NEWS: Laptops Cause Crashes
Mobile PC Manager: Security Statement
Information Security Policy
Information security roles and responsibilities are defined within the organization. Mobile PC Manager focuses on information security, security auditing and compliance, as well as defining the security controls for protection of Mobile PC Manager’s hardware infrastructure.
Mobile PC Manager’s data and information system assets are comprised of customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. Mobile PC Manager authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by Mobile PC Manager security policies.
Mobile PC Manager employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to sign confidentiality agreements and to acknowledge the Mobile PC Manager code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
Physical and Environmental Security
Mobile PC Manager has policies, procedures, and infrastructure to handle both physical security of its data centers as well as the environment from which the data centers operate.
Our information systems and infrastructure are hosted in our data center in McKenny, Texas. The standard physical security controls implemented at the data center include electronic card access control systems, fire alarm and suppression systems, interior cameras and exterior cameras. Physical access is centrally managed and strictly controlled by data center personnel. All visitors and contractors are required to present identification, are required to log in, and be escorted by authorized staff through the data center.
Access to areas where systems, or system components, are installed or stored are segregated from general office and public areas. The cameras and alarms for each of these areas are centrally monitored 24×7 for suspicious activity. Servers have redundant internal and external power supplies. Data centers have backup power supplies and can draw power from diesel generators and backup batteries.
Mobile PC Manager maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.
While Mobile PC Manager utilizes third party suppliers and vendors to provide the physical hardware used in the data center, all software is developed by employees of Mobile PC Manager in the United States. Mobile PC Manager does not give our suppliers or vendors direct access to network/equipment management responsibility.
Auditing and Logging
We maintain audit logs on systems. These logs provide an account of which personnel have accessed which systems. Access to our auditing and logging tool is controlled by limiting access to authorized individuals. Security events are logged, monitored, and addressed by trained security team members. Network components, workstations, applications and any monitoring tools are enabled to monitor user activity. Organizational responsibilities for responding to events are defined. Security events that record critical system configuration changes and administrators are alerted at the time of change. Retention schedules for the various logs are defined in our security control guidelines.
Antivirus and Malware Protection
Antivirus and malicious code protection is centrally managed and configured to retrieve the updated signatures and definitions available. Malicious code protection policies automatically apply updates to these protection mechanisms. Anti-virus tools are configured to run scans, virus detection, real-time file write activity and signature file updates. Laptop and remote users are covered under virus protection. Procedures to detect and remove unauthorized or unsupported (e.g. freeware) applications are documented.
Mobile PC Manager has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data (onsite and off-site). We also work to ensure that customer data is securely transferred or transported to and from backup locations. Periodic tests are conducted to test whether data can be safely recovered from backup devices.
Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of various network security threats. Firewalls are utilized to help restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need.
Mobile PC Manager maintains separate development and production environments. Our next generation firewalls (NGFWs) provide adequate network segmentation through the establishment of security zones that control the flow of network traffic. These traffic flows are defined by strict firewall security policies.
Automated tools are deployed within the network to support near-real-time analysis of events to support of detection of system-level attacks. Next generation firewalls deployed within the data center as well as remote office sites monitor outbound communications for unusual or unauthorized activities, which may be an indicator of the presence of malware (e.g., malicious code, spyware, adware).
Mobile PC Manager strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patch management processes are in place to implement security patch updates as they are released by vendors. Patches are tested prior to being deployed into production.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support.
Role Based Access
Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password best practices enforce the use of complex passwords that include both alpha and numeric characters, which are deployed to protect against unauthorized use of passwords. Passwords are individually salted and hashed.
Mobile PC Manager employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines. Approvals are managed by workflow tools that maintain audit records of changes.
Software Development Lifecycle
We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid release development lifecycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our secure development lifecycle follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments.
Mobile PC Manager has a formalized incident response plan (Incident Response Plan) and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
An incident response team is responsible for providing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Business Continuity and Disaster Recovery
To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at our data center location. This program includes multiple components to minimize the risk of any single point of failure. Application data is replicated to multiple systems within the data center and, in some cases, replicated to secondary or backup data center that is geographically dispersed to provide adequate redundancy and high availability. High-speed connections between our data centers help to support swift failover.
We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures. We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.
Last Update: March 15, 2019