For decades, Arm has been working with researchers and other technology companies to secure devices from chip to cloud. Arm continues to build on that history with the recent expansion of our end-to-end security offerings that address market requirements for developer-friendly, deterministic, real-time embedded and IoT applications. At Arm, security is never an afterthought.
Our commitment to security extends beyond continuously improving and innovating security in our technology and is reflected in how we respond to vulnerabilities, engage with our partners, and even train our staff.
Security Vulnerability Reporting
Security is a top priority at Arm, and we welcome feedback from researchers and the security community to improve the security of products and services. We operate a coordinated disclosure policy for managing vulnerabilities and other security issues, and for quickly providing advice and mitigation.
The Importance of Security
Any time a device is connected to the internet, it’s likely to be hacked. If the device has value or can be repurposed, for example to support a denial of service attack, people spend time and money looking for exploitable vulnerabilities. While Arm IP is used as the base technology for many types of devices, the collaborative design enhancement process that results in the final product can introduce security flaws. These poorly designed products can end up causing reputational and financial damage to companies.
Arm’s Approach to Security
A key goal of security is to make attacks on a system uneconomic. Increasing the cost, time and difficulty of attacks makes it likely that fewer will succeed.
Arm has developed the Platform Security Architecture (PSA), which recommends that a security analysis of a system consider the assets that need to be protected and the likely threats that are considered in scope. This threat analysis informs a set of security requirements for protecting the confidentiality, integrity or availability of parts of the system. For example, cryptographic keys might need to be kept secret, an identity might need to be protected against modification, or software might need to prove that it is the genuine version from the OEM.
More information on Arm’s approach to security can be found in the Arm Security Manifesto, an annual report published by Arm detailing security threats, trends, and solutions.
Security Management at Arm
Arm established its internal security management system (ISMS) to manage security within a defined scope.
Arm makes security decisions by identifying the risks to the confidentiality, integrity, and availability of its information assets. Arm then mitigates risks to an acceptable level determined by the customer and organization’s business needs.
The level of protection imposed by Arm is commensurate with the sensitivity of the confidential information protected by the ISMS. Arm’s management system is based upon ISO 9001:2015 (Quality Management Systems).
Arm monitors and assesses the effectiveness of its security controls on an ongoing basis.
Monitoring provides the feedback necessary to identify deficiencies and to continually improve Arm’s ISMS.
Commitment to Confidentiality
Arm is committed to protecting the security of non-public information. More specifically, Arm will maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of Non-Public Information; protect against reasonably anticipated threats to the security of Non-Public Information; and protect against reasonably anticipated loss, misuse and unauthorized access, disclosure, alteration, or destruction of Non-Public Information consistent with applicable law. The level of security protection will be commensurate with the sensitivity of the information protected and will align with the strategic direction of the company.
Information Security Policy at Arm
Arm maintains an enterprise information security policy based upon the NIST Cyber Security Framework and ISO 27001:2013. The Security Policy is the highest-level policy document used to implement the Arm ISMS. All other security documentation (other than this ISMS Policy) is subordinate to the Security Policy. The Chief Information Security Officer, Security Council and the Compliance Committee must approve any major revisions and substantive amendments to the Information Security Policy.
Employee Security Training
All Arm employees are trained on relevant security topics, including reporting security incidents, and annual security memos are sent to all employees. Pursuant to the Security Awareness and Training Management Plan, Arm conducts refresher training at least annually for members of its workforce.
Arm assesses its information security posture and its ISMS on a regular basis, or when changed circumstances require a re-evaluation. This document, as well as other security documentation, is reviewed at least annually.
Security Management Team
Arm has established an Enterprise Security team of experts on security and risk management, charged with overseeing all internal security practices. Focus areas include training and guidance, risk management, vulnerability management, security controls, and monitoring and response.