To support this mission, our leadership team drives continuous improvement and includes appropriate levels of oversight, leadership participation and a risk-based approach to the control of protected information. Our people undergo information security and privacy awareness training upon hire and annually thereafter. This training includes ongoing phishing detection training.
We also have a dedicated information security team. Our chief information security officer leads the information security team which includes, but is not limited to, security operations, cyber incident response, security architecture and engineering, and information security governance.
Our information security standards are aligned with an internationally recognized industry standard for security, the ISO/IEC 27001 framework, and are guided by security requirements specific to our operating environment, as well as by laws and regulations relevant to our firm. Information security best practices are also taken into consideration.
We actively monitor vulnerabilities, as well as potential security threats and events. We use industry-standard prevention and detection tools, including intrusion prevention systems, intrusion detection systems, data loss prevention, and security information and event management to protect our network. We also have an incident response plan and incident response task force that are engaged in the event of an incident.
At RSM we perform a security review on vendor cloud-based solutions that store or access confidential information. Vendor contracts include confidentiality clauses and security, privacy, data integrity and data breach provisions, as needed. Contractor and other nonemployee contracts include a requirement to comply with our acceptable use and information security policy.
We collect, use and retain personal information subject to our publicly available privacy policy. As described in our privacy policy, we process such data for several purposes, including to provide services to clients. This data may be retained for as long as is necessary for the purposes described in our privacy policy, to achieve the purposes for which the information was collected or as permitted under applicable law. We have a dedicated privacy office led by our enterprise privacy leader and our privacy program is aligned with the ISO/IEC 27701 framework.
