EMC Security

A strategy overview

A Message from the Chief Security Officer As EMC continues to grow and enter into new markets, it faces a constant need to protect its people, facilities, and information assets from a wide range of hazards and risks. This standard of care applies as well to the partners and customers with which EMC does business, and, to a certain extent, the regions and communities in which it operates. Entrusted with this responsibility is the EMC Global Security Organization, which designs, implements and oversees the objectives and initiatives that comprise the EMC global security strategy. From maintaining physical building security, to preparing for natural disasters, to safeguarding confidentiality and integrity of digital information assets, the EMC security strategy is a comprehensive program that is constantly evolving in order to address changing needs and priorities. This brochure provides an overview of the business areas and activities that make up the EMC security strategy. Please use it as a guide to understanding our approach to matters of security and the many ways in which they shape EMC business practices. If you have questions or would like more information, I encourage you to contact my office at 508-435-1000 or 1-866-464-7381, or e-mail me directly at [email protected].

Roland P. Cloutier

Vice President, Chief Security Officer

Protecting information—corporate and customer Like most large enterprises, EMC possesses large repositories of confidential, regulated, and sensitive information that must be made available for business use but, at the same time, kept safe from unauthorized access and distribution. This challenge is made greater by a widespread, remote workforce and an integrated partner ecosystem. While both are essential to knowledge sharing and collaboration, they create additional burdens for maintaining information security. EMC protects sensitive customer and corporate information by:

• Enacting comprehensive procedures that regulate information access • Enforcing strict policy and compliance programs • Guarding at all levels against unauthorized access and distribution • Implementing industry-leading authorization and control systems • Ensuring all customer interactions are efficient, effective, and secure • Constantly educating our employees on information protection best practices

Managing risk based on business knowledge Maintaining a business view of risk is central to the EMC security strategy. Our services align to customer and partner business objectives, enabling them to safely pursue business goals to remain competitive within their given markets. This may mean lower level services for consumer markets and a more comprehensive approach to supporting customers in highly regulated areas, such as government, financial services, and healthcare. Understanding business needs and risk tolerance is essential to supporting each of EMC’s business segments. Some of the ways we maintain this understanding include: • Meeting with organizations to understand their business objectives and security concerns • Building adaptable and scalable security architectures that respond to changing business needs • Addressing the regulatory requirements that impact the organization’s industry or business • Advising about potential security concerns that could affect market position • Being involved early in any merger and acquisition processes

Ensuring secure collaboration and information access To support innovation and maintain leadership, EMC depends on the sharing of insights and ideas from a variety of contributors—both inside and outside of the corporate umbrella. This requires an atmosphere of collaboration and open access to information. It also demands a virtual work environment that is safe from threats, generates community, and encourages a level of participation that leads to great ideas. With such environments, however, come risks. Through its use of industry-leading security technologies, applied in accordance with standards-based protection models and policies, EMC meets the challenge of enabling secure communication. Some of the methods we use include: • Carefully evaluating the tools used to support collaboration • Developing protection models to enable active collaboration • Constantly reviewing, quantifying, and managing risks involved with innovation • Establishing policies and standards for information sharing • Expanding security awareness and training to include innovation concepts

Protecting the workplace The EMC workplace includes hundreds of facilities worldwide, as well as home offices, coffee shops, airports, hotels, and essentially any place where our people can connect to the internet and perform work activities. In this virtual workplace, locks and guard stations can no longer ensure worker safety. To address this, EMC takes extensive precautions to reduce the risk of workplace violence and protect workers wherever they are located. In addition, EMC takes measures to ensure that its employees, when working on customer or partner sites, pose no threat to the host’s assets or facilities. EMC promotes workplace security by: • Ensuring consistent and measurable credentials for all constituents that access EMC facilities, networks, and information assets • Converging physical and information security plans and policies • Providing employee protection programs • Practicing divergent loss management • Providing corporate investigation services and litigation support • Promoting security awareness and protection training

Responding to disruptive events To protect EMC’s ability to operate and serve customers in the event of disruptive natural and manmade events, the Global Security Organization maintains a series of response plans that take into consideration a variety of potential scenarios. Advance planning and training are the keys to ensuring an effective emergency response and to dealing appropriately with threats of any kind. Ensuring continuity of operations and regulatory compliance requires a constant state of preparedness. To do this, EMC: • Ensures that all areas of the company operate in a business-resilient manner • Puts in place plans to respond, manage, and contain crisis situations, including global pandemics, weather events, and international crises. • Develops response programs for network incidents that occur within its perimeter and at customer sites • Works with local, federal, and international authorities to ensure its service organizations are authorized to operate in crisis areas of operation.

Operating economically and efficiently Successful execution of the EMC security strategy requires the talent and experience of a dedicated group of people and constant investment in tools and technology. However, the effective use of capital is also essential to achieving security success. Across the business, EMC promotes the efficient use of resources—from reducing electrical consumption in its products to minimizing paper waste and carbon emissions inside its facilities. It is also a leader in adopting international waste reduction programs and promoting enhanced product efficiency designs. When planning and executing information security initiatives, EMC draws upon its breadth of knowledge and expertise by advancing strategies that are cost-and energy-efficient, and that utilize its own and services.

Final thoughts Across the business, the goal of EMC’s security strategy and the Global Security Organization is to promote confidence and a safe environment for doing business—today and well into the future. Around the world, the risks and threats facing business operations are many and changing daily. For that reason, members of the GSO continually fine-tune EMC’s security strategy and ensure that all constituents are educated, trained, and prepared to the highest degree possible. For EMC, a comprehensive and evolving security strategy is fundamental to deliver the most innovative and secure information infrastructure technologies and services that the industry has to offer.

EMC2, EMC, and where information lives are registered trademarks of EMC Corporation. All other trademarks used herein are the property of their respective owners. © Copyright 2009 EMC Corporation. All rights reserved. Published in the USA. 1/09 H5942