FICO® Analytic Cloud: Secure by Design

White Paper · Fraud Protection & Compliance · Cybersecurity

Earning our customers’ trust is a top priority

© 2020 Fair Isaac Corporation. All rights reserved.

Table of Contents

Introduction

The FICO Security Promise
  FICO’s Total Security Framework

Securing Identities
  Identity and Access Management
  Privileged Access Management (PAM)
  Multifactor Authentication (MFA)

Securing Data and Applications
  Data Security
  Securing a Multitenant Environment
  Security in the Software Development Lifecycle (SDL)
  Penetration Testing

Secure Infrastructure
  Denial of Service Protection (DDoS)
  Web Application Security
  Patching and Vulnerability Management
  Monitoring and Logging

Compliance Center
  PCI-DSS
  The Cloud Security Alliance
  Data Privacy and the General Data Protection Regulation (GDPR)
  International Data Privacy Laws
  Privacy Shield
  United States Privacy Laws
  Third-Party and Customer Verification

Physical Data Centers—Security and Operations
  Security Operations Center
  Employees
  Professional Certifications
  Visitors
  FICO Data Center Security (Private Cloud)
  AWS Data Center Security (Public Cloud)

Audits and Reviews

Operational Management and Continuity
  Incident Management
  Change Control
  Business Continuity
  Compliance Management

Managed Services
  Security Consultation
  Dedicated Security Monitoring

This Document

Introduction

At FICO, our cybersecurity mission is to deliver the very best data security, customer, and subscriber protection through innovation, adherence to stringent standards, and a team of world-class professionals.

Security and trust are at the core of everything we do. To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our systems, so you can rest assured knowing your most sensitive assets are protected 24/7. Our secure cloud services protect your data while complying with the most stringent industry, regulatory, and regional requirements.

The FICO Analytic Cloud is a complete, fully managed cloud services platform that provides access to a wide range of data science and advanced analytics tools, application development software, on-demand infrastructure, decision management applications, packaged analytics, and managed services. We give you the flexibility to choose the cloud model that works for you—on-premises, private cloud, public cloud, or hybrid—and the confidence to know that all choices can meet your important security needs, even in highly regulated industries.

The FICO Security Promise

• FICO will be compliant with the most stringent cyber standards.

• Sensitive data within the cloud environments will be encrypted in transit and at rest and access carefully restricted.

• FICO will utilize state-of-the-art cyber technologies to continuously secure the environments.

• FICO applications will be designed with inherent security in mind and continuously tested for security vulnerabilities prior to and after release.

FICO’s Total Security Framework

[Figure: FICO Cyber Program — Secure by Design. Cybersecurity pillars: Incident Management; Framework of Control; Strategy & Governance; Monitoring & Auditing; Risk & Compliance Assessment; Training & Awareness. Cybersecurity dimensions: Data Assets (Customer Data, Code & IP, Collateral, Privacy, Financial, M&A Data); Attack Surface (FICO Products, Cloud, Internal Applications, Personal Computing, Servers, Databases, Network, Mobility); Compliance (Legal Compliance, Regulatory Compliance, Customer Compliance); Security Practice (Confidentiality, Integrity, Availability); Attacker (Insider, Outsider).]

FICO uses a multifaceted approach to safeguard your data with integrated, defense-in-depth security controls at every layer of the FICO Analytic Cloud. Security is a strategic priority for FICO, and we continually invest in industry-leading tools and best practices to secure identities, applications, data, and infrastructure, build redundancy, and satisfy tough privacy and compliance standards.

We take a proactive, risk-based approach to security, guided by the principles of “security by design.” To this end, FICO has adopted a DevSecOps model that introduces strict security controls during all phases of the software development and system integration lifecycle, starting at inception. We utilize a variety of testing techniques, including manual software penetration testing and automated testing tools, to ensure security is continually integrated into our software and infrastructure. We employ a large cybersecurity team, including several leading security experts, and manage a state-of-the-art Operations Center.

FICO adheres to industry best practices in secure software development, embracing the PCI-DSS and the Open Web Application Security Project (OWASP) standards for development. All facilities from which FICO operates FICO Analytic Cloud solutions are compliant with PCI standards and support PCI Data Security Standard (PCI-DSS) certification wherever required.

FICO conducts regular independent third-party audits to assess compliance with security standards. We constantly evolve our security controls through participation in the Cloud Security Alliance and the latest industry best practices.

Securing Identities

FICO enables you to securely control access on the FICO Analytic Cloud for your users, enable the integration with your identity provider, and leverage multifactor authentication and identity lifecycle management, even in large organizations with complex organizational models. FICO follows the principle of least privilege, assigning appropriate profile privileges based on roles.

Identity and Access Management

The FICO Analytic Cloud is supported by a set of core identity and access management services that regulate how people log into the FICO Analytic Cloud and associated products through an easy single sign-on (SSO) capability. Access management includes the processes and technologies used to create, validate, protect, and disable user account passwords. The same login, auditing, roles, and permissions are used across the entire FICO Analytic Cloud for all products and solutions. The following techniques are used to protect access:

• Password lockout, timeout, and expiration

• Strict password length and complexity requirements

• Granular permissions that allow users to accomplish key tasks within the principle of least privilege

Privileged Access Management (PAM)

FICO uses safeguards to secure, control, manage, and monitor privileged access to the FICO Analytic Cloud. FICO uses a PAM system that takes the credentials of privileged accounts, such as admin accounts, and places them inside a secure repository that isolates their use. This approach reduces the risk of these credentials being compromised and unauthorized personnel gaining access to sensitive assets. Once the credentials are in the repository, system administrators retrieve them through the PAM system, which authenticates the administrator and logs the access. When a credential is checked back in, it is reset, so administrators must go through the PAM system the next time they use that credential.

Multifactor Authentication (MFA)

MFA adds a second check of an end user’s identity at sign-in, on top of the password, for example a one-time code delivered by text message (a possession factor, though one of lower assurance than an authenticator app or hardware token). FICO deploys tools that use a variety of factors for authentication across usability and assurance levels, including knowledge factors, possession factors, and biometric factors.
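The PAM check-out and check-in flow described above, together with the lockout and expiry controls from the access-management list, as an added Python illustration (editorial example code, not FICO’s PAM system): the vault generates and holds the privileged secret, an administrator must authenticate to the vault before a check-out, every attempt is logged with the fields an audit trail needs, and check-in rotates the secret so the value the administrator saw stops working. The thresholds, the in-memory store, PBKDF2 as the administrator password hash, and the account and user names are all assumptions.

```python
"""Privileged-credential vault with check-out, check-in and rotation.

Added illustration of the PAM workflow and the account-protection controls
described in the text; it is not FICO's code. Thresholds, account names,
the password hash and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILED_LOGINS = 3        # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration
CHECKOUT_TTL_SECONDS = 3600  # assumed time a checked-out secret stays reserved


@dataclass
class Admin:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked_until: float = 0.0


@dataclass
class PrivilegedAccount:
    secret: str
    checked_out_by: Optional[str] = None
    checkout_expires: float = 0.0


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real vault uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Vault:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.admins: Dict[str, Admin] = {}
        self.accounts: Dict[str, PrivilegedAccount] = {}
        self.audit: List[dict] = []   # every access attempt, success or failure

    def enroll_admin(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.admins[name] = Admin(salt, _kdf(password, salt))

    def add_account(self, name: str) -> None:
        # The privileged secret is generated by the vault; no human ever sets it.
        self.accounts[name] = PrivilegedAccount(secret=secrets.token_urlsafe(24))

    def _log(self, user: str, event: str, target: str, ok: bool) -> None:
        self.audit.append({"time": self.now(), "user": user, "event": event,
                           "target": target, "success": ok})

    def authenticate(self, name: str, password: str) -> bool:
        admin = self.admins.get(name)
        now = self.now()
        if admin is None or admin.locked_until > now:   # unknown or locked out
            self._log(name, "login", "vault", False)
            return False
        if hmac.compare_digest(_kdf(password, admin.salt), admin.pw_hash):
            admin.failed = 0
            self._log(name, "login", "vault", True)
            return True
        admin.failed += 1
        if admin.failed >= MAX_FAILED_LOGINS:           # lockout with timeout
            admin.locked_until = now + LOCKOUT_SECONDS
            admin.failed = 0
        self._log(name, "login", "vault", False)
        return False

    def checkout(self, admin: str, password: str, account: str) -> str:
        if not self.authenticate(admin, password):
            raise PermissionError("authentication failed")
        acct = self.accounts[account]
        held = acct.checked_out_by not in (None, admin) and acct.checkout_expires > self.now()
        if held:
            self._log(admin, "checkout", account, False)
            raise PermissionError("credential is checked out by another user")
        acct.checked_out_by = admin
        acct.checkout_expires = self.now() + CHECKOUT_TTL_SECONDS
        self._log(admin, "checkout", account, True)
        return acct.secret

    def checkin(self, admin: str, account: str) -> None:
        acct = self.accounts[account]
        if acct.checked_out_by != admin:
            self._log(admin, "checkin", account, False)
            raise PermissionError("not checked out by this user")
        # Rotation on check-in: the value the admin saw is now dead, so the next
        # use has to go through the vault (and be logged) again.
        acct.secret = secrets.token_urlsafe(24)
        acct.checked_out_by = None
        acct.checkout_expires = 0.0
        self._log(admin, "checkin", account, True)

    def secret_is_current(self, account: str, presented: str) -> bool:
        """What the target system would check when the secret is actually used."""
        return hmac.compare_digest(self.accounts[account].secret, presented)


def demo() -> dict:
    clock = [1_000_000.0]                        # controllable clock for the demo
    vault = Vault(now=lambda: clock[0])
    vault.enroll_admin("alice", "correct horse battery staple")
    vault.add_account("root@db01")

    for _ in range(MAX_FAILED_LOGINS):           # guessing attempts trip the lockout
        vault.authenticate("alice", "password1")
    locked = not vault.authenticate("alice", "correct horse battery staple")

    clock[0] += LOCKOUT_SECONDS + 1              # lockout window expires
    secret = vault.checkout("alice", "correct horse battery staple", "root@db01")
    usable_while_out = vault.secret_is_current("root@db01", secret)
    vault.checkin("alice", "root@db01")
    usable_after_checkin = vault.secret_is_current("root@db01", secret)

    return {"locked_out": locked, "usable_while_out": usable_while_out,
            "usable_after_checkin": usable_after_checkin, "audit_events": len(vault.audit)}
```

Running demo() shows the three properties the text relies on: the correct password is refused while the lockout is active, the checked-out secret works only until check-in, and every step (including the failed guesses and the attempt made during the lockout) is in the audit list with user, event, time, target and outcome.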

Securing Data and Applications

FICO is committed to securely managing your data and ensuring it is available to meet your business needs. We continually improve our practices, data, and application controls to ensure the security and integrity of your data both in transit and at rest.

Data Security

FICO uses the latest technology and industry practices for encrypting data in transit and at rest. For data in transit, we use current encryption protocols and hashing algorithms, encrypting data across networks with Certificate Authority (CA) issued certificates. FICO uses a range of industry standard techniques to protect sensitive data at rest, including encryption, redaction, and obfuscation.

Driven by a need-to-know basis, FICO supports a flexible data model that enables you to design the data ingestion process and create a data structure tailored to your business objectives.

Foundational to securing your data in transit and at rest is a FICO Analytic Cloud network that has been designed based on the defense-in-depth concept. We use multiple independent computer networking techniques to provide redundancy and reduce the risk of compromise.

Best practices incorporated into the FICO Analytic Cloud network include:

• Demilitarized zones (DMZ) for internet-facing services

• Network monitoring and intrusion detection using multiple intrusion detection systems (IDS)

• Distributed denial of service (DDoS) network protections

• Multiple layers of external network and web application firewalls

• PCI-DSS-specific requirements

Products and solutions on the FICO Analytic Cloud use an encryption approach that is tailored to your specific solution. If you would like more information about data-at-rest encryption for any specific solution, please visit www.fico.com.

Securing a Multitenant Environment

The FICO Analytic Cloud offers a multitenant (public cloud) option where a single instance of the software is used by multiple customers, i.e., tenants, while maintaining full isolation between the different customers. FICO provides security controls for multitenant infrastructure and applications, including use of industry-leading tools and best practices for authentication and access, data at rest and in transit, and secure infrastructure. In addition, FICO enables dedicated URLs for each tenant and logging separation by tags and entities. It isolates and separates data, memory, and networks and provides additional layers of application security to protect sensitive data from cross-customer impact.
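What “full isolation between tenants” has to mean at the data-access layer, as an added Python example (editorial code, not FICO’s platform): the tenant is derived from the dedicated per-tenant host the request arrived on, never from a caller-supplied parameter; every query carries the tenant id in its predicate, so an id guessed from another customer returns nothing; and each access is logged tagged with the tenant. The unscoped lookup is included only to show the failure the scoping prevents. The host names, table layout, sample rows and log format are constructed assumptions.

```python
"""Tenant scoping at the data-access layer of a multitenant service.

Added example of the isolation property described in the text (one
software instance, no cross-customer visibility); it is not FICO's code.
Host names, table layout, sample rows and log format are assumptions.
"""
import sqlite3
from typing import Optional, Tuple

# Assumed per-tenant URLs: the Host the request arrived on is the sole source
# of tenant identity. It is never a query parameter the caller can choose.
TENANT_BY_HOST = {
    "acme.analytics.example": "acme",
    "globex.analytics.example": "globex",
}


class TenantScopedStore:
    """Every read and write carries the tenant id in the query itself."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE models ("
            "tenant_id TEXT NOT NULL, id INTEGER NOT NULL, name TEXT NOT NULL, "
            "PRIMARY KEY (tenant_id, id))"
        )
        self.log = []  # one record per access, tagged with the tenant

    def put(self, tenant_id: str, model_id: int, name: str) -> None:
        self.db.execute("INSERT INTO models VALUES (?, ?, ?)", (tenant_id, model_id, name))

    def get(self, tenant_id: str, model_id: int) -> Optional[str]:
        # The tenant predicate is part of the WHERE clause, not a filter applied
        # afterwards, so an id belonging to another tenant simply does not match.
        row = self.db.execute(
            "SELECT name FROM models WHERE tenant_id = ? AND id = ?",
            (tenant_id, model_id),
        ).fetchone()
        self.log.append({"tenant": tenant_id, "event": "model.read",
                         "id": model_id, "success": row is not None})
        return row[0] if row else None

    def get_by_id_only(self, model_id: int) -> Optional[str]:
        # The mistake the scoped version prevents: an unscoped lookup lets any
        # caller who can guess an id read another tenant's row.
        row = self.db.execute("SELECT name FROM models WHERE id = ?", (model_id,)).fetchone()
        return row[0] if row else None


def handle_request(store: TenantScopedStore, host: str, model_id: int) -> Tuple[int, Optional[str]]:
    """Resolve the tenant from the Host header; unknown hosts are refused outright."""
    tenant = TENANT_BY_HOST.get(host.lower())
    if tenant is None:
        return 404, None
    name = store.get(tenant, model_id)
    return (200, name) if name is not None else (404, None)


def demo() -> dict:
    store = TenantScopedStore()
    store.put("acme", 1, "acme-fraud-score-v3")       # constructed sample rows
    store.put("globex", 2, "globex-churn-v1")
    return {
        "own": handle_request(store, "acme.analytics.example", 1),
        "cross": handle_request(store, "acme.analytics.example", 2),   # globex's row, via acme's URL
        "unknown": handle_request(store, "evil.example", 2),
        "leaky": store.get_by_id_only(2),                              # what the unscoped query gives away
        "log_tenants": sorted({r["tenant"] for r in store.log}),
    }
```

The composite primary key (tenant_id, id) is deliberate: ids are only unique within a tenant, so there is no global identifier to enumerate, and the 404 for a cross-tenant id is indistinguishable from a nonexistent one.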

Security in the Software Development Lifecycle (SDL)

Addressing security threats is a key element of software development. The SDL program requires development teams at FICO to leverage best practices that assure FICO products are secure and developed with appropriate application security controls to ensure confidentiality, integrity, and availability. This enables FICO to identify, prevent, and remediate security vulnerabilities early in the development cycle.

SDL training and development standards are based on a hybrid risk model guided by the Open Web Application Security Project (OWASP), as well as additional guidelines and requirements for application design, coding, and testing practices to avoid vulnerabilities and protect against common threats. This approach ensures that on day one, when a new feature or application becomes available to our customers, it has been carefully designed and extensively tested to meet the highest security and data privacy requirements.

The SDL includes:

• Software design review and security validation prior to development

• Computer-based training (CBT)

• Security (peer) code review

• Static application security testing (SAST)

• Dynamic application security testing (DAST)

• Vulnerability assessments

The Secure Software Development Lifecycle program is defined and supported by the FICO Information Security Department and under the guidance of the FICO Secure Software Steering Committee and our Chief Information Security Officer (CISO) and Chief Technology Officer for Information Security.

Penetration Testing

Penetration testing helps quickly find and fix exploitable vulnerabilities in server-side applications and APIs. Using multiple testing tools and in-depth manual tests focusing on business logic, penetration testing extends dynamic application security testing (DAST) to identify and purposely exploit vulnerabilities so they can be addressed. As part of FICO’s stringent approach to cybersecurity, FICO goes beyond industry standards and does not release any product with any medium or higher severity findings.

On top of FICO’s penetration testing of its own applications, third-party experts perform penetration testing of the FICO Analytic Cloud environment using a spectrum of techniques and approaches. Penetration testing helps improve the security of our environments and allows us to integrate what we learn into development.

Secure Infrastructure

For all cloud deployments, the core infrastructure is designed for mission-critical applications and processes. This design follows NIST and industry best practices: a layered approach to security, with sophisticated tools to scan for, manage, and remediate vulnerabilities, stop or mitigate attacks, and automatically log audit data.

Denial of Service Protection (DDoS)

The FICO Analytic Cloud provides end-to-end protection against the largest and most advanced DDoS attacks. We deploy proven tools and strategies that stop or mitigate DDoS attacks and maintain high availability. These tools provide DDoS protection by deflecting network layer attacks and foiling application layer attacks.

Web Application Security

The FICO Analytic Cloud leverages the implementation of a market-leading web application firewall solution, protecting the external interfaces from known and unknown web application–driven attacks, including OWASP Top 10 and zero-day attacks.

Patching and Vulnerability Management

The FICO Analytic Cloud uses scanning and penetration testing to identify vulnerabilities. FICO scans all known systems using an industry-leading vulnerability scanner with a PCI-approved option profile for PCI compliance scans.

Internal FICO teams analyze vulnerabilities to determine the underlying cause and methods of exploitation. Vulnerabilities are categorized by the FICO product and security teams based on risk level and remediated by applying an appropriate patch, making a configuration change, or by other means. In addition, independent third-party experts periodically assist us in vulnerability analysis, identification, remediation, and validation.

Monitoring and Logging

FICO monitors the FICO Analytic Cloud 24/7/365, collecting and saving logs, and safeguards audit data for a minimum of one year. Audit records contain, for each event, the user identification, event type, date and time, success or failure indication, event origination, and the identity or name of the affected data, system component, or resource. Audit reports are available to our clients upon request. All logs are continually monitored to detect anomalous or suspicious activity.

In addition, FICO manages and stores user log files to protect them against unauthorized modification. We also:

• Replicate audit trails to a centralized log server, reducing the risk of potential manipulation.

• Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts.
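One way to make stored audit data tamper-evident in the sense the two bullets above describe, as an added Python example (editorial code, not FICO’s logging stack): each record carries the six fields the text lists, every line commits to the hash of the line before it, and the chain head is compared against the copy replicated to the central log server, because a hash chain on its own cannot detect an attacker who simply deletes the tail of the file. The field names, sample events and the “central server” stand-in are constructed assumptions.

```python
"""Tamper-evident audit trail: hash-chained records with an off-box head.

Added example for the logging controls described in the text (required
audit fields, replication to a central log server, change detection on
stored logs); it is not FICO's code. Field names, the sample events and
the replicated head are constructed assumptions.
"""
import hashlib
import json
from typing import List, Optional, Tuple

# The six fields the text says every audit event carries (key names assumed).
REQUIRED_FIELDS = ("user", "event", "time", "success", "origin", "target")
GENESIS = "0" * 64


def _record_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canon}".encode()).hexdigest()


class AuditTrail:
    """Append-only local log; each line commits to everything before it."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.head = GENESIS

    def append(self, **record) -> str:
        missing = [k for k in REQUIRED_FIELDS if k not in record]
        if missing:
            raise ValueError(f"audit record missing fields: {missing}")
        h = _record_hash(self.head, record)
        self.lines.append(json.dumps({"prev": self.head, "hash": h, "record": record}, sort_keys=True))
        self.head = h
        return h


def verify(lines: List[str], replicated_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (ok, index of the first bad line or None).

    A modified or reordered line breaks the chain at that index. Truncation
    leaves a self-consistent chain, so the head is also compared with the copy
    held by the central log server when one is supplied.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry["prev"] != prev or _record_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if replicated_head is not None and prev != replicated_head:
        return False, len(lines)
    return True, None


def demo() -> dict:
    trail = AuditTrail()
    # Constructed sample events.
    trail.append(user="alice", event="login", time="2020-06-23T10:00:00Z",
                 success=True, origin="10.0.0.5", target="console")
    trail.append(user="alice", event="export", time="2020-06-23T10:02:11Z",
                 success=False, origin="10.0.0.5", target="dataset/42")
    trail.append(user="bob", event="login", time="2020-06-23T10:05:00Z",
                 success=True, origin="10.0.0.9", target="console")
    central_head = trail.head                       # what the central log server recorded
    intact = verify(trail.lines, central_head)

    # Tampering 1: rewrite the failed export as a success, leaving the hashes alone.
    edited = list(trail.lines)
    entry = json.loads(edited[1])
    entry["record"]["success"] = True
    edited[1] = json.dumps(entry, sort_keys=True)
    modified = verify(edited, central_head)

    # Tampering 2: delete the last event. The chain still verifies on its own;
    # only the comparison with the replicated head exposes the deletion.
    truncated = verify(trail.lines[:-1], central_head)
    local_only = verify(trail.lines[:-1])

    return {"intact": intact, "modified": modified, "truncated": truncated, "local_only": local_only}
```

An attacker who rewrites a record and recomputes its hash breaks the next line’s prev pointer instead; one who rewrites every subsequent line as well still fails the head comparison. The replicated head (or the whole replicated trail) is therefore the control that matters, and in practice it is written by a process the application host cannot modify.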

Compliance Center

The FICO Analytic Cloud is specifically designed to provide the most stringent security and privacy controls, including compliance with the standards of GDPR (Article 32), PCI-DSS, and ISO27001.

ISO27001 has been implemented as the structural foundation for FICO’s Information Security policies and program. This approach assists senior management in their obligations to monitor and control security, thereby minimizing risk to both FICO and FICO customers.

ISO27001 is the internationally recognized best-practice framework for developing an Information Security Management System (ISMS). It helps identify, manage, and minimize the range of threats to which information is regularly subjected. An ISMS is designed to select adequate and proportionate security controls to protect information assets and provide confidence to interested parties, including an organization’s customers.

FICO uses its ISMS to address the following:

• Formulation of security requirements and objectives

• Cost-effective management of security risks

• Compliance with laws and regulations

• Process framework for the implementation and management of controls to meet specific security objectives of the organization

• Identification and clarification of existing information security management processes

• Determination of the status of information security management activities

• Internal and external auditor reference

• Provision of relevant information about information security policies, directives, standards, and procedures to appropriate parties

PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for all organizations that process, store, transmit, and manage payment card data.

FICO has adopted PCI development standards across its software development function (i.e., for all application development work, regardless of the applications’ intended use). PCI-DSS certified applications mean that the solutions as delivered through the FICO Analytic Cloud adhere to or meet all the PCI Security Standards and have been certified by an independent assessment organization. For these applications, a PCI Attestation and Report of Compliance (AOC/ROC) is performed annually by an external PCI Qualified Security Assessor (QSA).

FICO is also a participating organization of the PCI Security Standards Council and a contributor to the PCI compliance standards setting process. To learn more, please visit: www.pcisecuritystandards.org

The Cloud Security Alliance

FICO is a member of the Cloud Security Alliance, a global not-for-profit organization with a mission to promote the use of best practices for providing security assurance for cloud computing and to educate on the uses of cloud computing to help secure all forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders. For more information, please visit: www.cloudsecurityalliance.org

Data Privacy and the General Data Protection Regulation (GDPR)

We continually monitor the regulatory and legislative landscapes for new developments in data privacy laws and deploy sophisticated technical and organizational measures to secure data and ensure privacy.

The FICO Analytic Cloud provides a secure environment that enables our customers to comply with the GDPR data privacy and security requirements. The EU’s GDPR assigns different responsibilities to the roles of “controller” and “processor.” When FICO offers a cloud solution, FICO is a processor, processing information on behalf of our clients (controllers). Article 5 of the GDPR sets out the principles that govern all processing of personal data:

• Lawfulness, fairness, and transparency—Data is collected and processed lawfully, fairly, and in a transparent manner in relation to the data subject.

• Purpose limitation—Personal data has been collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

• Data minimization—Information is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

• Accuracy—Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

• Storage limitation—Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

• Integrity and confidentiality—Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The FICO Analytic Cloud is designed using these principles, as well as the practice of privacy by design (Article 25). The FICO Data Protection Officer and privacy team oversee our data privacy strategy and work to ensure we meet all requirements in the geographies where our customers operate. Another critical component to ensuring our continued success is incorporating privacy by design and privacy by default in software development and in the processes and systems we create. When you use FICO software, you will appreciate the extra steps taken to ensure you are able to meet the data privacy requirements of your regulators wherever your customers are.

Further, FICO security complies with the standards of GDPR (Article 32), PCI-DSS, and ISO27001. We have implemented technical and organizational measures (TOMs) to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data. Reports of compliance, certification, and security are available upon client request.

International Data Privacy Laws

Many countries have passed or drafted data privacy laws that are similar to the GDPR. Common mechanisms we use to conduct business and transfer data internationally include standard contractual clauses (model clauses) and the EU-US Privacy Shield. More information, including a complaint resolution contact number, is available in the FICO Privacy Policy.

Privacy Shield

When transferring personal data from the European Union to the United States, Privacy Shield requires compliance with EU data protection requirements. FICO’s participation in Privacy Shield means that data transfers of personal information from EU countries may be made to locations in the United States in compliance with EU privacy law. FICO has signed up for the Privacy Shield principles of notice; choice; onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability. For more information, please visit: www.privacyshield.gov

Note that in July 2020, after this paper was published, the Court of Justice of the European Union invalidated the Privacy Shield framework (the Schrems II judgment); EU-to-US transfers since then rest on standard contractual clauses and, from 2023, on the successor EU-U.S. Data Privacy Framework.

United States Privacy Laws

A comprehensive federal privacy law has not been enacted, but there are many state laws being proposed or pending implementation that are intended to address data privacy rights. If you are a myFICO customer or a FICO Analytic Cloud Community subscriber, please visit the myFICO page or FICO Analytic Cloud.

If you have questions about your data privacy rights under the GDPR, other international privacy laws, or the California Consumer Privacy Act, please contact the FICO privacy team: [email protected]

Third-Party and Customer Verification

Our security standards are subject to independent assessment and certification by accredited third parties. In addition, we have undergone customer assessments by many of the most security-sensitive companies in the world, including some of the largest global banks. Reports of compliance, certifications, and security are available upon client request from FICO.

Page 12: FICO® Analytic Cloud—Secure by design · To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our systems, so you can rest assured

© 2020 Fair Isaac Corporation. All rights reserved. 12

FICO® Analytic Cloud: Secure by DesignCybersecurity

Fraud Protection & Compliance

For public cloud deployments, FICO has partnered with Amazon Web Services (AWS) to provide secure data centers. For private cloud deployments, FICO manages these data centers. For certain offerings, an Oracle or other cloud infrastructure may be used. For all cloud deployments, FICO’s Security Operations Center works to ensure that the infrastructure is hardened and monitored to meet our stringent security requirements.

Security Operations CenterFICO has a dedicated internal team of experts who continuously monitor the FICO Analytic Cloud and support clients from its Global Operations Center. FICO provides 24/7 support with warning and critical thresholds configured to alert the FICO team of any potential degradation or interruption of service. A dedicated client-facing support organization focuses on providing the highest levels of customer support.

Hilik Kotler is FICO’s CISO. He oversees Governance, Risk, and Compliance; Cyber Operations and Engineering; Application Security; and FICO’s Cybersecurity Center.

Employees To maintain the integrity of the employees, FICO has implemented a recruitment policy and follows a robust recruitment process that ensures not only people with the appropriate skill set are hired, but also following extensive background checks. This process includes, but is not limited to, the following actions:

• Comprehensive interview process.

• Validationtoconfirmthatnewemployees

havethequalificationsrepresented.

• Referenceandworkhistoryverification.

• Criminal background checks and other reviews as

appropriate to job responsibilities or allowable based

oncountry-specificprivacyandemploymentlaws.Also,

in some cases expanded vetting may be undertaken to

addressspecificbusinessorcustomerrequirements.

Awareness Every FICO staff member is required to undergo FICO Security awareness training upon hire and annually thereafter. The training is updated on an annual basis. Participation is required and verified with a knowledge test and minimum passing grade for each individual.

Compliance Non-compliance with the FICO policies by employees or designated agents will be subject to management investigation and disciplinary or other action, which may include termination.

Confidentiality All FICO employees sign non-disclosure and confidentiality agreements, binding both during employment and after termination, that protect information and state the employee’s responsibility for information security. Temporary staff, vendors, or contractors who need to access FICO information sign a confidentiality agreement prior to any engagement.

Professional Certifications All FICO employees are selected for their experience and knowledge. We have built a team of leaders and subject matter experts among security and risk professionals, who are considered experts in cybersecurity strategy, technology, process, and sustainability.

The group includes approximately 80 dedicated cybersecurity professionals. These professionals hold certifications in risk, information security, compliance and business continuity planning, and disaster recovery, such as CISSP, CISM, CEH, CRISC, CISA, CAMS, NSCP, CBCP, SCSA, CCIE, GAIC, CPISI, ISO Lead Auditor, CIPT, CIPP/US, and PCIP.

Additionally, FICO has a formal training department with funds allocated on a per-employee basis to encourage further growth and career development.

Physical Data Centers—Security and Operations


Visitors Based on FICO’s risk assessment of our data centers, which are mission critical resources, visitors are not allowed in our data centers as it is considered high risk to the environment and data. We will provide an SOC2 report of the data center for verification of controls. FICO’s data centers are almost completely lights-out data centers. Access is granted to named individuals for support and cannot be shared or transferred. The only exception is for emergency personnel, for whom shared access can be granted provided the access credentials (swipe cards/keys) are secured when not in use.

FICO Data Center Security (Private Cloud) The globally dispersed data center infrastructure utilizes industry best practices to minimize downtime, maintain tight security and protect against malware. The best practices of the FICO data center environments include:

• Physical and electronic safeguards, which are regularly updated.

• Physical and electronic access managed based on the principles of need-to-know and least privilege, meaning all access must be granted in a manner that allows only the necessary rights to perform the function of the defined role.

• 24/7 monitoring and client-facing support from FICO’s Global Operations Center.

• Industry standard disaster recovery capabilities.

• Geographically diverse data centers with failover capabilities.

Environmental Control The FICO Data Centers are equipped with air conditioning, fire suppression, UPS, and backup generators, all of which are connected to the building management system (which is monitored 24/7/365 by operations personnel).

AWS Data Center Security (Public Cloud) FICO partners with Amazon Web Services (AWS) to provide high-performance public cloud delivery. In addition to an elastic cloud infrastructure, AWS provides proven security, PCI compliance, and breadth and depth of secure cloud capabilities.

AWS uses redundant and layered controls, continuous validation and testing, and 24/7 monitoring and protection. The FICO Analytic Cloud managed services are compliant with the AWS Well-Architected Framework, which is designed to help cloud architects build the most secure, high-performing, resilient, and efficient infrastructure. Clients using the public cloud will benefit from data centers and network architecture built to satisfy the most stringent security and privacy requirements.

In addition to AWS security controls, FICO provides additional layers of security on top of this infrastructure, including platform hardening, monitoring, and logging. Security requirements and standard configurations are developed and maintained in partnership with the FICO Cybersecurity team.


Operational Management and Continuity

Incident Management Security-specific incidents are escalated to and handled by specially qualified personnel in a tiered approach varying from first responders to a dedicated forensics team. Coordination with outside agencies is done, if necessary, for resolution of issues under certain circumstances. Emergency contact information, reporting processes, and procedures are posted and readily accessible for all employees on the company intranet.

Change Control FICO has implemented a Change Policy, which empowers the Change Review Board to approve or reject change requests. There are formal processes in place to ensure that any changes are planned, tested, and executed according to plan, and that there is a back-out plan in the event of the change failing or causing issues.

Business Continuity In today’s global information age, unexpected situations may occur that can impact an organization’s operation and limit its ability to deliver services to end users (e.g., customers, field offices, governmental agencies, and the public). FICO has established recovery approaches to maintain a resilient state for vital FICO infrastructure to provide for the swift recovery of critical FICO functions, with minimal disruption to internal operations.

Compliance Management FICO has a formally designated Compliance Management team to support and facilitate global compliance, including Sarbanes Oxley and SSAE 16 audit programs.

Audits and Reviews

The FICO security framework requires that audits of FICO corporate systems and infrastructure are conducted at least annually. Audit levels and details correspond to the level of risk assessed for each system. Members of the FICO security team may also conduct spot audits whenever new risks are identified, or at any other time deemed necessary.

Security team members may also, if necessary, conduct network- and host-based audits of FICO corporate infrastructure and IT systems as needed to address zero-day or newly discovered exploits without prior notice. Furthermore, FICO leverages an internal red team responsible for continuously attempting to penetrate environments and working with the blue team (the cybersecurity operations center) to mitigate any findings from those exercises.

As previously noted, the FICO Analytic Cloud environment is currently ISO27001:2013 and PCI certified, as well as GDPR compliant.


FICO is a registered trademark of Fair Isaac Corporation in the United States and in other countries. Other product and company names herein may be trademarks of their respective owners. © 2020 Fair Isaac Corporation. All rights reserved.

4638WP 03/20 PDF

FOR MORE INFORMATION

NORTH AMERICA: +1 888 342 6336 [email protected]

LATIN AMERICA & CARIBBEAN: +55 11 5189 8267 [email protected]

EUROPE, MIDDLE EAST, & AFRICA: +44 (0) 207 940 8718 [email protected]

ASIA PACIFIC: +65 6422 7700 [email protected]

More Precise Decisions


Additional Questions? We take security seriously, and if you have questions or need information beyond what we’ve covered in this white paper, please contact your client partner or visit us at www.fico.com

Managed Services

FICO’s Advanced Cybersecurity Services enable customers to take security a step further, and continuously strengthen their security profile while reducing operational complexity. FICO provides value-added services, including security consultation for accelerated deployment, dedicated security monitoring, and more to enhance security and peace of mind.

Security Consultation FICO’s cyber and cloud security architects provide another layer of verification and best practices to any FICO project. From a secure solution design to data minimization and identity and access support, FICO’s architects help ensure that every customer project is a secure success.

Dedicated Security Monitoring On top of FICO’s 24/7/365 monitoring, FICO can dedicate security experts to customer monitoring, enforce customer-specific security logging requirements, and alert and respond to any customer-driven event. FICO’s dedicated experts work hand-in-hand with the customer to tailor the security detections and integrate their expertise into the customer’s existing logging and monitoring practices.

This Document This FICO document is provided to customers under confidentiality restrictions for informational purposes and nothing herein creates any obligation, contractual or otherwise, between the parties. FICO makes no representations that any of the information provided herein satisfies any applicable data security law or industry data security standard. Any information provided herein by FICO is made in good faith on an “AS IS” basis as to its accuracy at the time of disclosure and FICO assumes no liability or responsibility whatsoever regarding same.

About FICO FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956 and based in Silicon Valley, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO holds more than 195 US and foreign patents on technologies that increase profitability, customer satisfaction, and growth for businesses in financial services, telecommunications, health care, retail, and many other industries. Using FICO solutions, businesses in more than 100 countries do everything from protecting 2.6 billion payment cards from fraud, to helping people get credit, to ensuring that millions of airplanes and rental cars are in the right place at the right time.