Software Security, Compliance and Information Security
OUR COMMITMENT TO YOU
At Nozomi Networks, we know you rely on our technology to protect some of the largest and most complex industrial environments in the world.
To continue earning your trust every day, you can count on us to develop, deliver and operate security and visibility products for operational technology systems with the highest achievable level of quality, security, integrity and availability.
We also strive to protect corporate information, personal information, and customer data against loss, unauthorized access and disclosure.
To deliver on our commitment to you, we rigorously follow industry best practices and regulatory guidelines related to product security and information security.
Within our software development life cycle and after release, we utilize several processes to identify potential product security issues:
- Adhere to the international standard ISO 9001:2015 for quality management and versioning conventions to ensure consistency, traceability and reproducibility
- Follow best practices for secure software development, according to the ISO 27001:2013 standard
- Conduct internal vulnerability assessments on the continual build process
- Scan our entire code base regularly with automated tools to find potential vulnerabilities
- Monitor disclosures related to third-party software used in our operating system
- Ship our system image with a hardened and continually tested configuration
- Use third parties to scan our product for potential vulnerabilities after release
- Provide checksums of the compiled code for customer validation
Incident Response Team
After release, the Nozomi Networks Product Security Incident Response Team (PSIRT) is responsible for coordinating the investigation of any potential vulnerability in our products. If a security researcher discovers a potential vulnerability or security risk in one of our products, the PSIRT works with the engineering team to investigate the issue and identify any remediation when appropriate (our Incident Response Policy describes our approach in more detail). Nozomi Networks customers can contact the Nozomi Networks PSIRT directly using our GPG key to report any emerging vulnerabilities in their specific environments.
Remediation can be in the form of a software update and/or a temporary workaround. We tightly control information about any potential issue until remediation is available, to avoid exposing our customers to security threats while a fix is in development.
Once we make a solution available, we notify our customers about the issue and update the Security Portal.
To secure all information assets, which includes all data we may collect from our customers, we use the Information Security Management System (ISMS) in support of the international standard ISO/IEC 27001:2013. To preserve the confidentiality, integrity and availability of our information, we have established and enforce a range of policies and procedures.
These policies and procedures include:
- General security requirements for the protection of information assets
- Restrictions on access and use of information assets
- Definition of roles and responsibilities for the protection of information assets
Nozomi Networks information protection policies include the following:
- Acceptable Use of Technology
- Access Control
- Data Handling
- Data Management and Retention
- Human Resources Security
- Information Asset Change Management
- Operations Security
- Password Security
- Personal Data
- Physical Security
- Security Incident Management
- System Configuration
- System Development and Maintenance
- Third Party Supplier Management
Use of Third Parties
At Nozomi Networks we are very aware of the potential risks introduced by supply chain dependencies. We develop all of our software products in-house. Where our products rely on third-party code to operate, we have customized our systems to minimize its use and our risk exposure.
We assess all third-party products and providers associated with our business operations with a comprehensive due diligence program.
We carefully select, screen and evaluate our Nozomi Networks employees against the ethical standards of the company. We seek and retain top cybersecurity talent from around the world to contribute to the development of our products and the security of our network infrastructure.
They also deploy our product into our customers’ networks, investigate incidents affecting our customers, and conduct research into the latest threats and trends. The combined result of different teams’ efforts is that we have developed additional proprietary and non-public methods of protection against cyber threats.
These methods enhance the cybersecurity of the product and network security processes and policies described above.
Compliance and Certifications
We are committed to complying with relevant regulatory standards and industry best practices that improve security for critical systems. Our initiatives in this area include:
ISO 9001:2015 Certified
Nozomi Networks has certified quality management systems that demonstrate our ability to consistently provide products and services that meet customer and regulatory requirements.
ISO 27001:2013 Certified
Nozomi Networks has certified information security management systems that show that we do as much as possible to reduce identified risks to an acceptable level and manage them effectively.
IEC 62351 TC57 WG15
Nozomi Networks actively contributes to this standard, which defines secure-by-design components for power grids. Examples include end-to-end encryption, user and identity management, and network monitoring systems.
ISA Global Security Alliance (GSA)
Nozomi Networks is a founding member of this group, which is dedicated to advancing the adoption of the ISA/IEC 62443 automation and control systems cybersecurity standards.
SOC 2 Type 1 & 2 Certification
Security Visa for ANSSI-CSPN Certification
Nozomi Networks Guardian sensors have undergone rigorous auditing and testing by the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) and have been awarded the Security Visa for CSPN certification for the Guardian NSG-M (product version 21.3, certification report ANSSI-CSPN-2021/28).
Software Bill of Materials
If you are a customer and you would like to request an SBOM for our products, please visit our support portal.