2015 Corporate Responsibility Report

Governance

Data Privacy and Security

At Northrop Grumman, our objective with data privacy and information security is clear: safeguarding our computing environments, products and the data our customers, business partners and employees entrust to us. Information security and data privacy are critical components of our corporate risk management processes.

The Corporate Privacy Office is charged with implementing our corporate commitment to respect the privacy of individuals, including employees, whose personal information we possess. We employ a Privacy Governance Framework designed to implement a comprehensive set of personal information protections including privacy training and awareness initiatives, access controls, internal and third-party supplier risk assessments, and other risk mitigation measures.

Successfully protecting our products and computing environments from cyber threats is vital to Northrop Grumman's business operations. Our comprehensive Information Security Governance framework includes policies and standards governing computing environments and company-wide services that enhance our overall security posture. It focuses on identifying, avoiding and mitigating evolving cyber threats. Key elements of our information security program include:
Maintaining and Retaining Information Security Talent: We are passionate about investing in our highly talented information security workforce to ensure these dedicated employees, including incoming cyber professionals, have access to the necessary information, tools and training to perform their jobs.
Investment in Technology: We deploy multilayered defenses, including our own leading-edge technologies and innovative solutions, in an effort to protect our computing environment and products from cyber threats. Focused on the evolving threat landscape and associated risks, we regularly evaluate new technologies to maintain our security posture.
Third-party Risk Assessments: Before hosting sensitive data in a computing environment managed by a third party, we conduct an information security assessment and implement contractual provisions.
Training and Awareness Program: We understand that our employees' ability to identify, avoid and mitigate cyber threats is a crucial element of our information security program. Among the elements of our training and awareness program are mandatory annual training and email spear phishing exercises.
Information Sharing and Collaboration: As a developer of innovative solutions to complex global security challenges, we know the value of collaborating with government, customer, industry and supplier partners. Sharing information and engaging with other organizations enhance our ability to protect our own networks and can substantively contribute to the overall security posture of others. We participate in multiple cybersecurity-related information-sharing programs and are committed to continuing our work with government and other private entities, including our business partners, to address cyber threats.