Product Security Program Governance
Underpinning its Product Security Program, Lenovo has in place a governance system with checks and balances to ensure processes and practices are consistently followed across the business. This governance system puts in place controls to ensure that security reviews are part of the product development and supply chain lifecycle processes. This governance system is outlined in the Lenovo Product Security Governance Documentation illustrated below:
(Promotes Product Security & Authorizes CPSO position)
Product Security Program Document
(Identifies CPSO, Introduces Product Security Office and Initiatives)
Specific Programs, Standards, and Processes
The Policy document is signed by the CEO, and stresses the importance of Product Security to all employees. The Program document is from the Chief Product Security Officer (CPSO) and introduces the work that implements Product Security processes. Finally, the actual Program, Standards, and Process documents relate to the specific work being done.
To ensure the effectiveness of the governance process, a training curriculum has been developed to educate and broaden employees’ understanding and knowledge regarding Lenovo’s approach to product security. The curriculum starts with a basic awareness of product security concepts and consists of three levels, with a certification achieved at the completion of each level: Security Basics, Software Security Associate, and Professional. The curriculum can be tailored to meet the needs of individual employees, depending on their job requirements. Security Basics are courses that can be taken by anyone to gain a good understanding of Product Security. The Associate and Professional levels are geared toward those with a software background, and lead to advanced secure software design concepts. Additional courses beyond these are available for further learning.
Lenovo’s work to ensure the security of its products and supply chain has been recognized by Chain Security, LLC, one of the leading security firms in the United States. This conclusion came after almost three years of detailed study into Lenovo’s security processes, corporate governance and supplier programs. The result of this analysis is a 20-page Letter of Attestation in which Chain Security details their work with Lenovo, the changes and improvements Lenovo implemented during the study, and Chain Security’s conclusion that Lenovo “is likely ahead of the industry” in terms of these security processes.
Questions regarding implementation of these processes can be directed to the Product Security Office.