Progress Software operates an Executive Security Committee which has directed that a security program and supporting policy framework be operated to protect the security interests of company infrastructure, the software it produces, and the customer solutions it operates. The company information security program is responsible for protecting the confidentiality, integrity, and availability of information handled by company technology systems and outward-facing technology products. It is established that this function will identify, assess, monitor, and remediate security issues in a manner that keeps risks under control and within company and customer appetite. The program is operated according to applicable laws, regulations, and industry best practices. The function shall leverage colleagues from across the company to effectively manage risk, and its efforts remain transparent to leadership. The following program components underpin Progress' Information Security Program.
On an annual basis, company information security officers present to management a revised corporate information security strategy aimed at protecting the confidentiality, integrity, and availability of company systems and customer-facing products. Throughout the course of a given year, risks are identified and tracked, existing information security solutions are monitored, and new security technologies are researched. These ingredients converge on an annual basis into a strategic security plan that governs corporate information security strategy and product security related practices. These plans then influence initiatives, projects, policies, and procedures across the company.
Information Security at Progress is governed by an interrelated hierarchy of working groups which is overseen by an Executive Security / Executive Risk Management (ERM) Committee. The ERM committee approves new policy and security standards, hears from working groups on emerging security risks, and provides guidance and direction on top-level strategy. The committee members advise on and prioritize the development of information security initiatives. The committee establishes additional working groups or subcommittees as it deems necessary.
A Corporate Information Security Working Group (aka Corporate InfoSec) governs and manages security matters related to company IT infrastructure and IT operations. Its governance duties include approving policy drafts that seek final approval by the Executive Security Committee, approving security standards and procedural guidelines, identifying security risks, providing guidance and direction on remediation strategies, tracking aging risks, and reporting major risk issues to the Executive Security Committee. INFOSEC provides leadership in the protection of company information assets and technology. The committee members advise on and prioritize the development of information security initiatives. INFOSEC advocates for the prioritization of security activities throughout the company. This group may also establish other working groups or subcommittees to identify and develop strategic direction and recommendations.
A Product Information Security Working Group (aka PSWG) is an entity appointed to manage security matters related to company products. Its members collaborate on security best practices, share knowledge, and develop policy documentation that affects all products. Working group members discuss and debate security initiatives to improve product security and work together to maintain the security compliance posture.
Progress conducts a range of compliance activities throughout the course of any given year. These focus on Sarbanes-Oxley (SOX), SOC2, HIPAA, and GDPR. Compliance reports are available on request to assist customers with vendor diligence activities.
Progress maintains a family of Information Security Policy documents that take the form of policies, standards, and procedural guidelines. Each of these document types is published inside Progress to shape employee behaviors and to maintain the security of our environment and of our products. Such documents are kept in an electronic policy binder and made available to all employees. On an annual basis, company information security policy is circulated to all employees for acknowledgement and signoff.
All employees undergo a regimen of security training throughout the year. Content is selected by committee and features such topics as general security awareness, email security, phishing awareness, HIPAA ePHI training, GDPR training, and secure coding.
Company security architecture planning is an ongoing activity managed by Corporate Information Security and Product Information Security staff. Throughout the course of a given year, risks are identified and tracked, existing information security solutions are monitored, and new security technologies are researched for possible implementation. Standard approaches to perimeter network security, cloud infrastructure security, web and application security, authentication, and database security are just some of the disciplines we focus on. Our engineers work together within products and across products to ensure best practices in security design are implemented and maintained.
From corporate networks to web applications, cloud offerings, and employee computing environments, Progress employs a defense-in-depth strategy in the protection of our corporate assets and our customer environments. Network perimeter security, intrusion detection and prevention, anti-malware, anti-virus, server hardening, secure load balancing, secure authentication, encryption of data in transit, encryption of data at rest, stringent user access control, database security, security monitoring, and event management are just a few of the technologies involved in protecting our business and our customers.
Access to company software applications, especially administrative access to production customer applications, is tightly controlled via best practices and access management technologies. Corporate and business applications are tightly connected to HR employee management activities to ensure that our users have just the right level of access while abiding by the model of least privilege. Administrator activities are logged and reviewed for unusual patterns, and administrator accounts are reviewed on a recurring basis to verify need.
All software products at Progress are developed via the use of modern methodologies, techniques, technologies, and processes. Our software development life cycles employ Agile methodologies while including numerous waves of security planning and testing. These include security requirements planning, security design planning, code-level security scanning, vulnerability scanning, and penetration testing.
Ongoing threat and vulnerability management activities are performed on all corporate assets and customer-facing product environments. These activities include monitoring of key government and media outlets to stay apprised of emerging security issues, vulnerability scanning of internal and external systems, and penetration testing of products and corporate environments.
Progress subjects itself to a regular regimen of assessment activities to identify information security risks. Such activities may include self-initiated security assessments via contracted third-party security firms, systems controls reviews by external industry authorities, or internal assessment activities using the expertise of existing staff. As such activities are conducted, any finding will be processed in a consistent manner that mitigates risk.
The Executive Security Committee at Progress has directed that an Incident Management function be operated that handles all corporate and customer related incident matters. In the case of an information security incident that threatens the availability, confidentiality, or integrity of information assets, information systems, or the networks that deliver the information, a response is conducted in a consistent manner. Appropriate leadership and technical resources are involved in any incident situation in order to make key decisions and promptly restore any operations impacted. Exercises are performed on a recurring basis to ensure staff familiarity with procedures and to identify any new lessons that should be incorporated into response plans.
Questions about Security, Privacy, Compliance and Due Diligence: security@progress.com