INFORMATION SECURITY & PRIVACY
The world’s dependence on information technology (IT) has brought with it increasing concern about infrastructure security and information privacy. Cyber attacks designed to steal and disrupt critical infrastructure are becoming increasingly sophisticated, demanding a coordinated response from governments, industry leaders, and customers. As a leading security and Big Data solutions provider, we seek to preserve the trust of our stakeholders by employing new strategies to secure our own IT systems and the sensitive information in our charge. We also design engineering and supply chain processes that protect customers and help them minimize risk by providing advanced products that are more resilient to attacks. By leveraging the expertise of our RSA security division, we are developing entirely new defense strategies that are transforming cyber security risk management for our customers and enhancing trust in the cloud.
SECURING OUR OWN IT SYSTEMS
As a leading technology provider, EMC is a potential target for cyber attacks and has an imperative to protect our own IT systems, as well as sensitive information about our customers and our products. Through the EMC Global Security Organization (GSO), we take a proactive approach to protecting our systems and sensitive information using advanced technology and risk-based programs.
PROTECTING PERSONAL INFORMATION
We have established and trained our workforce on internal policies that require employees and contractors to protect the privacy and security of confidential, personal, and corporate information. From a privacy standpoint, confidential, personal information may not be used or disclosed except as necessary for legitimate business purposes such as for human resources and employment functions or as otherwise permitted or required by applicable law. From a data security standpoint, we use reasonable administrative, technical, and physical measures to safeguard confidential, personal, and corporate information. In 2012, a laptop containing personal information of a Greenplum customer was stolen from the home of a Greenplum employee. The theft was reported to local police who investigated the crime. We participated in the investigation and assisted the customer in its response. Although the laptop was not encrypted, we have no reason to believe that any personal information has been misused as a result of the incident. We have put additional encryption safeguards in place to ensure compliance with our laptop encryption policy.
EMC complies with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Union and Switzerland. In addition, EMC has been awarded TRUSTe’s Privacy Seal. The seal signifies that the EMC.com privacy statement and EMC’s practices have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements, including transparency, accountability, and choice regarding the collection and use of personal information.
RESPONDING TO CYBER SECURITY RISKS
Like any large company, EMC experiences and successfully defends against multiple cyber attacks on its IT infrastructure every day. We remain committed to our relentless pursuit of building trust in the digital world and have dedicated ourselves to maintaining the confidence of our customers and partners. Through aggressive enhancements to our products and services, we are strengthening EMC’s internal security to better protect our business and customers from cyber threats. In 2012, there was no meaningful impact on EMC’s networks or IT systems from security breaches.
CRITICAL INCIDENT RESPONSE CENTER
Our Critical Incident Response Center (CIRC) consolidates all information regarding incidents against EMC and provides it to our Critical Incident Response teams located in Bedford, Massachusetts and Bangalore, India. This centralized management is designed to provide more efficient and effective resolution.
IT PROVEN PROGRAM
Through the IT Proven™ Program, EMC’s GSO implements our security solutions across IT operations throughout the enterprise. By tackling the same problems our customers face, we can test our own products and provide realistic feedback on their performance.
The GSO also develops prototypes of new security solutions for EMC. For example, the GSO developed a Secure Management Infrastructure, using VMware®, Cisco, and RSA technology to create a security management portal to manage our data centers.
EMPLOYEE TRAINING AND CREDENTIALING
EMC employees and contractors must complete regular security training related to protecting confidential and personal information. EMC sales force members and field engineers who work on customer sites must undergo supplemental annual training. In addition, our credentialing program makes a consistent, global practice of conducting employee background checks. This background screening is another effort to help reduce the potential risk to corporate and customer information posed by possible internal threats.
To prevent internal data spills—unintentional data transfers—we established the EMC Firstline program for employees. EMC Firstline is a comprehensive and continuously evolving user awareness and education program that trains our employees on how to handle sensitive data through a wide-ranging selection of videos, poster campaigns, emails, and application programming.
ISO 27001 CERTIFICATIONS
EMC’s security program is based on the ISO 27001 standard for security management systems. We also seek ISO 27001 certification for select business units as the business need arises. Nine business units in four countries are ISO 27001 certified, including all of our RSA data centers servicing the RSA Identity Protection and Verification products.
BUILDING AND DELIVERING SECURE PRODUCTS
As a provider of information infrastructure products, EMC must establish processes that make our products and services more resilient against cyber attacks. Our Product Security Office leverages advanced security engineering and supply chain practices to minimize the risk of vulnerabilities in our products. We also actively participate in SAFECode, an industry-led organization working to increase trust in IT.
CUSTOMER SECURITY MANAGEMENT OFFICE
EMC’s Customer Security Management Office (CSMO) serves as an internal resource to help our sales teams and business units effectively respond to customers’ security-related inquiries. The CSMO works directly with internal departments as a customer advocate to enhance our operations to meet or exceed customer expectations.
PRODUCT SECURITY OFFICE
Another component of EMC’s security strategy is to securely source, implement, deliver, and service our products. EMC manages risk across the full supply chain including credentialing, supplier management, secure product development life cycle, the protection of intellectual property, and our support and service delivery capabilities.
We take secure product development very seriously at EMC. Our approach includes identifying a set of functional and nonfunctional security requirements integrated into a product security standard. We apply this standard through requirements, design, development, documentation, testing, readiness, and vulnerability response, minimizing the risk of vulnerabilities in our products. To learn more about EMC’s approach to product security, visit www.emc.com/security.
Our security development lifecycle overlays security on standard development processes to achieve a high degree of compliance with the EMC product security policy. The EMC security development lifecycle follows a rigorous approach to secure product development that involves executive-level risk management before our products are shipped.
The EMC Product Security Response Center also proactively alerts customers when security issues with our products arise. Through the Product Security Response Center, we issue EMC security advisories (ESAs) to notify customers about potential vulnerabilities and provide corrective measures before hackers are able to exploit the situation. In 2012, we issued more than 50 ESAs to our customers.
COMPLIANCE AND RISK MANAGEMENT TEAM
RSA’s Compliance and Risk Management (CRM) team helps ensure compliance in RSA’s Software as a Service (SaaS) environment with external regulations and standards including PCI, HIPAA, ISO 27001, and SSAE-16. This group also performs third-party reviews of RSA’s downstream suppliers to ensure end-to-end compliance.
PROTECTING CUSTOMERS FROM CYBER ATTACKS
The unprecedented number of targeted, increasingly sophisticated attacks on companies in recent years has created an industry shift toward a blended approach of security response technology and preventive actions. In January 2013, we launched RSA Security Analytics, an innovative security monitoring platform designed to help organizations defend digital assets against these advanced security challenges and threats.
RSA Security Analytics, recognized as the next generation in security technology, transforms security operations by leveraging the power of Big Data to better detect and investigate threats that can be overlooked by traditional tools. Additionally, the platform reduces time and cost associated with threat detection, investigation, and response through quick capture and analysis and automated compliance reporting. To learn more about our approach, read our Big Data Fuels Intelligence-Driven Security white paper.
ENSURING TRUST IN DIGITAL SYSTEMS
Cloud computing and virtualization are powerful tools to manage and use digital information. These tools foster innovative approaches to resource conservation and efficiencies through principles of multi-tenancy, resource sharing, and rapid resource elasticity.
However, these approaches also create new complexities for organizations, including the fundamental challenge of getting the right information to the right people over an infrastructure they can trust. Cloud computing and virtualization have irrevocably changed the nature of control and visibility: infrastructure becomes virtual, not physical, and people access infrastructure from devices that are outside of IT’s direct control.
Information moves with incredible speed across enterprises, mobile networks, and the cloud, which can make it difficult to know where sensitive information resides. With an IT infrastructure that is shared via the cloud, organizations must learn new ways to identify and monitor potential risks, threats, and compliance performance.
The formula for building trust in today’s highly connected, mobile, and cloud-dependent infrastructures is to achieve control over and visibility into the management of infrastructure, identities, and information. The technologies required to achieve this level of control and visibility already exist for both internal (private) clouds and hybrid cloud environments, which span enterprise-based and hosted applications and information.
Case Study: RSA Archer eGRC—Trusting in the Cloud to Measure Compliance with Regulatory Controls in a Cloud-Based Environment
EMC enhances trust in digital systems through our continuously evolving RSA Archer eGRC platform, the market-leading solution for managing enterprise governance, risk, and compliance (GRC). Designed to draw data from a variety of systems, the RSA Archer eGRC platform integrates information about security alerts and threats, gathers metrics about the effectiveness of security controls and processes, and analyzes the security and business environment to create actionable, real-time intelligence to help customers manage GRC.
ADVANCING SECURITY IN A CHANGING WORLD
An ongoing challenge for EMC and its divisions is implementing security processes for new, rapidly changing technologies. As our company evolves, we are becoming a hyper-extended enterprise, sharing information with more people and using more technology tools across more geographies than ever before.
Our stringent information security strategy and practices are preparing us for this challenge. We also recognize that we don’t have all the solutions, and we are working with partners to address the evolving landscape of security technology. Some of our 2012 efforts include:
- National Cyber Security Alliance (NCSA): Through funding and board-level participation, EMC actively supports NCSA, a nonprofit organization dedicated to promoting Internet safety and security at home, work, and school. To celebrate National Cyber Security Awareness Month in October 2012, we collaborated with NCSA for the sixth year in a row to raise awareness of cyber security by hosting educational events at schools in 21 states in the U.S. and 17 countries around the world. During the month, EMC employee volunteers taught thousands of school-age children about safe and responsible Internet use, and reinforced ongoing cyber security training programs within EMC with live events and testing, including an internal spear-phishing campaign.
- RSA/Radio Disney Partnership: RSA partners with Radio Disney to support cyber security awareness and digital responsibility at middle schools in Massachusetts, Rhode Island, and Connecticut. In 2012, we extended our partnership with Radio Disney to encourage interest in data science among students. To learn more, visit Education Partnerships.
- SAFECode: In 2007, EMC collaborated with Adobe, Microsoft, and other industry partners to launch SAFECode, a global organization focused on improving trust in IT products and services. The mission of SAFECode is to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services. EMC regularly contributes what we learn from our own work to SAFECode. For instance, in 2012, we worked with industry partners to publish an in-depth report on how to secure software using agile development, an approach that allows for adaptive planning and rapid, flexible response capabilities.
- The Open Group: EMC is a member of The Open Group, a nonprofit organization working to develop open, secure, vendor-neutral IT standards and certifications. Through the Open Group Trusted Technology Forum (OTTF), EMC is helping the organization develop solutions for a more trusted global supply chain.
- Computer Security Research Alliance (CSRA): In 2012, EMC became a founding member of CSRA, a nonprofit research consortium aimed at tackling information security challenges. The consortium will work closely with industry members, universities, and government agencies to develop breakthrough technologies to improve cyber security.
- Cloud Security Alliance (CSA): RSA, EMC’s security division, is a member of CSA, a nonprofit industry coalition that promotes best practices in security assurance within cloud computing and provides education on the uses of cloud computing to help secure all other forms of computing. As co-chair of CSA’s SME council, we led a number of important cloud security initiatives in 2012. One initiative included helping CSA engage with international Standards Developing Organizations (SDOs) such as ISO. We also played a key role as a member of CSA’s International Standards Council (ISC), which is leading the review of new standards proposals.
- Internet Engineering Task Force (IETF): EMC supports the development of Internet standards through our work with IETF, an open, international community of IT professionals and researchers concerned with the evolution of Internet architecture and seamless operation.
- Security for Business Innovation Council (SBIC): In 2012, EMC formed SBIC, a group of leading security executives from Global 1000 enterprises. SBIC publishes recommendations to help advance information security worldwide. In 2012, we sponsored a report highlighting 2013 trends to demonstrate the critical importance of improving cloud security.