As one of the highest internationally recognized standards for information security, this certification covers every aspect of people, process and systems security. The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting FireEye Email Security Cloud Edition, and is in accordance with the statement of applicability, dated June 11, 2018. The in-scope infrastructure is housed at data centers located in EMEA (Europe) and North America; colocation and cloud hosting services are not included in the scope of the ISMS.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. This certification includes the expanded boundary of FireEye Email Security (ETP-GOV), which covers the company’s proprietary AVAS module with its antivirus, anti-spam and impersonation detection capabilities.
SOC 2 – Service Organization and Controls
FireEye undergoes an annual independent third-party SSAE 18 audit using the criteria set forth in the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) and the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles set forth in the Trust Services Principles, TSP section 100A. FireEye can provide its users with a business need a report of its compliance (SOC 2 Type II report) for the offerings listed below; the report includes a description of the FireEye controls environment and the external audit result and opinion on the FireEye controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria.
- FireEye Dynamic Threat Intelligence Cloud
- FireEye Email Security Cloud Edition
- FireEye Managed Defense
- FireEye Cloud Multi-Vector Virtual Execution (MVX)
- FireEye Endpoint Security Cloud
PCI DSS V3.2 - Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, administered by the PCI Security Standards Council, that’s designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.
FireEye engages a Qualified Security Assessor (“QSA”) company to conduct an annual audit against the eligible criteria of the PCI Self-Assessment Questionnaire for Service Providers (SAQ-D) and has successfully received an Attestation of Compliance (AoC) covering its FireEye Managed Defense services.
EU-U.S. Privacy Shield, and the Swiss-U.S. Privacy Shield
FireEye complies with the requirements of the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. FireEye adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity and purpose limitation, access and recourse, enforcement and liability with respect to all personal information transferred from the EU or Switzerland to the US within the scope of its Privacy Shield certification.