Introduction
This document provides a brief overview to L&E Research clients of the information security policies and procedures we currently have in place.
Our Information Security Program uses NIST publications as the framework, and we are currently pursuing a SOC II certification.
Company Background
L&E Research is a marketing research firm that provides primarily recruitment and facility services. Established in 1984, L&E has 9 facilities in Charlotte, NC, Chicago, IL, Cincinnati, OH, Columbus, OH, Denver, CO, New York City, NY, Orlando, FL, Raleigh, NC, and Tampa, FL. We offer recruiting, screener development, project management, and complimentary consultation with our Research Design Engineers. We assist with qualitative research, both in-person and online, as well as quantitative research including telephone interviews, taste tests, CLTs, in-home testing, usability testing, eye tracking, mock juries and more. We recruit to our facility (virtual or physical), your location, or elsewhere.
How do we protect your data?
L&E Research has processes in place to protect your data including:
ACCESS CONTROLS
- Maintains a formal process to grant, revoke, or change user systems access.
- Actively manages (inventories, tracks, reviews, and corrects) the network and file access of all users so that only authorized users are given network access.
- Actively manages access to client data on a strictly “need to know” basis (principle of least privilege).
- Restricts the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
- Maintains and enforces a complex password policy.
ASSESSMENTS, VULNERABILITIES, PENETRATION TESTING
- Conducts annual third-party penetration testing; the summary report is available upon request.
- Continuously identifies, assesses, and remediates vulnerabilities.
- Applies patches to operating systems, hardware devices, and applications to address known vulnerabilities.
ASSET & INFORMATION MANAGEMENT
- Actively manages all hardware and software assets so that only authorized devices are given access to the network.
- Establishes, implements, and actively manages the security configuration of network and employee devices along with a process to manage changes to the configuration.
- Enables the auditing capability on network devices, when possible; monitors and retains system logs for one year.
- Maintains endpoint protection software on all computing devices.
- Maintains a hardware firewall between our networks and the internet.
BACKUPS
- Backs up project artifacts and critical systems daily.
- Encrypts all backups.
- Maintains documentation on how to restore data in a timely manner.
BUSINESS CONTINUITY PLAN
- Maintains a Business Continuity Plan (BCP) to ensure continued operations in the occurrence of unforeseen events.
- Tests the BCP at least annually and updates it when changes are made.
THIRD PARTY PROVIDERS
- Only uses third-party providers for:
  - Security audits
  - Design services
- Reviews and assesses vendors’ adherence to security requirements periodically.
- Requires third-party providers to sign non-disclosure agreements.
DATA SUBJECT ACCESS REQUESTS
- Notifies clients immediately if access to client data, or data itself, is compromised.
- Provides clients with reasonable cooperation and assistance in relation to data subject access requests.
CLIENT SECURITY REVIEWS
- Cooperates with reviews and assessments of our security controls, safeguards and procedures in all locations to ensure a secure processing environment.
- Promptly develops remediation plans to address critical or high-risk security issues identified by third-party or client reviews.
DATA RETENTION
- Destroys any hosted data at the request of the data subject.
DATA STORAGE & TRANSMISSION
- Encrypts all data at rest and in transit using industry standard encryption technology.
DATA EXFILTRATION CONTROLS
- Prohibits the storage of PII on any workstations.
- Maintains and enforces web traffic filters to block certain categories of sites.
- Maintains the capability to filter email traffic to block the sending of files with sensitive data (data loss prevention, DLP).
STAFF
- Maintains an Information Security Officer position that reports to senior management.
- Conducts appropriate security awareness training and regular updates.
- Requires 100% of staff to complete security training and sign a Security Confidentiality Agreement.
PHYSICAL SECURITY
- Does not allow data to be stored on end-user devices or on site.
- Restricts access to AV/Networking rooms to employees only.
PROVISIONING/DEPROVISIONING
- Provisions users using role-based access control.
- Grants access upon onboarding and removes access to all systems upon termination.
- Retains user accounts for 60 days after termination.