Software Security, Compliance and Information Security

At Nozomi Networks, we know you rely on our technology to protect some of the largest and most complex industrial environments in the world.

To continue earning your trust every day, you can count on us to develop, deliver and operate security and visibility products for operational technology systems with the highest achievable level of quality, security, integrity and availability.

We also strive to protect corporate information, personal information, and customer data against loss, unauthorized access and disclosure.

To deliver on our commitment to you, we rigorously follow industry best practices and regulatory guidelines related to product security and information security.

Software Security

Within our software development life cycle and after release, we use several processes to identify potential product security issues:

Adhere to the international standard ISO 9001:2015 for quality management and versioning conventions to ensure consistency, traceability and reproducibility

Scan our entire code base regularly with automated tools to find potential vulnerabilities

Use third parties to scan our product for potential vulnerabilities after release

Follow best practices for secure software development, according to the ISO 27001:2013 standard

Monitor disclosures related to third-party software used in our operating system

Provide checksums of the compiled code for customer validation

Conduct internal vulnerability assessments on the continual build process

Ship our system image with a hardened and continually tested configuration

Incident Response Team

After release, the Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for coordinating the investigation of any potential vulnerability in our products. If a security researcher discovers a potential vulnerability or security risk in one of our products, the PSIRT works with the engineering team to investigate the issue and identify any remediation when appropriate (our Incident Response Policy describes our approach in more detail). Nozomi Networks customers can contact the Nozomi Networks PSIRT directly using our GPG key to report any emerging vulnerabilities in their specific environments.

Remediation can be in the form of a software update and/or a temporary workaround. We tightly control information about any potential issue until remediation is available, to avoid exposing our customers to security threats while a fix is in development.

Once we make a solution available, we notify our customers about the issue and update the Security Portal.

Information Security

To secure all information assets, which include all data we may collect from our customers, we operate an Information Security Management System (ISMS) aligned with the international standard ISO/IEC 27001:2013. To preserve the confidentiality, integrity and availability of our information, we have established and enforce a range of policies and procedures.

These policies and procedures include:

General security requirements for the protection of information assets
Restrictions on access and use of information assets
Definition of roles and responsibilities for the protection of information assets

Nozomi Networks information protection policies include the following:

Human Resources Security
Information Asset Change Management
Operations Security
Password Security
Personal Data
Acceptable Use of Technology
Access Control
Data Handling
Data Management and Retention
Encryption
Physical Security
Security Incident Management
System Configuration
System Development and Maintenance
Third Party Supplier Management

Use of Third Parties

At Nozomi Networks we are very aware of the potential risks introduced by supply chain dependencies. We develop all of our software products in-house. Where our products rely on third-party code to operate, we have customized our systems to minimize its use and the associated risk exposure.

We assess all third-party products and providers associated with our business operations with a comprehensive due diligence program.

Our Employees

We carefully select, screen and evaluate our Nozomi Networks employees against the ethical standards of the company. We seek and retain top cybersecurity talent from around the world to contribute to the development of our products and the security of our network infrastructure.

They also deploy our product into our customers’ networks, investigate incidents affecting our customers, and conduct research into the latest threats and trends. The combined result of different teams’ efforts is that we have developed additional proprietary and non-public methods of protection against cyber threats.

These methods enhance the cybersecurity of the product and network security processes and policies described above.

Compliance and Certifications

We are committed to complying with relevant regulatory standards and industry best practices that improve security for critical systems. Our initiatives in this area include:

ISO 9001:2015 Certified

ISO 27001:2013 Certified

Nozomi Networks has a certified information security management system, demonstrating that we do as much as possible to reduce identified risks to an acceptable level and manage them effectively.

ISO 27001:2013 Certificate – IQNet
ISO 27001:2013 Certificate – SQS

IEC 62351 TC57 WG15

Nozomi Networks actively contributes to this standard, which defines secure-by-design components for power grids. Examples include end-to-end encryption, user and identity management, and network monitoring systems.

ISA Global Security Alliance (GSA)

Nozomi Networks is a founding member of this group, which is dedicated to advancing the adoption of the ISA/IEC 62443 cybersecurity standards for industrial automation and control systems.

SOC 2 Type 1 & 2 Certification

Nozomi Networks achieved SOC 2 Type 1 certification in August 2021 and SOC 2 Type 2 certification in March 2022. For the latest available SOC 2 Type 2 report, contact compliance@nozominetworks.com.

Security Visa for ANSSI-CSPN certification

Nozomi Networks Guardian sensors have undergone rigorous auditing and testing by the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), and the Guardian NSG-M has been awarded the Security Visa for CSPN certification (product version 21.3, certification report ANSSI-CSPN-2021/28).

Software Bill of Materials

If you are a customer and you would like to request an SBOM for our products, please visit our support portal.