Webex Compliance—How to Protect Your Data
by Aware
Cisco Webex is designed for hybrid collaboration environments, providing tools for seamless communication between remote individuals across various devices and locations. Enterprises of all sizes can use Webex to accommodate different work styles and industry needs. What’s important to understand is whether Webex offers security and compliance features for businesses in highly regulated industries to safeguard sensitive data and maintain a secure compliance posture. We’ll discuss how Webex’s existing compliance features work and any challenges and solutions within the platform.
Contents:
- Are there compliance challenges to using Webex?
- Regulatory compliance in Cisco Webex
- Is Webex HIPAA compliant?
- Is Webex PCI compliant?
- Is Webex GDPR compliant?
- Other FAQs on Webex compliance
- Does Cisco sign a BAA for Webex users?
- What Webex settings should administrators use for compliance?
- 5 ways Webex protects sensitive information
- What are the security standards of Webex?
- How does Webex ensure data protection and compliance with international privacy laws?
- How does Webex ensure data retention compliance for enterprise users?
- How Aware improves compliance in Webex by Cisco
Are there compliance challenges to using Webex?
As a platform, Cisco offers compliance tools and features within Webex. Still, there are reasons for organizations to remain vigilant and implement their own robust policies and procedures to manage data compliance regarding regulations they’re subject to.
Some of the challenges users of Webex may face include:
- Sensitive data sharing: It’s relatively simple for users to unintentionally share sensitive data through personal messaging on the business platform. However inadvertent, these incidents can lead to data breaches or compliance violations.
- Multiple communications channels: With Webex’s varied communications methods like screen sharing, webcams, whiteboards, and chat, there are specific regulatory requirements that can be a challenge to manage.
- Content retention: Enterprises must ensure all relevant content is captured and retained according to compliance standards.
- Comprehensive monitoring: Webex needs a way for compliance officers to search through conversations and meetings when the need arises, which can be a challenge when there’s a high volume and many data types.
- Data retention policies: Managing data retention across the platform, especially for former users, can be complex and requires careful implementation.
- Ephemeral content: Reactions, emojis, and GIFs are frequent ways people communicate , and these aren’t easily captured for compliance purposes, creating gaps in the record.
- External participants: When collaborating with outside parties, such as contractors and vendors, compliance becomes a challenge as organizations have less control over their devices and data usage.
- Proxy authentication: eDiscovery support for certain proxy authentication methods may be limited, potentially complicating compliance efforts.
- Cross-platform consistency: Consistent compliance across many devices and operating systems is a challenge as features and capabilities vary.
- Regulatory updates: Keeping up with changing regulations and updating compliance measures is an ongoing challenge organizations must face.
Whitepaper: An IT leader's guide to compliance, legal, and infosec in collaboration tools
Regulatory compliance in Cisco Webex
Within Webex, there are features provided by Cisco to help organizations to achieve and maintain regulatory compliance. One of the most powerful features is the Webex eDiscovery Download Manager. As well as supporting legal workflows, this tool enables compliance officers to investigate noncompliance incidents in Webex.
eDiscovery Download Manager
The eDiscovery Download Manager allows legal and compliance offers to access and review content from the Webex App and Meetings. Admins can download and analyze compliance reports which include messages, files, whiteboards, and meeting metadata.
To use the eDiscovery Download Manager, compliance officers must install the application to prepare for creating compliance reports, data holds, and retention policies.
Search and generate reports
After installing the eDiscovery Download Manager, compliance officers can create detailed reports by searching user-generated content within Webex. The process involves:
- Accessing the compliance section in the Webex Control Hub.
- Selecting the data types to search (e.g., Webex App, Meetings, etc.).
- Entering search criteria such as email, space names, and date ranges.
- Naming the report and providing a description.
- Initiating the search and report generation.
Once generated, the officers can review and download the reports using the eDiscovery Download Manager tool.
Creating data holds
Cisco Webex does support data holds, which allow compliance officers to preserve specific user content that may be subject to legal or compliance investigation and prevent it from being purged by retention policies.
- Log into the Webex Control Hub with an administrator account.
- Navigate to the “Compliance” section.
- Locate the “Legal Hold” feature.
- Create a new legal matter.
- Specify the custodians whose content needs to be preserved for the hold.
- Define the scope—what types of content should be included in the hold, (e.g., messages, files, whiteboards, and Meetings content).
- Set the duration for the data hold to remain in effect.
- Activate the hold by confirming it for the selected custodians and content.
Once created, it will preserve all relevant content regardless of the standard retention policies, preserving the data in the event of litigation or regulatory action.
Creating retention policies
Organizations may set custom retention periods for Webex Messaging and Meetings content. Administrators can:
- Define organization-wide data retention policies.
- Set separate retention values for one-on-one and group chat spaces.
- Align retention timeframes with organizational policies.
- Automatically purge data older than the specified retention period.
All of these features enable enterprises to manage risks and align with various regulatory bodies around the globe to some degree. By using these tools, companies can better control their content lifecycle within Webex and maintain data security.
Is Webex HIPAA compliant?
HIPAA is legislation that applies to any covered entity managing protected health information (PHI). HIPAA legislation defines PHI as uniquely sensitive information, and the regulations stipulate how healthcare entities should store, transmit, and access this data.
The HIPAA Privacy Rule outlines parameters for what covered entities may disclose of a patient’s PHI. The Privacy Rule also affirms patients’ rights to their own health records and limits how sharing of those records is conducted.
Cisco has audited the Webex security features already in place to protect sensitive information to ensure they comply with the HIPAA Privacy Rule. However, these are features that must be opted into. Healthcare-focused organizations must enter the settings to enable the correct configurations to achieve HIPAA compliance in Webex.
These settings include securing sensitive data with the safeguards provided by Webex, continuing to train employees to ensure they follow HIPAA guidelines when accessing or disclosing PHI, and signing a Business Associate Agreement (BAA) with Cisco.
The true scale of collaboration data noncompliance—we analyzed 6.6 billion messages to bring you the facts.
Is Webex PCI compliant?
Payment Card Industry Data Security Standards (PCI DSS) are standards that ensure all companies that accept, store, process, or transmit payment card information (PCI) maintain a secure environment for that data. The standards increase security around cardholder data and reduce the risks of credit card fraud.
Webex is PCI compliant with features that help organizations meet PCI DSS requirements surrounding PCI handling.
- Webex Contact Center protects customer organizations from data loss while using voice and digital channels.
- The Webex Calling feature SecureCall delivers PCI-compliant payments by phone to meet PCI DSS requirements.
These features secure customer interactions involving credit card data during the ordinary course of payment transactions. Organizations must still ensure they apply and use these features correctly to maintain PCI compliance.
Is Webex GDPR compliant?
The European Union enacted the General Data Protection Regulation (GDPR) in 2018, a comprehensive data protection law that sets strict standards for the collection, processing, and storage of personal data of EU residents. The aim is to give individuals more control over their personal information and synchronize data privacy laws across Europe.
Webex supports GDPR compliance through these measures:
- Cisco provides documentation on the functionality, technology, and security of Webex to help organizations conduct risk assessments.
- Webex incorporates encryption for data in transit and at rest to align with GDPR data requirements.
- Cisco offers customizable retention policies and legal hold features that provide organizations the ability to manage data in compliance with GDPR minimization and storage limitation principles.
- Administrators can set access controls and security settings to ensure appropriate data protections are in place.
While Webex provides these features to assist with the GDPR, the organizations using Webex are still responsible for adhering to GDPR compliance requirements by properly configuring the settings, managing their user data, and implementing appropriate acceptable use policies.
Discover what compliance risks lurk in your data—get the analysis now!
Other FAQs on Webex compliance
Does Cisco sign a BAA for Webex users?
A BAA, or Business Associate Agreement, is a contract between a covered entity and a business associate that governs the security and usage of PHI. When a healthcare provider (covered entity) and a technology vendor (Cisco Webex) do business, the healthcare organization needs to ensure the technology they’re using has no gaps that leave PHI vulnerable and expose the health provider to a HIPAA violation.
Cisco will sign a BAA with qualified Webex users to demonstrate their commitment to protecting PHI and complying with HIPAA regulations.
What Webex settings should administrators use for compliance?
There are several settings compliance leaders can enable to ensure varying compliance regulations are met.
- Activate eDiscovery capabilities so compliance officers can search and generate reports on user-generated content. Install and configure the eDiscovery Download Manager.
- Configure data retention policies for Webex Messaging and Meetings to align with regulatory requirements.
- Assign the compliance officer role in the Webex Control Hub, granting them access to compliance features and APIs.
- Configure legal holds to preserve relevant content when litigation is anticipated, thereby preserving data regardless of data retention periods.
- Enable comprehensive logging on compliance officer activities for auditing purposes.
- Manage external participant settings to control how contractors or vendors interact with your company’s Webex spaces and maintain compliance boundaries.
- Enable encryption controls and manage encryption keys to protect sensitive data.
- Enable compliance features for Webex Calling so call detail records can be searched and reviewed.
These steps can enhance their organization’s ability to meet regulatory compliance with Webex.
5 ways Webex protects sensitive information
- Granular access controls that allow administrators to define role-based access and permissions to prevent unauthorized access to sensitive data.
- Secure data centers, operated by Cisco, where Webex stores data. These repositories are at the forefront of security standards and submit to regular assessments and audits.
- Secure meeting features, such as password-protected meetings, waiting rooms, and security controls provide moderators with the means to stop unauthorized participants from joining and keep meeting content and attendance private.
- Data loss prevention (DLP): integration with third-party DLP solutions, and built-in features to inform users about potential data loss risks.
- Compliance tools: eDiscovery capabilities, data retention policies, legal hold functionality.
What are the security standards of Webex?
Webex’s security standards include but are not limited to:
- Encryption methods: End-to-end encryption for messages and user-generated content, Zero Trust end-to-end encryption for Meetings, AES 128 and AES256, SHA 1 and SHA256, and RSA encryption.
- Data protection: end-to-end encryption for files, messages, and whiteboards, Zero Trust security for confidential meetings, and option to choose data location for personally identifying information (PII), messages, files, and whiteboard data.
- Compliance and certifications: ISO 9001, ISO 27001, and ISO 27018 certified, SOC 2 Type II and SOC 3, FedRAMP certified, C5 attestation, and Privacy Shield Framework certified.
How does Webex ensure data protection and compliance with international privacy laws?
Many of the above security standards enable Webex to safeguard data for international privacy, in addition to the following features:
- Data residency: Administrators can verify data locations in the Webex Control Hub, and the EU data residency program stores data in data centers in Frankfurt and Amsterdam for Webex’s EU customers.
- GDPR compliance: Webex adheres to the EU code of conduct for cloud providers, the first official EU code under GDPR, and provides functionality and documentation for organizations using Webex to conduct risk assessments.
- Transparency: Cisco provides customers with a way to see where their data is stored and options for usage and data retention in the Control Hub.
- Administrative controls: Administrators have comprehensive auditing and logging capabilities and the option to delete host and usage information.
- Support for local regulations: Webex meets requirements for regional certifications like German C5 and Spanish ENS.
- Designed for privacy: Webex has built-in privacy features to meet industry and regional requirements.
How does Webex ensure data retention compliance for enterprise users?
There are a number of ways that enterprise users can create retention policies for Webex Messaging and Meetings content in alignment with organizational and regulatory requirements. Webex enables compliance officers to implement automated retention policies and secure data with role-based access controls to preserve data and ensure integrity in its management.
Additionally, Webex allows users to search multiple data types, like messages, files, whiteboards, meeting events, call detail records, and content from users who’ve left the organization, and generate reports or place holds on the data as necessary.
You people are the new perimeter of data compliance and security. Learn how to manage these new risks now.
How Aware improves compliance in Webex by Cisco
Cisco provides a range of security features in Webex that can be set up to meet many compliance requirements for organizations in highly regulated industries, but there may be gaps. After all, Webex is built for collaboration, not specifically for compliance. This is where Aware’s purpose-built AI/ML models can help.
Aware’s proprietary natural language processing (NLP) can identify highly sensitive data—such as PCI, PII, PHI, passwords, code, and more—found in collaboration tools in real time, allowing stakeholders to take proactive steps to mitigate the risk on noncompliance with regulatory or company policies.
With Aware, organizations can:
- Use AI/ML-powered compliance monitoring to ensure that sensitive data is not being shared against a company’s acceptable use policies.
- Notify compliance teams if or when sensitive data is shared so admins can handle each instance appropriately to mitigate fines and compliance violations, potentially saving the company thousands per instance.
- Easily define acceptable use policies and automatically enforce them in ways that don’t overtax the compliance team—from a centralized dashboard that organizes collaboration compliance controls in one place.
- Create role-based access controls to provide the appropriate team members with the proper permissions to handle sensitive data and prevent unauthorized data sharing.
- Make data more accessible with federated searches by multiple parameters in real-time, returning results in hours, not days or weeks.
- Comply with HIPAA, HITRUST, FINRA, PCI DSS, GDPR, and more with rule-based enforcement and ongoing employee education.
- Provide continuous employee coaching in real time about appropriate communications standards that adhere to regulations and compliance requirements, as well as company policies.
With Aware, organizations can put compliance at their fingertips with quick, federated searches, granular data retention policies, and flexibility in search and audit capabilities. When transparency builds trust and compliance is complex, Aware can save time, provide peace of mind, surface real-time results, and improve your risk posture.