Nozomi Networks 트러스트 센터

회사는 광범위한 주제를 다루는 포괄적인 보안 정책을 개발했습니다. 이러한 정책은 Nozomi Networks 정보 자산에 액세스할 수 있는 모든 직원 및 계약업체와 공유되고 제공됩니다.

Nozomi Networks 인력 보안의 핵심 요소 중 하나는 보안 인식 교육 프로그램입니다. 모든 직원은 채용 시와 그 이후에도 매년 이 교육에 의무적으로 참석해야 합니다. 또한 보안팀은 다양한 채널을 통해 정기적으로 보안 인식 업데이트를 제공합니다.

직원 신원조회는 Nozomi Networks 인사 보안 관행의 또 다른 중요한 측면입니다. 회사는 현지 법률에 따라 모든 신입 직원에 대해 신원 조회를 실시합니다. 이러한 신원 조회는 계약자에게도 요구되며 범죄, 교육 및 고용 확인을 포함합니다.

모든 신규 채용자는 민감한 정보를 보호하기 위해 기밀 유지 및 기밀 유지 계약서에 서명해야 합니다.

Nozomi Networks 정보 자산에 대한 적절한 액세스(및 해지)를 보장하기 위해 엄격한 온보딩 및 오프보딩 요건을 갖추고 있습니다.

Nozomi Networks 시스템에 연결된 엔드포인트, 특히 민감한 정보에 액세스할 수 있는 엔드포인트에는 엄격한 제어가 적용됩니다. 이는 전체 IT 보안 프레임워크의 필수적인 부분입니다.

지속적인 모니터링은 모든 데이터베이스 액세스를 기록하고 중앙 집중식 시스템으로 로그를 전송합니다. 관리 액세스, 권한 있는 명령의 사용 및 기타 액세스 활동이 기록 및 보관됩니다. 로그 정보는 변조 및 무단 액세스로부터 보호됩니다.

일련의 보호 도구를 배포하여 멀웨어, 악성 코드, 안전하지 않은 애플리케이션으로부터 서버와 노트북 및 데스크톱과 같은 엔드포인트 디바이스를 보호하고 모니터링합니다.

민감한 정보가 포함된 사무실, 컴퓨터실 및 작업 공간에 대한 접근은 승인된 직원만 물리적으로 제한됩니다. 직원들은 출입 카드를 사용하여 사무실에 출입하고 방문자 로그를 관리합니다. 건물을 모니터링하기 위해 감시 카메라와 보안 조치가 마련되어 있습니다. 물리적 보안 감사를 실시합니다.

The Acceptable Use of Technology Policy outlines the guidelines for using technology resources at Nozomi Networks. It emphasizes responsible and diligent conduct to protect company assets from loss, compromise, or harm. The policy covers various aspects such as data management, use of email, computers, software installations, mobile phones, internet access, public Wi-Fi, VPN, communication services, phishing/scam emails, Dropbox, removable media, accounts and secrets, passwords, cloud services, and generational AI models. Non-compliance with the policy may lead to disciplinary actions, including termination of employment.

The Access Control Policy establishes requirements for authentication, authorization, and accounting (AAA) to ensure the security of Nozomi’s assets and information processing facilities. It mandates that access is limited to authorized personnel only, based on the principles of least privilege and need-to-know. The policy covers user access management, system and application, access control, and access to networks and hosted services. It also includes provisions for audit controls, user registration and de-registration, privileged access rights management, and periodic reviews of access rights. The policy applies to all Nozomi employees, contractors, and anyone with access to Nozomi’s resources and network.

The AI Policy document outlines guidelines for the development, implementation, use, and monitoring of AI and machine learning (ML) technologies within Nozomi Networks. It emphasizes responsible and ethical AI/ML system development, ensuring compliance with regulatory standards like the EU AI Act. The policy covers all AI/ML systems embedded in Nozomi Networks’ software and services, as well as third-party AI tools used within the organization. Key principles include fairness, transparency, data privacy, and security. The policy applies to all employees, contractors, and third-party vendors, aiming to enable innovation while adhering to legal and regulatory requirements.

The Business Continuity Policy outlines the framework and requirements for Nozomi Networks’ Business Continuity Plan (BCP), ensuring consistent availability and delivery for products, operations, and services, while maintaining the safety of personnel during disasters or disruptions. The policy emphasizes leadership commitment, roles and responsibilities, risk assessment, communications plan, continuity and recovery objectives, disaster recovery plan, functional business continuity plan, exercise and testing, performance evaluation, continual improvement, and adherence to legal and contractual obligations.

The Change Management Policy outlines the responsibilities and procedures for managing changes to Nozomi Networks’ information assets, including physical and virtual network devices, software products, internal information systems, and customer-deployed applications. It emphasizes the importance of identifying, tracking, planning testing, and approving changes while assessing potential risks and communicating details to relevant stakeholders. The policy also includes fallback procedures for aborting and recovering from unsuccessful changes and mandates that all exceptions involving security reviewed and approved by the appropriate manager. This policy applies to all employees and contractors involved with the development, management, and support of these assets.

The data handling policy outlines the guidelines for managing and protecting data at Nozomi Networks. It covers data classification, disposal, and retention, ensuring that all data, whether stored physically or virtually, is handled securely. The policy mandates encryption for sensitive data, regular audits, and proper labeling. It also specifies the retention periods for different types of data and the secure disposal of records and storage media. The policy applies to all Nozomi Networks employees and contractors, emphasizing the importance of protecting data to prevent unauthorized access or breaches.

The Encryption Policy outlines the cryptographic controls and key management practices for protecting sensitive information at Nozomi Networks. It mandates the use of state-of-the-art cryptographic solutions for data-at-rest and in transit, based on international standards like NIST SP 800-131a and approved algorithms such as AES for confidentiality and SHA-256 for integrity. The policy covers various types of information, including customer data, PII, passwords, intellectual property, and compliance records. It also specifies that encryption mechanisms must meet regulatory and legal requirements and be approved by IT or the CTO.

The Human Resources Security Policy outlines the procedures and guidelines for managing the hiring, training, and termination of employees and contractors at Nozomi Networks. It includes background verification checks, contractual agreements, and mandatory information security training for all staff members. The policy also details the responsibilities of employees, managers, compliance, and IT in ensuring timely completion of training and enforcing access restrictions for non-compliance. Additionally, it addresses the termination process, including the immediate disabling of access to company information and facilities, and the return of company property. The policy is classified and confidential.

The Information Security Policy outlines Nozomi Networks’ commitment to developing, delivering, and operating cybersecurity and visibility solutions for industrial control systems with the highest level of security, integrity, and availability. The policy aims to protect corporate information, personal information, and customer data against loss, unauthorized access, and disclosure. To achieve this, Nozomi Networks has implemented an Information Security Management System (ISMS) according to the ISO 27001:2022 standard. The ISMS includes applicable policies, processes, and measurable controls relevant to business functions, and it takes input from customer requirements, contractual agreements, and the needs of interested parties. The policy emphasizes leadership commitment, periodic risk assessments, and continual improvement to maintain stakeholder trust and support business objectives.

The Office Management Procedure document outlines the requirements for guest access, badge issuance, and access control to the computer room at Nozomi Networks. It specifies that all guests must report to the Office Manager upon arrival, and their visit details are recorded in a visitor log. The Office Manager is responsible for managing access to the offices and issuing badge access cards to employees and multi-day visitors. The IT Manager controls physical access to the computer room, ensuring that only authorized personnel are allowed entry. The document also includes references to the Office Security – Badge Issuance procedure and emphasizes the importance of maintaining a secure access control system.

The Operations Security Policy outlines the measures to ensure the security, availability, and integrity of Nozomi Networks’ information assets. It covers control of critical systems, system environment control, monitoring and logging, backup and recovery, vulnerability management, and secure configuration. The policy mandates that all personnel involved with system operations adhere to documented procedures for changes, software installations, and patching. It also emphasizes the importance of segregating operational environments, enabling logging and monitoring functions, regular backups, vulnerability assessments, and implementing robust access control and network security measures. The policy is applicable to all employees and contractors.

The Physical Security Policy ensures the physical of all Nozomi Networks offices and information processing centers. It covers designated restricted areas, physical access records, access control, equipment control, visitor control, clear desk policy, and incident management. The policy mandates that access controls are implemented and maintained, access records are kept, equipment is safeguarded, visitors are escorted, and incidents are promptly investigated and resolved. The policy is applicable to all Nozomi Networks employees and contractors.

The Privacy Policy outlines Nozomi Networks’ commitment to protecting personal information and ensuring compliance with relevant privacy laws. It covers the collection, use, and safeguarding of personal data, emphasizing principles such as data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. The policy also details the rights of individuals, including the right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automation decision-making and profiling. Overall, the policy aims to maintain transparency and build trust with stakeholders by adhering to internationally recognized standards for data protection privacy.

The Quality Policy of Nozomi Networks aims to establish the company as a global leader in providing advanced solutions for protecting operational technology (OT) and industrial control systems (ICS) from cyber threats. To achieve this, Nozomi Networks has implemented a Quality Management System (QMS) in accordance with ISO 9001:2015 standards. This system ensures that processes are managed to meet the requirements of customers and stakeholders, regardless of the company’s size and footprint. All employees and contractors are responsible for adhering to the QMS and applicable laws and regulations. The company is committed to continuous improvement by setting objectives, verifying results, and applying corrective actions when necessary.

The Security Incident Management Policy outlines the procedures for handling information security incidents at Nozomi Networks. It applies to all employees, contractors, systems, products, services, and any information managed by the company. The policy emphasizes the responsibility of employees and contractors to protect confidential information, report cyber threats, and participate in containment efforts. Incident management involves detections, containment, investigation, eradication, recovery, and lessons learned. The response to incidents follows documented procedures and reporting methods adhering to the NIST 800-61 standard. Confidentiality is maintained throughout the process, with senior management authorized to disclose specific information to third parties.

The System Development, Acquisition, and Maintenance Policy outlines the procedures and standards for developing, acquiring, and maintaining systems, software, and application services at Nozomi Networks. It emphasizes the inclusion of information security requirements throughout the planning, development, and deployment phases of new products, services, or systems. The policy mandates a formal development methodology aligned with industry standards such as ITIL, DevOps, and Agile, and includes phases like requirements gathering, system design, implementation, testing, deployment, operation, and maintenance. Additionally, it covers the end-of-life process for IT applications and the criteria for system acquisition, ensuring security and compliance with regulations and industry standards.

The Teleworking Policy outlines the guidelines for employees and contractors who work from locations other than a designated Nozomi Networks office. It covers eligibility criteria, types of telework arrangements, readiness evaluation, teleworking guidelines, equipment provisions, security measures, and workers’ compensation insurance. The policy emphasizes the importance of maintaining a secure and distraction-free work environment, protecting company assets and information, and adhering to specific security protocols. It also specifies that teleworking employees are covered by workers’ compensation insurance for job-related injuries.

먼저 위험을 파악하고 그 위험이 Nozomi Networks 서비스 및 회사와 어떤 관련이 있는지 이해하는 것부터 시작합니다.

그런 다음 위험을 평가하거나 순위를 매겨 전체 조직에 대한 잠재적 노출에 대한 전체적인 관점을 확보합니다.

평가 결과에 따라 적절한 위험 처리 프로세스에 따라 위험을 처리합니다.

마지막으로, 모든 위험 요소를 면밀히 주시하기 위해 지속적으로 위험을 모니터링하고 검토합니다.