Splunk’s Information Security Program. Splunk’s information security program (“ISP”), the elements of which are described below, is designed to help: (i) protect the confidentiality, integrity, and availability of Customer data against any anticipated threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; accidental loss or destruction or damage; and (ii) safeguard information as set forth in any local, state or federal regulations applicable to any service provided by Splunk. Splunk’s ISP contains administrative, technical, and physical safeguards that are appropriate to: (i) the size, scope and type of Splunk’s business; (ii) the amount of resources available to Splunk; (iii) the type of information that Splunk stores; and (iv) the need for security and confidentiality of such information.
Security Awareness Training. Security awareness training includes mandatory security training about the handling and securing of confidential information and sensitive information such as personally identifiable information, financial account information, and health information consistent with applicable law, and periodic security awareness communications and security courses that focus on end-user awareness.
Security Policies and Procedures. Information Security, Use and Management Policies are designed to (i) educate employees and contractors regarding appropriate use, access to and storage of confidential and sensitive information; (ii) restrict access to confidential and sensitive information to members of Splunk’s workforce who have a “need to know” such information; (iii) prevent terminated employees from accessing Splunk information post-termination; and (iv) impose disciplinary measures for failure to abide by such policies. Splunk performs background checks of its employees at time of hire, as permitted by law.
Physical and Environmental Access Controls. Splunk limits physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to its data centers is limited to authorized individuals. Splunk also has camera or video surveillance systems at critical internal and external entry points. Splunk applies air temperature and humidity controls for its data centers and protects against loss due to power failure.
Vulnerability Management. Splunk regularly performs vulnerability scans and addresses detected vulnerabilities on a risk basis. Periodically, Splunk engages third parties to perform network vulnerability assessments and penetration testing.
Cyber Incident Response Plan. Splunk has an incident response plan to manage and minimize the effects of unplanned cyber events that includes procedures to be followed in the event of an actual or potential security breach, including: an internal incident response team with a response leader; an investigation team performing a root cause analysis and identifying affected parties; internal reporting and notification processes; documentation of responsive actions and remediation plans; and a post-incident review of events.
Risk Identification & Assessment. Splunk uses a risk assessment program to help it identify foreseeable internal and external risks to Splunk’s information resources and determine if its existing controls, policies, and procedures are adequate to address the identified risks.
Vendors. Third-party vendors (collectively, “Vendors”) with access to Splunk confidential information are subject to risk assessments to gauge the sensitivity of Splunk information being shared. Vendors are expected to comply with any pertinent contract terms relating to the security of Splunk data, as well as any applicable Splunk policies or procedures. Periodically, Splunk may ask the Vendor to re-evaluate its security posture to aid compliance.