Introduction

ManageEngine makes IT management solutions that enable IT admins to address their IT challenges proactively. We improve our customers' security posture and prioritize their data security and privacy. In this article, we document our security processes at the organizational and product levels. Click here to view our detailed security policy.

Strict adherence to security hygiene

Our security, Network Operations Center (NOC), and privacy teams are dedicated to developing and implementing a rigorous security framework, which includes training and educating our employees periodically; training, building, and maintaining our defence systems; streamlining security review processes across internal teams and departments; and monitoring our corporate networks for any suspicious activities.

Incident response and management process

At ManageEngine, we have a dedicated incident management team to monitor, track, and respond to incidents in real time. Our team detects and responds to incidents with an appropriate corrective strategy. If an incident occurs, we provide our customers with an extensive report that clearly identifies the incident, its root cause, and the steps taken to mitigate and contain any ramifications of the incident. Moreover, the report includes our strategies to prevent any recurrence of the incident. To report any security or privacy incidents, write to us at incidents@zohocorp.com.

Breach notification

Breach notification is applicable only to customers who have uploaded logs and data files for debugging. As a data controller, we will notify all concerned data protection bodies of a data breach within 72 hours of our learning of it, as required by the General Data Protection Regulation (GDPR). We will also duly notify our customers as and when required, depending on specific requirements. As a data processor, we will notify the concerned data controllers of the incident as soon as possible. For incidents pertaining to a specific user or organization, we will notify the concerned party through their business email. For general incidents, we will notify our users through emails, blogs, forums, and social media about the incident and, if required, any planned remedial action.

Vulnerability management: Security fix, builds, and patching process

To ensure tight security, the ManageEngine Security Response Center (MESRC) uses a combination of in-house and third-party tools to identify security vulnerabilities or bugs (listed in the CVE database or reported on social media) across our products, corporate networks, endpoints, databases, and other assets. Identified and reported vulnerabilities that require timely remediation are logged and prioritized according to their severity. Furthermore, we run extensive risk assessments and vulnerability proofing tests, and we mitigate all vulnerable systems by providing appropriate fixes and patch builds in our security releases.

Responsible disclosure

We practice proactive and collaborative IT security

Besides maintaining a robust security routine, we encourage our customers, partners, and security enthusiasts to highlight their security concerns to us. This helps us stay on top of security threats. In addition, we work with industry specialists and researchers to keep ourselves abreast of recent security developments to build foolproof IT security products.

Our vulnerability reporting program, Bug Bounty, is committed to working with the security community to identify, verify, and implement appropriate controls and patches for reported vulnerabilities. If you have discovered a potential security issue with our line of products, please report it at https://bugbounty.zoho.com/ or write to us at security@zohocorp.com.

After a vulnerability is reported, the MESRC, along with product experts, investigates the validity, risks, and severity of the reported vulnerability and delivers remediation to our users in the form of bug fixes, upgrade packs, and security patches.

ServiceDesk Plus: Overview

ServiceDesk Plus is a help desk management platform that includes core help desk and IT management applications, project management, contract management, asset management, a CMDB, and features for ITIL (Information Technology Infrastructure Library) compliance. ServiceDesk Plus is currently used by various organizations; some of them have installed and configured ServiceDesk Plus within their own network, while others have installed and configured it to be accessed over the internet. Any compromise of customer data security would therefore expose organizations to serious risks. ServiceDesk Plus is designed to offer maximum security at all times, including during application installation, user authentication, data transmission, storage, and regular use.

Secure by design

Our Software Development Life Cycle (SDLC) model mandates that our ServiceDesk Plus engineering team strictly adhere to our secure coding standards. In addition, we adhere to security standards across the SDLC process.

Security standard during the analysis and design phase

Security standard during the development phase

Security standard during the QA/release phase

Security review process

We have a security team that ensures the released build/product is free from security vulnerabilities. The team follows the process below during the security review.

Security issues handled in ServiceDesk Plus

Security issues raised directly by a customer, by the internal security team, or by the ServiceDesk Plus QA team are all handled with the same priority scheme, depending on the impact of the reported issue.

Customers or external users can report vulnerabilities or security issues to us by email at mesecurity@zohocorp.com. Each report is created as a ticket in http://bugbounty.zoho.com. A timeline is set for the ticket based on its severity. In general, the timelines are 10 days for high priority, 20 days for medium priority, and 30 days for low priority.

Any new security issue raised in Bug Bounty is created as a ticket in our internal issue manager (IM) tool. Based on the severity of the issue, the development team works on a fix. The ServiceDesk Plus QA team also prioritizes security fixes and provides test cases for high-priority issues. After the fix is ready, it is validated by our own QA and also by the ManageEngine security team. After the fix is released, the ServiceDesk Plus security team notifies the ManageEngine security team, which informs the customer of the release and closes the case. In cases where the implementation may be delayed, the team is notified and an extension is sought.

Other security standards

Besides the security measures described above, we are continuously striving to make the application more secure. The following section provides comprehensive details about the security specifications of ManageEngine ServiceDesk Plus.

Customer data protection in ServiceDesk Plus

ServiceDesk Plus is an installable product, so all data resides in the customer's environment. Therefore, a data breach is not possible in the ServiceDesk Plus On-Premises version. Only the customer's support tickets and log files are stored in the customer support portal.

ServiceDesk Plus: Security specifications

Refer to the link below to learn more about the product's security specifications.

https://www.manageengine.com/products/service-desk/servicedesk-plus-security-specifications.html

Build and patching process