
Security Commitments

As an organization dedicated to protecting and securing our customers' applications, Synopsys is equally committed to our customers' data security and privacy. This statement is meant to provide Synopsys' customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.

Information Security Policy

Synopsys has defined and published a set of information security policies which is:

  • Based on ISO 27001, ISO 27002, NIST SP 800-53, NIST SP 800-171, and NIST CSF
  • Approved by management
  • Communicated to all employees and relevant external parties
  • Reviewed annually by stakeholders

Product Security Assessments

Synopsys regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

  • Product-on-product (PoP) testing: each release of a product is scanned for security vulnerabilities.
  • In-depth internal security assessments: for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
  • Threat modeling: for major new releases, Synopsys creates and/or updates threat models that provide a baseline for other security testing activities.

Security for Software as a Service

  • Our SaaS offerings run on industry-leading cloud service providers known for their security and protections, and must meet or exceed a rigorous set of security assessments and security control requirements defined by Synopsys.
  • In addition to the security provided by our cloud service provider (CSP), Synopsys uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Privacy

Please see our Privacy at Synopsys page, which contains our Data Privacy and Protection Statement and our Website Privacy Policy.

Incident Management

  • Synopsys has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
  • The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
  • Synopsys will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.

Network Security

  • Synopsys has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
  • Network environments are physically and logically segregated; customer data are logically segregated.
  • Security alerts are monitored 24x7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
  • Vulnerability scans are performed daily.

Encryption

  • All customer data are encrypted in transit and at rest. Beyond mass-storage encryption, sensitive data are also secured using application-layer encryption.
  • All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better.
  • All persistent data are encrypted at rest in the CSPs using AES 256-bit encryption or better.

Availability, Backup, and Disaster Recovery

  • High availability is achieved using the native cloud orchestration capabilities of Azure.
  • If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region.
  • In general, across all types of disaster situations, including failures beyond core infrastructure, Synopsys' recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.
  • Synopsys maintains a certification for Business Continuity Management System, ISO 22301:2019.

Access Management

  • Only the customer has access to their own data. If Synopsys employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
  • Multi-factor authentication (MFA) capability is provided to customers for accessing Synopsys applications.

Logging and Monitoring

  • User and system administrator activities are logged and:
      • Routed to a centralized SIEM for monitoring, analysis, and alerting
      • Protected from tampering
      • Retained for at least one year

Change Management

  • Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
  • All changes are logged via a ticketing system, and approvals are required and tracked.
  • The technical review includes a risk assessment and all other technical aspects of the change.

Compliance

ISO 22301 Business Continuity Management Certified

SOC 2 Type 1 / SOC 2 Type 2

Covering security, availability, and confidentiality

TISAX certification

Synopsys has completed a Trusted Information Security Assessment Exchange (TISAX) assessment. This standard provides the European automotive industry a consistent, standardized approach to information security systems.

Scope: EDA Level3 with Prototype - 2024 | S6NMKN
Scope: Information with High Protection, PikeTec - Europe - 2024 | SWH934 | AP9W24-1


Inquiries

Please contact securityassessment@synopsys.com for further inquiries regarding security at Synopsys.