WEBTRENDS

Security Statement

Last Updated: January 2023

1  Risk Management

Webtrends business continuity planning includes practices to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients (as further described below). These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.

Webtrends evaluates and manages risks related to its On Premises solutions throughout their lifecycle, taking into consideration the consequences for our clients of a loss of confidentiality or availability of the information collected, processed and stored.

Webtrends maintains coverage to insure against major risks. Policies include errors and omissions liability, commercial general liability, auto liability, commercial umbrella liability, workers’ compensation and employer’s liability, fiduciary liability, directors’ and officers’ liability, and crime bond. Insurance companies, which management believes to be financially sound, provide coverage. Coverage is maintained at levels which Webtrends considers reasonable given the size and scope of its operations.

2  Security Policies & Organization of Information Security

2.1 Policies

Webtrends’ information security management system is based on ISO 27002. Webtrends maintains a general Information Security Policy, updated annually, that explicitly addresses the confidentiality, integrity and availability of client data and information technology resources, and details employees’ responsibilities and management’s role.

Webtrends also maintains several internal policies that cover the privacy of both client data and individual data, in compliance with the GDPR and the CCPA.

Policies are approved by senior management, communicated to all affected Personnel to whom the policies apply, and clearly state the consequences of non-compliance. All employees must review and sign Webtrends’ Information Security policies during onboarding. In addition, all employees receive mandatory security and privacy awareness training upon hire and annually thereafter.

2.2 Information and Communication

Webtrends utilizes various methods of communication, including email and the corporate intranet, to update employees on current events and policies, and to share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies.

Updates of key documents such as policies require email notification to the affected staff.

2.3 Information Security Coordination

Webtrends management coordinates all security and privacy activities within Webtrends. Responsibilities include:

  • Driving security initiatives
  • Reviewing policies
  • Security planning and program management
  • Reviewing the effectiveness of the security program
  • Coordinating the Webtrends security incident response plan
  • Performing annual security and privacy assessments and reviews

Implementation of security controls rests with the management of each relevant function.

2.4 Segregation of Duties

Only authorized personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.

3  Human Resources Security

3.1 Employee Screening

Webtrends has background checks performed on all employees at the time of hire (to the extent permitted by law), and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. Webtrends policy prohibits employees from using confidential information (including Client Data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.

An employee’s failure to cooperate fully in any background check, or any dishonesty or omission of information pertaining to a background check, precludes employment with Webtrends.

Background checks are performed by a reputable third-party company for all full-time and temporary employees.

Background checks differ by geography to account for local laws. In all cases, they include criminal checks, education and employment reports. All background checks for US employees comply with the Fair Credit Reporting Act.

3.2 Terms of Employment

Webtrends operates an onboarding process including at a minimum the following steps:

  • Communication to new employees of policies, code of conduct and behavioral standards.
  • Employee signature of the employment agreement (which includes a confidentiality agreement) and Webtrends Information Security Policy.
  • Background checks (subject to local laws).
  • Security and Privacy Awareness training.

General information security responsibilities are documented in Webtrends Information Security Policy, which all employees must sign as part of their onboarding.

3.3 Training

General information security training is provided to all new employees (both full-time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.

Development and SaaS Operations staff receives further training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.

3.4 Termination of Employment

Webtrends maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of all Webtrends and Client assets, disables or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) is terminated on or before the termination date. Webtrends uses pre-defined checklists to help ensure the consistency and completeness of the termination process.

Access expiration dates are preset for all contractors, and may only be extended with appropriate management approval.

4  Asset management

4.1 Media Handling

Webtrends Information Security Policy prohibits copying client data to removable media devices, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes and with express authorization from the client.

Webtrends’ decommissioning procedures are designed to prevent access to client data by unauthorized persons. Webtrends follows NIST Special Publication 800-88, Guidelines for Media Sanitization, to destroy data. All printed Confidential Information, including Client Data, is disposed of in secured containers for shredding.

Webtrends deletes all client data, other than backup copies held for disaster recovery purposes, on a scheduled basis.

5  Access Control & Physical Security

Webtrends manages access control policies and procedures for the corporate network.

5.1 User Access Management

Accounts on the Webtrends network, including those of network administrators and database administrators, are mapped directly to employees using unique identifiers based on employee names. Microsoft’s Active Directory enforces uniqueness. Generic administrative accounts are not used. Upon notification by HR as part of the formal termination notification process, all physical and system access is immediately adjusted to the new role or revoked.

Password complexity rules and account lockouts are enforced in all environments to protect against brute-force and dictionary attacks or other password threats.

Webtrends periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.

5.2 User responsibilities

Webtrends Information Security Policy requires employees to notify corporate IT immediately if they believe that the security of their password has been compromised. Employees must abide by all Webtrends policies, including all sections of the Information Security Policy.

5.3 System and Application Access Control

Authentication and robust access controls ensure that all clients’ confidential information is secured against unauthorized access.

Access to resources is controlled by explicit rights in all environments. Employees are given appropriate accounts on the systems they are authorized to access, following the “least privilege” principle. Generally, access controls are provided by Microsoft’s Active Directory services and appropriate configuration of the operating system, file system and application settings.

Two-factor authentication is required for remote access and for access to corporate environments. Further, separate accounts are used to access elevated environments which are only provided to authorized personnel.

Access to client data is limited to legitimate business need, including activities required to support clients’ use of the On Premises solutions. Employees may only access resources relevant to their work duties. Processes ensure that any data used by Webtrends Technical Support for testing (sent with client consent) is automatically deleted after 14 days.

5.3.1 Access control to program source code

Write access to Webtrends On Premises source code is limited to the engineering staff. Anti-malware scans are performed during all build processes.

6  Physical and Environmental Security

Webtrends SaaS Solutions utilize Amazon Web Services and Microsoft Azure for corporate, development and testing environments. Both AWS and Azure operate data centers with strict physical security measures, including 24×7 security guards, electronic key systems, biometric access, and CCTV.

7  Operations Security

Webtrends infrastructure is managed by a team and employs industry best practices such as default-deny firewall rules, intrusion detection systems and automated patch management.

7.1 Documented Procedures

Webtrends maintains documented procedures that include at a minimum:

  • security control measures for all systems in the environment;
  • hardening – disabling of all non-essential processes and ports, removing all default users;
  • patches deployed promptly on all applicable systems per manufacturer recommendation, and within no more than 3 days for critical security patches;
  • change management procedures; and
  • incident detection and management.

7.2 Change Management

Webtrends maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked. All key business owners such as Technical Support, Engineering, and DevOps are represented at the daily change management meeting.

All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the change management meeting team prior to implementation.

Webtrends relies on well-defined processes, disciplined execution and continual training of staff.

All critical decisions must be approved by Webtrends management.

Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of service which could expose the corporate environment to attacks, compromise the privacy and confidentiality of client data, or disrupt the availability of the Webtrends solutions.

Emergency changes must be peer reviewed and may be initially made without formal authorization. The Change Management process requires that all emergency changes must be documented.

7.3 Separation of development, testing and operational facilities

All systems used for the Solutions are managed by the Webtrends DevOps team. All access is limited to the least privilege needed and requires authentication. Access logs are reviewed at least quarterly.

Promotion of code from engineering into production is controlled by the change management process. Testing, other than deployment validation, is prohibited in the production environment.

7.4 Protection against Malware

Webtrends deploys anti-malware software with automatic scanning and update on all workstations; installs anti-malware software on all Windows external-facing web servers with weekly scans; and scans all deployed code for malware.

Systems are scanned continuously. Updates are managed and pushed out via workstation/server policy management. Definitions are automatically updated. Employees cannot disable the solution. Where optimal performance precludes active scanning, anti-virus scans are scheduled weekly.

Webtrends uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks and malware.

7.5 Logging and Monitoring

Webtrends maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal patterns and unauthorized access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralized in a limited-access system that prevents deletion and changes.

Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client.

7.6 Technical Vulnerability Management

Webtrends subscribes to manufacturers and independent security notification services to monitor potential external threats.

Manual and automated vulnerability testing is performed during the development process. Webtrends engages an independent third-party security firm annually to conduct a vulnerability scan of all external-facing (public) infrastructure devices and an application penetration test of its Solutions.

Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.

7.6.1 Hardening Controls

Webtrends uses automated tools and documented procedures to build and configure all network equipment, systems and servers from predefined build configuration procedures in accordance with good industry practices such as those defined by NIST. All systems, platforms and applications are configured to minimize security risks. Specifically:

  • Webtrends follows manufacturers’ hardening recommendations and documented standard operating procedures;
  • Webtrends disables unnecessary ports, protocols, services and features;
  • Only necessary components, scripts, drivers and web services are included and enabled;
  • Only required network ports are enabled;
  • All new systems are deployed with the most recent patches;
  • Password parameters are configured to comply with Webtrends standards;
  • All systems are monitored and protected with anti-malware software; and
  • Only supported operating systems are used.

7.6.2 Patch Management

Webtrends operates a commercial patch management solution to maintain network-device, system, OS and application-level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. Webtrends deploys security patches released by the vendors as necessary to development, testing, and production systems after validation in a pre-production environment.

Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on Webtrends’ review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency are evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. whether the service being patched is enabled in the environment) and threat severity (likelihood × impact).

7.7 Encryption of Data

All data is encrypted in transit and at rest with industry-standard protocols and ciphers. HTTPS is enforced on all sites. Webtrends client workstations, servers, and storage systems utilize full disk encryption.

8  Communications Security

8.1 Network Security Management

Network-based intrusion detection systems (IDS) monitor network traffic and activity for intrusions, and Webtrends personnel leverage multiple network and application monitoring tools to continuously scan for errors or suspicious activities.

Comprehensive and centralized system and application logging and monitoring facilitate alerting, trend analysis, and risk assessment. A network configuration management tool tracks and catalogs changes, which are reviewed. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected client.

8.2 Confidentiality and Non-Disclosure Agreements

All Webtrends employees must sign Webtrends confidentiality agreement at the time they join the organization. Upon termination, employees are provided another copy of their agreement.

Webtrends requires a non-disclosure agreement or confidentiality clauses in all contracts of third parties accessing computing facilities or information assets as well as prior to sharing or providing access to any confidential information outside of Webtrends, whether verbally or in writing.

9  System Acquisition, Development and Maintenance

9.1 Security Requirements

Webtrends’ development methodology uses security-significant requirements and threat modeling to ensure security concerns are considered and addressed during design.

9.2 Security in Development and Support Process

Webtrends follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology.

Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our main test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation, and recovery testing.

Webtrends uses defense in depth best practices and validates them using both internal and third-party security vulnerability scans.

Code reviews are part of the application development process. The internal quality assurance function also exhaustively tests all application end-points for vulnerabilities, including those identified in OWASP Top Ten.

The development process includes a review of all embedded third-party components to ensure that security updates are incorporated. Use of open source software is subject to technical and legal review and approval.

10  Supplier Relationships

Webtrends may use contractors for development and testing tasks. These individuals work under the direct supervision of Webtrends employees.

Webtrends doesn’t give suppliers direct access to client data or network/equipment management responsibility.

Webtrends uses reputable third-party suppliers that are evaluated against strict requirements (such as SOC2 reports and/or ISO certifications) to ensure adherence to industry standard security and operational requirements.

11  Incident Process

Webtrends has developed a robust Security Incident Response Process (SIRP) to address security and privacy related events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.

The SIRP core team is composed of senior employees with an executive sponsor reporting directly to the Webtrends CEO. This team is deployed and disbanded for each event and meets periodically in the absence of events for training and process maintenance. The SIRP process identifies key roles to facilitate the effective coordination of Webtrends’ response to a security incident, and defines a secure methodology for the confidentiality of all information and communication.

Incidents are triaged in three impact categories, each with different response levels:

  • Severity 1 – Critical incidents involving a successful breach trigger the immediate deployment of the process.
  • Severity 2 – Significant incidents involving an unsuccessful breach attempt trigger the deployment of the process within business work hours.
  • Severity 3 – Benign incidents such as probes not requiring change to systems do not trigger the deployment of the team, but are logged and a retrospective is performed as part of the next SIRP meeting.

The SIRP process is based on industry standard best practices and methodology. It specifies roles and responsibilities as well as priorities for each of the six phases:

  • Identification – Alerts may come from a variety of sources, typically our Technical Support, IT and SaaS Operations teams, or automatically from monitoring systems. These teams are trained in the identification and escalation processes.
  • Triage – The team evaluates the criticality of the incident based on defined guidelines, logs the incident and triggers the formal deployment of the SIRP if necessary.
  • Containment – The first goal of the SIRP team is to prevent the situation from getting worse and keep client data safe. During this phase, the team isolates compromised systems and starts planning for the following phases.
  • Eradication – Once the situation is under control, the SIRP team moves to mitigate the impact of the incident and resolve the immediate situation. It identifies the root cause of the incident and prepares for the recovery by documenting known facts and identifying impacted clients, if any.
  • Recovery – The recovery phase starts as soon as possible, but may require the eradication phase to be complete. Systems are returned to normal operation, patches or configuration changes are applied, documentation is finalized and communications go out to necessary parties.
  • Retrospective – This critical phase allows Webtrends to learn from the incident. Documentation of the incident as well as the response process are reviewed to identify, define and deploy needed improvements to process, policies, system configurations, etc.

Security incidents are managed by the Webtrends Security Incident Response Process team. All communications with clients in the case of a security or privacy incident will be through our support team and/or agreed-upon contacts.

The Webtrends Technical Support team will notify the client contacts assigned to the account as soon as possible after confirming that they are affected by a security or privacy breach or by a DR event, and in any event within 24 hours for significant events and within 2 business days for non-critical events.

12  Business Continuity & Disaster Recovery

Webtrends maintains and tests a business continuity plan (BCP) and disaster recovery (DR) plan that prioritizes critical functions supporting the delivery of its Solutions to its clients.

13  Compliance

Webtrends complies with statutory and regulatory requirements, and uses reasonable efforts to comply with applicable industry standards.

13.1 Privacy

For information on GDPR, CCPA, and other privacy related compliance, please see the Webtrends Privacy Statement.