Information Security & Privacy in Our Operations

The unprecedented number of targeted, increasingly sophisticated cyber-attacks is requiring companies to rethink and redefine their security strategies for this new threat environment. EMC pursues a strategy that focuses on the essential security capabilities needed to protect an organization’s most valuable assets from the cyber threats of today and tomorrow.

The preventative value of traditional perimeter-focused security practices of firewalls, anti-virus and intrusion detection systems has been dramatically diminished as the perimeter has been eroded by the pervasive adoption of social and cloud-based applications and mobile devices. Today’s increasingly agile and user-focused business and IT practices, coupled with a more dangerous threat landscape, require a change in our approach from one that concentrates on preventing network intrusions to one that is able to detect and respond rapidly and effectively to attacks in a highly-dynamic environment. The RSA portfolio of security products and services provides EMC the necessary visibility, insight and ability to respond to threats and to secure both our own infrastructure and any sensitive information we hold about our customers and our products.

EMC’s Global Security Organization (GSO) develops the security strategy that identifies the high-level objectives to be addressed and strategic initiatives to be undertaken to fulfill EMC's security mission. To achieve this mission, the GSO addresses the following organizational responsibilities:

  • Security Operations and Incident Response
  • Emerging Technology and Security Engineering
  • Governance, Risk and Compliance

These responsibilities are fulfilled through the following functions:

Critical Incident Response Center

  • Uses technical solutions coupled with detailed processes and skilled analysts to provide a holistic approach to operating, monitoring, analyzing, responding to and researching the latest threats to the enterprise.

Security Architecture

  • Provides consulting to IT and other internal business units and delivers designs for application and data security. These internal teams include product engineering and customer service.

Security Engineering

  • Works with other IT functions to design and build EMC’s global network infrastructure, including WAN, LAN, Internet gateways, remote access infrastructure, wireless infrastructure, firewalls, internet filtering technology, IDS and network monitoring. The goal of this team is to provide a secure operating environment for EMC’s business units and a secure network for EMC product engineering.

Strategy and Emerging Technology

  • Evaluates new technology, drives proof of concept programs, and provides input to architecture and consulting teams and to wider IT.


  • Works to identify, test, and implement automated tools to enable business units to monitor and measure controls effectiveness and reporting. This team primarily supports EMC’s governance, risk and compliance (GRC) committees, which have the responsibility to understand EMC’s overall compliance to applicable regulations and standards. Many standards—for example, Product Source Code Protection—are included in this assurance process.

Security Enablement

  • Consulting group with alignment to specific areas of EMC to understand their unique operations and align information security protection strategies for them. This team supports the EMC governance process by administering much of the risk management, resolving identified security issues and providing guidance on the direction of key programs that are ultimately delivered to our customers as products and services.

Security Relations

  • Develops and manages the EMC FirstLine Security Awareness and Training Program. This program is one of the most critical components in establishing a “culture of security” to inform our business practices, and promote and reinforce employee behaviors that safeguard EMC’s information and assets. EMC’s FirstLine Security Awareness and Training Program involves everyone in the organization. The program components include employee training in areas such as phishing detection and reporting, developing and using strong passwords, safe use of social networking sites, smartphone security, safe web browsing and social engineering; a FirstLine website with security alerts and learning resources; awareness videos and presentations; articles, blogs, newsletters and e-mail campaigns; posters and collateral; and both employee and community-focused events and programs such as National Cyber Security Awareness Month as well as in-school cyber security awareness and cyberbullying prevention programs.


  • Provides strategic planning for security priorities, suggests updates for IT security policies and standards, facilitates cross-functional collaboration for security priorities, and reviews and prioritizes security findings.

Information Risk Management

  • Maintains the information risk management framework in accordance with EMC’s enterprise risk management framework and provides risk-based assessments and analysis for major projects, programs and initiatives related to information technology. Manages ongoing risk elements in cooperation with governance and compliance functions.

Responding To Cyber Security Risks

As with any large company, EMC experiences and successfully defends numerous cyber-attacks on its IT infrastructure every day. We remain committed to delivering a secure IT environment for communication, collaboration and commerce, and have dedicated ourselves to maintaining the confidence of our customers and partners. Through a rigorous process of regular enhancements to our products and services, we continuously strengthen EMC’s internal security to better protect our business and customers from cyber threats.

IT Proven Program

Through the IT Proven Program, EMC’s GSO implements our security solutions across IT operations throughout the enterprise. By tackling the same problems our customers face, we test our own products and provide real-world feedback on their performance.

The GSO also supports the development of new security solutions for EMC. For example, in collaboration with RSA product management, the GSO developed a Security Operations Management module for RSA’s Archer® GRC software platform. This module enables enterprises to seamlessly orchestrate people, process and technology to respond to security incidents.

Protecting Personal Information

At EMC, confidential, personal information may not be used or disclosed except as necessary for legitimate business purposes, such as for human resources and employment functions or as otherwise permitted or required by applicable law. From a data security standpoint, we use reasonable administrative, technical and physical measures to safeguard confidential, personal and corporate information.

In October 2015, the European Court of Justice (ECJ) invalidated the long-standing U.S./EU Safe Harbor program ("Safe Harbor").  EMC is taking the ECJ’s decision seriously and recognized the potential for this development.  In the absence of the Safe Harbor program, EMC has put in place EU Standard Contractual Clauses as intra-group agreements, which include EMC Corporation as a signatory.  EMC continues to protect personal data in accordance with EU data privacy laws and regulations. In addition, EMC has been awarded TRUSTe's Privacy Seal signifying that its Privacy Statement and EMC’s practices as described in that statement have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements.

Partnering for Security in a Changing World

An ongoing challenge for EMC, and for all large companies, is the implementation of security processes for new, rapidly changing technology environments. As our company evolves, we are becoming a hyper-extended enterprise, sharing information with more people and using more technology tools across more geographies than ever before.

Our information security strategy and practices prepare us for this challenge. We also recognize that we don’t have all the solutions, and we are working with partner organizations to address the evolving security landscape. Some of our 2015 initiatives included:

  • National Cyber Security Alliance (NCSA) – Through funding and board-level participation, EMC actively supports the NCSA, a nonprofit organization dedicated to promoting Internet safety and security at home, work and school. For the ninth year in a row, we collaborated with NCSA to celebrate National Cyber Security Awareness Month in October 2015.
  • FirstLine – Each year, as part of our FirstLine cyber security awareness program for employees, EMC raises awareness about an important information security-related topic during National Cyber Security Awareness Month, which takes place in October.  This year, EMC kicked off a quarter-long integrated communications and training campaign to bring attention to the threats posed by “tailgating” or gaining access into buildings and other restricted areas without proper authentication by simply following someone else who has authenticated properly.  The campaign included a video featuring employees demonstrating the risks associated with tailgating as well as best practices for discouraging these behaviors; training on physical security topics; and a contest employees entered by obtaining a perfect score on a quiz on the information from the video and training. The campaign also included an interview with EMC’s Chief Security Officer and articles featuring EMC executives communicating their support for the initiative published on EMC’s employee Intranet, blogs, in web and email banners, and through live informational sessions, posters and giveaways such as lanyards and badge reels.

Caption: EMC’s “Tailgate Block” video brought attention to the threats posed by “tailgating” into buildings.

Last year, we brought our EMC FirstLine Cyber Security Awareness Volunteer Program to the next level, launching our volunteer in-school and community education program on a year-round basis. In 2015, EMC employee volunteers continued to deliver educational programs for students at primary and secondary schools, at institutions of higher education, and with community groups across the U.S. and around the world. The “STOP.THINK.CONNECT” national cyber security education and awareness campaign developed by the Anti-Phishing Working Group and the National Cyber Security Alliance serves as the foundation for this program.

Caption: EMC employees deliver cyber security awareness to students as part of the FirstLine Cyber Security Awareness Volunteer Program.

  • SAFECode – EMC continues to participate with SAFECode, a global organization it helped launch in 2007 that is focused on improving trust in IT products and services. In 2015, EMC’s Senior Director of Product Security, Eric Baize, was elected Chairman of SAFECode. Additionally, EMC coauthored a SAFECode whitepaper, “Principles for Software Assurance Assessment”, and was a major contributor to the 12 free, publicly available software development training modules through SAFECode. These modules aim to raise the bar on software development security across the industry. To learn more, visit Product Information Security & Privacy.
  • Internet Engineering Task Force (IETF) – EMC supports the development of Internet standards through our work with IETF, an open, international community of IT professionals and researchers concerned with the evolution of Internet architecture and seamless operation. EMC’s involvement continued in 2015 with EMC’s Global Lead Security Architect Kathleen Moriarty serving as the organization’s IETF Security Area Director. EMC is sponsoring her as she focuses on providing security insight and approval for a new set of IETF standards.
  • Open Group – EMC is a member of Open Group, a nonprofit organization working to develop open, secure, vendor-neutral IT standards and certifications. Through the Open Group Trusted Technology Forum, EMC is helping the organization to develop solutions for a more trusted global supply chain.
  • Cloud Security Alliance (CSA) – EMC is an executive member of CSA, a nonprofit industry coalition that promotes best practices in security assurance within cloud computing and provides education on the uses of cloud computing to help secure all other forms of computing. In 2015, EMC’s Senior Technologist Said Tabet was awarded the CSA Ron Knode Service Award for his contributions towards promoting best practices in cloud computing and next-generation IT.
  • Forum for Incident Response (FIRST) – EMC is an active member of FIRST, a premier organization and a recognized global leader in incident and vulnerability response.
  • Financial Services – Information Sharing and Analysis Center (FS-ISAC) – Information sharing is a key component of any effective security strategy. In 2015, RSA continued its strategic relationship with FS-ISAC’s global operations, including maintaining its Board position with the organization.
  • PCI Security Standards Council (PCI SSC) – RSA continues to be a Participating Organization and serve on the Board of Advisors for the PCI SSC, an open global forum launched in 2006, that is responsible for the development, management, education and awareness of best practices for securing consumers’ payment card data.
  • FIDO (Fast IDentity Online) Alliance – RSA is a Board member of FIDO, a non-profit industry organization dedicated to addressing the problems users face with creating and remembering multiple usernames and passwords for websites and cloud applications – a key issue in making users safe online.
  • Organization for the Advancement of Structured Information Standards (OASIS) – EMC employees actively participate on several OASIS Technical Committees helping to define industry standards in areas such as security, content management and cloud computing. These standards help ensure that EMC products are able to interoperate with other systems and products.
  • Security for Business Innovation Council (SBIC) – In 2008, EMC formed SBIC, a group of leading security executives from Global 1000 enterprises. SBIC publishes recommendations to help advance information security worldwide. To learn more, visit the SBIC website.

To learn more about information security and privacy, visit Our Products and Customers.

Additional Information

Practices for Secure Development of Cloud Applications

EMC Corporation Privacy Statement