Last Updated: 2026-05-28 Flexera's Organizational Controls apply to both internal corporate activities and engineering activities (development and operations). Corporate Security Controls deal with Flexera's internal security concerns, while Production Security Controls deal with customer-facing systems and customer data. Flexera maintains a strong separation of concerns between the two. The Organizational Controls, by contrast, provide the foundation for both the Corporate and Product control sets, with a focus on governance, management, and compliance.
Flexera's global security policies are aligned with ISO27001:2022 domains and are reviewed at planned intervals and when significant changes occur. These policies are developed, approved by management, published, communicated to and acknowledged by employees and other relevant parties.
Flexera follows policies and processes that implement segregation of duties and areas of responsibility to prevent individuals from independently performing conflicting tasks. Security team structures and role assignments reflect these principles to maintain clear boundaries and support governance and operational integrity.
Flexera maintains a distinct separation between internal corporate activities and engineering activities (development and operations).
Flexera's security organisation includes dedicated teams and roles led by the Chief Information Security Officer (CISO), who guides overall security strategy. Teams include Information Security, GRC Security, Security Engineering, and Product Security. Employee information security responsibilities are defined and communicated to ensure obligations are understood and consistently applied.
Flexera's management oversees and supports information security practices by requiring all personnel to apply security controls in accordance with the information security policy and related topic-specific policies and procedures. This reinforces clear accountability, awareness, and compliance across the organisation.
Flexera maintains appropriate contact with relevant authorities to support timely incident response and regulatory compliance. Contact lists are regularly updated to enable effective incident management and business continuity.
Flexera personnel in security roles engage with relevant special interest groups and security forums. Participation in professional associations (including ISACA and ISC2) helps teams stay current on security developments and receive early alerts and advisories on attacks and vulnerabilities.
Flexera systematically collects and analyses information from tested internal and external sources to understand existing and emerging threats. The results are used as input to preventive and detective technical controls to support informed, proactive risk decisions.
Policy and process exist to integrate security into the project management process for all projects. Flexera follows a detailed SDLC for software development that ensures that security concerns are identified and addressed at the earliest instance and that appropriate reviews are performed for the stages of the development lifecycle.
Flexera maintains accurate, up-to-date inventories of information and other relevant assets. Asset ownership is assigned to an individual or a group, and asset owner responsibilities are defined.
Flexera's Acceptable Use Policy defines requirements for protecting and handling information and other relevant assets; personnel and external parties with access are informed and trained on these requirements, and processes are in place to monitor acceptable use.
Procedures are in place to ensure employees and relevant parties return all company assets when their employment or contract ends or changes. Flexera identifies and documents all information and other relevant assets that need to be returned, including user endpoint devices, authentication hardware, portable storage devices and any specialist equipment.
Flexera employs a classification scheme that defines three primary categories of information: public, internal, and confidential. This scheme is consistently applied across the organization and is integrated into Flexera's operational processes. Accordingly, all employees are required to classify information and assets according to these established categories, ensuring uniformity and clarity in information handling throughout the company.
Additional information classification categories exist specifically for distinguishing different classes of confidential data from each other in a production context; these classifications are used only for the management of production data.
Flexera implements information labelling procedures aligned to its classification scheme. Personnel are trained and made aware of these procedures to ensure information is correctly labelled, handled appropriately, and shared in accordance with labelling requirements.
Flexera follows established processes for secure information transfer within and outside the organization. Rules, procedures, and agreements reflect the information's classification. Transfer agreements with third parties are maintained to protect information in all forms during transit.
Flexera enforces strict access control policies so that only authorized personnel can access information and assets.
Physical and logical access mechanisms are designed and enforced in accordance with business needs and information security standards, adhering to the principles of need-to-know, need-to-use, and least privilege.
Privileged access rights are systematically monitored and subject to quarterly review.
Flexera has policies and procedures to manage the entire identity lifecycle, granting, changing, and revoking access, and employees are trained in these procedures. Records are kept of all significant events relating to the use and management of user identities and authentication information.
Identities assigned to non-human entities are subject to segregated approval and ongoing monitoring. Username+password credentials are not considered sufficient to protect access to sensitive information; additional technical controls are mandatory; at the minimum an additional factor is required for authentication.
Flexera has processes to ensure that access rights to information and other relevant assets are granted, reviewed, updated, and revoked per Flexera's established access control policies and rules. Quarterly reviews cover both corporate and production environments to identify discrepancies and remove outdated permissions.
Flexera defines and implements processes to manage information security risks from suppliers' products and services. Before engaging a new supplier, Flexera conducts a security risk assessment and thoroughly reviews the security aspects of the intended product or service to identify potential vulnerabilities or risks and to ensure alignment with organisational requirements.
Flexera establishes, agrees, and documents relevant information security requirements in supplier agreements, tailoring requirements to the nature of each supplier relationship and the associated risk to Flexera's information assets.
Processes and procedures are defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Flexera uses a structured process to identify, assess, and address supply chain risks, ensuring that information security standards are maintained throughout every step of working with suppliers.
Flexera has established policies and processes to monitor, review, and manage changes to supplier services to maintain agreed information security and service levels in line with supplier agreements.
Flexera has processes for the acquisition, use, management, and exit from cloud services.
The information security requirements related to the use of cloud services include: the roles and responsibilities related to the use and management of cloud services; the information security controls managed by the cloud service provider and those managed by Flexera; the information security capabilities provided by the cloud service provider; assurance regarding the effectiveness of the information security controls established by cloud service providers (shared responsibility model); and procedures for responding to information security incidents associated with cloud service usage.
Flexera has an established information security incident management policy and processes. Roles and responsibilities for carrying out the incident management procedures are determined, and an information security incident management plan is documented and tested annually.
Dedicated Flexera personnel assess security events to determine whether they qualify as incidents, using an agreed categorisation and prioritisation scheme. The outcome of the assessment is recorded in detail for future reference and verification.
Information security incidents are addressed and managed by a designated team with the necessary competencies and training. The Incident Management Response team operates according to established procedures for responding to security incidents, ensuring a structured and consistent approach throughout the incident management process.
Flexera uses the information gained from information security incidents to strengthen and improve information security controls and reduce the likelihood or consequences of future incidents. The knowledge obtained also enhances user awareness and training and helps quantify and monitor incident types, volumes, and costs.
Flexera has procedures to identify, collect, preserve, document, and securely store evidence related to security events. Flexera maintains the integrity and reliability of evidence throughout its lifecycle to support incident handling and potential legal actions.
Flexera maintains business continuity policy and plans that define information security controls to be applied during disruptions.
Business continuity plans are reviewed and tested annually to maintain required effectiveness levels when operations are affected.
Flexera's business continuity planning considers a range of concerns, including security and continued delivery of sufficient service levels.
Flexera prepares ICT systems to support secure business continuity by conducting an annual (or change-driven) business impact analysis to define critical resources, RTO/RPO, and ICT capacity needs. ICT continuity plans are established and tested to keep essential services available and restore them within required time frames after interruptions.
Flexera identifies applicable legal, statutory, regulatory, and contractual information security requirements. The requirements are documented, reviewed, and updated to ensure ongoing compliance and alignment of controls with current obligations.
Flexera has policy and process to protect intellectual property and comply with legal, regulatory, contractual, and licensing requirements. Policy mandates include, but are not limited to, using approved software from trusted sources, retaining proof of licenses, and regularly verifying that only authorised and licensed software is installed.
Flexera has policies and processes to safeguard records by preserving integrity and confidentiality, and to maintain their availability. There are defined rules for secure storage, retention, disposal, and exchange to protect information, throughout its lifecycle, from unauthorised access, alteration, and loss.
Flexera identifies and complies with the requirements for PII protection according to applicable laws, regulations and contractual obligations. Policy on PII protection is reviewed, updated, and communicated to all relevant parties; furthermore, employees are trained in PII protection and data privacy.
Independent reviews of information security are conducted to assess the effectiveness of controls and identify areas for improvement. Flexera undergoes numerous security reviews, risk assessments, audits, and penetration tests that are performed by independent external technical specialists and auditors.
Flexera maintains adherence to its information security policies and procedures by implementing a process of continuous monitoring and evaluation. This approach ensures that all requirements are effectively met and enables the identification of any areas requiring corrective action.
Flexera maintains routinely updated operating procedures to safeguard information assets, promote best practices in daily activities, and support training and awareness. This reinforces a unified approach to safeguarding assets and resources.