BigFix Patch
BigFix Patch delivers 98%+ first pass patch success rate, remediating vulnerabilities at speed. Patch is delivered in BigFix Lifecycle and BigFix Compliance.
BigFix Trust Center
Built upon Trust.
BigFix delivers the reliability and security our clients depend upon.
BigFix Trust Center
Software security is critically important to HCL and our valued clients. It is also central to the way BigFix is developed. The HCL security strategy covers all aspects of our business, including corporate and organizational security policies, incident management and response, business continuity and disaster recovery, secure software development processes, and privacy.
This web page specifically addresses the BigFix secure development process, as well as our company and product certifications important to our commercial and government customers. It conveys how the BigFix solution helps IT and Security teams secure their endpoint fleet.
“As the executive responsible for HCL Software security, I have a global responsibility in securing our systems and data, defining our security vision and strategy, and building and executing our risk and compliance programs. Most importantly, I oversee our secure development lifecycle that delivers a systematic approach to eliminating software risk. Security policies and checkpoints govern each step of our development lifecycle from design to coding, testing, and deployment. Our internal security team also employs independent external security researchers to validate the security across our entire software portfolio.”
- Joseph Rubino, Vice President & Global Chief Information Security Officer (CISO) at HCL Software
Secure Product Development
HCL Software adheres to stringent development processes to protect the code we develop and provide to both our commercial and government customers.
Additionally, BigFix content is protected in several ways. First, the BigFix Content Servers are running in secure data centers. Second, file access control lists (FACL) limiting access and changes to authorized users. And lastly, BigFix content itself is cryptographically signed during the secure build process. Content that is not signed correctly is rejected by BigFix servers and logged as an error. As a result, content downloaded by our customers from the BigFix Content Servers is protected and secure.
Secure Product Support
Our Product Support teams protect our customer data and information by collecting only vital information, limiting access to customer contact information and case data to only those who are actively working to troubleshoot the reported problem, and encrypting customer sensitive information making it unreadable to anyone other than the intended party. Our data protection policy includes:
- Collecting only vital company and contact information.
- Communicating customer information and data via HTTPS and Transport Layer Security (TLS) protocols.
- Sending diagnostic data via SFTP or HTTPS using TLS protocols and encrypting stored data using the AES algorithm.
The HCL Software Support organization has achieved ISO27001 certification. External auditors have reviewed HCL Software’s practices, policies, and procedures and found that our Information Security Management System (ISMS) meets the requirements of the standard. ISO 27001 compliance demonstrates our ability to protect our client’s data and information.
BigFix Security Bulletins
The HCL Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of reported security vulnerabilities for HCL Software product offerings. The PSIRT coordinates with product development teams who investigate reported security vulnerabilities and identify the appropriate response plan. Once a response plan is identified, the product teams communicate with internal and external parties in the execution of our vulnerability response process. For more information, visit the HCL Software PSIRT page.
The HCL PSIRT publishes Security Bulletins to our customers and partners. Each Security Bulletin describes the CVE and points to additional details and remediation. A list of BigFix Security Bulletins can be on the HCL Software Community Forum.
Product Certifications
HCL collaborates with a variety of organizations who evaluate our compliance to industry security so that our customers and partners can be assured of our product integrity. For more information about HCL Software corporate compliance, visit the HCL Software Compliance page. The following HCL and BigFix certifications have been obtained or are in progress as indicated below).
ISO-20243 certification is an Open Trusted Technology Provider™ Standard (O-TTPS) for mitigating maliciously tainted and counterfeit products. It is a set of guidelines, recommendations and requirements that help assure integrity in technology development and to prevent maliciously tainted and counterfeit products from entering the global supply chain. The standard is focused on verifiable processes and implementation proof points to address the concerns of customers, integrators, suppliers, auditing, regulatory organizations, as well as best practices for implementation throughout all phases of a product’s life cycle: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
ISO-20243 certification for Secure Supply Chain
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization. In adherence to ISO/IEC 27001, the HCL Software Security and Compliance Team was formed to protect the critical information assets by implementing and continually improving an ISMS to help ensure that its applicable information security objectives are met, and the ISMS is able to adapt to internal and external changes. The goal of the ISMS is to protect HCL Software and its customers information assets from threats identified, whether internal or external, deliberate or accidental.
ISO/IEC 27001 Certifications
Common Criteria (or CC) is an international standard for computer security certification. It provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that corresponds with its target use environment.
The OSCI has completed the evaluation of HCL BigFix V10. OCSI manages the assessment and certification of IT security systems and products.
Common Criteria Certification
BigFix Compliance adheres to the Security Content Automation Protocol (SCAP) V1.3. The SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.
BigFix Compliance V9.2 has obtained SCAP v1.2 certification and BigFix Compliance V10 is in process for SCAP v1.3 certification.
Security Content Automation Protocol (SCAP) Certification
Link to Certification document to be provided when available
CIS Benchmarks are provided as best practices to secure operating systems and software to eliminate any configuration related vulnerabilities for cyber-attacks.
BigFix Compliance V10 is the latest to receive the CIS Security Software Certification for CIS Benchmarks.
CIS Security Software Certification
US Federal Government Considerations
US Federal Government Customers should
visit BigFix for the US Federal Government to learn more.
Your Privacy
We are committed to protecting the privacy of visitors to our websites, individuals who register to use the products and services, individuals who register to attend our corporate events and webinars, and our business partners. For more information, see the HCL Privacy Statement.
BigFix helps IT and Security teams improve security compliance
BigFix secures workstations and servers, regardless of location, connection or status. BigFix delivers a set of effective solutions that enhances our client’s ability to secure their organization’s endpoints against cyberattacks and threats.
BigFix Inventory
BigFix Inventory identifies unknown and unauthorized software that could pose a security risk. Once identified, risky software can be removed or uninstalled.
BigFix Compliance
BigFix Compliance continually monitors endpoints, ensuring they adhere to organizational security policies and security benchmarks published by CIS, DISA STIG, and PCI DSS.
BigFix integrations
HCL and our partners deliver integrations with leading solutions that help identify, prioritize and speed remediation of vulnerabilities.
Summary
Our valued clients can rest assured that we keep security foremost in our minds as we develop, test and deliver effective and secure endpoint management solutions to our commercial and government customers. For more information, please contact us.
