Building Trust Through Transparency: New Compliance Initiatives Section

January 5th, 2016 / company news, security and compliance

Building and maintaining customer trust is a key objective for any cloud service provider, or any business for that matter. It’s especially important for a business that holds customer data to craft a compelling message about their security, and in this day and age, privacy as well. Similar to most SaaS providers, we deliver that message via our personnel (like our sales team), via documentation (like audit reports and whitepapers), or via certification images on our website (like the ISO 27001 certification logo).

We wanted to take this a step further and provide more transparency to our customers on what we do around security and privacy. To that end, we developed the OneLogin Compliance Initiatives section of our website. This section not only details what we do as part of our security and privacy programs, but also explains why we do it, how often, where to get more information, and in short, as a OneLogin customer, why you should care about compliance initiative XYZ. In a sense, we hope the information is specific to what OneLogin is doing, but it also provides agnostic information that you can leverage to have meaningful conversations with your other service providers about security and privacy matters that are important to you.

This is by no means a static set of pages sitting on our website; that would reflect a stagnant security and privacy program, which is not what we strive for. We have been very aggressive about furthering our security and privacy efforts for the last two years, and building out this section follows on from our other initiatives for 2015. These efforts included:

- Alignment of security controls with the NIST Cybersecurity Framework
- Test driving a private bug bounty program for future roll out
- Additional app vulnerability scanning as part of our post-deploy process
- Participating in the G-Cloud program
- One of the first Identity and Access Management providers to align our privacy controls with ISO 27018:2014
- Offering EU Model Contract Clauses in lieu of the current state of Safe Harbor
- First Identity and Access Management provider to sign the Student Privacy Pledge

We are definitely not the first to do this, but we are proud to be one of the few in this space to have done so. We are also looking forward to relaunching our new uptime page that will help bring more transparency to how we report on availability. Stay tuned for that launch and for updates to the OneLogin Compliance Initiatives section throughout 2016.

About the Author

Alvaro Hoyos is OneLogin’s Chief Information Security Officer and is tasked with architecting and leading the company’s risk management, security, and compliance efforts. Alvaro also works with prospects, customers, and vendors to help them understand OneLogin’s Security, Confidentiality, Availability, and Privacy posture and how it works alongside, or in support of, customers’ own risk management strategies. He has worked over 15 years in the IT sector and, prior to joining OneLogin, spent 8 years working with startups, SMBs, and Fortune 500 companies on their security, compliance, and data privacy efforts.