WHITE PAPER

FICO® Analytic Cloud — Secure by Design · 2019-10-15


© 2019 Fair Isaac Corporation. All rights reserved.

Table of Contents

Introduction
The FICO Security Promise
FICO’s Total Security Framework
Securing Identities
    Identity & Access Management
    Privilege Access Management (PAM)
    Multifactor Authentication (MFA)
Securing Data & Applications
    Data Security
    Securing a Multitenant Environment
    Security in the Software Development Lifecycle (SDL)
    Penetration Testing
Secure Infrastructure
    Distributed Denial of Service Protection (DDoS)
    Patching & Vulnerability Management
    Monitoring & Logging
Privacy & Compliance Center
    PCI-DSS
    ISO 27001
    Data Privacy and the General Data Protection Regulation (GDPR)
    Privacy Shield
    Third-Party and Customer Verification
Physical Data Centers — Security & Operations
    Security Operations Center
    FICO Data Center Security (Private Cloud)
    AWS Data Center Security (Public Cloud)


Introduction

Our cybersecurity mission at FICO is to deliver the very best data security, customer and subscriber protection through innovation, adherence to stringent standards, and a team of world-class professionals.

Security and trust are at the core of everything we do. To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our systems, so you can rest assured knowing your most sensitive data is protected 24/7. Our secure cloud services protect your data while complying with the most stringent industry, regulatory and regional requirements.

The FICO® Analytic Cloud is a complete, fully managed cloud services platform that provides access to a wide range of data science and advanced analytics tools, application development software, on-demand infrastructure, decision management applications, packaged analytics and managed services. We give you the flexibility to choose the cloud model that works for you — private single-tenant, private multi-tenant, hybrid or public — and the confidence to know that all choices can meet your important security needs, even in highly regulated industries.

The FICO Security Promise

FICO solutions are designed with inherent security in mind and continuously tested for vulnerabilities before, during and after release.

FICO maintains compliance with the most stringent cyber standards.

Sensitive data within the cloud environments is encrypted and access carefully restricted.

FICO utilizes state-of-the-art cyber technologies to continuously secure the environments against emerging threats.

FICO’s Total Security Framework

FICO uses a multifaceted approach to safeguard your data with integrated, defense-in-depth security controls at every layer of the FICO Analytic Cloud. Security is a strategic priority for FICO, and we continually invest in industry-leading tools and best practices to secure identities, applications, data and infrastructure, build redundancy, and satisfy tough privacy and compliance standards.

We take a proactive, risk-based approach to security guided by the principles of “security by design.” To this end, FICO has adopted a DevSecOps model that introduces strict security controls during all phases of the software development and system integration lifecycle, starting at inception. We utilize a variety of testing techniques, including software penetration testing and automated testing tools, to ensure security is continually integrated into our software and infrastructure. We employ a large cybersecurity team, including several leading security experts, and manage a state-of-the-art Operations Center.


[Figure: FICO Cyber Program — Security by Design. Diagram labels recovered from the page: Cybersecurity Pillars (Confidentiality, Integrity, Availability); Cybersecurity Dimensions; Security Practice; Insider, Outsider, Attacker; Framework of Control (Incident Management, Strategy & Governance, Monitoring & Auditing, Risk & Compliance Assessment, Training & Awareness); Data Assets (Customer Data, Code & IP Collateral, Privacy, Financial M&A Data); Attack Surface (FICO Products, Cloud, Internal Applications, Personal Computing, Servers, Databases, Network, Mobility); Compliance (Legal Compliance, Regulatory Compliance, Customer Compliance).]

FICO adheres to industry best practices in secure software development, embracing the PCI-DSS and the Open Web Application Security Project (OWASP) standards for development. All facilities from which FICO operates FICO® Analytic Cloud solutions are compliant with PCI standards and support PCI Data Security Standard (PCI-DSS) certification wherever required.

FICO conducts regular independent third-party audits to assess compliance with security standards. We constantly evolve our security controls through participation in the Cloud Security Alliance and the latest industry best practices.


Securing Identities

FICO enables you to securely control access on the FICO® Analytic Cloud for your users, even in large organizations with complex organizational models. FICO follows the principle of least privilege, assigning appropriate profile privileges based on roles.

Identity & Access Management

The FICO Analytic Cloud is supported by a set of core identity and access management services that regulate how people log in to the FICO Analytic Cloud and associated products through an easy Single Sign-On (SSO) capability. Access management includes the processes and technologies used to create, validate, protect and disable user account passwords. The same login, auditing, roles and permissions are used across the entire FICO Analytic Cloud for all products and solutions. The following techniques are used to protect access:

• Password lockout, timeout and expiration

• Strict password length and complexity requirements

• Granular permissions to allow users to accomplish key tasks within the principle of least access
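The access controls listed above (lockout, timeout, expiration, length and complexity rules) can be written down as a small policy engine. The following is an added illustration, not FICO's identity service; the threshold values, the account layout and the PBKDF2 choice are assumptions, since the page states no specific numbers or algorithms.

```python
"""Account-access policy checks: failed-login lockout, idle-session timeout,
password expiration and length/complexity rules.

Added illustration, not FICO code. Threshold values below are assumptions."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumed policy values (the page gives none).
MAX_FAILED_ATTEMPTS = 5                     # lock after this many consecutive failures
LOCKOUT_SECONDS = 30 * 60                   # how long the lock lasts
SESSION_TIMEOUT_SECONDS = 15 * 60           # idle-session timeout
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600   # password expiration
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a memory-hard KDF is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: float      # epoch seconds when the password was last set
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    last_activity: float = 0.0  # epoch seconds of the last authenticated request


def new_account(username: str, password: str, now: float) -> Account:
    if not password_meets_policy(password):
        raise ValueError("password does not meet the complexity policy")
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), now)


def check_login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'denied', 'password_expired' or 'ok'."""
    if now < acct.locked_until:
        return "locked"
    presented = hash_password(password, acct.salt)
    if not hmac.compare_digest(presented, acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.password_set_at > PASSWORD_MAX_AGE_SECONDS:
        return "password_expired"   # correct password, but a change is required first
    acct.last_activity = now
    return "ok"


def session_is_valid(acct: Account, now: float) -> bool:
    """Idle timeout: a request arriving after the idle window invalidates the session."""
    if now - acct.last_activity > SESSION_TIMEOUT_SECONDS:
        return False
    acct.last_activity = now
    return True


if __name__ == "__main__":
    acct = new_account("alice", "Correct-Horse-42", now=1000.0)   # constructed sample
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(check_login(acct, "wrong-password", now=1001.0))
    print(check_login(acct, "Correct-Horse-42", now=1002.0))      # still locked
    print(check_login(acct, "Correct-Horse-42", now=1000.0 + LOCKOUT_SECONDS + 10))
```

Two design points worth noting: the lock is checked before the password is verified, so a locked account gives no signal about whether a guess was right; and an expired password still verifies but yields `password_expired`, which lets the application force a change without treating the event as a failed login.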

Privilege Access Management (PAM)

FICO uses safeguards to secure, control, manage and monitor privileged access to the FICO Analytic Cloud. FICO uses a PAM system that takes the credentials of privileged accounts, such as admin accounts, and places them inside a secure repository that isolates their use. This approach reduces the risk of these credentials being compromised. Once inside the repository, system administrators use the PAM system to access their credentials, at which point they are authenticated, and their access is logged. When a credential is checked back in, it is reset to ensure administrators must go through the PAM system the next time they use the credential.
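The check-out, log, check-in and reset cycle described above is the core of a PAM vault. The following is an added example written for this page, not FICO's PAM product; the authorization callback, the rotation method (a random token) and the account names are assumptions, and pushing the rotated secret to the target system is left out.

```python
"""Check-out / check-in credential vault with rotation on return and an audit
trail, illustrating the PAM flow described in the text.

Added example, not FICO's PAM system. Authorization policy, rotation method
and account names are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class VaultedCredential:
    account: str
    secret: str
    checked_out_by: Optional[str] = None
    checked_out_at: float = 0.0
    generation: int = 0   # number of rotations so far


class CredentialVault:
    """Privileged secrets live only here; administrators never keep a durable copy."""

    def __init__(self, authorize: Callable[[str, str], bool]):
        self._store: Dict[str, VaultedCredential] = {}
        self._audit: List[dict] = []
        self._authorize = authorize   # (user, account) -> bool; policy is an assumption

    def add(self, account: str, initial_secret: str) -> None:
        self._store[account] = VaultedCredential(account, initial_secret)

    def _log(self, user: str, action: str, account: str, outcome: str) -> None:
        # Every attempt is logged, including the ones that are refused.
        self._audit.append({"ts": time.time(), "user": user, "action": action,
                            "account": account, "outcome": outcome})

    def check_out(self, user: str, account: str) -> Optional[str]:
        """Return the secret if the user is authorized and nobody else holds it."""
        entry = self._store.get(account)
        if entry is None:
            self._log(user, "checkout", account, "unknown-account")
            return None
        if not self._authorize(user, account):
            self._log(user, "checkout", account, "denied")
            return None
        if entry.checked_out_by is not None:
            self._log(user, "checkout", account, "already-checked-out")
            return None
        entry.checked_out_by = user
        entry.checked_out_at = time.time()
        self._log(user, "checkout", account, "granted")
        return entry.secret

    def check_in(self, user: str, account: str) -> bool:
        """Return the credential; the secret is rotated so the copy the admin saw is dead."""
        entry = self._store.get(account)
        if entry is None or entry.checked_out_by != user:
            self._log(user, "checkin", account, "not-holder")
            return False
        # Rotation: a real PAM would also set this new value on the target system.
        entry.secret = secrets.token_urlsafe(24)
        entry.generation += 1
        entry.checked_out_by = None
        self._log(user, "checkin", account, "rotated")
        return True

    def generation(self, account: str) -> int:
        return self._store[account].generation

    def audit_trail(self) -> List[dict]:
        return list(self._audit)


def demo() -> List[str]:
    """Walk the flow once on constructed data and return the audit outcomes in order."""
    vault = CredentialVault(authorize=lambda user, account: user == "admin-alice")
    vault.add("db-root", "initial-secret")        # constructed sample credential
    vault.check_out("admin-alice", "db-root")     # granted
    vault.check_out("admin-bob", "db-root")       # denied by policy
    vault.check_in("admin-bob", "db-root")        # refused: not the holder
    vault.check_in("admin-alice", "db-root")      # rotated on return
    return [e["outcome"] for e in vault.audit_trail()]


if __name__ == "__main__":
    print(demo())
```

The property that matters is the last step: after check-in the value the administrator saw no longer works, so the only path back to the account is another logged check-out. Because the vault is the single writer of the secret, the audit trail is also the complete record of who held privileged access and when.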

Multifactor Authentication (MFA)

MFA is an added layer of security used to verify an end user’s identity when they sign into an application, such as a text message confirmation. FICO deploys tools that use a variety of factors for authentication across usability and assurance levels, including knowledge factors, possession factors and biometric factors.

Securing Data & Applications

FICO is committed to securely managing your data and ensuring that it is available to meet your business needs. We continually improve our practices, data and application controls to ensure the security and integrity of your data both in transit and at rest.

Data Security

FICO uses the latest technology and industry practices for encrypting data in transit and at rest. For data in transit, we use current encryption protocols and hashing algorithms, encrypting data across networks with Certificate Authority (CA) issued certificates. FICO uses a range of industry standard techniques to protect sensitive data at rest, including encryption, redaction and obfuscation.


Foundational to securing your data in transit and at rest is a FICO Analytic Cloud network that has been designed based on the defense-in-depth concept. We use multiple independent computer networking techniques to provide redundancy and reduce the risk of compromise.

Best practices incorporated into the FICO® Analytic Cloud network include:

• Demilitarized zones (DMZ) for internet-facing services

• Network monitoring/intrusion detection using multiple intrusion detection systems (IDS)

• Denial of service network protections (DDoS)

• Multiple layers of external firewalls

• PCI-DSS specific requirements

Products and solutions on the FICO Analytic Cloud use an encryption approach that is tailored to your specific solution. If you would like more information about data-at-rest encryption for any specific solution, please visit www.fico.com.

Securing a Multitenant Environment

The FICO Analytic Cloud offers a multitenant (public cloud) option where a single instance of the software is used by multiple customers, i.e., tenants. FICO provides security controls for multitenant infrastructure and applications, including use of industry-leading tools and best practices for authentication and access, data at rest and in transit, and secure infrastructure. In addition, FICO enables dedicated URLs for each tenant and logging separation by tags and entities. It isolates and separates data, memory and networks and provides additional layers of application security to protect sensitive data from cross-customer impact or possible rogue tenants.

Security in the Software Development Lifecycle (SDL)

Addressing security threats is a key element of software development. The SDL program requires development teams at FICO to leverage best practices that assure FICO products are secure and developed with appropriate application security controls to ensure confidentiality, integrity and availability. This enables FICO to identify, prevent and remediate security vulnerabilities early in the development cycle.

SDL training and development standards are based on a hybrid risk model guided by the Open Web Application Security Project (OWASP), as well as additional guidelines and requirements for application design, coding and testing practices to avoid vulnerabilities and protect against common threats. This approach ensures that on day one, when a new feature or application becomes available to our customers, it has been carefully designed and extensively tested to meet the highest security and data privacy requirements.

The Secure SDL (SSDL) includes:

• Computer-based training (CBT)

• Security (peer) code review

• Static application security testing (SAST)

• Dynamic application security testing (DAST)

• Vulnerability assessments

The Secure Software Development Lifecycle program is defined and supported by the FICO Information Security Department and under the guidance of the FICO Secure Software Steering Committee, our Chief Information Security Officer (CISO) and the Chief Technology Officer for Information Security.

Penetration Testing

Penetration testing helps quickly find and fix exploitable vulnerabilities in your server-side applications and APIs. Using multiple testing tools and in-depth manual tests focusing on business logic, penetration testing extends dynamic application security testing (DAST) to identify and purposely exploit vulnerabilities so they can be addressed.

As part of Secure-SDLC, FICO performs penetration testing of our applications, and third-party experts perform penetration testing of the FICO Analytic Cloud environment using a spectrum of techniques and approaches. Penetration testing helps improve the security of our environments and allows us to integrate what we learn into development.


Secure Infrastructure

For all cloud deployments, the core infrastructure is designed for mission-critical applications and processes. This approach is grounded in NIST and industry best practices to take a layered approach to security with sophisticated tools to scan for, manage and remediate vulnerabilities, stop or mitigate attacks, and automatically log audit data.

Distributed Denial of Service Protection (DDoS)

The FICO® Analytic Cloud provides end-to-end protection against the largest and most advanced DDoS attacks. We deploy proven tools and strategies that stop or mitigate DDoS attacks and maintain high availability. These tools provide DDoS protection by deflecting network layer attacks and foiling application layer attacks.

Patching & Vulnerability Management

The FICO Analytic Cloud uses scanning and penetration testing to identify vulnerabilities. FICO scans all known systems using an industry-leading vulnerability scanner with a PCI-approved option profile for PCI compliance scans.

Internal FICO teams analyze vulnerabilities to determine the underlying cause and methods of exploitation. Vulnerabilities are categorized by the FICO product and security teams based on risk level, and remediated by applying an appropriate patch, by making a configuration change or by other means. In addition, independent third-party experts periodically assist us in vulnerability analysis, identification, remediation and validation.

Monitoring & Logging

FICO monitors the FICO Analytic Cloud 24/7/365, and logs and safeguards audit data for a minimum of one year. These reports are available to our clients upon request. Audit reports contain data for events that include user identification, event type, date and time, success or failure indication, event origination, and identity or name of affected data, system component or resource. All logs are continually monitored to detect anomalous or suspicious activity.

In addition, FICO manages and stores user log files to protect them against any unauthorized modifications. We also:

• Replicate audit trails to a centralized log server, reducing the risk of potential manipulation.

• Use file integrity monitoring and change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
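The two log-protection measures above, a centralized replica and change detection on the log data itself, can be demonstrated with an HMAC-chained audit log carrying the record fields the page lists (user identification, event type, date and time, success or failure, origination, affected resource). This is an added example, not FICO's logging stack; the key, the field names and the three sample events are constructed for illustration.

```python
"""Tamper-evident audit log: each record carries the audit fields named in the
text plus an HMAC chained to the previous record, so an altered, removed or
reordered record is detected on verification.

Added example, not FICO code. Key, field names and sample events are constructed."""
import hashlib
import hmac
import json
from typing import List

# Constructed demo key. In production the key lives in a KMS/HSM and the
# verifier runs on a separate system, such as the centralized log server.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64   # "previous MAC" of the very first record


def _canonical(body: dict) -> bytes:
    # Stable serialization so the same record always yields the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[dict], *, user: str, event_type: str, timestamp: str,
                  success: bool, origin: str, target: str, key: bytes = LOG_KEY) -> dict:
    """Append one audit record; its MAC covers the record and the previous MAC."""
    body = {
        "user": user,               # user identification
        "event_type": event_type,   # event type
        "timestamp": timestamp,     # date and time
        "success": success,         # success or failure indication
        "origin": origin,           # event origination
        "target": target,           # affected data, component or resource
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    rec = dict(body, mac=hmac.new(key, _canonical(body), hashlib.sha256).hexdigest())
    log.append(rec)
    return rec


def verify_chain(log: List[dict], key: bytes = LOG_KEY) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return i   # a record before this one was removed or reordered
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return i   # this record's content was changed (or the key is wrong)
        prev = rec["mac"]
    return -1


def sample_log() -> List[dict]:
    """Constructed events with the fields the page lists for audit reports."""
    log: List[dict] = []
    append_record(log, user="alice", event_type="login", timestamp="2019-10-15T08:00:00Z",
                  success=True, origin="10.0.0.5", target="analytic-cloud-portal")
    append_record(log, user="alice", event_type="export", timestamp="2019-10-15T08:02:11Z",
                  success=False, origin="10.0.0.5", target="dataset:scores-q3")
    append_record(log, user="svc-batch", event_type="config-change", timestamp="2019-10-15T08:05:40Z",
                  success=True, origin="10.0.1.9", target="scoring-engine")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[1]["success"] = True          # flip a failed export to "success"
    print("after edit:", verify_chain(log))
```

One caveat a practitioner should keep in mind: a chain like this catches modification, deletion and reordering inside the log, but not removal of the newest records, since a shorter chain is still internally consistent. That is exactly the gap the first bullet closes: the replica on the centralized log server (or a periodically signed record count) lets the verifier notice that the tail has gone missing.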

Privacy & Compliance Center

The FICO Analytic Cloud is specifically designed to provide the most stringent security and privacy controls, including compliance with the standards of GDPR (Article 32), PCI-DSS and ISO27001.

PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for all organizations that process, store, transmit and manage payment card data.

FICO has adopted PCI development standards across its software development function (i.e., for all application development work, regardless of the application’s intended use). PCI-DSS certified applications mean that the solutions as delivered through the FICO Analytic Cloud adhere to or meet all the PCI Security Standards and have been certified by an independent assessment organization. For these applications, a PCI Attestation and Report of Compliance (AOC/ROC) is performed annually by an external, highly qualified security assessor.


FICO is also a participating organization of the PCI Security Standards Council and a contributor to the PCI compliance standards setting process. To learn more, please visit: www.pcisecuritystandards.org.

ISO 27001

The FICO® Analytic Cloud is built and managed to the ISO27001:2013 standard, which provides requirements for establishing, implementing, maintaining and continually improving an information security management system. ISO27001 has been implemented as the structural foundation for FICO’s Information Security policies and program.

Data Privacy and the General Data Protection Regulation (GDPR)

The FICO® Analytic Cloud provides a secure environment that enables our customers to comply with the GDPR data privacy and security requirements. The EU’s GDPR assigns different responsibilities to the roles of “controller” and “processor.” When FICO offers a cloud solution, FICO is a processor, processing information on behalf of our clients (controllers). The GDPR requires processors of personal data to follow certain privacy principles (Article 5):

• Lawfulness, fairness and transparency — Data is collected and processed lawfully, fairly and in a transparent manner in relation to the data subject.

• Purpose limitation — Personal data has been collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

• Data minimization — Information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

• Accuracy — Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

• Storage limitation — Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

• Integrity and confidentiality — Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The FICO Analytic Cloud is designed using these principles, as well as the practice of privacy by design (Article 25). The FICO Data Protection Officer and privacy team oversee our data privacy strategy and work to ensure we meet all requirements in the geographies where our customers operate. Another critical component to ensuring our continued success is incorporating privacy by design and privacy by default in software development as well as in the processes and systems we create. When you use FICO software, you will appreciate the extra steps taken to ensure you are able to meet the data privacy requirements of your regulators wherever your customers are.


Further, FICO security complies with the standards of GDPR (Article 32), PCI-DSS and ISO27001. We have implemented technical and organizational measures (TOMs) to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data. Reports of compliance, certifications and security are available upon client request.

Privacy Shield

When transferring personal data from the European Union to the United States, Privacy Shield requires compliance with EU data protection requirements. FICO’s participation in Privacy Shield means that data transfers of personal information from EU countries may be made to locations in the United States in compliance with EU privacy law. FICO has signed up for the Privacy Shield principles of notice; choice; onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. For more information, please visit: www.privacyshield.gov.

Third-Party and Customer Verification

Our security standards are subject to independent assessment and certification by accredited third parties. In addition, we have undergone customer assessments by many of the most security-sensitive companies in the world, including some of the largest global banks. Reports of compliance, certifications and security are available upon client request from FICO.

Physical Data Centers — Security & Operations

For public cloud deployments, FICO has partnered with Amazon Web Services (AWS) to provide secure data centers. For private cloud deployments, FICO manages these data centers. For certain offerings, an Oracle or other cloud infrastructure may be used. For all cloud deployments, FICO’s Security Operations Center works to ensure that the infrastructure is hardened and monitored to meet our stringent security requirements.

Security Operations Center

FICO has a dedicated, internal team of experts who continuously monitor the FICO® Analytic Cloud and support clients from its Global Operations Center. FICO provides 24/7 support with warning and critical thresholds configured to alert the FICO team of any potential degradation or interruption of service. A dedicated client-facing support organization focuses on providing the highest levels of customer support.

FICO Data Center Security (Private Cloud)

The globally dispersed data center infrastructure utilizes industry best practices to minimize downtime, maintain tight security and protect against malware. The best practices of the FICO data center environments include:

• Physical and electronic safeguards that are regularly updated

• Physical and electronic access based on the principles of need-to-know and least privilege, meaning all access must be granted in a manner that allows only the necessary rights to perform the function of the defined role

• 24/7 monitoring and client-facing support from FICO’s Global Operations Center

• Industry-standard disaster recovery capabilities

• Geographically diverse data centers

AWS Data Center Security (Public Cloud)

FICO partners with Amazon Web Services (AWS) to provide high-performance public cloud delivery. In addition to an elastic cloud infrastructure, AWS provides proven security, PCI compliance, and breadth and depth of secure cloud capabilities.

AWS uses redundant and layered controls, continuous validation and testing, and 24/7 monitoring and protection. The FICO® Analytic Cloud managed services are compliant with the AWS Well-Architected Framework, which is designed to help cloud architects build the most secure, high-performing, resilient and efficient infrastructure. Clients using the public cloud will benefit from data centers and network architecture built to satisfy the most stringent security and privacy requirements.

In addition to AWS security controls, FICO provides additional layers of security on top of this infrastructure, including platform hardening and monitoring and logging. Security requirements and standard configurations are developed and maintained in partnership with the FICO Cybersecurity team.

Additional Questions?

We take security seriously, and if you have questions or need information beyond what we’ve covered in this white paper, please contact your client partner or visit us at www.fico.com.

About FICO

FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956 and based in Silicon Valley, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO holds more than 190 US and foreign patents on technologies that increase profitability, customer satisfaction and growth for businesses in financial services, telecommunications, healthcare, retail and many other industries. Using FICO solutions, businesses in more than 100 countries do everything from protecting 2.6 billion payment cards from fraud to helping people get credit to ensuring that millions of airplanes and rental cars are in the right place at the right time.

FOR MORE INFORMATION www.fico.com www.fico.com/blogs

NORTH AMERICA +1 888 342 6336 [email protected]

LATIN AMERICA & CARIBBEAN +55 11 5189 8267 [email protected]

EUROPE, MIDDLE EAST & AFRICA +44 (0) 207 940 8718 [email protected]

ASIA PACIFIC +65 6422 7700 [email protected]

FICO is a registered trademark of Fair Isaac Corporation in the United States and in other countries. Other product and company names herein may be trademarks of their respective owners. © 2019 Fair Isaac Corporation. All rights reserved. 4638WP_EN 09/19 PDF