As we expand data sharing and collaborative capabilities in our products and services, they become targets for increasingly sophisticated cyber adversaries. Our information technology (IT) systems and company information are routinely targeted by hacktivists, cyber criminals, insider threats, nation-state actors and advanced persistent threats. With thousands of our scientists and engineers developing cutting edge and patented products and services, the health of our business and mission success depends on protecting our employee information, intellectual property (IP) and customer sensitive data.
Lockheed Martin maintains an enterprise ISO 27001 certification that undergoes annual surveillance auditing and recertification every three years. In 2020, the annual ISO 27001 Surveillance Audit of the Lockheed Martin Enterprise Information Technology (EIT) focused on several Continental United States and International sites and locations across the corporation. The audit was successfully completed with zero findings.
The Classified Business and Security Committee of our Board of Directors reviews the Lockheed Martin procedures for maintaining data and information security for our customers and our own business operations. Employee privacy and data protection is managed by three business functions. The Corporate Information Security (CIS) team detects cyber intrusion risks and devises technical defenses. The Counterintelligence Operations and Corporate Investigations (CO/CI) team works with federal agencies to understand and mitigate external intelligence threats and identifies and investigates concerns of insider threat activity. The Privacy team, which is part of the Legal department, determines methods and governance for the proper use of personal data. Together, these functions secure our corporate and employee data.
The CIS team manages Lockheed Martin’s computer network defense system to continuously build our resilience against an evolving ecosystem of cyber risks and external threats, including nation-state threats. CIS has a dedicated Computer Incident Response Team (LM-CIRT) which is composed of security analysts with expertise across numerous technical disciplines. Leveraging Lockheed Martin Intelligence Driven Defense® methodology, LM-CIRT is the corporations first line of defense against both network and host-based threats. CIS additionally operates Security Intelligence Centers (SIC) worldwide that are managed by LM-CIRT. These centers bring together three primary capabilities: pervasive sensors, data management and analyst collaboration. Each SIC is staffed with cyber intel analysts who deeply understand our adversaries in terms of motivations, tactics, techniques and their objectives. LM-CIRT leverage the Lockheed Martin Cyber Kill Chain® to analyze threats and attacks not only at a micro level, reviewing the full details and conduct triage based on the suspected threat, but they also at the macro level, examining how a series of attacks can link together to represent a persistent campaign. Studying the patterns in these campaigns and fusing together various pieces of information, LM-CIRT can successfully pre-empt and block additional attacks from the adversary, including zero-day attacks. The CO/CI and CIS teams work together to address risks associated with insider threats and develop data-driven initiatives to improve our ability to prevent, detect, respond to and mitigate threats. CIS also collaborates with our supply chain and program management organizations to enhance our supply chain cyber risk mitigation strategies. These strategies include engaging with the suppliers who handle the most sensitive Lockheed Martin information to increase their awareness and enhance their cyber defense capabilities.
Lockheed Martin’s cybersecurity policies, as well as our Corporate Insider Threat policy, direct our compliance with global privacy laws and regulations. We integrate privacy considerations into new business opportunities, contracts, systems and acquisitions. We instill in our employees a respect for data protection and privacy through outreach, education, training and awareness. Education and awareness are vital to maintaining an environment where our employees, customers and partners trust us to use and protect personal information responsibly. Lockheed Martin provides multiple privacy-related courses, ranging from a mandatory new-hire Privacy Awareness training to a Privacy Professional Certification class.
In 2020, the Security Leadership Team was pleased to launch the Lockheed Martin Fusion Center. The Fusion Center offers a central location for integrated functional Classified Security resources to more effectively collect, analyze and share actionable intelligence aimed at safeguarding personnel, assets and information. New tools for data and link analysis, combined with resources for vendor due diligence and supply chain disruption monitoring, will create a strong foundation in our efforts to ensure the integrity of Lockheed Martin technologies.
Also in 2020, the annual Cybersecurity Awareness Month hosted in October switched to a virtual format. The team used immersive training experiences, like virtual escape rooms, to introduce newly hired employees to cybersecurity and our secure culture at Lockheed Martin.