Secureworks® Taegis™ Security Posture
Secureworks® is committed to developing secure software. We apply modern software development practices to minimize software flaws that could compromise the confidentiality, integrity, or availability of Secureworks, our customers, and our partners. Secureworks uses Static Application Security Testing (SAST) tools and processes in our Continuous Integration/Continuous Development (CI/CD) pipeline to detect potential flaws and bugs. Findings are reviewed by senior software engineers as part of code review and pair programming practices. Secureworks also uses Dynamic Application Security Testing (DAST) scan tools and processes during functional and unit testing before code is pushed to production. Secureworks performs adversarial simulations against the Taegis™ platform to identify potential vulnerabilities in the production and pilot platforms. Any identified vulnerabilities are given a criticality rating by the Secureworks CISO team and mitigated within the SLA defined for that severity. Secureworks incorporates various open-source technologies into the Taegis platform and, as such, continuously conducts Software Composition Analysis (SCA) of upstream projects and evaluates whether those projects continue to meet our security, performance, scalability, and product design goals.
All authentication into Taegis environments requires multi-factor authentication with strong password requirements.
Vulnerability Scanning
All of our customers' environments are continuously scanned for vulnerabilities, both within our cloud environments and on the hosts themselves. Any identified vulnerabilities are given a criticality rating by the Secureworks CISO team and mitigated within the SLA defined for that severity. Penetration testing is performed regularly, with a third-party penetration test run at least annually.
Incident Response
Our systems and our customers' environments are scanned for malicious files and network traffic. Any suspicious activity is tracked and investigated by the Secureworks CISO team. If a true positive is discovered, our extensive playbooks are put into action to remediate the issue and ensure no further incidents occur.
Third Party Services
Our Supplier Oversight Program reviews the data protection and security measures of vendors that process personal data on our behalf (i.e., our subprocessors). We have updated relevant vendor agreements to include the obligations required by Article 28 of the GDPR and to ensure that we flow these obligations down the processing chain. We also have a due diligence process in place to help us select vendors that meet our rigorous requirements for processing and safeguarding personal data, so that we choose only vendors that provide sufficient guarantees. A Vendor Management Office is also in place and is responsible for governing and overseeing processes and controls throughout the vendor lifecycle.
Regulatory Compliance
SOC 2, ISO 27001
Data is stored in specific regions to make it easier to comply with regional data compliance regulations. Current locations are the United States and the European Union (Germany).
As a service provider whose sole focus is security, Secureworks takes appropriate steps to ensure the confidentiality, integrity and availability of customer data and the services that we provide.
Secureworks has obtained ISO 27001 certification of its Information Security Management System (ISMS) supporting infrastructure and services used to support the Taegis platform. The details of our ISMS certification are publicly available at https://www.schellman.com/certificate-directory.
Secureworks has completed a Type II SOC 2 examination. This provides our customers with reasonable assurance that Secureworks' service commitments and system requirements are based on the trust services criteria relevant to security, availability, and confidentiality ('applicable trust services criteria') set forth in TSP section 100, Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
Secureworks, as a managed security service provider, aligns with and follows security best practices outlined by COBIT, NIST SP 800-53, FFIEC (including GLBA Security and Privacy), and FIPS (FIPS 140-2 encryption), as well as guidance from entities such as US-CERT (United States Computer Emergency Readiness Team).
In addition, the FFIEC has responsibility for oversight and supervision of Secureworks as a Technology Service Provider (TSP). Annual FFIEC examinations are conducted that focus on underlying risk issues that would affect financial institution customers of Secureworks. These risk issues include Management of Technology, Integrity of Data, Confidentiality of Information, Availability of Services, Compliance, and Financial Stability.
All ingress and egress data to and from the Taegis environment, as well as any data stored within Taegis, is encrypted using modern cryptography, including appropriate ciphers, modes, key strengths, and key rotation.
Employee Compliance and Security Training
Secureworks team members are responsible for protecting personal data and using it only for authorized purposes in line with established policies and procedures. All Secureworks employees are required to complete both information security and privacy compliance training annually. We also provide targeted privacy training as needed to various functions within Secureworks. Where permitted by applicable law, we carry out appropriate background checks on our staff as part of our hiring process.