Privacy & Cybersecurity

Johnson Service Group’s online information practices.

Privacy Policy

Our Commitment to Privacy

To better protect your privacy, we provide this notice explaining Johnson Service Group’s online information practices and the choices you can make about the way your information is collected and used. To make this notice easy to find, it is available on our homepage and wherever personally identifiable information may be requested. This notice applies to all information collected or submitted on the Johnson Service Group website. 

The Information We Collect

When you browse our website, your IP address (the internet address of your computer) is recorded so that we may know how you are using our website. Your browser may also automatically provide us with information regarding your computer and operating system. This information is used by Johnson Service Group to monitor and improve our website. This information is not linked back to you as an individual user. On some pages, you can order services, make requests, and register to receive materials. The types of personal information collected on these pages are name, address, email, phone, fax, and billing information. In order to tailor our subsequent communications to you and continuously improve our services, we may also ask you to voluntarily provide us with information regarding your personal or professional interests, demographics, experience with our services, and contact preferences.

The Way We Use Information

Johnson Service Group uses this information to better understand your needs and provide you with better service. Specifically, we use your information to help you complete a transaction, to communicate back to you, to update you on services and benefits, and to personalize our website for you. From time to time, we may also use your information to contact you for market research or to provide you with information about other Johnson Service Group services that we think would be of particular interest to you. At a minimum, we will always give you the opportunity to opt out of receiving such direct marketing or market research communications. You may exercise this right to opt out at any time. We never use or share the personal information you provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt out or otherwise prohibit such unrelated uses.

How You Can Correct Your Information

At any time, you may obtain a summary of your personal information on record with Johnson Service Group. You may also request that we dispose of any or all personal information about you, except for personal information we need to complete transactions or to maintain proper records of previous transactions. You can help us maintain the accuracy of your information by notifying us of any change to your personal information.

How to Contact Us

If you have questions or concerns about this Privacy Statement or how we handle your personal information, please contact us. Johnson Service Group welcomes comments and suggestions concerning this Privacy Statement. We are committed to respecting your privacy and protecting your personal information.

Your Acceptance of These Terms

By using Johnson Service Group’s website, you signify your agreement to this Privacy Statement. Johnson Service Group reserves the right to change this Privacy Statement at any time. Any revisions will be posted on this site. Please check this page periodically for changes. 



Cybersecurity Governance

At Johnson Service Group (JSG), one of our top priorities is maintaining the trust of our clients, candidates, and employees by managing the risks associated with maintaining the cybersecurity, confidentiality, and integrity of the data collected from our employees, clients, and candidates. Johnson Service Group has implemented the “Zero Trust Model” at the organizational, architectural, and operational levels, which is designed to maintain the cybersecurity, confidentiality, and integrity of our data.

Security Governance

JSG’s cybersecurity initiatives are either managed or driven by the internal information security program. JSG’s cybersecurity team, composed of C-Suite and other senior executives representing business functions across JSG and chaired by the VP of Information Technology, is responsible for managing and setting JSG’s data and information security, cybersecurity direction, and strategy.

1 INTRODUCTION

JSG is committed to implementing cybersecurity and information security programs that are designed to protect our data from external and internal threats. JSG’s cybersecurity strategy focuses on detection, prevention, and response based on threat intelligence, risk assessments, and proactive monitoring. JSG’s goal is to protect the data and systems as well as our clients, candidates, and employees. This statement provides an overview of JSG’s approach to information security, cybersecurity, and its practices to secure data, systems, and services.

1.1.1 Information Security Program

Information security is overseen by our Vice President of Information Technology North America (VP of IT), who reports to Executive Leadership (ELT). The VP provides monthly updates to the ELT on relevant risk topics, program status, and incidents.

1.1.2 Technology Risk Management

The VP is responsible for managing the cybersecurity program, which conducts cybersecurity and privacy risk assessments in four modes:

  • Assessments of core business processes and information assets
  • Assessments of Internet-facing services
  • Assessments integrated with our supplier due diligence process
  • Assessments in response to certain threat or vulnerability intelligence

1.1.3 Internal Audit

JSG’s internal audit assesses JSG’s overall control environment, raises awareness of control risks, communicates and reports on the effectiveness of JSG’s governance, risk management, and controls that mitigate current and evolving risks, and monitors the implementation of management’s control measures.

1.2 INFORMATION SECURITY POLICIES AND STANDARDS

JSG maintains an extensive set of information and cybersecurity policies and standards to document the company’s approach to data integrity, information security, and cybersecurity.

1.2.1 Policies and Standards

JSG maintains policies and standards that address data privacy laws and regulations applicable to JSG in the jurisdictions in which it operates. Policies and standards are reviewed and approved by ELT. JSG seeks to align our policies and standards with a range of recognized industry standards, including those established by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). JSG policies and standards are available to personnel through JSG’s intranet (JSGCONNECT). JSG maintains information security acceptable use policies covering topics such as information security, information protection and acceptable use, computers, laptops, and tablets, email, the internet, the intranet, passwords, remote access, software, telecommunications, removable electronic data storage media, mobile devices, instant messaging, wireless access, social media, awareness and training, and enforcement.

1.3 IDENTITY AND ACCESS MANAGEMENT

JSG has implemented controls designed to authenticate and authorize user access to the approved systems and data, including multi-factor authentication (MFA) where applicable.

1.3.1 User Identity Management

JSG has well-developed access controls that are based on the general principles of no privilege without identity, no privilege without approval, and least privilege based on roles and responsibilities. Employees are prohibited from sharing their credentials or any confidential information, such as usernames and passwords.

1.3.2 Access Management

JSG undertakes to require strong password controls and protect access to the JSG network.

1.3.3 Entitlements Management

JSG’s approved authentication and entitlement solutions are used to implement identity and access management and to enable reporting of user entitlements. These solutions are used to manage the access levels of employees throughout the lifecycle of their careers at JSG. 

1.4 DATA SECURITY

JSG keeps individual Personal Information for as long as required or permitted in light of the purpose(s) for which it was obtained.

The criteria used to determine our retention periods include:

  • For as long as we have an ongoing relationship with you;
  • As required by a legal obligation to which we are subject; or
  • As advisable in light of our legal position (such as regarding applicable statutes of limitations, litigation, or regulatory investigations).

We may delete Personal Information for inactive accounts from our database, subject to any applicable legal or regulatory obligations. Furthermore, we may delete Personal Information from our database at any time and without providing any notice and justification.

1.4.1 Centralized Inventory

JSG tracks hardware and software in a centralized automated inventory tool by documenting the application, associated hardware, and the type of data the application processes.

1.4.2 Data Backup and Recovery (3-2-1)

Data is typically encrypted and securely backed up to local hardware, a secondary location, and the disaster recovery site for recovery purposes. JSG’s backup and recovery are performed using a leading enterprise-grade backup and recovery system.

1.4.3 Logging

JSG has logging and continuous monitoring systems deployed on-site.

1.5 INFRASTRUCTURE SECURITY

JSG protects its infrastructure through the “Zero Trust Model,” a tiered network architecture, vulnerability assessment, system hardening, DNS filtering, and malware protection.

1.5.2 Enhanced System Configurations

Hard drives on JSG assets are to be encrypted using industry-standard encryption software. Special laptop agents are installed to enable JSG IT to remotely wipe lost or stolen devices.

1.5.3 Malware Protection

JSG deploys behaviour-based endpoint detection and remediation solutions. JSG also has email filter controls in place on email tenants, and DNS filters on our internet browsing, in addition to filtering for phishing, spam and known-bad websites.

1.5.4 Perimeter Network Security

Internet-facing connections are protected by next-generation firewalls that are designed to only allow the defined inbound and outbound traffic. JSG does not provide external access to resources through internet-facing services from the internal infrastructure. Network segmentation was deployed to further secure zones via a combination of firewalls and virtual local area networks. Intrusion detection systems and intrusion prevention systems are deployed at the network perimeter to monitor and block malicious activity.

1.5.5 System Monitoring and Vulnerability Management

JSG has a vulnerability management program that performs vulnerability scans of the internal network environments using an industry-standard tool. JSG also engages third parties to scan its internet-facing infrastructure and provide findings for mitigation.

1.6 MOBILE SECURITY

JSG’s mobile policy allows employees to conduct selective business activities on certain handheld devices, with security controls designed to secure and protect JSG systems and noncritical information, including encryption and authentication.

1.7 DATA SECURITY

JSG implements controls designed to safeguard candidate, employee, supplier, company, and client information (collectively, “Information”), which cover secure storage, handling, and secure, encrypted transmission of data.

1.7.1 Encryption

JSG encrypts certain data when it is transferred outside of the company’s protected security enclosure. This includes encryption at rest (such as laptops and mobile devices) and encryption in transit (emails). JSG uses strong industry-standard encryption methods and tools.

1.7.2 Data Security

JSG has implemented controls covering protection against unauthorized laptop access, laptop idle timeout and screen lock, VPN idle timeout, safe storage of physical paper documents, and physical security. JSG has implemented the “Zero Trust Model” and “Need to Know access” concepts to safeguard the data and information.

1.8 PHYSICAL SECURITY

JSG has implemented physical security controls in JSG facilities, including office suites, entry points, data centers, and storage facilities.

1.8.1 Physical Security

JSG has industry-standard physical security measures in its data centers and offices, including access restrictions, alarms, environmental controls, and visitor management. JSG maintains video surveillance at selected locations on a risk-adjusted basis. JSG’s data centers are protected from environmental hazards and power outages by a number of controls in place.

1.9 SUPPLIER SECURITY

JSG includes information security risk management in JSG’s supplier management process, which covers supplier selection, onboarding, performance monitoring, risk management, and, for select suppliers, periodic reviews of supplier information security processes and procedures.

1.10 CYBER INCIDENT RESPONSE MANAGEMENT

JSG’s cyber incident response management program (IRP) addresses security threats and incidents that have a potential impact on the confidentiality, integrity or availability of information and/or JSG’s technology environment, including contingencies for providing notifications to affected individuals and governing authorities as required by applicable laws and regulations.

1.10.1 Cyber Incident Response Management

JSG has a team responsible for handling cybersecurity threats and incidents that have a potential impact on the confidentiality, integrity or availability of JSG’s information and technology environment. The team maintains JSG’s Cybersecurity Incident Response Plan, which contains procedures for identifying and responding to information security incidents and protocols for escalation when clients are impacted by an information security incident, including notification of data breaches where required by applicable laws or regulations.

JSG has:

  • Procedures for identifying and responding to cybersecurity incidents
  • Protocols for escalation when clients are impacted by a cybersecurity incident
  • Defined an Incident Response Management Team of key JSG executives that provides leadership in response to an incident
  • Established an incident communication team to manage communications with impacted individuals, clients, staff, stakeholders, and suppliers during an incident

Security intelligence and threat information are obtained from third-party intelligence service providers, industry consortia, internal monitoring, as well as public and government sources. Threat-hunting surveillance is conducted across JSG’s infrastructure.

1.10.2 Logging

Security event logging to a centralized security information and event monitoring system is enabled for forensic analysis and surveillance analytics by our information technology division.

1.11 BUSINESS CONTINUITY AND TECHNOLOGY RESILIENCE

JSG has a business continuity program (BCP) and Disaster Recovery Plan for business continuity and disaster recovery (DR). The program covers both business and technology resilience. The main features of the program include dispersed capabilities, near-site recovery, far-site recovery and dispersed recovery.

1.11.1 Business Continuity

JSG’s BCP planning and disaster recovery program is comprised of six key elements:

  • Incident response management,
  • Business continuity requirements,
  • Technology resilience,
  • Business recovery solutions,
  • Assurance and process improvement,
  • Continual assessment.

Each business unit by region aims to have a specific business continuity plan (BCP) and assigned BCP coordinator. JSG conducts periodic resilience impact analyses. Regional leaders may at times need to verify the criticality, recovery time objective (RTO), recovery point objective (RPO), dependencies, and recovery strategies of their core processes. These processes determine the type of assurance needed to record completeness, such as people recovery tests, application failover tests, cyber attack tests, training, and tabletop drills.

1.11.2 Incident Response Management and Emergency Response

Incident response management staff monitor the JSG environment, execute pre-established incident response management procedures and coordinate responses to incidents. Training is performed with periodic tests, drills, and tabletop exercises so that our staff is ready to respond to an actual emergency or incident.

1.11.3 Technology Resilience

JSG has a technology resilience program which aims to:

  • Minimize dependencies on a single location or cloud supplier;
  • Have multiple points of network and telecommunications redundancy;
  • Have regional technology operate independently of critical market applications;
  • Have bi-annual testing; and
  • Allow for secure remote working capabilities.

Continuous improvement is the goal of JSG’s Information Technology and Cybersecurity program. As of the last updated date on this page, to our knowledge, JSG has not had any material data security breaches in the last six (6) years.

Uma Suthan – Vice President, North Amer.