FireEye Stories

Email Security in the Cloud: Why ISO 27001 and FedRAMP Reauthorization Matter

Customers rely on and expect FireEye cloud-based email security solutions to be backed by a fully functioning information security management system (ISMS). This includes having the necessary controls and documentation in place to protect sensitive data and manage risk. Today, we reinforce customer confidence that their email data is secure in the cloud with the news that FireEye has received International Organization for Standardization (ISO) 27001 certification, SOC 2 Type 2 recertification and Federal Risk and Authorization Management Program (FedRAMP) reauthorization for these solutions.

Risk management is an extremely important consideration in every information security management system (ISMS). By implementing and maintaining an ISMS, an organization protects sensitive data from being leaked and exposed to harm, and limits the impact of a data security breach.

ISO Certification – The Global Standard of Information Security

FireEye Email Security Cloud Edition has received ISO 27001 certification. As one of the highest internationally recognized standards for information security, this certification covers every aspect of people, process and systems security.

The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting FireEye Email Security Cloud Edition, and is in accordance with the statement of applicability, dated June 11, 2018. The in-scope infrastructure is housed at data centers located in EMEA (Europe) and North America; colocation and cloud hosting services are not included in the scope of the ISMS.

Email Security Cloud Edition also complies with the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC 2) Type 2 Certification for Security and Confidentiality. FireEye received the certification and the SOC 2 Type 2 recertification from Schellman & Company, LLC, a leading national provider of attestation and compliance services.

Acquiring ISO 27001 certification is not a one-and-done activity. Reaching ISO certification is attributable to the pre-work that goes into the program ahead of audit time, including understanding the requirements of the Standard and modifying our current risk assessment/internal audit process to adhere to the requirements of ISO.

Email Security FedRAMP Reauthorization Before Competitors Achieve Authorization

The FireEye Email Threat Prevention (ETP) Security Service, which is the instance of FireEye Email Security Cloud Edition for government organizations, received FedRAMP reauthorization. This latest authorization includes the expanded boundary of FireEye’s proprietary AVAS module, including antivirus, anti-spam and impersonation detection capabilities.

FireEye continues to lead the way in the email security industry and with the public sector. We were the first email security vendor to receive FedRAMP authorization for advanced threat protection, and now, over a year later, we are authorized for our second year while others are still undergoing the evaluation process. This is one more example of how FireEye continues to innovate and add new value to our government email security service.

FireEye ETP Security Service is designed around the unique needs of federal, state and local government agencies, as well as public education entities. This fully featured Secure Email Gateway (SEG) protects against commodity threats in the cloud, while saving the public sector time and money.

FedRAMP authorization is one of the most rigorous compliance levels to achieve for many reasons, including adherence to more than 300 requirements. The coordinated, consolidated effort across multiple diverse teams within FireEye was critical to this success.

About FireEye Email Security Cloud Edition

To reduce the risk of a breach, organizations need to protect their employees’ email, which is the gateway to most cyber attacks. FireEye Email Security leverages FireEye’s extensive first-hand knowledge of attacks to stop email-borne threats. The solution is designed to block not only malware and suspicious URLs, but also phishing and impersonation techniques, to prevent attackers from having an opportunity to take advantage of email users.