F-Secure Elements Vulnerability Management is a vulnerability scanning and management service operated by F-Secure Corporation. F-Secure Elements Vulnerability Management is available either as a cloud-based service (SaaS) solution or as an on-site solution. Elements Vulnerability Management consists of the following components:
- Radar scan nodes
- The Elements Security Center
The scan nodes perform the actual scanning. The Elements Security Center manages and coordinates the scan nodes, collects the results and provides reports of findings.
The purpose of this document is to describe the high-level security controls that F-Secure uses in Elements Vulnerability Management, and to describe the handling of customer data.
Data ownership
All data submitted for analysis by a customer is owned by the customer. For European customers, F-Secure uses data centers within the EU.
Encryption of transferred data
All metadata, files, and other content are transferred securely using TLS 1.2 encryption.
Access to data
F-Secure access to customer data is limited to authorized security personnel to perform quality assurance, customer support, or enhanced security analysis. Anonymized customer data might also be used for statistical purposes.
F-Secure follows recommended, industry-standard best practices in controlling access to all company networks, and updates access controls according to the prevalent industry recommendations.
Information Security Management System
F-Secure has an ISO 27001 certified Information Security Management System. The Elements Vulnerability Management service is currently not included in the scope of certification, meaning there are no regular independent third-party audits conducted on the Elements Vulnerability Management service regarding ISO 27001 conformity. However, Elements Vulnerability Management follows the same ISMS policies, processes, and procedures as the operations within the scope of ISO 27001 certification.
Information security policies
F-Secure maintains a security policy framework compliant with ISO 27001. Our top-level policy, Cyber Security Principles, is a PUBLIC document and Elements Vulnerability Management customers can request it for review. The policies are reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness.
Organization of information security
F-Secure security policies define the responsibilities for information security in the organization, and F-Secure has a CISO Office tasked to lead and coordinate internal cyber security.
Managers are responsible for ensuring that information security is properly executed, identifying key information assets and systems that are essential to the continuous operation of their service, information security planning, management, and reporting.
Asset management
The F-Secure Acceptable Use and Information Security Classification Policies set the rules for the use of assets under F-Secure control during the entire lifespan of information assets.
Security controls include rules for, among others: responsibility for assets, prohibited activities, taking assets off-site, use of removable media and mobile devices, remote and mobile work, information storage, use of personal devices, return of assets, user account and password guidance, clear desk and clear screen policy; and rules for email, internet use, and social media.
Human resources security
F-Secure maintains a procedure for background checks for staff. Employees sign confidentiality agreements as part of their employment contracts. We have defined procedures covering the lifecycle of employment from onboarding to the end of employment. All employees are required to complete mandatory security training during their onboarding. F-Secure has a standard process for managing the creation of new accounts, changes in responsibilities, and the termination of employment. Employees who need to access production systems are required to participate in mandatory training, which includes training in security controls and procedures. F-Secure has defined a disciplinary procedure, which is utilized in cases of security violations.
Access control
Access to services
Access to F-Secure hosted services is restricted to the F-Secure Elements Vulnerability Management team. The SOC team has only the limited access rights needed to provide around-the-clock monitoring services.
Service operating roles and service accounts have the minimum possible set of Identity and Access Management (IAM) permissions enabled.
Access to data
Access to customer data is restricted to selected Elements Vulnerability Management team members. The access is primarily used for maintenance purposes and for handling support cases. When a support case has been completed, the access is revoked.
Elements Vulnerability Management comes with detailed audit trail capabilities that record every single event such as data or configuration changes and the starting, stopping, and completion of scan jobs. These events contain timestamps, user IDs, and details about the actions performed. These event logs are all available from the Elements Vulnerability Management user interface.
Cryptographic controls
F-Secure maintains an Encryption Standard, which defines the requirements for cryptographic algorithms and key lengths.
We also maintain guidelines for recommended configurations for TLS, and obtain public server certificates from reputable approved Certificate Authorities. Applications for public certificates are controlled and managed according to defined procedures. Private keys are handled with care and access to private keys is restricted to authorized personnel only. All Elements Vulnerability Management internal traffic is encrypted, and data at rest is also encrypted.
Physical security
F-Secure has a physical security policy, which defines the control requirements related to physical security for different types of facilities. The physical security of ISO 27001 certified offices is periodically audited by the certification body.
The production infrastructure for F-Secure Elements Vulnerability Management is running in Amazon Web Services (AWS). For information on the physical security controls of AWS data centers, see the AWS Compliance site.
Operations security
F-Secure maintains a baseline security policy, which identifies the relevant security requirements based on the risk level of the system or component.
Operating procedures are documented. Development, test, and production environments are separated to reduce the risk of unauthorized or uncontrolled changes to production systems.
The health of service is monitored around the clock by the F-Secure Service Operations Center (SOC) using multiple monitoring systems. Alerts are escalated when needed according to pre-defined criteria, based on alert severity and potential security impact, supported by expert on-call availability. We also gather monitoring data for the purpose of predictive analysis.
The F-Secure Elements Vulnerability Management team uses a DevOps approach in development work and service deployment. Changes follow the F-Secure change management process and all changes in the service code are peer-reviewed. All changes in the code and infrastructure are recorded in F-Secure version control systems.
Software updates for scan nodes are delivered through automatic updates, assuming the scan nodes have internet access to the Radar Update Service. Alternatively, updates can be performed manually by using a software installation package (exe). Updating an on-premise installation of the Elements Security Center is currently only possible by using a software installation package. These installation packages are delivered by F-Secure. On-premise Elements Security Center customers are automatically notified as soon as a new version is available.
The Elements Vulnerability Management team regularly reviews unexpected events detected in the service. If incidents are detected, a root cause analysis (RCA) is conducted to work out a plan for preventing similar issues in the future. RCA findings are documented for future reference.
The availability of F-Secure Elements Vulnerability Management cannot exceed that promised for the services that it depends on or is built on. The cloud-based scanning engines hosted by F-Secure are clustered to decrease downtime. The expected availability for the core Elements Vulnerability Management components is 99%:
- The Elements Security Center (portal.radar.f-secure.com)
- Radar update service (updates.radar.f-secure.com)
- Radar Cloud scan nodes
The resilience of the Elements Vulnerability Management cloud service is improved by using Content Delivery Network (CDN) services.
For the components hosted by customers, F-Secure can only provide best-effort availability.
Any excessive or large-scale downtime is treated as a high-priority issue that requires immediate attention. The F-Secure Service Operations Center monitors the health and condition of the Elements Vulnerability Management service around the clock and alerts the service team of any potential issues at once. F-Secure support services respond to any reported customer issues within two business days.
All updates to the services are planned so that they should not cause any unscheduled downtime. There may not be any separate notification of upcoming updates in cases where the updates do not deprecate existing functionality.
Communications security
Service components are segregated to separate network segments, allowing only pre-defined traffic between segments. All unexpected requests are dropped and logged. All outbound traffic is blocked, unless explicitly approved.
Access to network security gateways is strictly controlled.
Information retrieved from external systems is protected in transit, and the correctness of the information received is verified using digital signatures where applicable.
Elements Vulnerability Management network security
The public scan nodes hosted by F-Secure perform the scans over the public internet. We advise that you inform your Security Operations Center and personnel that are responsible for your upstream network connectivity about planned scanning activity to avoid triggering unnecessary alerts.
For scan targets that are behind a filtering device such as a firewall and are not accessible from the internet, one or more on-site scan nodes need to be placed in a customer-controlled network segment that has access to the target networks. The private scan nodes need to have HTTPS access to an update server and the Elements Security Center to get software updates, coordinate the scans, and collect results.
In a cloud-based configuration, F-Secure hosts the update server and the Elements Security Center. In a private configuration, the Elements Security Center will be a host within the customer’s network.
F-Secure protects the hosted components with firewalls and intrusion detection systems. Only components that need to be accessed from the internet are placed on public networks.
System development security
Architectural threat modelling is a mandatory software engineering practice. Threat modelling activities are triggered by changes that are either large enough or have an identified security impact.
Security testing is performed based on threats and attack surfaces identified during threat modelling. For selected subcomponents identified as critical to security, automated security testing is performed.
F-Secure is continuously developing its lifecycle security policy and software security engineering practices.
If software development subcontracting is used, contractors are required to follow applicable F-Secure security policies and standards.
At the moment, F-Secure Elements Vulnerability Management is not included in the F-Secure public Vulnerability Reward Program (“bug bounty”). Nonetheless, F-Secure welcomes vulnerability reports and commits to investigate them. Vulnerability findings can be sent either via normal support channels or to [email protected]
Supplier relationships
Supplier agreements include security requirements to address potential risks identified in relation to the supplier relationship. Depending on the risk, arrangements may include clauses for the following:
- method of identification of the other party
- authorizations to access information
- technical standards for data transfer
- incident response
- labelling and handling sensitive information
Service owners are responsible for ensuring that the services, reports, and records provided by the third party are regularly monitored and reviewed, and that audits are carried out when necessary. Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, are managed.
Information security incident management
F-Secure maintains a standard procedure for security incident management, involving the assessment of the severity of a security event and responsibilities for responding to a suspected security incident. In addition, we maintain around-the-clock readiness to respond to any suspected major security incidents, including the ability to collect potential forensic evidence. Analysis of lessons learned is a mandatory part of the major security incident procedure.
Staff is instructed to report suspicious observations or activities to management.
Security in business continuity
Information security is embedded in the business continuity process, including planning for sufficient redundancy to meet availability requirements.
F-Secure monitors relevant statutory, regulatory, and contractual requirements to ensure the ability to meet these requirements.
Managers are responsible for regularly reviewing compliance within their area of responsibility with the appropriate security policies, standards, and any other security requirements.
Actions set out in this description may be subject to limitations by applicable laws.
Information security reviews
We also conduct security audits and process reviews regularly to monitor and improve our internal network security and access controls. Elements Vulnerability Management is included in the F-Secure Internal Bug Bounty Program.
F-Secure utilizes Elements Vulnerability Management for vulnerability scanning internally. F-Secure Consulting is a PCI ASV (Approved Scanning Vendor) that uses F-Secure Elements Vulnerability Management.