HCL BigFix Trust Center
Software security is critically important to HCL and our valued clients. It is also central to the way HCL BigFix is developed. The HCL security strategy covers all aspects of our business, including corporate and organizational security policies, incident management and response, business continuity and disaster recovery, secure software development processes, and privacy.
This web page specifically addresses the HCL BigFix secure development process, as well as our company and product certifications important to our commercial and government customers. It conveys how the HCL BigFix solution helps IT and Security teams secure their endpoint fleet.
Secure Product Development
HCLSoftware adheres to stringent development processes to protect the code we develop and provide to both our commercial and government customers.
Additionally, BigFix content is protected in several ways. First, the BigFix Content Servers are running in secure data centers. Second, file access control lists (FACL) limiting access and changes to authorized users. And lastly, BigFix content itself is cryptographically signed during the secure build process. Content that is not signed correctly is rejected by BigFix servers and logged as an error. As a result, content downloaded by our customers from the BigFix Content Servers is protected and secure.
Secure Product Support
Our Product Support teams protect our customer data and information by collecting only vital information, limiting access to customer contact information and case data to only those who are actively working to troubleshoot the reported problem, and encrypting customer sensitive information making it unreadable to anyone other than the intended party. Our data protection policy includes:
- Collecting only vital company and contact information.
- Communicating customer information and data via HTTPS and Transport Layer Security (TLS) protocols.
- Sending diagnostic data via SFTP or HTTPS using TLS protocols and encrypting stored data using the AES algorithm.
The HCLSoftware Support organization has achieved ISO27001 certification. External auditors have reviewed HCLSoftware’s practices, policies, and procedures and found that our Information Security Management System (ISMS) meets the requirements of the standard. ISO 27001 compliance demonstrates our ability to protect our client’s data and information.
HCL BigFix Security Bulletins
The HCL Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of reported security vulnerabilities for HCLSoftware product offerings. The PSIRT coordinates with product development teams who investigate reported security vulnerabilities and identify the appropriate response plan. Once a response plan is identified, the product teams communicate with internal and external parties in the execution of our vulnerability response process. For more information, visit the HCLSoftware PSIRT page.
The HCL PSIRT publishes Security Bulletins to our customers and partners. Each Security Bulletin describes the CVE and points to additional details and remediation. A list of HCL BigFix Security Bulletins can be on the HCLSoftware Community Forum.
Product Certifications
HCL collaborates with a variety of organizations who evaluate our compliance to industry security so that our customers and partners can be assured of our product integrity. For more information about HCLSoftware corporate compliance, visit the HCLSoftware Compliance page. The following HCL and BigFix certifications have been obtained or are in progress as indicated below).
ISO-20243 certification is an Open Trusted Technology Provider™ Standard (O-TTPS) for mitigating maliciously tainted and counterfeit products. It is a set of guidelines, recommendations and requirements that help assure integrity in technology development and to prevent maliciously tainted and counterfeit products from entering the global supply chain. The standard is focused on verifiable processes and implementation proof points to address the concerns of customers, integrators, suppliers, auditing, regulatory organizations, as well as best practices for implementation throughout all phases of a product’s life cycle: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
ISO-20243 certification for Secure Supply Chain
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization. In adherence to ISO/IEC 27001, the HCLSoftware Security and Compliance Team was formed to protect the critical information assets by implementing and continually improving an ISMS to help ensure that its applicable information security objectives are met, and the ISMS is able to adapt to internal and external changes. The goal of the ISMS is to protect HCLSoftware and its customers information assets from threats identified, whether internal or external, deliberate or accidental.
ISO/IEC 27001 Certifications
Common Criteria (or CC) is an international standard for computer security certification. It provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that corresponds with its target use environment.
The OSCI has completed the evaluation of HCL BigFix V10. OCSI manages the assessment and certification of IT security systems and products.
Common Criteria Certification
This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
FIPS crypto module embedded in BigFix v11 has received
BigFix Compliance adheres to the Security Content Automation Protocol (SCAP) V1.3. The SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.
BigFix Compliance V9.2 has obtained SCAP v1.2 certification and BigFix Compliance V10 is in process for SCAP v1.3 certification.
Security Content Automation Protocol (SCAP) Certification
Link to Certification document to be provided when available
CIS Benchmarks are provided as best practices to secure operating systems and software to eliminate any configuration related vulnerabilities for cyber-attacks.
BigFix Compliance V10 is the latest to receive the CIS Security Software Certification for CIS Benchmarks.
CIS Security Software Certification
US Federal Government Considerations
US Federal Government Customers should
visit HCL BigFix for the US Federal Government to learn more.
Your Privacy
We are committed to protecting the privacy of visitors to our websites, individuals who register to use the products and services, individuals who register to attend our corporate events and webinars, and our business partners. For more information, see the HCL Privacy Statement.
Summary
Our valued clients can rest assured that we keep security foremost in our minds as we develop, test and deliver effective and secure endpoint management solutions to our commercial and government customers. For more information, please contact us.
