Frequently Asked Questions
Is data encrypted at rest? In transit?
Yes, Planview utilizes AES-256 as the encryption algorithm for data at rest and Transport Layer Security (TLS) for data in transit.
Does Planview perform security awareness training for its employees, contractors, etc.?
Absolutely. Planview understands, in many cases, the best defense against cyber-attacks is the person behind the keyboard. As a result, at least annually, a formal security awareness training is held with an assessment at the completion to ensure the content was understood. Additionally, other avenues (blog posts, company messages, etc.) are utilized throughout the year to provide relevant information about recent trends in the information security world.
Who can access customer data?
Planview classifies all customer data as sensitive and strives to provide the strictest control over the means to access it. Role-based access is utilized to ensure only those employees with a business need to access customer data have it. Access is reviewed regularly and removed promptly upon an employee’s departure. Access to production environments is granted using multi-factor authentication and logged / monitored by a dedicated security team. Physical access to systems, where possible, is also stringently restricted to those who require it.
Do you perform vulnerability scans / penetration testing?
Planview believes security by design and default isn’t just a saying. We test it regularly. Vulnerability scans are performed monthly, at a minimum. Additionally, Planview engages with an independent third party to perform rigorous penetration testing on each of its products on an annual basis. Identified findings are triaged and scheduled for remediation based on criticality.
Will Planview provide test results?
Detailed test results tend to contain information which would be considered confidential (e.g., hostnames, internal IP addresses, usernames, etc.). That being said, Planview can provide executive summaries of its annual penetration tests under a non-disclosure agreement.
How does Planview manage change to its products?
Planview adheres to a rigorous change management policy and process which is aligned with the ISO 27001 standards and audited annually. As part of this, Planview has a Change Advisory Board (CAB) which approves changes prior to deployment. Planview maintains separate (non-production) environments which are used to perform numerous tests prior to deploying changes to production.
How does Planview approach Risk Management?
As an ISO 27001 certified organization, Planview approaches risk in a disciplined manner, from identification and analysis of risks to evaluation and risk treatment. Our approach is detailed in a Risk Management Policy to ensure a consistent approach. While Planview performs an annual Risk Assessment, we believe assessing risk should be an ongoing effort built into processes throughout the organization. Risks identified are cataloged with corresponding risk treatment plans in a Risk Registry which is regularly reviewed and updated by organizational leadership.
How do I report a security breach or incident?
Planview provides support services to ensure that customers can easily report issues to the appropriate contacts:
For Planview Enterprise One, LeanKit, and PPM Pro, please visit https://support.planview.com, click Submit Case, work through the steps to select the product and version as applicable, and then choose Security in the Type drop-down list.
For LeanKit, visit https://success.planview.com/Planview_LeanKit/Support, click the Submit a Case link, and select Security in the Type drop-down list.
For Projectplace, visit https://success.planview.com/Projectplace/Projectplace_Support, click the Submit a Case link, and select Incident in the Type drop-down list.