ISO 27001

    Our entire security program is underpinned by ISO 27001 and supplemented by multiple organizational, regional and functional security assurance certifications for our environments and our products.

    ISO 27001 is one of the most widely recognized and internationally accepted information security standards. It specifies the requirements for a comprehensive Information Security Management System (ISMS) and defines how an organization should manage and handle information securely, including the selection and operation of appropriate security controls.

    Our entire organization is certified to ISO/IEC 27001:2013. To achieve the certification, Entrust's compliance was validated by an independent audit firm after we demonstrated an ongoing and systematic approach to managing and protecting company and customer data. The certification attests that Entrust operates an exacting framework of policies and procedures covering the legal, physical and technical controls that make up an organization's risk management system. Achieving it is a demanding task: the standard's Annex A covers 14 control domains:

    • Information Security Policies
    • Organization of Information Security
    • Human Resources Security
    • Asset Management
    • Access Control
    • Cryptography
    • Physical and Environmental Security
    • Operations Security
    • Communications Security
    • Systems acquisition, development and maintenance
    • Supplier Relationships
    • Information Security Incident Management
    • Information Security aspects of Business Continuity Management
    • Compliance

    Our ISO 27001 certification builds on Entrust's long-standing compliance with multiple security assurance certifications that are recognized around the globe.

    Organizational, Regional, and Functional Certifications

    Common Criteria (CC): Common Criteria (ISO/IEC 15408) is an international framework of guidelines and specifications for evaluating the security of information technology products, used to confirm that a product meets an agreed-upon security standard, particularly for government deployments.

    Our certified products include:

    • Security Manager
    • nShield HSMs
    • KeyOne
    • TrustedX

    FIPS 140-2: Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It defines four security levels, each adding requirements to the previous level.

    Our certified products include:

    • nShield HSMs (FIPS 140-2 Level 2 and Level 3)

    ICP Brazil: ICP Brazil (ICP-Brasil) is Brazil's national public key infrastructure (PKI); certification under it supports National Basic Infrastructure for Electronic Identification projects in Brazil.

    Our certified products include:

    • nShield HSMs

    FIPS – 201 (PIV): FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

    Our certified products include:

    • Identity Guard

    NATO Information Assurance Product Catalogue: The NATO Information Assurance Product Catalogue (NIAPC), established under Directive AC/322-D(2010)0042 (22-09-2010), provides NATO nations and NATO civil and military bodies with a catalogue of Information Assurance (IA) products, Protection Profiles and Packages that are in use or available for procurement to meet NATO operational requirements.

    Our certified products include:

    • KeyOne

    AIS 31: Application Notes and Interpretation of the Scheme (AIS) 31, Functionality Classes and Evaluation Methodology for Physical Random Number Generators, Version 1 (25.09.2001), is the evaluation methodology published by the German Federal Office for Information Security (BSI) for physical (true) random number generators.

    Our certified products include:

    • Solo XC

    QSCD (Qualified Signature Creation Device): QSCD certification under Article 30(3)(b) of the eIDAS Regulation.

    Our certified products include:

    Environmental, Enclave, or System Certifications

    PCI Card Production (CP) – Our Financial Instant Issuance Managed Services Offering (FII MSO) is certified against the Payment Card Industry (PCI) Card Production and Provisioning Security Requirements and may perform Data Preparation activities in our approved facilities. Data preparation is the process by which credit card issuer and cardholder data are manipulated and configured for subsequent personalization by the issuer or by a different certified facility.

    US Federal Authority to Operate - Our EDC US Federal environment is certified against NIST SP 800-53 Revision 4. NIST SP 800-53 is a catalog of security and privacy controls for federal information systems and organizations, used to select controls that protect organizational operations, organizational assets, individuals, other organizations and the Nation from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures and human error. (https://www.idmanagement.gov/want-to/buy/trust-services/#ssp)

    tScheme - tScheme is the self-regulatory body for electronic trust service approval in the UK. https://www.tscheme.org/certificate-factory-entrust-datacard-europe-ltd

    ETSI 1 - The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit standardization organization for the telecommunications industry (equipment makers and network operators) in Europe, headquartered in Sophia-Antipolis, France, with worldwide reach. Our "ETSI 1" certification addresses ETSI EN 319 401 v2.1.1 (General Policy Requirements for Trust Service Providers) and ETSI EN 319 411-1 v1.1.1 (policy and security requirements for Trust Service Providers issuing certificates, Part 1: General requirements), the eIDAS policy requirements for Certification Authorities.

    ETSI 2 - Our "ETSI 2" certification addresses Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers, under the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council). The certificate was issued by the A-SIT Certification Body (Austrian Secure Information Technology Center), acting as the eIDAS conformity assessment body, in accordance with Article 20(2) of the eIDAS Regulation. On the basis of this certification, the TrustedX eIDAS product can be used to generate qualified remote signatures with legal validity in all member states of the European Union. The certificate can be found at https://www.a-sit.at/downloads/1071 .

    ISO/IEC 15504 – We have been granted capability level 3 of ISO/IEC 15504 (Software Process Improvement and Capability Determination) by AENOR (www.aenor.es), a body accredited by the Spanish National Accreditation Body (ENAC) for certifying products and services. This certification provides a solid basis for evaluating and improving the quality of our software development processes.

    UNE 166002 and CEN/TS 16555-1 – This is a certification of our Research, Development and Innovation (R+D+I) activities for security software in the areas of identity and trust, issued by AENOR (www.aenor.es), a body accredited by the Spanish National Accreditation Body (ENAC) for certifying products and services. It attests that our R+D+I management system is effective and efficient, which is a differentiating factor in the competitiveness and quality of the Company's products. On the basis of this certification, AENOR has also issued a certificate of compliance with the European technical specification CEN/TS 16555-1:2013, Innovation Management, Part 1: Innovation Management System.

    PrivacyMark – The PrivacyMark System assesses whether private enterprises take appropriate measures to protect personal information. Enterprises that pass the assessment are granted the right to display the "PrivacyMark" logo in the course of their business activities. The system is based on the Japanese Industrial Standard JIS Q 15001 (Personal Information Protection Management System - Requirements).

    Responsible Disclosure

    The Entrust Responsible Disclosure Program is committed to resolving security vulnerabilities in our products in a careful and timely manner. We take appropriate and necessary steps to minimize the risk to customers and aim to provide accurate information and resolution to address security threats in our products.

    Entrust follows responsible disclosure guidelines to ensure its customers can address potential vulnerabilities as quickly as possible to mitigate associated risks.

    We understand that you are taking your personal time and effort to report these issues.

    Our asks of you include:

    1. All testing must be legal.
    2. Respect the privacy of others.
    3. You will make reasonable efforts to contact us.
    4. Provide sufficient details of the vulnerabilities that enable us to verify and reproduce.

    Our promises to you include:

    1. Provide a method for researchers to securely report vulnerabilities.
    2. Promise to respond to reports in a reasonable manner.
    3. Strive for open communication with researchers.
    4. Publish security advisories.

    Report a Vulnerability

    We recommend that security researchers contact the Entrust Product Security Team by sending an email to [email protected]

    Finders are encouraged to use the Entrust Product Security PGP key to encrypt sensitive information sent to this address. Before encrypting, confirm that the fingerprint of the key you have imported matches the one below.

    PGP / GPG key Fingerprint:
    8015 7C02 BBDB 2BA9 BFC0 68E2 C6A7 3905 B449 2509

    When creating the report please provide as much of the following information as possible:

    • Product Name, version, and operating environment.
    • Type and impact of the issue.
    • The configuration/state required to reproduce the issue.
    • A compressed archive file containing proof of concept code, scripts, or other data which facilitates the reproduction of the issue.
    • Name and additional contact details (optional).

    In order to protect our existing customers and yourself, we strongly recommend that you:

    • Do not take advantage of the vulnerability or problem you have discovered. For example: by downloading more data than necessary to demonstrate the vulnerability, or deleting/modifying other system data.
    • Do not reveal the problem to others until it has been resolved.
    • Do not leverage the vulnerabilities to initiate new attacks.

    We will handle all reports with strict confidentiality, and will not disclose your personal data to third parties without your permission.

    We strive to resolve all issues as quickly as possible. Once an issue is resolved, we ask to remain actively involved in any publication about it.

    Vulnerability Handling Process

    Security vulnerabilities in Entrust Security products are actively managed through our vulnerability management process, which covers four stages:

    1. Reporting: The process begins when the Entrust Product Security Team is made aware of a potential security vulnerability in an existing product. The reporter receives an acknowledgment and updates throughout the handling process.
    2. Triage: The Entrust Product Security Team investigates the issue, confirms whether it is a genuine vulnerability, assesses the risk and impact, and assigns a processing priority. The outcome is communicated to the reporter.
    3. Resolution: The product engineering team works with the Product Security Team to develop a fix that mitigates the reported vulnerability.
    4. Disclosure: If the vulnerability is deemed to be of sufficient severity, a product advisory is created to give all affected customers the information they need to assess their risk accurately, together with remediation or workaround advice and the availability of any patches. Following disclosure, customer questions are handled by the Support Team in the usual manner.

    Entrust's disclosure policy ensures all customers receive the same information at the same time to avoid introducing further risk.

    Entrust also provides software and firmware updates as part of the Support Services offered during the Support Period of the product. Specifically:

    Entrust will provide, during the Support Period, the following support to customers:

    (i) Use commercially reasonable efforts to investigate and find a resolution to failures reported by customers, and confirmed by Entrust, in accordance with the priority level assigned to the failure by Entrust in its reasonable discretion.

    (ii) Updating of the documentation as and when necessary.

    (iii) The provision of generally available maintenance software and software release notes.

    (iv) The provision, free of charge, during the Support Period, of generally available maintenance updates to the supported versions of the software as and when available.

    Note: Some software updates may require a hardware upgrade to function properly.