Nozomi Networks is committed to maintaining customer trust. This addendum describes and summarizes the minimum-security standards that Nozomi Networks maintains in order to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft, loss, or manipulation.
In addition, the administrative, technical, logical and physical controls as well as third party security audit certifications, that are applicable to the Nozomi Networks SaaS and IT Services are described and summarized below.
Overview of Security Organization & Program
Established control framework based on cyber-risk-based assessment security program.
Framework includes administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, integrity, and availability of Customer Data.
The Compliance group is responsible for Nozomi Networks’ security and compliance program. This team conducts, facilitates and supports independent audits and assessments by third parties.
The security framework is based on the ISO 27001 Information Security Management System (ISMS) and includes programs covering Policies and Procedures for: Acceptable Use of Technology & Cloud Services, Access Control, Asset Management, Business Continuity, Change Management, Cryptography, Data Management and Retention, Data Breach, Encryption, Human Resources Security, Password Security, Physical Security, Operations Security, Security Incident Management, System Configuration, System Development and Maintenance, Teleworking, Supplier Management, Vulnerability and Patch Management.
Security is represented at the highest levels of the company, with Nozomi Networks’ CTO and Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Information security policies and standards are reviewed and approved by management at least annually and are made available to all Nozomi Networks employees.
Nozomi Networks has controls in place to maintain the confidentiality of Customer Data that our customers make available to Nozomi services, in accordance with the Agreement.
Specifically, Nozomi Networks’ established control frameworks include the following:
1. People Security
- Background checks in accordance with applicable local laws. The checks cover: education and previous employment, and professional references.
- Criminal, credit, immigration, and security checks in accordance with local labor law or statutory regulations.
2. Employee Training
- Security and privacy training, security policies, security best practices, and privacy principles.
- Phishing awareness campaigns and communicating emerging threats to employees.
3. Third-Party Supplier Management
- Security-risk based assessments of suppliers to assess compliance with Nozomi Networks security requirements.
- Periodic review of each supplier for security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements.
- Requirements of Customer Data returned and/or deleted at the end of a supplier relationship.
- Written agreements with all of its suppliers, which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Customer Data that these suppliers may process.
Nozomi Networks is compliant with the following certifications:
- ISO/IEC 27001:2013 certification. ISO 27001 is a globally recognized information security standard that outlines the requirements for an organization’s information security management system (ISMS).
- ISO 9001:2015 certification. ISO 9001 is defined as the international standard that specifies requirements for a quality management system (QMS). The QMS is designed to organize processes, improve the efficiency of processes and continually improve.
Nozomi Networks has committed to, and is planning to obtain the following security-related certifications for the Nozomi Networks SaaS, aka “Vantage”:
- System and Organization Control (“SOC”) 2 – Type I & II
Nozomi Networks will obtain SOC 2 – Type I & II certification for Nozomi Networks Services described as “OT, IoT Security and Visibility Services” by the end of 2021. The scope SOC 2 Type I & II certification addresses trust services principles and criteria (security, availability and confidentiality), maintained by independent and annual validation of safeguards for production service operations, backup and recovery procedures, software development processes, and logical security controls.
The Nozomi Networks OT, IoT Security and Visibility Services use and leverage AWS data centers. Information about AWS certifications are available at AWS Compliance.
5. Architecture and Data Segregation
- Vantage SaaS is cloud-native, hosted by Amazon Web Services (“AWS”), and utilizes select provider technologies for development, service provisioning and management.
- The regional location of the AWS data centers is customer selectable.
- All compute environments are logically isolated using Virtual Private Cloud (VPC).
- Network segregation is applied using different security zones in the production, staging, test, development and corporate environments.
- Vantage SaaS separates Customer Data using logical identifiers tagging all communications data with the associated Customer ID.
- APIs are designed to identify and allow access only to and from unique tags and enforce access controls to ensure the confidentiality and integrity requirements for each Customer are appropriately addressed.
- Strong controls are in place so one customer’s communications cannot be accessed by another customer.
- For Vantage SaaS and corporate IT Services, all network access to production networks is restricted.
- Corporate IT Services are located at the corporate headquarters office (Mendrisio, CH). The are no VPN connections to the production networks.
- Firewalls are in place to allow only authorized services to interact in the production network.
- Firewall rules are reviewed regularly.
6. Security by Design
The development lifecycle defines the process to release secure products. Product security engineers perform numerous activities and apply proven security measures, including:
- Consistent use of purpose-built and hardened AMI’s and OS images.
- Continual assessment of third party components.
- Internal security reviews before products are released.
- Development and training of software engineering teams for secure coding practices.
7. Access Controls
- Least privilege principle for system access is applied throughout.
- Authorized access Customer Data is enforced based on job function, role and responsibilities.
- Access requires approval of the employee’s manager.
- Access rights to production environments are reviewed at quarterly.
- Access to Customer Data is promptly removed upon termination of the employment.
- Logs of privileged actions and changes in the production environment are monitored.
- Detection of any deviation from internal technical standards that could indicate anomalous/unauthorized activity are in place.
8. Physical Security
- Headquarters and office spaces have a physical security program that manages visitors, building entrances. Visual surveillance systems are deployed for all egress areas.
- All employees, contractors and visitors are issued and must carry identification badges.
- All visitors and contractors are required to present identification and escorted by authorized staff.
9. Password Controls
- Authorized users must have a unique username and password.
- Multi-factor authentication is implemented throughout and wherever possible.
- Password requirements are enforced according to policies, exceeding minimal best-practice requirements.
10. Change Management
- Formal change management process is embedded in the product release process, applications and system software.
- Infrastructure change requests are recorded using a formal, auditable, system of record.
- High-risk changes are subjected to special assessment for impact and risk.
- Deployment into production requires review, testing, appropriate approvals and roll back procedures.
11. Encryption in Transit
- Vantage SaaS services supports TLS 1.2 for encryption.
- Corporate IT uses supplier provided implementation of TLS 1.2 for all customer and data communications (Microsoft Office365, Salesforce, Dropbox).
12. Vulnerability Management
- Assessment of security vulnerabilities are conducted on a continual basis. Remediation activities are balanced with risk and the business/operational requirements.
- Third-party vulnerability assessments tools are deployed for continuous scans of dependencies used in product services.
- Critical software patches are evaluated, tested and applied proactively.
- For Vantage SaaS, all patches are applied through the controlled regeneration of service components and deployed to all customer facing instances.
13. Penetration Testing
- Independent and period penetration tests are conducted for all products and application-level services.
- Results of penetration tests are prioritized, triaged and remediated promptly by the DevOps Engineering teams.
14. Security Incident Management
- Security incident management policies and procedures are in place and periodically tested.
- The minimal retention of operational security logs is for 90 days.
- The Product Security Incident Response Team (PSIRT) assesses the threat of all relevant or reported product vulnerabilities or security incidents and establishes remediation and mitigation actions for all reports. See Nozomi Networks’ PSIRT and Incident Response notification programs.
- All security incidents will be investigated promptly: To the extent that is permitted by applicable law, we promptly notify our customers. Customers will receive notification via email to the registered contact of the Nozomi Networks product.
15. Resilience and Service Continuity
- The infrastructure for both the Vantage SaaS and IT Services is designed for high availability and resiliency.
- Vantage leverages AWS-provided cloud-native database technology to achieve rapid scaling, clustering, replication and automation.
- Vantage SaaS spans multiple AWS availability zones in geographic regions physically separated from one another.
- Vantage SaaS leverages specialized tools to monitor server performance, data, and traffic load capacity within each availability zone and processing centers.
16. Backups and Recovery
- Regular backups customer account information, data collections, and other critical data using Amazon cloud storage are performed.
- Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.