Product Information Security & Privacy
EMC and RSA, the security division of EMC, are guiding our customers and the industry toward a new strategy that focuses on the essential capabilities for protecting an organization’s most valuable cyber assets. Traditional security practices concentrate more on defending a well-defined organizational perimeter with preventative controls and tools (firewalls, anti-virus, intrusion-detection systems, etc.). That approach has been rendered moot as the perimeter has been eroded by the pervasive adoption of cloud-based applications and mobile devices.
Today’s business and IT practices, joined with a more dangerous threat landscape, require organizations to move beyond merely attempting to prevent network intrusions to rapid detection of and effective response to attacks before they result in damage or loss. This prevention, detection and response strategy provides organizations with the ability they need to defend themselves from external or internal threats.
RSA provides the products and services companies need to gain that visibility, analysis and ability to act by focusing on the following areas:
- Advanced Security Operations
- Identity and Access Management
- Governance, Risk and Compliance
- Fraud and Risk Intelligence
As a provider of information infrastructure products, it is also critical for EMC to establish processes that ensure our own products and services are resilient against cyber-attacks. Our Product Security Office leverages advanced security engineering and secure supply chain practices to minimize the risk of vulnerabilities in our products.
Secure Product Development
EMC’s Product Security Office promotes secure development via a set of requirements integrated into a product security standard. We apply this standard through specification, design, development, documentation, testing, readiness and vulnerability response, in order to minimize risk in our products.
When security issues do arise, EMC’s Product Security Response Center proactively alerts our customers. We issue EMC Security Advisories to notify customers about potential vulnerabilities and provide corrective measures before adversaries are able to exploit the situation.
To learn more about EMC’s approach to product security, visit emc.com/security.
Secure Supply Chain
EMC’s security strategy manages the risk of counterfeit or malicious components across the full supply chain and encompasses credentialing, supplier management, secure product development lifecycle, the protection of intellectual property, and support and service delivery capabilities. This program complements our existing controls for secure product development, and helps ensure we deliver trustworthy products to our customers.
To learn more, visit Supply Chain.
Compliance and Risk Management
We engage risk practitioners from across our organization through our Governance, Risk and Compliance (GRC) framework that spans our business units, functions and geographic locations. Reporting to the EMC Management Risk Committee, the Enterprise GRC council drives our enterprise risk management program, provides a point of strategic governance, and initiates policies to drive compliance across the organization. GRC Councils at the various enterprise, business unit and function levels meet monthly or more frequently based on the needs of specific initiatives including information security and privacy. Each of EMC’s product business units, as well as our geographical regions, has a risk assessment program that reports outcomes into the GRC framework. We utilize the RSA Archer® eGRC software as a common platform to gather, monitor and report on risks and controls throughout the company. The EMC risk management platform supports over 20 separate risk program processes within a centralized database that offers executive and board level reporting.
RSA’s GRC team advises on compliance with data security requirements including PCI, ISO 27001 and SSAE-16 in RSA’s Software as a Service (SaaS) environment.
To learn more, visit Risk Management.
Partnering to Advance Security
As with any company today, one of the ongoing challenges for EMC and its divisions is maintaining and enhancing our security processes in technology environments that are constantly new and changing. As our company evolves, we are becoming a hyper-extended enterprise, sharing information with more people and using more technology tools across more geographies than ever before.
Our stringent information security strategy and practices – including the compliance and risk management approach mentioned above – continue to prepare us for this challenge.
We also recognize that we don’t have all of the answers and we are working with partners to address the evolving technology landscape. EMC continues to participate with SAFECode, a global organization it helped launch in 2007 that is focused on improving trust in IT products and services. In 2015, EMC’s Senior Director of Product Security Eric Baize was elected Chairman of SAFECode. Additionally, EMC coauthored a SAFECode whitepaper, “Principles for Software Assurance Assessment,” and was a major contributor to the 12 free, publicly available software development training modules through SAFECode. These modules are free and publicly available and aim to raise the bar on software development security across the industry.
To learn more about 2015 partnerships, visit Information Security & Privacy in Our Operations.