Customer Trust Portal

Business Continuity Management Program

Symantec's Business Continuity Management (BCM) Program is a key component of our business model. The BCM Program’s focus is to identify actual and potential risks to business function resilience, mitigate those risks by ensuring respective business functions design, and document and exercise business continuity strategies. If there is a disruption to critical Symantec functions, the BCM Program facilitates the execution of strategies to maintain our ability to deliver services to our customers.

• Symantec Business Continuity Management Program Summary

Incident Response Plan Summary

Symantec's Incident Response Plan defines and implements an operational framework including the processes, skills, and tools necessary for Symantec to detect, contain, investigate and report on cyber security incidents potentially impacting Symantec systems, networks, and data. This includes customer, partner or supplier information in Symantec's possession. This forward-looking plan supports Symantec's mission to its customers, partners, shareholders and employees as a trusted leader in information security risk management.

• Symantec Incident Response Plan Summary

Information Security Policy

Through our Information Security Policy, Symantec is committed to the protection of the company's information technology, brand, intellectual property, personal information, and customer data from misuse or compromise. This external-facing policy defines how Symantec protects its assets and reputation from threats associated with misuse or compromise of information/data. This includes whether the threat is internal or external, deliberate or accidental in nature.

• External-Facing Information Security Framework
• Symantec Service Support Security Standards

Pandemic/Infectious Disease Program

Symantec Corporation recognizes that a pandemic or infectious illness outbreak would pose a significant health risk to employees and could lead to the interruption of business. Symantec has been engaging in pandemic planning activities since early 2005. We initiated the Pandemic Preparedness Program with a global team comprised of key business group leaders knowledgeable in company operations to address these risks and respond to the consequences of a pandemic/infectious outbreak.

• Symantec Pandemic/Infectious Disease Program Summary

Payment Card Industry (PCI) Attestation of Compliance

The PCI Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process, which includes prevention, detection and appropriate reaction to security incidents. Symantec Corporation meets the criteria for a Level 1 Merchant.

• Symantec Corporation PCI AOC - Merchants - contact us for additional information
• Symantec Managed Security Services PCI AOC - Service Provider

Software Security Process

Symantec takes a proactive approach to secure software development. The Software Security Process document summarizes how we implement security review into all stages of the software development process and strive to continually improve our overall software security.

• Software Security Process Document

Supplier Trust Program

Symantec's Supplier Trust Program is an important part of our risk management function. Through collaboration with Legal and Procurement, the Symantec Supplier Trust Program manages the security risk of Symantec's supply chain. From initial engagement to annual monitoring and due diligence, Symantec is committed to holding its suppliers to the appropriate security standards.

• Supplier Management Process

Accessibility for Customers with Disabilities

Symantec is committed to meeting the accessibility needs of our customers with disabilities. In compliance with the “Accessibility for Ontarians with Disabilities Act, 2005”, below are links to the Symantec’s Customer Service Standards and Accessibility Policy under the Integrated Accessibility Standards. Comments and feedback can be submitted to Symantec’s technical and customer support team.

• Symantec Canada Customer Service Standards - Providing Goods and Services to People with Disabilities
  
• Symantec (Canada) Corporation Accessibility Policy Integrated Accessibility Standards

Code of Conduct

The Symantec Code of Conduct aligns our business practices with our values. Symantec is committed to conducting its business in an ethical and lawful manner. The reputation of Symantec is a valuable business asset, and ethical and legal conduct at all levels of our business is essential for our continued success.

Corporate Responsibility

Symantec considers the protection of information central to corporate responsibility in this digital age. We conduct our business with a commitment to ethical operation, sound environmental management, and positive societal impact.

Internal Control Over Financial Reporting (Sarbanes-Oxley (SOX)) Program

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). Symantec Corporation maintains effective internal control over financial reporting as reported in our annual 10-K filing with the Security Exchange Commission (SEC).

Privacy Statement

Symantec's Privacy Statement describes the types of information we collect via Symantec’s web sites, how we may use that information and with whom we may share it. Our Privacy Statement describes the measures we take to protect the security of the information. We also tell you how you may contact us to update your information, remove your name from our mailing lists or get answers to questions you may have about our privacy practices at Symantec.

Mission

Symantec’s global staff of certification professionals actively promotes awareness of global certification best practices and provides overarching guidance and support to our product teams to walk them through the necessary business and technical channels to obtaining and maintaining Symantec product certifications.

Please email Joan Barbieri for certification support and further assistance.

Symantec Certifications

Common Criteria

The international Common Criteria Recognition Arrangement (CCRA) brings together 26 nations who agree to accept a unified approach to the evaluations of information technology products and protection profiles for information assurance and security. This arrangement benefits member nation governments and other customers of IT products by creating more clarity in procurement decisions, more precision in evaluations, a better balance of security and features, and more rapid access to products from industry.

As the basis for the international standards ISO/IEC15408 and ISO/IEC 18045, Common Criteria is a framework in which:

• government, military and other users can specify their security functional and assurance requirements through the use of protection profiles,
• vendors can then implement and/or make claims about the security attributes of their products,
• and testing laboratories can evaluate the products to determine if they actually meet the claims.

Source: Common Criteria IT Security Evaluation & the National Information Assurance Partnership

Please also refer to National Information Assurance Policy and Common Criteria for additional information.

 

Federal Identity, Credential and Access Management (FICAM)

The FICAM TFS is the federated identity framework for the U.S. Federal Government. It includes guidance, processes, and supporting infrastructure to enable secure and streamlined citizen and business facing online service delivery.

NSL IDEF certification Achieved. IDEF is the Identity Ecosystem Framework version 1.0. This is a valid and active certification and applicable for both public sector and commercial markets.

The following Norton Secure Login and Managed Public Key Infrastructure certification packages are applicable to the FICAM program run by GSA.  Refer here for a list of approved identity providers.

• Voluntary Product Accessibility Template - Norton Secure Login
• Authority to Offer Services for FICAM TFS Approved Identity Services
• MPKI Security Accreditation Decision Letter (Valid until July 2016)
  

For additional information, please contact Adam Madlin.

Federal Information Processing Standard Publication 140-2 (FIPS 140-2)

FIPS 140-2 Product Status

Federal Information Processing Standard 140-2 (FIPS 140-2) validation is important to any vendor selling cryptography to the Federal market space. If your IT product utilizes any form of encryption, it will likely require validation against the FIPS 140-2 criteria by the Cryptographic Module Validation Program (CMVP) run jointly by the National Institute of Standards and Technology (NIST), in the United States and Communications Security Establishment (CSE) in Canada before it can be sold and installed in a Federal agency or DoD facility.

FIPS 140-2 describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the NIST, has been adopted by the CSE, and is jointly administered by these bodies under the umbrella of the CMVP.

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.  Please refer here for additional information regarding FIPS 140-2 requirements, including NIST links.

Symantec Validated Products List

Listed below are the Symantec products with a status as to whether a listed product is:

• FIPS 140-2 validated
  • Product uses an existing encryption module (Symantec or 3rd party) and has gone through a "private label" validation process
• Compliant
  • Product uses an existing validated 3rd party module, but has not explicitly obtained a private validation from NIST
• N/A
  • Product does not contain an encryption module
• Not at this time
  • Product has an encryption module but is not FIPS 140-2 validated at this time

This snapshot in time below involves an in flux product line so there are no guarantees as to accuracy, but we try to keep this updated with the current status/FIPS 140-2 status per products. Symantec does not certify that all its software and hardware products, services or appliance solutions are compliant or validated per FIPS 140-2 requirements.

For questions regarding FIPS 140-2 statuses/content herein or to note an updated FIPS product status, please contact us.

FIPS Compliant Symantec Products

 

FIPS Validated Symantec Products

 

Non-FIPS Symantec Products

 

Federal Risk and Authorization Management Program (FedRAMP)

Symantec Product	Status
Symantec VIP	In Progress (E.g. Planning/Readiness Activities)

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

Goals

• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
• Increase confidence in security of cloud solutions achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
• Ensure consistent application of existing security practice, increase confidence in security assessments
• Increase automation and near real-time data for continuous monitoring

Benefits

• Increase re-use of existing security assessments across agencies
• Save significant cost, time, and resources – “do once, use many times”
• Improve real-time security visibility
• Provide a uniform approach to risk-based management
• Enhance transparency between government and Cloud Service Providers (CSPs)
• Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

Main Players

Main Players There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP Process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Key Processes

FedRAMP authorizes cloud systems in a three step process:

1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
2. Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
3. Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

Governance

FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA.  In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play keys roles in effectively running FedRAMP.

 

Federal Service for Technical and Export Control (FSTEK)

The Federal Service for Technical and Export Control (FSTEK) certification is required in order to sell information security systems in Russia. The regulations covering these requirements were  introduced by the Russian government  in July 2011. The Russian government  introduced  these requirements to ensure that establishments handling personal/confidential/government data are compliant with data security norms and regulations (FZ 152). The regulations detail  the security requirements with which  information security systems which process personal/confidential/government data need to comply. Compliance with the requirements is affirmed by a certificate granted by the Russian Government  (Order of FSTEC  #17, #31 and #21).

For additional information, please refer to hФСТЭК России.

 

UK Cyber Essentials

From 1 October 2014, the UK government has made it mandatory that all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.

The scheme’s five security controls apply to:

• Access Control
• Malware Protection
• Patch Management
• Secure Configuration
• Boundary Firewall and Internet Gateway
  

There are two level of certification available: Cyber Essentials and Cyber Essentials Plus. A Cyber Essentials certification is awarded on the basis of a verified self-assessment and approved by a senior executive and verified by an independent Certification body.  Cyber Essentials Plus offers a higher level of assurance through external testing of an organization’s cyber security approach.

UK Symantec	Certification Status
Cyber Essentials	UK Cyber Essentials (CE)

Obtaining a Symantec Product Certification (Internal Users)

If you would like assistance obtaining a product certification, please complete a business case and email to Joan Barbieri or Ilya Troitskiy. 

Completed VPAT™ Voluntary Product Accessibility Templates

The purpose of the Voluntary Product Accessibility Template, or VPAT™, is to assist Federal contracting officials and other buyers in making preliminary assessments regarding the availability of commercial “Electronic and Information Technology” products and services with features that support accessibility.

Symantec supports the U.S. Government's efforts to increase access to electronic and information technology (E&IT) for the disabled. Symantec does not certify that its software products, services or appliance solutions are compliant with 508 requirements.

For additional questions regarding these VPAT forms, please contact us.

• Symantec Critical System Protection
  • Stand-alone Console for Symantec Security: Server 6.0, Symantec Security: Server Advanced 6.0 and Symantec Critical System Protection Client Edition
  • Web Console for Symantec Security: Server 6.0, Symantec Security: Server Advanced 6.0 and Symantec Critical System Protection Client Edition
• Symantec Control Compliance Suite - CCS v11.1
• Symantec Cyber Security DeepSight Datafeed vNOV2014
• Symantec Data Center Security
  • Stand-alone Console for Symantec Security: Server 6.0, Symantec Security: Server Advanced 6.0 and Symantec Critical System Protection Client Edition
  • Web Console for Symantec Security: Server 6.0, Symantec Security: Server Advanced 6.0 and Symantec Critical System Protection Client Edition
• Symantec Data Loss Prevention - DLP v12.5
• Symantec Encryption (PGP)
  • Symantec Encryption Desktop v 10.3.2
  • Symantec Encryption Management Server v3.3.2
  • Symantec Endpoint Encryption - SEE v11.0
  • Symantec Encryption Desktop v10.4
  • Symantec Encryption Management Server v3.4
  • Symantec PGP Command Line v10.4
• Symantec Endpoint Protection
  • Symantec Endpoint Protection for Linux v12.x
  • Symantec Endpoint Protection Client v12.1.6
• Symantec Ghost Solution Suite
  • Symantec Ghost Solution Suite - GSS v3.0
  • Symantec Ghost Solution Suite - GSS v2.5
• Symantec Identify Access Manager - SAM v2.0.2
• Symantec IT Management Suite - ITMS v7.5
• Symantec Managed PKI for SSL 2015
• Symantec Messaging Gateway - SMG v10.5.3
• Symantec Messaging Gateway - SMG v10.6
• Symantec Mobility Suite
  • Symantec Mobility Suite Hosted - v5.0
  • Symantec Mobility Suite Hosted - v5.1
  • Symantec Mobility Suite Hosted - v5.2
  • Symantec Mobility Suite Hosted - v5.3
  • Symantec Mobility Suite On Premise - v5.0
  • Symantec Mobility Suite On Premise - v5.1
  • Symantec Mobility Suite On Premise - v5.2
  • Symantec Mobility Suite on Premise - v5.3
• Symantec Security Simulation Platform - SSP v1.0
• Symantec Web Gateway - SWG v5.2.2
• Create/Submit NEW VPAT™ Voluntary Product Accessibility Templates
• Representations & Certifications (FAR, DFAR)
• Trade Agreements Act - Country of Origin