Responsible data security practices
In what other ways do we live into this commitment? It starts with continually monitoring data security and privacy trends and threats. We use this information to enhance our enterprise information security program, security operations center and a vendor management program, which assesses third-party information security controls. Our responsible security practices are overseen by our Chief Information Security Officer and Information Security Council. They’re responsible for information asset and technology protection, directing critical incident response planning and testing, and advising on information security initiatives, projects and policies.
We routinely test our industry-compliant procedures for customer identification and authentication, and for helping to contain or prevent data loss if a breach were to occur. Every year, the internal audit team evaluates the effectiveness of our cybersecurity controls in adherence to the Institute of Internal Auditors’ Mandatory Guidance, which includes the International Standards for the Professional Practice of Internal Auditing, the Core Principles for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing — as published and promulgated by the Institute of Internal Auditors. In addition, our information security risk assessment processes are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, combined with fundamentals and concepts from the Factor Analysis of Information Risk (FAIR) methodology.
Employees are trained on information security policies, standards and the appropriate handling of customer data at hire, quarterly and annually. Employees in high-risk roles receive additional advanced training.