Hosting Your Survey: Security of Data and Information

Symmetric understands the supreme importance of protecting clients’ confidential information and data. Confidential information and data are located at Symmetric’s headquarters in Arlington, Texas, and at a secure cohosting facility in Virginia. Both facilities are fully protected by multiple layers of safeguards. All data transmitted between the two sites are encrypted at the very highest level. Load-balanced pairs of servers perform all critical functions, and these servers are equipped with redundant components. A summary of security policies, processes, and procedures are outlined below.

Policies, Standards, and Training

• Information security policies and standards are reviewed semi-annually by the Security Committee and are documented in Symmetric's manuals and the Employee Handbook.
• References for new employees are carefully checked by Human Resources.
• Security training is provided to employees on a regular basis.
• The information security program is approved by the President/CEO, and it is monitored by the Information Security Officer, Physical Security Manager, Human Resources Manager, and all department managers.

Legal and Compliance

• Symmetric (Decision Analyst) was the first U.S. research company to be approved under the Safe Harbor Agreement between the U.S. and the European Union, and adheres to the terms of the Safe Harbor Agreement. Safe Harbor governs the transfer of personally identifiable data between the European Union and the U.S.
• Symmetric continually works on maintaining email safe listing. This ensures that Symmetric's email traffic is not blocked by any ISPs.

ID and Authentication

• Unique IDs and complex passwords are required for employees to log on to the Symmetric network. Digital IDs acquired through VeriSign are used to verify identity and to encrypt email as needed.

Authorization and Access Control

• Access to a client’s confidential information is restricted to employees who have a need to know. No one else is permitted to access this data.
• Access to Symmetric’s computer systems is granted or revoked by network administrators in response to requests from Human Resources and/or department managers.
• A Virtual Private Network (VPN) with secure login authentication is provided for employees authorized for remote access to the Symmetric network.
• The Information Technology Department sets procedures and policies to ensure that remote computers accessing the Symmetric network maintain absolute security.

Confidentiality

• All client and respondent information is classified, confidential, and protected.
• All Symmetric employees must sign and adhere to ironclad Nondisclosure and Confidentiality agreements to protect clients' data and confidential information, and Symmetric's confidential information.
• All subcontractors and suppliers to Symmetric must sign and adhere to strict Nondisclosure and Confidentiality agreements to protect clients' data and confidential information.

Network Safeguards

• Network password files are protected with encryption.
• Sensitive fields in SQL databases are protected using encryption.
• Desktop and server-based antivirus and antispyware protection is deployed to all computers on the Symmetric network. Additionally, email is protected by separate antispam and antivirus services.
• Symmetric uses Secure Sockets Layer (SSL) encryption data storage and transmission security.
• Symmetric's data-collection Web servers are load-balanced so that surveys remain online, even if one of the servers fails or is taken down for maintenance. The Symmetric data warehouse is attached to a secure storage area network (SAN) for improved scalability and is backed up nightly.
• Equipment and data storage devices are rendered unusable and unreadable at time of disposal. Hard-disk drives are written over and then destroyed. Soft media is shredded.

Firewalls and Intrusion Prevention

• A firewall provides security for servers and the private network at Symmetric.
• Network technicians proactively patch and update all servers as new vulnerabilities are discovered and/or announced.

Incident Detection and Response

• Network technicians proactively monitor server event logs, firewall logs, and network activity reports for suspicious events or anomalies.
• Network administrators are formally trained in hacking techniques, so that they can better identify threats to the Symmetric network.
• Suspicious activity is investigated and reported to senior management.

System Development and Maintenance

• A “best practices” set of standards is maintained by the software development team for internal development of Web-based software applications.
• All software is written with error-trapping and question-prompting routines to ensure accuracy. All applications have quality-audit features built into the software to reduce the likelihood of errors.

Software and Systems Processes

• Symmetric develops and maintains highly efficient, proprietary, SQL-automated processes for online data collection that include reliable and secure data-transfer processes.
• Client images/concepts displayed online are secured through a proprietary system developed by Symmetric.

Physical Security

• The campus at Symmetric is protected by a closed-circuit, TV-monitoring system and patrolled by on-site security guards.
• Building entrance doors are always locked, and entry is monitored and logged by electronic access cards.
• Access to the computer facility is restricted to only those persons who have legitimate need for access.
• The computer center is a hardened facility designed to withstand tornadoes and includes a generator to run the center in case of electrical power failure.
• Physical security reviews are conducted annually.

Business Continuity

• Symmetric actively encourages and provides incentives for all employees to establish and maintain the computer equipment, systems, and software necessary to be able to work from home and other remote sites, so that the company can continue to operate in case of snow storm, fire, flood, or other catastrophe.
• Symmetric operates out of two hardened, secure computer facilities, each equipped with backup generators for emergency power.
• The processing and reporting facility is geographically remote from the data-collection facility and is equipped with backup servers that can be brought online for data- collection, should the data-collection facility fail.
• Symmetric’s Emergency Action Plan is reviewed every six months. The plan addresses all processes, systems, and technologies necessary to resume normal operations in the event of a disaster.