In order to maintain the security and privacy of data we hold, DigiCert (and its affiliated group companies, hereafter “DigiCert”) has implemented and maintains a set of controls (e.g., policies, practices, procedures, and mechanisms) that minimize vulnerabilities against threats of unauthorized and inadvertent observation, disclosure, use, modification, endangerment and destruction. Having these controls in place and adhering to them ensures that we can adequately address and mitigate security and privacy risks.
DigiCert’s technical and organizational controls align with industry standards and business needs to achieve appropriate levels of privacy and security. The following list of controls outline DigiCert’s minimum baseline of standard practices to safeguard data.
- Policy and Document Management – DigiCert keeps, reviews annually at minimum, and tests an Information Security Policy, Business Continuity Plan, Disaster Recovery Plan, and Incident Response Process. DigiCert maintains and updates as necessary an intra-group data sharing agreement and appropriate vendor Data Processing Agreements. In addition to publicly posted privacy notices applicable to DigiCert products and services, DigiCert also maintains and reviews/updates on an annual basis an internal Framework Privacy Policy, governing privacy standards and processes applicable to DigiCert.
- Network Security Controls – DigiCert’s System Administrators ensure that publicly accessible information system components (e.g., public web servers) reside on separate sub-networks with separate physical network interfaces. DigiCert’s System Administrators also ensure that controlled interfaces protecting the network perimeter filter certain types of packets to protect devices on DigiCert’s internal network. Firewalls and boundary control devices are configured to allow access only to what is necessary to perform DigiCert’s operations.
- Database Security Controls – All access (via system or directly by personnel) to DigiCert databases is logged and monitored for unauthorized changes. Data is encrypted in databases using an industry-recommended cipher, and direct access is limited to roles as specified by DigiCert’s Information Security Policy and Certification Practices Statement.
- Access Controls and Authentication – All user interactions with DigiCert systems are traceable to the individual performing such actions and all users must be positively identified prior to being able to interact with DigiCert systems. DigiCert personnel must first authenticate themselves to DigiCert systems before they are allowed access to any components of the system necessary to perform their trusted roles and roles are defined by DigiCert’s Certification Practices Statement and Information Security Policy. User accounts and other types of access to DigiCert computer systems must be approved in accordance with the User Access Policy. Both physical and logical controls, as outlined in applicable policies, to authorized individuals are reviewed periodically and, at minimum, yearly.
- Personnel Controls – All DigiCert employees and other workers with access to DigiCert data and/or systems are subject to confidentiality agreements and are required to pass background checks and have specific, role-based trainings. DigiCert maintains and enforces policies and procedures for trusted roles, identification and authentication for each role, sanctions for unauthorized actions, separation of duties, employee badging, and immediate removal of system access for terminated employees/workers.
- Physical Security Controls – Access to every office, computer room, and work area containing sensitive information is physically restricted. All office doors have a lock, and all entrance doors to DigiCert facilities are always locked. These doors are accessible by an Access Card or other access control device, which is issued upon confirmation of a clean background check. DigiCert data centers, cage, and offices are monitored by CCTV. The secured cage requires biometric and dual custodian personnel for access. All access is logged.
- Vulnerability Management/Patching – Monthly scans are performed on all DigiCert assets using vulnerability detection tools. Systems requiring remediation are required to be patched within timelines defined by Global Security Operations. Timelines are based on the assigned Common Vulnerability Scoring System (CVSS) score. Critical and high vulnerabilities are patched within 72 hours or have a plan of action created, medium vulnerabilities are patched or have a plan of action created within 30 days, and low/information vulnerabilities are patched at DigiCert’s discretion.
- Comprehensive Internal Assessment – DigiCert performs an annual comprehensive risk assessment to identify all of the reasonably foreseeable internal and external threats to security, privacy, confidentiality, and integrity.
- Penetration Assessment/External Assessment – At least one third-party penetration assessment is conducted each year. DigiCert typically performs multiple penetration tests per year on code, infrastructure, and systems as well as completing red team assessments.
- Training and Awareness – All employees and other workers are required to undergo annual privacy, security, and compliance trainings. Employees or others handling personally identifiable information and sensitive information receive additional training. All workers with access to DigiCert systems and/or data are required to adhere to policies and procedures for proper data handling, such as DigiCert’s Information Security Policy, Code of Conduct, and Acceptable Use Policy.
- Third-Party Access Controls – DigiCert’s contracts with third parties who may access DigiCert systems or data adequately address security and privacy requirements. These third parties are also subject to a privacy and security impact assessment and risks are mitigated prior to access.
- Data Protection in Storage and Transmission – All data stored in DigiCert systems is encrypted using an industry-recommended cipher. Likewise all data transmitted within DigiCert systems worldwide is encrypted in transit using an industry-recommended cipher.
- Storage, Retention, and Deletion – Information stored physically or electronically have the appropriate technical controls determined by the level of data classification. Information is deleted in accordance with our CP/CPS and applicable privacy notices.