SophosLabs Information Security Policy

1 Overview

SophosLabs receives malicious code and false positive samples from customers in order to enhance the detection service that Sophos provides. This policy outlines requirements for the handling of customer data received and processed by the SophosLabs department. Such data could be sensitive, confidential, personally identifiable or financial in nature.

SophosLabs systems and data are hosted in a segregated area which is protected from unauthorised access both physically and electronically. This protects the security and integrity of customer data, and also ensures that the malicious code being handled by SophosLabs is appropriately segmented from public and corporate networks.

Any questions regarding this policy should be directed to the VP Labs or dataprotection@sophos.com.

2 Scope

Personnel

This policy applies to all SophosLabs employees and other limited individuals with authorised access, such as employees who manage the hosting infrastructure for SophosLabs.

Data

This policy applies to all file samples and other data provided to SophosLabs by customers (‘In-Scope Data’). In-Scope Data is currently received by SophosLabs via the following methods:

a) Customers may elect to submit malicious code and/or false positive samples to SophosLabs via https://secure2.sophos.com/en-us/support/contact-support.aspx;

b) Files which have been processed and subsequently categorised as malicious by the Sandstorm product are automatically routed to SophosLabs;

c) If the customer uses Sophos Live Protection and the protected device has identified a file as malware or suspicious, some limited file data will be sent to perform a look-up against the SophosLabs database in order to determine whether such file is clean or malicious;

d) If the customer uses the in-product sample sharing feature with Sophos, if the look-up described in (c) above determines that SophosLabs does not already hold a sample of the file, a copy of the customer’s file will be submitted to SophosLabs for further analysis; and

e) If the customer enables the root cause analysis and/or snapshot sharing features of the Intercept X product, data will be sent to SophosLabs for further analysis.

The customer may elect to disable Live Protection, in-product sample sharing, root cause analysis and snapshot sharing within the Sophos product itself; however, it is strongly recommended that the customer enables these features in order to benefit from up-to-date, enhanced protection.

3 Exceptions

Where there is a business need to be exempted from any of the requirements in this policy (too costly, too complex, adversely impacting other business requirements), authorisation must be obtained from VP Labs and dataprotection@sophos.com. All exemptions must be subject to a risk review.

4 Requirements

Access

a) Secure authentication protocols are used to validate user identity prior to enabling access to the physically secured area (and thus any computer in the secured area). Physical security systems will require token, card or biometric authentication to specifically identify the user.

b) Systems require a secure username and password for access which is compliant with Sophos' password policy. These credentials must be unique to SophosLabs and must not be used on any other internal or external systems or services.

c) Systems must be configured to lock after a period of inactivity of no longer than 30 minutes.

d) Access to systems will be logged centrally. These logs will be monitored by system owners to identify or prevent unauthorised access attempts. Once discovered, prompt steps will be taken to prevent any further unauthorised access.

e) Access is limited to SophosLabs employees and other limited individuals who need access in order to serve a legitimate business purpose. Approval from SophosLabs management is required to authorise a new individual.

f) Terminated or suspended individuals will have their physical and electronic access blocked. Any passes, devices, codes, passwords and means of obtaining access to such area and such data will be de-activated.

g) SophosLabs management conduct a quarterly review of access entitlements.

h) SophosLabs has a designated area for demonstrations to visitors. Visitors must be escorted by an authorised employee at all times. If you are responsible for escorting visitors, you must restrict them to the section of SophosLabs designated for demonstrations only, in order to avoid exposure of confidential information.

i) If an unknown, unescorted or otherwise unauthorised individual is identified in the physically secured area, SophosLabs management must be notified immediately.

General Security

j) Customer and other confidential data must not be left on desks unattended.

k) SophosLabs management, security@sophos.com and dataprotection@sophos.com must be notified immediately in the event that a device holding data is lost.

l) In-Scope Data is stored on the separate SophosLabs network. Laptops should only be used for the storage of normal business data which is not covered by the scope of this policy.

m) Remote access to In-Scope Data is secured via a two-stage authentication process which firstly requires the user to log onto the corporate network via a laptop and secondly requires the user to log onto the separate SophosLabs network. In-Scope Data will remain on the separate SophosLabs network and the user controls the desktop PC situated within the separate SophosLabs network via the remote laptop.

n) In-Scope Data that must be moved within SophosLabs may only be transferred via approved secure transfer mechanisms. Sophos will provide systems or devices that fit this purpose. You must not use other mechanisms to handle In-Scope Data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose, you must raise this with SophosLabs management.

o) Systems must be protected in line with Sophos corporate standards and industry best practice. All company laptops are built with this standard protection. Specifically, the systems must operate:

(i) Up-to-date anti-malware protection;

(ii) A firewall;

(iii) Encryption;

(iv) Appropriate patching.

p) Systems which are running a lower protection standard for legitimate business purposes (for example malware analysis requiring emulation of vulnerable systems) must be isolated.

Encryption

q) All In-Scope Data must be protected by encryption as follows:

(i) Sophos encryption products are the selected technical product for encryption of portable media or laptops;

(ii) Backups of SophosLabs data will be encrypted in line with industry best practices and hosted in an area of physical security to protect against the loss of In-Scope Data. Access to the backups will be restricted to a named group of individuals authorised by SophosLabs management;

(iii) Devices hosting data within SophosLabs will use current industry best practice algorithms and cryptographic strength;

(iv) Data in transit from the Sophos products to SophosLabs is encrypted using an industry trusted standard.

5 Data Retention

SophosLabs will retain In-Scope Data as follows:

(a) Malicious code samples will be retained indefinitely in order to offer continued protection of customers through regression testing of old malicious samples to prevent loss of detection from updated or new signatures;

(b) A single copy of each clean file submitted will be retained indefinitely in order to protect customers against false positive conviction of valid clean files;

(c) Sandbox samples are retained in the Sandbox environment for up to 30 days, whereupon clean files are deleted and convicted files are sent to SophosLabs and retained in accordance with (a) above. The customer ID code is not submitted to SophosLabs with the convicted file;

(d) If data received is a repeat sample of a file which is already held by SophosLabs, Sophos will retain only one logical master copy, which will also be backed up.

6 Responsibilities

Employees in scope will be provided with security awareness training to ensure they are aware of the behaviours, practices and procedures required by this policy.

You have a responsibility to uphold this security policy. In the event that you find a system or process which you suspect is not compliant with this policy you have a duty to inform SophosLabs management so that they can take appropriate action.

7 Owner & Approval

VP Labs is the owner of this document and is responsible for awareness and compliance among members of the SophosLabs team.

This policy was approved by the Legal department and is issued on a version controlled basis. A current version of this document is published at https://www.sophos.com/legal.aspx.