Jive leverages multiple layers of defense to protect key information and handle all critical facets of network and application security, including authentication, authorization and assurance. We use an ISMS (Information Security Management System) as a structured approach towards maintaining our security program. Jive systematically evaluates and prioritizes information security risks, taking into account the impact of company threats and vulnerabilities. Adherence to the ISO 27001 standard, regular third-party audits and close attention to customer input and industry trends help ensure that our security program keeps pace with a changing security landscape, and customer requirements.
Third Party Certifications and Audits
Third-party certifications and audits are an important component of any mature security program. We have a number of respected third-party agencies that certify and audit our environment.
Jive’s certifications and audits include:
- SOC2 Type 2.
- Privacy Shield Certification.
- Health Insurance Portability and Accountability Act (HIPAA) Compliant.
- Gramm Leach Bliley Act (GLBA) Compliant.
- Jive’s legacy third party data center facilities are either ISO 27001 or SOC 2 certified, while it’s next generation environment in Amazon Web Services (AWS) is SOC 2 certified.
Jive Security Architecture
Jive’s security architecture is designed to protect the confidentiality, integrity and availability of all customer information that we host. We apply stringent, risk-adjusted security controls in layers ranging from facilities (physical security) to network infrastructure (network security), IT systems (system/host security) and information and applications (application security). Jive has the following security controls:
- Secure data centers – Jive leverages Amazon Web Services (AWS) as our datacenter provider of the future. Amazon AWS provides customers with the ability to view their SOC2 Type 2 report. Instructions on registering for, and obtaining this report, are available at https://aws.amazon.com/compliance/soc-faqs/.
- Jive AWS Cloud Infrastructure is designed in accordance with best practices guidelines.
- Security monitoring – Our networks and systems are continuously monitored for security issues. Security events are correlated for evaluation by our security team, using a Security Information and Event Management System (SIEM) tool.
- Strict access controls (both system and network) – Jive enforces strict access control on all its systems. We perform regular internal audits and use automated tools to verify desired configurations.
- Everything is audited (internally and by 3rd parties) – Includes strong third-party auditing in the form of our SOC2.
- Strict ingress and egress points – Access to the application is restricted to ports 80/443. Jive administration is limited to a small group of Jive workers using a secure 2-factor VPN to access customer environments. All activity is logged.
- Hardened operating systems – All operating systems are configured to only use the minimal number of required services.
- Encryption – Jive provides strong encryption options for customers to use, which secures the Data in Transit (DIT) from the client side, to our core services. As part of our migration to Amazon Web Services (AWS), customers also gain the benefit of having all of their data encrypted by AWS, providing Data at Rest (DAR).
- Separated services (web, database and storage) – All services are isolated and not shared, minimizing the risk of unintended data disclosure.
- Application Programming Interfaces (API) – Secure API’s are available for customers, which can be used to export security data to a Security Information and Event Management (SIEM) solution. More information can be found at https://community.jivesoftware.com/docs/DOC-112283.
- Cookies – More information on how our cookies are used is available here.
The following diagram represents the Jive security architecture using standard AWS components. The Jive production network is completely segregated from the Jive corporate network. During the migration phase, some services may exist in the Jive data centers and others on AWS.
All of our security controls and risk analysis are based around the premise of protecting customer data. Jive hosting supports various encryption methods to protect data transiting over untrusted networks. Customers can choose to implement SSL or VPN technology to add a layer of protection to their hosted site. Encryption has also been implemented for both transit and storage of offsite backups in the remote data center facilities.
In addition to encryption, Jive’s customer data security controls include:
- Restricted access to customer data – Jive’s access to customer data is highly restricted, and access requests by our support personnel follows a highly controlled and documented process. Before access is granted, employees must complete special security training to handle customer data.
- Logging and audit – All activity is logged in a protected system and is audited using automated tools.
- Incident and response – Jive has an incident response process designed to handle customer data incidents.
- Training – All Jive employees are required to participate in security training.
Certified Security Personnel
Jive’s Security team includes certified Information Security professionals with expertise in application, network and architecture security who help define our security policies and security controls. The Jive security team is composed of professionals with graduate-level degrees, 10 years industry experience, and security certifications including CISSP, CISA, CRISC, ITIL v3, and ISO 27001 Lead Auditor.
Software Engineering Security Process
Security is continuously improved and tested throughout the Jive product lifecycle. All new feature designs are audited for high-level security considerations, and feature implementations are checked for security flaws throughout development. Existing features are audited for security vulnerability regressions, and application-wide audits are performed to ensure that feature integration is secure. Third-party components used by Jive are researched and monitored carefully for vulnerabilities. Jive has a security team focused on application security testing, using both manual and automated methodologies.
Jive maintains secure programming best practice documents based on OWASP requirements. Best-practice documents are updated on a regular basis to reflect current vulnerability knowledge, and also provide developers with real-world examples of previous programming mistakes and how to avoid them. Topics covered include input/output data sanitation, proper usage of authentication and authorization, avoiding information disclosure and secure file system (and other resource) usage.
Jive engages trusted third-party testers to perform a comprehensive security review of its product, based on OWASP standard methodologies. OWASP Top 10 Project, CWE and the SANS Top 25 Most Dangerous Software Errors are analyzed.
Such tests include:
- Application discovery and reconnaissance
- Identification of weak point
- Penetration testing using tools and techniques that mimic malicious attackers
- Reporting of vulnerabilities
- Patch verification
Application Security Process
Security Assessment Policy
Jive’s release readiness workflow includes continuous security tests and assessments. Manual and automated security tests are conducted at critical milestones, prior to public release. Security vulnerabilities discovered during these tests are then reviewed for criticality, and assigned to Engineering for resolution. Based on criticality, the issue may be resolved prior to release, or addressed in a future update.
Jive conducts continuous vulnerability scanning of our cloud and hosted environments, and has a Patch and Vulnerability Policy that provides oversight of our patching process. Customers are free to install the security patches in an on-premise instance, and the hosting team is available to apply security patches per customer requests. Jive leverages US-CERT alerts, open source data and internal testing to identify potential vulnerabilities. Remediation efforts are prioritized based on the risk level calculated by the Common Vulnerability Scoring System (CVSS).
Product Security Features
The Jive platform has a number of built-in features for configuring security at a level appropriate to your organization. Our Professional Services team is available to perform customizations on your instance, if the out-of-the-box options don’t meet your security requirements.
Jive utilizes best-in-class security tools to monitor our environment, such as:
- Intrusion Detection Systems (IDS) monitoring
- Distributed Denial of Service (DDoS) detection and mitigation
- Security Information and Event Management (SIEM) logging and analysis
- Web Application Firewall (WAF)
- Application security scanning, using multiple products
Jive strives to maintain excellent uptime for our customers. Instance-specific uptime reports are available for review, on a monthly basis.
*Definition of availability: The solution is available if Jive can complete the following tasks using its automated metric calculation tools:
- Access the home page of the administrative interface for the community and confirm correct rendering of the page,
- Log into the solution using the Private Jive Account (i.e., no SSO login) and confirm correct rendering of the page,
- Navigate to the community landing page and confirm correct rendering of the page.
Our commitment to privacy is second to none in the industry. When it comes to protecting the data that our customers, partners and website visitors entrust to us, we make no compromises. The following certifications attest to our best-in-class privacy program.
Certifications with the Department of Commerce
EU-U.S. & SWISS-US PRIVACY SHIELD
Jive has achieved EU-U.S. & SWISS-US PRIVACY SHIELD certification with the US Department of Commerce.
Certifications by Third-Party Data Compliance Services Provider
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information Jive’s assessment is based on a third party audit of controls found in the Federal Financial Institutions Examination Council (FFIEC) IT Security Handbook To ensure GLBA compliance, Jive engages a 3rd party audit firm to assess controls and issue a report. These reviews occur biennially.
Jive provides information technology solutions for entities that are considered Covered Entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). To ensure HIPAA compliance, Jive engages a 3rd party audit firm to assess controls and issue a report. These reviews occur biennially.
On 25 May 2018, the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The new regulation imposes broad new data privacy protections for EU individuals and applies to any company that collects or handles EU personal data. Jive is committed to helping our customers comply with the GDPR through privacy and security protections in our products and services. We have taken steps to implement GDPR-compliant functionality in our Jive Interactive Intranet product. The new features are supported in Jive cloud, hosted, and on-premise software deployments. More information can be found in Jive’s GDPR whitepaper, which can be found at https://community.jivesoftware.com/community/customers/gdpr-updates.