
HORIBA Instruments Incorporated (HII) has successfully maintained the internationally recognized ISO 27001:2013 Standards Certification since 2022, demonstrating our commitment to information security and data protection. The associated risk management and controls ensure the CIA (Confidentiality, Integrity, and Availability) of sensitive data.
ISO 27001:2013 — HII, Irvine, CA (HQ), covering all Fields and Shared Services
Encryption is a crucial part of HII's information security strategy, enhancing data protection and maintaining strong security. HII ensures data confidentiality through encryption by making sensitive data unreadable to unauthorized users and reducing the risk of data breaches. Encryption also ensures data integrity by detecting unauthorized alterations and verifying data authenticity. It protects data residing on servers and storage devices through full-disk or file-level encryption and safeguards data in transit using protocols like SSL/TLS and VPNs.
Implementing robust application access controls is essential for maintaining system and data security at HII. Key methods used by HII include Single Sign-On (SSO), which streamlines authentication and reduces credential management burdens, and Multi-Factor Authentication (MFA), which enhances security by requiring multiple verification forms. HII enforces “least privilege access”, granting users only the necessary access rights for their roles, and utilizes Privileged Access Management (PAM) systems to secure privileged accounts and manage passwords via vault systems. Endpoint Protection Management (EPM) restricts privileged access on all endpoints. The Infosec team regularly reviews access control policies to address evolving threats, and user education reinforces security best practices.
Physical security is vital for protecting both employees and information at HII. Each site adheres to our physical security standards with controlled entry and exit points and maintains and reviews logs regularly. Facility Managers issue and deactivate access cards, conduct monthly Physical Access Reviews, and monitor security cameras. Employees undergo Information Security Training, which includes physical security measures such as preventing tailgating, restricting recording devices, and keeping workspaces free of confidential information. Elevated security is enforced in sensitive areas like server rooms and labs, with restricted access and photography prohibited.
Data backup and recovery are essential components of HII's information security strategy to protect against data loss, ensure business continuity, and maintain a strong security posture. A solid recovery plan minimizes downtime and enables data recovery after incidents such as cyberattacks, hardware failures, or natural disasters. Regular backups protect data integrity and availability, with verification drills conducted to ensure reliability and accurate restoration. By incorporating secure offsite locations, HII safeguards data against localized incidents like fire or flooding, ensuring critical business operations can continue during and after an incident.
HII's Vulnerability Assessment and Penetration Testing (VAPT) process includes asset classification, reconciliation, and prioritized vulnerability analysis and mitigation. We prioritize remediation based on the criticality of the vulnerability and the asset classification. We conduct regular vulnerability assessments and penetration testing to discover weaknesses. VAPT results are shared with stakeholders, highlighting vulnerabilities and mitigation recommendations. Prompt patching and verification of fixes complete the process, ensuring effective risk mitigation. HII's security experts also keep themselves up-to-date on the latest security trends.
HII's general system design principles for ensuring information security involve gathering requirements, conducting a security design review, implementing secure development practices, assessing infrastructure and applications, deploying the systems, and maintaining continuous monitoring and improvement.
A Business Continuity Plan (BCP) is crucial for HII's information security, ensuring that critical business functions continue during and after a disaster. HII has developed site-specific BCPs due to multi-site operations, focusing on maintaining the availability of critical services and minimizing operational downtime. The BCPs include detailed disaster recovery plans for quickly restoring IT systems, data, and infrastructure, and integrating backup and recovery processes to ensure data integrity. Compliance with legal and regulatory requirements is coordinated by the legal team. The plan enhances incident management response by defining clear roles and responsibilities and ensuring effective team actions during disruptions. Additionally, proactive defense measures are implemented, anticipating potential security incidents and preparing responses, with regular tests and drills to improve BCP effectiveness and ensure continuous improvement.
Security Incident Management is a critical component of HII's information security strategy, providing structured processes and tools for detecting, responding to, and recovering from security incidents. HII Employees have multiple avenues to report incidents, which are continuously monitored to ensure rapid detection and response. Quick identification and ease of reporting minimize the time attackers can remain undetected, with a two-tier response for immediate resolution and permanent fixes following detailed root cause analysis. The approach aims to contain incidents to prevent the spread and minimize damage. Thorough analysis, documentation, and knowledge sharing from incidents drive continuous improvement in security measures and response strategies.
Server monitoring and alert methods are integral to HII's operations. By actively monitoring server activity and setting up alerts for unusual behavior, HII reduces the risk of unauthorized access or malicious activities. Regular monitoring ensures the stability and integrity of server hardware and software by detecting issues early and allowing for prompt corrective actions, preventing downtime and data loss. Alerts enable proactive responses to potential security threats or operational issues, maintaining a robust and secure IT infrastructure.
HII's background check program is an important aspect of its information security strategy for managing and protecting sensitive information. The HR team verifies the integrity and reliability of potential employees to ensure they have a history of trustworthy behavior, reducing the risk of insider threats. By integrating background checks into HII's hiring process, we strive to create a secure and trustworthy environment for managing sensitive information.
Training is a critical aspect of HII's onboarding process. Employees and consultants are required to take annual Infosec Awareness Training, and new employees and consultants must complete the training as part of their onboarding requirements. Additional specialized information security training is provided for onboarded IT staff.
HII employee separation or change of employment is governed by HR procedures. Through automated processes, HR informs the IT team and the Facilities team to revoke network access, application access, and building access. Asset Management procedures are invoked to ensure the proper handling of assets, including wiping information and recording asset ownership changes.
Supplier risk assessments play a crucial role in HII's information security, helping to identify, evaluate, and mitigate risks associated with third-party vendors. HII evaluates the risk profile of any new vendor that requires access to employee Personally Identifiable Information (PII), confidential or highly confidential data, network access, unescorted physical access, or that provides software development services/products. These assessments are an integral part of our information security strategy, ensuring resilience and integrity within the supply chain.