Data protection

This topic provides the following information: 

Malware protection

BMC utilizes McAfee Endpoint Security on all servers, workstations, and email gateways for core threat prevention, endpoint detection and incident response.  Protection includes virus scanning, and spyware and adware detection.  McAfee agents are updated daily and managed centrally using a centralized policy server.  Viruses and malware alerts are reported to the Security Information and Event Management (SIEM) system and assessed weekly as part of the Security Operations Control reporting procedure.  All customer servers contain the McAfee agent and have no anti-malware exceptions.

Incoming files and attachments

Incoming data files are scanned automatically when sent via email. Scanning is also performed on-access as part of the standard security policy.

Regarding scanning of file uploads, any malware/virus scanning on customer-initiated file attachments, specifically uploaded via web interfaces of BMC subscription services, cannot be initiated by BMC without potentially harming the integrity of the data being added into the system. For this reason, any interaction with the file attachment content is a shared responsibility between both BMC and the customer, as noted below. It is important to note that there are several capabilities and compensating controls available to further minimize potential impact.

 Existing controls:

• In order to upload attachments within the application environment, a user must already be authenticated and have been authorized to perform such actions.
• All attachments uploaded into the application are stored directly within the database and do not have the permissions or ability to be executed from within the environment.
• BMC maintains file restrictions and detection/prevention capabilities on all supporting systems and customer environments.

 Customer responsibilities:

1. Manage end-user access and permissions within the application environment.
2. On local systems and networks that may read attachment data from the application environment, utilize client-side and network-based controls to detect/prevent the writing and/or execution of any potentially malicious attachments, in accordance with customer endpoint and perimeter protection policies.
3. Configure file type restrictions within the application, that can further minimize the ability to upload and/or view attachments that do not meet customer policy requirements. 

More information can be found at the following links:

• Restricting users from uploading and viewing files with specific extensions
• BMC Helix Customization policy

SaaS Media Protection policy

BMC's SaaS Media Protection policy addresses practices that control the use of data on removable media and mobile devices. BMC restricts access to customer information to those with a legitimate need to know and requires that:

• any stored encrypted magnetic tapes be locked in containers in the data center; and
• laptops and desktops be configured to restrict the use of the following types of portable media devices: diskettes, external/removable hard drives, flash/thumb drives, compact discs, and optical drives.

Other types of portable media are handled in the following manner described, including but not limited to:

• notebook/laptop computers are encrypted at the boot level
• personal digital assistants are encrypted
• cellular phones/smartphones are encrypted
• non-digital media (paper) is to be locked in a desk employing the BMC clean desk policy or disposed of in supplied secure shred bins