Three Guiding Principles for Security
ForgeRock has founded its security approach on the three core principles of information security:
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
- Integrity: The property of safeguarding the accuracy and completeness of information and such asset
- Availability: The property of information is accessible and usable upon demand by only authorized entities
Together, these three principles deliver one thing to our customers — a product and service that allows people to simply and securely access the digital world and a company they can trust to help them do that.
ForgeRock takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to ForgeRock resources.
- All ForgeRock contractors and employees undergo background checks prior to being engaged or employed by ForgeRock in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
- All development projects at ForgeRock, including on-premises software products, support services, and ForgeRock's own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
ForgeRock deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
ForgeRock is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of ForgeRock’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices ForgeRock has in place.
SOC 2 Type II
SOC 2 Type II
ForgeRock successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that ForgeRock’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality. Our adherence with these standards will be externally validated annually.
Customers and prospects can request access to the audit report here.
ISO 27001 is an industry standard for information security. ForgeRock has been independently assessed and certified to the ISO 27001 standard for all major offices where development happens, for all of our product offerings as both stand-alone on-premises products and our Identity Cloud service, as well as all supporting infrastructure, systems, and internal processes.
UK Cyber Essentials Plus
The UK Cyber Essentials Plus certification helps guard against the most common cyber threats and demonstrate ForgeRock's commitment to cyber security. This certification provides extra reassurance for our customers in the United Kingdom, which is where ForgeRock manages support for all of our major products.
CSA Star Level 2
Cloud Security Alliance (CSA) is the first step of the many cloud-specific certifications. ForgeRock continues to demonstrate our commitment to industry-accepted security controls and transparency for our cloud services. ForgeRock Identity Cloud has recently completed an external audit to validate that we meet the criteria required for the Cloud Security Alliance (CSA) Star Level 2 attestation. Both the CSA Star Level 2 attestation and the CSA Consensus Assessments Initiative Questionnaire v3.1 can be seen on the CSA Star Level 2 registry page.
HIPAA and HITECH
Health Insurance Portability and Accountability Act (HIPAA) is the U.S. national standard for health information security and privacy that governs the use and disclosure of sensitive protected health information (PHI). ForgeRock Identity Cloud complies with HIPAA security standards and Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements.