SophosLabs Information Security Policy

Learn how Sophos protects personal information that may be transmitted to Sophos Labs.

This is an externally available copy of the policy. It contains the same stance as the internal security policy, but does not link to internal resources and guidance. Any questions regarding the scope or implementation of this policy should be directed to the Sophos legal team at legal@sophos.com.

1.0 Purpose

Sophos must protect against the loss of data to protect the rights of customers and to ensure compliance with information security requirements. The protection of in scope data is a critical business requirement, yet flexibility to access data for legitimate business purpose is also critical. This policy outlines requirements for the handling of data in SophosLabs and supporting functions like Support or IT that may have access to data included in the scope of this policy.

2.0 Scope

1. All data provided to SophosLabs by customers and third party sources.

2. All employees interacting with data as defined in item 1, particularly SophosLabs staff and those in Support, IT or GEO who handle data or infrastructure that hosts data.

3. Exemptions: Where there is a business need to be exempted from this policy, a risk assessment must be conducted and authorised by security management. See Risk Assessment Policy and Written Information Security Program.

3.0 Policy

3.1 Policy - Employee Requirements

1. If you identify an unknown, un-escorted or otherwise unauthorized individual in the physically secured area you need to notify SophosLabs management and security immediately.

2. Visitors to SophosLabs must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to the section of SophosLabs designated for demonstrations to avoid exposure of confidential information.

3. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by Sophos. For example, the use of external e-mail systems not hosted by Sophos is not allowed.

4. To maintain information security you need to ensure that in scope data is not left on your desk unattended.

5. You need to use a secure password on all Sophos systems as per 3.2 item 5. These credentials must be unique and must not be used on other external systems or services.

6. Terminated employees will be required to return all records, in any format, containing personal information.

7. You must immediately notify a SophosLabs manager in the event that a device holding data is lost (storage devices, laptops, etc.).

8. You have a responsibility to uphold the security policy outlined in 3.2 below. In the event that you find a system or process which you suspect is not compliant with this policy you have a duty to inform SophosLabs management so that they can take appropriate action.

9. During the course of your work you may identify information which appears to be sensitive, confidential, personally identifiable or financial in nature. If you are concerned that the identified data falls into these categories or may have broader privacy implications, you must raise this with SophosLabs management. SophosLabs management can take appropriate action to protect the data and advise you on how to proceed. The SophosLabs Information Security Policy training covers the types of data of concern in more depth.

10. If you have been assigned the ability to work remotely you must take extra precautions to ensure that data is appropriately handled. You must validate that you are in compliance with the policy outlined in 3.2. Furthermore, you need to follow these rules for safe working:

i. Please ensure that you minimise the period for which you host in scope data on your local system. Once you have finished interacting with the data please ensure that it is committed back to the physically secured area.

ii. When travelling with a system that has access to in scope data you need to ensure that you understand the regulations of countries to which you are travelling. For example, some countries mandate the right to audit your system or to confiscate it. Where travel to such countries is required you need to ensure that in scope data is not held on the system in question. If you have concerns regarding your responsibilities when travelling to such locations please contact the Sophos legal team.

iii. You need to ensure that your device is physically secured when not monitored. For example, avoid leaving your devices in visible places where theft could obviously occur – such as in clear view in a hotel or a car.

11. Data that must be moved within SophosLabs is to be transferred only via business provided secure transfer mechanisms. Sophos will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with SophosLabs management.

12. Any information being transferred on a portable device (mass storage device, or a laptop for example) outside SophosLabs or across a public network must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from a SophosLabs manager.

3.2 Policy - Sophos requirements and standards

1. SophosLabs will have a designated area for demonstrations to visitors, which limits exposure to information from customers or other analyst data.

2. Employees in scope will be provided with security awareness training to ensure they are aware of the behaviours, practices and procedures required by this policy.

3. SophosLabs systems and data will be hosted in an area of physical security. Access to SophosLabs is limited to those who need access in order to serve a legitimate business purpose. Approval from SophosLabs management and HR is required to authorise a new individual.

4. Secure authentication protocols will be used to validate the user identity to gain access to the physically secured area (and thus any computer in the secured area). Physical security systems will require token, card or biometric authentication to specifically identify the user.

5. SophosLabs systems will require a secure username and password for access. This username and password must be compliant with Sophos' password policy, which is linked in the internal version of this policy together with further advice on selecting a strong password.

6. Systems in SophosLabs must be configured to lock after a period of inactivity of up to, but no longer than, 30 minutes. After three failed attempts to unlock a system, the account will be blocked or disabled and access denied until security staff investigate the incident and re-authorize the account.

7. Access logs for systems and physical security will be logged centrally. These logs will be monitored by system owners to identify or prevent unauthorised access attempts. Once discovered, prompt steps will be taken to prevent any further unauthorised access.

8. SophosLabs will routinely receive malicious code samples for which there are legitimate business requirements to hold the data. Sensitive or confidential data may be received which does not have business application, or where specific handling is required given the nature of the data. As per section 3.1, employees will identify such data to SophosLabs management. Where data is identified and there is no appropriate business purpose, the data must be permanently purged. Where there is a business purpose but the data is particularly sensitive, the data must be stored with restricted access rights.

i. SophosLabs will store data for as long as is appropriate where used for legitimate business purposes. When data is no longer required for a legitimate business purpose, it will be permanently purged.

ii. SophosLabs will hold malicious code samples indefinitely as they continue to have legitimate business purpose for protection of our customers.

iii. SophosLabs will hold metadata regarding malicious code samples (submitting customer details for example) for a period of 12 months, after which it will be removed.

iv. Where in scope data is identified that does not hold appropriate business purpose it will be purged within 30 days of its discovery.

9. All data provided must be held on systems protected by encryption.

10. Backups of SophosLabs data will be encrypted in line with industry best practices and hosted in an area of physical security to protect against the loss of in scope data. Access to the backups will require authorisation by SophosLabs management and will be restricted to a named group of individuals, enforced by encryption.

11. Terminated employees, or those suspected of misconduct, will have their physical and electronic access to the physically secured area and the applicable data immediately blocked. Any passes, devices, codes, passwords and other means of obtaining access to that area and that data will be immediately de-activated by HR. SophosLabs management is required to notify HR, who will work with IT to revoke access as appropriate.

12. HR will conduct a quarterly audit of the access records to confirm that all IT/SophosLabs held access records are in compliance.

13. Data that must be moved within SophosLabs is to be transferred only via business provided secure transfer mechanisms. Portable devices used to transfer data will be marked for lab use and must not leave the physically secured area. SophosLabs will provide secure transfer mechanisms for employees.

14. SophosLabs systems handling sensitive data and malicious code will be appropriately segmented from public and corporate networks to ensure that the data cannot be exfiltrated.

15. SophosLabs systems hosting personal information (broadly, data collected from customers) must be protected in alignment with Sophos corporate standards and industry best practice. Specifically, the systems must:

i. Run up to date anti-malware protection

ii. Run a firewall

iii. Use encryption

iv. Be appropriately patched

16. Systems which are running a lower protection standard for legitimate business purposes (malware analysis for example requiring emulation of vulnerable systems) must be isolated to mitigate the additional risk.

4.0 Technical Guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific. These apply in the event that data must be encrypted, or purged as referenced in the policy.

1. Sophos encryption products are the selected technical product for encryption of portable media or laptops where required by the policy.

2. Devices hosting Sophos data will use algorithms and key strengths that reflect current industry best practice.

3. Data transported to Sophos will meet the following standards:

i. Encrypted using AES256 or an equivalent industry trusted standard.

ii. Use public key encryption so that the data can only be decrypted by SophosLabs.

4. Implementation must pass a Sophos engineering security review.

5. Data will be purged using a secure shred operation on the files or disks as appropriate. A secure shred overwrites the data a minimum of 3 times before removal.

5.0 Reporting requirements

1. HR will provide a quarterly report to the SEC Office (OCTO) validating that employee access rights have been checked.

2. When technology or business processes change, SophosLabs will validate that this policy still applies. Any changes to the policy or required exemptions will be raised with the SEC Office (OCTO).

The Sophos program framework will check projects for any changes to the scope of data that might require alteration to this policy.

SophosLabs will contact the SEC Office (OCTO) for any queries regarding the classification of data and Sophos' responsibilities.

6.0 Contact requirements

If you wish to query the contents of this policy or its business application, or have a suggestion to enhance it, please contact the SEC Office (OCTO) or escalate to your manager.