When organizations implement a cloud-based solution, they put their trust in the solution provider to protect their data and deliver a secure platform.
Lexmark takes this trust seriously.
All user data is kept secure. Only required personal data, such as email addresses, names, and student ID numbers, is collected. No financial data is collected or stored.
This document is intended for Lexmark customers and Lexmark partners who are interested in understanding how the information assets are handled within Lexmark Testing Assistant. The document also contains information on how the solution interacts with the information systems of the customer.
Lexmark uses some of the most advanced technology for Internet security commercially available today.
Users are required to create a unique username and password that must be entered each time they log in. User passwords must meet the complexity requirements.
All user passwords are stored in the database as a nonreversible salted hash.
Users are warned if they try to set a vulnerable password that has already been leaked by a third party.
Secure Sockets Layer (SSL) technology is used to protect all data, in motion and at rest, using server authentication and data encryption. User data is safe, secure, and available only to authorized persons.
A role-based access control method is used to restrict access to authorized users.
Data center certifications:
SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)
SOC 2
SOC 3
FISMA, DIACAP, and FedRAMP
DOD CSM Levels 1–5
PCI DSS Level 1
ISO 9001 / ISO 27001
ITAR
FIPS 140-2
MTCS Level 3
The data centers are staffed with accredited technicians.
The data centers are secured using two-factor authentication, video surveillance, intrusion-detection systems, and 24/7 security personnel.
The data centers are equipped with digital surveillance systems.
The data centers are equipped with state-of-the-art fire detection and suppression systems.
The data centers have environmental controls for temperature and humidity.
All customer data is stored on servers in North America (USA or Canada).
Magnetic storage devices that have reached the end of their useful life are demagnetized and physically destroyed in accordance with industry-standard best practices.
Fully redundant IP connections.
Multiple independent connections to Tier 1 Internet access providers.
24/7 uptime monitoring with escalation to Lexmark representatives for any downtime.
All services have quick failover points and redundant hardware across multiple availability zones.
The services are scalable to meet demand.
The data centers are equipped with backup generators.
The servers have redundant power supplies and uninterruptible power supplies.
Application services are load-balanced, stateless, and redundant to make sure that a server is always ready to handle requests.
Secure layered stateful firewalls restrict access to servers.
The network provides protection against traditional network security issues such as DDoS attacks, MITM attacks, IP spoofing, port scanning, and packet sniffing.
The cloud servers have antivirus and threat-detection software to protect against malware and targeted attacks.
Layered intrusion-detection systems continuously monitor for unauthorized access.
Next-generation persistent-threat monitoring ensures high threat prevention performance to safeguard against malicious activity and prohibited access.
Network security audits are performed regularly using an automated security assessment service.
All environments are logically isolated using secure virtual private clouds.
All data, both at rest and in flight (inbound and outbound), is encrypted.
All off-site backups are encrypted.
Sensitive data elements are doubly secured using layer encryption.
Customer data is stored on RAID 1 arrays.
Backups occur internally daily and hourly to a centralized backup system for off-site storage.
Encrypted off-site backups are replicated in real time to centralized backup systems in North America (USA or Canada).
Role-based advanced access control systems are used to restrict administrative access based on a user’s role.
Access controls to sensitive data on the databases and systems are set on a need-to-know basis.
Access to the server control panel requires multifactor authentication.
System audit logs are maintained and monitored.
Internal information security policies are reviewed and updated regularly.
Background screening is performed on all employees.
Engineers use industry-standard best practices and secure coding guidelines.
The latest patches are applied regularly to all operating systems and application files.
No method of data transmission over the Internet, or method of electronic storage, is completely secure. Lexmark cannot guarantee absolute security. If Lexmark learns of a security breach or potential security breach, then the affected users are notified electronically so that they can take appropriate protective steps. Lexmark may also post a notice on the website.
Lexmark makes sure that the systems are secure, but keeping data secure also depends on users. Users must create complicated passwords and store them safely to maintain the security of their account. Users must not divulge their passwords to anyone, write them down where they could be associated with another personal ID, or reuse them in another location. Devices used to access the Lexmark Cloud Services must have sufficient security to keep any data downloaded away from prying eyes.