Data Security Policy and Procedures

Security is the foundation on which privacy and compliance are built.

March 2021

Security is the foundation on which privacy and compliance are built. In the Trust Center, we clarify the data security policies and procedures that govern how we manage the security of our own systems and the data our customers have entrusted to us.

NetApp follows the requirements of global data security laws that require reasonable security measures for storing, transmitting, and processing data. We take measures broadly recognized as integral to reasonable security that include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp offers an array of encryption solutions as well as encryption key management; a wide range of strategies and tools to help your organization stay resilient against ransomware threats; and strict data retention and deletion policies that support data minimization. NetApp security researchers work diligently to detect and respond to software bugs or security vulnerabilities and to develop patches against them.

NetApp not only implements these safeguards to protect its information systems and the data there, but, following the model of shared responsibility, offers strategies, tools, and services to empower our customers to do the same.

NetApp is committed to creating a secure and agile platform designed to empower customers to confidently thrive.

Bill Miller, SVP and Chief Information Officer, NetApp

Sharing responsibility in a data-driven world

When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. 

The shared responsibility model addresses which parties are responsible for how the security of data—its confidentiality, integrity, and availability—is managed in the cloud computing environment.

NetApp, as the service provider, is responsible for the secure operations of the cloud, such as the physical security of datacenters or patching vulnerabilities. You, our customer, may be responsible for secure operations in the cloud, including ensuring that corporate policies such as password complexity are enabled and followed in the cloud just as they were on premises.

Secure data processing for privacy compliance

Global privacy and data security laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data, and it underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR. 

While there is no defined standard or engineering control set attached to it, regulators and courts recognize the following measures as integral to reasonable security: encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp not only implements these safeguards to protect its information systems and the data there, but also builds products and services to empower our customers to do the same.

Ransomware mitigation

Ransomware attacks, a threat to organizational security, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value. 

Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact to security. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems.

As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, mitigate recovery efforts, and reduce recovery time.

Vulnerabilities and patch management with NetApp

Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services, participating in security communities that track published vulnerabilities as well as maintaining a program whereby customers and researchers outside these communities submit information about potential vulnerabilities. NetApp scores and tracks these security vulnerabilities according to our vulnerability handling policy and regularly releases patches through Security Advisories.

Your management of these patches will be an integral part of the reasonable security measures your organization can take to secure your networks and data.

Encryption

Encryption is widely acknowledged to be a fundamental aspect of the reasonable security necessary to protect personal information. Some regulations, such as U.S. IRS Publication 1075, require certain types of information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but do recognize the important role it plays in securing personal information. 

NetApp offers an array of encryption solutions that include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.

Data deletion and disposal

A fundamental principle of data security is that organizations should not keep any more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This data minimization principle reduces compliance risk and protects data against unnecessary harm in the event of a security breach. 

The most common data minimization method is to enact and enforce data retention and data deletion policies, which direct operations about which information the company should retain, delete, or retain for a period and then delete.

NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: Customers are instructed to delete, encrypt, or render irrecoverable all data stored on returned media before it is returned.
