ERBESSD INSTRUMENTS (EI) systems and data are protected by a comprehensive Information Security program detailed in the ERBESSD INSTRUMENTS Security Management System (EISMS). Dedicated security, privacy, information governance, and compliance professionals maintain the program with oversight provided by the Board of Directors in conjunction with senior leadership. ERBESSD INSTRUMENTS Security team conducts risk assessments, performs regular risk reviews, and tracks risks using a documented risk-register process.
ERBESSD INSTRUMENTS Security program supports the following frameworks; NIST Cybersecurity Framework, NIST SP 800-171 for the Protection of Controlled Unclassified Information in Non-Federal Information Systems and Organizations, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Exponent has established policies that cover:
Acceptable Use Policies
|
|
Security Policies
|
|
Access Controls
Access and processing capabilities are limited to authorized users and authorized devices. A unique user ID with a complex password is assigned to authorized users and is required to login. Passwords are required to be changed frequently. Two-factor authentication is required for remote access and access to cloud systems. Administrative functions are facilitated through separate privileged accounts.
Architecture
EI follows best practice for the deployment and maintenance of its systems and for data maintained within EI datacenters and cloud services. Critical data and systems are replicated and backed up to secondary datacenters. Systems are securely designed and are reviewed by the security team before being put into production.
Audit
EI’s Information Security program is regularly audited both internally and externally on an annual basis. EI monitors and audits its security, privacy and information governance (people, processes and controls) to ensure compliance with policies and applicable security/privacy standards. EI conducts an independent external penetration test annually and regularly scans its external and internal networks for vulnerabilities.
Awareness and Education
EI employees, including contractors with EI system credentials, complete regularly assigned security awareness training and receive phishing training exercises. Security bulletins and announcements are shared throughout the year to give timely reinforcement reminders for awareness and education.
Business Continuity & Disaster Recovery
EI maintains a business continuity & disaster recovery plan that is regularly reviewed and tested. EI continuity and recovery considerations include the use of high availability systems, backup services, data replication, and redundant datacenters.
Data Controls
Data is encrypted at rest and in transit, logically separated, and access is granted to authorized users only. File monitoring systems log and monitor access to data while data loss prevention systems monitor the movement of data inside and outside of EI.
Data Privacy
EI is committed to the protection and privacy of data. The protection and management of data entrusted to us is one of our highest priorities. EI follows a least privilege access model and regularly audits individuals’ access to data. EI respects individuals right to privacy and we are consistently working to remain compliant with privacy regulations. Our Privacy Policy can be viewed here.
Endpoint Security
Workstations and mobile devices are encrypted with whole disk encryption and require password, pin, or biometrics to access. Workstation inventories, software deployment, and security policies are controlled through enterprise configuration management. Workstations, mobile device and servers require registration with EI’s device management system. Workstations and servers are protected with advanced endpoint protection, which uses AI to assist in combating threats. IT equipment in EI offices are physically secured.
Incident Response
EI’s security incident response plan dictates that security events be evaluated and escalated when appropriate. A security information and event management (SIEM) system maintains and analyzes security logs. This system is monitored 24×7. Logs are regularly analyzed for suspicious activity and unusual behavior by dedicated security personnel. Memberships with legal, cyber and peer organizations are in place to facilitate timely intelligence sharing and response activities. EI maintains a close working relationship with its vendors, law enforcement and managed security services providers for additional threat intelligence, analysis and response.
Perimeter Security
EI protects data, servers, and endpoints on EI and public networks using best-of-breed security controls. These controls include next generation firewalls, next generation anti-virus/anti-malware, web security, email security and intrusion detection systems. This allows EI to prevent malicious network attacks, access to suspicious or malicious sites, prevent malicious emails or attachments and mitigate zero-day attacks.
Vendor Management
ERBESSD INSTRUMENTS assesses potential vendors against a series of criteria to ensure appropriate security standards before granting a vendor system access or placing systems into operation. Contracts and data processing agreements are reviewed by the Information Security, Privacy and Legal teams before execution. The security posture of key vendors is reviewed on a regular basis.
