Red Hat business continuity for customer confidence
Red Hat maintains a comprehensive business continuity plan down to the business functional level. We have designed our systems and support to keep both Red Hat running and our customers and partners supported, secure, and stable when using our products and technologies.
Red Hat is here for you 24x7
We may be in a unique situation now, but we are using the same business continuity, security, and support processes that have helped our customers survive and thrive during other crises, such as natural disasters, nuclear accidents, industry challenges, or periods of financial distress. At all times, we regularly test business resiliency across our core functions to enable us to serve our customers and partners.
Business Continuity Management policy
The underlying principle of Red Hat’s Business Resilience policies, standards, and guidelines is understanding the impact of any disruption to critical business functions and establishing the necessary procedures to safeguard effective resumption plans for those functions. The policy establishes roles and responsibilities, scope, objectives, and a framework for managing recovery from interruptions to critical business functions.
Red Hat business continuity plans
Critical business functions and processes that support both internal and external customers have implemented business continuity plans with recovery strategies, so that critical business functions will not exceed maximum tolerable downtime (MTD).
Plans are regularly tested and maintained both after use and when significant changes are made to business processes, managed sites, and technology. Plan testing, both scheduled and in response to disruptive events, has successfully demonstrated the effectiveness of the plans and the ability to transfer critical business processes and services to unaffected regions with little to no impact to customers.
Business Continuity Management governance
Red Hat has established Business Continuity Management (BCM) under the sponsorship of the Senior VP of Finance and an executive-level advisory council. The cross-enterprise advisory council regularly reviews business continuity policy, business continuity objectives, and progress.
The business continuity program is supported by full-time, dedicated, certified resources in business continuity, IT disaster recovery, and security. The program includes provisions stated in policy for Business Impact Analysis (BIA), risk assessment, and the creation of response plans with regular training, maintenance, testing and exercises, and updates from lessons learned and management reviews.
Pandemic and third-party planning
Among the scenarios addressed in Red Hat's functional-level business continuity plans are the widespread reduction of critical staff, loss of access to Red Hat’s physical facilities, and loss of critical third-party service providers. The business functions responsible for the critical business processes are geographically dispersed. Plans exist and are exercised to shift critical business services to other regions in the event of a regional disaster, including widespread illness. Business functions identify and annually review critical third parties to establish contingencies and work-arounds should the third party fail.
During this pandemic, we enacted these plans under the cross-organizational, coordinated guidance of our corporate Critical Incident Management Team (CIMT) in support of the business continuity and local site response teams.
Information and product security
The Red Hat® Information Risk and Security Team continuously assesses information risk, and our systems and processes are designed for resilience and security with a view toward global industry expectations and regulations, guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and are regularly tested. This includes:
- Confidentiality of information - meaning that sensitive information and access to data and systems are only available to those who are authorized.
- Integrity of information - meaning that systems and data include protections against tampering and are authentic and genuine.
- Availability of information - meaning that systems and data are accessible as needed by those who are authorized to use them.
The life cycle associated with a Red Hat product identifies the various levels of maintenance for each release of that product over a period from initial release—or general availability (GA)—to the end of maintenance.
Because Red Hat's products have longer life cycles, you benefit by having more choice and flexibility in planning your IT initiatives. By knowing what to expect and by eliminating vendor lock-in, you can reduce costs and uncertainty. For more information on the life cycles and support policies of specific Red Hat products, follow these related links.
Life-cycle and update policies for all products can be found here: https://access.redhat.com/support/policy/update_policies/
Red Hat Product Security provides the guidance, stability, and security needed to confidently deploy enterprise solutions. Any large-scale security vulnerability receives special attention from Red Hat Product Security.
To create the best experience possible for our customers during these critical moments, a specialized vulnerability page is created within the Red Hat Product Security Center that aggregates information, diagnostic tools, and updates in an easy-to-use interface.
Red Hat's Product Security team continues to monitor, investigate, track, and explain security issues relevant to Red Hat products for our customers. We have robust business continuity plans and strategies designed to ensure we continue to work as we always have—to protect customers from meaningful security concerns when using Red Hat products and services.
Our Product Security team continues to be available to address customer concerns, respond to researchers in a timely manner, and coordinate with other open source vendors and projects to remediate issues of significant risk.
Red Hat conducts a series of tests during our product development process, including static and dynamic code analysis. As issues are found, they are reviewed and prioritized by Engineering to be addressed, deferred, or designated as "not applicable." Red Hat does not share the results of our internal tests.
Red Hat has a dedicated Product Security team that maintains an inventory of software packages used across Red Hat software offerings. During software package review, the team will note packages it deems to be of increased risk. These risk assessments consider the history of the open source community project in which the software package was developed and the maturity of the package’s vulnerability handling. For those packages identified to be of greater risk, the team works more closely with the applicable open source community on the application with the aim of introducing additional safeguards.
The Product Security team performs triage on vulnerabilities reported in components used in Red Hat’s software offerings, and such triage is used in the prioritization of mitigations and fixes.
Importantly, any secure coding issue Red Hat discovers and fixes is provided back to the relevant open source community for inclusion in a future release.
Platform security credentials
Red Hat has earned some of the highest security credentials, including those from the U.S. Department of Defense and the National Institute of Standards and Technology. This secure foundation starts with Red Hat Enterprise Linux® with SELinux military-grade security technologies to prevent intrusions and protect data when running on-premises or in public or private clouds.
Red Hat OpenStack® Platform and Red Hat OpenShift® Container Platform are co-engineered with Red Hat Enterprise Linux and inherit all security benefits from it.
Operational risk & compliance
Red Hat managed services
Information Technology (IT) Disaster Recovery (DR) plans include recovery strategies and procedures for the recovery of critical infrastructure, applications, and data.
Red Hat maintains a comprehensive business continuity and disaster recovery (BC/DR) capability, plan, and global team for its managed services offerings, including Red Hat OpenShift Dedicated and Red Hat Managed Integration.
The Red Hat corporate BC/DR plan covers physical assets and personnel protection and safety.
The scope of the BC/DR plan is the continuity and/or recovery of the Red Hat managed services in the event of a natural or man-made interruption of that service. The plan encompasses specific processes and definitions for the recovery point objective (RPO), recovery time objective (RTO), and recovery service level (RSL) of the managed service, as well as the application and system criticality, which also includes the max down time (MDT), RPO, and RTO given the different criticality levels of the application or system.
Red Hat facility security
Each Red Hat managed facility has a Site Emergency Response Plan (SERP) in place to safeguard the health and human safety of associates and guests.
Red Hat provides software support in accordance with the client's subscribed service levels as described in the Production Support Scope of Coverage and Service-Level Agreements.
Red Hat’s Customer Experience and Engagement (CEE) operational support function has established business continuity plans and strategies to enable customer support operations to continue during a disruptive event. Support in this instance includes the telephonic and customer portal availability of Red Hat technical support associates to our client base and the unfettered client access to electronic downloads.
Red Hat CEE deploys support processes pursuant to a “follow the sun” policy in which a geographic region provides regional support and emergency global support during its corresponding normal business or “daylight” hours. Upon each sundown, regional and emergency global support transfers to other geographic regions. Should natural or man-made disasters occur making it impossible for a geographic region to provide support during its appointed schedule, the prior and subsequent geographic regions provide extended coverage until the affected region comes back online.
Data security & privacy
Red Hat restricts access to crucial systems and networks by two-factor authentication and other proven security practice standards. These include, but are not limited to, least-privilege access and records and retention standards.
Red Hat Services engagement for business continuity & virtual engagement
Red Hat Consulting has plans in place for engagement continuity, including remote work and onsite work at our customers' locations, in the event of critical situations. Our existing and in-progress Red Hat Open Innovation Labs residencies continue to enable customers to build their own innovation and applications the Red Hat way, virtually. We now offer a Virtual Open Innovation Labs residency that can help develop digital solutions and accelerate business value while teams are working at home and distributed from each other.
Red Hat Training and Certification has expanded and scaled up our ability to deliver live virtual training classes as a replacement for in-person training events. This expansion includes the addition of courses to our virtual training catalog. Red Hat virtual training is real-time training conducted by live Red Hat-certified instructors in an interactive, virtual environment, giving you the same industry-respected content and hands-on labs as the corresponding classroom-based courses, including virtual lab machines that run actual products. Open source, by design, is based on the contribution of distributed communities. Working virtually is not new to Red Hat Consulting and Training.
Request for proposal (RFP) rapid response
Red Hat has a dedicated team to work with its global sales organization and partner ecosystem for any RFP responses. You can be assured that each request for a proposal or project will be managed by a dedicated account person with a team supporting him/her from across Red Hat, and, if necessary, IBM. We welcome your questions and requirements.