Security of Data and Information
Decision Analyst understands the supreme importance of protecting clients’ confidential information and data. Confidential information and data are located at Decision Analyst’s headquarters in Arlington, Texas, and at a secure cohosting facility offsite. Both facilities are fully protected by multiple layers of safeguards. All data transmitted between the two sites are encrypted at the very highest level. Load-balanced pairs of servers perform all critical functions, and these servers are equipped with redundant components. A summary of security policies, processes, and procedures are outlined below.
Policies, Standards, and Training
- Information security policies and standards are reviewed semiannually by the Security Committee and are documented in Decision Analyst's manuals and in the Employee Handbook.
- References for new employees are carefully checked by Human Resources.
- Security training is provided to employees on a regular basis.
- The information security program is approved by the President/CEO, and it is monitored by the Information Security Officer, Physical Security Manager, Human Resources Manager, and all department managers.
Legal and Compliance
- Decision Analyst is a participant in the Better Business Bureau (BBB) Reliability Seal program.
- Decision Analyst was the first U.S. research company to be approved under the Safe Harbor Agreement between the U.S. and the European Union, and adheres to the terms of the Safe Harbor Agreement. Safe Harbor governs the transfer of personally identifiable data between the European Union and the U.S.
- Decision Analyst is an active and supportive member of CASRO (Council of American Research Survey Organizations) and fully subscribes to CASRO’s quality standards, privacy protection program, and security safeguards.
- Decision Analyst continually works on maintaining email safe listing. This ensures that Decision Analyst's email traffic is not blocked by any ISPs.
ID and Authentication
- Unique IDs and complex passwords are required for employees to log on to the Decision Analyst network. Digital IDs acquired through VeriSign are used to verify identity and to encrypt email, as needed.
Authorization and Access Control
- Access to a client’s confidential information is restricted to employees who have a need to know. No one else is permitted to access this data.
- Access to Decision Analyst’s computer systems is granted or revoked by network administrators in response to requests from Human Resources and/or department managers.
- A Virtual Private Network (VPN) with secure login authentication is provided for employees authorized for remote access to the Decision Analyst network.
- The Information Technology Department sets procedures and policies to ensure that remote computers accessing the Decision Analyst network maintain absolute security.
- All client and respondent information is classified, confidential, and protected.
- All Decision Analyst employees must sign and adhere to ironclad Nondisclosure and Confidentiality agreements to protect clients' data and confidential information, as well as Decision Analyst's confidential information.
- All subcontractors and suppliers to Decision Analyst must sign and adhere to strict Nondisclosure and Confidentiality agreements to protect clients' data and confidential information.
- Network password files are protected with encryption.
- Sensitive fields in SQL databases are protected using encryption.
- Desktop and server-based antivirus and antispyware protection is deployed to all computers on the Decision Analyst network. Additionally, email is protected by separate antispam and antivirus services.
- Decision Analyst uses Secure Sockets Layer (SSL) encryption data storage and transmission security.
- Decision Analyst's data-collection web servers are load-balanced so that surveys remain online, even if one of the servers fails or is taken down for maintenance. The Decision Analyst data warehouse is attached to a secure storage area network (SAN) for improved scalability and is backed up nightly.
- Equipment and data-storage devices are rendered unusable and unreadable at time of disposal. Hard-disk drives are written over and then destroyed. Soft media is shredded.
Firewalls and Intrusion Prevention
- A firewall provides security for servers and the private network at Decision Analyst.
- Network technicians proactively patch and update all servers as new vulnerabilities are discovered and/or announced.
Incident Detection and Response
- Network technicians proactively monitor server event logs, firewall logs, and network activity reports for suspicious events or anomalies.
- Network administrators are formally trained in hacking techniques so that they can better identify threats to the Decision Analyst network.
- Suspicious activity is investigated and reported to senior management.
System Development and Maintenance
- A “best practices” set of standards is maintained by the software development team for internal development of web-based software applications.
- All software is written with error-trapping and question-prompting routines to ensure accuracy. All applications have quality-audit features built into the software to reduce the likelihood of errors.
Software and Systems Processes
- Decision Analyst develops and maintains highly efficient, proprietary, SQL-automated processes for online data collection that include reliable and secure data-transfer processes.
- Client images/concepts displayed online are secured through a proprietary system developed by Decision Analyst.
- The campus at Decision Analyst is protected by a closed-circuit, TV-monitoring system and patrolled by on-site security guards.
- Building entrance doors are always locked, and entry is monitored and logged by electronic access cards.
- Access to the computer facility is restricted to only those persons who have a legitimate need for access.
- The computer center is a hardened facility designed to withstand tornadoes, and it includes a generator to run the center in case of electrical power failure.
- Physical security reviews are conducted annually.
- Decision Analyst actively encourages and provides incentives for all employees to establish and maintain the computer equipment, systems, and software necessary to be able to work from home and other remote sites, so that the company can continue to operate in case of snow storm, fire, flood, or other catastrophe.
- Decision Analyst operates out of two hardened, secure computer facilities, each equipped with backup generators for emergency power.
- The processing and reporting facility is geographically remote from the data-collection facility and is equipped with backup servers that can be brought online for data collection, should the data-collection facility fail.
- Decision Analyst’s Emergency Action Plan is reviewed every six months. The plan addresses all processes, systems, and technologies necessary to resume normal operations in the event of a disaster.
Contact Decision Analyst
Decision Analyst is a leading international marketing research and analytical consulting firm. If you would like more information on our data and information security practices, please contact Jerry W. Thomas, President/CEO, by emailing him at firstname.lastname@example.org, or by calling 1-800-ANALYSIS (262-5974) or 1-817-640-6166.
Contact UsToll Free: 1-800-ANALYSIS (262-5974)