Westcon International, Ltd. (Westcon) Information Security
Westcon, its subsidiaries and affiliates take the protection of customer data very seriously. Westcon is committed to protecting the confidentiality, integrity and availability of its customers’ information. Westcon understands its obligations to its customers along with today’s regulatory requirements and is well prepared to meet them.
Westcon addresses its data protection obligations by protecting and managing customer information in a secure and consistent manner. To accomplish this, Westcon employs a comprehensive information security program that involves: people, process and technology.
Security by design is not an option; it’s a must in today’s business world. This includes making everyone aware of information security, its implications and individual responsibilities in safeguarding customer data. As individual involvement and responsibilities vary amongst our personnel, training and awareness are tailored by role. General cyber/information security training and awareness is mandatory for all, while more in-depth training and awareness is given to those who deal directly with sensitive data. Training is conducted on an on-going basis. Particular focus is given to new and evolving laws and regulations. For example, with the introduction of the General Data Protection Regulation (GDPR), Westcon appointed a Data Privacy Officer (DPO). Additionally, Westcon evaluates its service providers to ensure the same level of data protection is given throughout the data life cycle. A dedicated team of information security professionals addresses the day-to-day information security activities. In the event of an information security incident, our Computer Security Incident Response Team (CSIRT) is capable and ready to be engaged.
Comprehensive governance has been put in place with an emphasis on accountability and transparency. These measures help minimize the risk of breaches and uphold the protection of customer data. Privacy Impact Assessments (PIAs) are an integral part of Westcon’s security by design approach. Legacy applications are put through the PIA process to identify and address any privacy risk. New applications are put through the PIA process while in their design stages to enable security by design cost effectively.
- Types of personal information we collect;
- How we use the information;
- With whom we share it;
- Rights you may have about the use of your personal information;
- Security measures we implement to protect the security of your information; and
- How you can contact us about our privacy practices.
As new laws and regulations impact how data is to be protected, Westcon reviews its provider contracts. Provider contracts are reviewed, updated and agreed upon to include specific terms designed to ensure that processing carried out by a processor meets information security standards and requirements.
Westcon’s Incident Response plan details processes and procedures to minimize damage and reduce recovery time and costs in the event of an information security incident. Incidents are recorded under one of eight incident categories for granular reporting and metrics purposes. A Root Cause Analysis (RCA) is performed on each incident.
Connectivity to our applications occurs over a secure TLS (HTTPS) connection. Application servers access the databases through restricted Access Control Lists (ACLs). Access is granted on a least-privilege, need-to-know basis. Access is reviewed on a regular cycle.
Our data centers are SOC 2 Type I and Type II compliant and they comply with ISO/IEC 27001. Our data center facilities are strictly controlled with various levels of defense including (but not limited to): alarms, CCTV, locked cages, biometric scanners, and guard stations that are manned 24/7. Redundant firewalls with load balancers disperse the traffic across multiple servers. Information is replicated real-time between data centers over an encrypted channel and backups are performed regularly for business continuity purposes. All replicated/backup data is stored in an encrypted format. Data is retained as per Westcon’s documented retention management schedule.
Westcon has an Information Security Management System (ISMS) used to facilitate the storage, organization and retrieval of information. Westcon’s Information Security Policies are based on controls defined in ISO/IEC 27002. In addition to fields such as Data Classification and Business Criticality, Westcon’s inventory database captures specific fields for data privacy management purposes.
Numerous proactive measures are taken to protect systems and data. Along with the aforementioned firewalls and backups, other technologies such as anti-virus, anti-malware, encryption (at disk and file level), and automated patching are deployed. Two-factor authentication (2FA) is required for all remote access. Our systems are scanned for vulnerabilities on a monthly basis and compliance audits are performed regularly.
Frequently Asked Questions (FAQs)
Q: Does Westcon have a dedicated security team?
A: Yes, Westcon has a dedicated security team that takes a proactive focus on cybersecurity along with management of Westcon’s security technologies.
Q: Does Westcon have an Information Security Management System (ISMS)?
A: Yes, Westcon has an Information Security Management System.
Q: Does Westcon have a documented and management-supported security policy?
A: Yes, Westcon’s Information Security Policies are based on controls defined in ISO/IEC 27002:2013.
Q: Does Westcon have a mandatory information security and privacy training program available to staff?
A: Yes, mandatory information security and privacy training is given to new hires and on a yearly basis.
Q: What internal processes does Westcon have for taking action in the event of a security violation?
A: Westcon’s Security Incident Response process details the security incident process flow along with identifying its CSIRT lead and other key personnel roles and responsibilities.
Q: Does Westcon enforce 2-Factor Authentication (2FA) for remote connectivity?
A: Yes, 2FA is in place and enforced for all remote access.
Q: How does Westcon handle backups and are they encrypted?
A: Backups are encrypted and stored at an off-site location.
Q: Are Westcon data centers appropriately protected?
A: Westcon’s two (2) data centers are SOC 2 Type I and Type II compliant.
Q: Where is the data Westcon holds physically stored and is data encrypted when stored?
A: Our data centers are located in the United States. Sensitive data is encrypted at rest.
Q: Is data encrypted in transit?
A: Yes, data is transferred via a secure TLS (HTTPS) connection.
Q: What governance procedures are in place for the disposal of data?
A: Westcon has procedures that specify both handling and disposal of electronic and physical data.
Q: Do Westcon processes cover scenarios for staff joining, moving and/or leaving the company?
A: Yes, joiners/leavers are orchestrated through Westcon’s Service Management System.
Q: Do Westcon IT systems have contingency arrangements and resilience?
A: Yes, Westcon data centers are located in two geographically remote locations.
Q: Are independent audits conducted on Westcon?
A: Yes, independent audits are conducted on a yearly basis.
Q: Does Westcon have a Vulnerability Management program in place?
A: Yes, vulnerability scanning is performed on a monthly basis. Any/all findings are recorded, prioritized and managed.
Q: Does Westcon maintain separate environments for production and development?
A: Yes, Westcon maintains separate production, development and quality assurance environments. Movement between environments is tightly controlled through Westcon’s Change Management process.
Q: How does Westcon address system/application patches?
A: Westcon has a defined patch management schedule that is coordinated through its Change Management process.