Privacy and Security Compliance Journey


We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.

Van Dang, VP, Law & Deputy General Counsel

 


 

  • Safeguarding personal information--that of customers, partners, and employees--is one of an organization's most important responsibilities. At Cisco, we recognize that a key to our business is building and maintaining the trust of our customers, partners and employees, reducing risk, and simply doing what is right. Fundamental to that concept is our philosophy that "Protecting information is everyone's responsibility."
  • Our Cloud Journey: We recognize that many companies share our concerns regarding protecting privacy and securing personal data. While it is our goal to minimize the risk, it is important to recognize that not every risk can be protected against or eliminated. Learn more about Cisco's ongoing journey with the cloud and our innovative use of security offerings to reduce risks and improve the privacy of information.
  • Our Compliance Program: Learn more about how our comprehensive and innovative compliance program incorporates leading industry practices.


  • Trusted Products and Services: Cisco offers a whole suite of products designed to help our customers keep their networks and their information secure with “privacy by design” in mind, particularly those services over the cloud. Learn More
  • General Counsel Corner: Check out our tools and resources to assist you with: (i) developing a privacy compliance program; and (ii) addressing common issues associated with cloud computing. Learn More.
 

 



There are a number of aspects of our privacy compliance program that we consider to be leading practices.  Here are highlights as they pertain to the various phases in the information lifecycle; click on each phase for additional details and supporting reference materials:

 

Cisco has developed several white papers that highlight how we design privacy and security compliance in our products and services:



Cisco Cloud Security Solutions - Cisco offers technologies and platforms in the data center that cloud service providers can use to address their customers' concerns with security, availability, and performance for applications hosted in the cloud. Read More

Cisco IronPort Cloud Email Security - This cloud solution utilizes multiple methods to provide comprehensive email security, incorporating preventive and reactive measures to maximize defense.  Read More

Cisco Security Intelligence Operations (SIO) - SIO is a cloud-based service that connects global threat information, reputation-based services, and sophisticated analysis to Cisco network security devices to provide stronger protection with faster response times.

Cisco Solutions for Payment Card Industry (PCI) - Cisco offers numerous technology solutions and advanced services to help companies address their PCI requirements. They go beyond just the requirements -- for example, with new technologies such as virtualization -- and provide comprehensive best practices for securing sensitive information. Read More

Cisco Virtualized Multi-Tenant Data Center (VMDC) Solution for Infrastructure-as-a-Service - Cisco has designed, tested, and validated the VMDC architecture with intelligent technologies, platforms, and solutions at each level of the network to help service providers build secure public clouds and help enterprises and other organizations build private clouds, which combine the flexible, on-demand qualities of a cloud with the control and stability of a traditional data center.  Read More

Secure Cloud Architecture - This overview details the features and technologies that NetApp, Cisco and VMware provide to deliver a fully featured cloud infrastructure solution that is as secure, reliable, and powerful as traditional silo deployments, while achieving the flexibility, efficiency, and OPEX/CAPEX reduction benefits of a cloud architecture. Read More

More to come!

Additional information regarding these solutions is available here:

Cloud computing changes the way information and services are provided and consumed. Faster, more responsive, and more efficient use of resources leads to better business performance and competitiveness. At the same time, cloud computing introduces new security risks and concerns around technology and business processes. To succeed, organizations must address cloud security concerns - Learn more below about our cloud journey.

Cisco Cloud Security Accelerates Cloud Adoption
Cloud security has its own architectural structure with several key considerations, including logical separation and access control.

Cloud Security for Everyone
Stay safe in the cloud! While there are many things that can threaten data and services in the cloud, this blog addresses primary concerns and actions you can take to address them.

Cisco Any Device: Planning a Productive, Secure, and Competitive Future
As Cisco ventured out on the "Any Device" journey, we identified critical business areas that are affected by this new paradigm. Learn the steps and decisions that IT and security professionals need to consider along the "Any Device" journey.

Cloud Computing Security

"Fact or Fiction" Interview: Is Cloud Computing a Security Nightmare?
With John N. Stewart, Vice President and Chief Security Officer, Cisco

Fact or Fiction: Cloud computing is a security nightmare. Fiction, according to John N. Stewart who shares why he's not having nightmares. Discover why cloud security is not a show stopper, and how to better understand, manage, and mitigate the risks associated with a move to the cloud to take advantage of these new innovations in your environment. (7:41 min)

About John N. Stewart

As vice president and chief security officer, John N. Stewart works with Cisco customers, partners, and government leaders in defense, the intelligence community, and civilian agencies to advance the safety, privacy, and integrity of critical network infrastructure.



Cloud Computing Security

Video with John N. Stewart

Cloud computing as a developing area presents new risks and challenges, but just because it is a different environment does not automatically make it less safe. The best approach is not to fear the cloud, but understand how to adapt to it to be more secure. (2:10 min)

 


Compliance Reference Materials

Service Level Agreements (SLAs): SLAs are important to ensure that there is a guaranteed percentage of "uptime" and to identify what happens if the ASP fails to meet the specified service level. Read More

Application Service Provider (ASP) Security Evaluation Criteria:  Cisco offers ASP security evaluation criteria as a step toward mitigating the risks of outsourcing to ASPs.  These criteria are specific measurements of an ASP's security posture and maturity.  Learn More

Standardized Information Gathering Questionnaire:  Shared Assessments promotes voluntary control standards for security, privacy and business continuity for outsourcers and service providers.  In support of this, Shared Assessments has published a Standardized Information Gathering Questionnaire as a template for customer security questionnaire responses as they relate to commonly known industry security and privacy frameworks, standards and regulations.  Learn More

Privacy by Design: Product Development Guidelines for Engineers & Product Managers: Cisco has created guidelines for our engineers and product managers with high level principles relating to privacy and data protection. Becoming familiar with these principles allows the development team to design into our products, systems, and services features and functionalities that will make it easier for Cisco, customers and users to comply with and/or enforce legal and business requirements to protect personal information. As a result, privacy becomes an essential component being delivered and is not bolted on as an add-on, after the fact. Read More

Personal Data Registry: Cisco has developed a Personal Data Registry (PDR), an online tool to allow our database developers and owners to register their databases. The registration captures, among other things, whether the databases store or process any personal data, who has access to the databases, and where the databases reside. The PDR program includes an annual validation process and robust reporting capabilities. Learn more about the PDR tool registration by referencing this excerpt.

Internal Privacy Portal: Cisco has an internal privacy portal that centralizes relevant resources accessible to all employees and contractors, including online training modules, policies and guidelines, tools, contract templates, playbooks, FAQs, and links to a number of additional external resources. For reference, excerpts from the privacy portal are coming soon.

Global Supplier Enrollment Program: Our Global Supplier Enrollment Program requires that suppliers enter into a data usage and protection agreement (DUPA). Key sections of the DUPA include privacy and data security compliance provisions, prohibition against use of sub-processors and export of data without Cisco's prior consent, and auditing and reporting requirements. Read More

Online Incident Reporting Tool: Cisco has a formal cross-functional program with a standard, global, "closed-loop" process for monitoring, categorizing, referring, investigating and reporting alleged incidents that includes an online incident reporting tool and tracking function. Learn more about the request form for the online incident reporting tool.

 

Cloud Reference Materials

Compliance Checklist for Prospective Cloud Customers: Customers can manage privacy and security risks with cloud solutions by asking the right questions that are most critical for compliance and should be considered when selecting a provider. Read More

Cloud Computing, a Primer on Legal Issues, Including Privacy and Data Security Concerns (Presentation by Hogan Lovells): Cloud computing presents a number of unique legal and regulatory issues that need to be addressed. Learn More

Cloud Security Alliance Governance Risk & Compliance Stack: The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within Cloud Computing, and provides education on the uses of Cloud Computing to help secure all other forms of computing.  The CSA Governance Risk & Compliance (GRC) Stack toolkit is an instrument to assess both private and public clouds against industry established best practices, standards and critical compliance requirements.  The GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire (see below).  The GRC Stack is available for free download at www.cloudsecurityalliance.org/grcstack.zip.

CloudAudit is a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments.  Learn More

Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.  Learn More

Consensus Assessments Initiative Questionnaire provides a set of questions a prospective cloud customer may wish to ask of a cloud provider.  Learn More

We value your opinions. Should you have any questions or comments related to Cisco's privacy compliance journey, please send an email to privacy@cisco.com.

Industry Participation and Leadership Security Monitoring Controls and Enforcement Collecting Data Transferring / Sharing Data Storing Data retaining / deleting data

TRUSTe's Case Study

“Very few companies take privacy and security as seriously as Cisco.”

Fran Maier, President and Chair, TRUSTe

Cisco's groundbreaking privacy portal inspired TRUSTe to conduct a case study highlighting Cisco’s approach to privacy and increasing collaboration within the privacy community.