Information Security and Data Privacy
Our Approach to Information Security and Data Privacy
Overview
Ribbon is a leading, publicly traded, global provider of communications technology, employing thousands of individuals operating in more than 100 countries. Using our trusted solutions, our customers can offer services that improve the quality of life for billions of people around the world, support digital inclusion across markets and lower global greenhouse emissions through efficient bandwidth utilization and cloud-based applications.
As a technology company, we deal in information flows and processes. Our customers trust Ribbon to manage their information with the greatest integrity and the strictest controls. We design security features into our products at every stage of the product lifecycle. Similarly, protecting the privacy of customers, employees and all those whose information is entrusted to Ribbon is a hallmark of our responsible business practice.
Our Approach
At Ribbon, we are committed to protecting the personal data of our customers, partners, suppliers, affiliates and employees wherever we conduct business around the globe. We apply industry best practices for information security and data protection controls and maintain an information security architecture that includes data risk assessments, vendor risk assessments, contract reviews for both customers and vendors and a regular program of data privacy training for Ribbon employees.
Certification: Certain Ribbon operations are certified to ISO 27001 Information Security Management Quality Standard and undergo annual self-assessments and external audits. Generally, we maintain levels of adherence to this standard with no major non-conformances being identified at such assessments and audits.
Product Security: Product security considerations, risk assessments, hazard identification and protection measures are built into Ribbon processes at every stage of our product lifecycle, through concept, planning, design, validation, maintenance and end-of-life. Ribbon's Research & Development department supports an active program to ensure that our products are as secure as possible, based on working with leading frameworks and standards over several years. We incorporate learnings from:
- The Open Web Application Security Project® (OWASP)
- The CERT Coordination Center (CERT/CC)
- Most Dangerous Software Errors (CWE/SANS)
- Center for Internet Security (CIS)
Our product security program also manages a set of processes and policies that support maintaining the highest possible levels of security, such as the Vulnerability Resolution Policy, the Incident Response Process and other processes. We utilize a variety of tools to help manage and maintain product security. Tests are also run with an AddressSanitizer (ASan) instrumented load. Ribbon engineers receive mandatory annual security training that combines commercial security training with proprietary training content.
Data Protection: Ribbon maintains an active data protection program which continuously monitors compliance with applicable data protection laws and the evolving data protection landscape. Our program focuses on compliance with the EU General Data Protection Regulation (GDPR) through robust data protection policies and practices. We apply these policies across the company, beyond the specific compliance needs in Europe, to create a common standard of privacy supporting Ribbon’s compliance with applicable data protection laws around the globe. We pay particular attention in our relationships and interactions with our customers to ensure we have the right systems in place to assure their data privacy across countries. In our product development, we design our systems to enable troubleshooting without compromising privacy or facilitating unauthorized access to data.
The following Key Performance Indicators are regularly reviewed by the Ribbon Data Privacy program manager and executive leadership in order to measure program effectiveness:
- Privacy incidents
- Data protection assessments executed
- Data protection risks identified and addressed
- Training and awareness delivered
- Data Subject Rights (DSR) events
Credentials: Ribbon is a corporate member of the International Association of Privacy Professionals (IAPP), the largest and most comprehensive global information privacy community and resource. Some members of Ribbon’s internal Privacy Network maintain IAPP certifications including Certified Information Privacy Manager (CIPM) as well as Certified Information Privacy Professional for Europe (CIPP/E), U.S. Private Sector (CIPP/US) and Canada (CIPP/C). Ribbon and several of its affiliated U.S. companies remain self-certified under the EU-US Privacy Shield and Swiss-US Privacy Shield programs. For more insight regarding Ribbon’s approach to data protection and the personal data processed by Ribbon, please see our Privacy Policy.
Supporting Global Sustainable Development
Our Approach to Information Security and Data Privacy directly supports UN Sustainable Development Goal (SDG) 9, which calls for building resilient infrastructure, promoting inclusive and sustainable industrialization and fostering innovation.
- Target 9.1: Develop sustainable, resilient and inclusive infrastructures
- Target 9.4: Upgrade industries and infrastructures for sustainability
- Target 9.5: Enhance research and upgrade industrial technologies
- Target 9-C: Universal access to information and communications technology
Governance
Overall executive direction of our information security and data protection program is led by Ribbon’s Executive Vice President and General Manager of Cloud & Edge Business Unit. Ribbon’s Executive Vice President and Chief Legal Officer is the nominated Data Protection Officer (DPO) for certain Ribbon entities. Both executives collaborate to ensure effective protection across the organization and regularly report status and progress to our executive leadership.
Disclosure
We report transparently to our stakeholders on information security and data privacy progress and performance in our annual Sustainability Report.
Version 2: April 2022