Security and Compliance

NORC’s security program is compliant with federal government regulations and can be adapted easily to meet the unique requirements of any project.  Recent years have been marked by computer security breaches at various government agencies as well as in private industry.  As a result, every organization has been challenged to meet the potential for such security issues with multilayered approaches to securing computer systems and the data they contain.  NORC takes the matter of computer security seriously and has developed a multi-tiered approach to managing the issues surrounding computer and data security.

On many of our projects, compliance with NIST 800-53 recommendations is a requirement.  NORC currently has other government projects that require similar compliance, and recent audits by those projects have found that our systems meet or exceed these requirements.  We have projects underway for the Department of Labor, the Federal Reserve, and the Bureau of the Census that require independent audits to confirm compliance.  In each case we have successfully met the NIST standards.

Physical Security/Facilities

NORC takes great care to enforce physical security measures specifically designed to ensure that access to confidential data is restricted to only those employees who possess the need, as well as the authorization, to review such information.

Network Data Security

NORC requires the use of internal network data storage services to store all project-related data files.  Partitioned network storage is provided for each project to mitigate the potential for data loss due to accidents, computer equipment malfunction, or human error, as well as to administer access rights regarding privacy issues related to both legal and contractual obligations.  NORC undertakes a wide array of network security precautions to ensure the proper storage of all project data.

Application Security

Application security is an important matter at NORC and we strictly adhere to demanding procedures when dealing with these applications.  Software logins are designed to use a specifically encrypted challenge/response technology.  All NORC applications that manage case, response, and corporate financial data protect against unauthorized access and restrict authorized access to the minimum necessary level.

Case-Level Security

Data access restriction is accomplished through the use of unique case identifiers that allow the database to create a partition between response data and other data that could be used to identify an individual.  NORC retains the option to augment any standard application security practice on a particular project so as to accommodate any special needs that may arise.  In addition, the launch of NORCSuite 3 strengthens our ability to do so.

Encrypted Data and Communication

All remote access to internal NORC computing resources requires two-factor authentication and encrypted channels.  Only secure, encrypted file transfers are used when exchanging files with clients and/or partners over the Internet.  All of NORC’s laptop computers are provisioned with an automatic full disk encryption system to protect against loss of sensitive data should any of these machines be lost or stolen.

Electronic Data Transfer External to NORC

All data used by NORC staff is stored within and transmitted on NORC’s private network and is secured as described above in the section titled “Network Data Security.”  Should a project obligation require that the data be electronically transmitted to or from NORC’s secure, private network, standard protocol dictates that encryption technology be used.  Due to the variety of data delivery requirements that projects may demand, any enhanced electronic transfer security can be addressed within alternative protocols.

Access Control / Authentication

All user credentials and associated access permissions are subject to the controls and standards maintained by NORC’s IT department.  In particular, passwords must meet stringent requirements for length and complexity and must be changed on a regular basis.

Backup and Retrieval Procedures

All data that currently resides on the NORC network is backed up on a nightly basis.  The backups are then stored in a secure, off-site location.  Any archived information is retrievable from the storage facility within a few hours.  Only a limited number of NORC’s IT personnel are authorized to request the retrieval of these data media from the off-site location.  This retrieval process requires a strict identification and authorization procedure.  Backups made for the purpose of disaster recovery have a retention period of one year.  NORC maintains a Disaster Recovery Plan as part of its standard operating procedure, so that in the event of a major system outage, production systems can quickly be restored and normal operations resumed.

Virus Protection

To keep viruses and other malware from entering our systems, NORC IT has taken several preventative measures.  All NORC computer systems are protected from computer viruses by centrally managed anti-malware software and distribution of the latest security patches.  NORC’s network is further protected by tightly controlled firewalls and email filtering technology.

Project Personnel Security Practices and Procedures

NORC conducts a pre-employment background investigation on each new or returning employee (if the returning employee has been gone for over one year or has not previously had a background investigation conducted).  Additionally, NORC may require employees transferring to a new project or different department to undergo a new background investigation.  Offers to new hires are contingent upon the satisfactory completion of a background investigation, and all NORC employees must complete a Commitment to Confidentiality form as a condition of employment.  In addition, all staff members receive security training specific to the project to which they are assigned.

Representative Projects

National Longitudinal Survey of Youth - 1997. The National Longitudinal Survey of Youth, sponsored by the U.S. Department of Labor, is the youth-focused component of the National Longitudinal Survey Program used to gather information on the labor market experiences of American men and women.
