
Information Security Practices

The policies, procedures and physical and technical safeguards we have implemented to protect customer data.

I. Security by Design

a. Secure Code Development

All CA developers are required to follow CA’s Product Securability Policy and Procedure, which sets securability standards, strategies and tactics for each phase of the product development lifecycle, informed by and consistent with industry best practices. The procedure requires that each product be classified by a risk ranking derived from its use cases, that static code analysis tools be applied, and that penetration testing be performed.

b. Secure Code Release

Prior to release of any product to CA’s Customers, antivirus/antimalware scanning is performed and, depending on the product’s risk profile, additional penetration testing may be performed. Identified vulnerabilities are tracked in CA’s central defect tracking system together with an associated risk rating, and the release is not approved by the Securability Center of Excellence until they are remediated. Vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS), in accordance with the NIST framework, to determine their severity and the required response.

II. How a Customer’s Data Comes into CA and Its Protection

a. Access to Customer Data

CA may obtain Customer data in a number of ways, including through a support ticket, a services engagement or the use of a CA SaaS offering. All files submitted by our Customers, regardless of how they were acquired, are categorized as “Highly Confidential Data” requiring the highest degree of protection. When CA’s professional services team is required to work at a Customer’s facility, those individuals are prohibited from downloading any Customer data to their devices and from removing it from the Customer’s facility.

b. Physical Security

CA maintains and administers the following physical access controls:

  • Employees and contractors are subject to background checks prior to being offered employment or given access to CA’s facilities and systems.
  • All facilities require badge access for employees and contractors and intrusion detection alarms at ingress and egress points. Visitor access must be logged in a physical access log and visitors are escorted through restricted areas in the facility.
  • All data centers where Customer data is processed or stored are further protected by security guards and monitoring cameras (e.g. CCTVs) 24/7.

c. CA Authorized User Names, Passwords and Authentication

CA monitors access rights to ensure that access adheres to the least-privilege principle, commensurate with each CA user’s job responsibilities; logs all access and security events; and uses software that enables rapid analysis of user activity.

CA’s passwords are administered in the following manner:

  • Passwords are communicated separately from user IDs
  • Passwords are not shared
  • Initial password generation is random
  • Initial password change is required
  • Passwords must have minimum length and complexity and must be changed on a regular interval without reuse of recent previous passwords
  • Stored passwords are protected so that they are never recoverable in cleartext; a forgotten password can only be securely reset, never retrieved
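The last four bullets describe a concrete credential-handling scheme: random initial password, forced first-time change, length/complexity rules, no reuse of recent passwords, and storage from which the password can never be recovered. The example below is added here to show that scheme in code; it is not CA’s implementation. “Never recoverable” is realised with a salted one-way hash (PBKDF2-HMAC-SHA256) rather than reversible encryption, because anything that can be decrypted can be recovered. The minimum length of 12, history depth of 5, iteration count and the three-of-four character-class rule are assumed parameters chosen for the example; the page does not state CA’s values.

```python
import hashlib
import hmac
import os
import secrets
import string

# Policy parameters: constructed for this example, not CA's published values.
MIN_LENGTH = 12
HISTORY_DEPTH = 5       # retired passwords that may not be reused
ITERATIONS = 100_000    # PBKDF2-HMAC-SHA256 work factor; tune upward for production
                        # (OWASP's 2023 guidance suggests 600,000 for this construction)


class Account:
    """User record. Holds only salts and one-way digests, never a password."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.salt = b""
        self.digest = b""
        self.history = []        # (salt, digest) pairs of retired passwords, newest first
        self.must_change = True  # forces a change at first login and after a reset


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(account: Account, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(_hash(password, account.salt), account.digest)


def meets_complexity(password: str) -> bool:
    """Minimum length plus at least three of four character classes (assumed rule)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def generate_initial_password(length: int = 16) -> str:
    """Random initial password from a CSPRNG, re-drawn until it satisfies policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


def _was_used_recently(account: Account, password: str) -> bool:
    """True if the candidate equals the current password or any retired one.
    Each retired digest has its own salt, so every entry must be re-derived."""
    if account.digest and verify(account, password):
        return True
    return any(hmac.compare_digest(_hash(password, s), d) for s, d in account.history)


def _store(account: Account, password: str, must_change: bool) -> None:
    """Retire the current digest into history, then store a fresh salt+digest."""
    if account.digest:
        account.history.insert(0, (account.salt, account.digest))
        del account.history[HISTORY_DEPTH:]
    account.salt = os.urandom(16)
    account.digest = _hash(password, account.salt)
    account.must_change = must_change


def provision(user_id: str):
    """Create an account with a random initial password that must be changed at
    first login. Returns (account, initial_password); the caller delivers the
    password over a channel separate from the user ID."""
    account = Account(user_id)
    initial = generate_initial_password()
    _store(account, initial, must_change=True)
    return account, initial


def change_password(account: Account, old: str, new: str):
    """User-driven change. Returns (ok, reason) so callers can report the failure."""
    if not verify(account, old):
        return False, "current password incorrect"
    if not meets_complexity(new):
        return False, "new password does not meet length/complexity policy"
    if _was_used_recently(account, new):
        return False, "new password matches the current or a recent password"
    _store(account, new, must_change=False)
    return True, "password changed"


def reset_password(account: Account) -> str:
    """Help-desk reset. The old password cannot be recovered from its digest, so
    a new random one is issued and must be changed at the next login."""
    new = generate_initial_password()
    _store(account, new, must_change=True)
    return new
```

Two details matter for the “no reuse” bullet: the history keeps each retired password’s own salt, so a candidate has to be re-derived once per entry (there is no shortcut without weakening the salts), and the comparison uses `hmac.compare_digest` throughout so a timing side channel cannot reveal which history entry matched.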

III. Enterprise Role-Based Access

The logical access procedures define the request, approval, provisioning and de-provisioning processes. They restrict user access (local or remote) to applications, databases and systems according to job function (role/profile-based access) to ensure segregation of duties, and access is reviewed, administered and documented at on-boarding, on re-assignment and on separation. User access reviews are performed throughout the year to ensure that access remains appropriate.

All CA system administrators are authenticated using multi-factor authentication for system access through privileged access management. In addition, the use of privileged access management enables all system admin sessions and console access to be recorded and CA records all such sessions and access for audit and forensic purposes.

For Customer data entered via a CA SaaS offering, CA database administrators (DBAs) may need to access Customer data in the course of various technical operations. Default DBA accounts in the database are expired and locked except when a DBA needs the account to complete a task. Database access is granted upon formal authorization through a ticket, and only to personnel whose job responsibilities, as registered in Active Directory, require it. Where it is not feasible to lock a DBA account, its password is changed for each access request. All database access is logged.

Employees’ user access accounts are reviewed quarterly. Access account reports are generated by a Security Analyst and sent to managers for review and approval. The review and approval are documented in a CA support ticket, which lists any discrepancies and their resolutions.

IV. How Is Data Transmitted? Network Security Management

a. Network Controls

CA utilizes firewalls for access control between CA’s networks and the Internet. Firewall access is restricted to a small set of super users/administrators with appropriate approvals. Firewalls are established with minimum rights necessary to accomplish tasks by role and access is authorized on a “deny by default” policy.

Periodic network vulnerability scans are performed and any critical vulnerabilities identified are promptly remediated. In addition, penetration tests are also performed by security professionals, both CA employees and third parties.

b. Network/Communication Security Policy/Encryption

Access Control Lists (ACLs) that restrict traffic on routers and firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific (no broad “any” sources), and anonymous connections are prohibited.

Customer data is encrypted while in transit over any public or wireless network (wireless networks are not used in SaaS Offerings). Flat files are transmitted to CA over CA’s Secure File Transfer Protocol (SFTP) service.

CA utilizes an information protection and control solution that is designed and administered to minimize the accidental, negligent and malicious misuse of data through email and other communications aimed outside of CA’s firewalls (e.g. a data loss prevention [DLP] solution).

c. Remote Access Administration

The following remote access settings are applicable:

  • Unauthorized remote connections from devices (e.g. modems) are disabled as part of standard configuration.
  • The data flow in the remote connection is encrypted and multi-factor authentication is utilized during the login process.
  • Remote connection settings limit the ability of remote users to access both initiating network and remote network simultaneously (no split tunneling).

d. Third Party Remote Access

Remote access by dependent third-party service providers (i.e. subcontractors) is subject to the same or equivalent controls, and every subcontractor remote-access grant requires a valid business justification.

e. Removable Media

Removable media is not in use for the delivery of CA Technologies SaaS offerings. In addition, all laptops and other removable media on which Customer data is stored, such as backup tapes, are encrypted.

V. Audits of Controls and Certifications

The audit criteria (e.g. PCI, SSAE 16 SOC 1 Type 2) applied by the third-party auditors who inspect CA’s security practices for SaaS offerings, together with the auditors’ summary reports, can be found here. In addition, CA’s internal data centers, which may house Customer data received through support or services interactions, are certified to ISO/IEC 20000 (IT service management) and ISO/IEC 27001 (information security controls).

VI. Security Incidents

CA maintains a highly confidential cybersecurity Incident Response Plan designed to identify, categorize, contain and remediate cybersecurity incidents. The Plan is reviewed bi-monthly, with annual tabletop exercises. The mission of the CA Technologies Cybersecurity Operations team is to prepare the organization to identify and respond to information security threats and incidents, containing them and restoring normal service operations as quickly and effectively as possible.

In the event CA discovers a security incident, CA has the following target response and remediation timelines:

Severity 1: Incidents that have a severe impact on CA Technologies or its customers’ business or services. Target response: 1 hour. Target remediation/escalation: 2 hours. Examples:

  • Malicious code attacks
  • Unauthorized access
  • Denial of Service (DoS) affecting an entire campus
  • Compromise of a host with sensitive data, including Sensitive Personal Data

Severity 2: Incidents that have a significant impact, or the potential to have a severe impact, on CA Technologies or its customers’ business or services. Target response: 4 hours. Target remediation/escalation: 1 business day. Examples:

  • Attempts to gain unauthorized access
  • DoS attack affecting a building or department
  • Open mail relay

Severity 3: Incidents that have a minimal impact but the potential for significant or severe impact on CA Technologies or its customers’ business or services. Target response: 1 business day. Target remediation/escalation: 2 business days. Examples:

  • Unauthorized network probes or system scans
  • Isolated virus infections

Severity 4: Incidents that have a minimal impact and no potential for significant or severe impact on CA Technologies or its customers’ business or services. Target response: 2+ business days. Target remediation/escalation: 2+ business days. Examples:

  • Improper usage
  • Unauthorized software (non-malicious)
  • Policy violations

VII. Compliance with Data Privacy Laws

CA Technologies’ Privacy Notice is posted on our website here and on local websites in other countries, and describes how CA Technologies uses personally identifiable information that it collects on the website as well as data collected offline.

CA Technologies implements processes designed to ensure that we comply with all applicable data privacy and security laws in the US and in all countries in which we do business, including breach notification laws, state and federal privacy-related legislation and HIPAA/HITECH, where applicable.

CA Technologies has several internal privacy policies, including an HR Privacy Policy and a Privacy and Data Protection Policy and Procedure, which mirror the EU Data Protection Directive.

CA Technologies also maintains a Written Information Security Plan (WISP) in compliance with the Massachusetts information security regulations and other US laws.

Prior to the European Court of Justice decision of 6 October 2015 invalidating the Safe Harbor framework, CA was self-certified under the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework. On September 26, 2016, CA self-certified to the Privacy Shield Framework. The EU-US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission to provide a mechanism for transferring personal data from the European Union to the United States in support of transatlantic commerce. CA’s participation in the Privacy Shield means that CA and its US subsidiaries have agreed to comply with the EU-US Privacy Shield Framework regarding the collection, use and retention of EU personal data that CA processes as a data processor. To learn more about the Privacy Shield Framework and to view CA’s certification page, please visit https://www.privacyshield.gov/. CA still adheres to the US-Swiss Safe Harbor Framework.

CA Technologies also holds approved Binding Corporate Rules for Controllers, which are our mechanism for transferring personal data globally as a data controller: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.

In addition, CA Technologies has prepared a downloadable data processing agreement (DPA) setting out CA’s commitments to privacy and data protection when processing customer data in connection with the provision of products and services to our customers and partners. The DPA also covers the transfer of personal data outside the European Economic Area and Switzerland in connection with the provision of such products and services. The DPA can be found on our Data Transfers page. If you have any questions, you can send an email to datatransfers@ca.com.