2. OutSystems security certifications, governance and compliance
OutSystems aims to protect all forms of information with improved resilience, thereby creating lasting relationships that guarantee customer success. To that end, OutSystems has implemented an Integrated Management System for Quality, Information Security, and Business Continuity, in the scope of OutSystems Support services, in its offices located in the U.S., Portugal, Japan, and Malaysia.
As part of our commitment to security best practices in cloud computing, OutSystems is a member of the CSA. In addition, we have completed the CSA STAR Self-Assessment and published the results to their website.
- Overview of relevant security certifications
- Compliance with industry standards and regulations
- Security audit and assessment processes
- Threat intelligence and incident response
Overview of relevant security certifications
OutSystems holds a long list of certifications that can be consulted at all times in the dedicated OutSystems Trust Center, including these standouts:
Compliance with industry standards and regulations
OutSystems maintains compliance with the following industry standards and regulations.
Security audit and assessment processes
OutSystems undergoes regular audits to meet and maintain existing and new certifications according to each process's requirements.
Threat intelligence and incident response
OutSystems has a dedicated Computer Security Incident Response Team (CSIRT), which provides security monitoring services to protect OutSystems from cyberattacks and the loss of its intellectual assets.
The primary mission of the OutSystems CSIRT is to help ensure company, system, and data preservation through comprehensive investigations into computer security incidents and to contribute to the prevention of such incidents. Therefore, it engages in proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.
If a potential attack is reported, the combined OutSystems security teams and mechanisms take the following steps:
- Triage the reported behavior to eliminate false positives.
- Classify and report the severity of any reported incident.
- Contain the attack to prevent further damage using predefined playbooks that address the type of attack identified in the triage stage. This could involve quarantining compromised containers and blocking network traffic used by the attacker.
- Eradicate the threat and remove any introduced content, such as attempts to install backdoors in affected containers.
- Recover the attacked services, which may involve redeploying them with a new version that is hardened against similar attacks.
By implementing these measures, our goal is to swiftly detect and resolve security incidents, minimizing their impact on our customers' applications and data. Furthermore, the gathered information is used in dedicated feedback loops for in-depth post-mortem analysis and root cause identification, ensuring valuable insights are applied for future incident management.