Last updated: March 1, 2019
At Robert Half International Inc. (Robert Half), one of our top priorities is managing the risks associated with maintaining the confidentiality and integrity of the data collected from clients and candidates. Robert Half has implemented industry-standard security measures at the organizational, architectural and operational levels.
Security and data privacy governance
Robert Half’s security and data privacy initiatives are either managed or driven by the Robert Half Enterprise Information Security (EIS) program or the Data Privacy program. Both of these programs cover not only Robert Half but also Robert Half’s wholly owned subsidiary, Protiviti Inc. (Protiviti).
Managing the EIS program is one of many responsibilities of the Chief Information Officer (CIO), but it is the main focus of the Chief Information Security Officer (CISO). The CISO is part of Robert Half’s Information Technology department and reports directly to the CIO.
To govern the strategic direction and investments of the EIS program, Robert Half formed an Enterprise Information Security Steering Committee composed of senior executives representing business functions across Robert Half. Given the critical nature of information security, committee leaders provide periodic updates to Robert Half’s Board of Directors on cybersecurity risks the company faces and the measures taken to mitigate these risks.
The EIS program also partners closely with the Data Privacy program, a global initiative focused on compliance with data privacy laws, including the EU’s General Data Protection Regulation (GDPR). This program is governed by the Data Privacy Executive Governance Board, composed of senior executives representing business functions across Robert Half, to align efforts across the entire organization.
Security and data privacy reviews
Various independent third-party reviews of Robert Half’s security program and controls occur on an annual basis. As a publicly traded company, Robert Half is subject to annual Sarbanes-Oxley (SOX) audits that focus on, among other things, security controls associated with the integrity of Robert Half’s financial reporting. Robert Half recently obtained ISO 27001 certification and is working toward its first global SOC 2 attestation.
Additionally, Robert Half periodically engages experts from our Protiviti consulting practice to perform both security and privacy assessments on a variety of systems used to service our clients and candidates.
Robert Half’s IT Risk Privacy and Compliance (RPC) department also falls under the EIS program. RPC facilitates both internal and external IT audits and manages the controls associated with various security risks, including new controls required by evolving regulations. It is RPC’s responsibility to map Robert Half’s security and privacy controls to various risk assessment frameworks, such as NIST 800-53, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), International Organization for Standardization (ISO) and payment card industry (PCI) standards, GDPR, and the Health Insurance Portability and Accountability Act (HIPAA).
Information security management system
Under the EIS program, Robert Half has established an Information Security Management System structured and aligned under the following sections:
- Information security policies — Various security policies are developed, reviewed and updated as necessary on at least an annual basis.
- Organization of information security — The CISO reports to the CIO and provides updates to various internal executive committees and the Robert Half Audit Committee.
- Human resources security — Information security responsibilities are an important part of our employees' job duties and responsibilities.
- Asset management — Asset management includes a configuration management database that tracks the ownership of each asset within Robert Half.
- Access controls — Access to information is guided by the principle of least privilege.
- Cryptography — Encryption standards and guidelines address encryption requirements for data at rest (stored data) and in transit (sent over the internet or between offices).
- Physical and environmental security — Controls are in place for secured areas that include offices, storage rooms and data centers, as well as controls to address environmental protections against fires, floods and earthquakes where necessary.
- Operations security — An expansive approach is in place to manage the security of Robert Half’s data, inclusive of, but not limited to, phishing simulations, 24x7 monitoring, penetration testing, incident response and vulnerability management.
- System acquisition, development and maintenance — EIS participates in initiatives that implement, modify and/or enhance Robert Half’s information systems to address security controls and measures. Ongoing security assessments occur with a frequency related to the associated risk.
- Supplier relationships — EIS performs initial and ongoing vendor risk assessments.
- Information security incident management — EIS has both policies and procedures to manage all information security incidents.
- Information security aspects of business continuity management — Security requirements associated with service disruptions have been planned and implemented, along with an N+1 redundant architecture, to satisfy Robert Half’s business requirements.
- Compliance — Robert Half engages third parties and Protiviti to perform independent and internal audits to address compliance and contractual requirements.
- Security awareness and training — Cyberthreats are becoming more common and sophisticated. Robert Half requires annual security awareness training of employees and reminds our employees to be on the lookout for intrusions.
Information security and data privacy are critical components of our business. As a result, Robert Half is making information security a top priority and is continually working to improve its security program and institutionalize best practices.
Chief Information Security Officer