Episerver’s information security compliance framework is based on the ISO 27001 standard. The ISO 27001 standard is an information security standard published by the International Organization for Standardization and currently the most widely used standard in the world.
It is a specification for an information security management system (ISMS) including comprehensive coverage with recommended security controls. These controls help to address the risks that are identified and measured within Episerver.
Episerver’s 3 Lines of Defense strategy is based on the risk management principles adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41. Episerver has focused its responsibilities on 3 key segments for effectively managing information security risks: 1 – operation, 2 – compliance, and 3 – assurance.
Episerver’s Security Governance Board consists of Episerver’s executive management team reporting to the CEO. They are responsible for the assurance function and all assets within the organization.
Episerver’s Information Security Steering Committee is an appointed group of leaders from the respective business divisions within the organization. This team is responsible for the overall programs for our risk management as well as carrying out the protection of assets with an Information Security Management System.
The 1st line of defense comes from the actual operation of our program. Those responsible are from our team of professionals who directly interface with customers and partners. Working with their respective leaders, our teams utilize Episerver’s security framework and controls to protect against risk from associated assets.
The 2nd line of defense assumes the risk management function within our organization and is responsible for identifying, measuring, and managing risks. The team responsible is comprised of business unit leaders from the Security Steering Committee, where common policy, frameworks, and controls are created, implemented, and maintained.
The 3rd line of defense is led by our Security Governance Board and is the level that manages the oversight and assurance for our information security compliance programs. This board is ultimately responsible for ownership of the assets, resources, and risk at Episerver. Leadership at this level also ensures that adequate resources are available to properly address requirements from information security standards used to measure and address risks.
Episerver’s security controls are based on a Risk Management Methodology that accounts for assets used and handled by Episerver. This framework appoints ownership assignment and responsibilities for all assets as well as any associated risks.
As risks are addressed in several effective ways, a measurement system helps us understand the key impact, likelihood, and overall score. This score is carefully assessed against the tolerance set by the asset and risk owners for each. The outcome is a decision on how to handle the risk in the form of a risk treatment plan.
Risk treatment plans are intended to reduce the likelihood or impact of threats by better handling specific aspects that can be measured, monitored, and controlled.
Episerver’s incident management policies and procedures are based on the goals of quickly and efficiently dealing with information security incidents while maintaining optimal integrity of services. Based on ITIL Incident Management as well as key concepts from the NIST Special Publication 800-61, the workflow and logic of the Episerver Incident Management Framework are focused on identifying and managing information security incidents.
While the goals of our incident management framework are focused on identification and maintaining integrity of services, our program also accounts for corrective and preventative actions to continuously make improvements.
Episerver Digital Experience Cloud Service leverages the Microsoft Azure platform; therefore, the underlying infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes. Episerver Find leverages the Amazon AWS platform and therefore the underlying infrastructure follows Amazon AWS compliance standards, certifications, and supporting processes.
Microsoft Azure is compliant with more than fifty (50) of the top global compliance programs. The primary landing pages for Microsoft Azure compliance information are the Trust Center https://azure.microsoft.com/en-us/support/trust-center/ and the compliance landing page https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
A recent white paper on Azure Security, Privacy and compliance is also available here: http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf