We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.
Safeguarding personal information -- that of customers, partners, and employees -- is one of an organization's most important responsibilities. At Cisco, we recognize that a key to our business is building and maintaining the trust of our customers, partners and employees, reducing risk, and simply doing what is right. Fundamental to that concept is our philosophy that "Protecting information is everyone's responsibility."
Our Cloud Journey: We recognize that many companies share our concerns regarding protecting privacy and securing personal data. While it is our goal to minimize the risk, it is important to recognize that not every risk can be protected against or eliminated. Learn more about Cisco's ongoing journey with the cloud and our innovative use of security offerings to reduce risks and improve the privacy of information.
Trusted Products and Services: Cisco offers a whole suite of products designed to help our customers keep their networks and their information secure with “privacy by design” in mind, particularly those services over the cloud. Learn More
General Counsel Corner: Check out our tools and resources to assist you with: (i) developing a privacy compliance program; and (ii) addressing common issues associated with cloud computing. Learn More.
There are a number of aspects of our privacy compliance program that we consider to be leading practices. Here are highlights as they pertain to the various phases in the information lifecycle; click on each phase for additional details and supporting reference materials:
Cisco has developed several white papers that highlight how we design privacy and security compliance in our products and services:
Cisco Cloud Security Solutions - Cisco offers technologies and platforms in the data center that cloud service providers can use to address their customers' concerns with security, availability, and performance for applications hosted in the cloud. Read More
Cisco IronPort Cloud Email Security - This cloud solution utilizes multiple methods to provide comprehensive email security, incorporating preventive and reactive measures to maximize defense. Read More
Cisco Security Intelligence Operations (SIO) - SIO is a cloud-based service that connects global threat information, reputation-based services, and sophisticated analysis to Cisco network security devices to provide stronger protection with faster response times.
Cisco Solutions for Payment Card Industry (PCI) - Cisco offers numerous technology solutions and advanced services to help companies address their PCI requirements. They go beyond just the requirements -- for example, with new technologies such as virtualization -- and provide comprehensive best practices for securing sensitive information. Read More
Cisco ūmi - Cisco ūmi transforms standard-definition video conferencing into high-definition telepresence, where the objective is not just to see or hear someone who is at a remote location, but to provide an experience so clear and lifelike that ūmi callers will see what each other sees, hear what they hear, and feel what they feel. To ensure the integrity of communications through the Cisco ūmi cloud, the Cisco ūmi security team has implemented a number of layered security measures. Read More
Cisco Virtualized Multi-Tenant Data Center (VMDC) Solution for Infrastructure-as-a-Service - Cisco has designed, tested, and validated the VMDC architecture with intelligent technologies, platforms, and solutions at each level of the network to help service providers build secure public clouds and help enterprises and other organizations build private clouds, which combine the flexible, on-demand qualities of a cloud with the control and stability of a traditional data center. Read More
Secure Cloud Architecture - This overview details the features and technologies that NetApp, Cisco and VMware provide to deliver a fully featured cloud infrastructure solution that is as secure, reliable, and powerful as traditional silo deployments, while achieving the flexibility, efficiency, and OPEX/CAPEX reduction benefits of a cloud architecture. Read More
More to come!
Additional information regarding these solutions is available here:
Cloud computing changes the way information and services are provided and consumed. Faster, more responsive, and more efficient use of resources leads to better business performance and competitiveness. At the same time, cloud computing introduces new security risks and concerns around technology and business processes. To succeed, organizations must address cloud security concerns. Learn more below about our cloud journey.
Cloud Security for Everyone: Stay safe in the cloud! While there are many things that can threaten data and services in the cloud, this blog addresses primary concerns and actions you can take to address them.
"Fact or Fiction" Interview: Is Cloud Computing a Security Nightmare?
With John N. Stewart, Vice President and Chief Security Officer, Cisco
Fact or Fiction: Cloud computing is a security nightmare. Fiction, according to John N. Stewart, who shares why he's not having nightmares. Discover why cloud security is not a show stopper, and how to better understand, manage, and mitigate the risks associated with a move to the cloud to take advantage of these new innovations in your environment. (7:41 min)
About John N. Stewart
As vice president and chief security officer, John N. Stewart works with Cisco customers, partners, and government leaders in defense, the intelligence community, and civilian agencies to advance the safety, privacy, and integrity of critical network infrastructure.
Cloud computing as a developing area presents new risks and challenges, but just because it is a different environment does not automatically make it less safe. The best approach is not to fear the cloud, but to understand how to adapt to it to be more secure. (2:10 min)
Service Level Agreements (SLAs): SLAs are important to ensure that there is a guaranteed percentage of "uptime" and to identify what happens if the ASP fails to meet the specified service level. Read More
Application Service Provider (ASP) Security Evaluation Criteria: Cisco offers ASP security evaluation criteria as a step toward mitigating the risks of outsourcing to ASPs. These criteria are specific measurements of an ASP's security posture and maturity. Learn More
Standardized Information Gathering Questionnaire: Shared Assessments promotes voluntary control standards for security, privacy and business continuity for outsourcers and service providers. In support of this, Shared Assessments has published a Standardized Information Gathering Questionnaire as a template for customer security questionnaire responses as they relate to commonly known industry security and privacy frameworks, standards and regulations. Learn More
Privacy by Design: Product Development Guidelines for Engineers & Product Managers: Cisco has created guidelines for our engineers and product managers with high level principles relating to privacy and data protection. Becoming familiar with these principles allows the development team to design into our products, systems, and services features and functionalities that will make it easier for Cisco, customers and users to comply with and/or enforce legal and business requirements to protect personal information. As a result, privacy becomes an essential component being delivered and is not bolted on as an add-on, after the fact. Read More
Personal Data Registry: Cisco has developed a Personal Data Registry (PDR), an online tool to allow our database developers and owners to register their databases. The registration captures, among other things, whether the databases store or process any personal data, who has access to the databases, and where the databases reside. The PDR program includes an annual validation process and robust reporting capabilities. Learn more about the PDR tool registration by referencing this excerpt.
Internal Privacy Portal: Cisco has an internal privacy portal that centralizes relevant resources accessible to all employees and contractors, including online training modules, policies and guidelines, tools, contract templates, playbooks, FAQs, and links to a number of additional external resources. For reference, excerpts from the privacy portal are coming soon.
Global Supplier Enrollment Program: Our Global Supplier Enrollment Program requires that suppliers enter into a data usage and protection agreement (DUPA). Key sections of the DUPA include privacy and data security compliance provisions, prohibition against use of sub-processors and export of data without Cisco's prior consent, and auditing and reporting requirements. Read More
Online Incident Reporting Tool: Cisco has a formal cross-functional program with a standard, global, "closed-loop" process for monitoring, categorizing, referring, investigating and reporting alleged incidents that includes an online incident reporting tool and tracking function. Learn more about the request form for the online incident reporting tool.
Cloud Reference Materials
Compliance Checklist for Prospective Cloud Customers: Customers can manage privacy and security risks with cloud solutions by asking the right questions that are most critical for compliance and should be considered when selecting a provider. Read More
Cloud Computing, a Primer on Legal Issues, Including Privacy and Data Security Concerns (Presentation by Hogan Lovells): Cloud computing presents a number of unique legal and regulatory issues that need to be addressed. Learn More
Cloud Security Alliance Governance Risk & Compliance Stack: The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within Cloud Computing, and provides education on the uses of Cloud Computing to help secure all other forms of computing. The CSA Governance Risk & Compliance (GRC) Stack toolkit is an instrument to assess both private and public clouds against industry established best practices, standards and critical compliance requirements. The GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire (see below). The GRC Stack is available for free download at www.cloudsecurityalliance.org/grcstack.zip.
CloudAudit is a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments. Learn More
Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. Learn More