Identity and Access Management
Data Access: Access to client data is not granted to any employees by default. The ability to request temporary access is based on role and the principle of least privilege, and is typically exercised for troubleshooting purposes, since the ingestion/processing pipeline is automated. Access is removed for terminated employees within 24 hours.
Password Security: The following password requirements are enforced for employees: minimum length of 10 characters; alphanumeric characters; special characters; case sensitive. LiveRamp requires passwords to be changed at least every 90 days. LiveRamp prevents the re-use of the 6 previous passwords.
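The password rules above (10-character minimum, alphanumeric plus special characters, case-sensitive matching, 90-day rotation, and no reuse of the 6 previous passwords) map directly onto a small policy checker. The following is an added example written for this page, not LiveRamp's own code: the numeric values come from the text, while the salted PBKDF2 storage of the password history and the function names are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values taken from the page.
MIN_LENGTH = 10
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 6
# Assumption: the page does not say how password history is stored; a salted
# PBKDF2-HMAC-SHA256 digest per historical password is used here.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Hashing the raw string keeps comparisons case-sensitive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_errors(password: str) -> list[str]:
    """Every complexity rule the candidate violates; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        errors.append("no special character")
    return errors


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords.

    Only the most recent HISTORY_DEPTH entries are consulted, so an older
    password than that is allowed again, exactly as the policy states.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def rotation_due(last_changed: str, today: str) -> bool:
    """True once the current password is older than MAX_AGE_DAYS (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def validate_change(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """All reasons a proposed password change would be rejected under the policy."""
    errors = complexity_errors(candidate)
    if is_reused(candidate, history):
        errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return errors


if __name__ == "__main__":
    # Constructed sample history: seven prior passwords, oldest first.
    past = [hash_password(f"OldPassw0rd!{i}") for i in range(1, 8)]
    print(validate_change("OldPassw0rd!7", past))   # rejected: reuse of a recent password
    print(validate_change("OldPassw0rd!1", past))   # accepted: older than the 6-deep history
    print(rotation_due("2024-01-01", "2024-04-01"))  # True: 91 days old
```

The history check re-hashes the candidate with each stored salt rather than comparing plaintext, so the reuse rule can be enforced without keeping any old password in the clear.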
Access Reviews: LiveRamp performs quarterly access reviews.
Role-Based Access Control: LiveRamp manages access centrally through an access management tool and adheres to the principle of least privilege and role-based access control. Separation of duties is implemented.
MFA: MFA is required to access all LiveRamp systems and applications. VPN with MFA is used for access to production systems.
Business Continuity
Business Continuity and Disaster Recovery: LiveRamp maintains a formal Business Continuity and Disaster Recovery program. LiveRamp leverages GCP automatic zone-to-zone failover capabilities and runs multi-zonal/regional deployments. LiveRamp uptime can be measured and tracked here. LiveRamp BCP plans are reviewed and tested at least annually.
Recovery Time Objective: LiveRamp RTO is 72 hours.
Recovery Point Objective: LiveRamp does not maintain a Recovery Point Objective for client data, as it is not backed up. Operations of essential missions and business functions have established RPOs based on criticality.
Hosting: LiveRamp uses Google Cloud Platform (GCP) as a hosting provider. LiveRamp operates from a secure VPC in the US Central1 (us-central1) region.
Backups: LiveRamp does not back up client data. LiveRamp performs critical backups only, such as database configurations, source code, etc. Critical backups are stored within different zones of GCP.
Secure Development
Code Analysis: LiveRamp conducts automated and manual code reviews. LiveRamp performs static code scans. DAST is performed during the annual third-party web application penetration tests. Peer code review is done before deploying into production.
Credential Management: LiveRamp-managed keys are stored in HashiCorp Vault, and Google-managed keys are stored in Google KMS.
Software Development Lifecycle: LiveRamp has a formal SDLC that focuses on the OWASP Top 10. All proposed changes to production must also pass a suite of automated security tests before being eligible to be merged into production. LiveRamp provides its developers with secure development training focusing on the OWASP Top 10 annually.
Endpoint Security
Disk Encryption: LiveRamp employees' laptops are secured with full-disk encryption.
Endpoint Detection and Response: An anti-virus/anti-malware solution (CrowdStrike) is installed on all employee endpoints. The anti-virus/anti-malware is updated in real time.
Data Security: LiveRamp uses the latest Endpoint Detection and Response (EDR) solution on all user endpoints. LiveRamp uses a Cloud Access Security Broker (CASB) and Secure Web Gateway to inspect all traffic from user devices and block all malicious HTTP/S traffic.
Infrastructure
Google Cloud Platform: GCP is our hosting provider, but no Google personnel have logical access to customer data. GCP manages the physical assets used to receive and process customer data. LiveRamp follows Google's standard shared responsibility model, specific to the product(s) in use. Google Cloud compliance reports and whitepapers can be viewed/downloaded directly from Google.
Anti-DDoS: GCP Cloud Armor is used to protect against DDoS attacks. The scale of Google's network also provides native protection from DDoS.
Infrastructure Security: LiveRamp utilizes a host-based Intrusion Detection System. LiveRamp conducts infrastructure penetration testing at least annually. The physical infrastructure security of the data center is taken care of by Google.
Separate Production Environment: The development, test, and staging environments are separate from the production environment. Production data is prohibited from being used in non-production environments.
Network Security
Firewall: LiveRamp has installed firewalls on the network. Administering the firewalls is restricted to authorized personnel only. LiveRamp DevOps and Security engineers perform quarterly firewall configuration reviews. LiveRamp utilizes a WAF to protect the web infrastructure.
Traffic Filtering: LiveRamp is safeguarded by a Web Application Firewall (WAF) that filters traffic on its network.
Corporate Network: LiveRamp uses WPA2 encryption for the wireless networks. LiveRamp has deployed an active wireless intrusion detection system (WIDS) and wireless intrusion prevention system (WIPS). LiveRamp ensures that 802.1X authentication is enabled for all access to the corporate network.
Security Governance
Policies: LiveRamp maintains a Security Policy and Acceptable Use Policy, along with a full set of domain-specific standards. The policies are based on industry-standard frameworks including NIST, ISO 27001, and SOC 2. All policies are reviewed at least annually (or more frequently, if required by changes in technology, frameworks, and/or organizational risk tolerance). Annual reviews include approval and sign-off from our CISO.
Governance Review Process: LiveRamp maintains a governance review process which requires initiatives (such as new products, major changes to existing products, use of AI, etc.) to be reviewed and approved by our governance teams (security, legal, data ethics, and compliance).
Logging and Monitoring
Logging: Logs from across LiveRamp's environment (corporate and production systems) are aggregated in a SIEM tool, Chronicle. Alerts are configured in the SIEM based on specific detections. Logs are retained for two years.
Monitoring: LiveRamp maintains a 24/7 Security Operations Center to review alerts from the SIEM.
Security Risk Management
Internal Assessments: LiveRamp has a security risk management team, an enterprise risk management team, and an independent internal audit team that performs internal audits and risk assessments continuously throughout the year. Results of enterprise-wide risk assessments are tracked and reported to the Board of Directors. Security risk assessments are conducted at least on an annual basis with a specific product/asset or compliance program scope. Risks are tracked to remediation.
Personnel Security
Employee Training: LiveRamp employees are required to complete security awareness training upon hire and annually thereafter. Training includes a test with an 80% minimum passing score. Training includes topics such as social engineering, phishing, smishing/vishing, physical security, remote work, password policies, and insider threat. As part of training, employees are also required to review the Security and Acceptable Use Policies and confirm their receipt of these documents. LiveRamp provides our developers with secure development training annually.
Background Checks: LiveRamp performs a background check on all new employees and contractors that includes identity verification, criminal history, OFAC (Office of Foreign Assets Control), terror watch list, employment and education verification, and a drug screening. Background checks are completed prior to the start of employment and before any access to LiveRamp systems is granted.
Employee Policies: Upon hire, employees and contractors at LiveRamp must sign confidentiality agreements, the employee handbook/code of conduct, and an acceptable use policy; acknowledge internal security and privacy policies; and pass security and privacy awareness training.
Asset Management
Asset Management Practices: LiveRamp has a documented asset management program that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review it.
Corporate Asset Management: All corporate endpoints are centrally managed and tracked in JAMF.
Production Asset Management: GCP manages the physical assets which are used to process customer data, but no Google personnel have logical access to the LiveRamp environment. GCP's native Asset Manager functionality is leveraged for tracking virtual assets.
Configuration and Change Management
Infrastructure as Code: LiveRamp leverages Terraform as an infrastructure-as-code solution for configuration management in its cloud environment. Infrastructure changes follow the same process as software changes, with peer review required for PRs.
Major Changes: Major changes require peer review and approval and must pass a suite of automated testing before being pushed to production.
Threat and Vulnerability Management
Threat Detection: Automated vulnerability scanning tools are in use within the organization. LiveRamp monitors and subscribes to external sources for new and emerging threats and vulnerabilities. New threats and vulnerabilities are reviewed and risk-assessed using the organization's risk assessment process.
Penetration Testing: LiveRamp performs penetration testing annually, which is conducted by a third party.
Vulnerability and Patch Management: LiveRamp manages patching and vulnerability management on its own schedule with no impact on the client. LiveRamp utilizes tools to provide automated vulnerability scans across critical systems and networks. System-level patches are applied at least quarterly. Production assets within GCP have auto-upgrade enabled, and receive updates as they become available from Google/Linux. LiveRamp conducts weekly application and internal vulnerability scans.
System and Information Integrity
Email Protection: LiveRamp uses Gmail, which provides native scanning and filtering capabilities. LiveRamp enhances email security with Proofpoint, utilizing its advanced features such as URL and attachment scanning and quarantining of suspicious emails. LiveRamp has implemented DMARC, DKIM, and SPF.
Anti-malware: An anti-virus/anti-malware solution is installed on all workstations and servers. The anti-virus/anti-malware is updated in real time.
Incident Response
Incident Response: LiveRamp has a documented incident response standard in place for addressing and mitigating security incidents. The LiveRamp Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents. The Incident Response Program is reviewed at least annually. Incident Response testing is conducted on an annual basis.
Incident Notification: LiveRamp standard policy is to notify clients within 72 hours of the discovery of an incident that impacts their data.
Third Party Management
Initial Vendor Evaluation: LiveRamp reviews the inherent risk for all new third parties based on the data types and systems accessed. For high-risk vendors, or medium-risk vendors with access to sensitive data, LiveRamp reviews security documentation including policies, penetration test reports, and responses to a due diligence questionnaire to derive the residual risk associated with the vendor.
Vendor Monitoring: High-risk vendors are subject to monitoring on an annual basis; security documentation is reviewed to ensure that the vendor's security posture is still appropriate for the associated inherent risk level.
Vendor Request for Response: When a zero-day vulnerability or significant industry breach is reported, LiveRamp proactively reaches out to critical vendors to understand whether LiveRamp data or operations related to the vendor have been impacted.
Cryptography
Encryption-at-rest: LiveRamp encrypts customer data at all times with AES-256 at rest.
Encryption-in-transit: LiveRamp encrypts customer data at all times with TLS 1.2+ in transit.
Physical and Environmental Security
Office Physical Security: LiveRamp has physically separated office space from other tenants. LiveRamp has access-controlled entry points. LiveRamp implements a Clear Desk/Clear Screen Policy.
Data Center Security: Google manages the physical security and infrastructure within the data center. See: GCP Physical Security.
Connect
SAML 2.0: LiveRamp does not natively support MFA for Connect; however, LiveRamp supports SSO integration with SAML 2.0, so authentication can be delegated to a client's IdP for use of MFA.
Data Retention: LiveRamp has a policy for data destruction. Data is securely deleted 30 days after upload, via GCS configuration, in line with NIST guidelines for media sanitization.
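The 30-day deletion described above is the kind of control that a Google Cloud Storage bucket lifecycle rule enforces. The following is an added example for this page, not LiveRamp's configuration: it builds the standard GCS lifecycle JSON (the shape accepted by `gsutil lifecycle set`) for a 30-day Delete rule, checks whether a given bucket policy meets that retention, and simulates which objects the rule would remove on a given day. The bucket name, object names and upload dates are constructed for the illustration; the retention value comes from the page.

```python
from __future__ import annotations

import json
from datetime import date, timedelta

# Retention period stated on the page.
RETENTION_DAYS = 30


def build_lifecycle_rule(age_days: int = RETENTION_DAYS) -> dict:
    """GCS lifecycle policy that deletes every object once it is age_days old.

    This is the JSON document format used by `gsutil lifecycle set policy.json gs://BUCKET`.
    The `age` condition is measured in days from the object's creation time.
    """
    return {"rule": [{"action": {"type": "Delete"}, "condition": {"age": age_days}}]}


def lifecycle_json(age_days: int = RETENTION_DAYS) -> str:
    """Serialised policy ready to write to a file for gsutil/Terraform."""
    return json.dumps(build_lifecycle_rule(age_days), indent=2)


def policy_is_compliant(policy: dict, max_age_days: int = RETENTION_DAYS) -> bool:
    """True if the bucket policy contains a Delete rule whose age is at or under max_age_days.

    Useful as an audit check: a bucket whose only Delete rule fires at 90 days,
    or that has no Delete rule at all, does not satisfy a 30-day retention statement.
    """
    for rule in policy.get("rule", []):
        action = rule.get("action", {}).get("type")
        age = rule.get("condition", {}).get("age")
        if action == "Delete" and age is not None and age <= max_age_days:
            return True
    return False


def expired_objects(objects: dict[str, str], today: str, age_days: int = RETENTION_DAYS) -> list[str]:
    """Names of objects (name -> ISO upload date) that have reached age_days as of `today`.

    Mirrors what the Delete rule would act on; the real service applies the
    rule asynchronously, so an object can outlive the cutoff by a short time.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=age_days)
    return sorted(
        name for name, uploaded in objects.items()
        if date.fromisoformat(uploaded) <= cutoff
    )


# Constructed sample bucket contents (hypothetical names and dates).
SAMPLE_OBJECTS = {
    "clients/a/upload-1.csv": "2024-03-01",
    "clients/a/upload-2.csv": "2024-03-02",
    "clients/b/upload-3.csv": "2024-03-15",
}

if __name__ == "__main__":
    print(lifecycle_json())
    print(policy_is_compliant(build_lifecycle_rule()))        # True
    print(expired_objects(SAMPLE_OBJECTS, "2024-03-31"))      # ['clients/a/upload-1.csv']
```

When auditing a retention claim like this one, `policy_is_compliant` is the check to run against the live bucket's lifecycle configuration (for example the output of `gsutil lifecycle get gs://BUCKET`), and `expired_objects` against an object listing shows whether anything older than the cutoff is lingering.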