McAfee Enterprise Information Security Overview


McAfee Enterprise Information Security Overview, 2019

Table of Contents

The McAfee Pledge
Introduction
Office of the Chief Information Security Officer (OCISO)
Information Security Management System
Information Security Risk Management
Security Is Everyone’s Responsibility
Working on a Secure Network
Cloud Security
Data Protection
Lawful Transfer of Personal Data
Developing Secure Products
Maintaining Availability
McAfee Cybersecurity Fusion Center
Incident Response
Reporting
Learn More
About McAfee

The McAfee Pledge

We are McAfee. We make the world a safer place. This is our pledge. Our cybersecurity expertise is foundational to how the world views McAfee. The outcomes we drive matter. That’s why each and every day we use our talent to create technology that safeguards human progress. We consistently, reliably, and effectively protect all that matters through leading-edge cybersecurity, from the workplace to the home and everywhere in between. But we are known for more than what we do. We also are revered for who we are. Our integrity informs every action we take and every word we speak. You are the reason our brand is trusted to protect companies large and small, as well as organizations and governments around the globe, not to mention hundreds of millions of people connected through the transformational power of technology.

How we do business defines us. That’s why we steadfastly draw on our courage to fight cybercrime, even as our adversaries relentlessly turn the promise of technology against all of humanity. We gladly collaborate with competitors for the higher good. And we partner with the U.S. government, national agencies, and international law enforcement to ensure our deep knowledge and compelling innovations have the greatest impact in efforts to defend our country and the free world.

How we treat one another and our stakeholders—from customers and partners to suppliers and the communities where we work and live—is characterized by our core values. That’s why each of us is responsible for living our Code of Conduct, which includes deliberate and full compliance with the letter and spirit of the law as well as ethical behavior. Our Code of Conduct ensures that our values inform every project, every team, every office, and every relationship that we earn around the world.

Not only do we make the world a safer place, but by making a personal pledge to act honestly, ethically, and with full diligence in support of our Code of Conduct, we also make the world a better place.

Chris Young
CEO, McAfee

Introduction

This document provides an overview of the McAfee Enterprise Information Security Program.

Office of the Chief Information Security Officer (OCISO)

Information security is at the core of McAfee and has the full support and commitment from our CEO and top executives.

McAfee has implemented a centralized, global information security program led by the Office of the Chief Information Security Officer (OCISO). The OCISO organization is comprised of five main sub-organizations to support the confidentiality, integrity, and availability of McAfee information, assets, products and services, and those that are entrusted to us. Those sub-organizations are:

Governance and Assurance
Security Architecture
Security Engineering: Device, Network and Cloud
Security Intelligence: Fusion Center, Physical Security, and Industrial Security
Product Security and Vulnerability Management

The OCISO organization is customer zero at McAfee. We use our own McAfee products throughout the enterprise to prevent, detect, and respond to cyberthreats that affect our business. By operating as customer zero, we are able to provide our product management teams valuable feedback which helps to ensure that the McAfee products we deliver to our customers are best in class.

With CEO and top executive commitment to information security and a global CISO-led security organization, McAfee engages, trains, and expects the entire workforce to exercise security in their daily role, as security is everyone’s responsibility.

Information Security Management System

The McAfee Information Security Management System (McAfee ISMS) is at the core of the global information security program. It is designed to ensure that a risk-based approach is taken for the selection, implementation, and monitoring of appropriate security controls throughout the organization.

The baseline security controls that comprise the McAfee ISMS are based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 and are further derived into management, operational, and technical categories. Industry standards, best practices, and additional security control frameworks may be used for specific zones and products beyond the McAfee baseline, such as Payment Card Industry Data Security Standards (PCI DSS), FedRAMP, ITGC/SOX, and others.

A set of internal policies and procedures govern the implementation, monitoring, and effectiveness of the security controls.

Governance of the McAfee ISMS is maintained by management system reviews and operational reviews, focused on security operational control monitoring.

The McAfee ISMS aligns with and is certified to ISO/IEC 27001:2013.

Information Security Risk Management

As part of the McAfee ISMS, McAfee Information Security Risk Management (McAfee ISRM) is critical for ongoing identification of threats, vulnerabilities and risks to the enterprise.

The McAfee ISRM consists of three tiers:

Technology
Third Party
Organization

Each tier comprises four phases to complete the McAfee ISRM process:

Identify
Evaluate
Assess
Manage

Each tier of the McAfee ISRM is built into existing business processes to provide continuous identification and management of risks. Information security risks are captured into a risk register and reported. McAfee ISRM provides input into the McAfee ISMS baseline security controls.

Security Is Everyone’s Responsibility

The high level of security at McAfee relies on a well-trained workforce.

Where permitted under applicable law, McAfee employees are screened prior to hire, including undergoing and passing background checks. McAfee personnel are required to acknowledge and consent to McAfee security and privacy policies once onboarded, including confidentiality obligations.

Once onboarded, McAfee personnel receive annual security awareness and data protection training as well as more detailed, role-based training where appropriate. In addition to training, ongoing security awareness activities based on identified risks and best practice are conducted throughout the year, such as the McAfee Immersive Phishing Program. As part of this program, McAfee personnel receive, at a minimum, one monthly simulated phishing email. Those who fall susceptible receive targeted training focused on identifying and reporting phishes.

Working on a Secure Network

The McAfee network is based on a segmented architecture, where certain zones are authorized for certain types of data processing, which then correspond to specific security controls.

Change management and security management enable McAfee to stay up to date on patches using centrally managed tools for deployment. In addition, production changes are run through the McAfee Change Advisory Board (McAfee CAB) for documentation and approval as necessary.

Computer systems on the McAfee networks and computer systems used for McAfee business purposes have current, approved security and malware protection measures in place. McAfee implements malware protection at a variety of locations, including, but not limited to, the network, data centers, endpoints, servers, and email infrastructure. Logical access means are tested to determine their resistance to attacks and help to avoid any degradation or unwanted deletion.

McAfee performs vulnerability scanning monthly, at a minimum, against the internal infrastructure and at a minimum weekly externally to help ensure the latest content, operating system, and application-level updates are applied.

Attack and penetration (A&P) testing is generally performed annually and performed quarterly in certain zones with critical data (such as the PCI zone) on existing services. New services are tested prior to production implementation. A&P testing is conducted using a combination of internal McAfee resources and external service providers.

Remediation of vulnerability scans and A&P is prioritized based on the severity of the vulnerability.

Third parties are not granted access to internal McAfee systems without appropriate contractual agreements and security processes in place to appropriately protect McAfee data and assets.

Mobile devices connected to the McAfee network and information are required to be managed, helping to ensure that our mobile security controls are implemented and monitored. Additionally, mobile devices are not allowed to connect to our segmented production environments where customer data may be stored, processed, or transmitted. It is against company policy for McAfee information to be transferred or otherwise copied to a non-managed application or service.

Cloud Security

McAfee understands that cloud data security is critical. The security team works closely with our IT, engineering, and legal teams to understand and implement the required security controls for the relevant frameworks associated with cloud computing.

Cloud management plane access is restricted following identity and access management (IAM) best practices, including utilizing multifactor authentication (MFA).

Asset discovery tools are implemented, and relevant data security technologies are used to protect McAfee information, including that of our customers, in McAfee-controlled environments. Technologies implemented include data loss prevention (DLP) and encryption (client-side and server-side), as well as obfuscation, anonymization, tokenization, and masking. Continuous auditing occurs to highlight and help prevent possible data exposures.

External-based perimeter assessments are performed at least weekly to significantly limit the attack vector and reduce the attack surface.

Data Protection

Data protection is a high priority for McAfee. Regardless of whether data is processed (collected, used, retained, disclosed, disposed, or otherwise acted on) on the McAfee network, on a third-party vetted and approved cloud network, or on a “bring your own device,” security controls are in place that are designed to ensure protection.

McAfee requires the use of appropriate cryptographic controls to protect personal data—also known as personally identifiable information (PII) and personal information—in transit and at rest on removable media. This includes hard disk encryption on endpoints, including laptops.

McAfee data protection policies are designed so that access to all information assets is granted in a controlled manner based on the requester’s “need-to-know,” subject to the approval of the designated information asset owner and consistent with the “least privilege” principle.

Lawful Transfer of Personal Data

McAfee has executed internal IntraGroup Agreements for lawful transfer of personal data by McAfee and has submitted Controller and Processor Binding Corporate Rules applications, with Ireland as the lead regulator. The McAfee MVISION Cloud products (formerly Skyhigh Networks) have self-certified compliance with the Privacy Shield Framework. McAfee offers a Data Processing Agreement for customers upon their request.

Developing Secure Products

McAfee applications, whether purchased or developed internally, are subject to a release-to-production security review process.

McAfee product software, IT applications, and cloud services are designed for security and privacy (using Security and Privacy by Design principles), while rigorous procedures are in place to find and remove security defects throughout the software lifecycle. These procedures define the McAfee Security Development Lifecycle (McAfee SDL), which consists of 32 technical, operational, and enterprise-level activities and reinforces our commitment to building secure software.

Please review the McAfee Product Security Practices document for more information: c/ms-productsoftware-security-practices.pdf.

A subset of our McAfee products has obtained independent third-party validation through SOC 2 Type II Accreditation, FedRAMP Authorization, and others. Please visit the McAfee Trust site to review security compliance certifications for specific McAfee products: trust.mcafee.com.

McAfee Public Sector (FIPS 140-2, 186 and Common Criteria): blic-sector/product-certifications-list.aspx.

Maintaining Availability

McAfee recognizes that business continuity management and disaster recovery are holistic management processes and maintains a comprehensive corporate framework addressing continuity of operations that includes emergency response, crisis management, business continuity, and disaster recovery.

McAfee has business continuity plans with respect to significant business disruptions of critical operations. Such plans are structured to redirect and support McAfee and its customers in the event of an unexpected, harmful, or destructive incident. Core business services are replicated across McAfee offices and data centers. Should one site fail, services are redirected to other sites.

McAfee leverages, among other practices, the following business continuity strategies:

Relocating impacted businesses to designated recovery locations
Using redundant processing capacity at other locations
Rehearsing and testing recovery procedures

McAfee Cybersecurity Fusion Center

The McAfee Cybersecurity Fusion Center is where physical security and cybersecurity converge. Merging logical and physical security in the state-of-the-art McAfee Cybersecurity Fusion Center helps to ensure that all types of events, incidents, and cyberattacks are detected and responded to in a timely manner.

The McAfee Cybersecurity Fusion Center’s operations team identifies, hunts for, and reacts to threats. The tools used for these activities consist primarily of McAfee products supporting the customer zero concept.

McAfee facilities utilize cameras and locks/key card/badge access, which are monitored in its physical security practice. The McAfee Cybersecurity Fusion Center is physically and logically geo-redundant to maintain continuity.

Incident Response

McAfee maintains multiple information security incident response teams that follow established procedures for incident response training, testing, handling, monitoring, reporting, and response assistance. These procedures help control and minimize the impact of an information security incident by defining the appropriate team and process by which to report and address an incident.

Reporting

The OCISO organization holds weekly operational reviews focused on security operations metrics, such as number of incidents, time to detect, and time to respond. This is part of overall McAfee ISMS governance.

Learn More

To learn more about McAfee security practices in our business and in our products, please visit the McAfee Trust site: trust.mcafee.com.

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all. www.mcafee.com.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system or network can be absolutely secure. This document is for informational purposes only, may not be incorporated into any contract, and is subject to change at McAfee’s sole discretion. Nothing in this document will be interpreted to be a commitment, promise, or legal obligation on the part of McAfee.

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2020 McAfee, LLC. 4400 0120 JANUARY 2020
