Security Controls Overview

Security at Bandwidth is a high priority for our network and business. Bandwidth has a dedicated information security team that oversees Bandwidth’s security program. Bandwidth recognizes information must be managed, controlled and protected as it has a significant impact on our products and customers.

Bandwidth’s Information Security program is designed and achieved ISO 27001:2013 certification to protect assets against unauthorized use, disclosure, alteration, and destruction.

Network Security

Bandwidth’s network environment is monitored 24×7 by a team of Network Operations Technicians. All site locations have firewalls, and traffic monitoring deployed.

Vulnerability Management

Vulnerability and policy scans are performed on Bandwidth’s environments and assets weekly, internal and external.

Application Security (BW AppSec)

Bandwidth’s application security program proactively performs static and dynamic scanning of systems and software code.

Continuing education for developers is based on OWASP Top 10 with continuous educational feedback loops in the development lifecycle to bring additional awareness of our secure software delivery.

Change Management

All changes to production environments must be reviewed and approved by Bandwidth’s Change Review Board. Approval requires risk analysis, test, and back-out plan before any changes can be made. Changes are scheduled during off-peak times to minimize disruptions.

Endpoint Security

Bandwidth desktops, laptops and mobile devices are centrally managed and are fully encrypted. All end-user computers have anti-virus and anti-malware protection.

Physical Security

Access to all Bandwidth offices is restricted and controlled by assigned proximity badges. Visitors must sign in, display a visitor badge, and be escorted by the sponsoring employee. Entrances and exits to all sites/offices are under video surveillance.

Data Centers hosting Bandwidth’s equipment are certified SOC II or ISO 27001:2013 compliant. Each site location provides layers of security, including biometrics, security guards, cameras and equipment secured in isolated rack/cages.

Third-Party Penetration Testing

Bandwidth uses third-party partners to perform external penetration testing against applications and networks at a minimum on an annual basis

Vendor Risk Management

The Bandwidth VRM (vendor risk management) program enables Bandwidth to appropriately identify and protect its business data and intellectual property hosted/stored by third-party vendors. Bandwidth evaluates all third-party vendors for data security. Continuous third-party evaluations are done to reevaluate security posture of each vendor for ongoing compliance.

Log/Event Management

All Bandwidth security logs are collected and stored for one year in a centralized logging infrastructure that is analyzed real-time by the Bandwidth Security Incident Event Monitoring (SIEM) system. In addition to real-time alerting, Bandwidth has established a SOC for 24×7 monitoring of events and alerts.

Identity & Access Management

Access to Bandwidth’s production systems and services by employees is on a need-to-know model with least privileges. Bandwidth continuously monitors user accounts using behavioral analytics and anomaly detection. Bandwidth requires
2-factor authentication for all remote access to Bandwidth networks and systems.

Governance, Risk, & Compliance (GRC)

Bandwidth holds the internationally recognized ISO 27001:2013 Certification for our product and services. Bandwidth’s information security program, information security policies, standards, and guidelines, are managed and monitored through centralized GRC platform .The Bandwidth security team performs ongoing audits and risk assessments across the organization as part of Bandwidth’s information security management system (ISMS).

Log/Incident Management

Bandwidth has a formal incident management program and has a dedicated incident response team to assemble and manage incident investigations.

People/HR Security

Bandwidth performs background checks on all potential new employees before employment. All new-hires must complete security awareness training at the start of employment and ongoing for all employees.