High Level Security Policy Overview

Sophos Trust Center

Introduction

Sophos has a dedicated cybersecurity team. The team has developed and deployed security policies, standards, and procedures validated by an active governance and audit program.

Sophos aligns with the NIST Cybersecurity Framework and ISO 27001 controls.

Sophos has a Security Operations Center (SOC) operating 24/5. 

Sophos has deployed its own security products internally. This includes firewalls, malware detection, and an MTR (Managed Threat Response) service that monitors the environment 24/7. 

Sophos Labs analyzes malware samples in a segregated environment.

Sophos has a defined incident response and breach notification process.

Security Controls

There are specific security controls around the following areas:

  • Data protection, privacy, and security
  • Risk management
  • Access and user management
  • Password management and authentication controls
  • Encryption and key management
  • Threat and vulnerability management
  • Logging and monitoring
  • Secure development life cycle and bug bounty program
  • Threat modeling
  • Network security – zero-trust network model
  • Change management
  • Third-party vendor security
  • Disaster recovery plan – high availability cloud hosting
  • Physical security
  • Human Resources Security – Sophos staff undergo pre-employment background checks, and staff and contractors undergo regular security and awareness training