Security Controls Overview
Bandwidth’s network environment is monitored 24×7 by a team of Network Operations Technicians. All site locations have firewalls and traffic monitoring deployed.
Automated vulnerability and policy scans are performed on Bandwidth’s environments and assets.
Application Security (BW AppSec)
Bandwidth’s application security program actively performs static and dynamic scanning of systems and software code. Continuing education for developers is based on the OWASP Top 10, with educational feedback loops in the development lifecycle to bring additional awareness to our secure software delivery.
Bandwidth’s Change Review Board oversees change requests and change approvals. The approval process contains a review of risk, test plan, and back-out plan before changes can be made. Changes are scheduled during off-peak times to minimize disruptions.
Bandwidth desktops, laptops and mobile devices are centrally managed and are fully encrypted. All end-user computers have anti-virus and anti-malware protection.
Access to all Bandwidth offices is restricted and controlled by assigned proximity badges. Visitors must sign in, display a visitor badge, and be escorted by the sponsoring employee. Entrances and exits to all sites/offices are under video surveillance. Data centers hosting Bandwidth’s equipment are certified SOC 2 or ISO 27001:2013 compliant. Each site location provides layers of security, including biometrics, security guards, cameras, and equipment secured in isolated racks/cages.
Third-Party Penetration Testing
Bandwidth uses third-party partners to perform external penetration testing against applications and networks.
Vendor Risk Management
The Bandwidth VRM (vendor risk management) program enables Bandwidth to appropriately identify and protect its business data and intellectual property hosted/stored by third-party vendors. Bandwidth evaluates third-party vendors for data security and continues to reevaluate security posture of each vendor for ongoing compliance.
All Bandwidth security logs are collected and stored for one year in a centralized logging infrastructure that is analyzed in real time by the Bandwidth Security Incident Event Monitoring (SIEM) system. In addition to real-time alerting, Bandwidth has established a SOC for 24×7 monitoring of events and alerts.
Identity & Access Management
Access to Bandwidth’s production systems and services by employees is on a need-to-know model. Bandwidth continuously monitors user accounts using behavioral analytics and anomaly detection. Bandwidth requires two-factor authentication for all remote access to Bandwidth networks and systems.
Governance, Risk, & Compliance (GRC)
Bandwidth’s information security program, information security policies, standards, and guidelines are built on the ISO/IEC 27002 code of best practices for information security. The Bandwidth security team performs ongoing audits and risk assessments across the organization as part of Bandwidth’s information security management system (ISMS) in compliance with ISO/IEC 27001:2013.
Bandwidth has a formal incident management program and has a dedicated incident response team to assemble and manage incident investigations.
Bandwidth performs background checks on all potential new employees before employment. All new hires must complete security awareness training at the start of employment, and training continues on an ongoing basis for all employees.