Corporate Information Security
At SUSE, we take information security seriously; it is an important aspect of our daily operations. The following text provides high-level information on how we approach this topic at the corporate/organizational level.
Governance
At SUSE, we have defined information security roles and responsibilities. A dedicated cybersecurity team, led by our CISO, is responsible for information security within the organization; its members are located in several countries. This team cooperates closely with other teams within SUSE, including the legal department, the compliance team, the privacy team (including the data protection officer), and the team responsible for the security of our products. The team has implemented ISO/IEC 27001 and its privacy extension ISO/IEC 27701 in full scope, covering all clauses, and has obtained two certifications from NQA attesting our compliance with these standards across our entire business in all locations.
Information Security Policy
At SUSE, we have a documented Information Security Policy that defines the security framework, the security principles and the protected entities, as well as a classification scheme for information.
This policy, like all of our ISMS-related policies, is reviewed regularly and at least once a year.
Asset Management
IT assets at SUSE are managed and documented in an asset repository that is updated regularly.
Personnel Security and Awareness
Background checks are conducted in accordance with applicable law. SUSE employees are required to follow the company's guidelines on business ethics and confidentiality and are bound by non-disclosure or confidentiality rules. All newly hired employees must complete mandatory security training, and security awareness is maintained on a continuous basis.
Change Management
At SUSE, we control and manage changes to services and the associated IT infrastructure components. SUSE has established internal bodies that decide on the deployment of changes, and security evaluation is part of this decision-making process.
Third Party Security
At SUSE, we have measures in place to mitigate the risk that a supplier does not follow applicable law or operates with a low level of information security. We have established an internal body and documented processes to govern third-party security.
Vulnerability Management and Patch Management
At SUSE, we have a dedicated Vulnerability Management Policy. Vulnerability management helps us discover previously unpatched and/or unmitigated vulnerabilities in systems and applications, and we have a formal process to monitor security vulnerabilities. The vulnerability management process is initiated and coordinated by the security team and consists of six stages: preparation, communication, vulnerability assessment of SUSE products and internal SUSE systems, evaluation of findings, remediation, and validation.
Security patches and updates to applications, operating systems and network infrastructure are applied to reduce exposure to known vulnerabilities. Our patch management program defines specific timescales for patching based on the criticality of the vulnerability.
Authentication and Authorization
Our Access and Password Management Policy defines requirements for authenticated access, basic password rules, account lockout (accounts are locked after 5 unsuccessful attempts and an alert is raised), disclosure and storage of passwords, strong authentication (multi-factor authentication is used), privileged access, technical access, and system communication. Passwords must be at least 14 characters long and contain at least lowercase and uppercase letters. User passwords do not expire, which is consistent with current NIST SP 800-63B guidance against forced periodic rotation.
Software Development Lifecycle
At SUSE, we focus on managing development securely and effectively. Security is addressed throughout the whole software development lifecycle, and SUSE has a dedicated security team for our products.
Incident Management
In case of an information security incident, SUSE has a documented Incident Management Process that defines the major incident management steps, including identification, evaluation and closure. We also pay attention to the communication of security incidents: a Crisis Communication team is responsible for communicating all security incidents internally and/or externally.
Network Security
At SUSE, all network entry and exit points are protected by at least one layer of firewalling. The wired LAN is completely isolated, with no access to internal SUSE resources or internal DNS. Guest wireless is segregated by firewall policy and has no access to SUSE internal networks.
Physical Security
We have implemented a Physical Security Policy that defines requirements for protecting SUSE's physical information systems and includes standards for secure and safe operations. Physical security controls are implemented in our data center, computer rooms and office space, including fire detection systems, access control systems and CCTV cameras.
Anti-virus and Anti-malware Protection
We use an up-to-date antivirus solution with automatic updates and apply a multi-layer, defense-in-depth model to our anti-malware program across our environment.
Management Systems
We have introduced an Information Security Management System and a Privacy Information Management System (ISMS and PIMS). When defining these systems, we relied on the best practices stated in ISO/IEC 27001 and ISO/IEC 27701, as well as in other standards. As part of these systems, we have prepared the following ISMS, PIMS and other related policies and procedures. For security reasons, we do not provide their full text here, but only their tables of contents.
The text above does not describe the information security of our products. Please note that the text above does not constitute a legally binding statement. Information security is a continuous process; for the most up-to-date information, please seek confirmation from a SUSE representative.