Three Guiding Principles for Security
ForgeRock has founded its security approach on the three core principles of information security:
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
- Integrity: The property of safeguarding the accuracy and completeness of information and such asset
- Availability: The property of information is accessible and usable upon demand by only authorized entities
Together, these three principles deliver one thing to our customers — a product and service that allows people to simply and securely access the digital world and a company they can trust to help them do that.
ForgeRock takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to ForgeRock resources.
- All ForgeRock contractors and employees undergo background checks prior to being engaged or employed by ForgeRock in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
- All development projects at ForgeRock, including on-premises software products, support services, and ForgeRock's own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
ForgeRock deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
ForgeRock is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of ForgeRock’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices ForgeRock has in place.
SOC 2 Type II
ForgeRock successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that ForgeRock's information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality. Our adherence with these standards will be externally validated annually.
Customers and prospects can request access to the audit report here.
ISO 27001, 27017 and 27018
ISO 27001 is an industry standard for information security. ForgeRock's information security management system (ISMS) has been independently assessed and certified to the ISO 27001 standard. ForgeRock has included ISO 27017 and ISO 27018 into its certified ISMS and additionally has achieved independent certifications validating the controls and implementation guidance relevant to those standards are in place and operational.
The scope of ForgeRock's ISMS covers all major offices used in the development of ForgeRock products, all of our product offerings including our standalone on-premise products, Identity Cloud service, and Autonomous products, as well as all supporting infrastructure, systems, and internal processes.
CSA STAR (Level 2)
Cloud Security Alliance (CSA) is the first step of the many cloud-specific certifications. ForgeRock continues to demonstrate our commitment to industry-accepted security controls and transparency for our cloud services. ForgeRock Identity Cloud has recently completed an external audit to validate that we meet the criteria required for the Cloud Security Alliance (CSA) STAR (Level 2) attestation. Both the CSA STAR Level 2 attestation and the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4 can be seen on the CSA STAR Level 2 registry page.
HIPAA and HITECH
Health Insurance Portability and Accountability Act (HIPAA) is the U.S. national standard for health information security and privacy that governs the use and disclosure of sensitive protected health information (PHI). ForgeRock Identity Cloud complies with HIPAA security standards and Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements.
Trusted Information Security Assessment Exchange (TISAX)
The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises, governed by ENX on behalf of the German VDA. The exchange allows recognition of assessment results among the participants. TISAX may be accessed by active participants via https://enx.com/tisax. TISAX and TISAX results are not intended for general public. ForgeRock Inc. & ForgeRock Ltd. are active TISAX participants with assessment results available through the ENX portal at: https://portal.enx.com/en-US/TISAX/tisaxassessmentresults under scope ID: SZZMC3 and assessment ID: AZ5YYL-1.