Risk Management Program
Hootsuite’s security risk management framework sets out the general mandate and commitment, guiding principles, and established roles and accountabilities for managing, monitoring, and improving risk management practice within the organization. The program is adaptive, reflecting the internal organizational and external environment, technology advancements, and business changes. The framework covers the assessment and treatment of information security risks across all security processes, including vendor and supplier review, application and server patching, security incident management, and vulnerability remediation.
Hootsuite has a dedicated team whose mission is to provide objective assurance and advisory activities designed to add value and strengthen Hootsuite’s operations. Its mandate is to determine whether Hootsuite’s risk management, control, and governance processes, as designed and represented by management, are adequate and functioning as intended across all business units, including Hootsuite’s operations. This involves:
- Ensuring that management has implemented reliable internal controls.
- Advising business units regarding risk, and helping management identify controls to mitigate risks.
- Assessing the controls and operations within business units, and reporting the results of the assessment to management.
There is a structured risk assessment process to identify and manage risks that could affect Hootsuite’s ability to provide services for its customers. The assessment is performed on an annual basis or when there has been a significant change to the environment or business process. The assessment involves the following steps: identify, analyze, evaluate, and effectively treat risks.
Information Security Policies
Hootsuite has established an information security management system (ISMS) to guide its operations. Policies and processes are in place to provide management with direction and support for information security in accordance with business requirements and relevant frameworks, laws, and regulations.
Hootsuite has a comprehensive set of information security policies based on the ISO/IEC 27001 and 27002 information security standards, the AICPA Trust Services Criteria (SOC 2), NIST SP 800-53, and the GDPR. They include policies related to:
- Acceptable Use
- Access Control
- Asset Management
- Change Management
- Configuration Management
- Disaster Recovery
- Endpoint Security
- Information Classification
- Human Resource Security
- Logging and Monitoring
- Operations Backup
- Physical and Environmental Security
- Security Incident Management
- Security Risk Management
- Security Vulnerability Management
- Third-Party Risk Management
- Wireless Security
The security policies are grounded in the key principles of least privilege, need-to-know, and segregation of duties. The policies are reviewed annually or when there has been a significant change to the environment or business process.
Hootsuite performs internal testing of key security and privacy controls to validate adherence to the established frameworks. This includes third-party security penetration testing on an annual basis. The results are communicated to executive management; remediation efforts are tracked and controls are re-tested as required to confirm that findings have been closed.
Security and privacy controls are audited yearly by an independent third party to verify that the technology, processes, and procedures are in place and being followed. You may request a summary of our SOC 2 Type II report through your account manager.
Our SOC 3 report outlines information related to Hootsuite’s internal controls for security, availability, processing integrity, confidentiality, and privacy, and is available for download.
The UK Government’s National Cyber Security Strategy requires suppliers bidding on government contracts that involve handling sensitive and personal information to hold Cyber Essentials certification. Cyber Essentials was developed by the UK Government, in consultation with industry, and provides a foundation of basic cyber hygiene controls. Hootsuite has achieved Cyber Essentials certification.
The Federal Risk and Authorization Management Program, or FedRAMP, is a US government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by US Federal agencies. FedRAMP ensures that providers meet rigorous standards governed by an external body, and US Federal agencies are encouraged to host data with cloud service providers that hold FedRAMP authorization.
FedRAMP authorization is an assessment process performed by an accredited third-party assessment organization (3PAO) against security baselines derived from NIST SP 800-53. There are different impact levels of authorization depending on the sensitivity of the federal data handled by the provider. Hootsuite is authorized against the FedRAMP Tailored Low-Impact SaaS (LI-SaaS) baseline.
If you have questions about Hootsuite’s risk management program, information security policies, or independent verification process, ask your customer success representative or contact us to learn more.