Governance & Integrity
Information Privacy & Security
EMC’s goal is to balance innovation and collaboration within our company while securing personal and confidential information and preserving the trust of our customers and stakeholders. Information privacy and security oversight are critical components in our efforts to protect the confidential information that is entrusted to us.
We implement solutions to mitigate risk and protect personal and confidential information. Our Governance Risk and Compliance Council, which includes senior management, meets quarterly to review and implement our internal information security strategy, which is carried out by our Global Security Organization (GSO).
Protecting Personal Information
We have established and trained our workforce on internal policies that require employees and contractors to protect the privacy and security of confidential and personal information. From a privacy standpoint, personal information may not be used or disclosed except as necessary for legitimate business purposes such as for human resources and employment functions or as otherwise permitted or required by applicable law. From a data security standpoint, we use reasonable administrative, technical and physical measures to safeguard confidential and personal information.
EMC complies with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Union and Switzerland. In addition, EMC has been awarded TRUSTe’s Privacy Seal signifying that the EMC.com privacy statement and EMC’s practices have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements, including transparency, accountability and choice, regarding the collection and use of personal information.
Responding to Cyber Security Risks
Like any large company, EMC experiences and successfully repels multiple cyber attacks on its Information Technology (IT) infrastructure every day.
In March 2011, an extremely sophisticated attack occurred against RSA and resulted in certain information being extracted from RSA's systems. We were able to identify the attack in progress, and we took immediate steps to disclose the event to our customers and to provide resources and tools to help them strengthen the security of their IT systems.
We remain committed to our relentless pursuit of building trust in the digital world. Long before and since the breach at RSA, we've dedicated ourselves to maintaining the confidence of our customers and partners. We are working aggressively to enhance our products and services and strengthen our internal security to better protect our business and our customers from these sophisticated cyber threats.
An unprecedented number of targeted, high-profile attacks on companies over the last year remind us that the question is not whether a company can be breached, but how fast it can react. This sense of urgency drives our strategy to apply lessons learned throughout our product roadmap.
Trust in the Cloud
Cloud Computing and virtualization are powerful tools to manage and use digital information. These tools foster innovative approaches to resource conservation and efficiencies through principles of multi-tenancy, resource sharing, and rapid resource elasticity.
However, these approaches also create new complexities for organizations, including the fundamental challenge of getting the right information to the right people over an infrastructure they can trust. Cloud Computing and virtualization have irrevocably changed the nature of control and visibility: infrastructure becomes virtual, not physical, and people access infrastructure from devices that are outside of IT's direct control.
Information moves with incredible speed across networks and the Cloud, which can make it difficult to know where sensitive information resides. With an IT infrastructure that is shared via the Cloud, organizations must learn new ways to identify and monitor potential risks, threats, and compliance performance.
The formula for building trust in the Cloud is to achieve control over and visibility into the Cloud's infrastructure, identities, and information. The technologies required to achieve this level of control and visibility already exist for both internal (private) Clouds and Cloud services delivered through external providers.
EMC offers products and services addressing the biggest challenges surrounding trust in the Cloud including information control, infrastructure, and identity. Read more about our approach in our Trust in the Cloud white paper.
IT Proven Program
Through the IT Proven Program, EMC’s GSO implements our security solutions across IT operations throughout the enterprise. By tackling the same problems our customers face, we can test our own products and provide realistic feedback on their performance.
The GSO also develops prototypes of new security solutions for EMC. For example, the GSO developed a Secure Management Infrastructure, using VMware, Cisco, and RSA technology to create a security management portal to manage our data centers.
Critical Incident Response Center
Our Critical Incident Response Center (CIRC) consolidates all information security incident management cases into our Critical Incident Response team with locations in Bedford, MA and Bangalore, India. This centralized management is designed to provide more efficient and effective resolution.
Customer Security Management Office
The Customer Security Management Office (CSMO) serves as an internal resource to help our sales teams and business units effectively respond to customers’ security-related inquiries. The CSMO works directly with internal departments as a customer advocate to enhance our operations to meet or exceed customer expectations.
ISO 27001 Certifications
EMC's security program is based on the ISO 27001 standard for security management systems. We also seek ISO 27001 certification for select business units as the business need arises. Nine business units in four countries are ISO 27001 certified, including all of our RSA data centers servicing the RSA Identity Protection and Verification products.
Employee Training and Credentialing
EMC employees and contractors must complete regular security training related to protecting confidential and personal information. Employees who work on customer sites, including sales force members and field engineers, must undergo supplemental annual training. Additionally, our credentialing program makes a consistent, global practice of conducting employee background checks. This background screening is another effort to help reduce the potential risk to corporate and customer information posed by possible internal threats.
Security in a Changing World
An ongoing challenge for EMC and its divisions is implementing security processes for new, rapidly changing technologies. As our company evolves, we are becoming a hyper-extended enterprise, sharing information with more people and using more technology tools across more geographies than ever before.
Our stringent information security strategy and practices are preparing us for this challenge. We also recognize that we don’t have all the solutions, and we are working with others to address the evolving landscape of security technology. For instance, RSA is an active member of the Cloud Security Alliance, a nonprofit organization promoting best practices for security assurance within Cloud Computing.
Supply Chain Security
Another component of EMC's security strategy is to securely design, implement, deliver, and service our products. Our Product Security Office manages risk across the full supply chain including credentialing, secure product design, the product development life cycle, the protection of intellectual property, and our support and service delivery capabilities.
To learn more, visit Supply Chain Business Continuity.