Security Documentation

Security and Privacy Documentation for Cloud Services

Our Commitment to Information Security and Data Privacy

HBR Consulting (“HBR”) recognizes the importance of protecting our information systems and networks, and the client data thereon, from unauthorized access, processing, or disclosure. Accordingly, HBR has implemented and maintains an information security and data privacy program (“Security Program”) that is designed to protect the confidentiality, integrity and availability of our clients’ data. We focus our security operations on our mission-critical information and telecommunication networks, systems, assets, source code, software, and applications that are used to retain, transmit, or process client data.

Our Security Program is designed to align with common and accepted information security criteria, standards, and guidelines. Our information security policies and procedures address technical, physical, and administrative security controls and impose obligations on key personnel, such as employees and third-party contractors. Our data privacy guidelines are designed to protect the privacy of client data and ensure clients can adhere to their own data protection obligations.

TECHNICAL SECURITY

Least Privilege

HBR requires that access to its IT environment, including client data, be controlled based on business and operational requirements. Accordingly, HBR shall restrict access to the client data to employees and contractors on a need-to-know basis and shall revoke access where appropriate, including from those employees whose employment is terminated. In addition, code changes and system and network maintenance responsibilities are divided between multiple teams, which ensures multiple employees are required to deploy any code into production. In all cases, administrative access is based on the concept of least privilege; users are limited to the minimum set of privileges required to perform their required job functions.

IT System Passwords

HBR prevents information processing systems from being used without authorization by implementing and maintaining a comprehensive password policy (e.g., required special characters, minimum length, and periodic password changes); automatic blocking (e.g., account lockout after repeated failed password attempts, or session lockout after an inactivity timeout); and the creation of one master record per user, so that every action can be attributed to an individual account.

Transmission Control

HBR implements commercially reasonable measures designed to prevent client data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. For instance, HBR uses Transport Layer Security (TLS) cryptographic protocols to encrypt network data transmissions between the clients and HBR. Moreover, HBR implements secure routing and traffic flow policies designed to ensure that customer-related traffic entering HBR’s environment is encrypted.

Input Control and Integrity

HBR shall employ measures to ensure the integrity and accuracy of client data by implementing IT environment monitoring systems designed to ascertain whether client data has been accessed, altered, or removed from data processing systems, and if so, by whom.

Malware Prevention and Antivirus Protection

HBR implements several measures to prevent, detect, and eradicate malware and other malicious code and viruses. For example, on mission-critical systems HBR deploys commercially available antivirus/anti-malware software that includes 24×7 monitoring and alerting. This software is configured to automatically remove or quarantine any virus or malware that is detected. HBR and its third-party service providers frequently update virus and malware definitions, and certain systems are configured to perform automatic definition updates and real-time scans. HBR may notify clients of any credible virus or malware threats when security updates are available.

Security Incident Response

HBR evaluates and responds to incidents that raise suspicion of unauthorized access to or handling of client data, whether the data is held on HBR hardware assets or on the personal hardware assets of HBR employees and contractors. HBR staff provide 24-hour, 365-day coverage to detect and manage security incidents within IT environments that HBR controls. Upon notification of a security incident, HBR’s Incident Response Team (IRT) defines escalation paths and priorities to address the incident, depending on the type of activity. The IRT will work with the client, the appropriate technical teams, and law enforcement when necessary, to respond to the incident. The goal of the IRT is to restore the confidentiality, integrity, and availability of client data, and to establish root causes and remediation steps. HBR has documented incident response procedures to identify and address incidents where handling of data may have been unauthorized, including prompt and reasonable reporting, escalation procedures, and chain-of-custody practices for evidence collected during the response.

PHYSICAL AND ENVIRONMENT SECURITY

Physical Access Controls

HBR implements physical access controls to limit access to mission-critical IT assets that retain, transmit, or otherwise process client data, including the following: requiring identification credentials and keys to access such IT assets; implementing industry-standard electronic and other physical locks on the entry and exit points to our IT assets; retaining professional staff to monitor security controls; and implementing surveillance technologies, such as alarm systems and CCTV monitoring.

Data Disposal

When HBR or the client terminates the provision of HBR services, or at a client’s request, HBR will delete client data in a manner designed to ensure that it cannot reasonably be accessed or read, unless a legal obligation imposed on HBR prevents us from deleting all or part of the client data. This disposal process aligns with industry standards.

Data and Co-Location Centers

In certain circumstances, HBR stores client data within third-party data and co-location centers. Generally, HBR requires that all hardware within such data centers be separated by concrete walls from other data-center tenants and that racks inside any applicable server rooms be secured with locked cabinets that only authorized personnel can access. For co-location data centers, third-party personnel do not have network or log-on access to the HBR environment, and co-location personnel only have physical access to the HBR server rooms during emergencies.

Environmental Safeguards

HBR has an established process to ensure its IT assets are maintained in locations that have robust critical infrastructure, including the following: temperature and humidity controls; redundant heating and cooling systems; underground utility power feed; redundant CPS/UPS systems; diesel generators; concrete vaults for fiber entry; redundant internal networks; high bandwidth capacity; and fire detection and suppression capabilities.

Business Continuity

For cloud service offerings, HBR seeks to prevent loss of, and ensure accessibility to, client data in the event of a catastrophic event. HBR has a comprehensive data backup and business continuity plan to ensure client data is accessible and recoverable; the recovery point objective (RPO, the maximum acceptable amount of data loss measured in time) and recovery time objective (RTO, the target time to restore service) vary by service and jurisdictional requirements.

ORGANIZATIONAL SECURITY

Key Stakeholders

HBR has appointed a Chief Information Security Officer (CISO) to be responsible for the overall development, management, and enforcement of our Security Program. The CISO is also responsible for the overall integrity of client data, including any amendments made thereto at the request of the client, so that client data is accurate, complete, and up to date. HBR also has a team of legal, ethics, and IT professionals who are responsible for addressing data protection matters, including receiving, processing, and responding to client, regulatory, or data subject requests.

Security Awareness Training

HBR recognizes that our Security Program is only as strong as the employees, contractors, and agents who are responsible for processing client data. Upon being hired, all employees, contractors, and agents participate in an onboarding training process that includes an overview of our Employee Handbook and the HBR rules governing confidentiality obligations, and that also includes security awareness training designed to help new hires understand their security responsibilities. After the hiring and onboarding process is complete, HBR mandates that its employees continue security training to stay abreast of current cybersecurity trends, tactics, and industry standards.

Social Engineering Tests

HBR’s information security team periodically performs complex social engineering tests to build a better understanding of cyber threat tactics, trends, and procedures and to bolster our awareness campaigns to build security into HBR’s culture.

Background Checks

All HBR employees, contractors, and agents who have access to mission-critical IT networks, systems, and infrastructure are subject to a comprehensive background check during the hiring process, and are subject to recurrent vetting during the term of their employment or engagement with HBR, to the extent permitted by law.