System access

This section covers the following topics relative to BMC personnel:

Confidentiality

BMC ensures that all personnel granted access to customer systems have committed themselves to protect customer data by executing written confidentiality obligations to the extent legally necessary. The obligation to treat customer data pursuant to such confidentiality obligations survives the termination of employment. Applying the principle of least privilege, customer data is made available only to personnel who require access to such data for the performance of BMC's contractual obligation to you.

Technical protection measures

Access to data center facilities and assets is controlled by the following measures, which prevent unauthorized persons from gaining access to customer systems and data:

  • BMC has an identity management system fully integrated with its directory system to provide full lifecycle management for BMC user accounts and access to data.
  • Accounts and system access are revoked immediately upon termination of employment.
  • BMC user accounts are generated on a per-individual basis and are not shared. Unique user IDs are created to ensure that activities can be attributed to the responsible individual.
  • User passwords are stored using a one-way hashing algorithm and are never transmitted unencrypted.
  • User passwords are encrypted in transmission using current industry encryption standards. Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track the session state.
  • Access to customer data, including data transferred via the File transfer process, is restricted to BMC authorized personnel only.
  • BMC's data center facilities are provided by industry-recognized providers and include:
    • Multiple compliance certifications
    • 24-hour security
    • Restricted, multi-factor access requirements

See Service locations for additional detail.

User password controls

BMC user accounts that provide access to customer systems are created using strict password controls to prevent unauthorized use. Controls include: 

  • User passwords are stored using a one-way hashing algorithm and are never transmitted unencrypted.
  • User passwords are encrypted in transmission using current industry encryption standards. Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track the session state.
  • Controls ensure generated initial passwords are reset upon first use.
  • Controls are in place to revoke access after several consecutive failed login attempts.
  • Controls are in place to limit the number of invalid login attempts before the user is locked out.
  • Controls force user password expiration after a set period of use.
  • Controls terminate a user's session after a period of inactivity.
  • Password history controls are in place to limit password reuse.
  • A password policy is enforced to include length controls, complexity requirements, and a verification question setting for use when resetting a password.