BMC understands that the confidentiality, integrity and availability of your operational information are vital to your organization. BMC uses a multi-layered approach to protect your data, constantly monitoring and improving applications, systems, and processes. The BMC Security Operations Center (SOC) and Network Operations Center (NOC) teams work 24 hours a day, seven days a week, and 365 days a year to ensure the continuous and secure operation of your service.
BMC's OnDemand offerings are designed around NIST (National Institute of Standards & Technology) controls in order to provide enterprise-grade security for our customers. BMC uses a defense-in-depth methodology that relies on redundant controls to prevent and mitigate impacts to the confidentiality, availability, and integrity of customer data and services.
BMC’s security strategy includes the following layers:
BMC completes a Type 2 Service Organization Control (SOC 2) examination annually. The examination is conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA). The SOC 2 report is issued by an independent CPA firm and includes a qualified opinion on BMC's controls relative to the security, availability and confidentiality trust services principles and criteria of its OnDemand services. The purpose of the SOC 2 report is to provide assurance to BMC and its customers that the OnDemand services are designed and implemented using effective security controls. During the examination, the independent auditors evaluate and test controls over the following domains:
The SOC 2 audit results are available upon request and with a signed non-disclosure agreement. For more information, contact your BMC Account Manager or Business Relationship Manager.
For a summary of compliance types specific to BMC's data centers, see Data center overview.
Safeguarding the privacy and security of personal information is a top priority for BMC Software in our data-driven economy. In July 2015, BMC became the world's first IT management provider to have its Data Privacy Binding Corporate Rules Policy (BCRs) approved by the European data protection authorities, both as a Controller and as a Processor. BCRs are considered the platinum standard for compliance in data privacy and personal data protection worldwide. BMC's BCRs apply to all personal information of past, current and potential BMC employees, customers, resellers, suppliers, service providers and other third parties. All BMC entities, employees and third-party providers comply with and respect the BCRs, which govern the collection, use, access, storage and transfer of personal data among BMC entities and third-party sub-processors worldwide.
BMC is officially listed (see the link under the "List of companies for which the EU BCR cooperation procedure is closed" section) as one of the few BCR-certified companies, and our BCRs have been widely recognized by our customers as providing an adequate transfer mechanism for moving their personal information from the European Union to third countries, as well as a key instrument demonstrating BMC's commitment to privacy. While alternative transfer mechanisms are heavily criticized and may even be suspended (Privacy Shield, EU Model Clauses), and in a context where Brexit raises significant concerns around transfers between the EU and the UK, our BCRs serve as a robust and reliable global instrument. They will sustain BMC's ability to comply with the increasing number of data privacy laws and regulations adopted around the world, many of which are inspired by the EU principles.
For more information, please see Data Privacy Binding Corporate Rules.
On May 25, 2018, the European General Data Protection Regulation ("GDPR") entered into force and modified the legislation underlying BMC's BCRs. As advised by the EU regulators, BMC has updated its BCRs to reflect the relevant changes and has notified the French Data Protection Authority ("CNIL"), which initially approved our BCRs in 2015, of the updated version. The most significant changes concern Accountability, Transparency, Individual Privacy Rights and Privacy by Design.