Lookout Compliance Corner
To help you with compliance and reporting, Lookout shares information, best practices, access to certification information and some policy documentation. Our organization regularly undergoes independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn and keep your trust. Certifications, general policies and links to relevant information are provided here. If you have questions please contact compliance@lookout.com.
Policies and procedures
Lookout maintains an extensive policies and procedures library to satisfy the requirements of the ISO/IEC 27000 series, FedRAMP, legal and regulatory obligations, and customer commitments. A summary of some of our policies can be found here. To ensure the confidentiality and integrity of Lookout information, some policies and all procedures require a non-disclosure agreement. For additional information, or if you have questions, please contact compliance@lookout.com.
ISO/IEC 27001
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with an international membership of 163 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure.
ISO/IEC 27001 outlines and provides the requirements for an Information Security Management System (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks. ISO/IEC 27002 is also used as guidance to shape and create the required Information Security Management System (ISMS). Lookout uses both frameworks to ensure a comprehensive and continually improving model for security management.
To ensure full compliance with the selected standards, Lookout is audited annually against the ISO/IEC 27001 and 27002 standards by an independent third-party audit team. The Lookout products have been certified as ISO/IEC 27001 and 27018 compliant since 2017. The Lookout ISO/IEC 27001 and 27018 certificates can be found here.
ISO/IEC 27018
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 163 national standards bodies.
ISO/IEC 27018 relates to one of the most critical components of cloud privacy: the protection of personally identifiable information (PII). This standard focuses on security controls for public-cloud service providers that process PII in two ways: ISO/IEC 27018 builds upon existing ISO/IEC 27002 controls by adding items specific to cloud privacy, and it provides security controls for personal data. The Lookout products are certified as ISO/IEC 27018 compliant. The Lookout ISO/IEC 27001 and 27018 certificate can be found here.
ISO 27017
ISO/IEC 27017:2015 gives guidance for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for 37 relevant controls specified in ISO/IEC 27002.
These controls address: roles and responsibilities between the cloud service provider and the cloud customer, the removal/return of assets when a contract is terminated, protection and separation of the customer’s virtual environment, virtual machine configuration, administrative operations and procedures associated with the cloud environment, customer monitoring of activity within the cloud, as well as virtual and cloud network environment alignment.
Lookout complies with ISO/IEC 27017 controls.
Business Resiliency
Businesses, government and non-profit organizations as well as individuals depend on Lookout to secure their mobile devices and protect them from phishing attacks. With mobile devices used to complete business processes, access company data and perform two-factor authentication, we know our customers rely on our software to deliver round-the-clock protection.
At Lookout, we understand that the reliability of our platform, products, and people is essential to keeping mobile devices safe for your business and for yourself, since the mobile device is where our personal and professional identities truly converge. We take the necessary measures to protect our customers and their services through our high-availability platform architecture and through the resilience practices and requirements built into our development and operational processes. These efforts enable us to maintain a world-class business continuity program while also mitigating risk, in an effort to protect our people, customers, and products.
With that, we want to assure you that our teams are working diligently to ensure business continuity and product availability during these new and unprecedented times. In addition, we want to share some insight into our business continuity program.
The Lookout business continuity and disaster recovery program is aligned to ISO and FedRAMP standards and is reviewed and tested on a quarterly and annual schedule.
The business continuity and disaster recovery committee is staffed with members of the Lookout executive management team and senior leadership, and includes a Pandemic Team that is fully engaged to ensure that Lookout continues to operate in a business-as-usual capacity.
In order to mitigate risks and reduce threats, the Lookout business continuity program assesses and tracks risk across all business functions and has been architected by using the results of a formal business impact analysis to ensure we have a full line of sight into all critical components of the organization. These components include recovery time objective (RTO) and recovery point objective (RPO), monitoring of customer, third party and internal service level agreements (SLAs), incident identification and response, crisis management, and pandemic response planning and plan implementation.
Business resilience is a critical component in maintaining the high standard of service that we've established with our customers and partners. During this time of international emergency, Lookout continues to invest time and resources to ensure we continue to deliver high-quality products and services and maintain the expected level of performance and security coverage for our people, customers, and products.
Lookout complies with ISO/IEC 22301:2019 standards.
FedRAMP
The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).
Lookout maintains a FedRAMP Moderate provisional Authorization To Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB). Lookout also maintains additional Moderate ATOs from Federal Agencies. See the FedRAMP Marketplace for additional information.
Cloud Security Alliance STAR
The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
Lookout has submitted for the self-assessed CSA STAR Level 1: Attestation for Lookout MES and Consumer Products.
SOC2 Type 2 and Type 1
Lookout currently maintains SOC2 Type 2 for the MES product, has achieved SOC2 Type 1 for SSE, and anticipates achieving SOC2 Type 2 status for SSE by the end of 2023.
According to AICPA.org, the scope of SOC2 Type 2 and Type 1 reports can be described as follows.
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Similar to a SOC1 report, there are two types of reports: a Type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.
Still have questions? Email us at compliance@lookout.com.