Hosting Your Survey: Security of Data and Information
Symmetric understands the supreme importance of protecting clients’ confidential information
and data. Confidential information and data are located at Symmetric’s headquarters in
Arlington, Texas, and at a secure cohosting facility in Virginia. Both facilities are fully protected
by multiple layers of safeguards. All data transmitted between the two sites are encrypted at the
very highest level. Load-balanced pairs of servers perform all critical functions, and these servers
are equipped with redundant components. A summary of security policies, processes, and
procedures is outlined below.
Policies, Standards, and Training
- Information security policies and standards are reviewed semi-annually by the Security Committee and are documented in Symmetric's manuals and the Employee Handbook.
- References for new employees are carefully checked by Human Resources.
- Security training is provided to employees on a regular basis.
- The information security program is approved by the President/CEO, and it is monitored by the Information Security Officer, Physical Security Manager, Human Resources Manager, and all department managers.
Legal and Compliance
- Symmetric (Decision Analyst) was the first U.S. research company to be approved under the Safe Harbor Agreement between the U.S. and the European Union, and adheres to the terms of the Safe Harbor Agreement. Safe Harbor governs the transfer of personally identifiable data between the European Union and the U.S.
- Symmetric continually works on maintaining email safe listing. This ensures that Symmetric's email traffic is not blocked by any ISPs.
ID and Authentication
- Unique IDs and complex passwords are required for employees to log on to the Symmetric network. Digital IDs acquired through VeriSign are used to verify identity and to encrypt email as needed.
Authorization and Access Control
- Access to a client’s confidential information is restricted to employees who have a need to know. No one else is permitted to access this data.
- Access to Symmetric’s computer systems is granted or revoked by network administrators in response to requests from Human Resources and/or department managers.
- A Virtual Private Network (VPN) with secure login authentication is provided for employees authorized for remote access to the Symmetric network.
- The Information Technology Department sets procedures and policies to ensure that remote computers accessing the Symmetric network maintain absolute security.
Confidentiality
- All client and respondent information is classified, confidential, and protected.
- All Symmetric employees must sign and adhere to ironclad Nondisclosure and Confidentiality agreements to protect clients' data and confidential information, and Symmetric's confidential information.
- All subcontractors and suppliers to Symmetric must sign and adhere to strict Nondisclosure and Confidentiality agreements to protect clients' data and confidential information.
Network Safeguards
- Network password files are protected with encryption.
- Sensitive fields in SQL databases are protected using encryption.
- Desktop and server-based antivirus and antispyware protection is deployed to all computers on the Symmetric network. Additionally, email is protected by separate antispam and antivirus services.
- Symmetric uses Secure Sockets Layer (SSL) encryption to secure data storage and transmission.
- Symmetric's data-collection Web servers are load-balanced so that surveys remain online, even if one of the servers fails or is taken down for maintenance. The Symmetric data warehouse is attached to a secure storage area network (SAN) for improved scalability and is backed up nightly.
- Equipment and data storage devices are rendered unusable and unreadable at time of disposal. Hard-disk drives are overwritten and then destroyed. Soft media is shredded.
Firewalls and Intrusion Prevention
- A firewall provides security for servers and the private network at Symmetric.
- Network technicians proactively patch and update all servers as new vulnerabilities are discovered and/or announced.
Incident Detection and Response
- Network technicians proactively monitor server event logs, firewall logs, and network activity reports for suspicious events or anomalies.
- Network administrators are formally trained in hacking techniques, so that they can better identify threats to the Symmetric network.
- Suspicious activity is investigated and reported to senior management.
System Development and Maintenance
- A “best practices” set of standards is maintained by the software development team for internal development of Web-based software applications.
- All software is written with error-trapping and question-prompting routines to ensure accuracy. All applications have quality-audit features built into the software to reduce the likelihood of errors.
Software and Systems Processes
- Symmetric develops and maintains highly efficient, proprietary, SQL-automated processes for online data collection that include reliable and secure data-transfer processes.
- Client images/concepts displayed online are secured through a proprietary system developed by Symmetric.
Physical Security
- The campus at Symmetric is protected by a closed-circuit, TV-monitoring system and patrolled by on-site security guards.
- Building entrance doors are always locked, and entry is monitored and logged by electronic access cards.
- Access to the computer facility is restricted to only those persons who have a legitimate need for access.
- The computer center is a hardened facility designed to withstand tornadoes and includes a generator to run the center in case of electrical power failure.
- Physical security reviews are conducted annually.
Business Continuity
- Symmetric actively encourages and provides incentives for all employees to establish and maintain the computer equipment, systems, and software necessary to be able to work from home and other remote sites, so that the company can continue to operate in case of snowstorm, fire, flood, or other catastrophe.
- Symmetric operates out of two hardened, secure computer facilities, each equipped with backup generators for emergency power.
- The processing and reporting facility is geographically remote from the data-collection facility and is equipped with backup servers that can be brought online for data collection, should the data-collection facility fail.
- Symmetric’s Emergency Action Plan is reviewed every six months. The plan addresses all processes, systems, and technologies necessary to resume normal operations in the event of a disaster.