Security and Compliance

We conform to the most stringent compliance frameworks.

Certifications

Service Organization Control 2 (SOC2)

SOC2 (Service Organization Control 2) compliance is an internationally recognized security standard that helps organizations, including cloud service providers, protect customer data and demonstrate compliance with applicable regulations. The standard was developed by the American Institute of Certified Public Accountants (AICPA) and is based on the AICPA's Trust Services Criteria. SOC2 compliance requires organizations to meet specific security and privacy requirements related to data storage, processing, and transmission. Compliance involves the implementation of appropriate technical, physical, and administrative controls that are monitored on an ongoing basis.

International Organization for Standardization (ISO)
ISO/IEC

ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission) is an international standard that outlines the requirements for an information security management system (ISMS). It provides a framework of security controls to help organizations manage their information security risks. It is designed to help protect organizations from security threats, such as data breaches, malicious software, and cyber-attacks. ISO/IEC 27001 is a widely recognized standard for information security management and is accepted by many organizations around the world.

NIS 2

The NIS 2 Directive, an EU-wide legislation aimed at bolstering network and information system security across member states, establishes a framework for achieving higher levels of security. For organizations striving to comply with these regulations, understanding how cybersecurity controls map to NIS 2 is essential. Ivanti is committed to supporting its customers in their cybersecurity endeavors. For a brief list of ISO 27001 control articles covered by Ivanti, please click here. The complete list can be viewed on Whistic.

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is designed to help agencies assess and authorize cloud products and services more efficiently and cost-effectively. FedRAMP was developed by the General Services Administration (GSA) in collaboration with the Department of Homeland Security (DHS), Department of Defense (DoD), National Institute of Standards and Technology (NIST), and other federal agencies.

U.S. Federal Government Agency Authorization to Operate (ATO)

Authorization to Operate (ATO) is the security approval required to launch a new IT system in the federal government. Government agencies determine whether to grant an information system authorization to operate for a period of time by evaluating if the security risk is acceptable.
Ivanti has received ATOs from the Air Force, Army, Department of Defense (DoD), Defense Health Agency (DHA), Department of Homeland Security (DHS), National Guard, Navy, Pacific Air Forces (PACAF), United States Special Operations Command (SOCOM), and U.S. Strategic Command (STRATCOM).

Common Criteria

Common Criteria Compliance is a set of standards that are used to evaluate the security of IT products and services. It provides a common framework for organizations to measure and compare the security features of different IT products and services. The standards are established by an international committee and are used by organizations to evaluate the security of IT products and services they are considering for procurement. The standards cover areas such as authentication, authorization, encryption, audit, and other security-related topics.

VPAT 2.4 Section 508: Revised Section 508 Standards

508 VPATs (Voluntary Product Accessibility Template) are documents that provide detailed information on how accessible a product or service is to people with disabilities. The documents are developed in accordance with Section 508 of the U.S. Rehabilitation Act of 1973, which requires federal agencies to ensure that their electronic and information technology is accessible to people with disabilities. VPATs are often used by government agencies when procuring software, hardware, and other technology products and services.

Cybersecurity Essentials

As of 2014, the United Kingdom has required suppliers that handle certain kinds of sensitive and personal information for the central UK government to obtain Cybersecurity Essentials certification. This certification assures customers that Ivanti has an understanding of our cyber security level and that we work to secure our IT against cyber attack. You can search for our up-to-date certification by visiting the IASME site and searching for "Ivanti".

IRAP

The Australian Information Security Registered Assessors Program (IRAP) assessment reviews ICT systems against the Australian Government’s strict cyber security standards.

The assessment process uses the security guidance detailed in the Australian Attorney-General’s Department’s (AGD) Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM), produced by the Australian Cyber Security Centre (ACSC), and the Digital Transformation Agency’s (DTA) Secure Cloud Strategy and other cyber security guidance. The assessment covers the modular components of Ivanti Neurons for ITSM and complementary SaaS services.

The assessment and corresponding report provide an overview of the effectiveness of the implementation of security controls, necessary for authorizing systems to hold, process and communicate Australian government information classified up to and including PROTECTED.

Ivanti and acquired company security profiles

Ivanti Public Security Profile

Request Ivanti’s public security and compliance certifications and resources on Whistic.

Request Ivanti’s other security and compliance certifications and resources (requires click-through NDA) on Whistic.

MobileIron Private Security Profile

Request security and compliance certifications and resources on Whistic.

Cherwell Private Security Profile

Request security and compliance certifications and resources on Whistic.

Privacy Compliance

General Data Protection Regulation (GDPR)

Ivanti’s GDPR Compliance Statement is available here. If you have more questions about how Ivanti meets GDPR requirements, please reach out to [email protected].

Information Commissioner's Office

View Ivanti’s ICO registration here.

Privacy & Legal documentation

Standardised Information Gathering (SIG)

Using a comprehensive set of questions (content library), the SIG gathers information to determine how security risks are managed across 18 risk control areas, or “domains”, within a service provider’s environment. The library houses comprehensive risk and cybersecurity frameworks as well as industry-specific controls.

SigLite Compliance is a certification standard developed by the American National Standards Institute (ANSI). It is designed to ensure that biometric devices, such as fingerprint scanners, meet certain minimum requirements for accuracy and security when used in authentication applications. The certification covers areas such as fingerprint image quality, image capture accuracy, and system security.

Ivanti’s SIG Lite is scoped to the corporate level with designations for on-premise or hosted products and is available here.

Security Whitepapers

Ivanti Service Manager Security Whitepaper
Ivanti Neurons Security Whitepaper
Ivanti Content Research, Testing, and Validation of Authenticity Whitepaper
FedRAMP Security Posture
Improving Security Posture Public Sector Whitepaper

Penetration Testing

A pen test, also known as a penetration test, is a simulated cyber attack against a computer system, network or web application to check for exploitable vulnerabilities. It involves gathering information about the target, attempting to break in, and reporting back the results. The process typically includes gathering information about the system and its security, researching known vulnerabilities, exploiting any known vulnerabilities, and reporting the results.

Click on the product below to view its penetration test letter:

2020 Pentest Schedule Customer Letter
Service Manager Customer Letter
Application Controls Customer Letter
License Optimizer Customer Letter
Xtraction Customer Letter
Asset Manager Customer Letter
Patch for SCCM Customer Letter
Security Controls Customer Letter
Endpoint Manager Customer Letter
File Director Customer Letter
Service Desk Customer Letter
Device Application Control Customer Letter
Workspace Control Customer Letter
Ivanti Neurons Customer Letter
ConnectPro Customer Letter
Performance and Environment Manager Customer Letter
Endpoint Security Customer Letter
Identity Director Customer Letter
Avalanche Customer Letter

Resources by Product

Security and compliance certifications and resources for each of the following products can be requested on Whistic:

Service Manager
Ivanti Neurons
Asset Manager
Endpoint Manager
License Optimizer
Service Desk
Security Controls
Patch for SCCM
Application Control
File Director
Xtraction
Device Application Control
Workspace Control
Performance Manager and Environment Manager
Identity Director
Endpoint Security
Avalanche