HSD Metrics Security Statement

Last Updated January 2023

HSD Metrics believes the security of our clients’ sensitive data is paramount. We understand that you have entrusted us with highly important information. Part of our commitment to you is that we will make sure it is protected. To ensure that the sensitive data of our clients is protected, HSD Metrics has undertaken several programs and implemented a wide variety of best practices and security controls.

In our approach to information security, we have divided our security landscape into two broad areas: platform security (i.e., the security of HSD Metrics’ platforms, including StartOffRight, SurveyRight, StayRight, 360°Right and ExitRight) and organizational security (i.e., the security of HSD Metrics as a company, our infrastructure, our employees, and our systems).

To ensure these controls are effective in helping secure client data, HSD Metrics employs a Virtual Chief Information Security Officer (vCISO) and Virtual Security Team (VST) to oversee and help implement these security features, via a formal Information Security Management System (ISMS).

We are happy to meet with any current clients or potential clients to discuss our information security. Our controls and systems in place include:

Platform Security

  • Utilization of the numerous security controls and features provided by Amazon Web Services (AWS) as a cloud provider.
  • Transport Layer Security (TLS) encryption of data in transit.
  • Advanced Encryption Standard 256-bit (AES 256) encryption of data at rest.
  • Geographically separated primary and recovery facilities, providing redundancy and continuity.
  • Backup and recovery testing, with a Recovery Time Objective (RTO) of 4 hours.
  • IP address filtering for access to AWS resources.
  • A robust patch management process, requiring testing and risk-rating of patches for priority. Critical patches are tested, reviewed, and installed within 72 hours of identification.
  • Annual penetration testing of our applications, by a highly qualified CREST-certified security firm.
  • Snapshot backups of all production systems daily.
  • Monthly testing of snapshot backups.
  • Multifactor authentication required for elevated-privilege access to HSD Metrics systems.
  • Robust antimalware protection on all servers.
  • Regular vulnerability scanning of all Internet-facing systems.
  • Regular Open-Source Intelligence (OSINT) scanning.
  • Robust log management systems, including log retention for at least 180 days.
  • All server systems are baselined and secured to the Center for Internet Security (CIS) Level I benchmark.
  • Internal black-hat and white-hat testing at least quarterly, and for all major releases.

Organizational Security

  • Deployment of a Virtual Chief Information Security Officer and Virtual Security Team, consisting of multiple highly qualified and certified information security professionals.
  • A comprehensive set of information security policies and procedures that are reviewed and updated annually and required to be followed by all staff.
  • All systems require complex passwords and time out after a period of inactivity.
  • All access rights to all critical systems are periodically reviewed and approved by senior management.
  • Industry-standard antimalware protection is installed on all user endpoints.
  • Regular information security meetings with senior management, business-line leaders, and technology management.
  • Background checks and Acceptable Use Policy for all staff.
  • Initial and recurrent information security training for all staff.
  • Formal Risk Assessment Framework.
  • Annual formal risk assessment.
  • Use of an enterprise Governance, Risk and Compliance (GRC) software platform.
  • Annual Incident Response and Business Continuity Plan (IR/BCP) test.
  • Comprehensive Information Security Management System (ISMS).
  • Annual review of all information security controls.
  • Formal onboarding and offboarding of employees.
  • Documented Privacy Policy.
  • Regular monitoring of legal, regulatory, and other external requirements for jurisdictions in which our clients operate.

HSD Metrics strives to continuously improve our information security. If you have any questions about our information security, have any concerns, or notice any security vulnerabilities or issues, please contact us at Security@HSDMetrics.com.