Ä¢¹½tv systems and data are protected by a comprehensive Information Security and Data Privacy program detailed in the Ä¢¹½tv Information Security Management System (ISMS) and Privacy Information Management System (PIMS). These programs are operated by dedicated security, privacy, information governance, and compliance professionals. Oversight is provided by the Board of Directors in conjunction with senior leadership. Ä¢¹½tv's Information Security team conducts risk assessments, performs regular risk reviews, and tracks risks using a documented risk-management process.
Ä¢¹½tv's Information Security and Data Privacy programs are certified to the ISO 27001 and ISO 27701 standards. These programs are also aligned with frameworks including the NIST Cybersecurity Framework, NIST SP 800-171 for the Protection of Controlled Unclassified Information in Non-Federal Information Systems and Organizations, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Ä¢¹½tv's ISO certificates can be accessed here.
Ä¢¹½tv has established policies that cover:
Acceptable Use Policies
- Remote Access
- Passwords
- Digital Systems Use
- Mobile Device
- Wireless Communication
- Privacy Policy Ä¢¹½tv
Security Policies
- Information Security
- Security Incident Reporting
- Data Backup
- Information Sensitivity
- Physical Security and Data Center Operations
- Cloud Services
- Systems Acquisition and Deployment
- Change Management
- Supplier and Third-Party Relations
Access Controls
Access and processing capabilities are limited to authorized users and authorized devices. A unique user ID with a complex password is assigned to authorized users and is required to log in. Passwords are required to be changed frequently. Two-factor authentication is required for remote access and access to cloud systems. Administrative functions are facilitated through separate privileged accounts.
Architecture
Ä¢¹½tv follows best practice for the deployment and maintenance of its systems and for data maintained within Ä¢¹½tv datacenters and cloud services. Critical data and systems are replicated and backed up to secondary datacenters. Systems are securely designed and are reviewed by the security team before being put into production.
Audit
Ä¢¹½tv's Information Security program is regularly audited both internally and externally on an annual basis. Ä¢¹½tv monitors and audits its security, privacy and information governance (people, processes and controls) to ensure compliance with policies and applicable security/privacy standards. Ä¢¹½tv conducts an independent external penetration test annually and regularly scans its external and internal networks for vulnerabilities.
Awareness and Education
Ä¢¹½tv employees, including contractors with Ä¢¹½tv system credentials, complete regularly assigned security awareness training and receive phishing training exercises. Security bulletins and announcements are shared throughout the year to give timely reinforcement reminders for awareness and education.
Business Continuity & Disaster Recovery
Ä¢¹½tv maintains a business continuity & disaster recovery plan that is regularly reviewed and tested. Ä¢¹½tv continuity and recovery considerations include the use of high availability systems, backup services, data replication, and redundant datacenters.
Data Controls
Data is encrypted at rest and in transit, logically separated, and access is granted to authorized users only. File monitoring systems log and monitor access to data while data loss prevention systems monitor the movement of data inside and outside of Ä¢¹½tv.
Data Privacy
Ä¢¹½tv is committed to the protection and privacy of data. The protection and management of data entrusted to us is one of our highest priorities. Ä¢¹½tv follows a least privilege access model and regularly audits individuals' access to data. Ä¢¹½tv respects individuals' right to privacy and we are consistently working to remain compliant with privacy regulations. Our can be viewed here.
Endpoint Security
Workstations and mobile devices are encrypted with whole disk encryption and require a password, PIN, or biometrics to access. Workstation inventories, software deployment, and security policies are controlled through enterprise configuration management. Workstations, mobile devices and servers require registration with Ä¢¹½tv's device management system. Workstations and servers are protected with advanced endpoint protection, which uses AI to assist in combating threats. IT equipment in Ä¢¹½tv offices is physically secured.
Incident Response
Ä¢¹½tv's security incident response plan dictates that security events be evaluated and escalated when appropriate. A security information and event management (SIEM) system maintains and analyzes security logs. This system is monitored 24x7. Logs are regularly analyzed for suspicious activity and unusual behavior by dedicated security personnel. Memberships with legal, cyber and peer organizations are in place to facilitate timely intelligence sharing and response activities. Ä¢¹½tv maintains a close working relationship with its vendors, law enforcement and managed security services providers for additional threat intelligence, analysis and response.
Perimeter Security
Ä¢¹½tv protects data, servers, and endpoints on Ä¢¹½tv and public networks using best-of-breed security controls. These controls include next generation firewalls, next generation anti-virus/anti-malware, web security, email security and intrusion detection systems. This allows Ä¢¹½tv to prevent malicious network attacks, block access to suspicious or malicious sites, stop malicious emails or attachments, and mitigate zero-day attacks.
Vendor Management
Ä¢¹½tv assesses potential vendors against a series of criteria to ensure appropriate security standards before granting a vendor system access or placing systems into operation. Contracts and data processing agreements are reviewed by the Information Security, Privacy and Legal teams before execution. The security posture of key vendors is reviewed on a regular basis.