U.S. government program providing a standard approach to security, authorization and monitoringThe Federal Risk and Authorization Management Program (FedRAMP) is a U.S Federal Government Program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). The FedRAMP program has helped accelerate the adoption of secure cloud solutions, through the reuse of assessment and authorizations across other government agencies. FedRAMP leverages a standardized set of requirements established in accordance with the Federal Information Security Management Act (FISMA), and utilizing the Security Assessment Framework (SAF) and NIST Risk Management Framework (RMF) to continuously monitor, and improve the confidence and process maturity with the various baselines of security controls implemented by the Cloud Service Providers. In-order to support on-going operations with U.S Government customers to process, store or transmit U.S Government data; they are responsible for complying with the requirements established by the FedRAMP Program.

• McAfee's MVision Cloud achieved FedRAMP Moderate Agency Authorization in Nov of 2017, and has since maintained the Authority To Operate (ATO). For more information visit:
  https://marketplace.fedramp.gov/#/products?sort=productName&productNameSearch=mcafee
• McAfee's MVision Cloud has been selected and is currently 'In-Process' of pursuing a Joint Authorization Board (JAB) ATO at the FedRAMP High Authorization Level.
• McAfee's MVision Cloud achieved DoD Impact Level 2 and completed their latest renewal in June 2019. DoD Impact Level 2 for MVision Cloud is granted through FedRAMP Reciprocity. The Department of Defense Memorandum of Reciprocity for FedRAMP can be found here: https://www.doncio.navy.mil/FileHandler.ashx?id=13641
• McAfee's MVision for Endpoint is currently 'In-Process' of pursuing FedRAMP Moderate Authorization Level. This effort is sponsored by the US Department of Homeland Security, Immigration Customs Enforcement (DHS/ICE) and is expected to complete mid 2020.

European Union General Data Protection Regulation (GDPR)The General Data Protection Rgulation (GDPR) came into force on May 25, 2018 and is an EU regulation which provides individuals more control over their personal data. The GDPR was designed to harmonize data protection rules across the European Union. It provides rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data of data subjects in the European Union. The GDPR requires companies to implement appropriate technical and organizational measure to protect personal data.

For more information visit:
https://www.mcafee.com/enterprise/en-us/about/gdpr.html

How McAfee helps support financial service organizations with their regulatory complianceFinancial services organizations endure changing regulations which require more transparency and stricter data protection, usage, and security requirements. McAfee technology can help prevent malicious attacks of data, identify and isolate attacks, initiate automated incident responses to negate an attack, and assist in financial services compliance obligations around securing and protecting data.

For more information visit:
https://www.mcafee.com/enterprise/en-us/solutions/financial-services.html

Information Technology - Security Techniques - Information Security Management Systems - RequirementsISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO 27001 Certificate

Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud servicesISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

• additional implementation guidance for relevant controls specified in ISO/IEC 27002
• additional controls with implementation guidance that specifically relate to cloud services

ISO 27017 Certificate

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processorsThis document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

ISO 27018 Certificate

Disaster Recovery & Business ContinuityMcAfee focuses on comprehensive Continuity of Operations by integrating risk management, emergency response, crisis management, business continuity, and disaster recovery processes designed to maintain a state of readiness to bounce back from business disruptions should they occur. We proactively assess and mitigate potential disruptions through dynamic development of business continuity plans. McAfee's Business Continuity Management (BCM) program includes conducting necessary tests against these plans to ensuring they are effective and up-to-date. We leverage periodic Business Impact Analysis of our core business processes and functional groups to prioritize planning and risk mitigation investments.

• McAfee's Business Continuity Management Plans are designed to ensure our critical operations will continue to function with little or no disruption, that our customers' accounts will be secure and accessible, and that our customers will be able to reach us regardless of the scope of the situation or event.
• Recovery Plans (BRPs), Technical Recovery Plans (TRP), and our Business Impact Analysis (BIAs) are reviewed on a regularly scheduled basis, to occur at least annually or where there is an impactful change to the technology or process. This includes ensuring we have an established application Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and needed periodic failover testing for our applications and services which McAfee has identified as "mission critical" or "business critical." Outcomes from all failover testing can result in process/procedure updates and problem records action items which are tracked until successful resolution.

Disaster Recovery & BCP

Health Insurance Portability and Accountability Act (HIPPA) is United States legislation that provides data privacy and security provisions for safeguarding medial information.HIPPA provides federal protections for personal health information held by covered entities and gives patients rights with respect to that information - including controlling access to, use of, and security of this data. McAfee technology helps heathcare providers and processors of HIPPA protected personal health information comply with their data protection obligations under the Act.

McAfee HIPAA Compliance Content Pack

PCI DSS v3.2.1 - PCI Data Security Standard Requirements and Security Assessment ProceduresThe Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

PCI Certificate

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five "trust service principles"-security, availability, processing integrity, confidentiality and privacySOC 2 Type II report is an attestation for the management of MVISION Cloud organization assertion that certain controls are in place to meet the AICPA's SOC 2 Trust Services Criteria (TSC).

The Trust Services Criteria are noted below:

• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing Integrity - System processing is complete, accurate, and authorized.
• Confidentiality - Information that is designated "confidential" is protected according to policy or agreement.
• Privacy - Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.

The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management's assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and the controls are designed (Type I report) or designed and operating effectively (Type II report).

TISAX (Trusted Information Security Assessment Exchange) certification enables mutual acceptance of Information Security Assessments in the automotive industryThe VDA Information Security Committee of the VDA (German Association of the Automotive Industry) was established more than 10 years ago, and has ever since developed a catalogue of assessment criteria on information security based on key aspects of the international ISO/IEC 27001 and 27002 standards: VDA ISA (VDA Information Security Assessment).

This instrument is used by VDA member companies both for internal purposes and for assessments at suppliers and service providers processing sensitive information of their respective partners.

Assessments according to VDA ISA, particularly at service providers and suppliers, are being handled individually by each requiring company so far. Therefore, it is possible that a partner is assessed several times at short intervals.

The VDA Information Security Committee establishes a common assessment and exchange mechanism (TISAX = Trusted Information Security Assessment Exchange) in the automotive industry and beyond, to avoid such multiple effort in the future.

The TISAX system is operated by ENX Association which has been entrusted with the implementation as a neutral instance by the VDA.

TISAX creates competition among the accredited audit providers and allows for common acceptance of assessment results within the circle of TISAX Participants. The audit providers perform the assessments based on this set of information security management controls

Continually providing customers with independently tested, validated, and certified productsGovernments worldwide need to ensure that products they use meet their affiliated security criteria, perform to expectations, and integrate with their existing technology. As a global leader in providing evaluated and certified information security products to the worldwide marketplace, McAfee delivers on these requirements by maintaining a continually active and robust product evaluation and certification program to serve its global government customers.

Public Sector Product Certifications

The Cloud Security Alliance Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standardsMcAfee MVISION Cloud, the world's leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt SaaS, PaaS and IaaS cloud services as well as Containers, while meeting their security, compliance and governance requirements. With more than 1200 enterprise customers globally, MVISION Cloud provides organizations the visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies.

For more information visti:
https://cloudsecurityalliance.org/star/registry/mcafee/