The security of data is important to us. This document is intended to answer as many questions as possible about the security, reliability, and availability of DDI’s applications and data processing systems. This document outlines the flow of data for DDI technology-based solutions and address the security measures that we have taken to protect each part of the process.
DDI: Who We Are, What We Do
Founded in 1970, Development Dimensions International (DDI), a global human resource consulting firm, helps organizations close the gap between today’s talent capability and future talent needs. DDI’s expertise includes designing and implementing selection systems and identifying and developing front-line to executive leadership talent. For more information about DDI visit http://www.ddiworld.com.
DDI’s Approach to Data Security
Today’s talent management environment requires the processing of electronic records. Application functionality depends on information storage and transfer across DDI networks and the Internet. Appropriate security is essential and is fully integrated with application functionality and processes. DDI maintains a consistent security framework with appropriate privacy standards within which system applications and user populations leverage information within various business contexts. DDI employs a multi-layered approach to Information Security as it relates to the protection of user data (including candidate, participant, learner, administrator, and customer information) and prevention from unauthorized access, alteration, or destruction. Our policies and processes are designed to:
- Establish DDI’s approach to information security
- Define mechanisms to protect data and prevent its misuse
- Educate DDI associates on the importance of safe data management and recognizing potential security threats
- Provide a communication channel for external queries about this policy and associated systems
DDI is committed to operating our businesses in a manner that fosters confidence and trust, which includes the proper use and management of personal data provided to us by our colleagues, customers, and suppliers.
To ensure data integrity, DDI has resources, policies, and processes dedicated to data protection, including a Data Security and Compliance Office and Data Protection Officer, who routinely monitor global standards.
DDI’s Data Protection Officer (DPO) sets and enforces the vision and strategy for the company’s security and compliance program, with the goal of global consistency, ascertaining that risks are managed appropriately, and objectives are achieved.
Security in Partnership
The security and confidentiality of our customers’ data is a shared responsibility between DDI and our customers. DDI provides a secure platform on which customers can access and leverage their data. In addition, DDI provides tools, services, support, and resources that enable our customers to ensure the security of their data throughout the lifecycle of the engagement. See DDI’s Privacy Statement.
Customers are jointly responsible for the security of their data during and after their engagement with DDI. Customers must understand what data is being collected and held within DDI systems and define the appropriate data sharing policy to ensure that data is shared with only those who are authorized to access it. The data sharing policy should align with risk and compliance requirements that correlate to the importance and classification of that data.
DDI’s Role as a Data Processor
DDI clients operate as a “Data Controller” pursuant to the European Union (EU) Privacy Model Clauses. DDI functions as a “Data Processor” pursuant to EU Model Clauses and the General Data Protection Regulation (GDPR). See DDI’s Privacy Statement.
EU Data Protection Regulations
DDI is headquartered in the United States and serves customers globally and has employed mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (a replacement to Safe Harbor), EU Model Contract clauses and end user consent. DDI’s certification under the Privacy Shield program may be viewed at the Privacy Shield site: https://www.privacyshield.gov/
EU Model Clauses
The EU Model Clause is a standard contract addendum between service providers such as DDI and its customers, designed to ensure that any personal data leaving the EEA will be transferred in compliance with EU data- protection law and meets the requirements of the EU Data Protection Directive 95/46/EC.
On May 25, 2018, a privacy mandate called the General Data Protection Regulation (GDPR) came into effect. The GDPR expands the privacy rights of residents of the European Union and places new obligations on service providers like DDI that control and process personal data from the EU. DDI views GDPR as an opportunity to deepen our commitment to privacy and data protection internally and with all our global clients.
As the new era of data privacy unfolds, it goes beyond policies and system settings, requiring both organizational and cultural shifts. Compliance with the GDPR demands a partnership between DDI, its sub-processors, and our customers. DDI is committed to GDPR compliance throughout our operations and in the delivery of service to our clients. DDI is also dedicated to helping our customers comply throughout our partnership. DDI closely analyzed requirements of the GDPR and implemented enhancements to our products, contracts, and documentation assure compliance with the regulations.
Third Party Providers
DDI utilizes third party providers for the provisioning of our Services to you as described in our agreements. All third-party providers are required to comply with DDI’s data processing, protection, and security standards.
For a list of our current sub-processors please see https://www.ddiworld.com/thirdpartyproviders
DDI classifies personal data we collect and process into four categories, each requiring specific actions to ensure security. Data collected is reviewed on a periodic basis and classified according to its use, sensitivity, and importance. See the Confidential Information Policy for details.
Technical and Organizational Measures
Many of our key Technical and Organizational Measures (TOMs) data security and integrity are listed below. Additional details for these and other controls are described in detail later in this document.
|Cloud||DDI utilizes a variety of cloud-based, GDPR compliant platforms|
|Data Privacy and Security Awareness Training||Regular training for DDI associates to learn about data privacy, confidentiality, and security best practices. Teach end users to recognize and avoid phishing attacks, social engineering traps, malicious links, and downloads|
|Physical Security||DDI hosts client facing applications at redundant data centers that are ISO-27001, SOC 2 and SSAE-18 certified|
|Internal Business Applications||DDI uses sub-processors for general business operations including Microsoft Office 365, Microsoft Dynamics for customer relationship management, Oracle for accounting and invoicing, and Oracle Taleo Cloud for online recruitment services. These sub-processors only process business contact information. |
|Network Security||Managed anti-virus on all components. Application-layer firewall. Dual redundant multi-segmented network-layer firewalls. Physical and logical network separation of each tier.|
|Infrastructure Redundancies||Redundant power with Uninterruptible Power Systems (UPS). Connections to multiple Internet provider networks. Redundant component infrastructure. Clustered high availability systems. SAN storage technology for storage redundancy. Load balancing for application redundancy. “Hot-spares” for all essential network production equipment.|
|Monitoring and Intrusion Detection||Intrusion detection on all network segments. 7x24 monitoring, detection, and alert of malicious activity. 7x24 monitoring, detection, and alert of system anomalies. Regular log review.|
|Infrastructure Access Controls||Least-Rights-Necessary access model. Configurable session inactivity timeouts. Encrypted passwords. Strong password policy for privileged accounts and servers.|
|Independent Audit||Annual data processing and financial systems audit. Third party certification of controls and processes including ISO27001:2013.|
|QA & Testing||Separate QA & testing platforms. Gated code promotion strategy. Automated and “white box” QA testing processes.|
|Authentication & Authorization||Role-based. Fully HTTPS/SSL compliant. Supports SAML Single Sign-On (SSO).|
|Platform Availability, Stability & Performance (ASP)||Highly scalable virtualized platforms. End-user experience monitors for application performance.|
|Vulnerability Assessment||Annual infrastructure vulnerability scans. Annual Application Penetration Assessment (APA). Quarterly Managed Application Scans (MASs).|
DDI hosts client facing applications at redundant SSAE18, SOC 2 Type II, ISO / IEC 27001:2013, HIPAA/HITECH, PCI DSS 3.1 certified data centers.
DDI’s server infrastructure is located in a dedicated 8’ x 8’ enclosed caged area. Access to this area is limited to the DDI staff responsible for managing the application servers and network components. The data center facility has implemented extensive systems to provide security and physical plant protection. These systems include physical security, fire prevention, security and fire alarms, video surveillance, multiple levels of card access, 24-hour staffing and detailed access and visitor logs. Only data center facility authorized engineers can open and lock equipment cabinets. Additionally, there are no customer names on the cabinets and no cabinet floor plans to associate cabinets with customers. Inside the facility, closed circuit television (CCTV) cameras mounted above each cabinet row monitor all activity.
All DDI equipment is monitored in a temperature-controlled environment. DDI’s hosted solutions operate at an average temperature between 65 and 75 degrees Fahrenheit and average relative humidity between 30% and 45%. All equipment is protected by a fire suppression system with a built-in early warning detection system. The Very Early Smoke Detection Apparatus (VESDA) system detects abnormal particulate matter in the air. A pre-activation fire detection system verifies a fire before activating the suppression system. Heat detectors above and below both the floor and ceiling are controlled in the NOC (Network Operations Center) and monitored off-site.
Physical access to DDI’s application and network systems is highly controlled. All points of entry have badge readers to permit or deny access and video surveillance that is monitored 24x7 by data center facility personnel. Access to this facility is protected 24x7 by security personnel and limited to authorized individuals with a need to manage DDI systems. All approved DDI resources are issued a photo ID for access. Upon an access request, data center facility personnel will verify name and photo matches name and photo in their secure system. Logs of such access are monitored electronically via the badge access system and are reviewed quarterly.
The data center facility’s hot sync parallel/redundant systems provide redundant power supply through Uninterruptible Power Systems (UPS) and backup generators. In the event of power failure, an on-site diesel generator system automatically generates power to both AC and DC systems, powering the internal data center facility network without interruption to service. There are connections to multiple telecommunications companies’ networks for redundant internet access and connectivity is load-balanced and provided by more than one ISP. In addition, DDI automatically replicates all production services to a geographically diverse secondary datacenter facility which ensures rapid service recovery in the event of failures at the primary site. SAN and RAID technology solutions are used for storage redundancy and secondary “hot-spare” hardware for core network infrastructure and production application server components is available for production systems. DDI IT maintains the Service Restoration plans for all services, systems, and applications.
DDI maintains a detailed Disaster Recovery plan for restoring business service in the event of a large-scale system failure. This plan is updated as any changes are made to the system infrastructure or production web farm configuration and is tested on an annual basis.
DDI only stores data in data centers that have received unbiased favorable annual SAS 70 Type II audits. Note that the SAS 70 has been replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 18 and our data centers are certified to that standard.
DDI only uses data centers that have demonstrated their adherence by periodic assessments and annual certification.
DDI also maintains its own ISO27001 certification and is audited annually.
SOC 1/ SOC 2
DDI is neither SOC 1 nor SOC 2 certified. However, DDI’s data hosting provider does keep current SOC 2 certifications.
DDI’s servers provide a wide variety of services to both internal and external users, and some servers store or process information that may be considered sensitive or confidential in nature. Given the fact that servers can be targeted for attack, it is critical that DDI servers are secured appropriately. DDI’s process of enhancing server security includes the following measures:
- The disablement or removal of unnecessary services, applications, and network protocols.
- The disablement of unneeded user accounts and renaming of default accounts.
- Password requirements configured to comply with the DDI Password Policy (see Appendix I).
- Activation of server logging and audit trails.
- Installation of anti-virus / anti-malware software with current definition files.
- Configured with current security patches.
For security reasons, we cannot provide all details of our server security controls.
High impact patches are defined as patches that will protect against a security risk that has the potential to significantly impact our network on or before the date of the patch. DDI’s IT team immediately distributes these patches to all devices after testing of the patch on our test platforms. Distribution will occur no later than 24 hours after identification.
Medium or Low impact patches are defined as patches that will protect against a future security risk. DDI distributes these patches to all devices after testing of the patch on our test platforms and testing with a control group of users. Distribution will occur no later than 2 weeks after testing is complete.
Backup, Retention and Archiving Procedures
Data is incrementally backed up on a nightly basis to ensure that all applications and client data is preserved and available to be restored in the event of any loss of data or catastrophic event. Hot back- ups are made to disk and transferred to tape. These backup tapes are rotated, with 30 days of daily backups being maintained. Monthly and yearly 128bit AES encrypted backup tapes are archived offsite.
In accordance with the DDI rotation schedule, authorized datacenter personnel log the tapes into the Iron Mountain web portal, and then physically place the tapes in a "lock box" for pickup by Iron Mountain. Authorized Iron Mountain personnel then store the tapes, in the DDI dedicated and secured cage within Iron Mountain.
If a system recovery is necessary, DDI system engineers will retrieve the file, data, or system state if it is less than 24 hours from an on-line backup system. In this event, system or database recovery can be completed in a matter of minutes or possibly several hours. If the file, data, or system state is greater than 24 hours old, DDI system engineers will contact its’ data center facility to retrieve the necessary tape. This retrieval can take several hours or possibly up to one day. After the tape is loaded into the library, DDI system engineers will recover the file, data, or system state immediately.
Backup Schedules and Data Retention
- Physical File Servers and DB Server Backups: (Retained for 35 days on disk)
- Production VMs: (Retained for 35 days on disk)
- SharePoint Sites: (Retained for 35 days on disk)
- Monthly Copy to Tape: (Retained for 1 year on tape at secure offsite facility)
- Yearly Copy to Tape: (Retained for 5 years on tape at secure offsite facility)
Asset Recovery, Recycling and Disposal
Hardware Recycling/Disposal Procedure
- When Hardware has reached its end of life cycle, the hardware is stored in a locked asset room and retained for disposal.
- Retired equipment is recycled through an R2 Certified Recycling vendor
- DDI receives a Detailed Destruction report of the assets that were recycled for record keeping.
Hard Drive Disposal Procedure
- All Hard drives, tape media, Optical drives, etc.… are removed from the hardware and retained for secure bulk destruction at a later date.
- For secure data destruction, DDI has contracted the services of recycling vendors who employ Low level, Department of Defense Approved, 7 pass wipe (DoD 5220.22-M(ECE)).
- This process is compliant with HIPPA, FACTA, GLB, and unclassified government material
- Non-functional hard drives will be degaussed.
- All data is purged as set forth in NIST Special Publication 800-88
- DDI receives and retains a Certificate of Destruction for record keeping.
DDI’s Network Infrastructure consists of dual HA pair of devices providing load-balancing and acceleration capabilities that listens for requests coming via HTTP (redirected to HTTPS) or HTTPS to a web site’s external IP address. The hardware load-balancer translates this to an internal IP of web/application servers and routes the request appropriately. Application servers are maintained in a perimeter, web-facing DMZ. Database and file servers are protected behind additional firewalls with very limited access rules that are only for application traffic. Strong passwords protect Server and service accounts.
Firewall protection is provided by devices functioning as high as Layer 7 of the OSI Model. All hardware is in a redundant passive-active configuration.
Intrusion Detection and Monitoring
DDI uses a comprehensive set of tools that provide continuous real-time monitoring of every component to enable security monitoring, patch management and other remote administration functions. DDI employs a managed services security company for security monitoring, firewall management and intrusion detection systems (systems designed to detect potential threats real time) and response processes.
DDI employs both host-based and network-based detection systems that are monitored and responded to on a 24x7 basis. DDI IT is notified immediately upon the detection of any anomalies via cell phone. Weekly reports are provided to DDI for review. Penetration tests are conducted quarterly.
Malware and Anti-Virus Protection
DDI utilizes several monitoring products to monitor network, servers, databases, and web sites. All application and system event logs are monitored as well. The monitoring environment is configured to automatically send alerts to appropriate staff that are on call 24x7. Specific escalation paths to appropriate DDI System Engineers and DBAs exist to help resolve the issue as quickly as possible.
In addition, DDI network monitoring systems periodically conduct complete scans of every active node on the network to ensure that these nodes are properly configured and are running the most current version(s) of the anti-virus and other security-impacting (ex: Hotfixes; service packs; etc.) code.
All appropriate systems – PCs, servers, gateways systems etc. - are protected by Microsoft’s endpoint protection anti- virus and “zero-day protection” software that is centrally managed and updated.
All gateways are protected by anti-virus software that is centrally managed and updated and the email and browsing infrastructure employs content scanning and heuristic scanning techniques to ensure data is virus-free.
Secure Data Transmission and Encryption
DDI uses SSL/TLS 1.2 for secure HTTPS application data access. SSL technology is provided as standard for all DDI applications and all backup tapes are encrypted using 256bit AES encryption. Encryption is used for passwords stored in application databases.
All files (regardless of confidentiality) remain encrypted when copied from a DDI laptop to an external storage device. If the external device is not encrypted, DDI’s Enterprise Encryption Software will automatically encrypt and password-protect the external device. In addition, DDI utilizes hyperconverged infrastructure that encrypts data at rest utilizing storage controller-based encryption.
Email is not considered to be a secure form of communication however, DDI does offer the ability to encrypt individual messages when explicitly requested.
When using DDI applications, data typically flows between three important parties—end users, client associates/candidates, and DDI.
When an end-user accesses a DDI application, the information they provide is submitted via secure encrypted (HTTPS) methods. Web data is delivered to the end-user in the form of test/assessment questions, surveys, graphics, and other content included in the DDI application. The data is processed by the application servers and submitted to database servers for storage. Web/application and database servers are located on separate logical and physical networks protected by firewalls.
DDI uses SSL/TLS 1.2 for secure HTTPS application data access. SSL technology is provided as standard for all DDI applications and all backup tapes are encrypted using 256bit AES encryption. Encryption is used for passwords stored in application databases. All data (regardless of confidentiality) remains encrypted in transmission and at rest.
Least Rights Access
Access to all data (irrespective of classification) is provided using a “Least Rights Necessary” security model, i.e., granted to those with a legitimate business need such as end-users, client administrators, and various DDI and client support teams.
Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through the change management process (detailed in later sections) addressing quality assurance, testing, documentation, change scheduling, and other such IT operational “best practices”.
Account Administration and Access
All infrastructure component administration and account management are strictly controlled by DDI. User accounts are automatically locked/disabled after excessive failure to login correctly. Server and service accounts are required to have strong passwords containing alpha, numeric, and special characters. DDI uses a global remote direct access solution that includes authentication and encryption at an industry standard level.
End-users are granted ‘least privileged access’ permissions to effectively and efficiently do their jobs. All administration and account management are strictly controlled by DDI. User accounts are required to have strong passwords and password-protected screen savers. Account access will be automatically disabled after excessive logon failures or termination of employment.
Direct Database Access
Only very select members of DDI’s engineering team have access at a database level. This access is used for creating off-site backups and performing data restorations. This is all done without viewing data. See Appendix II for additional information.
As part of DDI's Privileged Identity Management (PIM) process, DDI uses the Azure AD Entitlement Management and Azure Identity Governance tools for the administration and monitoring of privileged accounts and their access to sensitive information. In support of this process, all database access requests must be formally justified and approved. If approved, access is only granted for a limited duration.
Access to Data Centers or Backups
Physical access to Data Centers is restricted to a named list of associates. Physical access does not mean access to data. The physical media resides on servers in a locked cabinet. Off-site backups are stored in a fire safe in a secure room. Access to this room is restricted and logged.
Access to Applications
Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through a best practice change management process.
Access to Application Data
End user Participants are either client or DDI associates who input personal information to a DDI application system in the context of completing an online diagnostic or learning activity (such as an assessment, test, survey, or learning journey). End user Administrators are system end-users who manage accounts and workflow processes within a DDI application system. Administrators may be either client associates or DDI associates who input personal information on behalf of clients or applicants and may progress them through different process phases. Examples include hiring managers, staff development professionals, and other Human Resources roles.
When a user requests technical support from DDI’s Product Support team, they may grant a support representative temporary access to the account. The support team may need to view an individual user’s data as part of the support incident resolution.
Application Penetration Testing
DDI employs a managed services security company to test for “dynamic vulnerabilities” such as logic flaw problems, unpublished exploits, and other risks specific to the application environment, which also tests for known and published or “static vulnerabilities”.
Performed annually is the Application Penetration Assessments (APAs) which includes application scanning followed by intensive manual testing to identify application vulnerabilities. Reporting is fully customized and includes both positive and negative findings.
Quarterly Managed Application Scans
Performed quarterly is the Managed Application Scanning (MASs) which includes application level scanning, false positive validation, and automated reporting.
- Detailed report received from third party security vendor.
- Findings reviewed by the Data Protection Officer, Director of Global Technology Services and Director of Product Development.
Findings Risk Analysis
- For critical and high ratings, a problem ticket is created in the service management system and assigned for immediate action.
- For medium and low ratings, entries are added to the application backlog and prioritized against other development work.
- All findings and prioritization details are shared and vetted at the DDI Data Security Office’s Risk Analysis meeting. If the severity of any finding is deemed to be changed, this decision is documented and shared with application development partners.
Vulnerabilities are classified using the CVSS scale per the CVSS v3.0 specification (https://www.first.org/cvss/specification-document) and can be calculated on a per-vulnerability basis using the CVSS Calculator (https://www.first.org/cvss/calculator/3.0).
Vulnerability remediation is to be completed as soon as possible once identified using the following table:
|Critical||Critical vulnerabilities have a CVSS score of 9.0 or higher. They can be readily compromised with publicly available malware or exploits||2 days|
|High||High-severity vulnerabilities have a CVSS score of 7.0-8.9. There is no known public malware or exploit available||30 days|
|Medium||Medium-severity vulnerabilities have a CVSS score of 4.0 to 6.9 and can be mitigated within an extended time frame||90 days|
|Low||Low-severity vulnerabilities are defined with a CVSS score of 0.1 to 3.9. Not all low vulnerabilities can be mitigated easily due to applications and normal operating system operations. These should be documented and properly excluded if they can’t be remediated||180 days|
|None||Information vulnerabilities have a CVSS score of 0.0. These are considered potential risks but are generally reference information for the state and configuration of an asset||Not required|
DDI Associate Policies
DDI employs rigorous processes and controls over access and permissions for all infrastructure components, networks, firewalls, servers, databases, etc. This is strictly controlled within the Global Technology Group who has final authority on all administrative user access, system monitoring/notifications, as well as OS, security, and application updates.
All computers are configured to have a password-enabled screen saver. DDI’s policy for screen lockout is 15 minutes. After 15 minutes of inactivity the screen saver will be invoked. The user must then reenter their password to gain access to the computer.
Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. To view DDI’s full Password Policy, please reference Appendix I.
As soon as administrative access to DDI systems and application platforms is no longer required for job responsibilities, it is revoked. This includes termination of employment as well as changes to roles or responsibilities in the company.
This process is completed within 24 hours of a role change, or immediately in the event of involuntary employment termination. In addition, we regularly review which associates have these permissions and make changes as needed.
Data Privacy and Security Awareness Training
All DDI associates receive regular training and best practice guidance on data privacy, security, and confidentiality. Completion of training is monitored to promote the highest level of compliance.
Product Development Process and Code Management
Development Release Cycle
DDI employs an agile development model. Agile is an iterative approach to software development and provides a very nimble capability that allows DDI to rapidly respond to the needs of our clients. We have a planned new code release cycle – typically a weekly cycle.
This means that approximately every week DDI releases new features and upgrades. It also gives us frequent windows for releasing fixes to features that do not work as desired. Outside of this cycle we can make “emergency” releases as urgency dictates.
DDI uses separate application instances for testing updated code and have separate instances for early candidate code, and release candidate software. This protects data from ever being controlled or accessed by code still in development. All development code runs against “dummy databases”.
Programmers work individually or in teams developing new code. As the end of each cycle approaches, code is peer-reviewed and tested in a QA environment separate from the production environment. This testing period allows us to eliminate most bugs before they are ever introduced to production. Code is also programmatically inspected for known vulnerabilities.
Git is used to manage the software development process and serves as the source-code repository. The tool and related processes ensure that no changes are overwritten due to multiple developers making changes to the same module. Change control processes exist at many different levels within application development, QA and implementation including:
- Change Request documentation and ownership that includes review, approval, and documentation of all changes by the application owner
- A gated approval process for code promotion from: Development to QA; QA to Staging; and Staging to Production
- Software testing and QA is a multi-phased (unit test followed by system test, followed by user acceptance test) process. Development and unit testing is done on separate development systems by software developers, before being released for system and user acceptance testing on the separate QA systems.
Global People Services (Human Resource Policies)
Upon hire, all DDI associates are required to sign a confidentiality agreement that specifically addresses the concerns and risks of dealing with confidential information. Any associate found to have violated this policy is subject to immediate termination or any applicable legal action.
Background Check Policy and Procedure
DDI believes that hiring qualified individuals to fill positions contributes to the overall strategic success of the company. Background checks serve as an important part of the selection process at DDI. This type of information is collected as a means of promoting successful candidate matches for the position, as well as a safe and secure work environment for current and future employees. Background checks help DDI obtain additional applicant related information that helps determine the applicant's overall employability, ensuring the protection of the current people, property, and information of the organization. See Appendix II to review the full Background Check Policy and Procedure.
DDI’s pre-employment checks are designed to ensure that all associates are confirmed to have the degrees and certifications that they purport and/or are required to have. All prospective associates have their stated employment histories and integrity references verified.
All US-based associates are verified legal US workers, and Social Security Numbers or work authorizations are verified.
Security Incident Response
DDI enforces a comprehensive security incident detection and response plan including intrusion detection, scans, and other methods deemed effective and appropriate. While computer-related incidents are most common, non-computer-related incidents can also be reported through the Incident Hotline or by contacting DDI’s DPO or Corporate Counsel.
The purpose of the Security Incident Response and Notification Policy is to provide general guidance to DDI’s Technical and Managerial staff to enable quick and efficient recovery from physical or logical security incidents including the reporting of, responding to and managing unauthorized access to and/or loss of Confidential Information. DDI shall report any security incidents to affected or potentially affected clients within 48 hours of discovering a security breach.
In the event of a security breach, or suspected security breach the following actions must occur.
- Immediate notification of the following DDI personnel:
- Data Protection Officer
- DDI General Counsel
- Data Security Office
- Proper incident identification and documentation (must include):
- Description of the relevant incident
- Time and date on which occurred and was detected
- The person who reported it, and to whom it was reported
- Description of Personal Data that may have been compromised
- Incident containment activities.
- Incident eradication activities or processes.
- Incident recovery and review.
Appendix I - DDI Password Policy
Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. All users, including contractors and vendors with access to DDI systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, the frequency of password changes, and lockout policy for invalid attempts.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any DDI facility, has access to the DDI network, or stores any non-public DDI information.
- All system/server-level passwords (e.g., root, Windows Administrator, application administration accounts, etc.) and user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 90 days.
- All system/server-level and user-level passwords must conform to the guidelines described below.
- Microsoft’s multi-factor authentication is required for all mobile devices.
Guidelines / Standards
System/server-level and user-level passwords have the following requirements:
- Contain at least eight (8) alphanumeric characters.
- Contain at least three of the four following character classes:
- Lower case characters
- Upper case characters
- Special characters/symbols
- Passwords can’t contain the user name or parts of the user’s full name, such as first name
The following password types should be avoided:
- Names of family, pets, friends, etc.
- Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, 12345678, 123321, etc.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password Protection Standards
- Always use different passwords for DDI accounts from other non-DDI access (e.g., personal ISP account, non-work email, benefits, etc.).
- Always use different passwords for various DDI access needs whenever possible. For example, select one password for systems that use directory services (Active Directory) for authentication and another for locally authenticated access.
- Do not share DDI passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential DDI information.
- Passwords should never be written down or stored on-line without encryption.
- Do not reveal a password in email, chat, or other electronic communication.
- If someone demands a password, refer them to this document and direct them to the Information Security Department.
- Always decline the use of the "Remember Password" feature of applications.
If an account or password compromise is suspected, report the incident to DDI Data Security Office.
Password History, Age, and Lockout Standards
- Password History
- Password must not equal past 15 passwords used.
- Password Age
- Maximum password age equals 90 days.
- Minimum password age equals 1 day.
- Account Lockout threshold equals 3 invalid attempts for system/server-level accounts
- Account Lockout threshold equals 6 invalid attempts for user-level accounts
- Lockout counter resets after 30 minutes
Appendix II - Background Check Policy and Procedure
DDI believes that hiring qualified individuals to fill positions contributes to the overall strategic success of our company. Background checks serve as an important part of the selection process at DDI. This type of information is collected as a means of promoting successful candidate matches for the position, as well as a safe and secure work environment for current and future employees. Background checks help DDI obtain additional applicant related information that helps determine the applicant's overall employability, ensuring the protection of the current people, property, and information of the organization.
At DDI, background checks are conducted on job applicants in the offer stage of the selection process. DDI will generally use a third-party agency to conduct background checks. The type of information that may be collected by this agency includes, but is not limited to, that pertaining to an individual’s past employment, education, character, finances, reputation, etc.
All background checks are to be done in compliance with applicable federal and state law, such as the federal Fair Credit Reporting Act. For example, the Americans with Disabilities Act prohibits organizations from collecting non- job-related health information from previous employers or other sources. Therefore, the only pre-job offer information that can be collected from a prior employer is that pertaining to the quality and quantity of work performed by the applicant, the applicant's attendance record, education, and other issues that can impact the workplace.
DDI may make inquiries regarding criminal records during the pre-employment stage. Consistent with state and federal law we will use this information for job-related issues/purposes. However, if an applicant attempts to withhold information or falsify information, the individual will be disqualified from further employment consideration in any position with the company due to falsification of an application (including termination if this is discovered during employment rather than in the pre-employment process).
DDI can collect credit information on applicants consistent with the guidelines set forth by the federal Fair Credit Reporting Act (FCRA). The Fair Credit Reporting Act requires organizations to obtain a candidate's written authorization before obtaining a credit report. When doing this, the employer must:
- Certify to the consumer-reporting agency that the employer is in compliance with the FCRA and will not misuse the information it receives.
- Disclose to the applicant or employee, on a separate form, its plans to obtain a consumer or investigative consumer report and that the information received will be used solely for employment purposes.
- Obtain written authorization from the applicant or employee.
- Inform the individual of his or her right to request additional information on the nature of the report and the means through which such information may be obtained.
- Inform the applicant that the report will include information about the individual's character, general reputation, personal characteristics, etc.
- Provide the individual with a summary of his or her rights under the FCRA.
If the results of the credit check are negative, DDI will inform the applicant that it plans on taking adverse action, provide the applicant with a copy of “A Summary of Your Rights Under the Fair Credit Reporting Act” from the FTC before taking adverse action, provide the applicant the opportunity to review a copy of the credit report (providing the name, address & phone number of the consumer reporting company), a statement that the supplier of the report did not make the adverse employment action decision, and advise the applicant of their rights to dispute inaccurate information furnished by the consumer reporting company. Applicants will be granted reasonable time to contest the information (approximately 5 business days).
Background checks may be done at various times for existing employees, such as upon job changes or assignments. Employees are to update/advise us of any notable changes regarding their situation, such as driving license restrictions or loss. It also includes felony criminal convictions and, as covered/permitted under state or local law, misdemeanor convictions that may be job related.
The information from the background check reports will be maintained in a separate confidential file, with actions regarding such information controlled by the Vice President of Global People Services.
Learn about DDI's Data Regulation Compliance
Submit a data request
Visit this page to select the type of marketing emails you'd like to receive from us or to unsubscribe.