Child pages
    • Security


    To view the latest information for BMC Helix services and policies, go to BMC Helix Subscriber Information.

    Skip to end of metadata
    Go to start of metadata

    This section covers the following topics:

    Security overview

    BMC understands that the confidentiality, integrity and availability of your operational information are vital to your organization. BMC uses a multi-layered approach to protect your data, constantly monitoring and improving applications, systems, and processes. The BMC Security Operations Center (SOC) and Network Operations Center (NOC) teams work 24 hours a day, seven days a week, and 365 days a year to ensure the continuous and secure operation of your service.

    The BMC OnDemand NOC makes extensive use of BMC’s world class monitoring and automation solutions. All customer environments are monitored 24 hours a day and seven days a week. The NOC frequently resolves potential incidents before they impact customers.

    Should your service be impacted, automated root cause analysis data is provided via the BMC TrueSight Operations Management solution and extensive automations using BMC Atrium Orchestrator dramatically reduce the Mean Time to Repair (MTTR).

    BMC's OnDemand offerings are designed based upon NIST (National Institute of Standards & Technology) controls in order to provide enterprise grade security for our customers. BMC utilizes a defense in depth methodology that focuses on redundant controls to prevent and mitigate impacts to the confidentiality, availability, and integrity of customer data and services.

    BMC’s security strategy includes the following layers:

    • Governance
    • Physical
    • Perimeter
    • Network
    • End Point
    • Application
    • Data


    Third party audit

    BMC completes a Type 2 Service Organization Control (SOC 2) examination annually.  The examination is conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA). The SOC 2 report is issued by an independent CPA firm and includes a qualified opinion on BMC's controls relative to the security, availability and confidentiality trust services principles and criteria of its OnDemand services.  The purpose of the SOC 2 report is to provide assurance to BMC and its customers that the OnDemand services are designed and implemented using effective security controls.  During the examination, the independent auditors evaluate and test controls over the following domains:

    • Organization and management
    • Communications 
    • Risk management and design and implementation of controls
    • Monitoring of controls
    • Logical and physical access controls
    • System operations
    • Change management

    The SOC 2 audit results are available upon request and with a signed non-disclosure agreement. For more information, contact your BMC Account Manager or Business Relationship Manager.

    For a summary of compliance types specific to BMC's data centers, see Data center overview.

    Data privacy

    Safeguarding the privacy and security of personal information is a top priority for BMC Software in our data driven-economy. In July 2015, BMC became the world's first IT management provider to get its Data Privacy Binding Corporate Rules Policy (BCRs) approved by the European data protection authorities, both as a Controller and a Processor. BCRs are considered to be the platinum standard for compliance in data privacy and personal data protection worldwide. BMC’s BCRs apply to all personal information of past, current and potential BMC employees, customers, resellers, suppliers, service providers and other third parties. All BMC entities, employees and third party providers comply with and respect the BCRs which govern the collection, use, access, storage and transfer of personal data among BMC entities and third-party sub-processors worldwide.

    BMC is officially listed (see link under the List of companies for which the EU BCR cooperation procedure is closed section) as one of the few BCR-certified companies, and our BCRs have been largely recognized by our customers as providing an adequate transfer mechanism to move their personal information from the European Union to third countries, as well as a key instrument demonstrating BMC’s commitment to privacy. While alternative transfer mechanisms are heavily criticized and may even be suspended (Privacy Shield, EU Model Clauses), and in a context where the Brexit raises significant concerns around transfers between the EU and the UK, our BCRs serve as a robust and reliable global instrument. They will sustain BMC’s ability to comply with the increasing number of data privacy laws and regulations adopted around the world, many of which are inspired by the EU principles. 

    For more information, please see Data Privacy Binding Corporate Rules.

    General Data Protection Regulation (GDPR)

    On May 25, 2018, the European General Data Protection Regulation (“GDPR”) entered into force and modified the legislation underlying BMC’s BCRs. As advised by the EU Regulators, BMC has updated its BCRs to reflect the relevant changes and notified the updated version to the French Data Protection Authority (“CNIL”), who initially approved our BCRs in 2015. The most significant changes include Accountability, Transparency, Individual Privacy Rights and Privacy by Design. 

    Related topic

    Data encryption