Cybersecurity and Data Protection Program

Mirion will comply with applicable statutory, regulatory, and mutually agreed upon contractual obligations that apply to Mirion; however, Mirion does not assume any obligations to make a customer compliant with applicable statutory and regulatory obligations that may apply to the customer.

Information Security Program Overview

Mirion has established a centralized information security program that originates from and is supported by Mirion enterprise policy. The Mirion information security program strives to align with the ISO 27000 series framework as an enterprise standard but utilizes other frameworks and controls as needed. Examples include ISO 27001 Annex A controls, NIST controls, SOC 2 controls and NCSC Cyber Essentials practices.

Organizational Controls Category

  • Cybersecurity Policies and Procedures
    • The Mirion information security program maintains specific enterprise policies and procedures which establish security objectives, requirements, and functions. Areas covered by such policies include acceptable use of information assets, data retention and backup, and cybersecurity detection and incident response.
  • Third-Party Audits
    • Our organization uses independent third-party assessments to test security and compliance controls for specific products and services.
  • Third-Party Penetration Testing
    • Mirion performs enterprise level independent third-party penetration testing on an annual basis to help identify and mitigate exploitable vulnerabilities. Certain Mirion products are also subjected to additional penetration testing on a periodic basis.
  • Roles and Responsibilities
    • Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are defined and documented.
  • Least Privilege Access Control
    • Mirion follows the principle of least privilege with respect to identity and access management.
  • Quarterly Access Reviews
    • Mirion performs quarterly access reviews for privileged access.
  • Password Requirements
    • Mirion policy establishes minimum password length and complexity requirements, and passwords must meet these requirements before access is granted.
  • Disaster Recovery
    • Mirion maintains backups and restore plans in accordance with internal policies and maintains an IT Disaster Recovery Plan which covers critical systems and data.
  • Supplier Risk Management
    • Mirion cybersecurity performs periodic reviews of third-party suppliers for cybersecurity risks. Reviews include the assessment of independent audit reports (e.g. SOC 2, ISO certification) and the assessment of security architecture and integration considerations.

People Controls Category

  • Security Awareness Training
    • Mirion requires employees, consultants, and contractors to go through annual cybersecurity awareness training covering industry standard practices and information security topics such as phishing and password management. Mirion augments the annual training with additional activities such as attack simulations, physical site-specific awareness campaigns, and enhanced topic specific training.
  • Confidentiality
    • All employees are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
  • Background Checks
    • Mirion performs background checks on all employees in accordance with local laws.

Physical Controls Category

  • Physical Access Controls
    • Mirion uses attendants, locks, and ID cards to limit physical access to facilities where information systems are located.
  • Physical Access Monitoring
    • Mirion uses attendants, surveillance, alarm systems and programmable ID cards to monitor physical access to restricted areas.

Technological Controls Category

  • Infrastructure Security
    • Mirion uses a combination of on-premises hosting, IaaS cloud hosting, and SaaS hosting for various services. Hosting decisions are made based on technical requirements, operational needs, and data compliance requirements.
  • Encryption Technologies
    • Mirion deploys technologies to encrypt data in transit and data at rest.
  • Email Filtering
    • Mirion deploys several tools for email filtering to avoid interaction with malicious emails.
  • Cybersecurity Monitoring
    • Mirion uses an Extended Detection and Response (XDR) solution to collect telemetry from and monitor Mirion controlled information systems. Mirion’s monitoring is 24x7x365 and uses a SIEM to correlate telemetry sourced from various types of endpoint and network systems.
  • Vulnerability Scanning
    • Mirion uses several industry-leading vulnerability detection and scanning solutions to identify and address vulnerabilities. Vulnerabilities are addressed using a risk-based methodology that prioritizes the highest-risk vulnerabilities for remediation.
  • Incident Response
    • Mirion has a written Incident Response Plan and a dedicated team with GCIH certified analysts that follow it while performing investigations.
  • Threat Hunting
    • Mirion has contracted with a third party that provides monthly threat hunts. Mirion cybersecurity analysts also perform additional threat hunting activities in downtime between investigatory actions.
  • Permissions and Authentication
    • Mirion uses a directory service to support authentication and access control. Access to infrastructure and other sensitive tools is limited to authorized employees who require it for their role.
  • Multifactor Authentication
    • Access to Mirion’s network requires multifactor authentication. Mirion is in the process of deploying multifactor authentication and SAML-based federation capabilities to additional products.
  • Password Complexity Enforcement
    • Where technically feasible, password complexity requirements are enforced by our authentication systems. Mirion also uses an enterprise class password manager to store personal and shared passwords.