Last Updated: July 7, 2020
At Robert Half International Inc. and Protiviti Inc. (collectively, Robert Half), one of our top priorities is maintaining the trust of our clients, candidates and employees by managing the risks associated with maintaining the security, confidentiality and integrity of the data collected from our employees, clients and candidates. Robert Half has implemented security measures at the organizational, architectural, and operational levels which are designed to maintain the security, confidentiality, and integrity of this data.
Robert Half’s security initiatives are either managed or driven by the Robert Half Enterprise Information Security (EIS) program.
Robert Half’s Information Protection Plan Steering Committee, composed of C-Suite and other senior executives representing business functions across Robert Half and chaired by the CISO and the company’s Global Privacy Officer, is responsible for managing and setting Robert Half’s data and information security direction and strategy. The committee leaders also provide updates to Robert Half’s Board of Directors on the company’s data and information security direction and strategy, including specific cybersecurity risks the company faces and the measures taken to mitigate these risks.
Various independent third-party reviews of Robert Half’s security program and controls occur on an annual basis. As a publicly traded company, Robert Half is subject to annual Sarbanes-Oxley (SOX) audits that focus on, among other things, security controls associated with the integrity of Robert Half’s financial reporting. Robert Half has received various independent certifications for different controls or systems, including ISO 27001 certifications and a Service Organization Control (SOC) 2 type 2 attestation. A key strategy for Robert Half is to continue to test and measure its controls and systems through independent third-party reviews and certification of its controls and systems.
Information Security Management System
Robert Half is committed to implementing information security programs that are designed to protect its data and assets from external and internal threats. Robert Half’s information security strategy focuses on prevention, detection and response based on threat intelligence, risk assessments and proactive monitoring. Robert Half’s goal is to establish and maintain controls designed to protect the information and systems of the company as well as our clients, candidates, and employees. This statement provides an overview of the company’s approach to information security and its practices to secure data, systems, and services.
1.1 RISK GOVERNANCE
Risk governance and risk management features are built into Robert Half’s culture, business practices and oversight. The company performs ongoing risk assessments, which include the identification, monitoring and analysis of control performance, and works to track issues to closure.
1.1.1 Risk Governance Framework
The company’s information security risk governance employs a three-line defense model, which is designed to promote accountability and oversight. The model organizes risk management activities across the company’s business units that own and manage risk (first line), independent risk oversight functions (second line) and internal audit (third line).
1.1.2 Enterprise Information Security Program
Information security is overseen by our Chief Information Security Officer (CISO), who reports to the company’s Global Privacy Officer. The CISO provides monthly updates to the Information Protection Program Steering Committee on relevant risk topics, program status and incidents.
1.1.3 Technology Risk Management
The CISO is responsible for managing the EIS program, which conducts security and privacy risk assessments in five modes:
1. Assessments of core business processes and information assets
2. Assessments of internet facing services
3. Assessments integrated into the development lifecycle of technology projects (see Application and Software Security)
4. Assessments integrated with our supplier due diligence process (see Supplier Security)
5. Assessments in response to certain threat or vulnerability intelligence
1.1.4 Internal Audit
The company’s internal audit function assesses the company’s overall control environment, raises awareness of control risks, communicates and reports on the effectiveness of the company’s governance, risk management and controls that mitigate current and evolving risks, and monitors the implementation of management’s control measures. Internal audit is independent of EIS and reports to the audit committee of the company’s board of directors.
1.1.5 External Audit
The company’s external auditor independently tests applicable controls as part of its annual audit of the company’s financial statements. A third-party auditor also audits certain controls and processes of Robert Half as part of its SOC 2 certification.
1.1.6 Industry Engagement
Robert Half and its subsidiary, Protiviti, are leading participants in industry initiatives related to data security and data privacy, including Gartner’s CISO Coalition and The FAIR Institute, amongst others.
1.2 INFORMATION SECURITY POLICIES AND STANDARDS
Robert Half maintains an extensive set of information security policies and standards to document the company's approach to enterprise information security.
1.2.1 Policies and Standards
Robert Half maintains policies and standards that address data privacy laws and regulations applicable to Robert Half in the jurisdictions in which it operates.
Policies and standards are reviewed and approved by the relevant companywide governance bodies. The company’s global information security and cybersecurity policy is reviewed at least annually.
Robert Half seeks to align our policies and standards with a range of recognized industry standards, including those established by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Company policies and standards are available to personnel through the company intranet, and cover topics such as: (a) identity and access management, such as entitlement management and production access; (b) applications and software security, such as software change management, open source software and backup and restoration; (c) infrastructure security, such as capacity management, vulnerability management, networks and wireless; (d) mobile security and mobile applications; and (e) data security, such as cryptography and encryption, database security, data erasure and media disposal.
Robert Half maintains information security acceptable use policies covering topics such as information security, information protection and acceptable use, computers, laptops, and tablets, email, the internet, the intranet, passwords, remote access, software, telecommunications, removable electronic data storage media, mobile devices, instant messaging, wireless access, social media, awareness and training, and enforcement.
1.2.2 Training and Education
The company conducts a security awareness campaign focusing on risk prevention to help employees recognize and report cybersecurity concerns. In addition, an engaging, scenario-based security training aims to build knowledge and skills to promote individual accountability.
Robert Half’s goal is to have employees complete the information security training, including cybersecurity and privacy, and pass a test on the content annually.
Specific information security training may be provided based on roles. Topics in the information security curriculum include information and cybersecurity essentials, mobile devices, social engineering and phishing, data risk management, insider threat awareness and escalation, email and other electronic communication security, supplier technology risk, security-conscious application development, and managing application privileges.
1.3 IDENTITY AND ACCESS MANAGEMENT
The company has implemented controls designed to authenticate and authorize individuals’ access to the approved systems and information assets, including multi-factor authentication.
1.3.1 User Identity Management
The company has well-developed access controls that are based on the general principles of no privilege without identity, no privilege without approval, least privilege, and entitlements commensurate with role or job duties.
Employees are prohibited from sharing their individual credential information, such as usernames and passwords.
1.3.2 Access Management
Robert Half undertakes to require strong password controls and to protect access to company systems.
1.3.3 Entitlements Management
Company approved authentication and entitlement solutions are used to implement identity and access management and to enable reporting of user entitlements. These solutions are used to manage the access levels of employees throughout the lifecycle of their career at Robert Half.
System entitlements are reviewed by management on a risk-adjusted basis and entitlements are also typically reviewed when a worker transfers to new roles or departments within the company.
Staff access to selected websites and site categories is blocked or limited based on regulatory, information security and internal control requirements.
1.4 APPLICATIONS AND SOFTWARE SECURITY
The company manages application and software security through its application information security practices, vulnerability testing and logging capabilities.
1.4.1 Centralized Inventory
The company seeks to track applications in a centralized inventory tool by documenting application, associated hardware, and the type of data the application processes.
1.4.2 Application and Software Security
Application information security comprises many features, such as periodic reviews, testing and validation through development and quality assurance environments.
1.4.3 Security Testing
The company conducts penetration testing on company systems to evaluate the security of the infrastructure. These tests include stress testing intended to reduce the threat of cyberattacks. The penetration testing methodology used by the company internally and by the company’s suppliers is based on several published industry guidelines, such as NIST SP 800-115 and the Open Web Application Security Project Testing Guide.
1.4.4 Data Backup and Recovery
Data is typically encrypted and securely transferred to a secondary location for recovery purposes. The company’s backup and recovery are performed using an industry-standard enterprise system.
The company has enabled logging for key events which may include failed logins, administrative activity and change activity.
1.5 INFRASTRUCTURE SECURITY
The company protects its infrastructure through a tiered network architecture, vulnerability assessment, system hardening and malware protection.
1.5.1 Hardware Inventory
The company maintains asset information for hardware in managed inventories. Each managed inventory has an owner and the attributes required to manage operational risks and the asset lifecycle associated with the asset class. Inventory management comprises manual and automated processes and controls, including periodic review of inventories, and is governed by policies and procedures.
1.5.2 Enhanced System Configurations
Hard drives on company-provided laptops are to be encrypted using industry standard encryption software. Special laptop firmware is designed to enable Robert Half to remotely wipe lost or stolen devices. An inactivity screen lock is enforced by a configuration policy on endpoints.
1.5.3 Malware Protection
Robert Half employs an endpoint detection and remediation solution. The company also has anti-malware controls in place on our email and internet proxy systems, in addition to filtering for phishing, spam and known-bad websites. Anti-malware alerts are sent to the company’s staff. Malware is addressed and runtime checks are performed on specific executables to reduce the possibility of exploit via malware. Application whitelisting is deployed to detect, report, and prevent the execution of malware.
1.5.4 Perimeter Network Security
External network connections are protected by firewalls that are designed to only allow the required inbound and outbound network ports and services to pass. The company provides external access to selected resources through a tiered network architecture comprising multiple secure zones to create a segmented environment consistent with the defense-in-depth strategy. Secure zones are implemented via a combination of firewalls and virtual local area networks. Intrusion detection systems and intrusion prevention systems are deployed at the network perimeter to monitor for and block malicious activity.
1.5.5 System Monitoring and Vulnerability Management
The company has a vulnerability management program that performs vulnerability scans of the internal and external network environments using an industry standard scanner. The company also engages third parties to scan its external facing infrastructure and provide findings on regular basis.
1.5.6 Cloud Infrastructure
Cloud providers are subject to a supplier management review covering the secure delivery of services, audit provisions, and satisfying the company’s public cloud control requirements.
1.6 MOBILE SECURITY
The company’s mobile solutions allow employees to conduct business activities on certain handheld devices, with security controls designed to secure and protect company systems and Information, including encryption and authentication.
1.6.1 Secure Mobile Access Solutions for Employees
Company approved mobile applications utilize a range of industry-standard security features.
1.6.2 Client Mobile Applications
The company has developed mobile applications for clients and candidates to interact with Robert Half. Client mobile applications employ additional industry-standard security controls, which may include prohibited local storage and cache clearing.
1.7 DATA SECURITY
The company implements controls designed to safeguard candidate, employee, supplier, company, and client information (collectively, “Information”), which cover secure storage, handling, and transmission of data.
Robert Half encrypts certain data when it is transferred outside of the company’s protected security enclosure. This includes encryption at rest (such as tapes, media, laptops, mobile devices) and encryption in transit (communications). The company uses strong industry standard encryption methods and tools (including commercially available products).
1.7.2 Data Security
The company has clean desk guidelines which advise employees to keep the workspace clear of paper containing sensitive data which can prevent unauthorized users from gaining access to non-public information. Practices include not leaving documents containing sensitive data visible, unlocked, or unattended. Secure waste bins or on-site document shredders are provided at some offices for secure storage and disposal (via cross-cut shredding) of confidential paper documentation. The company has implemented controls designed to lock company workstations after an idle period.
Secure data destruction controls are designed to protect Information at the end of the storage device’s useful life.
1.8 PHYSICAL SECURITY
The company has implemented physical security controls on company facilities, including office spaces, data centers and storage facilities.
1.8.1 Physical Security
The company aims to have standardized physical security measures in its data centers and offices, including access restrictions, alarms, environmental controls, and visitor management. We maintain video surveillance and on-site security personnel in some locations on a risk-adjusted basis.
The company’s critical data centers are geographically dispersed and on diverse utility and power infrastructure with no direct dependencies. The company’s data centers are protected from environmental hazards and power outages by a number of controls which may include: (a) redundant electrical main service; (b) uninterruptible power supply; (c) generators; (d) air conditioning units; (e) fire detection and suppression systems; (f) water detection systems; and (g) earthquake resistant facilities and seismic designs, where applicable.
1.9 SUPPLIER SECURITY
Robert Half integrates information security risk management into the company’s supplier management process, which covers supplier selection, onboarding, performance monitoring, risk management and, for select suppliers, periodic reviews of supplier information security processes and procedures.
1.9.1 Supplier Security
Our policies require suppliers that handle Information to go through an initial assessment on a risk-adjusted basis. Subsequently, periodic assessments are conducted based on the supplier information security rating, which is calculated based on factors such as the type of data stored and processed. The assessments are designed to analyze the scope and effectiveness of suppliers’ information security, privacy, and business continuity practices.
Non-disclosure agreements in place with suppliers are intended to protect any sensitive information shared with a supplier.
1.10 SECURITY INCIDENT MANAGEMENT
The company’s security incident management program addresses security threats and incidents that have a potential impact on the confidentiality, integrity or availability of Information and/or the company’s technology environment, including contingencies for providing notifications to affected individuals and governing authorities as required by applicable laws and regulations.
1.10.1 Security Incident Management
The company has a team responsible for handling information security threats and incidents that have a potential impact on the confidentiality, integrity or availability of the company’s information and technology environment. The team maintains the company’s Cybersecurity Incident Response Plan. Robert Half has:
- Established procedures for identifying and responding to information security incidents
- Established protocols for escalation when clients are impacted by an information security incident, including notification of data breaches where required by applicable laws or regulations
- Defined a Crisis Management Team of key company executives that provides leadership in response to a crisis
- Established a Crisis Communication Team to manage communications with impacted individuals, the public, clients, staff, investors, and suppliers during a crisis
The company has established a dedicated threat management center. Security intelligence and threat information are obtained from third-party intelligence service providers, industry consortia, internal monitoring, as well as public and government sources. Threat-hunting surveillance is conducted across the company’s infrastructure. We use this data to establish a baseline of normal activity, against which we identify anomalies that require further investigation by specialized personnel. We employ automated monitoring tools to streamline and prioritize this process and have also implemented a global security incident preparedness program to support security incident management. The program conducts business-focused simulations with business units and regional teams to assess their processes, understanding and readiness, as well as the effectiveness of the plan.
Security event logging to a centralized security information and event monitoring system is enabled for forensic analysis and surveillance analytics by our security operations center.
1.11 BUSINESS CONTINUITY AND TECHNOLOGY RESILIENCE
The company has a business continuity program for disaster recovery. The program covers both business and technology resilience. The main features of the program include dispersed capabilities, near site recovery, far site recovery and dispersed recovery.
1.11.1 Business Continuity
The company’s business continuity planning and disaster recovery program comprises six key elements: crisis management, business continuity requirements, technology resilience, business recovery solutions, assurance and process improvement, and continual assessment. Each business unit by region aims to have a specific business continuity plan (BCP) and an assigned BCP coordinator. The company conducts periodic resilience impact analyses. Business managers may at times need to verify the criticality, recovery time objective, dependencies, and recovery strategies of their core processes. These processes determine the type of assurance needed to record completeness, such as people recovery tests, application failover tests, training, and tabletop drills.
1.11.2 Crisis Management and Emergency Response
Crisis management staff monitor the company environment, execute pre-established crisis management procedures and coordinate responses to incidents worldwide. Training is performed with periodic tests, drills, and tabletop exercises so that our staff are ready to respond in an actual emergency or crisis.
1.11.3 Technology Resilience
The company has a technology resilience program which aims to: (a) minimize dependencies on a single location or cloud supplier; (b) have multiple points of network and telecommunications redundancy; (c) have regional technology operate independently of critical market applications; (d) have annual testing; and (e) allow for secure remote working capabilities including encrypted tablets or laptops.
Continuous improvement is the goal of Robert Half's Information Security program. As of the Last Updated date on this page, to our knowledge, Robert Half has not had any material data security breaches in the last five (5) years.
Chief Information Security Officer