Cyber attacks pose a threat to our customers, our employees, and our partners — in short, our very business. That’s why we’re always on the alert, working to stop hackers who would deface our website or gain access to sensitive information. We have comprehensive plans to deal with sophisticated threats, such as organized cyber criminals, cyber-espionage groups and even state-sponsored intrusion.
Our cybersecurity strategy has five major components:
We use data segregation, encryption and data-loss-prevention technologies to ensure safe and secure processing and sharing of critical information. In addition, all data is classified according to its sensitivity. This data classification process enables us to understand the relative importance of securing each dataset and to make an informed business decision about the level and allocation of resources required.
By following industry-standard cybersecurity guidelines, we ensure our processes are repeatable, predictable and easily understandable.
Of the numerous cybersecurity control frameworks, we chose to implement both ISO 27000 and the National Institute of Standards & Technology Cybersecurity Framework:
- ISO 27000 Information Security Management System — this international standard defines “requirements for establishing, implementing, maintaining and continually improving an information security management system.” We incorporate ISO 27000 as a normal part of our business processes. Independent auditors have certified many of our systems and data centers as ISO 27000-compliant.
- National Institute of Standards & Technology Cybersecurity Framework — created through collaboration between industry and government, this framework provides guidance for protecting networks and infrastructure. Its prioritized, flexible and scalable approach helps us manage cybersecurity-related risk in a cost-effective manner. The framework has already proven useful in helping us predict, detect, disrupt or deter and respond to threats, and to recover valuable data.
Capability maturity assessments performed by independent parties and benchmarking with other companies find our implementation to be sound, relevant and aligned with industry standards.
We utilize a combination of evidence-based assessments, vulnerability scanning and penetration tests to validate that our data protection is effective and to ensure controls are operating properly on an ongoing basis.
Cybersecurity incident response
We have emergency response procedures in place throughout our business. If we were to encounter an attempted cybersecurity attack, we would take the following actions:
- Identify whom to notify internally
- Establish a multidiscipline virtual response team
- Implement monitoring protocols and egress prevention
- Estimate the extent of the compromise
- Coordinate with legal counsel and insurance carriers
- If necessary, notify legal authorities
These steps provide a general framework; business units have detailed plans tailored to their needs. We regularly perform tests to assess our operational and managerial readiness.
Cyber risk management
Recent high-profile breaches in the media demonstrate that any organization can suffer a cyber attack. When this occurs, there may be costly consequences — such as regulatory fines or purchasing identity-theft monitoring for affected parties. Many companies invest in Errors & Omissions or Cyber Liability Insurance to mitigate this risk.
Many insurance carriers and underwriters assess the level of risk when determining insurance rates. Xerox, as well as other companies, has received reduced premiums and/or more favorable policy limits by implementing effective cybersecurity management.
Cybersecurity is not solely the responsibility of the IT Department. By collaborating across our company, we effectively manage risk, reduce the likelihood and limit the impact of exposure, and enable quick recovery from any attack on our infrastructure, networks and systems.