
Security Compliance at Mirantis

Learn how Mirantis implements information security company wide

Mirantis runs a mature Information Security Management System (ISMS), which ensures that our key infrastructure, services, and development environments are safe and secure. Our system implements a holistic approach to information security across the entire organization.

Industry Certifications

Many of our customers need their trusted suppliers to demonstrate security compliance to achieve their regulatory goals and pass both internal and external audits.

Mirantis has achieved the following security compliance certifications:

  • ISO 27001 — Information security management
  • TISAX — Trusted Information Security Assessment Exchange
    • Mirantis registered member number P31T23
    • Mirantis Assessment Level 2 (AL2)

In addition, Mirantis is certified for the following industry standards:

  • ISO 9001 — Quality management systems
  • ISO 14001 — Environmental management systems

Holistic Implementation

For more than a decade, Mirantis has been creating and implementing policies and procedures for information security. To address specific market conditions and customer requirements, Mirantis first began by hiring security experts and establishing organizational units focused on product security, including a Product Security Incident Response Team. We also began focusing on improving our infrastructure security and technical compliance.

Today we have several industry certifications for both product and information security management (copies available on request). We base our security philosophy on a deep understanding of the processes and activities that we want to protect.

Sustainability of our services is based on ensuring maturity in processes related to Availability, Backup and Connectivity.

Three Pillars of Mirantis Security

From an operational perspective, our security is based on the following three pillars:

  1. People – Employees are our most important resource. We train our employees to constantly monitor the threats that may affect them in both their daily work and personal life. We place a high priority on periodic employee training designed to increase their level of awareness of security issues.

  2. Product – We believe that the appropriate product development processes, including security tests, acceptance tests and performance tests, will prepare our clients’ software for various situations and threats.

    We make every effort during project risk analysis to identify possible risk scenarios and properly prepare the configuration for them.

  3. Infrastructure – This is the greatest challenge in ensuring security. Our activities include both the “heavy” infrastructure related to the services provided by our Data Center and the “light” infrastructure used by employees to perform their daily duties.

    We monitor the condition of both types of infrastructure in accordance with the current guidelines and the requirements of our clients.

We as an organization are always ready to address new information security challenges from our clients. We believe that each new requirement provides an opportunity to further develop our security strategies and allows us to better prepare for market challenges.

Documentation Examples

The documentation for our Information Security Management System fulfills requirements set by international security standards. Below are some excerpts from our ISMS documentation:

Information Security Policy

The Company has implemented an information security policy to define the directions of information security in the company and to indicate to our employees the general principles of information security. Detailed process descriptions can be found in internal documents such as process policies or work instructions.

Access Control Policy

We make every effort to ensure that access to systems and applications is granted in accordance with the best information security guidelines. Access management is documented and periodically analyzed, and the rights granted are periodically reviewed to confirm they are still appropriate.

Change Management

Mirantis people believe that a well-implemented change management process, for both the product and the infrastructure, allows for accountability of work, analysis of the causes of problems in the processes, and proper feedback within the organization and among the departments participating in the process. Change management is periodically analyzed and documented on an ongoing basis.

Acceptable Use Policy

Ensuring monitoring is a challenge for the security department, but we are convinced that without sensible and conscientious employees it would be difficult to maintain an appropriate level of security. The policy is a set of guidelines for good and safe behavior by our employees when using the office infrastructure and cooperating with clients.

Business Continuity Policy

We pay special attention to business continuity, and we have developed our own ABC methodology, which allows us to monitor the continuity of technological processes related to IT infrastructure on an ongoing basis. We maintain a set of basic critical scenarios that we periodically test and document.

Incident Management and Tracking

Monitoring security incidents is one of the most complex processes for us. Our approach integrates incident management in several areas. We have teams that monitor the Internet 24 hours a day in search of problems that could apply to products, software or other topics related to our company.

The method of reporting incidents is agreed with our clients on a case-by-case basis.

Supplier Management Policy

We carefully select companies cooperating with us in accordance with the expectations of our clients. Suppliers are assessed in accordance with the adopted methodology. If there are any risks related to the cooperation, they are discussed with the partner.

Mirantis has implemented a policy of cooperation with suppliers, which also introduces a third-party risk assessment process. Supplier risk assessment results are documented and periodically monitored as needed.