About Lenovo Product Security
Lenovo: Taking Action on Product Security
With the fast pace of product development and the constant threat from hackers, no manufacturer can guarantee that its products will be 100% free from vulnerabilities. However, Lenovo understands that it must deliver products and solutions that not only have the functionality that customers want, but also provide the technology required to protect the confidentiality, integrity, and availability of their data. To meet this challenge, Lenovo is working to protect our customers against constantly evolving security threats.
Accordingly, Lenovo has built a dedicated team of security professionals with expertise in the following areas:
- Security Architecture - Drive technical compliance on product design and strategy
- BIOS/Firmware/Application Security - Code review and authentication
- Ethical Hacking - "White Hat" vulnerability testing
- Supply Chain - Thorough security review of each supplier that provides components, assemblies, firmware, software and customer configuration
- Customer Support - Address customer concerns and questions
- Incident Response - Risk mitigation, and issue remediation
- Project Management - Oversight of contract vendors, and managing implementation of programs
- Customer Awareness - Communications of security incidents and strategy
We use this expertise to address security concerns across our products and services, and we continually look for potential risks and how to resolve them.
Lenovo’s product security management system is set up to drive security throughout the product life cycle, from development and manufacturing to customer support, striving to ensure security is "built into" our products, not "bolted on."
- Product security oversight, or governance, is integrated into this process to help ensure product development is following proper, secure processes, especially in the areas of BIOS and firmware creation and distribution.
- From the initial planning of our products, we strive to incorporate the critical security features our customers need.
- Throughout the development and test process, Lenovo’s ethical hacking program provides insight into potential customer issues so they can be fixed before shipment.
- Ongoing training programs help ensure that key personnel are up to date on critical security issues and how to address them on specific products.
There is a stringent process for qualifying product suppliers, including supply capability and quality standards. Lenovo also evaluates each supplier’s full development and manufacturing process to help them identify and mitigate security risks. Suppliers are contractually obligated to meet Lenovo’s security requirements. Once qualified, suppliers are re-evaluated on a regular basis, requiring an ongoing effort to keep up to date with security technology and practices.
Lenovo aims to protect products throughout the supply chain. Key components are labeled to address the risk of counterfeiting. Critical parts are controlled by suppliers and are traceable throughout the assembly process. The suppliers’ processes for loading firmware and software are thoroughly evaluated to minimize the possibility of malware being introduced into the product. Finally, Lenovo uses secure packaging and product tracking techniques from shipment through delivery.
Lenovo’s work to ensure the security of its products and supply chain has been recognized by Chain Security, LLC, one of the leading security firms in the United States. This conclusion comes after almost three years of detailed study into Lenovo’s security processes, corporate governance and supplier programs. The result of this analysis is a 20-page Letter of Attestation in which Chain Security details their work with Lenovo, the changes and improvements Lenovo has made in the last two years and Chain Security’s conclusion that Lenovo “is likely ahead of the industry” in terms of these security processes.
Lenovo provides post-sale security support that includes: 1) software or firmware security updates, and 2) replacement of designated parts. These processes are designed to protect the customer and help keep their products secure.
A critical part of the Lenovo Product Security Office is the Product Security Incident Response Team (PSIRT). No product is 100% immune to security threats and vulnerabilities, so Lenovo is committed to minimizing any risks or vulnerabilities that impact our products. Lenovo PSIRT works with others in the industry to discover and understand the latest vulnerabilities or threats that could pose a risk to Lenovo products, and then releases fixes to address them. Lenovo product security advisories can be seen here: https://support.lenovo.com/product. New vulnerabilities can be reported by contacting the Product Security Incident Response Team at firstname.lastname@example.org.
The technology in our products has made Lenovo an industry leader. Lenovo knows and understands that it must continually earn the trust and confidence of our customers and those in the security community. We recognize that we can always do better and are committed to pursuing and following industry best practices.