IV. How Is Data Transmitted? Network Security Management
a. Network Controls
CA utilizes firewalls for access control between CA’s networks and the Internet. Firewall access is restricted to a small set of super users/administrators with appropriate approvals. Firewalls are established with minimum rights necessary to accomplish tasks by role and access is authorized on a “deny by default” policy.
Periodic network vulnerability scans are performed and any critical vulnerabilities identified are promptly remediated. In addition, penetration tests are performed by security professionals, both CA employees and third parties.
b. Network/Communication Security Policy/Encryption
Access Control Lists (ACLs) defined to restrict traffic on routers and/or firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific and anonymous connections are prohibited.
Customer data is encrypted while in transit over any public or wireless network (wireless networks are not used in SaaS Offerings), using CA’s Secure File Transfer Protocol (SFTP) to transmit flat files.
CA utilizes an information protection and control solution that is designed and administered to minimize the accidental, negligent and malicious misuse of data through email and other communications aimed outside of CA’s firewalls (e.g. a data loss prevention [DLP] solution).
c. Remote Access Administration
The following remote access settings are applicable:
- Unauthorized remote connections from devices (e.g. modems) are disabled as part of standard configuration.
- The data flow in the remote connection is encrypted and multi-factor authentication is utilized during the login process.
- Remote connection settings limit the ability of remote users to access both the initiating network and the remote network simultaneously (no split tunneling).
d. Third Party Remote Access
Remote access by dependent third-party service providers (i.e. subcontractors) adheres to the same or similar controls, and any subcontractor remote access has a valid business justification.
e. Removable Media
Removable media is not in use for the delivery of CA Technologies SaaS offerings. In addition, all laptops and other removable media on which Customer data is stored, such as backup tapes, are encrypted.