Security

Bandwidth’s network environment is monitored 24×7 by a team of Network Operations Technicians. All site locations have firewalls, intrusion detection, DDoS protection services and traffic monitoring deployed.

Vulnerability scans are performed internal and external on Bandwidth’s environments, web services and assets daily.

Bandwidth’s application security program proactively performs static and dynamic scanning of systems and software code. Continuing education for developers is based on OWASP Top 10 with continuous educational feedback loops in the development life cycle to bring additional awareness to our secure software delivery.

All changes to production environments must be reviewed and approved by Bandwidth’s Change Review Board. Approval requires risk analysis, test, and back-out plan before any changes can be made. Changes are scheduled during offpeak times to minimize disruptions.

Bandwidth desktops, laptops and mobile devices are centrally managed and are fully encrypted. All end-user computers have anti-virus and anti- malware protection.

Access to all Bandwidth offices is restricted and controlled by assigned proximity badges. Visitors must sign in, display a visitor badge, and be escorted by the sponsoring employee. Entrances and exits to all sites/offices are under video surveillance.

Bandwidth hosted data centers are SOC 2 Type II or ISO 27001:2013 certified. Each data center site location provides layers of security, including biometrics, security guards, cameras and equipment secured in isolated rack/cages.

Bandwidth uses third-party partners to perform external penetration testing against applications and networks at a minimum on an annual basis.

The Bandwidth VRM (vendor risk management) program enables Bandwidth to appropriately identify and protect its business data and intellectual property hosted/stored by third-party vendors. Bandwidth evaluates all third-party vendors for data security. Continuous third-party evaluations are done to reevaluate security posture of vendors for ongoing compliance.

Bandwidth security logs are collected and stored for one year in a centralized logging infrastructure that is analyzed realtime by the Bandwidth Security Incident Event Monitoring (SIEM) system. In addition to real-time threat analysis and alerting, Bandwidth has established a SOC for 24×7 monitoring of events and alerts.

Access to Bandwidths production systems and services by employees is on a need-to-know model with least privileges. Bandwidth continuously monitors user accounts using security analytics and anomaly detection. Bandwidth requires two-factor authentication for all remote access to Bandwidth networks and systems.

Bandwidth’s information security program, information security policies, standards, and guidelines, are built on the ISO/IEC 27002 code of best practices for information security. The Bandwidth security team performs ongoing audits and risk assessments across the organization as part of Bandwidth’s information security management system. Bandwidth maintains ISO 27001:2013 Certification and SOC 2 Type II attestation for all Trust Services Criteria for our products and services.

Bandwidth has a formal incident management program and has a dedicated incident response team to assemble and manage incident investigations.

Bandwidth performs background checks on all potential new employees before employment. All new-hires must complete security awareness training at the start of employment and ongoing for all employees.

Bandwidth’s network environment is monitored 24×7 by a team of Network Operations Technicians. All site locations have firewalls.

Vulnerability scans are performed on Bandwidth’s environments and assets daily.

Bandwidth’s application security program proactively performs static and dynamic scanning of systems and software code. Continuing education for developers is based on OWASP Top 10 with continuous educational feedback loops in the development lifecycle to bring additional awareness to our secure software delivery.

All changes to production environments must be reviewed and approved by Bandwidth’s Change Review Board. Approval requires risk analysis, test, and back-out plan before any changes can be made. Changes are scheduled during off-peak times to minimize disruptions.

Bandwidth desktops, laptops and mobile devices are centrally managed and are fully encrypted. All end-user computers have anti-virus and anti-malware protection.

Access to all Bandwidth offices is restricted and controlled by assigned proximity badges. Visitors must sign in, display a visitor badge, and be escorted by the sponsoring employee. Bandwidth hosted data centers are SOC 2 Type II or ISO 27001:2013 certified. Each data center site location provides layers of security, including biometrics, security guards, cameras and equipment secured in isolated rack/cages.

Bandwidth uses third-party partners to perform external penetration testing against applications and networks at a minimum on an annual basis.

The Bandwidth VRM (vendor risk management) program enables Bandwidth to appropriately identify and protect its business data and intellectual property hosted/stored by third-party vendors. Bandwidth evaluates all third-party vendors for data security. Continuous third-party evaluations are done to reevaluate the security posture of vendors for ongoing compliance.

Bandwidth security logs are collected and stored for one year in a centralized logging infrastructure that is analyzed real-time by the Bandwidth Security Incident Event Monitoring (SIEM) system. In addition to real-time threat analysis and alerting, Bandwidth has established a SOC for 24×7 monitoring of events and alerts.

Access to Bandwidths production systems and services by employees is on a need-to-know model with least privileges. Bandwidth continuously monitors user accounts using security analytics and anomaly detection. Bandwidth requires two-factor authentication for all remote access to Bandwidth networks and systems.

Bandwidth’s information security program, information security policies, standards, and guidelines, are built on the ISO/IEC 27002 code of best practices for information security. The Bandwidth security team performs ongoing audits and risk assessments across the organization as part of Bandwidth’s information security management system.

Bandwidth has a formal incident management program and has a dedicated incident response team to assemble and manage incident investigations.

Bandwidth performs background checks on all potential new employees before employment. All new-hires must complete security awareness training at the start of employment and ongoing for all employees.