IANS Cybersecurity Commitment
IANS is dedicated to upholding the confidentiality, integrity and availability of the products and services we deliver. This overview describes how IANS manages client data and individual privacy, and how our internal security measures are enforced.
Current Version: 1.0
Last Updated: 11/13/2024
Data Collection and Privacy
IANS obtains minimal public personally identifiable information (PII) from its clients to set up user credentials for our Client Portal. Accounts are created manually by IANS account managers and validated by client account owners. When public or credentialed users register for IANS events, IANS collects public PII that includes the user’s name, email, phone number and demographic information about the user’s job role and interests relevant to our events and content coverage. IANS does not sell user information to third parties. You may find in-depth information on our data collection and privacy practices here.
Data Encryption
IANS protects all client data at rest and in transit. Data at rest is encrypted with the 256-bit Advanced Encryption Standard (AES). Passwords are never stored in recoverable form: each is protected with a modern, deliberately slow one-way hash that is resilient to quantum computing attacks, and each password is hashed with its own randomized 128-bit salt, so identical passwords never produce identical stored values. Encryption keys are layered and reside within industry-leading key management service (KMS) vaults.
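As an added illustration of the password-storage properties described above (a slow one-way hash, a fresh 128-bit random salt per password, and constant-time verification), here is a small example. It is not IANS's code and the page does not name the hash IANS uses; scrypt from Python's standard library stands in as a representative slow hash, and the cost parameters and record format are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not IANS's code. scrypt is used as a representative
# slow, memory-hard hash; cost parameters below are illustrative choices.
SCRYPT_N = 2 ** 14     # CPU/memory cost factor (about 16 MiB with r=8)
SCRYPT_R = 8           # block size
SCRYPT_P = 1           # parallelism
SALT_BYTES = 16        # 128-bit random salt, generated per password
DKLEN = 32             # derived hash length in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt_b64>$<hash_b64>.

    A fresh 128-bit salt is drawn from os.urandom unless one is supplied;
    supplying a salt is only for reproducible tests, never for production.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 16 bytes")
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time. A malformed record verifies as False, not an error."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        # Covers bad base64 (binascii.Error is a ValueError), bad ints,
        # wrong field count and invalid scrypt parameters.
        return False
    # compare_digest does not short-circuit on the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Storing the parameters alongside the salt and hash lets the cost factor be raised later without invalidating existing records, since verification reads N, r and p from the record rather than from a global constant.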
Data Residency
IANS’ Client Portal website data and infrastructure are based in the U.S. but can also be accessed internationally over the internet from countries on a trusted-nation list derived from the U.S. Office of Foreign Assets Control’s (OFAC) sanctions programs and country information. IANS’ content delivery network (CDN) serves static assets (e.g., webpage stylesheets, avatar images) from servers across the U.S.; those assets do not contain sensitive customer data.
Data Backup and Retention
IANS uses automated encrypted backup solutions with a recovery target of 24 hours across all major platforms. A manual offline backup is performed monthly and stored on air-gapped, FIPS 140-2 Level 2 validated devices with 256-bit encryption. Data across all systems is retained for a minimum of one year.
Data Removal and Retention
Upholding client and individual rights under GDPR, the California Consumer Privacy Act (CCPA) and other applicable laws, IANS’ data removal process adheres to a rigorous decommissioning policy. Corporate data removal requests are fulfilled on contract termination. Individual data removal requests are honored throughout the contract lifecycle. Removal is performed across all operational platforms and backups. Retention periods align with U.S. state and federal laws.
Data Requests
If IANS receives a request from a client or government agency to disclose or delete data outside the bounds of regular business operations, IANS will meet the legal obligations that our legal counsel determines apply.
Compliance
IANS complies with the following requirements:
- NIST SP 800-171 for protecting controlled unclassified information (CUI) in non-federal systems.
- NIST SP 800-88 Rev. 1 for media sanitization and data removal.
- GDPR and CCPA requirements on the use and processing of personal data, including acceptance of audits.
Client Portal Authentication
The IANS Client Portal offers secure access for client users through the following authentication methods:
- Password-based authentication: Users create strong passwords that follow NIST guidance on length and strength. Two-factor authentication (2FA) can optionally be enforced for logins and is mandatory for password resets.
- Single Sign-On (SSO): Available on request through account managers, SSO uses SAML to integrate with a client’s own identity provider.
Employee and Contractor Background Checks
IANS verifies the identity and background of all employees and contractors, including Social Security number validation and a comprehensive criminal history check. Checks are performed by a third-party vendor and comply with all applicable state and federal laws. Background checks are performed on initial hiring and conducted periodically thereafter.
Access Control and Data Handling
IANS logs all access attempts and security events across its internal systems. All employees must use 2FA and strong, unique passwords for company systems; personnel with high-level clearance must additionally use physical 2FA keys (hardware security keys). Access is strictly role-based, and highly sensitive systems are isolated within trusted network segments.
Adherence to the employee handbook and data handling procedures is mandatory for all employees and contractors. Mobile device users must comply with IANS' BYOD and mobile device management (MDM) policies.
Physical Security
IANS operates within a secured facility equipped with surveillance cameras monitoring all common building entrances. In addition, IANS privately monitors entry points to its office and equipment room. Keycard access and camera footage are logged and retained for all detected activity. All office visitors are logged, issued a badge and must be accompanied by an employee during their visit.
Cybersecurity
IANS conducts annual penetration testing and monthly internal network and vulnerability scans through independent external parties. Results are reviewed and high-priority findings are tracked to resolution. Computing resources and services are monitored and protected by endpoint protection solutions. Appropriate security personnel are alerted to events, incidents and suspicious activity, and corrective actions are taken in a timely manner.
Software Development Life Cycle (SDLC)
Online product development follows secure SDLC practices. Development and production environments are segregated at the infrastructure level, and non-production environments use test data exclusively. Each pre-production release undergoes a comprehensive code review by our development team; the final release then undergoes an independent review by a member of the cybersecurity team.
Pull requests carry the full record of a change, including code review results, testing outcomes, approvals, history, comments and feedback. Automated vulnerability scanning and static code analysis further support code quality.
Networks and Remote Access
IANS employs strict network segregation to control access based on employee roles. Office Wi-Fi authenticates each user with their individual corporate credentials, while guest Wi-Fi and IoT devices operate on separate networks. A firewall safeguards the office network.
Role-based access controls govern remote access to systems and applications, ensuring only authorized personnel can access sensitive resources. Access to sensitive platforms is further restricted to the trusted office network segment or through the corporate VPN.
Security Awareness and Training
All employees are governed by documented security policies covering acceptable use, communication and data handling standards, as defined in the IANS employee handbook. IANS conducts security training on operational best practices for all staff, and internal phishing simulations are run quarterly. Roles with elevated access are subject to tailored security procedures and to annual security training and certifications.
Disaster Recovery and Business Continuity
IANS operates its core functions via resilient PaaS and SaaS platforms and does not rely on physical office space to deliver its service to clients. Operational impact assessments, recovery priorities, time estimates, SLAs, vendor dependencies and redundancies, procedures and delegation of authority are defined and tested annually. Management reviews and modifies disaster recovery and business continuity plans based on test outcomes and lessons learned.