In 2017, we launched our Global Transparency Initiative (GTI). Under this project, we moved part of our data infrastructure to Switzerland and opened Transparency Centers where our partners and customers can review the source code of our products. We also have our data services and engineering practices evaluated by third-party independent accredited organizations on a continuous basis. In addition, we now regularly disclose information regarding requests from government agencies for data and technical expertise which Kaspersky receives in the context of cybercrime investigations. Today, we will talk about new steps in this initiative.
What has been done as part of the Global Transparency Initiative
In the five years since we launched the program, we have opened four Transparency Centers where our customers and partners can review our products’ source code, software updates to make sure there are no hidden features or undocumented capabilities in our solutions. In addition, we also provide our engineering and data management practices for external examination. Kaspersky Transparency Centers operate in Europe, Latin America and Asia. For those unable to visit our Centers in person we offer remote visits.
As a technology and cybersecurity company, we process data which our products use to increase the effectiveness of the cyber-protection provided to users. This data includes information about cyberthreats — for example suspicious and malicious files which our products send, if users agree, for automated cloud-based malware analysis. The data helps us identify new and unknown threats, continually improve our solutions, and offer users better ways to protect themselves.
Since November 2018, such cyberthreat-related data of our users in Europe has been stored and processed in our data centers in Switzerland. A short while later, we also relocated to Switzerland processing and storage of such data for users in North America, Latin America, the Middle East, and a number of countries in the Asia-Pacific region.
We also received ISO 27001 compliance certification from the TÜV AUSTRIA independent certification body. It confirmed that our company has an effective information security management system in place. Our users can be confident that the data processed by Kaspersky is under the highest level of protection.
Besides, we launched Cyber Capacity Building Program training for companies, government organizations, and academia to help them develop the skills needed to protect their IT systems. More recently, we extended opportunities and launched a digital version of training, which can now be accessed by both organizations and individual users.
New steps to transparency
Kaspersky has done a lot of work on the road to greater transparency, and does not plan to stop there. We have recently taken new steps as part of the Global Transparency Initiative (GTI).
Three new Transparency Centers
Committed to providing its customers and partners with security assurance on its products and practices, on June 16, 2022 Kaspersky has opened three additional Transparency Centers worldwide — in Japan, Singapore, and the United States. The new facilities expand opportunities for customers and partners to learn more about Kaspersky’s engineering and data processing practices, and review the company’s source code and other areas of the business.
The newly opened Transparency Centers will welcome the company’s enterprise partners and customers, including state agencies and regulators, responsible for cybersecurity. Two more facilities in APAC — in Tokyo and Singapore — ensure the company’s greater proximity to stakeholders in this region, while the center in Woburn, MA in the United States, will serve as a new venue for the company’s North American Transparency Center, which used to be located in New Brunswick, Canada.
Data center expansion in Zurich
Since the beginning of 2022, we have significantly increased the capacity of our data centers in Zurich, where we now process malicious and suspicious files from users in Latin America and the Middle East. We have also relocated the processing and storage of such cyberthreat-related data for North American countries that weren’t previously included: Mexico, Panama, Jamaica, and other island nations.
Switzerland was chosen for a reason: the country has one of the stringent data protection regulations. Our two data centers in Zurich also operate with world-class equipment that meets the highest industry standards.
ISO 27001 recertification
Kaspersky data systems were recertified by TÜV AUSTRIA in accordance with the requirements of ISO 27001. And it’s not just certification renewal; this time the scope of the audit was significantly expanded. The certification now covers both data systems for processing cyberthreat-related data (Kaspersky Distributed File System, KLDFS) and statistics (KSNBuffer database).
TÜV AUSTRIA is an independent certification body. We are proud that Kaspersky’s approach to data security has once again been recognized.
SOC 2 audit successful renewal
In 2022, Kaspersky once again completed a Service Organization Control for Service Organizations (SOC 2) Type 1 audit, which the company first underwent in 2019. The independent assessment was carried out by an international Big Four accounting firm.
Launched in late January 2022, the reassessment was successfully completed in late April and confirmed that the development and release process of Kaspersky’s antivirus bases are protected against unauthorized changes by security controls. During the examination, Big Four auditors among other things checked the company’s policies and procedures related to the development and release of antivirus (AV) bases, the network and physical security of the infrastructure involved in this process and the monitoring tools used by the Kaspersky team.
The scope of the current audit has been expanded compared to the 2019 assessment, as Kaspersky has since introduced new security tools and controls. The full report can be provided to our customers upon request.
To learn more about what is an SOC 2 audit, check out our blog post.
Working with requests from government and law enforcement agencies
Alright, you say, user data is secure, but what about information requests from law enforcement agencies? In fact, Kaspersky regularly shares about its approach toward working with such requests and since last year, the company has been issuing reports on requests from law enforcement and government agencies, In addition, we’ve just recently published a report for the second half of 2021. Here are some key figures:
- Our experts received 109 requests from government and law enforcement agencies from 12 countries.
- 92 requests referred to technical expertise, and 17 contained a request for access to user data.
- All 17 requests to hand over user data were rejected. Some of them did not meet legal requirements, while others asked for data that the company simply did not have.
Users too ask us where and how their personal data is stored. Some people request to download or delete it. In 2021, we handled 2,252 requests of this kind.
New level of education program
Kaspersky is always ready to share its experience with the global community. We have expanded our Cyber Capacity Building Program by launching a similar online course. Now even more partners and customers can take part in the program. The training will help organizations and individuals assess the security of the software they use and reduce the risk and potential consequences of cyberattacks.
The trust of users, customers, and partners, is our top priority. We continue to refine our security practices and develop the Global Transparency Initiative, and hope that it will one day become the international standard for cybersecurity industry.
As for the quality of protection that our security solutions provide, we have good news here as well. We’ve recently summarized the results of dozens of tests and reviews by leading independent laboratories that included our products in 2021. You can check out the results here.