Cyber Security at Xerox
The Cyber Security organisation at Xerox has the global responsibility of securing Xerox’s infrastructure and protecting Xerox’s information assets. It is led by the Xerox CISO and includes a global team of cyber professionals located across our offices in North America, Europe and Asia.
The top priorities of our Cyber Security organisation include:
Establishing appropriate security policies, safeguards and controls to prevent, detect and respond to cyber attacks
Managing cyber risks in a manner that meets regulatory and compliance requirements and aligns with customer expectations
Securing Xerox intellectual property, products & services and supply chain in collaboration with Xerox business, product and IT teams
The Xerox Cyber Security organisation is comprised of the following teams and capabilities:
Responsible for protecting, detecting and responding to cyber-attacks on Xerox information assets. Some of the key activities/capabilities provided by this team include:
Security Operations Center (SOC): delivers continuous (24/7) monitoring of Xerox’s information systems and performs appropriate action to contain and respond to cyber events
Vulnerability Management: performs vulnerability scanning, prioritisation, reporting and remediation tracking of security vulnerabilities with the goal of improving system hardening and minimizing attack surface
Offensive Security: continuously evaluates our infrastructure, applications, products and services using the same tactics, techniques and procedures of an adversary to identify and remediate security issues before being identified or exploited by an adversary
Cyber Security Incident Response: performs triage, analysis, containment, and recovery of Xerox information systems from cyber security events
Cyber Threat Intelligence and Threat Hunting: gathers cyber threat intelligence data, analyses for relevancy to Xerox information systems and performs threat hunting
Governance, Risk and Compliance
Responsible for managing Xerox Cyber Security policy and standards, risk and compliance programs. Some of the key activities/ capabilities provided by this team include:
Security Policy Management: manages Xerox security policy and standards and reviews their enforcement across Xerox
Security Awareness and Training: manages security training during employee and contractor onboarding and then on an ongoing basis to raise awareness about their security responsibilities and key cyber threats
Disaster Recovery: governs the enterprise disaster recovery program and periodic testing of recovery plan and resiliency capabilities
Third-Party Risk Management: performs due-diligence review of third-party supplier engagements at the time of initial procurement and subsequently during renewal depending on the engagement risk
Compliance Management: manages certification and compliance programs including PCI, SOC 1, SOC 2, ISO 27001, FedRAMP, etc.
Security Architecture & Testing
Responsible for incorporating security throughout the SDLC in collaboration with Xerox business, product and IT teams. Some of the key activities/ capabilities provided by this team include:
Security Architecture Review: implements security-by-design into new applications and services through technical security design/ architecture reviews
Security Testing: performs automated application scanning and manual penetration testing prior to go-live
Identity & Access Management
Responsible for managing the technologies and processes for managing identities and their access across Xerox systems, services and applications. Some of the key activities/ capabilities provided by this team include:
Identity Governance & Administration: manages technology and processes for identity provisioning, de-provisioning and life cycle management of Xerox identities and governs their access to various Xerox systems, services and applications
Access Management: manages the suite of technologies for authentication, single sign-on, multi-factor authentication and privileged access to various Xerox systems, services and applications.
Responsible for managing customer trust in Xerox products and services through collaboration with various Xerox business and product teams. Some of the key activities/capabilities provided by this team include:
Customer Security Assessments: responds to customer inquiries and questionnaires regarding the security posture of Xerox products and services
Customer Contract Compliance: reviews security terms and conditions in customer contracts prior to execution and ensures our security program complies with applicable laws, regulations and customer expectations
In addition to the above, we work with our internal and external partners to evaluate and continuously improve our cyber security posture through:
External Penetration Testing: We engage external specialist cyber security consulting firms to perform penetration testing of high-risk enterprise infrastructure and customer-facing services.
Security Audits: We perform comprehensive audits of our Cyber Security program through reputable external consulting firms. Additionally, internal audits are performed in areas deemed to be high risk. The results of external and internal audits are reported to the Audit Committee and fed into the continuous improvement cycle to continue to mature our Cyber Security program.