This policy (this “Policy”) describes the information security measures taken by Check Point Software Technologies Ltd, including all of its affiliates worldwide (collectively, “Check Point,” “we,” “us,” or “our”), when processing Personal Data.
This policy describes the security measures we take to protect Personal Data processed by us. Our approach to information security is risk-based. Accordingly, this policy is not meant to be exhaustive, and in some cases we may take additional or other measures we deem appropriate given the circumstances.
Absent an authorized exception from this Policy, we may impose disciplinary sanctions for failure to comply with it, where we deem that warranted given the circumstances of the failure.
1. Security Management
Check Point maintains an internal security policy framework that is managed, overseen and implemented by a senior Check Point employee. It includes administrative, technical and physical safeguards aimed at protecting the confidentiality, integrity and availability of our systems and of Personal Data, including safeguards against the loss of Personal Data, whether intentional or accidental, and the assignment of information security tasks and responsibilities to the appropriate persons within the Check Point organization. This framework is reviewed from time to time to ensure that it remains adequate.
In accordance with ISO 27001, Check Point has developed an information security management system (ISMS) focused on information security management and cybersecurity-related risks. The governing principles behind Check Point’s Information Security Program are security by design and continuous development and enhancement.
Check Point’s security strategy and documents are based on OWASP, NIST 800-53 for control selection, and ISO 27001 for its information security management system (ISMS).
2. Personnel Security
We understand that our employees must be aware of and understand their part in our organization’s information security. As part of our procedures, we may perform background checks subject to applicable law, provide periodic security training to our employees based on their tasks and position within the Check Point organization, and require them to sign confidentiality agreements at the commencement of their employment.
3. Security Awareness
Check Point employees undergo ongoing security awareness training throughout their employment to learn about their responsibilities for data security and privacy.
As well as performing progressive social engineering tests, Check Point’s security team runs awareness campaigns to foster a security-oriented environment.
4. Internal Access Controls
Check Point employs access control mechanisms aimed at preventing unauthorized access to and processing of Personal Data, limiting access to Personal Data to those persons with a “need to know” and restricting their access, under the principle of least privilege (PoLP), to the information and data necessary for them to perform their tasks. These mechanisms include technologies for detecting, logging and reporting access to our systems and networks and security incidents. Check Point assesses access authorization upon hire and periodically thereafter, and promptly revokes a person’s access to systems and applications that process or store Personal Data once the need for that access has passed.
Each of our employees has an individual account that authenticates that person’s access to Personal Data. We do not allow account sharing. We protect these accounts, inter alia, with passwords configured in accordance with industry standards and best practices. Where remote access is required to networks that store or transmit Personal Data, we require multi-factor authentication.
Our processes include a review of controls, performed at least once a year, for all Check Point systems that process, transmit or store Personal Data.
5. Password Policy
Check Point enforces strong password configuration settings for any system processing Personal Data or sensitive data, including: (1) forced password change at defined intervals, (2) a minimum password length, (3) a limit on the number of failed password attempts before the user ID is suspended, and (4) password complexity requirements.
Two-factor authentication is used by Check Point in addition to the password for access to the production environment.
6. Physical Security Measures
Physical security measures remain essential in the digital age. Check Point restricts access to all physical areas where our products and/or services process Personal Data, monitors such areas, and maintains security controls and measures intended to prevent unauthorized access to Personal Data. These measures include, at all times:
7. Network Security Measures
We segregate our corporate enterprise network from the facilities hosting Personal Data of our customers. Within the hosting facilities, we separate among development, staging and production environments, with multiple access layers.
We also deploy multiple technologies to secure our network and telecommunications, including:
We perform internal and external network vulnerability scans at least quarterly and after any material change in network configurations. Vulnerabilities are identified, rated, and remediated or mitigated based on their threat level within the timeframes we have set forth for each threat level. Vulnerabilities we have identified as critical are remedied promptly.
8. Encryption of Electronic Form Data
Personal Data in electronic form is encrypted using industry-standard algorithms and key lengths: 256-bit AES at rest, and TLS 1.2 or later when transmitted over public wired networks or over any wireless network.
9. Protection Against Malware
Check Point’s servers and systems are protected by industry-standard antivirus software kept at the most recent update level. We apply new virus definitions promptly after the software provider releases them, and in any case within twenty-four hours. This software performs both real-time scanning and full system scans at scheduled intervals to detect viruses, Trojan horses, malicious code and other malware, including scanning of inbound and outbound content on all gateways to public networks, such as email and proxy servers.
We do not allow our employees to alter or disable the antivirus software or its security configuration without authorization, or to otherwise disable protective measures we have implemented to protect Personal Data.
10. Application Security
We conduct industry-standard application security assessments, either ourselves or through third parties. Security assessments of mobile applications processing Personal Data are aimed at identifying and remediating industry-recognized vulnerabilities specific to such applications. Security assessments of internet-facing applications are performed at least annually, and earlier for every major release, and are aimed at identifying and remediating common security vulnerabilities identified by OWASP, CWE/SANS and/or similar organizations recognized in the industry. This may include penetration testing (PT) and code review.
11. Software Development
Information security starts at the design stage and is embedded in the lifecycle of our systems, products and services. This is why we follow “security by design” principles at the design and architecture level at all times, and conduct design and other reviews based on the STRIDE threat model. We implement a change management program for our products and services, including maintaining development and testing environments separate from production.
We evaluate and track vulnerabilities in the open source and third-party libraries used in our products and services, including by performing static code analysis and manual code review where a risk analysis indicates it is required. Threat researchers, red teams and designated service providers carry out security verification, including penetration testing (PT) and the use of multiple analysis tools.
12. Destruction of Data
We have in place policies regarding data retention and back-up. When the time comes to sanitize electronic media, we do so in accordance with industry practices, such as NIST 800-88, in order to prevent, to the extent reasonably possible, any retrieval of Personal Data that has been destroyed. We also take appropriate measures to ensure that any physical materials containing Personal Data that may have been prepared are adequately destroyed.
13. Sub-Contractors
We understand that information security does not stop with us, which is why we take various steps to ensure that any sub-contractors we use adhere to appropriate security measures as well. We perform due diligence on our sub-contractors before engaging them, require them to adhere to our relevant information security policies and to standards consistent with this and other policies of ours, and periodically assess their ability to meet our security policies and standards.
14. Availability Monitoring
Check Point uses a suite of monitoring tools to monitor its products, services and systems. Alerts are sent to the relevant stakeholders based on pre-defined rules, and the notifications are reviewed and handled according to their level of urgency. Metrics produced by these tools are used to identify strengths as well as weaknesses, inefficiencies and potential performance issues in a particular process. The Check Point management team regularly monitors the state of Check Point’s internal controls. Root cause analysis is performed using various tools, and corrective measures are communicated to the relevant groups. Operating systems and applications (web servers, databases, etc.) are kept up to date.
15. Business Continuity
Sometimes, despite best efforts, things go wrong. In preparation for those unlikely scenarios, Check Point implements and maintains business continuity and disaster recovery plans.
Our business continuity and disaster recovery plans were prepared in view of our own needs and those of our partners and customers, and address, inter alia, preparation for and identification of disruptions, impact level analysis, crisis management and containment, disaster recovery and business continuity. They cover, among other things, our infrastructure, technology and systems, the essential personnel required to carry out recovery activities, and the actions and resources required to secure our continued operations and the adequate provision of products and services to our clients even during extended disruptions. We test our plans periodically against our operations, and assess our business functions, processes, coordination, the potential impact of disruptions, and recovery time objectives.
16. Security Incident Response and Notification
In the event of a security incident, Check Point’s security team is responsible for investigating and responding. Check Point has clear risk and damage assessment procedures that define the SLA for resolving any security incident. Check Point’s Chief Information Security Officer (CISO), SOC Team Leader and other managers coordinate the security response, which includes containment, investigation, securing the infrastructure, reporting, closure and follow-up. Check Point responds using the appropriate management and technical resources in order to promptly restore operations impacted by an incident. Check Point adheres to applicable laws and industry standards in this process, including providing any required notification to a customer, as soon as reasonably practicable and as required by law, once the facts of an incident involving that customer’s data have been confirmed, and providing updates to the customer’s security point of contact.