Our security operations foundations
RingCentral’s Information Technology Security management program includes measures to protect RingCentral, RingCentral customers, and their data from the risk of loss or misuse. This helps ensure the continued operation of our services in support of our business and our clients’ operations.
INFORMATION SECURITY MANAGEMENT PROGRAM
Security, policy, and risk management
Our written Information Security program includes documented policies that align with established industry standards and are reviewed and updated to reflect industry changes and our ongoing cybersecurity risk posture.
UCaaS and CCaaS secure operations
We manage our services for our unified communications as a service (UCaaS) and contact centre as a service (CCaaS) to the same standards as our internal environments and applications to ensure the confidentiality, integrity, and availability of our services and your data.
Our comprehensive operational discipline
Our Information Security Management program, including our policies, procedures, and standards, is clearly documented, reviewed annually, communicated to employees, and part of all of our Operations.
We engage qualified, independent, third-party auditors to perform security audits. We audit to many different standards and frameworks, including ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II with FINRA and HIPAA controls, BSI C5:2020, PCI, and HITRUST.
Our policies and procedures are designed to ensure that we hire the right people for the job. We perform background checks (as allowed by law), validate skills and qualifications, and require and provide ongoing security, privacy, and business conduct training as well as role-specific training for all personnel. Non-compliance with our policies may result in disciplinary action.
We ensure that our subcontractors are subject to the same policies and procedures as our employees.
Devices, including laptops and mobile devices, must meet RingCentral’s standards before getting access to our networks through our Zero Trust architecture. This means that devices must be current, patched, and up to date with full disk encryption, no administrator access, and endpoint detection and response (EDR) and data loss prevention (DLP) controls in place.
Access to RingCentral facilities is restricted and controlled. Visitors must be approved and escorted when on campus (they are not allowed into our data centres or our Cloud Service Providers’ data centres).
Our data centres and our CSPs' data centres are maintained to a continuous delivery architecture, including redundant utility feeds and network connections from multiple providers.
Not everyone has or needs physical access to systems. This is why we have a documented lifecycle management process to support the full “Transition and Termination” (TnT) process for our employees to ensure that users are properly added to and removed from groups/roles in a timely manner.
Users have unique accounts for traceability and do not use shared accounts. Passwords are aligned with National Institute of Standards and Technology (NIST) guidance. 2FA is required for access to protected environments including our Corporate Zero-Trust Architecture.
Our network security program includes both external network security, including firewall (FW), web application firewall (WAF), intrusion detection systems (IDS), distributed denial-of-service (DDoS) protection, and internal network protection through segmentation and isolation. Network vulnerability scans are run regularly to ensure the continued best practice configuration of public-network facing systems.
We maintain a current and accurate list of systems and components across all of our network segments, so we know what is where. We configure our systems and applications to standards such as Centre for Information Security (CIS) benchmarks and vendor recommendations, including a robust patch management discipline that ensures that all patches are tested prior to deployment. Network vulnerability scans are run regularly to ensure the continued best practice configuration of systems.
Our operations teams require two-factor authentication VPN access to our production environment, and all access is logged and monitored. The operations team access is managed in a separate directory from our corporate directory, providing an additional layer of separation across RingCentral employees.
Our secure development discipline covers design, development, testing, and promotion to production (or general availability). Products are subject to security testing through tooling and hands-on reviews and tests, and are further subject to at least annual external penetration tests.
Our build and CI/CD pipelines are secured, and access is controlled to restrict access to authorised individuals only.
All RingCentral data is either Public or Confidential, and all data that we handle on behalf of our customers is considered Confidential. This means that all customer data is subject to strong protection including encryption in transit and at rest as well as access controls to systems and applications hosting data.
Data is deleted according to regulatory requirements and when no longer required, and electronic media is subject to destruction on end of life.
RingCentral’s Incident Response and Cybersecurity Incident Response disciplines are designed to effectively identify and respond to events potentially impacting system and data availability, confidentiality, and integrity.
RingCentral’s Service Abuse and Fraud Management team works 24/7 to monitor for suspicious activities indicating service abuse or fraud, including account takeover, phone verification fraud, and more. Individuals or accounts determined to be breaching our Acceptable Use Policies and Terms of Service, including engaging in service abuse or fraud, are identified and remediated.
RingCentral’s business continuity discipline is part of a robust programme to provide overall 99.999% availability. Our Business Continuity Plan is designed to ensure the continued provision of services, including in cases of severe impact (such as a global pandemic that causes us to move our entire workforce to a work-from-home scenario).
Our disaster recovery plan covers our infrastructure, technology, systems, and services and is regularly tested (check your email for any of our destructive testing notifications—that is a key part of our testing).
Just as our customers subject us to rigorous reviews including risk assessments, we perform supplier and vendor management activities. Our strategic IT vendors provide us with external audit reports (such as SOC 2 Type II) or are subject to privacy and security reviews.