All DRC personnel are trained in security requirements, which include physical building access, employee confidentiality and behavior, data access, network and Internet access, and the safeguarding of client documents and products.
Building Security
All of DRC’s secure facilities are designed to meet the stringent security requirements of large-scale testing programs. We develop, produce, process, and store all materials in an environment secure from access by the general public or unauthorized staff. DRC enforces strict security measures to prohibit unauthorized personnel from gaining access to client materials through either deliberate or unintentional action.
DRC also employs standard security measures at all of our scoring facilities. We limit access to scoring centers to staff and visitors accompanied by authorized staff. We require readers to sign legally binding confidentiality agreements before work begins, and readers are aware that no scoring materials are to leave the centers. To prevent the unauthorized duplication of secure materials, readers are unable to print from their imaging stations.
Computing Environment Security
DRC employs security controls relating to our hardware, data, and network connections. We manage more than 200 terabytes of client data; therefore, security is an inherent, inextricable, and indispensable component of our system. Three specific areas of computing security are summarized here.
- Internal Computer Security: Network access to client data is tightly restricted. Using current security best practices, DRC denies all access to sensitive data and then grants access to only selected staff. We audit network accounts quarterly and require unique, complex passwords that change every 60 days.
- External Computer Security: DRC has secured our internal network through the use of firewalls, protecting company resources from unauthorized external access. Websites containing sensitive material require public-key cryptography security through Secure Sockets Layer (SSL) connections. Our intrusion detection system allows DRC to detect possible infiltration or denial of service attacks and take appropriate actions before a security breach occurs.
- Computer Virus Protection: DRC has an extremely aggressive virus scanning solution. Our virus scanning software packages automatically update virus definitions daily to protect email, server operating systems and network storage systems, workstations, removable media, and Internet file transfers.
DRC’s Survey Services business unit has been audited and received Certification and Accreditation under the Federal Information Security Management Act (FISMA) through the U.S. Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). DIACAP is the new process by which systems are certified as meeting a set of stringent security requirements and then accredited for operation by a designated Department of Defense official.