- Anti bribery and corruption
- Code of Business Ethics
- Compliance Charter
- Cookie Usage Policy
- Open Azure Day Sweepstakes
- Privacy Policy
- Supplier code of business ethics
- SUSE Open Source Policy
- SUSE Product Export List
- Terms of Use
- Corporate Information Security
- Speaking Up Policy
- Environmental Policy
- SUSE S.A – Group Tax Strategy
Corporate Information Security
At SUSE, we take information security seriously and it is an important aspect of our daily operations. The following text can provide you with high level information on how we approach this essential topic on the corporate/organizational level.
Governance
At SUSE, we have defined information security roles and responsibilities. We have a dedicated cybersecurity team lead by our CISO responsible for information security within the organization. Members of this team are in several countries. This team closely cooperates with other teams within SUSE, including the legal department, compliance team, privacy team (including the data protection officer), and the team responsible for security of our products. This team has implemented the ISO 27001 and its ISO 27701 in full scope and with all of the clauses and obtained two certifications from NQA certifying our compliance with these ISO standards that span across our entire business in all locations.
Information Security Policy
At SUSE, we have a documented Information Security Policy that defines the security framework, security principles and protected entities, as well as classification scheme for information.
This policy is regularly reviewed, at least once a year. That applies to all of our ISMS related policies.
Asset Management
IT assets at SUSE are managed and documented. The asset repository is regularly updated.
Personnel Security and Awareness
Background checks are conducted in accordance with applicable law. SUSE employees are required to follow the company’s guidelines related to business ethics and confidentiality. Employees are bound by non-disclosure or confidentiality rules. All newly hired employees are required to complete mandatory security training. Awareness is managed on a continuous basis.
Change Management
At SUSE, we control and manage changes to services and associated IT infrastructure components. SUSE established internal bodies to decide on the deployment of changes. Security evaluation is part of this decision-making process.
Third Party Security
At SUSE, we have measures in place to mitigate the risk that our suppliers are not following applicable law or have a low level of information security. We established an internal body and we have documented processes to promote the area of third-party security.
Vulnerability Management and Patch Management
At SUSE, we have a dedicated Vulnerability Management Policy. Vulnerability management helps us to discover previously unpatched and/or unmitigated system and application exploits. We have a formal process to monitor security vulnerabilities. The Vulnerability Management process is initiated and coordinated by the security team and includes 6 stages: preparation, communication, vulnerability assessment in SUSE products and internal SUSE systems, findings evaluation, remediation, and validation.
Security patches and updates to applications, operating systems and network infrastructure are applicable to prevent the introduction of new vulnerabilities. We have a patch management program which includes specific timescales from patching based upon the criticality.
Authentication and Authorization
Access and Password Management Policy enforces requirements for authenticated access, basic password rules, locking-out access (accounts are locked after 5 unsuccessful attempts and an alert is raised), disclosing passwords and password storage, strong authentication (Multi Factor Authentication is used), privileged access, technical access, and system communication. The minimum length of a password must be 14 characters and consist of at least lowercase and uppercase letters. User passwords do not expire.
Software Development Lifecycle
At SUSE, we focus on how to manage development securely and effectively. Security is implemented during the whole software development lifecycle. SUSE has a dedicated security team for our products.
Incident Management
In case of an information security incident, SUSE has a documented Incident Management Process defining the major incident management steps, including identification, evaluation and closure. We also pay attention to communication of security incidents. We have a Crisis Communication team that is responsible for communicating internally and or externally all the security incidences.
Network Security
At SUSE, all entry and exit points are protected by at least one layer of firewalling. Wired LAN is completely isolated with no access to internal SUSE parts or DNS. Guest wireless is segregated by the firewall policies with no access to SUSE internal networks.
Physical Security
We have implemented a Physical Security Policy that enforces requirements for protecting SUSE physical information systems and includes standards for secure and safe operations. The physical security controls are implemented to our Data Center, computer rooms or office space including fire detection systems, access control systems and cameras and CCTV.
Anti-virus and Anti-malware Protection
We utilize a state-of-the-art antivirus solution with automatic updating as well as a multi-layer defense-in-depth model to our anti-malware program across our environment.
Management Systems
We have introduced Information Security Management System and a Privacy Information Management System (ISMS & PIMS). When defining these systems, we relied on the best practices, stated in ISO 27001 and 27701, but also in other standards. As part of these systems, we have prepared following ISMS, PIMS and other related policies and procedures. For security reasons, we do not provide you with their full text here, but only with tables of contents.
Acceptable Use Policy
- Table of Contents
Document Management & Control - Document Version
- Purpose
- Scope
- Definitions
- Acceptable Use Requirements
- 4.1 Users
- 4.2 Administrators
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Access and Password Management Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01 User access management
- 5.01.1 Main Principles
- 5.01.2 Provisioning of Access
- 5.01.3 Termination of Access
- 5.01.4 Periodic Access Rights Review
- 5.01.5 Privileged Access
- 5.02 Authentication
- 5.02.1 User Password Requirements
- 5.02.2 Technical Access and System to System Communication
- 5.01 User access management
- Roles and Responsibilities
- Sanctions
- Exceptions
- Related Documentation
- Policy Review
Business Continuity Management Policy
- Table of Contents
- Document Management & Control
- Purpose
- Scope
- Definitions
- Policy Statement
- 4.01Business Continuity Management Program
- 4.02BCM Policy Objectives and Benefits
- 4.03BCM Policy Requirements
- 4.04Business Continuity Management System
- 4.05Event Classification
- 4.06Enterprise Risks
- 4.07Disaster Scenarios
- 4.08Business Continuity Plans (BCPs)
- 4.08.1Business Continuity (BC) Requirements
- 4.08.2Critical Services and Dependencies
- 4.08.3Business Impact Analysis (BIA)
- 4.08.4Risk Assessment
- 4.08.5Testing and Rehearsal of Plans
- 4.09Employee Awareness & Development
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Consent Collection and Withdrawal Procedure
- Table of Contents
- Document Management & Control
- Document Version
- Purpose
- Scope
- Definitions
- Procedure
- 4.1 Identification of the Relevant Processes
- 4.2 Consent Collection Planning
- 4.3 Consent Collection
- 4.4 Consent Register
- 4.5 Changes to Consent Collection
- 4.6 Consent Withdrawal
- 4.7 Time-limited Consent
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Procedure Review
Cyber Security and Privacy Incident Response Procedure
- Table of Contents
Document Management & Control - Document Version
- Purpose
- Scope
- Definitions
- Roles and Responsibilities
- Incident Response Procedure
- 5.1 Preparation
- 5.2 Detection and Analysis
- 5.2.1 How to report a Cyber Security Event
- 5.2.2 How to report Privacy Event
- 5.2.3 Prioritization of Cyber Security Incidents
- 5.2.4 Privacy Incident Evaluation
- 5.2.5 Privacy Supervisory Authority Notification
- 5.2.6 Communication to Data Subjects
- 5.3 Containment, Eradication and Recovery
- 5.4 Past-Incident Activity and Lessons Learned
- 5.5 Documentation / Evidence
- 5.6 Communication Process
- Sanctions
- Exceptions
- Related Documentation / Forms
- Procedure Review
- Appendix A - RACI matrix
- Appendix B.1 - Incident Prioritization
- Appendix B.2 - Incident Prioritization with Examples
- Appendix C - Privacy Incident Evaluation
- Appendix D - Ransomware-specific playbook
- 14.1 Preparation
- 14.2 Detection and Analysis
- 14.3 Containment, Eradication and Recovery
- 14.4 Lessons Learned
- Appendix E- Crisis Management Team
- Appendix F- Incident Response Procedure
Data Deletion and Anonymization Policy
- Table of Contents
- Document Management & Control
- Document Version
- Purpose
- Scope
- Definitions
- Policy Statement
- 4.1 Deletion and Anonymization
- 4.1.1 Data Identification
- 4.1.2 Requirements and Methods for Deletion
- 4.1.2.1 Software - Applications, Databases, SW Infrastructure and Cloud Services
- 4.1.2.2Hardware - Physical Media, Workstations and Servers
- 4.1.2.3 Paper media
- 4.1.2.4 Deletion during the end of employment (or similar relationship)
- 4.1.3 Requirements and Methods for Anonymization
- 4.1.3.1 Data Masking
- 4.1.3.2 Randomization
- 4.1.3.3 Generalization
- 4.1 Deletion and Anonymization
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Data Subjects Rights Policy
- Table of Contents
Document Management & Control - Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Data Subject Rights
- 5.2 Data Subject Requests
- 5.2.1 Communication channels
- 5.2.2 Documentation of the request
- 5.2.3 Data Subject verification and request validation
- 5.2.4 Data Subject Right Timeline
- 5.2.5 Data Identification
- 5.2.6 Rectification Request
- 5.2.7 Erasure Request
- 5.2.8 Information Request
- 5.2.9 Processing Restriction Request
- 5.2.10 Portability Request
- 5.2.11 Right to object
- 5.2.12 Automated Decision-Making
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
- Annex A-DSR Response Templates
- 11.1DSR Identity Verification Template
- 11.2 DSR Erasure Denial Template
- 11.3 DSR Erasure Denial Template
- 11.4 DSR General Denial Template
- 11.5 DSR Resolution Template
- 11.6 Third Party Consent for Disclosure Template
- 11.7 Third party Correction Request Notification Template
- 11.8 DSR Access Requests Approval
Data Transfer Procedure
- Table of Contents
Document Management & Control - Document Version
- Purpose
- Scope
- Definitions
- Procedures
- 4.1 Internal SUSE transfer
- 4.2 Transfer outside of SUSE
- 4.2.1 Analysis of the Personal Data flow
- 4.2.2 Consideration of the transfer mechanisms
- 4.2.3 Assessment and utilization of the transfer institutes
- 4.2.4 Monitoring of the Transfer
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Annex 1 - International transfer decision tree
- Procedure Review
Endpoint Protection Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01Modes of operation
- 5.02 Defense in depth
- 5.03 General controls
- Roles and Responsibilities
- Exception management
- Related Documentation
- Policy Review
Enterprise Risk Management Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1Governance
- 5.2Framework
- 5.2.1Identifying risk
- 5.2.2Assessing, Evaluating, and Mitigating
- 5.2.3Managing Risk
- 5.2.4Risk Acceptance Criteria
- 5.2.5Monitoring & Reporting
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
- Appendix A – Responsible, Accountable, Consulted, Informed (RACI)
- Appendix B – Risk Categories
- Appendix C – Risk Register
- Appendix D – Risk Ratings
- Appendix E – Risk Heat Map
Human Resources Security Policy (HR Security Policy)
- Table of Contents
Document Management & Control - Document Versions
- Document Reviews
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Prior to employment
- Background checks and screening
Non disclosure agreements
- Background checks and screening
- 5.2 During employment
- Responsibilities and access
- Security Awareness and Training
- Acceptable use
- 5.3 After employment
- 5.1 Prior to employment
- Roles and Responsibilities
- Sanctions
- Exceptions
- Related Documentation
- Policy Review
Incident Management Policy
- Table of Contents
Document Management & Control - Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Responsibilities and procedures
- 5.2 Preparation and planning
- 5.3 Reporting Events and Incidents
- 5.4 Assessment of Events and Incidents
- 5.5 Response to Incidents
- 5.6 Learning from Incidents
- 5.7 Documentation of Incident
- 5.8 Communication
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Information Security Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Leadership Commitment
- Information Security Objectives and Principles
- Policy Statement
- 7.01ISMS
- 7.02Security Principles
- 7.03Protected Assets
- 7.04Data/Information Classification Scheme
- 7.05Exception Management Process
- Reporting a Violation of This Policy or Information Security
- Sanctions
- Roles and Responsibilities
- Related Documentation
- Policy Review
- Annex 1
- Annex 2
ISMS & PIMS Glossary (Policy Level Document)
- Table of Contents
Document Management & Control - Document Versions
- Purpose
- General Definitions
- Entities and Roles
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
ISMS & PIMS Internal Audit Procedure
- Table of Contents
Document Management & Control - Document Version
- Purpose
- Scope
- Definitions
- Procedures
- 4.1 ISMS & PIMS Internal Audit Team Competencies and Responsibilities
- 4.2 ISMS & PIMS Internal Audit Timeline
- 4.3 ISMS & PIMS Internal Audit Planning
- 4.4 Auditing Phase
- 4.5 Reporting and Categorisation of Non-conformities
- 4.6 ISMS & PIMS Internal Audit Remediation
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Procedure Review
ISMS & PIMS Operations Procedure
- Table of Contents
- Document Management & Control
- Document Version
- Introduction
- Purpose
- Scope
- Definitions
- Procedure Statement
- 5.1 Context of the organization
- 5.1.1 Context of the organization and interested parties
- 5.1.2 Scope and Establishment of ISMS & PIMS
- 5.2 Leadership
- 5.2.1 Leadership and Commitment
- 5.2.2 Policy
- 5.3 Planning and operating ISMS & PIMS Activities
- 5.4 Support, Responsibilities and Competencies
- 5.4.1 Resources
- 5.4.2 Roles, Responsibilities and Competencies
- 5.4.3 Communication
- 5.4.4 Awareness
- 5.5 Performance evaluation
- 5.5.1 Monitoring, measurement, analysis and evaluation
- 5.5.2 Internal Audit
- 5.5.3 Management Review
- 5.5.3.1 Review Inputs
- 5.5.3.2 Review Outputs
- 5.6 Continual Improvement
- 5.6.1 Corrective Action
- 5.6.2 Preventive and Improvement Actions
- 5.1 Context of the organization
- Sanctions
8. Related Documentation
9. Policy Review
ISMS & PIMS Roles, Responsibilities and Competencies Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01 ISMS & PIMS Roles and Responsibilities
- 5.02 ISMS & PIMS Team Competence requirements
5.03 Awareness
- Sanctions
- Roles and responsibilities
- Exceptions
- Related Documentation
- Policy Review
ISMS & PIMS Scope Policy
- Table of Contents
- Document Management & Control
- Document Version
- Version Control Table
- Purpose
- Scope
- Definition
- Policy Statement
- 4.1 Scope Statement
- 4.2 Scope Definition of ISMS & PIMS
- 4.1.1 Organizational Dimension
- 4.1.2 Service Dimension
- 4.1.3 Information Dimension
- 4.1.4 Information System Dimension
- 4.1.5 Physical Dimension
- 4.3 Final Provisions
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
IT Asset Management Policy
- Document Management & Control
- Document Version
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 IT Asset Ownership
- 5.2 IT Asset Identification
- 5.2.1 IT Asset Classification
- 5.2.2 IT Asset Valuation/Tiering
- 5.3 IT Asset Acquirement
- 5.3.1 Planing and Control
- 5.3.2 Procurement
- 5.3.3 License Management
- 5.4 Deployment of IT Assets
- 5.4.1 Inventory of IT Assets
- 5.5 Maintenance and Support
- 5.5.1 Acceptable Use & Media handling
- 5.5.2 Change Management of IT Assets
- 5.5.3 Incident Management of IT Assets
- 5.6 Retirement & Disposal
- 5.6.1 Return of Assets
- 5.6.2 IT Asset Disposal
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
IT Change Management Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Change initiation
- 5.2 Change assessment
- 5.3 Initial change approvals
- 5.4 CAB review and approval
- 5.5 Change categories and required procedures
- 5.6 Change execution tracking
- Sanctions
- Roles and Responsibilities
- 7.1 Change Requestor
- 7.2 CAB Chair
- 7.3 CAB Approvers
- Exceptions
- Related Documentation
- Policy Review
Personal Data Protection and Governance Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Purpose
- Scope
- Definitions
- Leadership Commitment
- Policy Statement
- 5.01Personal Data Protection Objectives and Principles
- 5.02PIMS
- 5.03Lawfulness, Fairness, Transparency
- 5.04Consent
- 5.05Legitimate Interest
- 5.06Transparency (Notifying Data Subjects)
- 5.07Purpose Limitation
- 5.08Data Minimization
- 5.09Accuracy
- 5.10Storage Limitation
- 5.11Confidentiality, Integrity and Availability
- 5.12Reporting a Personal Data Breach
- 5.13Transfer Limitation
- 5.14Data Subjects’ Rights and Requests
- 5.15Accountability
- 5.16Record Keeping
- 5.17Training and Audit
- 5.18Privacy Risk Management
- 5.19Data Protection Impact Assessment
- 5.20Privacy by Default and Design
- 5.21Pseudonymization
- 5.22Direct Marketing
- 5.23Sharing Personal Data
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Physical Security Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01 General Requirements
- 5.02 Physical parameters
- 5.02.1 Tiering/rating
- 5.02.2 Building
- 5.02.3 Power
- 5.02.4 Fire
- 5.02.5 Environmental
- 5.03 Access control
- 5.03.1 Authentication
- 5.03.2 Authorization
- 5.03.3 Access systems surveillance and monitoring
- 5.03.4 Security guards
- 5.03.5 Cameras and CCTV
- 5.04 Data Center and Computer Room Operating Procedures
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Secure Development Lifecycle Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Pre-Development
- 5.1.1 Requirements Review
- 5.1.2 Design and Architecture Review
- 5.1.3 Third Party Component Risk Analysis
- 5.2 During-Development
- 5.2.1 Code Analysis
- 5.2.2 Security Assessments
- 5.2.3 Secure Development Environment
- 5.3 Pre-Ship
- 5.3.1 Vulnerability Assessment/Penetration Test
- 5.3.2 Final Review
- 5.4 Post-Ship
- 5.4.1 Vulnerability Monitoring and Response
- 5.1 Pre-Development
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Security & Privacy Technical Standard
- Table of Contents
- Document Management & Control
- Document Version
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01Cryptography (CR)
- 5.02Email protection (EP)
- 5.03Backups and recovery (BR)
- 5.04Capacity management (CM)
- 5.05Logging and monitoring (LM)
- 5.06Configuration and hardening (CG)
- 5.07Administration(AD)
- 5.08Network and infrastructure (NT)
- 5.09Application and information system (AP)
- 5.10Data Protection (DP)
- 5.11Vulnerability and Patch Management (VM)
- 5.12Physical Security (PS)
- 5.13Endpoint Security (ES)
- 5.14Asset Management (AM)
- 5.15Change Management (CH)
- 5.16Identity and Access (IA)
- 5.17Incident management (IM)
- Roles and Responsibilities
- Sanctions
- Exceptions
- Related Documentation
- Policy Review
Third Party Security & Privacy Policy
- Table of Contents
Document Management & Control - Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.1 Third Party Security & Privacy Principles
- 5.1.1 Contracting and Dealing with Third Parties
- 5.2 Management of Suppliers
- 5.2.1 Applicable Third Parties
- 5.2.2 Tiering of Suppliers
- 5.2.3 Evaluation Criteria
- 5.2.4 Impact Categories
- 5.2.4.1 Business Impact
5.2.4.2. Information Classification
5.2.4.3. Privacy Impact
- 5.2.4.1 Business Impact
- 5.2.5 Evaluation Matrix
- 5.2.6 Supplier Assessment
- 5.2.7 Supplier Contracts
- 5.2.8 Monitoring and Review of Supplier Services
- 5.2.9 Managing Changes to Supplier Services
- 5.3 Customer Interaction
- 5.3.1 SUSE as Supplier
- 5.1 Third Party Security & Privacy Principles
- Sanctions
- Roles and Responsibilities
- Exceptions
- Related Documentation
- Policy Review
Vulnerability Management Policy
- Table of Contents
- Document Management & Control
- Document Versions
- Introduction
- Purpose
- Scope
- Definitions
- Policy Statement
- 5.01 Organisation-Wide Principles
- 5.02 Vulnerability Management Process
- 5.03 Vulnerability Management Responsibilities
- 5.04 Vulnerability Management Parameters
- 5.05 Reporting
- Sanctions
- Roles and Responsibilities
- Exceptions Management
- Related Documentation
- Policy Review
The text stated above do not describe information security of our products. Please note that the text stated above does not constitute a legally binding statement. Information security is a continuous process. In order to have the most up to date information, it is necessary to seek confirmation from SUSE representative.