Cisco Cloud Security Privacy Data Sheet

Size: px

Start display at page:

Download "Cisco Cloud Security Privacy Data Sheet"

Myra Flynn
5 years ago
Views:

1 Cisco Cloud Security Privacy Data Sheet This Privacy Data Sheet describes the processing of personal data (or personal identifiable information) by Cisco Cloud Security. Overview of Cisco Cloud Security Capabilities Cloud Security ( CES ) is a cloud-based security service that blocks spam and security threats from the Internet and, depending on the features licensed, prevents the accidental or intentional leakage of customer data. CES offers inbound protection and outbound control of your traffic. The following feature functionalities are available as part of CES depending on the licensed features purchased: Anti-spam Intelligent Multi-Scan Anti-spam Anti-virus Outbreak Filters Advanced Malware Protection Safe Unsubscribe Image Analysis Encryption (CRES) Data Loss Prevention For more information about CES, please see: The following paragraphs describe the personal data that Cisco processes to deliver the CES services, the location of such data and how it is secured in accordance with privacy principles, laws and regulations. 1. Personal Data Processing The tables below list the personal data used by CES to carry out the services and describe why Cisco processes such data. Table 1. Personal Data Processing Personal Data processed by CES Customer Account/Contact Information Envelope Header: Sender, Recipient, Host/IP address Data Header: From, To, Subject, Reply-to Headers (including CC/BCC), Name/Title of Attachment (but not the content of the Attachment) Purpose of Processing Product administration: Creating an account, validating license entitlements, general product support and administration. Identify Envelope Sender, Envelope Recipient (e.g. jsmith@company.com) for security purposes. Identify the From, To, Subject, Reply-To headers (e.g. Jane Smith <jsmith@company.com>), Attachment name for security purposes.

2 Body: content and/or entire Attachment (but only if the customer purchases and enables the Quarantine feature) IP Address (note that customer may opt-out of collection for Cisco global threat intelligence research purposes) Evaluate for threats and apply any customer created policies. IP Addresses are stored for security purposes as part of an audit log to identify IP addresses trying to access customer s CES instance, as well as for Cisco global threat intelligence research. 2. Cross-Border Transfers: When a new customer purchases a CES subscription, that customer s account information is always created, processed and stored in the United States regardless of the subsequent provisioning of such customer s accounts into its chosen regional cloud (i.e. U.S., Canada or EU). For example, upon receipt of a purchase order for CES from a new EU customer, such customer s account details are created in the CES administrative systems in the United States, even though the customer later chooses to provision the CES services to the CES EU Cloud. All subsequent data from such customer that is associated with the CES product function (i.e. Customer Account Information, Message Tracking, Reporting, Quarantine and Data Loss Prevention data) will then be processed in the EU Cloud. However, if customer has not chosen to Opt-Out of sending certain telemetry data to Cisco via the Senderbase Network Participation ( SBNP ), where Table 1 above specifies that IP addresses are processed for the purposes of Cisco global threat intelligence research, such SNBP processing is conducted by Cisco s global threat intelligence teams, Talos and TIP, which have data centers in the U.S. only. If a customer considers an IP address as personal data, please note this cross-border transfer of such personal data to the Talos and TIP data centers located in the U.S. Cisco CES leverages third party cloud hosting providers to provide the services globally, as follows: Table 2: Cisco CES, Talos and TIP Data Center Locations Data Center Locations: CES, Talos and TIP Equinix: The Equinix infrastructure for the CES cloud runs in the following regions: - USA: California - Canada - United Kingdom The Talos data centers run in the following regions: - USA: California, Texas, Virginia Amazon Web Services (AWS): The AWS infrastructure for the CES cloud runs in the following regions: - USA: Oregon, USA - USA: Virginia Switch: The Switch infrastructure for the CES cloud runs in the following region: - USA: Nevada Q9: The Q9 infrastructure for the CES cloud runs in the following region: - Canada KPN: The KPN infrastructure for the CES cloud runs in the following region: - Netherlands Vazata: The TIP cloud runs in the following region: - USA: Texas 3. Access control

3 Table 3: Access Control Personal Data processed by CES Who has access Purpose of the access Customer Customer account/contact information for product administration Cisco Employees Sales Administration, Licensing Operations, CES Operations Creating an account and validating license entitlements and general product support and operations. Customer Envelope Header Cisco Employees CES Operations staff only Providing security analytics and forensics for product usage. Data Header Customer Cisco Employees CES Operations staff only Providing security analytics and forensics for product usage. Body (only if the customer purchases and enables the Quarantine feature) IP Addresses Customer Cisco Employees CES Operations staff only Customer (only as part of Message Tracking Data, as described below) Cisco Employees CES Operations staff only Cisco Talos and TIP staff Providing security analytics and forensics for product usage. Security administration/maintain audit logs, and global threat intelligence research. 4. Retention Period / Deletion: A. Data Processed in the CES Cloud 1. Customer Account/Contact Information. Customer account information is currently retained indefinitely. Since this account information is processed in the U.S.A. prior to Customer provisioning to its selected CES regional cloud, such account information is also subject to daily backup to the colocation facility for that data center. When a customer terminates its CES subscription, it can specifically request that its account information be purged from Cisco s datastores and backups by opening a Cisco TAC case. 2. Message Tracking Data. Data stored in the Message Tracking feature of CES includes the Envelope Headers, Data Headers and IP Addresses* (collectively, the Message Tracking Data ). Message Tracking Data does not include the Body. The retention period for Message Tracking Data is tied to the amount of disk space available within the Message Tracking feature. For the average customer that sees approximately 40,000-60,000 s per hour, the expected default retention period is fourteen (14) days. However, if the customer has a lower than average volume, more disk space is available, so the customer may see retention periods of one (1) year or more. Outside of the default retention period, the customer may control Message Tracking Data retention by reallocating disk space for such data. The less space allocated, the shorter the retention period. Thus, even a customer with low volume can reallocate disk space to ensure a shorter retention period. In no event will the actual retention period be shorter than the default retention period noted in this section. Once the Message Tracking Data reaches the end of its then-current retention period, CES automatically deletes it via a First In, First Out process. While the Message Tracking feature is enabled by default, it may be disabled by the customer. Disabling the Message Tracking feature will limit the functionality of CES. Please see the CES documentation for more information.

4 *IP Addresses included in Message Tracking Data are accessible by the customer and subject to the retention period and deletion policies in these Message Tracking Data terms. 3. Reporting Data Data stored in the Reporting feature of CES includes information such as Envelope Header, Data Header and statistics and trends on volumes and verdicts (e.g. how many s were flagged as spam, how many were flagged as containing a virus, etc.) (collectively, the Reporting Data ). Reporting Data does not include the Body. The retention period for Reporting Data is tied to the amount of disk space available within the Reporting feature. For the average customer that sees approximately 40,000-60,000 s per hour, the expected default retention period is one (1) year. However, if the customer has a lower than average volume, more disk space is available, so the customer may see retention periods of more than a year. Outside of the default retention period, the customer may control Reporting Data retention by reallocating disk space for such data. The less space allocated, the shorter the retention period. Thus, even a customer with low volume can reallocate disk space to ensure a shorter retention period. In no event will the actual retention period for Reporting Data be shorter than the default retention period noted in this section. Once the Reporting Data reaches the end of its then-current retention period, CES automatically deletes it via a First In, First Out process. While the Reporting feature is enabled by default, it may be disabled by the customer. Disabling the Reporting feature will limit the functionality of CES. Please see the CES documentation for more information. 4. Quarantine Data. There are three types of Quarantines available: Spam, Policy and Dynamic/System Quarantines. Note that CES enables Spam Quarantine by default. Each type of Quarantine is triggered to hold data based on the applicable policy defined by the customer. The data captured and stored by each type of Quarantine includes the Envelope Header, the Data Header and the Body, (collectively, the Quarantine Data ). However, the overall Quarantine feature must be enabled for CES to store the Quarantine Data. The retention period for each type of Quarantine Data is tied to the settings defined for the type of Quarantine selected by the customer. The default retention period is fourteen (14) days for the Spam Quarantine, ten (10) days for Policy Quarantines and one (1) day or less for Dynamic/System Quarantines. After the applicable retention period expires, CES will treat the in accordance with the Quarantine policy set by the customer. Note that the CES s default Quarantine setting will delete s after the applicable retention period expires. Retention periods can be modified by the customer as required, subject to the total disk space allocated to the Quarantine feature. While only the Spam Quarantine feature is enabled by default, all three types of Quarantines may be disabled by the customer. Disabling the Quarantine feature will limit the functionality of CES. Please see the CES documentation for more information. 5. Data Loss Prevention Data. The Data Loss Prevention (DLP) feature of CES is not a default feature. It must be separately purchased, licensed and enabled. If customer purchases the DLP feature and enables the Matched Content Logging option, then Message Tracking will store the that portion of the Body that matches the customer created Matched Content Logging criteria for a DLP violation (the DLP Data ). The DLP Data supplements the information in the Message Tracking Data noted above. For example, if the customer sets its Matched Content Logging policy to track only credit card numbers, then only the credit card number that triggered the DLP violation will be logged and visible in the Message Tracking feature. The Matched Content Logging option must be enabled for CES to store the DLP Data. If Matched Content Logging is enabled, the retention period for the DLP Data is tied to the amount of disk space available within Message Tracking as noted above. For the average customer that sees approximately 40,000-60,000 s per hour, the expected retention period is fourteen (14) days. However, if the customer has a lower than average volume or more disk space is allocated, the customer may see retention periods of up to one year. Outside of the default retention period, the customer may control DLP Data retention by reallocating disk space for such data. The less space allocated, the shorter the retention period. Thus, even a customer with low volume can reallocate disk space to ensure a shorter retention period. In no event shall the actual retention period for DLP Data be shorter than the default retention period noted in this section. Once the DLP Data reaches the end of then-current retention period, it is automatically deleted. Matched Content Logging may be disabled by the customer after it has been licensed. Disabling the Matched Content Logging functionality will limit the functionality of CES. Please see the CES documentation for more information. 6. IP Addresses in Audit Logs.

5 IP Addresses are stored within CES audit logs for ninety (90) days. CES will purge these IP Addresses after the ninety (90) day retention period expires. For security purposes, Customers cannot request deletion of IP Addresses stored within audit logs. 7. Deletion of Customer s CES Account upon Expiration/Termination of CES Subscription. Once a customer s CES subscription expires or terminates, CES automatically flags the applicable account for decommissioning. All customer data associated with such customer s CES service will be deleted within forty-five (45) days of the decommission flagging, unless a shorter time period is requested by the customer. However, any IP addresses within audit logs will remain in CES until their ninety (90) day retention period expires. B. Data Processed within the TIP and Talos Clouds: Senderbase Network Participation 1. Talos Cloud. If customer does not Opt-out of SBNP telemetry collection within CES, then the IP addresses collected as part of that telemetry data are retained indefinitely in the Talos cloud. Choosing to Opt-out of SBNP may degrade the threat intelligence provided to customer by Cisco as part of CES. A customer may request deletion of a specific IP Address in the Talos cloud by opening a Cisco TAC request. 2. TIP Cloud If customer does not Opt-out of SBNP telemetry collection withn CES, then the IP addresses collected as part of that telemetry data are retained in the TIP cloud for four (4) months. The IP addresses are automatically deleted upon the expiration of such retention period. A customer may also request deletion of a specific IP Address in the TIP cloud by opening a Cisco TAC case. Choosing to Opt-out of SBNP may degrade the threat intelligence provided to customer by Cisco as part of CES. 5. Personal Data Security Table 4: Encryption Personal Data processed by CES Customer account/contact information for product administration Envelope Header Data Header Body IP Address Type of Encryption CES cloud: Talos/TIP clouds: Data in transit only: TLS encryption 6. Third Party Service Providers

6 Cisco utilizes third party cloud hosting providers who can contract to provide the same level of data protection and information security that customers can expect from Cisco. Table 5: Third Party Service Providers. List of Third Parties Purpose of 3rd Party Processing Location Certification Link Equinix CES leverages Equinix data centers to help provide a global service footprint, security assurance, service elasticity and resilience to CES. United Kingdom; Canada; USA: California --CA facilities: - San Jose: ISO 27001, SOC 1 Type II, SOC 2 Type II. - Santa Clara: ISO 27001, SOC 1 Type II, SOC 2 Type II. - Sunnyvale: ISO 27001, SOC 1 Type II, SOC 2 Type II. --UK facility has ISO 27001, SOC 1 Type II, SOC 2 Type II. --CAN facility has ISO 27001, SOC 1 Type II, SOC 2 Type II. Talos leverages Equinix data centers for its global threat intelligence research USA: California, Texas, Virginia --VA facility has NIST /FISMA, ISO 27001, SOC 1 Type II, SOC 2 Type II, PCI DSS and HIPPA. --CA facility (Sunnyvale) has ISO 27001, SOC 1 Type II, SOC 2 Type II. --TX facility has NIST /FISMA, ISO 27001, SOC 1 Type II, SOC 2 Type II, PCI DSS and HIPPA. Amazon Web Services (AWS) CES leverages AWS data centers to help provide a global service footprint, security assurance, service elasticity and resilience to CES. USA: Oregon; Virginia Switch Q9 CES leverages the Switch data center to help provide a global service footprint, security assurance, service elasticity and resilience to CES. CES leverages the Q9 data center to help provide a global service footprint, security assurance, service elasticity and resilience to CES. USA: Nevada, SSAE 18 SOC I Type 2, SOC II Type 2 Canada SSAE 18 SOC I Type 2 KPN CES leverages the KPN data center to help provide a global service footprint, security assurance, service elasticity and resilience to CES. Netherlands ISO27001 Vazata TIP leverages the Vazata data center for its global threat intelligence research. USA: Texas SSAE 18 SOC I Type 2

Privacy Data Sheet. This Privacy Data Sheet describes the processing of personal data (or personal identifiable information) by Cisco Threat Grid.

Privacy Data Sheet. This Privacy Data Sheet describes the processing of personal data (or personal identifiable information) by Cisco Threat Grid. Cisco Privacy Data Sheet This Privacy Data Sheet describes the processing of personal data (or personal identifiable information) by Cisco Threat Grid. Overview of Cisco Capabilities Cisco offers a cloud