Cyber Security Governance

Last Updated: July 22, 2022

At Robert Half Inc. and Protiviti Inc. (collectively, Robert Half), one of our top priorities is maintaining the trust of our clients, candidates and employees by managing the risks associated with maintaining the security, confidentiality and integrity of the data collected from our employees, clients and candidates. Robert Half has implemented security measures at the organizational, architectural, and operational levels which are designed to maintain the security, confidentiality, and integrity of this data.
Robert Half’s security initiatives are either managed or driven by the Robert Half Enterprise Information Security (EIS) program. Robert Half’s Enterprise Information Security Council Steering, composed of C-Suite and other senior executives representing business functions across Robert Half and chaired by the CISO, is responsible for managing and setting Robert Half’s data and information security direction and strategy. The committee leaders also provide updates to Robert Half’s Board of Directors on the company’s data and information security direction and strategy, including specific cybersecurity risks the company faces and the measures taken to mitigate these risks.
Various independent third-party reviews of Robert Half’s security program and controls occur on an annual basis. As a publicly traded company, Robert Half is subject to annual Sarbanes-Oxley (SOX) audits that focus on, among other things, security controls associated with the integrity of Robert Half’s financial reporting. Robert Half has received various independent certifications for different controls or systems, including ISO 27001 certifications and a Service Organization Control (SOC) 2 type 2 attestation. A key strategy for Robert Half is to continue to test and measure its controls and systems through independent third-party reviews and certification of its controls and systems.
Robert Half is committed to implementing information security programs that are designed to protect its data and assets from external and internal threats. Robert Half’s information security strategy focuses on prevention, detection and response based on threat intelligence, risk assessments and proactive monitoring. Robert Half’s goal is to establish and maintain controls designed to protect the information and systems of the company as well as our clients, candidates, and employees. This statement provides an overview of the company’s approach to information security and its practices to secure data, systems, and services.
Risk governance and risk management features are built into Robert Half’s culture, business practices and oversight. The company performs ongoing risk assessments, which include the identification, monitoring and analysis of control performance, and works to track issues to closure.
The company’s information security risk governance employs a three-line defense model, which is designed to promote accountability and oversight. The model organizes risk management activities across the company’s business units that own and manage risk (first line), independent risk oversight functions (second line) and internal audit (third line).
Information security is overseen by our Chief Information Security Officer (CISO), who reports to the company’s Global Privacy Officer. The CISO provides quarterly updates to the Enterprise Information Security Council Steering on relevant risk topics, program status and incidents.
The CISO is responsible for managing the EIS program, which conducts security and privacy risk assessments in five modes:
1. Assessments of core business processes and information assets
2. Assessments of internet-facing services
3. Assessments integrated into the development lifecycle of technology projects (see Application and Software Security)
4. Assessments integrated with our supplier due diligence process (see Supplier Security)
5. Assessments in response to certain threat or vulnerability intelligence
The company’s internal audit function assesses the company’s overall control environment, raises awareness of control risks, communicates and reports on the effectiveness of the company’s governance, risk management and controls that mitigate current and evolving risks, and monitors the implementation of management’s control measures. Internal audit is independent of EIS and makes reports to the audit committee of the company’s board of directors.
The company’s external auditor independently tests applicable controls as part of its annual audit of the company’s financial statements. A third-party auditor also audits certain controls and processes of Robert Half as part of its SOC 2 certification.
Robert Half and its subsidiary, Protiviti, are leading participants in industry initiatives related to data security and data privacy, including Gartner’s CISO Coalition and The FAIR Institute, amongst others.
Robert Half maintains an extensive set of information security policies and standards to document the company's approach to enterprise information security.
Robert Half maintains policies and standards that address data privacy laws and regulations applicable to Robert Half in the jurisdictions in which it operates. Policies and standards are reviewed and approved by the relevant companywide governance bodies. The company’s global information security and cybersecurity policy is reviewed at least annually. Robert Half seeks to align our policies and standards with a range of recognized industry standards, including those established by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Company policies and standards are available to personnel through the company intranet, and cover topics such as: (a) identity and access management, such as entitlement management and production access; (b) applications and software security, such as software change management, open source software and backup and restoration; (c) infrastructure security, such as capacity management, vulnerability management, networks and wireless; (d) mobile security and mobile applications; and (e) data security, such as cryptography and encryption, database security, data erasure and media disposal. Robert Half maintains information security acceptable use policies covering topics such as information security, information protection and acceptable use, computers, laptops, and tablets, email, the internet, the intranet, passwords, remote access, software, telecommunications, removable electronic data storage media, mobile devices, instant messaging, wireless access, social media, awareness and training, and enforcement.
The company has implemented controls designed to authenticate and authorize individuals’ access to the approved systems and information assets, including multi-factor authentication.
The company has well-developed access controls that are based on the general principles of no privilege without identity, no privilege without approval, least privilege, and entitlements commensurate with role or job duties. Employees are prohibited from sharing their individual credential information, such as usernames and passwords.
Robert Half undertakes to require strong password controls and protect access to company.
Company-approved authentication and entitlement solutions are used to implement identity and access management and to enable reporting of user entitlements. These solutions are used to manage the access levels of employees throughout the lifecycle of their career at Robert Half. System entitlements are reviewed by management on a risk-adjusted basis, and entitlements are also typically reviewed when a worker transfers to new roles or departments within the company. Staff access to selected websites and site categories is blocked or limited based on regulatory, information security and internal control requirements.
We keep your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include (i) for as long as we have an ongoing relationship with you; (ii) as required by a legal obligation to which we are subject; or (iii) as advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations). We may delete Personal Information for inactive accounts from our database, subject to any applicable legal or regulatory obligations. Furthermore, we may delete Personal Information from our database at any time and without providing any reason.
The company seeks to track applications in a centralized inventory tool by documenting application, associated hardware, and the type of data the application processes.
Application information security comprises many features, such as periodic reviews, testing and validation through development and quality assurance environments.
The Sites are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States.
Data is typically encrypted and securely transferred to a secondary location for recovery purposes. The company’s backup and recovery are performed using an industry-standard enterprise system.
The company has enabled logging for key events which may include failed logins, administrative activity and change activity.
The company protects its infrastructure through a tiered network architecture, vulnerability assessment, system hardening and malware protection.
The company maintains asset information for hardware in managed inventories. Each managed inventory has an owner and the attributes required to manage operational risks and the asset lifecycle associated with the asset class. Inventory management comprises manual and automated processes and controls, including periodic review of inventories, and is governed by policies and procedures.
Hard drives on company-provided laptops are to be encrypted using industry standard encryption software. Special laptop firmware is designed to enable Robert Half to remotely wipe lost or stolen devices. An inactivity screen lock is enforced by a configuration policy on endpoints.
Robert Half employs an endpoint detection and remediation solution. The company also has anti-malware controls in place on our email and internet proxy systems, in addition to filtering for phishing, spam and known-bad websites. Anti-malware alerts are sent to the company’s staff. Malware is addressed and runtime checks are performed on specific executables to reduce the possibility of exploit via malware. Application whitelisting is deployed to detect, report, and prevent the execution of malware.
External network connections are protected by firewalls that are designed to only allow the required inbound and outbound network ports and services to pass. The company provides external access to selected resources through a tiered network architecture comprising multiple secure zones to create a segmented environment consistent with the defense-in-depth strategy. Secure zones are implemented via a combination of firewalls and virtual local area networks. Intrusion detection systems and intrusion prevention systems are deployed at the network perimeter to monitor for and block malicious activity.
The company has a vulnerability management program that performs vulnerability scans of the internal and external network environments using an industry-standard scanner. The company also engages third parties to scan its external-facing infrastructure and provide findings on a regular basis.
Cloud providers are subject to a supplier management review covering the secure delivery of services, audit provisions, and satisfying the company’s public cloud control requirements.
The company’s mobile solutions allow employees to conduct business activities on certain handheld devices, with security controls designed to secure and protect company systems and Information, including encryption and authentication.
Company approved mobile applications utilize a range of industry-standard security features.
The company has developed mobile applications for clients and candidates to interact with Robert Half. Client mobile applications employ additional industry-standard security controls, which may include prohibited local storage and cache clearing.
The company implements controls designed to safeguard candidate, employee, supplier, company, and client information (collectively, “Information”), which cover secure storage, handling, and transmission of data.
Robert Half encrypts certain data when it is transferred outside of the company’s protected security enclosure. This includes encryption at rest (such as tapes, media, laptops, mobile devices) and encryption in transit (communications). The company uses strong industry standard encryption methods and tools (including commercially available products).
The company has clean desk guidelines which advise employees to keep the workspace clear of paper containing sensitive data which can prevent unauthorized users from gaining access to non-public information. Practices include not leaving documents containing sensitive data visible, unlocked, or unattended. Secure waste bins or on-site document shredders are provided at some offices for secure storage and disposal (via cross-cut shredding) of confidential paper documentation. The company has implemented controls designed to lock company workstations after an idle period.
The company has implemented physical security controls on company facilities, including office spaces, data centers and storage facilities.
The company aims to have standardized physical security measures in its data centers and offices, including access restrictions, alarms, environmental controls, and visitor management. We maintain video surveillance and on-site security personnel in some locations on a risk-adjusted basis. The company’s critical data centers are geographically dispersed and on diverse utility and power infrastructure with no direct dependencies. The company’s data centers are protected from environmental hazards and power outages by a number of controls which may include: (a) redundant electrical main service; (b) uninterruptible power supply; (c) generators; (d) air conditioning units; (e) fire detection and suppression systems; (f) water detection systems; and (g) earthquake-resistant facilities and seismic designs, where applicable.
Robert Half incorporates information security risk management into the company’s supplier management process, which covers supplier selection, onboarding, performance monitoring, risk management and, for select suppliers, periodic reviews of supplier information security processes and procedures.
Our policies require suppliers that handle Information to go through an initial assessment on a risk-adjusted basis. Subsequently, periodic assessments are conducted based on the supplier information security rating, which is calculated based on factors such as the type of data stored and processed. The assessments are designed to analyze the scope and effectiveness of suppliers’ information security, privacy, and business continuity practices. Non-disclosure agreements in place with suppliers are intended to protect any sensitive information shared with a supplier.
The company’s security incident management program addresses security threats and incidents that have a potential impact on the confidentiality, integrity or availability of Information and / or the company’s technology environment, including contingencies for providing notifications to affected individuals and governing authorities as required by applicable laws and regulations.
The company has a team responsible for handling information security threats and incidents that have a potential impact on the confidentiality, integrity or availability of the company’s information and technology environment. The team maintains the company’s Cybersecurity Incident Response Plan, which contains procedures for identifying and responding to information security incidents and protocols for escalation when clients are impacted by an information security incident, including notification of data breaches where required by applicable laws or regulations. Robert Half has:
- Procedures for identifying and responding to information security incidents
- Protocols for escalation when clients are impacted by an information security incident
- Defined a Crisis Management Team of key company executives that provides leadership in response to a crisis
- Established a Crisis Communication Team to manage communications with impacted individuals, the public, clients, staff, investors, and suppliers during a crisis

The company has established a dedicated threat management center. Security intelligence and threat information are obtained from third-party intelligence service providers, industry consortia, internal monitoring, as well as public and government sources. Threat-hunting surveillance is conducted across the company’s infrastructure. We use this data to establish a baseline of normal activity, against which we identify anomalies that require further investigation by specialized personnel. We employ automated monitoring tools to streamline and prioritize this process and have also implemented a global security incident preparedness program to support security incident management. The program conducts business-focused simulations with business units and regional teams to assess their processes, understanding and readiness as well as the effectiveness of the plan.
Security event logging to a centralized security information and event monitoring system is enabled for forensic analysis and surveillance analytics by our security operations center.
The company has a business continuity program for disaster recovery. The program covers both business and technology resilience. The main features of the program include dispersed capabilities, near site recovery, far site recovery and dispersed recovery.
The company’s business continuity planning and disaster recovery program comprises six key elements: crisis management, business continuity requirements, technology resilience, business recovery solutions, assurance and process improvement, and continual assessment. Each business unit by region aims to have a specific business continuity plan (BCP) and an assigned BCP coordinator. The company conducts periodic resilience impact analyses. Business managers may at times need to verify the criticality, recovery time objective, dependencies, and recovery strategies of their core processes. These processes determine the type of assurance needed to record completeness, such as people recovery tests, application failover tests, training, and tabletop drills.
Crisis management staff monitor the company environment, execute pre-established crisis management procedures and coordinate responses to incidents worldwide. Training is performed with periodic tests, drills, and tabletop exercises so that our staff are ready to respond in an actual emergency or crisis.
The company has a technology resilience program which aims to: (a) minimize dependencies on a single location or cloud supplier; (b) have multiple points of network and telecommunications redundancy; (c) have regional technology operate independently of critical market applications; (d) have annual testing; and (e) allow for secure remote working capabilities including encrypted tablets or laptops.
Continuous improvement is the goal of Robert Half's Information Security program. As of the Last Updated date on this page, to our knowledge, Robert Half has not had any material data security breaches in the last five (5) years.

Clint Maples
Chief Information Security Officer