Security Practices at Webex Events

Last Revised: March 18, 2022

Trust. It is the foundation of our security objectives at Webex Events. Our clients trust that we will protect their information with the same level of care and concern that they do. Our clients also trust that our applications will be available when they need them. We only achieve that trust through transparency. We are proud to tell our security and privacy story, so if you have questions, please let us know at privacy@socio.events.

Solution Overview

The heart of Webex Events is its platform, where event planners configure and operate their events. The Webex Events platform, along with its other web applications are Software-as-a-Service (SaaS) offerings hosted from hybrid Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Webex Events operates from a private tenant in the AWS public cloud. Webex Events offerings are provided from a multitenant, multi-tier architecture. Client data separation is maintained at the application layer through rigorous access controls.

Encryption

We believe that unless the data is being used, it needs to be encrypted. That is why we encrypt data-in-transit on both the internal and external networks using HTTPS (TLS 1.2+). All data-at-rest is encrypted using AES-256 with keys managed from our AWS key management service (KMS). Those keys are generated in the KMS, rotated within the KMS, and destroyed in the KMS. After all, the security provided through encryption is only as good as the security of the keys.

Intrusion Detection and Prevention

We are all for support from the Internet community, but not when it comes to administering our systems. Webex Events has adopted a walled-city security model that layers perimeter security controls. Everything from AWS security groups and cloud-native analogs, to traditional firewalls, are deployed and managed at the network perimeter and around internal system resources. All application traffic must also traverse our web application firewall, configured to prevent attacks targeting web applications. High walls are great, but they are not perfect, so we also have intrusion monitoring and alerting utilities to let the Webex security team know if a barbarian has made it past the gate.

Incident Response

Our incident management program is comprised of policies and procedures informed by the NIST 800-61 guidelines. While our goal is to never need it (other than for annual program testing, of course), the program entails notifying impacted clients without undue delay when a security incident affects their data or use of applications. In most cases, notification would occur via email. For prolonged outages or incidents, a web conference bridge will be availed. Clients can always monitor the status of our applications at https://status.socio.events.

Logging and Monitoring

Your event needs to be secure – that is table stakes – but it also needs to be available. In this age of virtual and hybrid events, even a short disruption can ruin the event. In addition to

standard system security logs, we maintain extensive telemetry logs. At Webex Events, the availability security pillar is treated with the same criticality as the confidentiality pillar.

Data Lifecycle

For some clients, prior and on-going events tell the history of their community. For other clients, the value of the event contents begins to decay at the conclusion of the event. Accordingly, event planners can delete event data in order to support their own retention requirements. By default, Webex Events retains event data for a maximum of five years. While we hate to see any client leave, we understand that all good things must eventually end. Upon contract termination, if a client requests, event data can be extracted and provided – of course, the event planner can also download anything that they want to keep. Within six months of the contract termination, all client data will be deleted, preserving block-level encryption to make sure that the data is permanently unavailable. We can then provide a certificate of destruction, if requested.

Data Access

Our employees only access client data when necessary for support. We limit access to only those personnel with a business justification to see client data. Once an access request has been approved, specialized security training is required before access is provisioned. Then multi-factor authentication is required and their activities are monitored.

Personnel Security

Webex Events is only as trustworthy as its personnel. Cisco conducts background checks on all employees prior to employment. Upon hire, and annually thereafter, employees must complete Code of Business Conduct, Security Awareness, and Privacy training. Upon hire and annually thereafter, all employees must also acknowledge security and confidentiality policies.

Secure Development

Training requirements are expanded for employees in development roles, who also must annually complete specialized security training. The application security development program is interwoven with the system development lifecycle. Static code analysis, peer review, and security testing are all part of the CI / CD pipeline.

Security Validation

Secure today may not be secure tomorrow. We are constantly re-evaluating our security posture. Network and web application vulnerability scans are performed weekly. Cisco performs multiple network, web application, and mobile application penetration tests on Webex Events each year. An independent third-party is also engaged at least annually to also perform these tests, as well.

Sub-Processor Management

Webex Events has integrated several best-of-breed partners to deliver our feature-rich solutions. Client trust must extend to those providers as well, so Webex Events maintains a robust vendor risk management program. We rely on the same tools that our clients do to monitor us – ISO certifications, SOC 2 Type II reports, questionnaires, and more to make sure that treatment of client assets are managed with at least as much rigor as Webex Events.

Like all modern software providers, we also integrate open-source and third-party libraries, modules, and utilities within our offerings. To monitor the assurance of these aspects, several tools are integrated within our development environment to monitor for vulnerabilities, changes in versioning, and changes in licensing.

Privacy

Like the global policy landscape, the Webex Events privacy program is constantly evolving. A good place to start to learn about our privacy program is the Privacy Data Sheet. You can find it here:

https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-events-socio-privacy-data-sheet.pdf

Our privacy policy can always be viewed here: https://socio.events/privacy-policy

Our Data Privacy Agreement and its companion Security Appendix cover all of the GDPR basics:

https://socio.events/docs/dpa

Assurance Collateral

Webex Events shares its assurance collateral documentation on the Cisco Trust Portal:

https://trustportal.cisco.com/c/r/ctp/home.html There you can find all of our available security, data privacy, and compliance documents.