Compliance Reference Materials
Service Level Agreements (SLAs): An SLA establishes a guaranteed percentage of uptime and specifies what happens (credits, remedies, termination rights) if the application service provider (ASP) fails to meet the agreed service level.
Application Service Provider (ASP) Security Evaluation Criteria: Cisco offers ASP security evaluation criteria as a step toward mitigating the risks of outsourcing to ASPs. The criteria are specific, measurable indicators of an ASP's security posture and maturity.
Standardized Information Gathering Questionnaire: Shared Assessments promotes voluntary control standards for security, privacy and business continuity for outsourcers and service providers. In support of this, Shared Assessments publishes the Standardized Information Gathering (SIG) Questionnaire, a template for responding to customer security questionnaires that maps the responses to commonly known industry security and privacy frameworks, standards and regulations.
Privacy by Design: Product Development Guidelines for Engineers & Product Managers: Cisco has created guidelines for its engineers and product managers that set out high-level principles for privacy and data protection. Familiarity with these principles allows a development team to design into products, systems and services the features and functionality that make it easier for Cisco, its customers and its users to comply with, and enforce, legal and business requirements for protecting personal information. Privacy then becomes an essential component of what is delivered rather than an add-on bolted on after the fact.
Personal Data Registry: Cisco has developed a Personal Data Registry (PDR), an online tool that lets database developers and owners register their databases. The registration captures, among other things, whether a database stores or processes personal data, who has access to it, and where it resides. The PDR program includes an annual validation process and reporting capabilities.
Internal Privacy Portal: Cisco maintains an internal privacy portal that centralizes relevant resources for all employees and contractors, including online training modules, policies and guidelines, tools, contract templates, playbooks, FAQs, and links to a number of additional external resources.
Global Supplier Enrollment Program: The Global Supplier Enrollment Program requires suppliers to enter into a data usage and protection agreement (DUPA). Key sections of the DUPA include privacy and data security compliance provisions, a prohibition on using sub-processors or exporting data without Cisco's prior consent, and auditing and reporting requirements.
Online Incident Reporting Tool: Cisco has a formal cross-functional program with a standard, global, "closed-loop" process for monitoring, categorizing, referring, investigating and reporting alleged incidents. The process includes an online incident reporting tool with a tracking function.
Cloud Reference Materials
Compliance Checklist for Prospective Cloud Customers: Customers can manage the privacy and security risks of cloud solutions by asking a provider the questions that matter most for compliance before selecting it; the checklist collects those questions.
Cloud Computing, a Primer on Legal Issues, Including Privacy and Data Security Concerns (Presentation by Hogan Lovells): Cloud computing raises a number of distinct legal and regulatory issues that need to be addressed before data is moved to a provider.
Cloud Security Alliance Governance Risk & Compliance Stack: The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within Cloud Computing, and provides education on the uses of Cloud Computing to help secure all other forms of computing. The CSA Governance Risk & Compliance (GRC) Stack toolkit is an instrument to assess both private and public clouds against industry established best practices, standards and critical compliance requirements. The GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire (see below). The GRC Stack is available for free download at www.cloudsecurityalliance.org/grcstack.zip.
CloudAudit is a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments.
Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
Consensus Assessments Initiative Questionnaire provides a set of questions a prospective cloud customer may wish to ask of a cloud provider, aligned with the controls in the Cloud Controls Matrix.