Identify eight examples of how Slack prioritizes security governance, risk management and compliance
2 min read · Sep 3, 2024
Identify eight examples of how Slack prioritizes security governance, risk management and compliance.
- Encryption at rest and in transit: Data at rest in Slack’s production network is encrypted using FIPS 140-2 compliant encryption standards. Slack supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the TLS 1.2 protocol, AES-256 encryption and SHA-2 signatures. You won’t need to know these encryption standards for the Slack Certified Admin exam; just keep them handy for your IT team.
- Network security and server hardening: Systems supporting testing and development activities are hosted in a separate network from systems supporting Slack’s production infrastructure to protect sensitive data. All servers within our production fleet are hardened according to CIS benchmarks and have a base configuration image applied to ensure consistency across the environment.
- Administrative access control: Slack employs multifactor authentication for all administrative access to systems by Slack employees, including our production environment, which houses our customer data. All access to privileged-mode commands is restricted to authorized employees and logged in an immutable enclave. Access is restricted based on business needs and reviewed quarterly.
- System monitoring, logging and alerting: Slack monitors all Slack-owned servers and workstations to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. All production logs are stored in a separate network that is accessible only by the relevant security personnel.
- Endpoint security: All workstations issued to Slack personnel are configured by Slack to comply with our standards for security. These standards require all workstations to be properly configured and updated and be tracked and monitored by Slack’s endpoint management solutions.
- Data retention and disposal: Customer data is removed immediately upon deletion by the end user or upon expiration of message retention as configured by the customer administrator. Slack hard deletes all information from currently running production systems, and backups are destroyed within 14 days.
- Disaster recovery and business continuity plan: Slack utilizes services deployed by its hosting provider to distribute production operations across four separate physical locations. These four locations are within one geographic region but protect Slack’s service from loss of connectivity, power infrastructure and other common location-specific failures.
- External validation: Slack engages independent entities to conduct application-level and infrastructure-level penetration tests at least once per year.
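The first bullet names the in-transit properties an IT team would actually check: TLS 1.2 or newer, AES-256 for the bulk cipher and a SHA-2 digest. The script below is an added example, not code from the post or from Slack; it shows how to express that policy as a check over cipher-suite names (the kind of list a TLS scanner reports) and how to build a Python client context that only offers suites meeting it. The sample suite list, the regular expression and the OpenSSL cipher string are this example's own choices and are labelled as such in the code.

```python
import re
import ssl

# Policy distilled from the bullet above: AES-256 bulk cipher and a SHA-2 digest,
# judged from the suite name alone. The pattern is this example's own choice.
SUITE_PATTERN = re.compile(r"AES[_-]?256.*SHA(256|384)$")

# Constructed sample: suite names as a scanner might list them for some endpoint.
# These are illustrative only, not an observed Slack configuration.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",          # CBC with SHA-1 digest: not SHA-2
    "DHE-RSA-AES256-SHA256",
]


def suite_meets_policy(name: str) -> bool:
    """True when the suite name shows AES-256 and a SHA-256/SHA-384 digest."""
    return SUITE_PATTERN.search(name) is not None


def audit_suites(names):
    """Split suite names into (accepted, rejected) lists against the policy."""
    accepted = [n for n in names if suite_meets_policy(n)]
    rejected = [n for n in names if not suite_meets_policy(n)]
    return accepted, rejected


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only ECDHE key exchange with AES-256-GCM (SHA-384 digest).
    The cipher string is this example's choice of OpenSSL aliases."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM+AES256:!aNULL:!eNULL")
    return ctx


def tls12_suites(ctx: ssl.SSLContext):
    """Names of the TLS 1.2 suites the context will offer (TLS 1.3 suites are
    fixed by OpenSSL and are not governed by set_ciphers)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


if __name__ == "__main__":
    accepted, rejected = audit_suites(SAMPLE_SUITES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("TLS 1.2 suites offered by hardened context:", tls12_suites(hardened_client_context()))
```

The name-level check is deliberately narrow: it implements the three properties the bullet lists and nothing more, so a CBC suite with a SHA-256 digest passes it. In a real review the suite list would be pulled from the endpoint and the context would be used for the actual connection; here the focus is on making the policy explicit and testable.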