Security governance at Acquia
This topic provides information about how Acquia manages security for Acquia Cloud. It includes the following sections:
- Security policies
- Security incident response
- Security for customer confidential information
- Personnel security
- Role-based access control
- Internal audits
- Vendor risk management
Acquia's Director of Information Security develops policies and baselines and manages security risks and incidents. Acquia has also established a cross-functional team called the Security Council, with participants from engineering, operations, and professional services, including Acquia employees who are also members of the Drupal Security Team. The Security Council ensures that Acquia's products meet or exceed best practices. It meets monthly to create and review security initiatives and to review risks and security-related incidents.
Acquia's dedicated security staff are available to advise customers on security best practices, secure architecture, and compliance issues. Acquia also offers security professional services to provide in-depth architecture and security reviews and vulnerability analysis.
Acquia has formally documented Security Policies that are aligned with industry best practices. Acquia's legal, security, and compliance team develops these policies and a corporate governance committee approves them. Acquia's security policies are published to the Acquia intranet and communicated to staff via email. Annually, Acquia's staff is required to certify its acceptance of Acquia's Acceptable Use (Rules of Behavior) policy.
Acquia has formally documented Security Incident Response procedures that describe the following processes:
Acquia adheres to best practices regarding the security of data while at rest and while in use within the systems it maintains for its customers. Access to customer data is available only to full-time employees who require such access in order to perform their job functions.
Acquia's talented engineers and support staff are the foundation of our company. All Acquia staff sign Acquia's Non-Disclosure Agreement. Acquia uses a third-party service to conduct background checks. All US-based operations and support staff who have privileged access to Acquia Cloud systems undergo background checks before being hired, including criminal, education, and reference checks covering the previous seven years. All staff receive annual ethics and information security training. All staff are required to review and comply with Acquia's Technology Acceptable Use (Rules of Behavior) policies both at the time of hire and annually during their tenure at Acquia.
Acquia has a formal audited employee exit process that ensures that staff who leave Acquia employment are removed from Acquia-managed systems in a timely manner. Exit procedures are audited annually in Acquia's SSAE16 SOC 1 Type II examination.
Acquia engineers and support staff have access privileges in Acquia Cloud according to their role. Roles are assigned at time of hire, and privileges are propagated to Acquia Cloud servers by the use of groups. Access above and beyond that required for a particular role requires a valid reason and authorization from the platform owner and the employee's manager.
Acquia conducts internal audits across its hosting infrastructure and related management systems at least twice annually. Acquia's Information Security department conducts the audits according to Acquia's Internal Audit plan. For external audits and attestations, see Compliance with standards and regulations.
Acquia uses the BITS Shared Assessments Standard Information Gathering (SIG) process to conduct vendor risk assessments. These assessments are necessary whenever Acquia considers a vendor whose services may be critical to providing Acquia services or who may have access to Acquia or customer data. Acquia's Legal and Security teams ensure that standard contracts include security clauses that are designed to protect Acquia and its customers.