The following is an excerpt from the 2019 CSR report.
Cisco is the industry leader in creating safe and secure connections and applications for processing data. And in a world with more data, more users, and more services than ever, there’s more to protect than ever. What’s more, cyberthreats are always evolving.
In light of high-profile security breaches and privacy abuses, it’s no surprise that fear and uncertainty abound. Standards and regulations aim to protect against data misuse, whether by those who are authorized to access and use the data or by those who are not. Unfortunately, this has produced the unintended effect of a global patchwork of inconsistent guidelines and requirements that can be difficult for data handlers and users to understand and follow.
It doesn’t have to be this way. We’re committed to incorporating privacy and security into every phase of product development, from ideation to end of life. We strive to enhance trust and provide transparency for our customers with our privacy and security policies and practices. We lead development of industry standards to enhance global cybersecurity.
Security by design
We’ve been building security into every level of our solutions and services for more than 10 years with the Cisco Secure Development Lifecycle (Cisco SDL). Cisco SDL provides a foundation for addressing evolving threats. We also follow specifications for our Information Security Management System (ISMS). And our entire services business is ISO 27001 certified. These verifications give customers peace of mind that their data is safe with Cisco.
We have integrated privacy engineering into the Cisco SDL. For example, a privacy impact assessment is now a mandatory step prior to product release. We’ve trained our product engineers and our lawyers who counsel them on privacy engineering and put them through privacy requirements workshops. For data-rich products and services, the information gathered during Cisco SDL is converted into plain language and published on the Cisco Trust Center as Privacy Data Sheets and visualized as Privacy Data Maps. We’ve also published our Master Data Protection Agreement that sets out our privacy and security promises (for customers) and requirements (for suppliers). These enhancements to our program provide greater transparency, fairness, and accountability in how we process personal information.
How do we identify privacy risks? We start with threat modeling and privacy scoping workshops during ideation and design. Next, we conduct operations and user experience testing. During these tests, we ensure appropriate controls are in place to properly manage personal data throughout its life cycle, from creation to disposition.
We continue to conduct penetration testing and check for vulnerabilities even after products have been deployed. All of our security products incorporate Talos threat intelligence, backed by a team that reviews 1.7 million malware samples per day. Meanwhile, the Product Security Incident Response Team (PSIRT) and Computer Security Incident Response Team (CSIRT) monitor network and attack traffic for security vulnerabilities and incidents in our products and corporate environments, respectively. Thanks to these safeguards, we had no reportable data breaches in the past year. To further enhance and expand our capabilities, we acquired two security companies in FY19. Sentryo is a provider of device visibility and security solutions for industrial control system networks. We also completed the acquisition of Duo Security for unified access security and multifactor authentication.
The European Union’s (EU) General Data Protection Regulation (GDPR) has been in effect for more than a year, and dozens of other privacy laws have been enacted or are being updated around the world. We continue to mature and improve our privacy program to align to the evolving landscape to ensure privacy is respected and protected. In the past year, we:
- Updated and published additional Privacy Data Sheets and Data Maps to provide transparency for our data handling practices
- Revised our Product Security Baseline and Security Readiness Criteria in Cisco SDL to build in privacy-enhancing features and functionality in our products
- Enhanced and automated aspects of our Data Subject Access Request (DSAR) management process for more rapid response
- Created a network and practice community of privacy leads in regions worldwide
- Renewed our EU/Swiss-US Privacy Shield and APEC Cross Border Privacy Rules system certifications
- Obtained APEC Privacy Recognition for Processors certification
Building bridges across our industry
Our work doesn’t happen in a vacuum. Just as we connect people and businesses in global networks, we are part of a network of peers working together to ensure security and privacy for all. We’re committed to respecting privacy as a human right, helping to shape new regulations and industry standards to protect privacy while supporting data-driven innovation, and working with our customers, partners, peers, and others to do the same. When we’re all better informed on these critical issues and work together to develop solutions, we’re all better off.
In FY19, Cisco called for comprehensive U.S. federal data protection legislation anchored to core principles of transparency, fairness, and accountability, because privacy is a human right. Specifically, we recommended that the U.S. develop an omnibus federal privacy law ensuring a consistent baseline of protection. Our perspective considers how today’s trends, such as IoT, 5G, and artificial intelligence, will impact and reshape our lives today and into the future. New laws should drive responsible, accountable use of data and address the complex privacy needs of a world where tens of billions of devices will soon be online.
Cisco is leading the development of privacy frameworks around the world. We’re speaking out in support of policies that favor interoperable global standards and a safe, free, and open Internet.