System access

This section provides information about security issues related to BMC personnel.

Confidentiality

BMC ensures that all personnel granted access to customer systems have committed themselves to protecting customer data by executing written confidentiality obligations to the extent legally necessary. The obligation to treat customer data pursuant to such confidentiality obligations survives the termination of employment. Applying the principle of least privilege, customer data is made available only to personnel that require access to such data for the performance of BMC's contractual obligation to you.

Technical protection measures

Access to BMC's facilities and assets is controlled by the following measures, which prevent unauthorized persons from gaining access to customer systems and data:

  • BMC has an identity management system fully integrated with its directory system to provide full lifecycle management for BMC user accounts and access to data.
  • Accounts and system access are revoked immediately upon termination of employment.
  • BMC user accounts are generated on a per-individual basis and are not shared. Unique user IDs are created to ensure that activities can be attributed to the responsible individual.
  • User passwords are stored using a one-way hashing algorithm and are never transmitted unencrypted.
  • Passwords are encrypted in transit using current industry encryption standards. Following a successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state.
  • Access to customer data, including data transferred as part of a support effort, is restricted to BMC-authorized personnel only.
  • BMC's data center facilities are provided by industry-recognized providers and include:
    • Multiple compliance certifications
    • 24 hour security
    • Restricted, multi-factor access requirements

Control-M SaaS is hosted in AWS data centers. Currently, the regions used are US West (Oregon) and EU West (Ireland). These regions have at least three availability zones, each of which is an independent data center. Control-M SaaS components are replicated across all availability zones, providing an extremely high level of resiliency. The data centers comply with ISO 27001 and multiple other standards.

User password controls

BMC user accounts that provide access to customer systems are created using strict password controls to prevent unauthorized use. Controls include:

  • User passwords are stored using a one-way hashing algorithm and are never transmitted unencrypted.
  • Passwords are encrypted in transit using current industry encryption standards. Following a successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state.
  • Controls ensure generated initial passwords are reset upon first use.
  • Controls are in place to revoke access after several consecutive failed login attempts.
  • Controls are in place to limit the number of invalid login attempts before the user is locked out.
  • Controls force user password expiration after a set period of use.
  • Controls terminate a user's session after a period of inactivity.
  • Password history controls are in place to limit password reuse.
  • A password policy is enforced that includes length controls, complexity requirements, and a verification question setting for use when resetting a password.
