Skip to content

Insperity Retirement Services Security Statement

Introduction

The purpose of this statement is to provide the recipient with an understanding of how Insperity’s data protection program aligns to the SPARK Institute Data Security Best Practices framework. The information contained in this statement for existing and prospective clients is for informational purposes only. This statement does not and is not intended to create, add to or change any agreement between Insperity and its clients. Any binding terms, obligations, or warranties related to Insperity products and/or services shall be in the form of written agreements between Insperity and its clients. Insperity reserves the right to make changes to this statement and the topics covered any time without notice to existing or prospective clients, unless otherwise stated in a written agreement.   

 

Risk Assessment and Treatment

SPARK Standard

 

An understanding of the cybersecurity risk to operations (including mission, functions, image or reputation), organizational assets, and individuals. 


Insperity Comments 


An Insperity enterprise risk assessment (“Review”) is conducted by the Enterprise Risk Management Committee which is composed of key Insperity management. The Review analyzes and identifies Insperity’s enterprise-wide risks. The Review is facilitated by the Director of Internal Audit on a regular basis and is presented to the Insperity Board of Directors.  Risks are identified as well as any remediating factors that lessen risk.  Key management personnel throughout the technology department are assigned to complete the Review.  

  

Security Policy

SPARK Standard 


Established organizational information security policy. 


Insperity Comments 


Insperity has a formally documented set of security policies and guidelines. These policies have been approved and adopted by management and are published for all Insperity corporate employees to review. As part of their employment with Insperity, corporate employees must agree to comply with these policies. The security policies are reviewed on an annual basis for changes reflecting new technologies or business processes.


Organization Security

SPARK Standard 


Established coordinated information security roles and responsibilities that align with internal roles and external partners. 


Insperity Comments 


Insperity has a fully staffed information security team which includes security infrastructure, SOC, penetration testing, networking, cloud governance, and Identity and Access Management. Information security staff responsibilities include prevention, monitoring, reporting, maintaining, testing, and remediation. The Senior Vice President of Innovative Technology Solutions is responsible for the InfoSec management and oversees the information security practice.  

 

Asset Management

SPARK Standard 


Identified the data, personnel, devices, systems and facilities to achieve business purposes and manages them consistent with their relative importance to business objectives and risk strategy 


Insperity Comments 


Insperity maintains a list of current vendors, contracts, partners, and third parties that provide services. Insperity conducts risk assessments with each potential vendor, and with existing vendors if potential risk is introduced to their environments. Risks are classified within the Vendor portfolio platform for remediation, decision making and the highlighting of inherited risks. Vendors are notified if a risk is posed to Insperity. In such cases, a remediation plan is agreed upon and identified Insperity stakeholders verify success in the remediation.  


Human Resource Security

SPARK Standard 


Ensured its personnel and partners are suitable for the roles they are considered for, provides them with cybersecurity awareness education, and trains them to perform their information security-related duties and responsibilities consistent with related policies, procedures and agreements. 


Insperity Comments 


Security and compliance training is required of all employees on an annual basis. All new employees and temporary workforce members will attend the training within a short period of their start date. Topics covered by the program will include industry best practices and security risks that apply to Insperity directly. Insperity incident response procedures are outlined in the training. Periodic security bulletins will be available via corporate email / intranet to reinforce the training.  

 

Physical and Environmental Security

SPARK Standard 


Protected physical access to assets and provides ongoing management. 


Insperity Comments 


Insperity uses a combination of video surveillance, electronic door badge access, keys, and security guards to secure access to its data centers and office buildings. Motion detection video is deployed in the data centers and other restricted areas, and all visitors are required to sign guest logs. It is Insperity’s policy that Insperity employees and visitors wear identification badges while on the premises. 


Communications and Operations Management

SPARK Standard 


Ensured that technical security solutions are managed to protect the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. 


Insperity Comments 


The network infrastructure for Insperity systems is an enterprise-class deployment of redundant routers, switches, firewalls, and access points that are managed and restricted by the networking team.  The overall network is designed to use isolated sub-networks between the internal, external and public-facing segments. Network Access Control (NAC) technology has been deployed to control unauthorized devices being placed on the production network. Insperity provides a secured wireless network for corporate-approved devices. Foreign devices are able to use a segmented guest network for internet-only access.  

 

Access Control

SPARK Standard 


Limited access to assets and associated facilities to authorized users, processes, or devices, and to authorized activities and transactions. 


Comments 


Insperity access control measures authorize privileges no higher than necessary to accomplish required organizational missions or business functions. Insperity also applies least privilege to the development, implementation, and operation of organizational systems. Insperity uses Roles Based Access Controls (RBAC) to provision access based on the least access principal job title. A formal provisioning team is established for administering rights.  

Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). 

 

Information Systems Aquisition Development

SPARK Standard 


Implemented a system development lifecycle to manage systems; developed and implemented a vulnerability management plan; performs vulnerability scans. 


Insperity Comments 


Insperity Application Security (AppSec) team works with Development Teams by performing code reviews around the security on new applications before deploying code to Test/Stage/Prod environments. As an instrumental component of the SDLC, AppSec works with information security teams to validate the vulnerability concerns found during review and helps establish best practices in secure code development. AppSec also works with to Software compliance, InfoSec and external PEN testing vendor to address vulnerabilities in a timely manner, perform thorough testing and validation of remediated vulnerabilities and review of 3rd party software for security vulnerabilities during the evaluation stage.  

 

Incident and Event Communications Management

SPARK Standard 


Executed response processes and procedures and maintains them to ensure timely response to detected cybersecurity events. 


Insperity Comments 


Insperity has established an incident management program that is approved by management and communicated to employees at the time of hire and during annual compliance training.  

Insperity has assigned specific individuals to have a responsibility for the Incident response team. The Insperity incident response team follows a detailed process and has documented procedures for dealing with various events. The response plan addresses intruders, detection, communications, legal issues, containment strategies, and lessons learned activities.    

 

Business Resiliency

SPARK Standard 


Established regularly managed incident response, business continuity, and incident recovery plans. 


Insperity Comments 


Insperity has a formal process and certified team trained to respond to a system emergency involving systems that contain electronic information. A contingency plan has been developed, implemented and is routinely updated. The plan enumerates the specific processes and procedures that will be followed to respond to a system emergency. A pandemic plan has been developed and implemented. Insperity has multiple data centers housing computing resources. Each geographically dispersed data center running the production environment has a rating of tier 4. Redundant systems running at separate sites allow for a site impacted by fire, flood, or weather-related events to not impact services offered to customers. Redundancy is built into systems at various levels including hardware, networking infrastructure, application space, and location. Insperity maintains a comprehensive business continuity plan (BCP) that deals with critical systems, staff, priorities and recovery sites. Insperity does not use offsite tape storage. A mature backup process is in place that places data in multiple data centers for redundancy.   

 

Compliance

SPARK Standard

 

Ensured the understanding and management of legal requirements regarding cybersecurity, including privacy and civil liberties obligations. 

Insperity Comments

 

Insperity must comply with several federal laws as well as industry-specific compliance efforts. These efforts require annual information security audits from outside auditing firms. Outstanding issues identified during an audit are prioritized for remediation and addressed.    

 

Mobile

SPARK Standard 


Adopted a formal policy and security measures to protect against the risks of using mobile computing and communication facilities. 


Insperity Comments 

Insperity has a standard Terms of Use policy which includes mobile use.  

 

Encryption

SPARK Standard 


Ensured the protection of both data at rest and data in transit. 


Insperity Comments 


Backups of retirement services data are encrypted to protect from ransomware. 

 

Supplier Risk

SPARK Standard 


Ensured protection of the organization’s assets that are accessible by suppliers. 


Insperity Comments 


A Virtual Desktop Infrastructure (VDI) is deployed to host secure desktop environments on a central Insperity server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and can be delivered to users or contractors over the internet. VDI are deployed for secure use by users and suppliers when applicable. 


Cloud Security

SPARK Standard 


Ensured protection for assets stored or processed in cloud environments. 


Insperity Comments 


Cloud providers are required to undergo a compliance and security review before initial contract execution occurs.  These providers are reviewed routinely based on their sensitivity and changes in business conditions. 

 

Ransomware

SPARK Standard 


Processes and controls in place to detect and respond to a ransomware event. 


Insperity Comments 


Several malware defenses are deployed along with firewalls, IPS, IDS, on the wire and at the endpoint. Malware logs are generated and centrally collected for actions if applicable. Periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Additionally, Insperity conducts routine phishing test of its employees to blunt the risk of ransomware and encourage employees to be vigilant. 

 

Insperity has designated senior leaders to mobilize in the event of a significant cyber event.  This team meets quarterly and is tasked with maintaining an up-to-date playbook to facilitate an efficient response.  The playbook is evaluated annually through tabletop exercises. 

 

For more information, please contact  | Opens Email  | Opens Email

 

Insperity