There are two basic categories for security certification/compliance:

  • Solution Level Certifications/Compliance
  • Product Level Certifications/Compliance

 

Solution Level

ESRI customers have successfully deployed ArcGIS products into environments requiring the following solution level security certifications/compliance:

  • International Standards
    • ISO 2700X, ISO 17799, BS 7799, Common Criteria (CC)
  • Federal Standards
    • FISMA (NIST), DITSCAP/DIACAP
  • Industry Regulations
    • HIPAA, SOX, PCI

Other Notewothy items concerning Solution Level security:

  • ESRI hosts FISMA certified and accredited low risk category environments
  • The GIS Security Patterns are not a guarantee of NIST/FISMA guidance for your solution, but serve as an excellent starting point for an organization and ease alignment with certification requirements
  • Software vendors such as ESRI do not perform solution level security certification/compliance for software product as they are unique to each deployment and dependent on all components within a solution, such as hardware, administrative policies and physical procedures

Product Level

  • FDCC (Federal Desktop Core Configuration)
    • ESRI incorporates product level FDCC security compliance checks
    • Starting with version 9.2 of ArcGIS Desktop based clients, ESRI fully supports and tests product compatibility with FDCC (Federal Desktop Core Configuration) security settings http://nvd.nist.gov/fdcc/fdcc_faq.cfm
    • Starting with version 9.3.1 ArcGIS Desktop clients, ESRI utilizes SCAP-validated tools to self-certify products and ensure FDCC compliance.
  • FIPS (Federal Information Processing Standards)
    • ESRI’s GIS products provide basic security functions that meet the needs of many customers.  To address specific needs like FIPS 140-2 compliance ESRI products can be supplemented with 3rd party FIPS 140-2 compliant security algorithms
    • ESRI products are compatible with enabling the “Use FIPS compliant algorithms for encryption, hashing, and signing” security setting in Windows XP and later versions of Windows

As always, ESRI continues to evaluate the need for compliance and/or additional certifications based on customer input.

Filed under: