Information Security & Privacy in Our Operations
The unprecedented number of targeted, increasingly sophisticated cyber-attacks is requiring companies to rethink and redefine their security strategies for this new threat environment. EMC is adopting a new Intelligence-Driven Security strategy to address not only today’s threats but also the evolving challenges of tomorrow.
Traditional perimeter-focused security practices of firewalls, anti-virus, and intrusion detection systems have been rendered moot as the perimeter has been eroded by the dramatic adoption of social and cloud-based applications and mobile devices. Today’s business and IT practices, coupled with a more dangerous threat landscape, require us to evolve from solely focusing on preventing network intrusions to being able to rapidly detect and effectively respond to attacks. Intelligence-Driven Security provides EMC the necessary visibility, insight, and ability to respond to threats, enabling us to protect both our own infrastructure and any sensitive information we hold about our customers and our products.
EMC’s Global Security Organization (GSO) develops the security strategy that identifies the high-level objectives to be addressed and strategic initiatives to be undertaken to fulfill EMC's security mission.
To achieve this mission, the GSO addresses the following organizational responsibilities via the functions described below:
- Service Operations and Incident Response
- Emerging Technology and Security Engineering
- Governance, Risk and Controls Assurance
Service Operations and Incident Response
Critical Incident Response Center
Uses technical solutions coupled with detailed processes and skilled analysts to provide a holistic approach to monitoring, analyzing, responding to and researching the latest threats to the enterprise.
Emerging Technology and Security Engineering
Provides consulting to internal business units and delivers designs for application and data security. These internal teams include product engineering and customer service. This ensures the back-office applications used by these teams have inherently secure designs.
Works with EMC IT telecom to design and build EMC’s global network infrastructure, including WAN, LAN, Internet gateways, remote access infrastructure, wireless infrastructure, firewalls, internet filtering technology, IDS and network monitoring. With the goal of providing a secure operating environment for EMC’s business units, this team also pays special attention to EMC product engineering to provide a secure network.
Strategy and Emerging Technology
Evaluates new technology, drives proof-of-concept programs, and provides input to architecture and consulting teams and the wider IT organization. Many EMC products that are eventually sold to the U.S. government are initially evaluated via this group, which provides critical feedback about features, usability and integrations needed to support customers with complex IT environments.
Governance, Risk and Controls Assurance
Works to identify, test, and implement automated tools to enable business units to monitor and measure controls effectiveness and reporting. This team primarily supports EMC’s newly-formed governance committees, which have the responsibility to understand EMC’s overall compliance with applicable regulations and standards. Many standards—for example, Product Source Code Protection—are included in this assurance process.
A consulting group aligned with specific areas of EMC, to understand their unique operations and tailor information security protection strategies for them. This team supports the EMC governance process by administering much of the risk management, resolving identified security issues and providing guidance on the direction of key programs such as Product Source Code Protection.
Develops and manages the EMC FirstLine Security Awareness and Training Program. This program is one of the most critical components in establishing a “culture of security” to inform our business practices and promote and reinforce employee behaviors that safeguard EMC’s information and assets. EMC’s FirstLine Security Awareness and Training Program involves everyone in the organization. The program components include employee training in secure best practices in areas such as phishing detection and reporting, developing and using strong passwords, safe use of social networking sites, smartphone security, safe web browsing and social engineering; a FirstLine website with security alerts and learning resources; awareness videos and presentations; articles, blogs, newsletters and e-mail campaigns; posters and collateral; and both employee and community-focused events and programs, such as National Cyber Security Awareness Month and in-school cyber security awareness and cyberbullying programs.
Provides strategic planning for security priorities, suggests updates for IT security policies and standards, facilitates cross-functional collaboration for security priorities, and reviews and prioritizes security findings.
Responding To Cyber Security Risks
Like any large company, EMC experiences and successfully defends against numerous cyber-attacks on its IT infrastructure every day. We remain committed to our relentless pursuit of building trust in the digital world and have dedicated ourselves to maintaining the confidence of our customers and partners. Through a rigorous process of regular enhancements to our products and services, we continuously strengthen EMC’s internal security to better protect our business and customers from cyber threats.
IT Proven Program
Through the IT Proven Program, EMC’s GSO implements our security solutions across IT operations throughout the enterprise. By tackling the same problems our customers face, we can test our own products and provide real-world feedback on their performance.
The GSO also develops prototypes of new security solutions for EMC. For example, the GSO developed a Secure Management Infrastructure, using VMware, Cisco, and RSA technology to create a security management portal to manage our data centers.
Protecting Personal Information
At EMC, confidential, personal information may not be used or disclosed except as necessary for legitimate business purposes, such as for human resources and employment functions or as otherwise permitted or required by applicable law. From a data security standpoint, we use state-of-the-art administrative, technical, and physical measures to safeguard confidential, personal, and corporate information.
EMC complies with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information from the European Union and Switzerland. In addition, EMC has been awarded TRUSTe’s Privacy Seal. The seal signifies that the EMC.com privacy statement and EMC’s practices have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements, including transparency, accountability, and choice regarding the collection and use of personal information.
ISO 27001 Certifications
EMC’s security program is based on the ISO 27001 standard for security management systems. We also seek ISO 27001 certification for select business units as the business need arises. Nine business units in four countries are ISO 27001 certified, including all of our RSA data centers servicing the RSA Identity Protection and Verification products.
Partnering for Security in a Changing World
An ongoing challenge for EMC, and all large companies, is implementing security processes for new, rapidly changing technology environments. As our company evolves, we are becoming a hyper-extended enterprise, sharing information with more people and using more technology tools across more geographies than ever before.
Our stringent information security strategy and practices prepare us for this challenge. We also recognize that we don’t have all the solutions, and we are working with partner organizations to address the evolving security landscape. Some of our 2013 initiatives include:
- National Cyber Security Alliance (NCSA) – Through funding and board-level participation, EMC actively supports the NCSA, a nonprofit organization dedicated to promoting Internet safety and security at home, work, and school. For the seventh year in a row, we collaborated with NCSA to celebrate National Cyber Security Awareness Month in October 2013.
- SAFECode – As it relates to product security and privacy, EMC continues to participate with SAFECode, a global organization it helped launch in 2007 that is focused on improving trust in IT products and services. In 2013, EMC contributed to five software development training modules through SAFECode. The modules are free and publicly available and aim to help raise the bar on software development security across the industry. To learn more, visit Product Information Security & Privacy.
- Internet Engineering Task Force (IETF) – EMC supports the development of Internet standards through our work with IETF, an open, international community of IT professionals and researchers concerned with the evolution of Internet architecture and seamless operation. EMC’s involvement continued to grow in 2013 as one of our senior staff was nominated and selected as one of the two area directors for security. EMC will be sponsoring her as she focuses on providing security insight and approval for a new set of IETF standards.
- Open Group – EMC is a member of Open Group, a nonprofit organization working to develop open, secure, vendor-neutral IT standards and certifications. Through the Open Group Trusted Technology Forum (OTTF), EMC is helping the organization to develop solutions for a more trusted global supply chain.
- Computer Security Research Alliance (CSRA) – In 2013, EMC continued to work with CSRA, a nonprofit research consortium it helped found in 2012 that aims to tackle information security challenges. The consortium works closely with industry members, universities, and government agencies to develop breakthrough technologies to improve cyber security.
- Cloud Security Alliance (CSA) – RSA, EMC’s security division, is a member of CSA, a nonprofit industry coalition that promotes best practices in security assurance within cloud computing and provides education on the uses of cloud computing to help secure all other forms of computing. In 2013, we co-created a paper with CSA focused on software development for the cloud. Though the information was already available to CSA employees and a limited number of other parties, it is now accessible to the broader IT industry.
- The Fast IDentity Online (FIDO) Alliance – At the beginning of 2014, RSA joined the Board of the FIDO Alliance to help develop specifications for user authentication that help improve usability, increase security, and ensure user privacy. Our goal is to work with the FIDO Alliance community to create a new “general purpose” open authentication framework that is based on standards and protocols and supported by an interoperable ecosystem of vendors.
- Financial Services – Information Sharing and Analysis Center (FS-ISAC) – Information sharing is a key component of an Intelligence-Driven Security strategy. In 2013, RSA continued its strategic relationship with FS-ISAC’s global operations, including maintaining its Board position with the organization.
- Organization for the Advancement of Structured Information Standards (OASIS) – EMC employees actively participate on several OASIS Technical Committees helping to define industry standards in areas such as security, content management, and cloud computing. These standards help ensure that EMC products are able to interoperate with other systems and products.
- Security for Business Innovation Council (SBIC) – In 2008, EMC formed SBIC, a group of leading security executives from Global 1000 enterprises. SBIC publishes recommendations to help advance information security worldwide. In 2013, we sponsored two reports focused on the transformation of two of the three elements of information security: people and processes. A report focused on the third element, technology, is planned in 2014. To learn more, visit the SBIC website.
To learn more about information security and privacy in our products, visit Our Products and Customers.