our company. All Acquia staff sign Acquia's Non-Disclosure Agreement. Acquia uses a third-party service to conduct background checks. All US-based operations and support staff who have privileged access to Acquia Cloud systems undergo background checks before being hired, including criminal, education, and reference checks covering the previous seven years. All staff receive annual ethics and information security training. All staff are required to review and comply with Acquia's Technology Acceptable Use (Rules of Behavior) policies both at the time of hire and annually during their tenure at Acquia.

Acquia has a formal audited employee exit process that ensures that staff who leave Acquia employment are removed from Acquia-managed systems in a timely manner. Exit procedures are audited annually in Acquia's SSAE16 SOC 1 Type II examination.

Role-based access control

Acquia engineers and support staff have access privileges in Acquia Cloud according to their role. Roles are assigned at time of hire, and privileges are propagated to Acquia Cloud servers by the use of groups. Access above and beyond that required for a particular role requires a valid reason and authorization from the platform owner and the employee's manager.

Internal Audits

Acquia conducts internal audits across its hosting infrastructure and related management systems at least twice annually. Acquia's Information Security department conducts the audits according to Acquia's Internal Audit plan. For external audits and attestations, see Compliance with standards and regulations.

Vendor risk management

Acquia uses the BITS Shared Assessments Standard Information Gathering (SIG) process to conduct vendor risk assessments. An assessment is required whenever Acquia considers a vendor whose services may be critical to delivering Acquia services or who may have access to Acquia or customer data. Acquia's Legal and Security teams ensure that standard contracts include security clauses designed to protect Acquia and its customers.
