Security & Compliance
To ensure the requirements of customers and regulators are met, Retail Insights completes multiple audits, assessments and compliance requirements—including rigorous third party network and system penetration tests.
Why SOC 2 Type II Compliance Matters
SOC 2 is a technical audit that requires companies to establish and follow strict information security policies and procedures.
A SOC 2 Type II compliant service must follow these five "trust service principles" when managing customer data:
Security
System resources must be protected from unauthorized access or improper disclosure of information. To secure access, organizations can implement security tools such as two-factor authentication, web application firewalls (WAFs), Cloud VPNs and Software-Defined Perimeters (SDPs).
Confidentiality
Confidential data must be hidden from unauthorized persons or organizations. Network and application firewalls along with access controls are essential for safeguarding sensitive data. Additionally, encryption can be used to protect confidentiality during transmission.
Availability
Accessibility of the system is determined by a contract or service level agreement (SLA). While this principle does not cover system functionality, it does require network performance to be monitored, including security incidents, site failover and other security-related issues that may affect availability.
Privacy
Organizations must meet privacy standards that address the collection, use, retention, disclosure and disposal of personal information in accordance with the AICPA’s Generally Accepted Privacy Principles (GAPP).
Process Integrity
To achieve processing integrity, the system must provide efficient data processing by delivering complete and valid information to the right place at the right time. By monitoring data and implementing quality assurance, organizations can begin to ensure processing integrity.
Retail Insights takes threats to the availability, integrity, and confidentiality of our clients' information seriously. As such, Retail Insights is an ISO/IEC 27001:2013 certified provider whose Information Security Management System (ISMS) has received third-party accreditation from the International Organization for Standardization.
ISO/IEC 27001:2013 is an information security management system standard published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO is recognized worldwide.
ISO 27001 Certified
A-LIGN, an independent, third-party auditor, found Retail Insights to have technical controls in place and formalized IT Security policies and procedures. A-LIGN is an ISO / IEC 27001 certification body accredited by the ANSI National Accreditation Board (ANAB) to perform ISMS 27001 certifications. Retail Insights has implemented several security measures and countermeasures that protect it from unauthorized access or compromise and IT personnel were found to be conscientious and knowledgeable in best practices.
Some of the things we do to protect your data:
Enterprise Cybersecurity Program
Retail Insights' cybersecurity program includes, but is not limited to, the following:
- Installation and updates of anti-malware software on all devices and systems
- Multi-factor authentication for all software applications and systems
- VPN protection for all systems and data
- Procedures for workforce members to report suspected or confirmed malware
- Plans for recovering from cyberattacks in accordance with our Disaster Recovery Plan
- Software that examines electronic mail attachments and downloads before they can be used on internal devices and systems
- Annual penetration testing and quarterly vulnerability testing for all networks, servers and software
- Real-time monitoring that includes 24/7/365 server, network and endpoint detection and response monitoring to prevent, detect and mitigate cyberattacks
Cybersecurity Training and Awareness
According to the FBI, phishing was the most common type of cybercrime in 2020, with more than 11 times as many phishing complaints in 2020 as in 2016. 74% of organizations in the US experienced a successful phishing attack in 2020. To mitigate the risk of malware or ransomware gaining access to the Retail Insights IT environment, RI provides training and awareness to its workforce members on how to detect malicious software.
Quarterly awareness training for workforce members includes the following topics:
- how to identify phishing emails
- how to report potentially dangerous software
- how to discover malicious software fraud
- how to handle email attachments that may contain malware or ransomware
- how to use anti-virus software appropriately
Security Reporting and Response
All workforce members undergo training in Incident Response and Reporting procedures. Workforce members are trained on the appropriate response if they observe or suspect any type of suspicious, abnormal, or unauthorized activity that threatens the confidentiality, integrity, or availability of our information, or any activity that compromises, or is likely to compromise, customer or employee personal information (especially Sensitive Information), whether through unauthorized disclosure, access, or destruction.
External Testing of Security Controls
To ensure that Retail Insights' cybersecurity controls and program governance perform consistently, each year Retail Insights reviews the effectiveness of its controls over security, availability, processing integrity, confidentiality, and privacy via SOC reports based on the principles in the American Institute of Certified Public Accountants (AICPA) TSP Section 100, Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The Retail Insights SOC 2 Type II report is current and is available to current and prospective customers upon request and under NDA.