As a leader in application and data security, Imperva’s mission is to protect data and all paths to it. Some of the world’s largest companies and governments trust us to secure their applications and data. Imperva analyzes activity from its start at websites and APIs through applications to its end at structured, semi-structured and unstructured data stores. We use advanced analytics across thousands of customer networks and apply automation to quickly respond to stop novel attacks and zero-day exploits. But it is important to not only create world-class application and data security solutions, we must protect the security of those solutions as well. That’s where Imperva’s information security program comes in.
Overview of Imperva’s Information Security Program
Imperva has a robust information security program to protect the security of our cloud security solutions. This program consists of various policies and procedures implemented throughout Imperva’s operations, including specialized policies and procedures related to data classification and use, access controls, incident response, business continuity and disaster recovery, and more.
Here are a few examples of the information security controls we’ve implemented under our information security program:
Software Development Lifecycle Management
We don’t just sell security, we practice it. Our security solutions are not just designed and developed by engineers who are passionate about security. They’re also designed and developed in consultation with a team of security architects who participate in each phase of the software development lifecycle.
Business Continuity And Disaster Recovery
Maintaining availability of our cloud services is a core goal for us. That’s why we have developed, implemented, and maintain a business continuity and disaster recovery program: to help ensure that our cloud services don’t miss a beat when disaster strikes.
Our BCP/DR program leverages technical measures such as a globally distributed network of more than 40 points of presence, redundant ISP connections, continuous system health checks, and active failover. We also deploy a globally distributed network operations team that is available 24×7 and a BCP/DR team that tests and reassesses the BCP/DR Program annually and performs periodic red-team and tabletop exercises.
Imperva maintains an incident response plan, which includes the formation of a cross-functional, cross-departmental incident response team.
Although it’s important to prevent bad actors from reaching your data in the first place, it’s good to have a backup plan. That’s why Imperva leverages encryption as an additional layer of protection. This includes a variety of encryption features available to our clients, including encryption in transit and at rest.
Data Masking and Hashing
In addition to traditional encryption, Imperva adds an additional layer of protection by using masking and hashing technology to minimize the sensitive data to which Imperva may have access.
Imperva maintains vendor management controls that are designed to ensure that any vendor with access to Imperva is vetted by Imperva’s team of security professionals.
Imperva our datacenters implement physical controls such as security camera surveillance systems, 24×7 security guards, and electronic locks and access cards. Imperva also implements technical access control measures to protect the security of our cloud services. Such measures include strong password policies, role-based permissions, elevated permissions policies, and credential management policies (including in the context of employee departures).
Logging And Monitoring
Imperva’s information security program includes intrusion detection measures and controls log access to Imperva’s systems and networks.
Statistically speaking, humans are the weakest link. That’s why Imperva personnel are required to complete security awareness training, which includes annual updates about relevant policies, standards, and new or modified attack vectors, and how to appropriately report incidents to Imperva’s Incident Response Team. Records of annual training are documented and retained for performance and tracking purposes.
Certifications & Audit Reports
Don’t just take our word for it. Imperva engages trusted and accredited auditors and assessors to verify Imperva’s security practices against internationally recognized frameworks such as ISO 27001, SOC 2 Type 2, and PCI DSS. If you’re interested in obtaining a copy of Imperva’s latest certifications, audit reports, and/or attestations of compliance, please contact your Imperva Account Executive.