Last Updated: Dec 15, 2024
At Robert Half Inc. and Protiviti Inc. (collectively, Robert Half), one of our top priorities is maintaining the trust of our clients, candidates and employees by managing the risks associated with the security, confidentiality and integrity of the data Robert Half collects. Robert Half has implemented security measures at the organizational, architectural, and operational levels designed to maintain the security, confidentiality, and integrity of this data.
Robert Half’s security initiatives are either managed or driven by the Robert Half Enterprise Information Security (EIS) program.
Robert Half’s Enterprise Information Security Council Steering, composed of C-Suite and other senior executives representing business functions across Robert Half and chaired by the CISO, is responsible for managing and setting Robert Half’s data and information security direction and strategy. The committee leaders also provide updates to Robert Half’s Board of Directors on the company’s data and information security direction and strategy, including specific cybersecurity risks the company faces and the measures taken to mitigate these risks.
Various independent third-party reviews of Robert Half’s security program and controls occur annually. As a publicly traded company, Robert Half is subject to annual Sarbanes-Oxley (SOX) audits which focus on security controls related to the integrity of Robert Half’s financial reporting. Robert Half has received various independent certifications for different controls and systems, including ISO 27001 certifications and Service Organization Control (SOC) 2 type 2 attestations for its Protiviti subsidiary. A key strategy for Robert Half is to continue testing and measuring its controls and systems through independent third-party reviews and certifications.
Robert Half is committed to implementing information security programs designed to protect its data and assets from external and internal threats. Robert Half’s information security strategy focuses on prevention, detection and response based on threat intelligence, risk assessments and proactive monitoring. Robert Half’s goal is to establish and maintain controls to protect the information and systems of the company as well as those of our clients, candidates, and employees. This statement provides an overview of the company’s approach to information security and its practices to secure data, systems, and services.
Risk governance and risk management features are integrated into Robert Half’s culture, business practices, and oversight. The company conducts ongoing risk assessments, which include identifying, monitoring, and analyzing control performance, and works to track issues to closure.
The company’s information security risk governance employs a three-lines-of-defense model designed to promote accountability and oversight. The model organizes risk management activities across the company’s business units that own and manage risk (first line), independent risk oversight functions (second line), and internal audit (third line).
Information security is overseen by our Chief Information Security Officer (CISO), who reports to the company’s Global Privacy Officer. The CISO provides quarterly updates to the Enterprise Information Security Council Steering on relevant risk topics, program status and incidents.
The CISO is responsible for managing the EIS program which conducts security assessments in five modes:
1. Assessments of core business processes and information assets
2. Assessments of internet facing services
3. Assessments integrated into the development lifecycle of technology projects (see Application and Software Security)
4. Assessments integrated with our supplier due diligence process (see Supplier Security)
5. Assessments in response to certain threat or vulnerability intelligence
The company’s internal audit function assesses the company’s overall control environment, raises awareness of control risks, communicates and reports on the effectiveness of the company’s governance, risk management and controls that mitigate current and evolving risks, and monitors the implementation of management’s control measures. Internal audit is independent of EIS and makes reports to the audit committee of the company’s Board of Directors.
The company’s external auditor independently tests applicable controls as part of their annual audit of the company’s financial statements. A third-party auditor also audits certain controls and processes of Robert Half’s subsidiary Protiviti as part of its SOC 2 certification.
Robert Half and its subsidiary, Protiviti, are leading participants in industry initiatives related to data security and data privacy.
Robert Half maintains an extensive set of information security policies and standards to document the company's approach to enterprise information security.
Robert Half maintains policies and standards that seek to address data privacy laws and regulations applicable to the jurisdictions in which it operates. These policies and standards are reviewed and approved by the relevant companywide governance bodies. The company’s global information security and cybersecurity policy is reviewed at least annually.
Robert Half seeks to align its policies and standards with recognized industry standards, including those established by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). These policies and standards are available to personnel through the company intranet, and cover topics such as:
1. Identity and Access Management: Entitlement management and production access
2. Applications and Software Security: Software change management, open-source software and backup and restoration
3. Infrastructure Security: Capacity management, vulnerability management, networks and wireless
4. Mobile Security and Mobile Applications
5. Data security: Cryptography and encryption, database security, data erasure and media disposal
Robert Half maintains information security and acceptable use policies. These policies cover various topics including information security, information protection, acceptable use, computers, laptops, tablets, email, the internet, the intranet, passwords, remote access, software, telecommunications, removable electronic data storage media, mobile devices, instant messaging, wireless access, social media, awareness and training, and enforcement.
The company conducts a security awareness campaign focusing on risk prevention to help employees recognize and report cybersecurity concerns. Additionally, engaging, scenario-based security training aims to build knowledge and skills to promote individual accountability.
Robert Half’s goal is for employees to complete the information security training, including cybersecurity and privacy, and pass a test on the content annually. Specific information security training may be provided based on roles. Topics in the information security curriculum include:
Information and cybersecurity essentials
Mobile devices
Social engineering and phishing
Data risk management
Insider threat awareness and escalation
Email and other electronic communication security
Managing application privileges
The company has implemented controls to authenticate and authorize individuals’ access to approved systems and information assets, including multi-factor authentication.
The company has access controls based on the principles of no privilege without identity, no privilege without approval, least privilege, and entitlements commensurate with role or job duties. Employees are prohibited from sharing their individual credential information, such as usernames and passwords.
Robert Half requires strong password controls to protect access to the company’s resources.
Company-approved authentication and entitlement solutions are used to implement identity and access management and to enable reporting of user entitlements. These solutions manage the access levels of employees throughout their career at Robert Half.
System entitlements are reviewed by management on a risk-adjusted basis and are typically reviewed when a worker transfers to new roles or departments within the company. Staff access to selected websites and site categories is blocked or limited based on regulatory, information security and internal control requirements.
The company manages application and software security through its information security practices, vulnerability testing and logging capabilities.
The company seeks to track applications in a centralized inventory tool by documenting application, associated hardware, and the type of data the application processes.
Application information security encompasses various features, including periodic reviews, testing, and validation throughout development and quality assurance environments.
The company conducts penetration testing on company systems to evaluate infrastructure security. These tests include stress testing to mitigate cyberattack threats. The penetration testing methodology used by the company and its suppliers is principally based on several published industry guidelines, such as NIST SP 800-115 and the Open Web Application Security Project Testing Guide.
Data is typically encrypted and securely transferred to a secondary location for recovery purposes. The company’s backup and recovery are performed using an industry-standard enterprise system.
The company has enabled logging for key events, which may include failed logins, administrative activity and change activities.
The company protects its infrastructure through a tiered network architecture, vulnerability assessment, system hardening and malware protection.
The company maintains asset information for hardware in managed inventories. Each managed inventory has an owner and the attributes required to manage operational risks and the asset lifecycle associated with the asset class. Inventory management comprises manual and automated processes and controls, including periodic inventory reviews, and is governed by policies and procedures.
Hard drives on company-provided laptops are encrypted using industry-standard encryption software. Special laptop firmware is designed to enable Robert Half to remotely wipe lost or stolen devices. An inactivity screen lock is enforced by a configuration policy on endpoints.
Robert Half employs an endpoint detection and remediation solution. The company also has anti-malware controls in place on its email and internet proxy systems, in addition to filtering for phishing, spam and known-bad websites. Anti-malware alerts are sent to the company’s security staff. Malware is addressed, and runtime checks are performed on specific executables to reduce the possibility of exploitation via malware. Application whitelisting is deployed to detect, report, and prevent the execution of malware.
External network connections are protected by firewalls designed to allow only the required inbound and outbound network ports and services. The company provides external access to selected resources through a tiered network architecture comprising multiple secure zones, creating a segmented environment consistent with the defense-in-depth strategy. Secure zones are implemented via a combination of firewalls and virtual local area networks. Intrusion detection and prevention systems are deployed at the network perimeter to monitor and block malicious activity.
The company has a vulnerability management program that conducts vulnerability scans of both internal and external network environments using an industry-standard scanner. Additionally, the company engages third parties to scan its external-facing infrastructure and provide findings on a regular basis.
Cloud providers undergo a supplier management review in which we evaluate the secure delivery of services, audit provisions, and compliance with the company’s public cloud control requirements.
The company’s mobile solutions enable employees to conduct business activities on approved handheld devices and incorporate security controls designed to protect company systems and Information, including encryption and authentication.
Company-approved mobile applications utilize a range of industry-standard security features.
The company has developed mobile applications for clients and candidates to interact with Robert Half. These applications employ additional industry-standard security controls, which may include prohibiting local storage of data and clearing cached data.
The company implements controls designed to safeguard candidate, employee, supplier, company, and client information (collectively, “Information”). These controls cover the secure storage, handling, and transmission of data.
Robert Half encrypts certain data when it is transferred outside of the company’s protected security enclosure. This includes encryption at rest (such as tapes, media, laptops, and mobile devices) and encryption in transit (communications). The company uses strong industry-standard encryption methods and tools including commercially available products.
The company has clear desk guidelines which advise employees to keep workspaces clear of paper containing sensitive data to prevent unauthorized access to non-public information. Practices include not leaving documents containing sensitive data visible, unlocked, or unattended. Secure waste bins or on-site document shredders are provided at some offices for the secure storage and disposal (via cross-cut shredding) of confidential paper documentation. The company has implemented controls to lock company workstations after an idle period. Secure data controls are designed to protect Information at the end of the storage device’s useful life.
The company has implemented physical security controls at company facilities, including office spaces, data centers and storage facilities.
The company aims to standardize physical security measures in its data centers and offices, including access restrictions, alarms, environmental controls, and visitor management. We maintain video surveillance and on-site security personnel in some locations on a risk-adjusted basis. The company’s critical data centers are geographically dispersed and rely on diverse utility and power infrastructure with no direct dependencies. The company’s data centers are protected from environmental hazards and power outages by various controls which may include:
Redundant electrical main service
Uninterruptible power supply
Generators
Air conditioning units
Fire detection and suppression systems
Water detection systems
Earthquake resistant facilities and seismic designs, where applicable.
Robert Half incorporates information security risk management into the supplier management process, which covers supplier selection, onboarding, performance monitoring, risk management and, for select suppliers, periodic reviews of supplier information security processes and procedures.
Our policies require suppliers that handle Information to undergo an initial assessment on a risk-adjusted basis. Subsequently, periodic assessments are conducted based on the supplier information security rating, which is calculated based on factors such as the volume and type of data stored and processed. These assessments are designed to analyze the scope and effectiveness of suppliers’ information security, privacy, and business continuity practices. Non-disclosure agreements in place with suppliers are intended to protect any confidential information shared with them.
The company’s security incident management program addresses security threats and incidents that could impact the confidentiality, integrity or availability of Information and/or the company’s technology environment. This includes contingencies for providing notifications to affected individuals and governing authorities as required by applicable laws and regulations.
The company has a team responsible for handling information security threats and incidents that could impact the confidentiality, integrity or availability of the company’s information and technology environment. The team maintains the company’s Cybersecurity Incident Response Plan which contains procedures for identifying and responding to information security incidents and protocols for escalation when clients are impacted by an information security incident, including notification of data breaches where required by applicable laws or regulations. Robert Half has:
Procedures for identifying and responding to information security incidents
Protocols for escalation when clients are impacted by an information security incident
A Crisis Management Team of key company executives that provides leadership in response to a crisis
A Crisis Communication Team to manage communications with impacted individuals, the public, clients, staff, investors, and suppliers during a crisis
The company has established a dedicated threat management center. Security intelligence and threat information are obtained from third-party intelligence service providers, industry consortia, internal monitoring, and public and government sources. Threat-hunting surveillance is conducted across the company’s infrastructure. We use this data to establish a baseline of normal activity, against which we identify anomalies that require further investigation by specialized personnel. We employ automated monitoring tools to streamline and prioritize this process and have also implemented a global security incident preparedness program to support security incident management. The program conducts business-focused simulations with business units and regional teams to assess their processes, understanding, and readiness, as well as the effectiveness of the plan.
Security event logging to a centralized security information and event monitoring system is enabled for forensic analysis and surveillance analytics by our security operations center.
The company has various programs in place to address disruptions to the business that include business continuity, disaster recovery, technology resilience and the associated crisis management and emergency response.
Each business unit aims to have a specific business continuity plan (BCP) with an assigned BCP Manager and Owner. The company conducts an annual lifecycle consisting of a Business Impact Analysis, Business Continuity Plan, and Testing. BCP Managers may at times need to verify the criticality, recovery time objective, dependencies, and recovery strategies of their core processes.
Disaster recovery testing is performed on select critical internally or cloud hosted systems to determine whether recovery time objectives established by the BCP program and recovery capabilities are met.
The company incorporates technology resilience which, based on a criticality assessment, aims to maintain the integrity and availability of the company’s data and services in line with established recovery time objectives (RTOs) and recovery point objectives (RPOs).
Crisis management staff monitor the company environment, execute pre-established crisis management procedures and coordinate responses to incidents worldwide. Training is performed with periodic tests, drills, and tabletop exercises so that our staff are ready to respond in an actual emergency or crisis.
Continuous improvement is the goal of Robert Half's Information Security program.
Clint Maples
Chief Information Security Officer