Kaspersky passes key product audit
Cybersecurity firm successfully completes SOC 2 Type 1 audit
The development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorised changes by strong security controls, an audit confirms.
The final report, issued by one of the Big Four accounting firms, confirms that Kaspersky has successfully completed the Service Organisation Control for Service Organisations (SOC 2) Type 1 audit.
The Service Organisation Controls (SOC) Reporting Framework is a globally recognised reporting standard for cybersecurity risk management controls, developed by the American Institute of Certified Public Accountants (AICPA) to inform customers about the effective design and implementation of security controls.
By fulfilling the standard, Kaspersky seeks to demonstrate the trustworthiness of its product and its commitment to the AICPA Trust Service Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
“The security of our products is certainly one of our top priorities. We are proud to have completed this independent assessment which provides our customers with assurance of the security of our products, and confidence in our R&D processes and controls. This audit marks one more step in our efforts to demonstrate the company’s transparency,” noted Andrey Efremov, chief technology officer at Kaspersky.
The examination, completed under the SSAE 18 standard (Statement on Standards for Attestation Engagements), covers internal controls over the regular automatic updates of antivirus databases created and distributed by Kaspersky for its products operating on Windows and Unix servers. In its final report, the Big Four independent auditor confirmed the suitability of the abovementioned controls and their appropriate operation on a specified date.
Under the terms of the contract, Kaspersky cannot disclose the name of the third-party Big Four auditor, although the company can disclose the principal information about the abovementioned commitments and requirements in the SOC 2 Type 1 report upon request.
The audit was done as part of the Global Transparency Initiative, which Kaspersky announced in 2017 to assure customers of the integrity and trustworthiness of its products following bans imposed by the US government last year on alleged ties to Russian intelligence and the Kremlin—charges that the company denies.
Further developments of the Global Transparency Initiative
In addition, Kaspersky is announcing new developments in its Global Transparency Initiative.
As part of the initiative, Kaspersky committed to relocating to Switzerland its data storage and processing for customers. As of today, the company has completed the second stage of its relocation for European users and plans to finalise this change by the end of 2019.
Kaspersky’s bug bounty program continues to expand. Recently the company paid a $23,000 bounty, the biggest reward in the history of the program to date, to researchers from the Imaginary team for the discovery of a security issue in Kaspersky software that could potentially allow third parties to remotely execute arbitrary code on a user's PC with system privileges.
The company now supports the Disclose.io framework which provides Safe Harbor for vulnerability researchers concerned about negative legal consequences of their discoveries.
Kaspersky also continues to expand its Transparency Centres: the recently announced Transparency Centre in Madrid is officially open to Kaspersky’s customers and partners, as well as government stakeholders, starting from June. As is the case at the Zurich facility, the company offers source-code reviews and tailored security briefings on the company’s data processing practices and the functioning of its products.
The company has also increased threat intelligence support for law enforcement agencies. Kaspersky recently announced a free service for Law Enforcement Agencies (LEAs), aimed at helping authorities tackle borderless cybercrime. It consists of three components: threat intelligence reporting, threat data feeds, and the Automated Security Awareness Platform (Kaspersky ASAP).