Kaspersky has expanded the scope of its cyberthreat-related data relocation, which now covers users in Latin America and the Middle East. The company’s commitment to following the best data security practices has been reaffirmed by TÜV AUSTRIA’s re-certification of Kaspersky’s data services with an expanded scope. In addition, the company publicly shared information on the requests for data and technical expertise received from government and law enforcement agencies as well as from users in H2 2021.
These measures reflect the company’s continuous commitment to move toward greater transparency undertaken as part of the Global Transparency Initiative (GTI). By launching GTI in 2017, Kaspersky set a benchmark for digital trust and became the first cybersecurity vendor to make its source code available for review. Committed to being a trusted partner for its users, to date, Kaspersky remains one of few international IT vendors that seek to turn transparency into an industry standard and take steps toward greater accountability.
Since March 2022, malicious and suspicious files received from users in Latin America and the Middle East, which used to be processed by facilities in Russia, have been processed and stored by Kaspersky in data centers in Zurich, Switzerland. Prior to that, the relocation of such data storage had been completed for Europe, North America and a number of Asia-Pacific countries. Swiss data centers provide world-class facilities in compliance with leading industry standards, so the company’s users can be confident in the security of their data.
Moreover, Kaspersky has renewed its certification under ISO 27001*, an internationally recognized applicable security standard, issued by the independent certification body TÜV AUSTRIA. In addition to the audit passed in 2020, this time the scope of the certification was extended and now covers not only the Kaspersky Security Network (KSN) system for the safe storage of and access to malicious and suspicious files (called KLDFS), but also the KSN systems for processing statistics (called KSNBuffer database).
Conformity with ISO/IEC 27001:2013 – internationally recognized as the best practice industry and applicable security standard – lies at the core of Kaspersky’s approach to implementing and managing information security. The certification – granted by the third-party accredited certification body, TÜV AUSTRIA – demonstrates the company’s commitment to strong information security and its Data Service’s compliance with industry leading practices.
The document can be found in the TÜV AUSTRIA Certificate Directory and is also publicly available on the Kaspersky website here.
Andrey Efremov, Kaspersky’s Chief Business Development Officer, said: “We have relocated the cyberthreat-related data processing and storage from a number of additional countries and territories to facilities in Switzerland – a country renowned for its strict data protection legislation. These steps form just part of our Global Transparency Initiative, which also includes independent assessments of our company’s data service and engineering practice integrity, and the provision of our products’ source code for open review. Together, these measures further underline our commitment to ensuring that the way we treat our user data is as open and transparent as possible, and that we continue to provide our customers and partners with the most reliable and trustworthy solutions and services.”
The new edition of the Transparency report
Kaspersky has developed an enduring practice of disclosing information on the company’s approach to dealing with data requests and releases its regular “Law Enforcement and Government Requests” report, uncovering data in two categories: user data and technical expertise**. The latest report looks at this data during the second half of 2021.
In particular, during the second half of 2021, Kaspersky received 109 requests from governments and law enforcement agencies (LEAs) from 12 countries. At least 36% of those were rejected due to an absence of data or to not meeting legal verification requirements. In total, 92 of the requests received during the second half of the last year were for technical expertise.
In total, throughout 2021, Kaspersky received 214 requests (compared to 160 requests in 2020) from governments and LEAs from 17 countries. A total of 181 of those were for technical expertise (compared to 132 in 2020). Further information on the steps for processing such requests can be found here.
At the same time, the number of user requests for details on what user data is stored and where, and for its provision or removal, increased, reaching 2,252 in total.
To promote accountability and transparency of cybersecurity industry standards, Kaspersky seeks to share its expertise with a broader community. Thus, as part of its Global Transparency Initiative, Kaspersky further expanded its Cyber Capacity Building Program (CCBP), which aims to help organizations worldwide develop practical tools and knowledge for security assessments by launching a relevant online course — “Digital Cyber Capacity Building Program.” The online training, which is now available for an even greater audience, will ensure that more organizations and individuals will have a chance to boost their cyber-resilience by learning how to properly carry out product security assessments and evaluations.
To learn more about the Kaspersky Global Transparency Initiative, please visit the website here.
* ISO/IEC 27001 is the most widely used information security standard, prepared and published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards.
**User data includes information provided by users to Kaspersky when they use the company’s products and services. It depends on the services, products and features users use and is protected as described in the Kaspersky Privacy Policy.
Requests for technical expertise include non-personal technical information produced and provided by Kaspersky security researchers and machine learning algorithms. This may include the MD5 hashes of malware, indicators of compromise (IoCs), information about the modus operandi of cyberattacks, output of malware reverse engineering, statistical information and other results of investigations and research.