Umbraco Warm and Fuzzies for: Security, Availability, Integrity, Confidentiality, Privacy

A client is interested in a "CMS that is SOC 2 compliant". Here's some info on SOC 2 compliance:
Source: https://www.imperva.com/learn/data-security/soc-2-compliance/
More useful information: https://www.blissfully.com/guides/soc-2-compliance/

While I doubt Umbraco the software, Umbraco HQ the organization, or Umbraco Cloud the platform are actually SOC 2 compliant at this point, I think what the client is really after is something that gives them the warm and fuzzies, like this page: https://www.progress.com/sitefinity-cms/platform/security
In essence, they want to see something that assures them that their data and their customers' data is being managed well.
I'm wondering if you all have information on this. Some examples of things that would be useful:
- Umbraco Software: A link to a page that shows that the Umbraco software manages data well.
- Umbraco HQ: A link to a page that shows that Umbraco HQ has practices to ensure that the software they build manages data well.
- Umbraco Cloud: A link to a page that shows that Umbraco Cloud manages data well.
Here's one example that shows that Umbraco Cloud takes security seriously: https://umbraco.com/products/umbraco-cloud/security/
That itself does not seem sufficient. I'm looking for more examples that show Umbraco manages data well (more for the software itself, and the company).

Does the GDPR stuff make any difference here? https://umbraco.com/about-us/privacy/gdpr/

Hi Bob,
That does help, thanks. If anybody has additional info, that would also help.

There's a more general security overview here that details what Umbraco do from a security point of view. https://umbraco.com/products/umbraco-cms/security/
Highlights:
- Umbraco core: regular pen tests, code practices and reviews, reference to OWASP, HTTPS, error handling
- Back office security: password rules, encryption, support for OAuth
- Previous alerts and patch notes
It's probably worth mentioning that Umbraco is only part of the picture in this, being that you'll be developing against Umbraco with your own custom implementation, it's highly likely there are steps that you'll need to adhere to as well.

Hi Thomas,
That looks pretty useful. Thank you. Here's a summary of the resources I have so far:
There's also this: https://our.umbraco.com/Documentation/Reference/Security/
And a bit of information about security on Cloud on this page: https://our.umbraco.com/documentation/Umbraco-Cloud/Frequently-Asked-Questions/

Came across this guide recently as well, which details how to prep for being SOC 2 compliant.
https://www.strongdm.com/best-guide-soc-2-type-1-audit/