Corporate Information Security

At SUSE, we take information security seriously and it is an important aspect of our daily operations. The following text can provide you with high level information on how we approach this essential topic on the corporate/organizational level.

Governance

At SUSE, we have defined information security roles and responsibilities. We have a dedicated cybersecurity team lead by our CISO responsible for information security within the organization. Members of this team are in several countries. This team closely cooperates with other teams within SUSE, including the legal department, compliance team, privacy team (including the data protection officer), and the team responsible for security of our products. This team has implemented the ISO 27001 and its ISO 27701 in full scope and with all of the clauses and obtained two certifications from NQA certifying our compliance with these ISO standards that span across our entire business in all locations.

Information Security Policy

At SUSE, we have a documented Information Security Policy that defines the security framework, security principles and protected entities, as well as classification scheme for information.

This policy is regularly reviewed, at least once a year. That applies to all of our ISMS related policies.

Asset Management

IT assets at SUSE are managed and documented. The asset repository is regularly updated.

Personnel Security and Awareness

Background checks are conducted in accordance with applicable law. SUSE employees are required to follow the company’s guidelines related to business ethics and confidentiality. Employees are bound by non-disclosure or confidentiality rules. All newly hired employees are required to complete mandatory security training. Awareness is managed on a continuous basis.

Change Management

At SUSE, we control and manage changes to services and associated IT infrastructure components. SUSE established internal bodies to decide on the deployment of changes. Security evaluation is part of this decision-making process.

Third Party Security

At SUSE, we have measures in place to mitigate the risk that our suppliers are not following applicable law or have a low level of information security. We established an internal body and we have documented processes to promote the area of third-party security.

Vulnerability Management and Patch Management

At SUSE, we have a dedicated Vulnerability Management Policy. Vulnerability management helps us to discover previously unpatched and/or unmitigated system and application exploits. We have a formal process to monitor security vulnerabilities. The Vulnerability Management process is initiated and coordinated by the security team and includes 6 stages: preparation, communication, vulnerability assessment in SUSE products and internal SUSE systems, findings evaluation, remediation, and validation.

Security patches and updates to applications, operating systems and network infrastructure are applicable to prevent the introduction of new vulnerabilities. We have a patch management program which includes specific timescales from patching based upon the criticality.

Authentication and Authorization

Access and Password Management Policy enforces requirements for authenticated access, basic password rules, locking-out access (accounts are locked after 5 unsuccessful attempts and an alert is raised), disclosing passwords and password storage, strong authentication (Multi Factor Authentication is used), privileged access, technical access, and system communication. The minimum length of a password must be 14 characters and consist of at least lowercase and uppercase letters. User passwords do not expire.

Software Development Lifecycle

At SUSE, we focus on how to manage development securely and effectively. Security is implemented during the whole software development lifecycle. SUSE has a dedicated security team for our products.

Incident Management

In case of an information security incident, SUSE has a documented Incident Management Process defining the major incident management steps, including identification, evaluation and closure. We also pay attention to communication of security incidents. We have a Crisis Communication team that is responsible for communicating internally and or externally all the security incidences.

Network Security

At SUSE, all entry and exit points are protected by at least one layer of firewalling. Wired LAN is completely isolated with no access to internal SUSE parts or DNS. Guest wireless is segregated by the firewall policies with no access to SUSE internal networks.

Physical Security

We have implemented a Physical Security Policy that enforces requirements for protecting SUSE physical information systems and includes standards for secure and safe operations. The physical security controls are implemented to our Data Center, computer rooms or office space including fire detection systems, access control systems and cameras and CCTV.

Anti-virus and Anti-malware Protection

We utilize a state-of-the-art antivirus solution with automatic updating as well as a multi-layer defense-in-depth model to our anti-malware program across our environment.

Management Systems

We have introduced Information Security Management System and a Privacy Information Management System (ISMS & PIMS). When defining these systems, we relied on the best practices, stated in ISO 27001 and 27701, but also in other standards. As part of these systems, we have prepared following ISMS, PIMS and other related policies and procedures. For security reasons, we do not provide you with their full text here, but only with tables of contents.

Acceptable Use Policy

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Acceptable Use Requirements
      • 4.1 Users
      • 4.2 Administrators
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Access and Password Management Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.01 User access management
        • 5.01.1 Main Principles
        • 5.01.2 Provisioning of Access
        • 5.01.3 Termination of Access
        • 5.01.4 Periodic Access Rights Review
        • 5.01.5 Privileged Access
      • 5.02 Authentication
        • 5.02.1 User Password Requirements
        • 5.02.2 Technical Access and System to System Communication
    • Roles and Responsibilities
    • Sanctions
    • Exceptions
    • Related Documentation
    • Policy Review

Business Continuity Management Policy

Effective August 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 4.01Business Continuity Management Program
      • 4.02BCM Policy Objectives and Benefits
      • 4.03BCM Policy Requirements
      • 4.04Business Continuity Management System
      • 4.05Event Classification
      • 4.06Enterprise Risks
      • 4.07Disaster Scenarios
      • 4.08Business Continuity Plans (BCPs)
      • 4.08.1Business Continuity (BC) Requirements
      • 4.08.2Critical Services and Dependencies
      • 4.08.3Business Impact Analysis (BIA)
      • 4.08.4Risk Assessment
      • 4.08.5Testing and Rehearsal of Plans
      • 4.09Employee Awareness & Development
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Consent Collection and Withdrawal Procedure

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Procedure
      • 4.1 Identification of the Relevant Processes
      • 4.2 Consent Collection Planning
      • 4.3 Consent Collection
      • 4.4 Consent Register
      • 4.5 Changes to Consent Collection
      • 4.6 Consent Withdrawal
      • 4.7 Time-limited Consent
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Procedure Review

Cyber Security and Privacy Incident Response Procedure

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Roles and Responsibilities
    • Incident Response Procedure
      • 5.1 Preparation
      • 5.2 Detection and Analysis
        • 5.2.1 How to report a Cyber Security Event
        • 5.2.2 How to report Privacy Event
        • 5.2.3 Prioritization of Cyber Security Incidents
        • 5.2.4 Privacy Incident Evaluation
        • 5.2.5 Privacy Supervisory Authority Notification
        • 5.2.6 Communication to Data Subjects
      • 5.3 Containment, Eradication and Recovery
      • 5.4 Past-Incident Activity and Lessons Learned
      • 5.5 Documentation / Evidence
      • 5.6 Communication Process
    • Sanctions
    • Exceptions
    • Related Documentation / Forms
    • Procedure Review
    • Appendix A - RACI matrix
    • Appendix B.1 - Incident Prioritization
    • Appendix B.2 - Incident Prioritization with Examples
    • Appendix C - Privacy Incident Evaluation
    • Appendix D - Ransomware-specific playbook
      • 14.1 Preparation
      • 14.2 Detection and Analysis
      • 14.3 Containment, Eradication and Recovery
      • 14.4 Lessons Learned
    • Appendix E- Crisis Management Team
    • Appendix F- Incident Response Procedure

Data Deletion and Anonymization Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 4.1 Deletion and Anonymization
        • 4.1.1 Data Identification
        • 4.1.2 Requirements and Methods for Deletion
          • 4.1.2.1 Software - Applications, Databases, SW Infrastructure and Cloud Services
          • 4.1.2.2Hardware - Physical Media, Workstations and Servers
          • 4.1.2.3 Paper media
          • 4.1.2.4 Deletion during the end of employment (or similar relationship)
        • 4.1.3 Requirements and Methods for Anonymization
          • 4.1.3.1 Data Masking
          • 4.1.3.2 Randomization
          • 4.1.3.3 Generalization
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Data Subjects Rights Policy

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 Data Subject Rights
      • 5.2 Data Subject Requests
        • 5.2.1 Communication channels
        • 5.2.2 Documentation of the request
        • 5.2.3 Data Subject verification and request validation
        • 5.2.4 Data Subject Right Timeline
        • 5.2.5 Data Identification
        • 5.2.6 Rectification Request
        • 5.2.7 Erasure Request
        • 5.2.8 Information Request
        • 5.2.9 Processing Restriction Request
        • 5.2.10 Portability Request
        • 5.2.11 Right to object
        • 5.2.12 Automated Decision-Making
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review
    • Annex A-DSR Response Templates
      • 11.1DSR Identity Verification Template
      • 11.2 DSR Erasure Denial Template
      • 11.3 DSR Erasure Denial Template
      • 11.4 DSR General Denial Template
      • 11.5 DSR Resolution Template
      • 11.6 Third Party Consent for Disclosure Template
      • 11.7 Third party Correction Request Notification Template
      • 11.8 DSR Access Requests Approval

Data Transfer Procedure

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Procedures
      • 4.1 Internal SUSE transfer
      • 4.2 Transfer outside of SUSE
        • 4.2.1 Analysis of the Personal Data flow
        • 4.2.2 Consideration of the transfer mechanisms
        • 4.2.3 Assessment and utilization of the transfer institutes
        • 4.2.4 Monitoring of the Transfer
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Procedure Review

Endpoint Protection Policy

Effective Aug 2021

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.01Modes of operation
      • 5.02 Defense in depth
      • 5.03 General controls
    • Roles and Responsibilities (Required)
    • Exception management
    • Related Documentation (Required)
    • Policy Review (Required)

Enterprise Risk Management Policy

Effective August 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1Governance
      • 5.2Framework
        • 5.2.1Identifying risk
        • 5.2.2Assessing, Evaluating, and Mitigating
        • 5.2.3Managing Risk
        • 5.2.4Risk Acceptance Criteria
        • 5.2.5Monitoring & Reporting
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review
    • Appendix A – Responsible, Accountable, Consulted, Informed (RACI)
    • Appendix B – Risk Categories
    • Appendix C – Risk Register
    • Appendix D – Risk Ratings
    • Appendix E – Risk Heat Map

Human Resources Security Policy (HR Security Policy)

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Versions
  • Document Reviews
    • Introduction
    • Purpose
    • Scope
    • Definitions (Required)
    • Policy Statement
      • Prior to employment
      • Background checks and screening
      • Non disclosure agreements
      • During employment
      • Responsibilities and access
      • Security Awareness and Training
      • Acceptable Use
      • After employment
    • Roles and Responsibilities (Required)
    • Exceptions (Required)
    • Related Documentation (Required)
    • Policy Review (Required)

Incident Management Policy

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 Responsibilities and procedures
      • 5.2 Preparation and planning
      • 5.3 Reporting Events and Incidents
      • 5.4 Assessment of Events and Incidents
      • 5.5 Response to Incidents
      • 5.6 Learning from Incidents
      • 5.7 Documentation of Incident
      • 5.8 Communication
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Information Security Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Leadership Commitment
    • Information Security Objectives and Principles
    • Policy Statement
      • 7.01ISMS
      • 7.02Security Principles
      • 7.03Protected Assets
      • 7.04Information Classification Scheme
      • 7.09Exception Management Process
    • Reporting a Violation of This Policy or Information Security
    • Sanctions
    • Roles and Responsibilities
    • Related Documentation
    • Policy Review

ISMS & PIMS Glossary (Policy Level Document)

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Versions
    • Purpose
    • General Definitions
    • Entities and Roles
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

ISMS & PIMS Internal Audit Procedure

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Version
    • Purpose
    • Scope
    • Definitions
    • Procedures
      • 4.1 ISMS & PIMS Internal Audit Team Competencies and Responsibilities
      • 4.2 ISMS & PIMS Internal Audit Timeline
      • 4.3 ISMS & PIMS Internal Audit Planning
      • 4.4 Auditing Phase
      • 4.5 Reporting and Categorisation of Non-conformities
      • 4.6 ISMS & PIMS Internal Audit Remediation
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Procedure Review

ISMS & PIMS Operations Procedure

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Version
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Procedure Statement
      • 5.1 Context of the organisation
        • 5.1.1 Context of the organisation and interested parties
        • 5.1.2 Scope and Establishment of ISMS & PIMS
      • 5.2 Leadership
        • 5.2.1 Leadership and Commitment
        • 5.2.2 Policy
      • 5.3 Planning and operating ISMS & PIMS Activities
      • 5.4 Support, Responsibilities and Competencies
        • 5.4.1 Resources
        • 5.4.2 Roles, Responsibilities and Competencies
        • 5.4.3 Communication
        • 5.4.4 Awareness
      • 5.5 Performance evaluation
        • 5.5.1 Monitoring, measurement, analysis and evaluation
        • 5.5.2 Internal Audit
        • 5.5.3 Management Review
      • 5.6 Continual Improvement
        • 5.6.1 Corrective Action
        • 5.6.2 Preventive and Improvement Actions
    • Sanctions
    • Exceptions
    • Related Documentation
    • Policy Review

ISMS & PIMS Roles, Responsibilities and Competencies Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 4.01 ISMS & PIMS Roles and Responsibilities
      • 4.02 ISMS & PIMS Team Competence requirements
      • 4.03 Awareness
    • Sanctions
    • Roles and responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

ISMS & PIMS Scope Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Version
  • Version Control Table
    • Purpose
    • Scope
    • Definition
    • Policy Statement
      • 4.1 Scope Definition of ISMS & PIMS
        • 4.1.1 Organizational Dimension
        • 4.1.2 Service Dimension
        • 4.1.3 Information Dimension
        • 4.1.4 Information System Dimension
        • 4.1.5 Physical Dimension
      • 4.2 Scope Statement
      • 4.3 Final Provisions
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

IT Asset Management Policy

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Version
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 IT Asset Ownership
      • 5.2 IT Asset Identification
        • 5.2.1 IT Asset Classification
        • 5.2.2 IT Asset Valuation/Tiering
      • 5.3 IT Asset Acquirement
        • 5.3.1 Planing and Control
        • 5.3.2 Procurement
        • 5.3.3 License Management
      • 5.4 Deployment of IT Assets
        • 5.4.1 Inventory of IT Assets
      • 5.5 Maintenance and Support
        • 5.5.1 Acceptable Use & Media handling
        • 5.5.2 Change Management of IT Assets
        • 5.5.3 Incident Management of IT Assets
      • 5.6 Retirement & Disposal
        • 5.6.1 Return of Assets
        • 5.6.2 IT Asset Disposal
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

IT Change Management Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 Change initiation
      • 5.2 Change assessment
      • 5.3 Initial change approvals
      • 5.4 CAB review and approval
      • 5.5 Change categories and required procedures
      • 5.6 Change execution tracking
    • Sanctions
    • Roles and Responsibilities
      • 7.1 Change Requestor
      • 7.2 CAB Chair
      • 7.3 CAB Approvers
    • Exceptions
    • Related Documentation
    • Policy Review

Personal Data Protection and Governance Policy

Effective August 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Purpose
    • Scope
    • Definitions
    • Leadership Commitment
    • Policy Statement
      • 5.01Personal Data Protection Objectives and Principles
      • 5.02PIMS
      • 5.03Lawfulness, Fairness, Transparency
      • 5.04Consent
      • 5.05Legitimate Interest
      • 5.06Transparency (Notifying Data Subjects)
      • 5.07Purpose Limitation
      • 5.08Data Minimization
      • 5.09Accuracy
      • 5.10Storage Limitation
      • 5.11Confidentiality, Integrity and Availability
      • 5.12Reporting a Personal Data Breach
      • 5.13Transfer Limitation
      • 5.14Data Subjects’ Rights and Requests
      • 5.15Accountability
      • 5.16Record Keeping
      • 5.17Training and Audit
      • 5.18Privacy Risk Management
      • 5.19Data Protection Impact Assessment
      • 5.20Privacy by Default and Design
      • 5.21Pseudonymization
      • 5.22Direct Marketing
      • 5.23Sharing Personal Data
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Physical Security Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.01 General recommendations
      • 5.02 Physical parameters
        • 5.02.1 Tiering/rating
        • 5.02.2 Building
        • 5.02.3 Power
        • 5.02.4 Fire
        • 5.02.5 Environmental
      • 5.03 Access control
        • 5.03.1 Authentication
        • 5.03.2 Authorization
        • 5.03.3 Access systems surveillance and monitoring
        • 5.03.4 Security guards
        • 5.03.5 Cameras and CCTV
      • 5.04 Data Center and Computer Room Operating Procedures
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Secure Development Lifecycle Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 Pre-Development
        • 5.1.1 Requirements Review
        • 5.1.2 Design and Architecture Review
        • 5.1.3 Third Party Component Risk Analysis
      • 5.2 During-Development
        • 5.2.1 Code Analysis
        • 5.2.2 Security Assessments
        • 5.2.3 Secure Development Environment
      • 5.3 Pre-Ship
        • 5.3.1 Vulnerability Assessment/Penetration Test
        • 5.3.2 Final Review
      • 5.4 Post-Ship
        • 5.4.1 Vulnerability Monitoring and Response
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Security & Privacy Technical Standard

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Version
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.01Cryptography (CR)
      • 5.02Email protection (EP)
      • 5.03Backups and recovery (BR)
      • 5.04Capacity management (CM)
      • 5.05Logging and monitoring (LM)
      • 5.06Configuration and hardening (CG)
      • 5.07Administration(AD)
      • 5.08Network and infrastructure (NT)
      • 5.09Application and information system (AP)
      • 5.10Data Protection (DP)
      • 5.11Vulnerability and Patch Management (VM)
      • 5.12Physical Security (PS)
      • 5.13Endpoint Security (ES)
      • 5.14Asset Management (AM)
      • 5.15Change Management (CH)
      • 5.16Identity and Access (IA)
      • 5.17Incident management (IM)
    • Roles and Responsibilities
    • Sanctions
    • Exceptions
    • Related Documentation
    • Policy Review

Third Party Security & Privacy Policy

Effective July 2022

Table of Contents

  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.1 Third Party Security & Privacy Principles
        • 5.1.1 Contracting and Dealing with Third Parties
      • 5.2 Management of Suppliers
        • 5.2.1 Third Party Areas
        • 5.2.2 Tiering of Suppliers
        • 5.2.3 Criteria of Evaluation
        • 5.2.4 Categories of Evaluation Criteria
        • 5.2.5 Evaluation Matrix
        • 5.2.6 Supplier's Assessment
        • 5.2.7 Agreement with the Suppliers
        • 5.2.8 Monitoring and Review of Supplier Services
        • 5.2.9 Managing Changes to Supplier Services
      • 5.3 Client Interaction
        • 5.3.1 SUSE as a Supplier
    • Sanctions
    • Roles and Responsibilities
    • Exceptions
    • Related Documentation
    • Policy Review

Vulnerability Management Policy

Effective July 2022

Table of Contents

  • Table of Contents
  • Document Management & Control
  • Document Versions
    • Introduction
    • Purpose
    • Scope
    • Definitions
    • Policy Statement
      • 5.01 Organisation-Wide Principles
      • 5.02 Vulnerability Management Process
      • 5.03 Vulnerability Management Responsibilities
      • 5.04 Vulnerability Management Parameters
      • 5.05 Reporting
    • Sanctions
    • Roles and Responsibilities
    • Exceptions Management
    • Related Documentation
    • Policy Review

The text stated above do not describe information security of our products. Please note that the text stated above does not constitute a legally binding statement. Information security is a continuous process. In order to have the most up to date information, it is necessary to seek confirmation from SUSE representative.