
INFORMATION SECURITY

Built to Pass the Most Strict Audits

The world’s most demanding enterprise clients trust us as their information intelligence partner—and that trust depends on our industry-leading security systems and protocols. Our data security measures include physical, logical, and process controls designed to protect our clients’ most sensitive data and pass their most strict security audits.


Physical data security and facility access

DiscoverReady tightly controls access to our physical facilities. Only authorized persons may enter our operations centers, data storage locations, and review rooms—entry is controlled by a dual card-key and biometric system. We require employees to always wear their photo ID badge, and visitors must be escorted at all times. We deploy CCTV video surveillance at all our locations, and maintain the video recordings for at least 90 days. Security guards with a 24x7x365 presence patrol our facilities. We routinely review physical access audit trails and surveillance video. In our data and review centers, DiscoverReady takes a number of precautions to ensure a controlled environment and further enhance data security. These measures include:


Data centers

  • On-site 24x7x365 monitoring and security
  • Five compartmentalized zone security access
  • Monitored cameras
  • Biometric access
  • Secure cage with ceiling, secured tile floors and locked cabinets
  • Encrypted data lines
  • Datacenter compliance certifications: SSAE 16 and ISAE 3402 Service Organization Control (SOC) 1 Type II, SOC 2 Type II and SOC 3 reports, PCI DSS, HIPAA, NIST 800-53, ITAR, and US-EU Safe Harbor Privacy framework
  • Annual third-party security audits
  • All client data operations performed in data centers
  • Data loss prevention (email monitoring, removable device blocking, file sharing blocking)

Review centers

  • On-site monitoring and security while review in progress
  • No e-mail or Internet access on review computers except to specific IP addresses for the review platform (outside the review room, we provide reviewers with an Internet café for personal use)
  • No printer access on review computers
  • No local caching of data on review computers
  • No active USB ports or other read/write drives on review computers
  • No personal PCs, tablets, cameras, cell phones, or PDAs permitted in the review room
  • No land line telephones installed in the review room
  • Review rooms segregated by client
  • Reviewer access restricted to the review room to which they are assigned

With respect to physical media, when we receive data in our operations centers on an external device (a DVD or hard drive, for example) we immediately log the media and lock it in a controlled access cabinet. We encrypt any data physically leaving the DiscoverReady network using industry-standard technologies.


Logical data security

To prevent unauthorized data access from outside DiscoverReady, we maintain a fully locked-down firewall and conduct regular penetration testing (using a third party) to identify potential vulnerabilities. We also employ intrusion detection systems. Our IT staff monitors systems for security changes and anomalies, and they communicate alerts about out-of-the-ordinary activity to appropriate personnel.

Access to every client database is rights-managed, and we create separate logical entities at the client and case level. We also use controlled data storage to prevent unauthorized movement of data within or outside of the system.


Process controls for data security

All DiscoverReady employees receive training on IT security when they join the company, and we refresh their training annually. We require adherence to our security policies in employee agreements, and terminated employees lose all system and facility access immediately. DiscoverReady maintains standardized security processes to promote consistency and predictability. We document all our processes and identify the artifacts required by each policy (logs, review dates, actions taken, etc.). We audit security processes at least once per year to ensure they are functioning as expected and providing the proper level of security control. Our CTO and COO review the results of all audits, and take whatever action is necessary to address any risks exposed.