Securing Catalyst Center: ISO Certified

New security standards conformance for Catalyst Center highlights our team's dedication to protecting your network and your data.

As our customers continue their digital transformation, the security and trustworthiness of Cisco software solutions are critical - especially in the financial sector. Protecting against vulnerabilities in our software is part of our technology, our training, and our culture. Our recent certification for ISO 27001 and attestation for SOC 2 Type 2 compliance are shining examples.

In today's digital age, the security and trustworthiness of enterprise software are paramount. Data breaches and cyber threats are constantly evolving, so safeguarding sensitive information and preventing unauthorized access to network infrastructure continue to be a major focus for concern from our customers. For years Cisco has followed an internal process called Cisco Secure Development Lifecycle (CSDL) for all development teams. This Cisco policy provides the cultural environment for internal awareness of threats as well as a platform for security education, threat modeling, and vulnerability testing. Cisco Catalyst Center product team has used this security blueprint as a springboard for even more rigorous levels of security and threat mitigation. I am proud to announce that our team's focus on product security and processes has led to our certification for ISO 27001 and compliance attestation for SOC 2 Type 2.

Cisco Secure Development Lifecycle (SDL) is designed to introduce security and privacy throughout the development process. Its guidance, best practices, tools, and processes help us build secure and compliant products and offers. These capabilities allow our engineers to continually assess and improve Cisco offerings as we strive to earn and maintain customer trust.

Figure 1: Cisco Secure Development Lifecycle (SDL)

Cisco Secure Development Lifecycle

Cisco software developers must strictly follow Secure Development Lifecycle guidelines for coding the network management systems with a combination of tools, processes, and awareness training that provides a holistic approach to product resiliency and establishes a culture of security awareness. From a trust perspective, the SDL process includes:

• Engineer training and education: Our engineers are trained on their role in secure software development. From the tools they use, to the methods of storage and retrieval and the importance of the principle of least privilege to unnecessary code.
• Product security requirements: Since Catalyst Center is deployed on premises and in cloud-based virtual appliances the product must support secure endpoint access in these environments.
• Management of third-party software, including open-source code: Open-source platforms like Ubuntu and Kubernetes bring a lot of value to our solution, but they require careful vetting and meticulous version control.
• Secure design processes: This involves implementing continuous security practices, tools, and controls from the beginning of the software development lifecycle, ensuring that products are inherently secure
• Secure coding practices and common libraries: Engineers learn to code in a high-level language that follows strict principles and meticulous attention to syntax.
• Static analysis: Code is compared against rigid set of rules for conformance to quality.
• Vulnerability testing: Unmasking exposure to active, passive, network, and distributed vulnerabilities in the completed solution. This includes API connectors and Virtual Appliance platform touch points.

This rigorous Cisco process is foundational for rigorous external certifications that are internationally recognized, such as ISO 27001 and SOC 2 Type 2.

ISO/IEC 27001:2022

In June this year, the Cisco Catalyst Center engineering team received certification for ISO/IEC 27001:2002. The ISO 27001 is an international standard designed to help organizations keep information assts secure. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The required ISMS has a series of requirements that are similar to the Cisco SDL process outlined above. However, it includes three important additional steps be followed:

1. Conduct regular risk assessments: Regularly assess risks to identify new threats and vulnerabilities. This reinforces engineer education and awareness and enables the organization to adapt its security measures proactively. - It makes the team more agile in the face of increasing threats.

Figure 2: ISO/IEC 27001:2022 certification

2. Monitor and Review: Organizations must continuously monitor and review the effectiveness of their ISMS. Internal teams are assigned to audit security reviews and report to management with recommendations for improving and ensuring continual compliance with ISO 27001 requirements.

3. Engage external auditors: Organizations must contract with accredited external auditors to conduct periodic assessments and verify compliance with ISO 27001 standards. This external auditor provides validation and a certificate for ISO 27001 compliance that customers and stakeholders can see for peace of mind.

P&C SOC 2 Type 2

SOC 2, or Service Organization Control 2, is a framework designed to provide a platform for specific North American security requirements for sectors like healthcare, finance, and e-commerce where data-security is of the utmost importance. Many of the requirements are similar to those in ISO 27001, but the external auditing process is a full four months long with a focus on verifying mitigation to threats that are common in the North American market. SOC 2 demonstrates trustworthiness to North American customers and many industry verticals, but it also can be an important validation to additional and broader security conformance.

The certificate for SOC 2 Type 2 can be downloaded from the ISO/SOC section of the Cisco Trust Portal, for customers that require documentation.

Building a software development culture for security

The certifications we have received are a clear reflection of the security minded culture in Catalyst Center engineering. We design our solutions with built-in trustworthy technologies, train our teams on secure development processes, provide the tools to create and store software securely, and implement internal and external audits to provide verification of these steps. We use a secure development lifecycle to make security a primary design consideration and this is key to delivering a trustworthy software solution.

For more information on Catalyst Center visit: cisco.com/go/catalystcenter

Public link

Please use the above public link if you want to share this noodl on another website.