With the fast pace of product
development and the constant threat from hackers, no manufacturer can guarantee that its
products will be 100% free from vulnerabilities. However, Lenovo understands that
it must deliver products and solutions that not only have the functionality that
customers want, but also provide the technology required to protect the confidentiality,
integrity, and availability of their data. To meet this challenge, Lenovo is
working to protect our customers against constantly evolving security threats.
Accordingly, Lenovo has built a dedicated team of security professionals with
expertise in the following areas:
- Security Architecture - Drive technical compliance on product design and strategy
- BIOS/Firmware/Application Security - Code review and authentication
- Ethical Hacking - "White Hat" vulnerability testing
- Supply Chain - Thorough security review of each supplier that provides components, assemblies, firmware, software and customer configuration
- Customer Support - Address customer concerns and questions
- Incident Response - Risk mitigation and issue remediation
- Project Management - Oversight of contract vendors and managing implementation of
- Customer Awareness - Communications of security incidents and strategy
We use this expertise to
address security concerns across our products and services and are continually looking
for potential risks and how to resolve them.
Lenovo’s product security management system is set up to drive
security throughout the product life cycle, from development and manufacturing, to
customer support, striving to ensure security is "built into" our products, not "bolted
- Product security oversight, or governance, is integrated into this process to help
ensure product development is following proper, secure processes, especially in the
areas of BIOS and firmware creation and distribution.
- From the initial planning of our products, we strive to incorporate the critical
security features our customers need.
- Throughout the development and test process, Lenovo’s ethical hacking program
provides insight into potential customer issues so they can be fixed before
- Ongoing training programs help ensure that key personnel are up to date on critical
security issues and how to address them on specific products.
There is a stringent process for qualifying product suppliers,
including supply capability and quality standards. Lenovo also evaluates each supplier’s
full development and manufacturing process to help them identify and mitigate security
risks. Suppliers are contractually obligated to meet Lenovo’s security requirements.
Once qualified, suppliers are re-evaluated on a regular basis, requiring an ongoing
effort to keep up to date with security technology and practices.
Lenovo aims to protect products throughout the supply chain. Key components are
labeled to address the risk of counterfeiting. Critical parts are controlled by
suppliers and are traceable throughout the assembly process. The
suppliers’ processes for loading firmware and software are thoroughly evaluated to
minimize the possibility of malware being introduced into the product. Finally,
Lenovo uses secure packaging and product tracking techniques from shipment through
Lenovo’s work to ensure the security of its products and supply chain has been
recognized by Chain Security, LLC, one of the leading security firms in the United States.
This conclusion comes after almost three years of detailed study into Lenovo’s security
processes, corporate governance and supplier programs. The result of this analysis is a
20-page Letter of Attestation in which Chain Security details their work with Lenovo, the
changes and improvements Lenovo has made in the last two years and Chain Security’s
conclusion that Lenovo “is likely ahead of the industry” in terms of these security processes.
Lenovo provides post-sale security support that includes:
1) software or firmware security updates, and 2) replacement of designated parts. These
processes are designed to protect the customer and help keep their products secure.
A critical part of the Lenovo Product Security Office is the
Product Security Incident Response Team (PSIRT). No product is 100% immune to security
threats and vulnerabilities, so Lenovo is committed to minimizing any risks or
vulnerabilities that impact our products. Lenovo PSIRT works with others in the
industry to discover and understand the latest vulnerabilities or threats that could
pose a risk to Lenovo products, and then pushes fixes to address them. Lenovo
product security advisories can be seen here: https://support.lenovo.com/product.
New vulnerabilities can be reported by contacting the Product Security Incident
Response Team at firstname.lastname@example.org.
The technology in our products has made Lenovo an industry
leader. Lenovo knows and understands that it must continually earn the trust and
confidence of our customers and those in the security community. We recognize that
we can always do better and are committed to pursuing and following industry best