Data Security

Introduction

Purpose

The security of data is important to us. This data security information is intended to answer as many questions as possible about the security, reliability, and availability of DDI’s applications and data processing systems. This document outlines the flow of data for DDI technology-based solutions and addresses the security measures that we have taken to protect each part of the process.



DDI: Who We Are, What We Do

Founded in 1970, Development Dimensions International (DDI), a global human resource consulting firm, helps organizations close the gap between today’s talent capability and future talent needs. DDI’s expertise includes designing and implementing selection systems and identifying and developing front-line to executive leadership talent. For more information about DDI visit http://www.ddiworld.com.

DDI’s Approach to Data Security

Today’s talent management environment requires the processing of electronic records. Application functionality depends on information storage and transfer across DDI networks and the Internet. Appropriate security is essential and is fully integrated with application functionality and processes. DDI maintains a consistent security framework with appropriate privacy standards within which system applications and user populations leverage information within various business contexts. DDI employs a multi-layered approach to Information Security as it relates to the protection of user data (including candidate, participant, learner, administrator, and customer information) and the prevention of unauthorized access, alteration, or destruction. Our policies and processes are designed to:

DDI is committed to operating our businesses in a manner that fosters confidence and trust, which includes the proper use and management of personal data provided to us by our colleagues, customers, and suppliers.

Security Governance

To ensure data integrity, DDI has resources, policies, and processes dedicated to data protection, including a Data Security and Compliance Office and Data Protection Officer, who routinely monitor global standards. 

DDI’s Data Protection Officer (DPO) sets and enforces the vision and strategy for the company’s security and compliance program, with the goal of global consistency, ascertaining that risks are managed appropriately, and objectives are achieved.

Security in Partnership

The security and confidentiality of our customers’ data is a shared responsibility between DDI and our customers. DDI provides a secure platform on which customers can access and leverage their data. In addition, DDI provides tools, services, support, and resources that enable our customers to ensure the security of their data throughout the lifecycle of the engagement. See DDI’s Privacy Statement.

Customers are jointly responsible for the security of their data during and after their engagement with DDI. Customers must understand what data is being collected and held within DDI systems and define the appropriate data sharing policy to ensure that data is shared with only those who are authorized to access it. The data sharing policy should align with risk and compliance requirements that correlate to the importance and classification of that data.

DDI’s Role as a Data Processor

DDI clients operate as a “Data Controller” pursuant to the European Union (EU) Privacy Model Clauses. DDI functions as a “Data Processor” pursuant to EU Model Clauses and the General Data Protection Regulation (GDPR). See DDI’s Privacy Statement.

Data Protection Regulations

DDI is headquartered in the United States, serves customers globally, and has employed mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (the replacement for Safe Harbor), EU Model Contract clauses, and end user consent. DDI’s certification under the Privacy Shield program may be viewed at the Privacy Shield site: https://www.privacyshield.gov/. DDI maintains compliance with all applicable data security and data privacy regulations. For more information, please see DDI’s Privacy Statement on DDIWorld.com. If you have questions around regulatory applicability, reach out to DataProtectionOfficer@ddiworld.com.

Third Party Providers

DDI utilizes third party providers for the provisioning of our Services to you as described in our agreements. All third-party providers are required to comply with DDI’s data processing, protection, and security standards.

For a list of our current sub-processors please see https://www.ddiworld.com/thirdpartyproviders

Data Classification

DDI classifies personal data we collect and process into four categories, each requiring specific actions to ensure security. Data collected is reviewed on a periodic basis and classified according to its use, sensitivity, and importance. See the Confidential Information Policy for details.

Technical and Organizational Measures

Many of our key Technical and Organizational Measures (TOMs) for data security and integrity are listed below. Additional details for these and other controls are described later in this document.

Control | DDI uses
Cloud
  • DDI utilizes a variety of cloud-based, GDPR compliant platforms
Data Privacy and Security Awareness Training
  • DDI conducts regular training for DDI associates to learn about data privacy, confidentiality, and security best practices
  • DDI sends regular mock scam emails to teach end users to recognize and avoid phishing attacks, social engineering traps, malicious links, and downloads
Physical Security
  • DDI hosts client facing applications at redundant data centers that are ISO-27001, SOC 2 and SSAE-18 certified
Internal Business Applications
  • DDI uses sub-processors for general business operations including Microsoft Office 365, Microsoft Dynamics for customer relationship management, Oracle for accounting and invoicing, and Oracle Taleo Cloud for online recruitment services
  • These sub-processors only process business contact information
Network Security
  • Managed anti-virus on all components
  • Application-layer firewall
  • Dual redundant multi-segmented network-layer firewalls
  • Physical and logical network separation of each tier
Infrastructure Redundancies
  • Redundant power with Uninterruptible Power Systems (UPS)
  • Connections to multiple Internet provider networks
  • Redundant component infrastructure
  • Clustered high availability systems
  • SAN storage technology for storage redundancy
  • Load balancing for application redundancy
  • “Hot-spares” for all essential network production equipment
Monitoring and Intrusion Detection
  • Intrusion detection on all network segments
  • 7x24 monitoring, detection, and alert of malicious activity
  • 7x24 monitoring, detection, and alert of system anomalies
  • Regular log review
Infrastructure Access Controls
  • Least-Rights-Necessary access model
  • Configurable session inactivity timeouts
  • Encrypted passwords
  • Strong password policy for privileged accounts and servers
Independent Audit
  • Annual data processing and financial systems audit
  • Third party certification of controls and processes including ISO27001:2013
QA & Testing
  • Separate QA & testing platforms
  • Gated code promotion strategy
  • Automated and “white box” QA testing processes
Authentication & Authorization
  • Role-based
  • Fully HTTPS/SSL compliant
  • Supports SAML Single Sign-On (SSO)
Platform Availability, Stability & Performance (ASP)
  • Highly scalable virtualized platforms
  • End-user experience monitors for application performance
Vulnerability Assessment
  • Annual infrastructure vulnerability scans
  • Annual Application Penetration Assessment (APA)
  • Quarterly Managed Application Scans (MASs)


Infrastructure Controls

General

DDI hosts client facing applications at redundant SSAE18, SOC 2 Type II, ISO / IEC 27001:2013, HIPAA/HITECH, PCI DSS certified data centers.

DDI’s server infrastructure is located in a dedicated 8’ x 8’ enclosed caged area. Access to this area is limited to the DDI staff responsible for managing the application servers and network components. The data center facility has implemented extensive systems to provide security and physical plant protection. These systems include physical security, fire prevention, security and fire alarms, video surveillance, multiple levels of card access, 24-hour staffing and detailed access and visitor logs. Only data center facility authorized engineers can open and lock equipment cabinets. Additionally, there are no customer names on the cabinets and no cabinet floor plans to associate cabinets with customers. Inside the facility, closed circuit television (CCTV) cameras mounted above each cabinet row monitor all activity.

All DDI equipment is monitored in a temperature-controlled environment. DDI’s hosted solutions operate at an average temperature between 65 and 75 degrees Fahrenheit and average relative humidity between 30% and 45%. All equipment is protected by a fire suppression system with a built-in early warning detection system. The Very Early Smoke Detection Apparatus (VESDA) system detects abnormal particulate matter in the air. A pre-activation fire detection system verifies a fire before activating the suppression system. Heat detectors above and below both the floor and ceiling are controlled in the NOC (Network Operations Center) and monitored off-site.

Physical Access

Physical access to DDI’s application and network systems is highly controlled. All points of entry have badge readers to permit or deny access and video surveillance that is monitored 24x7 by data center facility personnel. Access to this facility is protected 24x7 by security personnel and limited to authorized individuals with a need to manage DDI systems. All approved DDI resources are issued a photo ID for access. Upon an access request, data center facility personnel verify that the name and photo match the name and photo held in their secure system. Logs of such access are monitored electronically via the badge access system and are reviewed quarterly.

Continuity

The data center facility’s hot sync parallel/redundant systems provide redundant power supply through Uninterruptible Power Systems (UPS) and backup generators. In the event of power failure, an on-site diesel generator system automatically generates power to both AC and DC systems, powering the internal data center facility network without interruption to service. There are connections to multiple telecommunications companies’ networks for redundant internet access and connectivity is load-balanced and provided by more than one ISP. In addition, DDI automatically replicates all production services to a geographically diverse secondary datacenter facility which ensures rapid service recovery in the event of failures at the primary site. SAN and RAID technology solutions are used for storage redundancy and secondary “hot-spare” hardware for core network infrastructure and production application server components is available for production systems. DDI Information Technology (IT) maintains the Service Restoration plans for all services, systems, and applications.

DDI maintains a detailed Disaster Recovery plan for restoring business service in the event of a large-scale system failure. This plan is updated as any changes are made to the system infrastructure or production web farm configuration and is tested on an annual basis.

Applicable Certifications/Standards

SSAE-18

DDI only stores data in data centers that have received unbiased favorable annual SAS 70 Type II audits. Note that the SAS 70 has been replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 18 and our data centers are certified to that standard.

ISO 27001

DDI only uses data centers that have demonstrated their adherence by periodic assessments and annual certification.

DDI also maintains its own ISO27001 certification and is audited annually.

SOC 1/ SOC 2

DDI is neither SOC 1 nor SOC 2 certified. However, DDI’s data hosting provider does keep current SOC 2 certifications.

Server Hardening

DDI’s servers provide a wide variety of services to both internal and external users, and some servers store or process information that may be considered sensitive or confidential in nature. Given the fact that servers can be targeted for attack, it is critical that DDI servers are secured appropriately. DDI’s process of enhancing server security includes the following measures:

For security reasons, we cannot provide all details of our server security controls.

Patch Management

High impact patches are defined as patches that will protect against a security risk that has the potential to significantly impact our network on or before the date of the patch. DDI’s IT team immediately distributes these patches to all devices after testing of the patch on our test platforms. Distribution will occur no later than 24 hours after identification.

Medium or Low impact patches are defined as patches that will protect against a future security risk. DDI distributes these patches to all devices after testing of the patch on our test platforms and testing with a control group of users. Distribution will occur no later than 2 weeks after testing is complete.

Backup, Retention and Archiving Procedures

Data is incrementally backed up on a nightly basis to ensure that all applications and client data are preserved and available to be restored in the event of any loss of data or catastrophic event. Hot backups are made to disk and transferred to tape. These backup tapes are rotated, with 30 days of daily backups being maintained. Monthly and yearly 128bit AES encrypted backup tapes are archived offsite.

In accordance with the DDI rotation schedule, authorized datacenter personnel log the tapes into the offsite storage provider's web portal, and then physically place the tapes in a "lock box" for pickup by the storage provider. Authorized personnel then store the tapes in the DDI dedicated and secured cage.

If a system recovery is necessary, DDI system engineers will retrieve the file, data, or system state from an on-line backup system if it is less than 24 hours old. In this event, system or database recovery can be completed in a matter of minutes or possibly several hours. If the file, data, or system state is more than 24 hours old, DDI system engineers will contact its data center facility to retrieve the necessary tape. This retrieval can take several hours or possibly up to one day. After the tape is loaded into the library, DDI system engineers will recover the file, data, or system state immediately.

Backup Schedules and Data Retention

Asset Recovery, Recycling and Disposal

Hardware Recycling/Disposal Procedure

  1. When Hardware has reached its end of life cycle, the hardware is stored in a locked asset room and retained for disposal.
  2. Retired equipment is recycled through an R2 Certified Recycling vendor.
  3. DDI receives a Detailed Destruction report of the assets that were recycled for record keeping.

Hard Drive Disposal Procedure

  1. All hard drives, tape media, optical drives, etc. are removed from the hardware and retained for secure bulk destruction at a later date.
  2. For secure data destruction, DDI has contracted the services of recycling vendors who employ a low-level, Department of Defense approved, 7-pass wipe (DoD 5220.22-M (ECE)).
  3. This process is compliant with HIPAA, FACTA, GLB, and unclassified government material requirements.
  4. Non-functional hard drives are degaussed.
  5. All data is purged as set forth in NIST Special Publication 800-88.
  6. DDI receives and retains a Certificate of Destruction for record keeping.

Network Security

Network Infrastructure

DDI’s network infrastructure consists of a dual high-availability (HA) pair of devices providing load-balancing and acceleration capabilities that listen for requests arriving via HTTP (redirected to HTTPS) or HTTPS at a web site’s external IP address. The hardware load-balancer translates this to an internal IP of the web/application servers and routes the request appropriately. Application servers are maintained in a perimeter, web-facing DMZ. Database and file servers are protected behind additional firewalls with very limited access rules that permit only application traffic. Strong passwords protect server and service accounts.

Firewalls

Firewall protection is provided by devices functioning as high as Layer 7 of the OSI Model. All hardware is in a redundant passive-active configuration.

Intrusion Detection and Monitoring

DDI uses a comprehensive set of tools that provide continuous real-time monitoring of every component to enable security monitoring, patch management, and other remote administration functions. DDI employs a managed security services company for security monitoring, firewall management, intrusion detection systems (systems designed to detect potential threats in real time), and response processes.

DDI employs both host-based and network-based detection systems that are monitored and responded to on a 24x7 basis. DDI IT is notified immediately upon the detection of any anomalies via cell phone. Weekly reports are provided to DDI for review. Penetration tests are conducted quarterly.

Malware and Anti-Virus Protection

DDI utilizes several monitoring products to monitor network, servers, databases, and web sites. All application and system event logs are monitored as well. The monitoring environment is configured to automatically send alerts to appropriate staff that are on call 24x7. Specific escalation paths to appropriate DDI System Engineers and DBAs exist to help resolve the issue as quickly as possible.

In addition, DDI network monitoring systems periodically conduct complete scans of every active node on the network to ensure that these nodes are properly configured and are running the most current version(s) of the anti-virus and other security-impacting code (e.g., hotfixes, service packs).

All appropriate systems (PCs, servers, gateway systems, etc.) are protected by Microsoft’s endpoint protection anti-virus and “zero-day protection” software that is centrally managed and updated.

All gateways are protected by anti-virus software that is centrally managed and updated and the email and browsing infrastructure employs content scanning and heuristic scanning techniques to ensure data is virus-free.

Secure Data Transmission and Encryption

DDI uses SSL/TLS 1.2 for secure HTTPS application data access. SSL technology is provided as standard for all DDI applications and all backup tapes are encrypted using 256bit AES encryption. Encryption is used for passwords stored in application databases.

All files (regardless of confidentiality) remain encrypted when copied from a DDI laptop to an external storage device. If the external device is not encrypted, DDI’s Enterprise Encryption Software will automatically encrypt and password-protect the external device. In addition, DDI utilizes hyperconverged infrastructure that encrypts data at rest utilizing storage controller-based encryption.

Email is not considered a secure form of communication; however, DDI does offer the ability to encrypt individual messages when explicitly requested.

Application Security

Data Flow

When using DDI applications, data typically flows between three important parties—end users, client associates/candidates, and DDI.

When an end-user accesses a DDI application, the information they provide is submitted via secure encrypted (HTTPS) methods. Web data is delivered to the end-user in the form of test/assessment questions, surveys, graphics, and other content included in the DDI application. The data is processed by the application servers and submitted to database servers for storage. Web/application and database servers are located on separate logical and physical networks protected by firewalls.

DDI uses SSL/TLS 1.2 for secure HTTPS application data access. SSL technology is provided as standard for all DDI applications and all backup tapes are encrypted using 256bit AES encryption. Encryption is used for passwords stored in application databases. All data (regardless of confidentiality) remains encrypted in transmission and at rest.

Role-Based Security

Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through the change management process (detailed in later sections) addressing quality assurance, testing, documentation, change scheduling, and other such IT operational “best practices”.

Account Administration and Access

All infrastructure component administration and account management are strictly controlled by DDI. User accounts are automatically locked/disabled after excessive failed login attempts. Server and service accounts are required to have strong passwords containing alphabetic, numeric, and special characters. DDI uses a global remote direct access solution that includes authentication and encryption at an industry standard level.

End-users are granted ‘least privileged access’ permissions to effectively and efficiently do their jobs. All administration and account management are strictly controlled by DDI. User accounts are required to have strong passwords and password-protected screen savers. Account access will be automatically disabled after excessive logon failures or termination of employment.

Access to all data (irrespective of classification) is provided using a “Least Rights Necessary” security model, i.e., granted to those with a legitimate business need such as end-users, client administrators, and various DDI and client support teams.

Direct Database Access

Only very select members of DDI’s engineering team have access at a database level. This access is used for creating off-site backups and performing data restorations. This is all done without viewing data. See Appendix II for additional information.

As part of DDI's Privileged Identity Management (PIM) process, DDI uses the Azure AD Entitlement Management and Azure Identity Governance tools for the administration and monitoring of privileged accounts and their access to sensitive information. In support of this process, all database access requests must be formally justified and approved. If approved, access is only granted for a limited duration.

Access to Data Centers or Backups

Physical access to Data Centers is restricted to a named list of associates. Physical access does not mean access to data. The physical media resides on servers in a locked cabinet. Off-site backups are stored in a fire safe in a secure room. Access to this room is restricted and logged.

Access to Applications

Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through a best practice change management process.

Access to Application Data

End user Participants are either client or DDI associates who input personal information to a DDI application system in the context of completing an online diagnostic or learning activity (such as an assessment, test, survey, or learning journey). End user Administrators are system end-users who manage accounts and workflow processes within a DDI application system. Administrators may be either client associates or DDI associates who input personal information on behalf of clients or applicants and may progress them through different process phases. Examples include hiring managers, staff development professionals, and other Human Resources roles.

When a user requests technical support from DDI’s Product Support team, they may grant a support representative temporary access to the account. The support team may need to view an individual user’s data as part of the support incident resolution. Access to the account is limited to the scope of the request and troubleshooting/problem-resolution processes required to provide the end user with appropriate assistance.

Application Penetration Testing

DDI employs a managed security services company to test for “dynamic vulnerabilities” such as logic flaws, unpublished exploits, and other risks specific to the application environment; the same testing also covers known, published “static vulnerabilities”.

Application Penetration Assessments (APAs) are performed annually and include application scanning followed by intensive manual testing to identify application vulnerabilities. Reporting is fully customized and includes both positive and negative findings.

Quarterly Managed Application Scans

Managed Application Scans (MASs) are performed quarterly and include application-level scanning, false positive validation, and automated reporting.

Findings Review

Findings Risk Analysis

Vulnerability Classification

Vulnerabilities are classified using the CVSS scale per the CVSS v3.0 specification (https://www.first.org/cvss/specification-document) and can be calculated on a per-vulnerability basis using the CVSS Calculator (https://www.first.org/cvss/calculator/3.0).

Vulnerability remediation is to be completed as soon as possible once identified using the following table:

Severity | Description | Service Level
Critical | Critical vulnerabilities have a CVSS score of 9.0 or higher. They can be readily compromised with publicly available malware or exploits. | 2 days
High | High-severity vulnerabilities have a CVSS score of 7.0-8.9. There is no known public malware or exploit available. | 30 days
Medium | Medium-severity vulnerabilities have a CVSS score of 4.0 to 6.9 and can be mitigated within an extended time frame. | 90 days
Low | Low-severity vulnerabilities are defined with a CVSS score of 0.1 to 3.9. Not all low vulnerabilities can be mitigated easily due to applications and normal operating system operations. These should be documented and properly excluded if they can’t be remediated. | 180 days
None | Information vulnerabilities have a CVSS score of 0.0. These are considered potential risks but are generally reference information for the state and configuration of an asset. | Not required
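The severity bands above are the CVSS v3.0 qualitative rating scale, and the service levels turn each band into a remediation deadline counted from the date a finding is identified. The following is an added example of how a findings tracker can apply that table; it is not DDI’s code or tooling. The finding references, dates and scores are constructed sample values, and the “informational” status for score 0.0 findings reflects the “Not required” service level.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation service levels from the table above (CVSS v3.0 qualitative bands).
# "None" (score 0.0) is informational and carries no deadline.
SLA_DAYS = {"Critical": 2, "High": 30, "Medium": 90, "Low": 180, "None": None}

# Date of the findings review the sample report is generated for (constructed).
REVIEW_DATE = date(2024, 3, 20)


def classify(score: float) -> str:
    """Map a CVSS v3.0 base score to the severity label used in the table.

    Band boundaries follow the table: 9.0+ Critical, 7.0-8.9 High,
    4.0-6.9 Medium, 0.1-3.9 Low, 0.0 None.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range 0.0-10.0: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass
class Finding:
    """One vulnerability as a scanner or tracker would record it."""
    ref: str                       # tracker reference (constructed values below)
    cvss_score: float
    identified_on: date
    remediated_on: Optional[date] = None


def due_date(finding: Finding) -> Optional[date]:
    """Remediation deadline: identification date plus the SLA for its band."""
    sla = SLA_DAYS[classify(finding.cvss_score)]
    return None if sla is None else finding.identified_on + timedelta(days=sla)


def status(finding: Finding, today: date) -> str:
    """'remediated', 'overdue', 'open', or 'informational' (no deadline)."""
    if finding.remediated_on is not None:
        return "remediated"
    due = due_date(finding)
    if due is None:
        return "informational"
    return "overdue" if today > due else "open"


def sla_report(findings: list, today: date) -> list:
    """Rows for a findings review, overdue items first, then by due date."""
    rows = [
        {
            "ref": f.ref,
            "severity": classify(f.cvss_score),
            "due": due_date(f),
            "status": status(f, today),
        }
        for f in findings
    ]
    # Informational rows have no due date, so they sort last.
    rows.sort(key=lambda r: (r["status"] != "overdue", r["due"] or date.max))
    return rows


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", 9.8, date(2024, 3, 1)),                     # Critical, due 2024-03-03
    Finding("VULN-0002", 7.5, date(2024, 3, 1), date(2024, 3, 10)),  # High, already remediated
    Finding("VULN-0003", 5.3, date(2024, 1, 15)),                    # Medium, due 2024-04-14
    Finding("VULN-0004", 3.1, date(2024, 3, 1)),                     # Low, due 2024-08-28
    Finding("VULN-0005", 0.0, date(2024, 3, 1)),                     # informational, no deadline
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE_FINDINGS, today=REVIEW_DATE):
        print(f"{row['ref']}  {row['severity']:<8} due={row['due']}  {row['status']}")
```

The deadline is anchored to the identification date rather than the scan date so that a finding re-reported by a later scan does not have its clock reset; a tracker that dedupes on the finding reference keeps the original date.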


DDI Associate Policies

DDI employs rigorous processes and controls over access and permissions for all infrastructure components, networks, firewalls, servers, databases, etc. This is strictly controlled within the Global Technology Group, which has final authority on all administrative user access, system monitoring/notifications, as well as OS, security, and application updates. Regular mock scams are also conducted to help DDI associates become more aware of such attacks and respond to them appropriately.

Screen Locking

All computers are configured to have a password-enabled screen saver. DDI’s policy for screen lockout is 15 minutes. After 15 minutes of inactivity the screen saver will be invoked. The user must then reenter their password to gain access to the computer.

Passwords

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. To view DDI’s full Password Policy, please reference Appendix I.

Revoking Access

As soon as administrative access to DDI systems and application platforms is no longer required for job responsibilities, it is revoked. This includes termination of employment as well as changes to roles or responsibilities in the company.

This process is completed within 24 hours of a role change, or immediately in the event of involuntary employment termination. In addition, we regularly review which associates have these permissions and make changes as needed.

Data Privacy and Security Awareness Training

All DDI associates receive regular training and best practice guidance on data privacy, security, and confidentiality. Completion of training is monitored to promote the highest level of compliance.

Cookies

Cookies are data files that are sent to a user’s computer upon visiting a website and are stored in a file in the user’s web browser. DDI uses cookies and similar technology (collectively, “cookies”) to assist with navigation and users’ ability to provide feedback, analyze users’ interest in our Products and solutions, assist with content personalization and our promotional and marketing efforts, and provide content from third parties. 

Any authorization cookies are session cookies that expire after the user closes their browser or their session ends. Some analytics and system functionality cookies may last up to 24 hours from creation. Most of our cookies are encrypted, with some minor exceptions such as “language.” We do not store any personal data in cookies. Users may not opt out of any cookies that are strictly necessary to the function of the system.

See Appendix II for full details of DDI’s cookie policy.

Product Development Process and Code Management

Development Release Cycle

DDI employs an agile development model. Agile is an iterative approach to software development and provides a very nimble capability that allows DDI to rapidly respond to the needs of our clients. We have a planned new code release cycle – typically a weekly cycle.

This means that approximately every week DDI releases new features and upgrades. It also gives us frequent windows for releasing fixes to features that do not work as desired. Outside of this cycle we can make “emergency” releases as urgency dictates.

Development Environments

DDI uses separate application instances for testing updated code and has separate instances for early candidate code and release candidate software. This protects data from ever being controlled or accessed by code still in development. All development code runs against “dummy databases”.

Code Review

Programmers work individually or in teams developing new code. As the end of each cycle approaches, code is peer-reviewed and tested in a QA environment separate from the production environment. This testing period allows us to eliminate most bugs before they are ever introduced to production. Code is also programmatically inspected for known vulnerabilities.

Code Management

Git is used to manage the software development process and serves as the source-code repository. The tool and related processes ensure that no changes are overwritten due to multiple developers making changes to the same module. Change control processes exist at many different levels within application development, QA and implementation including:

Global People Services (Human Resource Policies)

Confidential Information

Upon hire, all DDI associates are required to sign a confidentiality agreement that specifically addresses the concerns and risks of dealing with confidential information. Any associate found to have violated this policy is subject to immediate termination or any applicable legal action. In addition, annually employees sign a Code of Business Conduct and Ethics.

Background Check Policy and Procedure

DDI believes that hiring qualified individuals to fill positions contributes to the overall strategic success of the company. Background checks serve as an important part of the selection process at DDI. This type of information is collected as a means of promoting successful candidate matches for the position, as well as a safe and secure work environment for current and future employees. Background checks help DDI obtain additional applicant related information that helps determine the applicant's overall employability, ensuring the protection of the current people, property, and information of the organization.

DDI’s full Background Check Policy can be made available for viewing if requested. To request the policy, please contact DataProtectionOfficer@DDIWorld.com.

Credential Verification

DDI’s pre-employment checks are designed to ensure that all associates are confirmed to have the degrees and certifications that they purport and/or are required to have. All prospective associates have their stated employment histories and integrity references verified.

SSN Verification

All US-based associates are verified legal US workers, and Social Security Numbers or work authorizations are verified.

Security Incident Response

DDI maintains a comprehensive security incident detection and response plan that includes intrusion detection, scans, and other methods deemed effective and appropriate. While computer-related incidents are the most common, non-computer-related incidents can also be reported through the Incident Hotline or by contacting DDI's DPO or Corporate Counsel.

The purpose of the Security Incident Response and Notification Policy is to provide general guidance to DDI’s Technical and Managerial staff to enable quick and efficient recovery from physical or logical security incidents including the reporting of, responding to and managing unauthorized access to and/or loss of Confidential Information. DDI shall report any security incidents to affected or potentially affected clients within 48 hours of discovering a security breach.

In the event of a security breach or suspected security breach, the following actions must occur.

  1. Immediate notification of the following DDI personnel:
    • Data Protection Officer
    • DDI General Counsel
    • Data Privacy and Security Office
  2. Proper incident identification and documentation (must include):
    • Description of the relevant incident
    • Time and date on which the incident occurred and on which it was detected
    • The person who reported it, and to whom it was reported
    • Description of Personal Data that may have been compromised
  3. Incident containment activities.
  4. Incident eradication activities or processes.
  5. Incident recovery and review.

Appendix I - DDI Password Policy

Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. All users, including contractors and vendors with access to DDI systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, the frequency of password changes, and lockout policy for invalid attempts.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any DDI facility, has access to the DDI network, or stores any non-public DDI information.

Policy

Guidelines / Standards

System/server-level and user-level passwords have the following requirements:

The following password types should be avoided:

Password Protection Standards

If an account or password compromise is suspected, report the incident to DataProtectionOfficer@ddiworld.com

Password History, Age, and Lockout Standards

Appendix II - DDI’s Cookie Policy

DDI uses the following types of cookies on its website:

To opt-out of having this information used for serving you interest-based ads, click here (or if located in the European Union click here).

DDI Cookie Policy – Products

DDI's Cookie Policy applies to all DDI Products ("Products"). Cookies are small data files that are sent to a user's computer upon visiting the Product website and stored by the user's web browser. DDI uses cookies and similar technology (collectively, "cookies") to assist with navigation and users' ability to provide feedback, analyze users' interest in our Products and solutions, assist with content personalization and our promotional and marketing efforts, and provide content from third parties.

Authorization cookies are session cookies: they expire when the user closes the browser or the session ends. Some analytics and system functionality cookies may last up to 24 hours from creation. Most of our cookies are encrypted, with some minor exceptions such as "language". We do not store any personal data in cookies.

Products set only essential cookies, so users cannot opt out of cookies when using Products.

Further resources:

Learn about DDI's Data Regulation Compliance
Read our Privacy Policy
GDPR regulation
Submit a data request
Visit this page to select the type of marketing emails you'd like to receive from us or to unsubscribe.