Nozomi Networks トラストセンター

当社は、幅広いトピックをカバーする包括的なセキュリティポリシーを策定しています。これらのポリシーは、Nozomi Networks情報資産にアクセスできるすべての従業員および請負業者と共有され、利用できるようになっています。

Nozomi Networks 人材セキュリティの重要な構成要素のひとつに、セキュリティ教育があります。全従業員には、入社時およびその後毎年、このトレーニングの受講が義務付けられています。さらに、セキュリティチームは様々なチャネルを通じて、セキュリティ意識のアップデートを定期的に提供しています。

従業員の身元調査は、Nozomi Networks人事セキュリティの実践において、もう一つの重要な側面である。同社は現地の法律に従い、すべての新入社員の身元調査を実施しています。これらのチェックは請負業者にも義務付けられており、犯罪、学歴、雇用の確認が含まれます。

すべての新入社員は、機密情報を保護するため、秘密保持契約および守秘義務契約に署名することが義務付けられています。

Nozomi Networks 、情報資産への適切なアクセス（および失効）を確保するため、オンボーディングおよびオフボーディングの要件を厳格に定めています。

Nozomi Networksシステムに接続されるエンドポイント、特に機密情報にアクセスできるエンドポイントには厳格な管理が適用されます。これは全体的なITセキュリティフレームワークの不可欠な部分です。

継続的な監視により、すべてのデータベースアクセスがログに記録され、そのログが集中管理システムに送信されます。管理者アクセス、特権コマンドの使用、およびその他のアクセス活動はログに記録され、保持されます。ログ情報は改ざんや不正アクセスから保護されます。

サーバーやラップトップ、デスクトップなどのエンドポイントデバイスは、一連の保護ツールを導入することで、マルウェア、悪意のあるコード、安全でないアプリケーションから保護され、監視されます。

オフィス、コンピュータールーム、機密情報を含む作業場へのアクセスは、物理的に制限され、許可された者のみがアクセスできる。従業員はアクセスカードを使ってオフィスに入室し、訪問者記録を管理する。建物を監視するための監視カメラとセキュリティ対策が実施されています。物理的なセキュリティ監査が実施されています。

The Acceptable Use of Technology Policy outlines the guidelines for using technology resources at Nozomi Networks. It emphasizes responsible and diligent conduct to protect company assets from loss, compromise, or harm. The policy covers various aspects such as data management, use of email, computers, software installations, mobile phones, internet access, public Wi-Fi, VPN, communication services, phishing/scam emails, Dropbox, removable media, accounts and secrets, passwords, cloud services, and generational AI models. Non-compliance with the policy may lead to disciplinary actions, including termination of employment.

The Access Control Policy establishes requirements for authentication, authorization, and accounting (AAA) to ensure the security of Nozomi’s assets and information processing facilities. It mandates that access is limited to authorized personnel only, based on the principles of least privilege and need-to-know. The policy covers user access management, system and application, access control, and access to networks and hosted services. It also includes provisions for audit controls, user registration and de-registration, privileged access rights management, and periodic reviews of access rights. The policy applies to all Nozomi employees, contractors, and anyone with access to Nozomi’s resources and network.

The AI Policy document outlines guidelines for the development, implementation, use, and monitoring of AI and machine learning (ML) technologies within Nozomi Networks. It emphasizes responsible and ethical AI/ML system development, ensuring compliance with regulatory standards like the EU AI Act. The policy covers all AI/ML systems embedded in Nozomi Networks’ software and services, as well as third-party AI tools used within the organization. Key principles include fairness, transparency, data privacy, and security. The policy applies to all employees, contractors, and third-party vendors, aiming to enable innovation while adhering to legal and regulatory requirements.

The Business Continuity Policy outlines the framework and requirements for Nozomi Networks’ Business Continuity Plan (BCP), ensuring consistent availability and delivery for products, operations, and services, while maintaining the safety of personnel during disasters or disruptions. The policy emphasizes leadership commitment, roles and responsibilities, risk assessment, communications plan, continuity and recovery objectives, disaster recovery plan, functional business continuity plan, exercise and testing, performance evaluation, continual improvement, and adherence to legal and contractual obligations.

The Change Management Policy outlines the responsibilities and procedures for managing changes to Nozomi Networks’ information assets, including physical and virtual network devices, software products, internal information systems, and customer-deployed applications. It emphasizes the importance of identifying, tracking, planning testing, and approving changes while assessing potential risks and communicating details to relevant stakeholders. The policy also includes fallback procedures for aborting and recovering from unsuccessful changes and mandates that all exceptions involving security reviewed and approved by the appropriate manager. This policy applies to all employees and contractors involved with the development, management, and support of these assets.

The data handling policy outlines the guidelines for managing and protecting data at Nozomi Networks. It covers data classification, disposal, and retention, ensuring that all data, whether stored physically or virtually, is handled securely. The policy mandates encryption for sensitive data, regular audits, and proper labeling. It also specifies the retention periods for different types of data and the secure disposal of records and storage media. The policy applies to all Nozomi Networks employees and contractors, emphasizing the importance of protecting data to prevent unauthorized access or breaches.

The Encryption Policy outlines the cryptographic controls and key management practices for protecting sensitive information at Nozomi Networks. It mandates the use of state-of-the-art cryptographic solutions for data-at-rest and in transit, based on international standards like NIST SP 800-131a and approved algorithms such as AES for confidentiality and SHA-256 for integrity. The policy covers various types of information, including customer data, PII, passwords, intellectual property, and compliance records. It also specifies that encryption mechanisms must meet regulatory and legal requirements and be approved by IT or the CTO.

The Human Resources Security Policy outlines the procedures and guidelines for managing the hiring, training, and termination of employees and contractors at Nozomi Networks. It includes background verification checks, contractual agreements, and mandatory information security training for all staff members. The policy also details the responsibilities of employees, managers, compliance, and IT in ensuring timely completion of training and enforcing access restrictions for non-compliance. Additionally, it addresses the termination process, including the immediate disabling of access to company information and facilities, and the return of company property. The policy is classified and confidential.

The Information Security Policy outlines Nozomi Networks’ commitment to developing, delivering, and operating cybersecurity and visibility solutions for industrial control systems with the highest level of security, integrity, and availability. The policy aims to protect corporate information, personal information, and customer data against loss, unauthorized access, and disclosure. To achieve this, Nozomi Networks has implemented an Information Security Management System (ISMS) according to the ISO 27001:2022 standard. The ISMS includes applicable policies, processes, and measurable controls relevant to business functions, and it takes input from customer requirements, contractual agreements, and the needs of interested parties. The policy emphasizes leadership commitment, periodic risk assessments, and continual improvement to maintain stakeholder trust and support business objectives.

The Office Management Procedure document outlines the requirements for guest access, badge issuance, and access control to the computer room at Nozomi Networks. It specifies that all guests must report to the Office Manager upon arrival, and their visit details are recorded in a visitor log. The Office Manager is responsible for managing access to the offices and issuing badge access cards to employees and multi-day visitors. The IT Manager controls physical access to the computer room, ensuring that only authorized personnel are allowed entry. The document also includes references to the Office Security – Badge Issuance procedure and emphasizes the importance of maintaining a secure access control system.

The Operations Security Policy outlines the measures to ensure the security, availability, and integrity of Nozomi Networks’ information assets. It covers control of critical systems, system environment control, monitoring and logging, backup and recovery, vulnerability management, and secure configuration. The policy mandates that all personnel involved with system operations adhere to documented procedures for changes, software installations, and patching. It also emphasizes the importance of segregating operational environments, enabling logging and monitoring functions, regular backups, vulnerability assessments, and implementing robust access control and network security measures. The policy is applicable to all employees and contractors.

The Physical Security Policy ensures the physical of all Nozomi Networks offices and information processing centers. It covers designated restricted areas, physical access records, access control, equipment control, visitor control, clear desk policy, and incident management. The policy mandates that access controls are implemented and maintained, access records are kept, equipment is safeguarded, visitors are escorted, and incidents are promptly investigated and resolved. The policy is applicable to all Nozomi Networks employees and contractors.

The Privacy Policy outlines Nozomi Networks’ commitment to protecting personal information and ensuring compliance with relevant privacy laws. It covers the collection, use, and safeguarding of personal data, emphasizing principles such as data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. The policy also details the rights of individuals, including the right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automation decision-making and profiling. Overall, the policy aims to maintain transparency and build trust with stakeholders by adhering to internationally recognized standards for data protection privacy.

The Quality Policy of Nozomi Networks aims to establish the company as a global leader in providing advanced solutions for protecting operational technology (OT) and industrial control systems (ICS) from cyber threats. To achieve this, Nozomi Networks has implemented a Quality Management System (QMS) in accordance with ISO 9001:2015 standards. This system ensures that processes are managed to meet the requirements of customers and stakeholders, regardless of the company’s size and footprint. All employees and contractors are responsible for adhering to the QMS and applicable laws and regulations. The company is committed to continuous improvement by setting objectives, verifying results, and applying corrective actions when necessary.

The Security Incident Management Policy outlines the procedures for handling information security incidents at Nozomi Networks. It applies to all employees, contractors, systems, products, services, and any information managed by the company. The policy emphasizes the responsibility of employees and contractors to protect confidential information, report cyber threats, and participate in containment efforts. Incident management involves detections, containment, investigation, eradication, recovery, and lessons learned. The response to incidents follows documented procedures and reporting methods adhering to the NIST 800-61 standard. Confidentiality is maintained throughout the process, with senior management authorized to disclose specific information to third parties.

The System Development, Acquisition, and Maintenance Policy outlines the procedures and standards for developing, acquiring, and maintaining systems, software, and application services at Nozomi Networks. It emphasizes the inclusion of information security requirements throughout the planning, development, and deployment phases of new products, services, or systems. The policy mandates a formal development methodology aligned with industry standards such as ITIL, DevOps, and Agile, and includes phases like requirements gathering, system design, implementation, testing, deployment, operation, and maintenance. Additionally, it covers the end-of-life process for IT applications and the criteria for system acquisition, ensuring security and compliance with regulations and industry standards.

The Teleworking Policy outlines the guidelines for employees and contractors who work from locations other than a designated Nozomi Networks office. It covers eligibility criteria, types of telework arrangements, readiness evaluation, teleworking guidelines, equipment provisions, security measures, and workers’ compensation insurance. The policy emphasizes the importance of maintaining a secure and distraction-free work environment, protecting company assets and information, and adhering to specific security protocols. It also specifies that teleworking employees are covered by workers’ compensation insurance for job-related injuries.

まず、リスクを特定し、それがNozomi Networksサービスや企業とどのように関連しているかを理解することから始めます。

そして、組織全体に対する潜在的なエクスポージャーを全体的に把握するために、リスクの評価やランク付けを行う。

評価に基づき、適切なリスク処理プロセスに従ってリスクを処理する。

最後に、あらゆるリスク要因を注視するため、継続的にリスクを監視し、見直しています。