Executive Summary
About Iron Mountain security
Iron Mountain takes a defense-in-depth approach to security that covers content ingestion, storage, and processing of digital documents, as well as hosting in a secure data center. Iron Mountain uses the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) as its enterprise security framework. We provide secure deployment of services, data storage with end-user privacy safeguards, secured communications between services, and administration support with separation of duties.
Training
Iron Mountain works with highly regulated industries that require workforce security and privacy training. Employees complete the security courses and training developed throughout the year as mandated by our enterprise-wide training program. The training includes annual security awareness, data privacy, secure coding, code of ethics, and business conduct. We work with customers so that personnel are properly vetted with background checks. Employment is contingent upon a background investigation, applied according to local and client requirements.
Iron Mountain InSight products
I. Compliance programs
Iron Mountain InSight has established a broad security compliance program aligned with industry and regulatory customer requirements. The program covers both security compliance and data privacy.
Compliance attestations
- ISO 27001 - InSight has been continuously certified since 2020. ISO 27001 is an international standard that helps organizations manage the security of their information assets. It provides a management framework for implementing an information security management system (ISMS) to ensure the confidentiality, integrity, and availability of all data.
- SOC 2 Type 2 - Iron Mountain has maintained a SOC 2 Type 2 attestation for InSight since 2020. A SOC 2 Type 2 report is a Service Organization Control (SOC) audit of how a cloud-based service provider handles sensitive information.
Industry compliance
- InSight is 21 CFR Part 11 capable.
- StateRAMP - Ready status received in January 2024.
- FedRAMP (NIST 800-53/37) - Third-party testing has been performed against the NIST 800-53 Revision 4 controls, as well as the additional FedRAMP requirements. InSight has received FedRAMP Authorizations to Operate (ATO) as well as FedRAMP Ready status.
Data privacy
- General Data Protection Regulation (GDPR) - InSight has undergone a GDPR assessment; a copy of the report is available upon request.
- Health Insurance Portability and Accountability Act (HIPAA) - InSight is HIPAA-compliant and has implemented privacy and security measures to protect personally identifiable information (PII).
II. Operational security overview
Identity and access management
- We implement and enforce role-based access control for privileged users, whose use and allocation are restricted. Multi-factor authentication (MFA) is mandatory so that access is limited to authenticated users. Least privilege is enforced for authorized users and processes.
Monitoring
- Security scanning - The InSight environment includes a monitoring system that scans container images and systems and detects vulnerabilities.
- Application security testing - InSight conducts static application security testing (SAST), dynamic application security testing (DAST), and manual penetration testing.
- System monitoring and audit logs - InSight includes a security information and event management (SIEM) system for log management, real-time monitoring of security events, correlation and alerting on security events, and audit logs.
- Incident response - Our cyber incident and response team (CIRT) is responsible for classifying audit events that are of particular interest for the Iron Mountain InSight information system, and for conducting reviews and analysis of audit records.
- Incident management - Our cyber incident and response team (CIRT) maintains a cyber response plan covering the identify, protect, detect, respond, and recover functions in real time, including comprehensive logging and monitoring of our products and infrastructure. We also maintain employee awareness and training programs, including internal information security policies and procedures.
Business continuity
- InSight’s Recovery Time Objective (RTO) for Tier 1 business applications is between 10 and 24 hours, and the Recovery Point Objective (RPO) was assessed to be 1 hour in our last business continuity plan (BCP) test, conducted in Q4 2023. RTO/RPO can be modified based upon customer needs.
Disaster recovery
- InSight’s disaster recovery test is designed to verify that objects, databases, and indices, which are the sources of persistent data for the InSight application, can be recovered from accidental deletion or modification within the RTO/RPO documented in our business continuity plan (BCP).
Capacity planning
- Our capacity planning monitors workload performance and provisions capacity to meet current and future demand. This includes performance measurement and monitoring so that capacity limits are not reached.
Patching and vulnerability management
- Patching and vulnerability management, anti-malware, endpoint disk encryption, and intrusion prevention are managed through our Information Technology asset and endpoint management solutions.
Encryption
- All data is encrypted in flight and at rest in accordance with the Federal Information Processing Standards (FIPS 140-2), using industry standards such as Advanced Encryption Standard (AES) 256 and service-managed keys.
III. Data privacy
Data residency
- Data residency describes where a customer’s data is stored at rest. To help comply with data residency requirements, InSight can control where data is stored and can customize and restrict data storage to specific regions.
Data protection
- InSight applies appropriate technical, organizational, and administrative measures, including encryption and multi-factor authentication (MFA), so that customer data remains secure at all times. InSight can deploy a web application firewall (WAF) at a customer’s request.
Data protection impact assessments (DPIAs)
- Iron Mountain handles private and personally identifiable information on behalf of others. As a data controller or data processor, Iron Mountain can handle or process customer information without being made aware of the actual content or origin of the data.
- When we act as a data controller or data processor from the European Economic Area (EEA) and Switzerland (or access data from the United States in the EEA or Switzerland), data will be processed pursuant to the applicable Privacy Shield Principles.
- We conduct data protection impact assessments (DPIAs) at regular intervals, as mandated, in connection with the processing of personal data.
NOTE: Please view Iron Mountain’s privacy policy statement for information about the types of personal data and the purposes for which such data is transferred and processed, as well as the third parties with whom such data may be shared.
Elevate the power of your work
For more than 70 years, Iron Mountain has been your strategic partner to care for your information and assets. A global leader in storage and information management services and trusted by more than 225,000 organizations around the world, including over 90% of the Fortune 1000, we protect, unlock, and extend the value of your work, whatever it is, wherever it is, however it’s stored.