ProjectManager.com Security White Paper
Standards & Practices
www.projectmanager.com
Introduction

ProjectManager.com (PM) developed its Security Framework to provide its clients with a level of security commensurate with current threats. The PM Security Framework consists of standards and practices that form a multi-tiered approach to safeguarding data integrity and confidentiality, as well as infrastructure and network stability. The Framework also embeds best practices for industry compliance, using internal review and audits to keep security practices and protocols up to date.

The ProjectManager.com (PM) Security Framework includes:

- Application Security
- Network & Infrastructure Security
- Data Security
- Organizational Security
- Cloud Security
- Industry Compliance

Keeping our customers' data secure is core to our product development and testing processes, our customer service practices and our vetting of technology partners.

About ProjectManager.com

ProjectManager.com is a leading project management and work collaboration software-as-a-service (SaaS) platform. Its simple yet powerful online project management tools enable teams throughout the enterprise to plan, track, monitor and report on tasks and projects in real time. Since 2008, thousands of customers, including Fortune 500 companies and government agencies such as NASA and the United Nations, have trusted ProjectManager.com to manage their projects in the cloud. Teams of all sizes across a wide range of industries use ProjectManager.com for IT development, manufacturing processes, marketing campaigns, product launches and civil engineering projects. The platform offers a comprehensive API and is also integrated with Google Apps, Zapier, MS Project and Excel.
Application Security

Cloud Authentication

SINGLE SIGN-ON (SSO)

The ProjectManager.com platform integrates with OneLogin to provide single sign-on for all users. The OneLogin SSO service supports organizations looking to implement two-factor authentication, a more secure process for validating and verifying identity. We also support SSO through Google Apps for Work.

SESSION TIME-OUT

To secure user accounts, ProjectManager.com signs users out of the application after extended periods of inactivity. If you enable the auto-save feature on your account, you can customize how often your data is auto-saved, so that any changes made since the last save are recorded if the session times out. Once a session has timed out, users must log in to their account again.

FORMS AUTHENTICATION

All ProjectManager.com users are required to have a unique ID and password. Administrators of ProjectManager.com accounts manage and control individual user security and permissions, including adding or removing user licenses. Credentials are submitted over a secured communications port (HTTPS/443) in order to establish a secure connection with the ProjectManager.com cloud. Users are not required to download or install software to access data or projects.

Password Policy

SECURE PASSWORD POLICY

The secure password policy governs the creation and protection of the user's account data. Every ProjectManager.com user must have a unique account ID and password in order to access the service. Passwords are transmitted between the browser and the web server over a Hypertext Transfer Protocol Secure (HTTPS) connection, an industry-standard encrypted transport.

ACCOUNT LOCKOUT

As an added measure of protection against brute-force attacks, ProjectManager.com enforces an account lockout policy. After numerous unsuccessful login attempts, the account is locked.

Security & Testing Processes

Defined application security processes, aligned with best practices, are embedded into every phase of ProjectManager.com's software development life cycle (SDLC). Our team:

- Researches and adopts SaaS and cloud infrastructure security best practices
- Regularly conducts security reviews of architecture, new features, integrations and cross-platform solutions
- Conducts manual and automated source code reviews for vulnerabilities and code quality
- Performs regular reviews and assessments of pre-production environments

Encryption

ENCRYPTION

ProjectManager.com uses 256-bit SSL encryption to safeguard customer data, and our sites are protected by 2048-bit DigiCert certificates. All traffic between the user's browser and the ProjectManager.com cloud travels over an HTTPS connection, which encrypts the communication and authenticates the web server's identity.

PASSWORD STORAGE ENCRYPTION

All passwords stored on the ProjectManager.com cloud servers are encrypted using an industry-standard cryptographic safeguard, adding a further layer of security.
Network & Infrastructure Security

Data Centers

The ProjectManager.com cloud application is hosted by LiquidWeb in its highly secure Michigan data centers. The ProjectManager.com dedicated servers have a global uptime average of >99.999% with Tier 1 Premium Bandwidth.

DATA CENTER CERTIFICATES

The ProjectManager.com servers meet the following standards for certification and compliance:

- SSAE-16 Audit Compliance
- HIPAA Compliance
- Safe Harbor Certified

PHYSICAL SECURITY

The ProjectManager.com servers are located at Liquid Web's highly secured Michigan data centers, which have the following security protocols in place:

- 24/7/365 manned facilities
- CCTV security cameras covering inside, outside and all entrances
- Site entrances require an electronic perimeter access card system
- Sites remotely monitored by a third-party security company
- Entrances secured by mantraps with interlocking doors
- SSAE-16 and HIPAA compliant, Safe Harbor certified

COOLING SYSTEMS

- Multiple Liebert 20, 22, 30 and 45 ton upflow and downflow AC units
- Stand-alone HVAC systems that do not allow for large-scale failure
- Designed for addition of air-side economization

NETWORK HARDWARE

- Redundant fiber entrance expandable to 1,840 gigabits per second
- Multiple redundant Gigabit Ethernet links to Data Center 1 and Data Center 2
- Fully redundant Cisco 6509 Sup720 and Nexus 7000 distribution switches
- Redundant Gigabit Ethernet links to each rack switch
- Cisco 4948 48-port 10/100/1000 rack switches

The ProjectManager.com security processes support full redundancy, vulnerability management and business continuity plans.

SERVER POWER & BACKUP

- Expandable 13,500 kVA utility power feeds
- Multiple ASCO closed transition bypass isolation transfer switches
- Multiple N+1 Generac diesel generators
- Multiple N+1 Powerware 9395 550 kVA UPS systems
- Liebert and Eaton power distribution units
- Multiple service entrance feeds

Disaster Recovery & Continuity

The ProjectManager.com dedicated servers at LiquidWeb's Michigan data center are located in one of three highly secure facilities and offer continuous backup and business continuity. In addition to 24/7/365 onsite security, the servers are monitored around the clock to assess system health and performance and to detect problems early, and a dedicated immediate-response team is on call.

REDUNDANCY

ProjectManager.com has processes that require full redundancy across our network infrastructure, from Tier 1 Premium Bandwidth, to uninterruptible power supplies with redundant battery cabinets, to state-of-the-art environmental controls and onsite security. The LiquidWeb Michigan data centers meet all of these redundancy requirements and feature several zones for added redundancy within the region, as well as geographic redundancy for disaster recovery.

VULNERABILITY MANAGEMENT

Using a combination of manual and automated processes and tools, ProjectManager.com continuously monitors for security threats and has protocols in place to investigate and remediate any vulnerabilities.
BUSINESS CONTINUITY TESTING

In addition to our disaster recovery plan, ProjectManager.com and its data centers operate under a business continuity plan. That plan calls for regular testing to ensure that network infrastructure and security processes are working as intended. Our Business Continuity Plan is a comprehensive approach to restoring all systems as quickly as possible in the event of any service interruption.

Firewalls

ProjectManager.com secures data in a number of ways, including the implementation and regular management of system firewalls. Engineers regularly test the firewalls to ensure they are operating correctly and are kept current with the latest threats. In addition, our servers are built with full redundancy in order to protect data in the event of an outage.
Organizational Security

Processes

ProjectManager.com has developed internal policies that are best-in-class for managing data and security risks. Our infrastructure and development team has defined and implemented strategies for escalation, management, risk assessment, disaster recovery, business continuity and ongoing operational management. We continually strive to improve our processes over time through a continuous assessment and monitoring model and regular reviews of processes and protocols.

NIST CYBER SECURITY FRAMEWORK

ProjectManager.com follows the guidelines set out by the 2014 NIST Cyber Security Framework, a collaboration between the U.S. government and industry in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued in February. The framework is organized around five core functions, Identify, Protect, Detect, Respond and Recover, which together form a comprehensive plan for planning, monitoring and responding to incidents in order to bolster cloud security. For more information about how ProjectManager.com aligns to the NIST Cyber Security Framework, refer to the NIST Cloud Security Checklist document located here.

Personnel

ProjectManager.com has strict security policies for employee access to customer data. All data access events are monitored and logged, and we restrict access to customer data to those with appropriate internal clearance. Access to data centers requires authentication along with personal certificates and is tightly restricted. All employees are also bound by our confidentiality agreement and our acceptable use agreement.

Privacy

Internal processes are designed to safeguard customer privacy and the confidentiality of sensitive information. The ProjectManager.com Privacy Policy discloses the types of information we may collect and how we may use that information. We do not collect personally identifiable information unless it is voluntarily submitted by a visitor to our sites or service. Access to customer data is strictly limited to select personnel and only on an as-needed basis.
Contact Us

The ProjectManager.com Support Team is available Monday through Friday, 8 am to 6 pm Central Time.

Office Address
3420 Executive Center Drive, Suite 160
Austin, TX 78731
T: 800-765-2495
support@projectmanager.com