6. Organization

Caliper's IT operates under a security guideline. All types of IT systems that are utilized by Caliper to store personal data are housed, maintained and operated in the central Caliper IT area in Princeton, New Jersey, USA and are managed under the general security guideline. Systems cannot be operated without compliance with these rules. The IT department is responsible for enforcing the necessary measures and for educating staff regarding these measures.
7. Access control (Entrance)

a) Server room protection

The central processing and data storage servers in Princeton, NJ, USA are maintained in a specific secured environment with physical security provided in the form of video surveillance and a keypad lock access with a PIN code controlled by IT management. Only authorized IT personnel are provided entry to this space. Any vendors servicing hardware in the server room are required to be accompanied by Caliper IT personnel. The building, both the main entrances to the building and those that are utilized to access Caliper's specific workspaces on specific floors, is protected against burglary and access by non-authorized personnel with key-accessed magnetic locks and video camera surveillance on all entry doorways and elevators.
b) System hardware protection

Caliper systems are protected by firewall hardware and software. The settings are proofed by penetration tests that check typical risk situations and typical danger moments for a system. In general, the effectiveness of the security settings is tested on an ongoing basis by Caliper network security personnel. Unique user identification numbers and passwords are required to access all networks and subsystems. Caliper does not store customer-specific data on laptops or any mobile devices. All Caliper employees must utilize identification numbers and passwords to access central processing and storage systems in order to subsequently gain entry to sub-systems and databases that house customer-specific and/or personal data.
c) System hardware and application access

Remote access to Caliper's server environment, where relational databases are housed with customer data and personal information, is provided to just a small number of employees in the IT department. All of these permitted individuals are employees of Caliper Corporation and subject to the supervision and directive of the Caliper IT departmental management. Caliper does not provide direct access rights to any Caliper vendors or customers. Access is established only by secure connection. To establish a connection and to get access to a device, the user must be identified and confirmed as having the permissions to gain access. Identification management is operated utilizing identification numbers, passwords and certificates. The password procedure adheres to the following rules: passwords must combine numerals and letters and be of appropriate length (between 8 and 20 characters); ordinary words, the individual's name, telephone number, birth date, or other easily guessed passwords are forbidden. Periodic modification of users' passwords is required, at a minimum every 120 calendar days. Only two Caliper IT managers possess the administrative rights and knowledge to establish permissions and administrative rights for Caliper employees. A user who forgets a password shall apply to the IT department for a new password, which the information systems manager shall issue upon confirming the identity of the requesting user.
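The password rules stated above (letters plus numerals, 8 to 20 characters, no ordinary words, no name, telephone number or birth date, rotation at least every 120 calendar days) can be enforced mechanically at password-change time. The following is an added example written for this document and is not Caliper's own code; the ORDINARY_WORDS list, the UserProfile fields and the sample user are constructed stand-ins for whatever dictionary and personnel records a real deployment would use.

```python
import re
from dataclasses import dataclass
from datetime import date

MIN_LEN, MAX_LEN = 8, 20   # "appropriate length (between 8 and 20)"
MAX_AGE_DAYS = 120         # "minimum of every 120 calendar days"

# Constructed stand-in for a real dictionary or breached-password list.
ORDINARY_WORDS = {"password", "welcome", "summer", "princeton",
                  "caliper", "letmein", "qwerty"}


@dataclass
class UserProfile:
    """Hypothetical personnel record used to derive forbidden tokens."""
    first_name: str
    last_name: str
    phone: str        # any formatting; only the digits are used
    birth_date: str   # ISO date, e.g. "1985-03-12"


def _profile_tokens(user):
    """Substrings derived from the user's own data that a password must not contain."""
    tokens = set()
    for part in (user.first_name, user.last_name):
        for piece in re.split(r"[\s\-']+", part.lower()):
            if len(piece) >= 3:
                tokens.add(piece)
    digits = re.sub(r"\D", "", user.phone)
    if len(digits) >= 4:
        tokens.add(digits)        # full number
        tokens.add(digits[-4:])   # last four digits, the part people reuse
    d = date.fromisoformat(user.birth_date)
    tokens.update({d.strftime("%Y%m%d"), d.strftime("%m%d%Y"),
                   d.strftime("%d%m%Y"), d.strftime("%m%d"), d.strftime("%Y")})
    return tokens


def check_password(password, user):
    """Return the list of policy rules the candidate password violates (empty = accepted)."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length")
    # "combinations of numerals and letters": require at least one of each
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        violations.append("mix")
    lowered = password.lower()
    if any(word in lowered for word in ORDINARY_WORDS):
        violations.append("ordinary_word")
    if any(token in lowered for token in _profile_tokens(user)):
        violations.append("personal_info")
    return violations


def password_expired(last_changed_iso, today_iso):
    """True once the password has reached the 120-calendar-day rotation limit."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_AGE_DAYS


# Constructed sample user; every value is fictional.
SAMPLE_USER = UserProfile("Jane", "Smith-Jones", "(609) 555-0142", "1985-03-12")

if __name__ == "__main__":
    for candidate in ("Smith1985!!", "welcome", "0142Rx8!", "Kq7!vR2zLm9p"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_USER) or 'OK'}")
    print("expired after 120 days:", password_expired("2024-01-01", "2024-04-30"))
```

The substring check is deliberately case-insensitive and covers several date layouts, because the policy forbids the birth date as such, not one particular spelling of it. A real implementation would also compare against a breached-password corpus rather than the short constructed word list used here.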
8. Access control (rights)

Access to the personal data (e.g. assessees' names, month and date of birth, name of employer, and responses to Caliper Profile questionnaires) is only provided to people with established permissions to view the information. The rights behind a permission are determined in light of the individual employee's job function and relationship to the customer and/or data. Only department supervisors in the IT and Customer Service departments can make decisions about permissions for an employee and request that they are expanded or contracted. With this authorization and directive, rights are then expanded or contracted through reconfigurations that are performed by Caliper IT department personnel. Personal data that is gathered for the purpose of doing business is gathered via encrypted web pages that are completed by customers. The responses are stored in separate MS SQL Server databases at Caliper, Princeton, NJ, USA. Access to each database requires a separate and unique set of permissions. Simply stated, Caliper Corporation in Princeton, NJ, USA captures, separates and stores the following:

1) Basic demographic data captured and stored for purposes of identification (e.g. First Name, Last Name, Company Name, Position Applied For, Month of Birth, Date of Birth)

2) The responses, or keystrokes, that are recorded when an assessee completes a personality questionnaire. These responses are compiled and compared to a normative database, and then reported on in the form of a single-page encrypted, encoded proprietary "score sheet".

The resulting "score sheets" are then transferred in an encrypted and secure manner to a Client Relations Consultant in the office that deals with the customer. The Client Relations Consultant then decrypts and interprets the coded score sheets, provides verbal interpretation to the customer, and generates a written, narrative report for consumption by the customer. This written report is stored in the local office and is not provided to Caliper Princeton, NJ, USA.
9. Transfer control

Every transfer of personal data between the data subject, or assessee, and Caliper is submitted via Caliper's online assessment instrument, which captures the subject's responses and provides them to Caliper Princeton, NJ, USA in an encrypted manner. When transferring personal data and storage media containing information assets between Caliper US and an international office, the media is protected against theft, misuse or defacement either via an encrypted VPN connection or in a non-electronic manner utilizing mediums such as a courier service.
10. Availability control

All information housed on Caliper servers is incorporated into a corporate data backup policy. This policy includes a daily backup of all critical and personal data.

All personal data, customer-specific data, individual data and subject-specific data is stored on a central server (SQL databases, CRM applications) and not on mobile devices, so that all data is included in the backup cycle.
11. Input control

The changing of settings in configurations and the installation, changing and erasing of access rights for the databases containing personal data are controlled by just two Caliper IT managers and are recorded. These log files are stored for six months.