COMPLIANCE WITH GLOBAL PRIVACY LAWS, REGULATIONS AND STANDARDS
Textron, like all businesses, handles data that may include personal, sensitive, confidential or proprietary information about our employees, customers and others. We use this information for valid business purposes only and undertake to collect, process and transfer this information in compliance with all applicable laws and regulations in the U.S. and globally.
GOVERNANCE, ENFORCEMENT AND TRAINING
Textron has in place a governance framework and management system which guide the administration of data privacy and the monitoring of compliance throughout the enterprise.
Compliance is enforced via regular privacy risk assessments and audits and regular security audits on our technologies and practices affecting user data. Textron and each of its businesses also conduct regular employee data privacy and security training sessions.
DATA PROTECTION SAFEGUARDS
Information technology security safeguards have long been in place to protect Textron data, including personal data. Data protection safeguards include technical mechanisms to identify and protect against unauthorized access, use or disclosure, internal restrictions on access and a formal, robust, and auditable IT Risk Assessment process for vetting of new information systems or vendors that may access or process confidential or personal information.
Textron protects information assets and cost-effectively manages risk by creating a culture that designs, communicates and operates securely to reduce the likelihood and impact of security incidents. We achieve this objective by:
TEXTRON’S SECURITY CULTURE
Textron has adopted a “Live Secure” approach to our security programs. With this approach, we remind our employees, including those within or outside of the IT function, that their conduct is critical to the success of our information security.
Through our robust security awareness program, we keep our employees apprised of threats, risks and the part that they play in protecting both themselves and the company. One of the key components of this program is conducting regular phishing simulations to increase employee awareness of how to spot phishing attempts and what to do if they suspect an email to be a phishing attack. In addition, educational communications are published on our intranet regularly; employees are required to complete assigned compliance training modules annually or, depending upon the business, more frequently; and our businesses collaborate each October to execute a campaign to promote National Cybersecurity Awareness Month.
CYBERSECURITY TALENT
Our robust cybersecurity professional talent development program includes a cross-functional, cross-business rotational program to ensure our team is well-rounded and experienced. We invest in regular and frequent training to ensure our team members are up to date on the latest technological advancements and threats.
SECURITY POLICY AND COMPLIANCE
Textron’s centrally defined security policies and processes are based on industry best practices and are revisited regularly to ensure their appropriateness based on risk, threats and current technological capabilities. We monitor compliance with these policies and processes through frequent internal audits and a set of robust metrics that assist in protection of our environment.
As a defense contractor, we are additionally obligated to comply with current Department of Defense regulations such as DFARS and are working towards meeting the Cybersecurity Maturity Model Certification (CMMC) guidelines.
BOARD OVERSIGHT
In addition to oversight by executive management, oversight of information security matters is largely conducted by the Audit Committee, which has been delegated this duty by the Board of Directors as reflected in the Audit Committee’s charter. The Audit Committee annually receives a comprehensive presentation on information security and controls from the Chief Information Officer and, as may be necessary for specific topics, follow-up occurs at additional Audit Committee meetings during the course of the year.
SECURITY LEADERSHIP, COLLABORATION & SHARING BEST PRACTICES
Collaboration with our industry partners and government customers contributes to the protection of Textron’s computing environment as well as our military stakeholders. Textron is engaged with various industry groups such as Aerospace Industries Association, National Defense Information Sharing & Analysis Center (NDISAC) and our Defense Industrial Base (DIB) colleagues to ensure that we are aware of and addressing the latest adversarial threats. Additionally, we share cyber best practices to make the industry more secure.
SUPPLY CHAIN SECURITY
Textron has a rigorous process, including a formal IT risk assessment, to assess our suppliers prior to allowing Textron information to be processed, stored or transmitted by third parties. Additionally, we include standardized contractual requirements in each contract where appropriate.
INSIDER THREAT
Protection against insider threats is a critical component of our security strategy, particularly within our defense business units. Processes are designed to evaluate potential insider threats so that appropriate protective measures and responses can be implemented.