1 OVERVIEW
SophosLabs receives malicious code and false positive samples from customers in order to enhance the detection service that Sophos provides. This policy outlines how SophosLabs handles customer data received and processed by it. Such data could be sensitive, confidential, personally identifiable or financial in nature.
SophosLabs uses a “Hub and Spoke” architecture. “Spokes” are self-contained, highly automated components, working autonomously with minimal human interaction that is generally limited to performing maintenance and upgrades. Spokes are located in different countries in Europe, North America, and Asia Pacific, and typically serve their surrounding geographic regions. Spokes do not transfer data they process elsewhere, except in the case of a subset of data which may be transferred to the SophosLabs Hub in circumstances described below. The SophosLabs Hub is Sophos’ permanent repository of threat intelligence data, gathered from different sources and used for improving the protection of Sophos customers. SophosLabs has a single hub located in the UK.
SophosLabs systems and data are hosted in a segregated area which is protected from unauthorised access both physically and electronically. This protects the security and integrity of customer data, and also ensures that the malicious code being handled by SophosLabs is appropriately segmented from public and corporate networks.
Any questions regarding this policy should be directed to the VP Labs or dataprotection@sophos.com.
2 SCOPE
Personnel
This policy applies to all SophosLabs employees and other limited individuals with authorised access, such as employees who manage the hosting infrastructure for SophosLabs.
Data
This policy applies to all file samples and other data provided to SophosLabs by customers ("In-Scope Data"). In-Scope Data is currently received by SophosLabs via the following methods:
a) Customers may elect to submit malicious code and/or false positive samples to SophosLabs via online forms such as https://support.sophos.com/support/s/?language=en_US#t=AllTab&sort=relevancy and https://support.sophos.com/support/s/filesubmission?language=en_US;
b) Files which have been processed and subsequently categorised as malicious by the Sandstorm product are automatically routed to the SophosLabs Hub;
c) If the customer uses Sophos Live Protection and the protected device has identified an object, such as a file or other item (what we refer to as a “Threat Object”) as malware or suspicious, some limited Threat Object metadata or a hashed representation of the Threat Object will be sent to perform a look-up against the SophosLabs database in order to determine or confirm the nature of that Threat Object (e.g. whether it is clean or malicious);
d) If the customer uses a product that offers functionality for submitting samples to Sophos (whether on a manual or automatic submission basis), and the look-up described in (c) above determines that SophosLabs does not already hold a copy of the Threat Object (i.e. the submitted sample), a copy of the customer’s Threat Object will be submitted to SophosLabs for further analysis; and
e) If the customer enables the root cause analysis and/or snapshot sharing features of the Intercept X product, data will be sent to SophosLabs for further analysis.
The customer may elect to disable Live Protection, in-product sample submission, root cause analysis and snapshot sharing within the configuration options for applicable Sophos products; however, it is strongly recommended that the customer enables these features in order to benefit from up-to-date, enhanced protection.
3 EXCEPTIONS
Where there is a business need to be exempted from any of the requirements in this policy (too costly, too complex, adversely impacting other business requirements), authorisation must be obtained from VP Labs and dataprotection@sophos.com. All exemptions must be subject to a risk review.
4 REQUIREMENTS
Access
a) Secure authentication protocols are used to validate user identity prior to enabling access to the physically secured area (and thus any computer in the secured area). Physical security systems will require token, card or biometric authentication to specifically identify the user.
b) Systems require a secure username and password for access which is compliant with Sophos' password policy. These credentials must be unique to SophosLabs and must not be used on any other internal or external systems or services.
c) Systems must be configured to lock after a period of inactivity of no more than 30 minutes.
d) Access to systems will be logged centrally. These logs will be monitored by system owners to identify or prevent unauthorised access attempts. Once discovered, prompt steps will be taken to prevent any further unauthorised access.
e) Access is limited to SophosLabs employees and other limited individuals who need access in order to serve a legitimate business purpose. Approval from SophosLabs management is required to authorise a new individual.
f) Terminated or suspended individuals will have their physical and electronic access blocked. Any passes, devices, codes, passwords and means of obtaining access to such area and such data will be de-activated.
g) SophosLabs management conduct a quarterly review of access entitlements.
h) SophosLabs has a designated area for demonstrations to visitors. Visitors must be escorted by an authorized employee at all times. If you are responsible for escorting visitors, you must restrict them to the section of SophosLabs designated for demonstrations only, in order to avoid exposure of confidential information.
i) If an unknown, unescorted or otherwise unauthorized individual is identified in the physically secured area, SophosLabs management must be notified immediately.
General Security
j) Customer and other confidential data must not be left unattended on desks.
k) SophosLabs management, security@sophos.com and dataprotection@sophos.com must be notified immediately in the event that a device holding data is lost.
l) In-Scope Data is stored on the separate SophosLabs network. Laptops should only be used for the storage of normal business data which is not covered by the scope of this policy.
m) Remote access to In-Scope Data is secured via a two-stage authentication process which firstly requires the user to log onto the corporate network via a laptop and secondly requires the user to log onto the separate SophosLabs network. In-Scope Data will remain on the separate SophosLabs network and the user controls the desktop PC situated within the separate SophosLabs network via the remote laptop.
n) In-Scope Data that must be moved within SophosLabs may only be transferred via approved secure transfer mechanisms. Sophos will provide systems or devices that fit this purpose. You must not use other mechanisms to handle In-Scope Data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with SophosLabs management.
o) Systems must be protected in line with Sophos corporate standards and industry best practice. All company laptops are built with this standard protection. Specifically, the systems must run:
(i) Up-to-date anti-malware protection;
(ii) A firewall;
(iii) Encryption;
(iv) Appropriate patching.
p) Systems which are running a lower protection standard for legitimate business purposes (for example malware analysis requiring emulation of vulnerable systems) must be isolated.
Encryption
q) All In-Scope Data must be protected by encryption as follows:
(i) Sophos encryption products are the selected technical product for encryption of portable media or laptops;
(ii) Backups of SophosLabs data will be encrypted in line with industry best practices and hosted in a physically secured area to protect against the loss of In-Scope Data. Access to the backups will be restricted to a named group of individuals authorised by SophosLabs management;
(iii) Devices hosting data within SophosLabs will use current industry best practice algorithms and cryptographic strength where appropriate;
(iv) Data in transit from the Sophos products to SophosLabs is encrypted using an industry trusted standard.
5 DATA RETENTION
SophosLabs will retain In-Scope Data as follows:
(a) Malicious code samples will be retained indefinitely in order to offer continued protection of customers through regression testing of old malicious samples to prevent loss of detection from updated or new signatures;
(b) A single copy of each file submitted and designated as clean or a false positive by a user will be retained indefinitely in order to protect customers against false positive conviction of valid clean files. Other files detected as clean after analysis will be retained for up to 14 days before being deleted;
(c) Sandbox and EDR samples are retained in the respective Sandbox and EDR environments within the customer’s regional Spoke for up to 30 days, whereupon clean files are deleted and convicted files are sent to the SophosLabs Hub and retained in accordance with (a) above. The customer ID code is not submitted to SophosLabs with the convicted file;
(d) If data received is a repeat sample of a file which is already held by SophosLabs, Sophos will retain only one logical master copy;
(e) Threat Object metadata follows the retention period of the associated Threat Object. In some cases, SophosLabs may retain some of such metadata for up to 6 months for research purposes, regardless of whether the associated Threat Object was convicted or detected as clean; and
(f) On occasion, Threat Objects and associated metadata that have been submitted manually by the customer and that require deeper manual inspection may be retained for up to 6 months.
6 RESPONSIBILITIES
Employees in scope will be provided with security awareness training to ensure they are aware of the behaviours, practices and procedures required by this policy.
You have a responsibility to uphold this security policy. If you find a system or process which you suspect is not compliant with this policy you have a duty to inform SophosLabs management so that they can take appropriate action.
7 OWNER & APPROVAL
VP Labs is the owner of this document and is responsible for awareness and compliance among members of the SophosLabs team.
This policy was approved by the Legal department and is issued on a version controlled basis. A current version of this document is published at https://www.sophos.com/legal.
Last updated 22 April 2019