Service Organization Control 2
Service Organization Control 2 (SOC 2) helps businesses attest that they provide non-financial reporting controls that meet certain levels of service related to the security, availability, processing integrity, confidentiality, and privacy of a system.
For Ivanti, The Cadence Group conducted this attestation of compliance. The attestation report describes Ivanti’s Cloud Service Platform (CSP), assesses the fairness of the CSP’s description of its controls, and evaluates whether the controls are appropriately designed and operating effectively over the specified assessment period.
International Organization for Standardization (ISO) & International Electrotechnical Commission (IEC)
The ISO and IEC provide standards that help customers deploy and automate IT solutions with processes that align with the Information Technology Infrastructure Library (ITIL).
ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls. The basis of this certification is the development and implementation of a suitable Information Security Management System (ISMS), which defines how Ivanti manages security and data protection. The certification process verifies that Ivanti does the following:
- Evaluates the information security risks of the cloud services, considering the impact of threats and vulnerabilities.
- Implements a comprehensive set of information security controls and other forms of risk management to address customer and architecture security risks.
- Performs periodic checks that the information security controls meet the requirements.
Ivanti Service Manager has been found in general compliance with the standards outlined by the ISO and IEC, as stated in the audit plan.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) regulates how Ivanti handles personal information of California residents and gives them certain rights with respect to their personal information.
If you have more questions about how Ivanti meets CCPA requirements, please reach out to [email protected].
Privacy Shield Framework
We comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework with respect to the transfer of personal data from the EEA, the United Kingdom, and/or Switzerland to our servers, which are in the US.
These frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EEA, the United Kingdom, and/or Switzerland to the United States.
You can view our current certification here.
Ivanti Service Manager has received an official FedRAMP Authorized designation!
The Federal Risk and Authorization Management Program (FedRAMP) is a United States Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. Ivanti’s ATO (authority to operate) designation can be found on the FedRAMP Marketplace.
You can view our press release for more information here.
U.S. Federal Government Agency Authorization to Operate (ATO)
Authorization to Operate (ATO) is the security approval required to launch a new IT system in the federal government. Government agencies determine whether to grant an information system authorization to operate for a period of time by evaluating if the security risk is acceptable.
Ivanti has received ATOs from the Air Force, Army, Department of Defense (DoD), Defense Health Agency (DHA), Department of Homeland Security (DHS), National Guard, Navy, Pacific Air Forces (PACAF), United States Special Operations Command (SOCOM), and U.S. Strategic Command (STRATCOM).
Section 508 standards are the technical requirements and criteria used to measure conformance to the U.S. Rehabilitation Act. This federal law requires agencies and companies to provide individuals with disabilities equal access to electronic information and data comparable to those who do not have disabilities. More information on Section 508 can be found at Section508.gov.
The following Ivanti products have been deemed 508 compliant through self-attestation: Asset Manager, Endpoint Manager, Patch for Windows, License Optimizer, Service Manager, and User Workspace Manager.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) gives EU individuals more freedom to say how their personal data is handled and creates an opportunity for Ivanti to better serve our customers and reaffirm that we are dedicated to data protection.
We’ve carefully reviewed the requirements set by the GDPR, and actively improve our products, internal systems and processes, and verify contracts to comply with the GDPR mandates. We review how information comes into our systems, how it is secured while it is in our care, how we ensure that only authorized individuals have access to that data, and how we securely handle data retention and deletion.
If you have more questions about how Ivanti meets GDPR requirements, please reach out to [email protected].
Information Commissioner’s Office
The Information Commissioner’s Office is responsible for upholding information rights in the interest of the public for the United Kingdom. The Data Protection Regulations 2018 require organizations that process personal information to register with the Information Commissioner’s Office.
You may view Ivanti’s ICO registration here.
As of 2014, the United Kingdom has required suppliers that handle certain kinds of sensitive and personal information for the central UK government to obtain Cybersecurity Essentials certification. This certification assures customers that Ivanti has an understanding of our cyber security level and that we work to secure our IT against cyber attack.
You can view our current certification here.