Cisco WebEx Meeting Center WBS29.13 White Paper

Web Conferencing: Unleash the Power of Secure Real-Time Collaboration
White Paper
Cisco Public
© 2016 Cisco and/or its affiliates. All rights reserved.
Administrative data: Information about employees 
or representatives of a customer or other third 
party that is collected and used by Cisco in order to 
administer or manage Cisco’s delivery of products or 
services, or to administer or manage the customer’s 
or third party’s account for Cisco’s own business 
purposes. Administrative data may include the 
name, address, phone number, email address, and 
information about the contractual commitments 
between Cisco and a third party, whether collected 
at the time of the initial registration or later in 
connection with the management or administration 
of Cisco’s products or services.
Administrative data may also include the meeting 
title, time, and other attributes of the meetings 
conducted on Cisco WebEx by employees or 
representatives of a customer. Other examples 
of administrative data may include meeting title, 
meeting time, and other attributes of the meetings 
hosted on Cisco WebEx.
Customer data: All data (including text, audio, 
video, image files, and recordings) that is either 
provided to Cisco by a customer in connection with 
the customer’s use of Cisco products or services, 
or developed by Cisco at the specific request of 
a customer pursuant to a statement of work or 
contract. Customer data includes log, configuration, 
or firmware files, and core dumps. It is data taken 
from a product or service and provided to Cisco to 
help us troubleshoot an issue in connection with a 
support request. Customer data does not include 
administrative data, support data, or telemetry data.
Support data: Information that Cisco collects when 
a customer submits a request for support services 
or other troubleshooting, including information about 
hardware or software. It includes details related 
to the support incident, such as authentication 
information, information about the condition of the 
product, system and registry data about software 
installations and hardware configurations, and 
error-tracking files. Support data does not include 
log, configuration, or firmware files, or core dumps 
taken from a product and provided to us to help us 
troubleshoot an issue in connection with a support 
request, all of which are examples of customer data.
Telemetry data: Information generated by 
instrumentation and logging systems created through 
the use and operation of the product or service.
All data collected in Cisco WebEx Cloud is protected 
by several layers of robust security technologies and 
processes. Below are examples of controls placed in 
different layers of Cisco WebEx operations to protect 
customer data:
• Physical access control: Physical access is 
  controlled through biometrics, badges, and video 
  surveillance. Access to the data center requires 
  approvals and is managed through an electronic 
  ticketing system.
• Network access control: The Cisco WebEx 
  network perimeter is protected by firewalls. Any 
  network traffic entering or leaving the Cisco WebEx 
  data center is continuously monitored using an 
  intrusion detection system (IDS). 
  The Cisco WebEx network is also segmented into 
  separate security zones. Traffic between the 
  zones is controlled by firewalls and access control 
  lists (ACLs).
• Infrastructure monitoring and management 
  controls: Every component of infrastructure, 
  including network devices, application servers, 
  and databases, is hardened to stringent guidelines. 
  They are also subject to regular scans to 
  identify and address any security concerns.
• Cryptographic controls: As noted earlier, all 
  data to and from the Cisco WebEx data center 
  to Cisco WebEx clients is encrypted, except for 
  unencrypted video devices in a CMR Cloud–enabled 
  meeting. Additionally, critical data stored 
  in Cisco WebEx, such as passwords, is encrypted.
Cisco employees do not access customer data 
unless access is requested by the customer for 
support reasons. Access to systems in this case 
is allowed by the manager only in accordance with 
the “segregation of duties” principle. It is granted 
only on a need-to-know basis and with only the 
level of access required to do the job. Employee 
access to these systems is also regularly reviewed 
for compliance. Employees with such access are 
required to take annual International Organization for 
Standardization (ISO) 27001 Information Security 
Awareness training.
In addition to these specialized controls, every Cisco 
employee undergoes a background check, signs 
an NDA (nondisclosure agreement), and completes 
COBC (Code of Business Ethics) training.