DigiCert keeps, reviews annually at minimum, and tests an Information Security Policy, Business Continuity Plan, Disaster Recovery Plan, and Incident Response Process. An annual comprehensive risk assessment is done that identifies all of the reasonably foreseeable internal and external threats to security, confidentiality, and integrity.
DigiCert's System Administrators ensure that publicly accessible information system components (e.g. public web servers) reside on separate sub-networks with separate physical network interfaces. DigiCert's System Administrators also ensure that controlled interfaces protecting the network perimeter filter certain types of packets to protect devices on DigiCert's internal network from being directly affected by denial of service attacks. Firewalls and boundary control devices are configured to allow access only by the addresses, ports, protocols, and commands necessary to perform DigiCert's operations.
All access (via system or directly by personnel) to DigiCert databases is logged and monitored for unauthorized changes. Sensitive data is encrypted in the database using an industry-recommended cipher, and direct access is limited to roles as specified by DigiCert's Information Security Policy and Certification Practices Statement.
Access to every office, computer room, and work area containing sensitive information is physically restricted. All office doors have a lock, and all entrance doors to the facility are always locked. These doors are accessible by an Access Card, which is issued upon confirmation of a clean background check. DigiCert Data Centers, cage, and offices are monitored by CCTV. The secured cage requires biometric and dual custodian personnel for access. All access is logged.
Roles are defined by DigiCert's Information Security Policy. All user interactions with DigiCert systems are traceable to the individual performing such actions. All users must be positively identified prior to being able to interact with DigiCert systems. DigiCert personnel must first authenticate themselves to DigiCert systems before they are allowed access to any components of the system necessary to perform their trusted roles. User accounts and other types of access to DigiCert computer systems must be approved in accordance with the User Access Policy.
Monthly scans are performed on all DigiCert assets. Systems requiring remediation are required to be patched within timelines defined by Global Security Operations. Timelines are based on the assigned CVSS score. Critical vulnerabilities are patched within 96 hours, high/medium vulnerabilities are patched within 30 days, and low/information vulnerabilities are patched at DigiCert's discretion (typically within 180 days).
At least one third-party penetration assessment is conducted each year. DigiCert typically performs multiple penetration tests on code, infrastructure, and systems as well as completing red team assessments.