A Message from Our CISO
Ping Identity is a security company. As a security company, we know that the expectations are great and the stakes are high. Job one for security at Ping Identity is creating products and services that are secure, resilient and assured. Second is ensuring that Ping Identity’s business operations are secure and communicated. This starts by investing in the right people, processes and technologies, but it also requires a culture of security that permeates the entire organization. Every employee of Ping Identity understands the importance of our mission, and their role in fulfilling it.
To provide customers with assurance of our program, we’ve modeled our Information Security Management System (ISMS) on industry best practices and frameworks such as ISO 27001 and NIST 800-53. We provide assurance of the effectiveness of our security practices through ISO 27001 certification, SOC 2 and other independent third-party testing of both our products and control framework.
Thank you for taking the time to investigate our security program. Please reach out if you have any questions about the security of Ping Identity’s solutions or corporate practices. If you’d like to dig into the details, see our Security and Operational Practices.
CISO, Ping Identity
Ping Identity has created a responsible disclosure program as one avenue for identifying and remediating vulnerabilities in our products. If you are a security researcher who has discovered a security vulnerability in any of our solutions, we appreciate your disclosing it to us privately and giving us an opportunity to address it before you publish technical details. We will validate, respond to and address reported vulnerabilities in support of our commitment to security and privacy.
Share the details of any suspected vulnerability with Ping Identity’s Information Security Team by filing a support case. Please do not disclose these details publicly outside of this process without explicit permission. When reporting a suspected vulnerability, please include the following:
Product name and version: the affected product and the exact version you tested
Vulnerable URL: the URL or endpoint where the vulnerability occurs
Vulnerable Parameter: if applicable, the request parameter, header or field where the vulnerability occurs
Vulnerability Type: the class of issue (for example, injection, cross-site scripting or an authentication bypass)
Steps to Reproduce: step-by-step instructions, including any payloads or requests, that let us reproduce the issue
Screenshots or video: a demonstration of the attack
Attack scenario: an example attack scenario helps demonstrate the risk and gets your issue resolved faster
If you report a vulnerability that we verify, in compliance with this responsible disclosure program, Ping Identity commits to:
Establish a remediation timeline with a definite end date.
Disclose the vulnerability through our support page to best protect our customers (when doing so is in our customers’ best interest).
Certifications & Affiliations
ISO/IEC 27001:2013 Certification
Ping’s corporate office in Denver and our key products are ISO/IEC 27001:2013 certified. ISO/IEC 27001 is the international standard that specifies requirements for an information security management system (ISMS). Certification against it demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was audited by Coalfire ISO, Inc., a certification body for management systems accredited by the ANSI-ASQ National Accreditation Board (ANAB).
Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard requires an organization to establish, operate and continually improve an ISMS and to treat identified risks with controls such as those listed in its Annex A. Those reference controls apply across the organization rather than to any single layer of the IT stack, covering areas such as asset management, access control, human resource security, business continuity and the security of system acquisition, development and maintenance.
The in-scope products for the ISO certification include PingOne, PingID, PingFederate, PingDirectory, PingAccess, PingDataSync and PingDataGovernance.
Service Organization Controls (SOC)
SOC reports help customers build trust and confidence in Ping Identity’s control procedures through independent verification and validation of Ping’s control activities and processes by a Certified Public Accountant. The American Institute of Certified Public Accountants (AICPA) created the Service Organization Control (SOC) reporting framework to replace SAS 70, initially under SSAE 16.
A SOC 2 report evaluates an organization’s controls against the Trust Services Principles (now called the Trust Services Criteria) for security, availability, confidentiality, processing integrity and privacy, validating, for example, that the system is protected against unauthorized physical and logical access. As with SAS 70 reports, an organization can receive either a Type I or a Type II report: a Type I report covers only whether the controls are suitably designed at a point in time, whereas a Type II report also tests whether those controls operated effectively over a review period (commonly six to twelve months). Our SOC 2 report covers the Security and Availability principles. The report is available to customers and prospective customers upon request and execution of a Non-Disclosure Agreement (NDA); please contact your Account Manager if you would like a copy.
Information Systems Security Association (ISSA)
The Information Systems Security Association (ISSA) is an international not-for-profit organization of information security professionals and practitioners. It provides education forums, publications and peer-interaction opportunities that enhance the knowledge, skills and professional growth of its members.
ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Denver chapter has been recognized as the largest chapter in the world with over 500 members to date. The Denver chapter president is Ping Identity’s own Chief Information Security Officer, Robb Reck, and numerous Ping employees are active members. Visit www.denver.issa.org to learn more.
CSA Security, Trust and Assurance Registry (STAR)
The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry maintained by the Cloud Security Alliance (CSA) that documents the security controls provided by various cloud computing offerings, helping users assess the security of cloud providers they currently use or are considering contracting with.
CSA STAR is open to all cloud providers and allows them to submit self-assessment reports that document compliance with CSA-published best practices. The searchable registry allows potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement decisions. CSA STAR represents a major step forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
Please visit Ping Identity’s member site for access to our Consensus Assessments Initiative (CAI) questionnaire.
InfraGard
InfraGard is a partnership between the FBI and members of the private sector for protecting critical infrastructure. InfraGard members have access to an FBI secure communications network featuring an encrypted website, web mail, listservs and message boards. The website plays an integral part in the FBI’s information-sharing efforts to disseminate threat alerts and advisories, as well as to distribute intelligence products from the bureau and other agencies.
There are 85 InfraGard chapters with a total of more than 35,000 members who work with the FBI through field offices to ward off attacks against critical infrastructure that can come in the form of computer intrusions, physical security breaches or other methods. These members represent state, local and tribal law enforcement, academia, other government agencies, communities and private industry. Ping Identity employees are affiliated with the InfraGard Denver Members Alliance (IDMA).
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted. All of the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. OWASP advocates approaching application security as a people, process and technology problem, because the most effective approaches to application security include improvements in all three areas. Visit www.owasp.org to learn more.