Employees undergo information security and privacy awareness training upon hire and annually thereafter. The information security and privacy awareness training program includes ongoing phishing detection training.
RSM has a dedicated information security team. The team is led by the chief information security officer and is organized into five sub-teams: security architecture, security operations, identity and security services, cyber incident response, and IT governance. RSM’s leadership culture drives continuous improvement and includes appropriate layers of oversight, leadership participation and a risk-based approach to the control of protected information.
RSM information security standards are aligned with an internationally recognized industry standard for security, the ISO/IEC 27001 framework, and are guided by security requirements specific to RSM’s operating environment, by the laws and regulations that are relevant to RSM, and by information security best practices.
RSM actively monitors vulnerabilities and potential security threats or events. RSM utilizes industry-standard prevention and detection tools including intrusion prevention systems, intrusion detection systems, data loss prevention, and security information and event management to protect the network. RSM also has an incident response plan and incident response task force that will be utilized in the event of an incident.
RSM performs a security review on vendor cloud-based solutions that store or access confidential information. Vendor contracts include confidentiality clauses and security, privacy, data integrity and data breach provisions as needed. Contractor and other nonemployee contracts include a requirement to comply with RSM’s acceptable use and information security policy.
RSM collects, uses and retains personal information subject to its publicly available privacy policy. As further described in the privacy policy, RSM processes such data for several purposes, including to provide services to its clients. Such data may be retained for as long as is necessary for the purposes described in the privacy policy or to achieve the purposes for which the information was collected, or as may be permitted under applicable law. RSM has a dedicated data privacy office, and its privacy program is aligned with the ISO/IEC 27701 framework.