
Insperity Security Statement

Introduction

The purpose of this document is to provide the reader with an understanding of the Information Security, Privacy, and Contingency Planning (InfoSec) infrastructure in place at Insperity. The information contained in this document is for existing and prospective clients, and is for informational purposes only. This document does not and is not intended to create, add to or change any agreement between Insperity and its clients. Any binding terms, obligations, or warranties related to Insperity products and/or services shall be in the form of written agreements between Insperity and its clients. Insperity reserves the right to make changes to this summary, and the topics covered at any time without notice to existing or prospective clients, unless otherwise stated in a written agreement.


Sub-Service Organization

Insperity contracts with CyrusOne (Allen, Texas and Austin, Texas) to provide data center hosting services. This summary only addresses Insperity’s InfoSec infrastructure and does not address or include descriptions of the sub-service organizations’ information security and contingency planning infrastructure.


Contact Information

To suggest changes or submit corrections to this document, contact:

Insperity, Inc.

Attention: Dr. Tim Proffitt

VP of Cybersecurity and Risk Management

19001 Crescent Springs Drive

Kingwood, TX 77339


Managerial Controls

Information Security Staff

Insperity has a fully staffed information security team which includes security infrastructure, SOC, penetration testing, cloud governance, vulnerability management, patching, AppSec, and Identity and Access Management. Information security staff responsibilities include prevention, monitoring, reporting, maintaining, testing, and remediation. The Senior Vice President of Innovative Technology Solutions is responsible for the InfoSec management and oversees the information security practice.

Security Policies, Standards, and Maintenance

This summary outlines many of Insperity’s security practices but is not an exhaustive list of practices. Insperity has a formally documented set of security policies and guidelines. These policies have been approved and adopted by management and are published for all Insperity corporate employees to review. As part of their employment with Insperity, corporate employees must agree to comply with these policies. The security policies are reviewed on an annual basis for changes reflecting new technologies or business processes.

Security and Awareness

Insperity has several programs in place to support its policies and standards, including but not limited to, new employee orientation, regular “awareness” emails, and postings on the company intranet. Each employee undergoes security and awareness training at the time of hiring and annually thereafter. Annual training is a formal requirement, and completion is tracked by Corporate Human Resources.

Employee provisioning and termination

Insperity conducts background checks on all employees. Each position at Insperity has a specific job description and modifier that allows for the proper level of access (role-based access control – RBAC) to be granted to the employee. Formal termination procedures, which apply to all employees when their employment with Insperity ends, require immediate disabling of the employee’s access. All provisioning and de-provisioning are managed and logged into the Insperity Identity and Access Management system for quality checking and auditing processes.

Data Privacy Team

The Insperity Data Privacy Team is responsible for data privacy, third-party risk management (TPRM), software compliance and incident response. The inclusion of these four areas provides a comprehensive view of Insperity’s data and protection requirements. The Insperity Data Privacy Statement addresses the details of the plan.

Operational Controls

Physical Access Controls

Insperity uses a combination of video surveillance, electronic door badge access, keys, and security guards to secure access to its data centers and office buildings. Motion detection video is deployed in the data centers and other restricted areas, and all visitors are required to sign guest logs. It is Insperity’s policy that Insperity employees and visitors wear identification badges while on the premises.

Environmental Protections

Insperity deploys several general practices for environmental controls. Dry pipe, fire extinguishers, fire alarms, smoke detectors, heat sensors, FM200 fire suppression agents, battery backup systems, and diesel generators are used. Battery backup systems along with diesel generators provide uninterrupted power to the data center when power is disrupted from the normal utility service. The data centers have stored capacity for fuel on-site with contracts for emergency delivery when applicable.

Change Management

Insperity maintains a formal change control process where all changes are tested, scheduled, and approved by the proper management chain. The change control system is in place to track requests, approvals, accountability, and emergency break-fix. All changes to production require testing in preproduction environments or laboratories before submission into production.

Audit and log review

Insperity reviews system logs as needed. Daily, weekly, and monthly reports are generated and reviewed. Logs are extracted from security systems, IoT appliances, network infrastructure, server systems, and others, to be retained in an enterprise security event manager (SEM). Logs shipped to the SEM are retained as long as commercially feasible with a minimum retention of at least six months. Log entries will record individual or process ID, date, time, event description, source, destination, and event data. The SEM supports after-the-fact investigations to answer forensic questions. The SEM provides alarms/alerts to Insperity of critical events and correlated actions as defined by the security team.

Risk Management

An Insperity enterprise risk assessment (“Review”) is conducted by the Enterprise Risk Management Committee, which is composed of key Insperity management. The Review analyzes and identifies Insperity’s enterprise-wide risks. The Review is facilitated by the Director of Internal Audit on a regular basis and is presented to the Insperity Board of Directors. Risks are identified as well as any remediating factors that lessen risk. Key management personnel throughout the technology department are assigned to complete the Review.

Business Continuity

Insperity has a formal process and a certified team trained to respond to an emergency involving systems that contain electronic information. A contingency plan has been developed, implemented, and is routinely updated. The plan enumerates the specific processes and procedures that will be followed to respond to such an emergency. A pandemic plan has been developed and implemented. Insperity has multiple data centers housing computing resources. Each geographically dispersed data center running the production environment has a Tier 4 rating. Redundant systems running at separate sites allow a site impacted by fire, flood, or weather-related events to go offline without affecting the services offered to customers. Redundancy is built into systems at various levels, including hardware, networking infrastructure, application space, and location. Insperity maintains a comprehensive business continuity plan (BCP) that deals with critical systems, staff, priorities, and recovery sites. Insperity does not use offsite tape storage. A mature backup process is in place that places data in multiple data centers for redundancy.

Incident Response Procedure

Insperity has established an incident management program that is approved by management and communicated to employees at the time of hiring and during annual compliance training. Insperity has assigned specific individuals to have responsibility for the incident response team. The Insperity incident response team follows a detailed process and has documented procedures for dealing with various events. The response plan addresses intruders, detection, communications, legal issues, containment strategies, and lessons-learned activities.

Compliance Efforts

Insperity must comply with several federal laws as well as industry-specific compliance efforts. These efforts require annual information security audits from outside auditing firms. Outstanding issues identified during an audit are prioritized for remediation and addressed.

Third Party Risk Management

Insperity maintains a list of current vendors, contracts, partners, and third parties that provide services. Insperity conducts risk assessments with each potential vendor, and with existing vendors if potential risk is introduced to their environments. Risks are classified within the vendor portfolio platform for remediation, decision making, and the highlighting of inherited risks. Vendors are notified if a risk is posed to Insperity. In such cases, a remediation plan is agreed upon, and Insperity stakeholders verify that the remediation succeeded.

Technical Controls

Data Leak Prevention Policy

Establishes controls to prevent unauthorized disclosure or transmission of sensitive data (PII, PHI, financial, IP, customer info). Implements DLP across endpoints, networks, cloud, and collaboration tools. Requires annual training, continuous monitoring, and incident response. Violations result in disciplinary action.

Technology Audit Policy

Mandates periodic audits to identify vulnerabilities and ensure confidentiality, integrity, and availability. Audits may be internal or third-party, with documentation retained for 6 years. Exception requests require risk assessment and management approval.

Disposal of Electronic Media Policy

Requires proper sanitization (overwriting, destruction) of electronic media before transferring, repair, or disposal to protect data confidentiality. Vendors must sign agreements for repairs. All exceptions must be documented and approved.

Disaster Recovery Policy

Ensures technology resources are protected against service interruptions via disaster recovery and business resumption plans. Plans must be developed, tested annually, and include backup, critical facility prep, and recovery steps. Training is required for all personnel involved.

Change Management Policy

Defines a framework for managing changes to technology assets to protect availability, integrity, and confidentiality. Requires formal review, approval, documentation, and emergency change procedures. All changes must be communicated and documented.

Access Control Policy

Enforces least privilege, role-based access, and secure authentication for systems and facilities. Physical and logical access is restricted and monitored. Privileged access is limited and reviewed regularly. Compliance with legal and contractual obligations is required.

Deidentification of Sensitive Information Policy

Defines procedures for deidentifying PII using masking, pseudonymization, and suppression. Assigns governance roles, requires audit trails, and mandates training. Access to deidentification tools is strictly controlled.

Backup and Restoration of Digital Assets Policy

Specifies requirements for backup, retention, and recovery of electronic assets. Backup schedules and retention periods are defined by data type. Restoration procedures are prioritized by business need and tested regularly.

Data Center Security Policy

Establishes physical access controls for facilities housing sensitive assets. Access is restricted, logged, and reviewed quarterly. Video surveillance and guards are required for primary data centers. Remote sites are monitored, and visitor access is tightly controlled.

Electronic Messaging Policy

Regulates business use of email and instant messaging to protect confidentiality and integrity. Only approved systems may be used; personal use is limited. Messages are monitored, filtered, and logged. Sensitive information must be encrypted and approved for external transmission.

Contractor Policy

Defines rules for contractor account creation, management, and deletion. Accounts expire after 6 months, require MFA, and are strictly controlled. BYOD devices must meet security standards. Access to resources is limited and monitored.

Asset Inventory Policy

Mandates tracking and maintenance of all technology assets. Movement, loss, or disposal of equipment must be reported and documented. Asset owners are responsible for lifecycle management and secure disposal.

Bring Your Own Device (BYOD) Policy

Requires personal devices accessing Insperity resources to be managed securely (MDM, antivirus, encryption, patching). Personal devices are segmented on the network and monitored. Insperity reserves the right to deny access or wipe devices containing sensitive data.

Acceptable Use Policy

Defines appropriate use of technology assets for business purposes. Personal use is permitted within limits. Sensitive information must not be shared without approval. All use is monitored; violations must be reported. Password sharing and circumvention are prohibited.

Data Classification Policy

Establishes four data categories: Unrestricted, Internal, Confidential, Restricted. Each has specific handling, encryption, labeling, and retention requirements. Data owners define classification; annual training and audits are required.

Active Directory Account Policy

Sets rules for configuration, maintenance, and deletion of Active Directory and local accounts. IAM team manages accounts; RBAC is enforced. Secondary, service, and admin accounts require special approval and documentation. Accounts are monitored and reviewed.

Application Development Policy

Requires secure software development practices, including SDLC, risk analysis, secure coding, and documentation. Source code is centrally managed and access is restricted. Logging, auditing, and compliance with password and encryption standards are mandatory.

Certificate Authority Policy

Defines standards for digital certificate management, encryption, and lifecycle. Requires strong algorithms, secure storage, and regular renewal/revocation. Only trusted CAs are permitted for external-facing systems. Roles and responsibilities are clearly assigned.

Cloud Policy

Provides governance for cloud infrastructure, including segmentation, connectivity, firewall, backup, disaster recovery, asset inventory, and compliance. Enforces RBAC, encryption, monitoring, and vulnerability management. All changes and integrations require formal review and approval.

Security Awareness & Training Policy

Annual security awareness training is mandatory for all employees and new hires. This training covers best practices, risks, and individual responsibilities. Non-compliance may result in disciplinary action.

Technology & Infrastructure Policies

Technology: Establishes the framework for all IT and InfoSec policies, including incident management, disaster recovery, physical access, and change management.

Server: Servers must be securely installed, monitored, patched, and managed. Only authorized personnel may administer servers, and all changes must follow change management procedures.

Networking: All network infrastructure must be approved, patched, and monitored. Strict controls exist for internal, DMZ, and external networks, including firewalls, authentication, and encryption.

Monitoring: Active monitoring of systems, networks, and user activity is required. Only authorized teams may conduct monitoring, and logs are retained for 365 days.

Identity & Access Management Policies

Identity & Access Management: Logical access is provisioned based on business needs, with role-based access control (RBAC), separation of duties, and regular reviews. Multifactor authentication (MFA) is required for internet-facing and privileged applications.

Privileged Account: All privileged accounts are managed in a centralized system (CyberArk), with designated owners, MFA, and regular audits. Permanent privilege is not allowed; temporary elevation is tightly controlled.

Password: Strong passwords are required, with regular rotation, vaulting for service accounts, and strict controls against reuse and weak passwords. PIN authentication is used for device-bound access.

Endpoint & Device Security Policies

Portable Computing Devices: Laptops, smartphones, and tablets must use passwords, full disk encryption, and MDM enrollment. Physical security and prompt reporting of theft are required.

Mass Media: Use of USB drives and other removable media is restricted and must be hardware encrypted. Ports are read-only unless approved, and all removals are logged.

Malicious Software: Only approved software may be installed. Endpoint Detection and Response (EDR) is required on all devices, with daily updates and active scanning. Browser extensions are tightly controlled.

Workstation: Ensures all workstations accessing Insperity resources are securely configured and maintained to protect company information. Only compliant, approved workstations may access internal resources. Passwords must meet company standards; use of local accounts is restricted. Software updates are monitored and applied promptly. Unauthorized web services and software are prohibited. Data must be stored on approved enterprise platforms (e.g., OneDrive). Contractor devices require additional security checks and approval. All devices must use an approved operating system image and be registered in Active Directory.

Data Protection & Encryption Policies

Encryption: Sensitive data must be encrypted at rest and in transit using AES-256 and TLS 1.2+. Key management is centralized, and encrypted backups are mandatory. Removable media must meet encryption standards.

Electronic Records Retention: Records are retained according to statutory requirements, with secure storage, restricted access, and secure destruction.

Risk, Incident & Vulnerability Management Policies

Technology Risk Assessment: Risks are identified, analyzed, evaluated, mitigated, and monitored through a structured process. Regular reviews and a risk register are maintained.

Incident Response: Defines requirements for managing security and privacy incidents, including reporting, triage, communication, resolution, and documentation. Legal and regulatory notifications are handled by the IIRT and SOC teams.

Vulnerability Management: All devices are scanned regularly. Critical vulnerabilities must be remediated within 14 days, high within 30 days, and medium within 90 days. Penetration tests and custom reports are available.

Third Party Risk Management Policy

Vendors are assessed for risk, compliance, and oversight. A vendor portfolio is maintained, and periodic assessments are required. Remediation plans are documented and monitored.

Software Policy

Only licensed and approved software may be installed. Technology Solutions manages installation, licensing, and compliance. No employee may use unlicensed or unauthorized software.
