Compliance, Regulations, Standards and Certifications |
Ingram Micro, being a globally operated organization, complies with different data privacy laws and regulations. We incorporate the required technical and organizational security measures and safeguard the protection of the rights of the data subject.
- ISO/IEC 27001 Certified
- PCI DSS: Payment Card Industry (PCI) Data Security Standard (DSS)
- GDPR: General Data Protection Regulation
- CSA STAR: Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR)
- CCPA: California Consumer Privacy Act
- NIST Cybersecurity Framework (National Institute of Standards and Technology)
Information Security Training |
Our associates and contractors are trained in information protection, data privacy, and compliance with our information security policy.
Information Assets |
All company assets (including company networks) are provided for business use. We define acceptable uses of our data and assets.
Regulatory Compliance & Data |
All users must comply with laws, regulations, and compliance programs regarding the use of data, networks, and computer systems. Personal data should only be stored in approved company applications, and it should be collected and processed only for lawful and legitimate business purposes.
Software Development Security |
To bring enhanced security into the newly developed features of our digital ecosystem, our Software Development Life Cycle (SDLC) follows the Software Assurance Maturity Model (SAMM) methodology and CIS benchmarks. Our Secure SDLC ensures all security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.
- “Secure by design” model
- Adherence to Open Web Application Security Project (OWASP)
- Secure Software Development Lifecycle (S-SDLC)
- Pen Testing performed on a yearly basis
As part of the SAMM Education and Guidance practice, R&D associates participating in the SDLC are trained on how to develop and deploy secure software. Our DevSecOps methodology focuses on embedding security in all phases of Ingram Micro’s Secure SDLC.
Penetration Testing |
Ingram Micro IT assets undergo internal penetration testing covering internet-facing applications and business-critical services. Our penetration testing methodology aligns with industry standards and common testing frameworks, such as OWASP, and is conducted in accordance with ISO 27001.
Bug Bounty Program |
Ingram Micro recognizes the power of security as a community. As a result, we reward security researchers who discover and report vulnerabilities in our applications and ecosystem. These are awarded based on several factors including severity and impact of the vulnerability reported. Researchers can report their findings via the Bug Bounty Submission Form.
Access and Authentication |
All user requests for access privileges adhere to a formal process for access request and approval following the least privilege principle.
- Strong password management controls and use of a password manager to store encrypted passwords online.
- Password expiration
- Role-based access
- Granular roles and rights management
- Hierarchical and relational entities
- Multiple directory integration
- Strong authentication, including MFA (Multi-factor Authentication) enforcement for privileged access
- Periodic access reviews performed to ensure Zero Trust is always applied: never trust, always verify!
Cryptography Policy |
The cryptography policy outlines the requirements for the proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.
- Dedicated process for SSL/TLS certificate management
- Key rotation process management
- Key generation process management
- Advanced Encryption Standard (AES) algorithm to encrypt data at rest: all data at the storage level is encrypted with AES-256 by default. Traffic is encrypted in transit using Transport Layer Security (TLS) 1.2 with an industry-standard AES-256 cipher.
Operational Procedures and Policies |
Operational procedures reflecting the Company’s position on security are implemented to reduce the daily risks to the Company’s information systems and assets, including but not limited to:
- Change Management: formal Change Advisory Board (CAB)
  - Process follows ITIL/ITSM guidelines
  - CAB assesses, prioritizes, approves, and logs changes
- Continuous patch and vulnerability scanning
- Backup management
- Separation of development, testing, and operational environments
- Continuous audits and improvement process
- Business Continuity and Disaster Recovery