Data Security | SV-PS-230a.1 | Description of approach to identifying and addressing data security risks | Our cybersecurity program is aligned with industry standards (including ISO 27001) and constantly evolves to detect and protect against existing and emerging threats through oversight by a team of dedicated security experts in IT, led by the director of infrastructure and security, who reports to the chief information officer. Our cybersecurity controls and practices — which include authentication controls, authorization controls, audit controls, and encryption — involve every employee in the vigilant protection of our and our clients’ data through technology and training. In addition, we use a threat and vulnerability management and penetration testing program to detect new vulnerabilities and help assign priority to remediation. Huron provides regular cybersecurity and privacy workforce training as well as additional subject-matter-specific training to relevant practice groups, including our healthcare industry business. We also utilize workforce communications tools to reinforce privacy and cybersecurity awareness throughout the year. Huron has an Information Security Management System (ISMS) Steering Committee, which acts as the strategy and review body governing Huron’s information security policies and practices and comprises representatives from executive leadership, IT, legal, human resources, and business operations leaders. A dedicated governance, risk, and compliance team, reporting to the chief information officer, oversees Huron’s daily ISMS activities and its daily risk and compliance tasks. In 2020, Huron’s board of directors formed the Technology and Information Security Committee to oversee the company’s technology-related strategies, investments, and operational impacts and technology-related risks, including information security, data protection, cybersecurity, and business continuity. |