www.symanteccloud.com
Table of Contents
Scope of this document
Data security
Human Resources
Customer assurance
Microsoft Secure Development Lifecycle (SDL) processes, which are formally documented and mandated
by policy. Practices such as threat modelling and enumeration of the attack surface are used.
Detailed security testing during development. This includes testing against abuse cases as well as the more
traditional use cases: abuse cases specify what the system must not do, use cases what it should do.
After code is released from development, the Quality Assurance group carries out its own independent
security testing.
Major enhancements and new systems or services are subject to a security review by an industry-leading
independent third party, including code review, design analysis and black-, white- or grey-box penetration
testing as appropriate.
All administrative activity is carried out over a segregated Management Network, which runs over encrypted
site-to-site IPsec VPNs. In addition, protocols such as RDP over SSL and SSH v2 are used to add a
further layer of protection.
ClientNet implements granular, role-based access restrictions, configured and managed by each customer.
Network Operations Center (NOC) engineers and analysts are subject to background checks.
NOC engineers and analysts receive role-based security training, including mandatory annual Security
Awareness training.
Privileged activity on all Linux systems is associated with a named account and centrally logged; regular log
reviews are conducted. Permissions are granular, ensuring correct privileges for differing support tiers. No
direct root logins are permitted.
System access privileges are regularly reviewed, verifying that correct account management has been
applied to employees who have changed roles or left the organization.
Multi-factor authentication (e.g. smartcard or biometric technologies) for access to our dedicated suites and
cages.
All site visitors must be on a pre-approved list held by the facility operator.
Centrally-monitored fire detection and suppression; intruder and movement sensors and alarms.
Our own independently operated CCTV monitoring system, in addition to the facility operator's systems.
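Added example, not part of the Symantec.cloud document: a POSIX shell audit of the host settings behind two of the controls listed above, SSH v2 only and no direct root login (operators log in as named users and elevate through sudo, so privileged commands remain attributable to a person). The file paths, the group name ops and the sample configuration files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from the Symantec.cloud document. Checks an
# sshd_config for "SSH v2 only" and "no direct root login", and a sudoers file
# for an explicit command log. All paths, group names and sample files below
# are constructed for the example.

# Print the value of the first uncommented occurrence of an sshd_config keyword.
# sshd uses the first occurrence of a keyword, and directives after a Match
# block apply only conditionally, so stop at the first Match line. Keywords are
# case-insensitive; callers lower-case the value where it matters.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# 0 when direct root login is fully disabled. If the directive is absent,
# OpenSSH 7.0+ defaults to "prohibit-password", which still allows key-based
# root login, so only an explicit "no" passes.
root_login_disabled() {
    v=$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# 0 when only SSH protocol 2 is offered. Modern OpenSSH no longer implements
# protocol 1 and ignores the keyword, so an absent directive also passes.
ssh_v2_only() {
    v=$(sshd_directive "$1" Protocol)
    [ -z "$v" ] || [ "$v" = "2" ]
}

# 0 when sudoers writes a local command log in addition to syslog (sudo logs
# to syslog unless "!syslog" is set). Matches "Defaults ... logfile=" only.
sudo_logfile_set() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]].*logfile=' "$1"
}

# Demo against constructed configuration files in a temporary directory.
audit_demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_weak" <<'EOF'
# constructed: root may still log in with a key, and SSH v1 is offered
Protocol 2,1
PermitRootLogin prohibit-password
EOF
    cat > "$dir/sshd_hardened" <<'EOF'
# constructed: named users only, SSH v2 only; Match block is ignored by the check
Protocol 2
permitrootlogin No
PasswordAuthentication no
Match Group ops
    AllowTcpForwarding no
EOF
    cat > "$dir/sudoers" <<'EOF'
# constructed: ops group elevates through sudo, commands logged to a file
Defaults logfile=/var/log/sudo.log, log_input, log_output
%ops ALL=(ALL) ALL
EOF
    for f in sshd_weak sshd_hardened; do
        if root_login_disabled "$dir/$f"; then r=pass; else r=FAIL; fi
        if ssh_v2_only "$dir/$f"; then p=pass; else p=FAIL; fi
        printf '%s: PermitRootLogin=%s Protocol=%s\n' "$f" "$r" "$p"
    done
    if sudo_logfile_set "$dir/sudoers"; then
        echo "sudoers: local logfile set"
    else
        echo "sudoers: no local logfile"
    fi
    rm -rf "$dir"
}

audit_demo
```

The check deliberately fails a config that merely omits PermitRootLogin, since the OpenSSH default still admits root with a key; that is the case most often missed when a host is claimed to forbid direct root login.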
Data security
Customers' fundamental concern is the security of their data. Logical controls over data include:
Formal Change Control policy and procedures that strictly enforce criteria that must be met before changes
are made to production systems. Criteria include peer review, sign-off by system owners and a roll-back
plan. A formally constituted Change Approval Board meets weekly. Provision is made for emergency
changes to be made out-of-cycle, although stringent review processes are still enforced.
Regular Access Entitlement Reviews to ensure only authorized personnel have access to systems which
process customer data.
Broken or obsolete media such as server hard drives from systems that have handled either customer data
or Symantec proprietary information are physically destroyed through secure channels.
Human Resources
The Human Resources department maintains an ISO 27001 certification covering its on-boarding and
terminations processes and related HR controls pertinent to .cloud.
The HR Department has also completed a Safe Harbor compliance program and is applying for Safe Harbor
self-certification registration.
The Legal Department operates mandatory annual CBL training covering subjects including the handling of
confidential data, information security, and privacy / data protection. Passing an exam at the end of the
training is a mandatory requirement.
Customer assurance
Our customers demand high levels of assurance about our security standards. To meet this demand,
Symantec.cloud has:
ISO/IEC 27001 certification covering the entire Operations Department, which includes all production
infrastructure.
The ISO 27001 certification scope reads: "The Symantec.cloud ISMS scope applies to the people, processes
and technology within Symantec.cloud Operations for the delivery of the Symantec.cloud Web, Email,
Instant Messaging, End Point and Back Up services. This is in accordance with the Statement of
Applicability v1.4."
All US data centers hold current SAS 70 Type II or the updated SSAE 16 accreditations. Data centers
located on the European continent are ISO/IEC 27001 certified.
As a publicly traded US-based corporation, Symantec is subject to Sarbanes-Oxley audits as well as a wide
variety of other regulatory requirements, both internal and external.
A comprehensive Data Protection and Privacy Audit of Symantec.cloud has been conducted by a major
global audit firm as part of an annual cycle of ISAE 3000 audits.
Symantec operates a number of independent internal groups to ensure strong governance and
management of information security and other risks, including Customer Assurance, an Information Security
Department, a Trade Compliance group and an independent Ethics and Compliance team, a Privacy and
Data Protection Team, Corporate Risk Assurance, and Legal.
United States
Australia: Level 14, 207 Kent Street, NSW 2000 Sydney, Australia
Austria: Wipplinger Strasse 34, 1010 Wien, Austria
Belgium/Luxembourg: Telecom Gardens, 3rd floor, Medialaan 38, 1800 Vilvoorde, Belgium
Canada
Denmark: Sales +45 33 32 37 18; Support +45 88 71 22 22, +44 (0) 870 850 3014; Main +45 33 32 37 18
France: 17 avenue de l'Arche, Tour Ege, 92671 Courbevoie, France; Sales +33 1 41 38 57 00; Support +44 (0) 870 850 3014, +44 (0) 1452 627766; Main +33 1 41 38 57 00
Germany: Konrad-Zuse-Platz 2-5, 81829 Munich, Germany
Hong Kong: Room 3006, Central Plaza, 18 Harbour Road, Tower II, Wanchai, Hong Kong
India: Support 000-800-001-6406; Main +91 22 3067 157
Italy: Via Rivoltana 2/d, 20090 Segrate (MI), Italy
Japan: Akasaka Intercity, 1-11-44 Akasaka, Minato-ku, 107-0052 Tokyo, Japan; Sales 0120-47-4220; Support 03-5114-4600; Main +81 3 5114 4540; Fax +81 3 5114 4020
New Zealand
Norway
Singapore: 6 Temasek Boulevard, #11-01 Suntec Tower 4, 038986 Singapore, Singapore
Spain: Paseo de la Castellana 35, Planta Baja, 28046 Madrid, Spain
Sweden
Taiwan: 2F-7 No.188, Sec.5, Nanjing E.Road, 105 Taipei, Taiwan
© Symantec 2012. All rights reserved.