Talent Assessment Platform™
We are committed to providing a secure environment, maintaining the confidentiality, integrity, and availability of customers’ information, and protecting their valuable business assets and applications.
Formal Information Security Program
eSkill delivers its clients a high level of security and confidence that is unmatched in the industry. A public version of our formal information security program is available on request.
Compliance
We conduct scheduled internal and third-party audits to ensure the confidentiality, integrity, and availability of customer data.
eSkill Privacy
One of our biggest priorities is to provide clients with a secure and rewarding online experience. For more information, please read our privacy policy.
Data Protection
The eSkill Talent Assessment Platform™ encrypts data transmitted over public networks, and data is accessible only by vetted, authorized parties.
Data Center
Our cloud platform is built on a high-availability architecture with no single point of failure and is hosted in multiple AWS data centers in different geographic locations.
Application Security
eSkill’s product teams are required to deliver security by design in all applications by including threat modeling, inline and continuous security scanning, monitoring, and mandatory security reviews.
Network Security
We ensure that sensitive data is protected by implementing security best practices such as hardened router configurations, network segmentation, and active vulnerability assessments.
Host Based Security
eSkill uses a standardized build for every type of server in its architecture to disable unnecessary default user IDs, close potentially dangerous services and ports, and remove unnecessary processes.
Vulnerability Management
We regularly test application code, conduct regular third-party assessments, and scan networks and systems to check for security vulnerabilities.
eSkill Personnel
All candidates undergo background checks before they are hired and are provided regular training on security policies and procedures based on Open Web Application Security Project (OWASP) standards.
Disaster Recovery
The eSkill Talent Assessment Platform™ maintains SOC 2 Type II certification, which requires the implementation of a formal disaster recovery plan (DRP) that includes annual testing.
Validation
We conduct a statistical validation study and job analysis on every pre-employment test to ensure it is relevant to the job requirements and free of bias. Please read our Validation Report to learn more.
EEOC
Our employment assessments meet and uphold EEOC regulations and comply with the anti-discrimination requirements of the ADA and ADEA. Please review our EEOC compliance guidelines to learn more.
Talent Assessment Platform™
We recognize the importance of maintaining the confidentiality, integrity, and availability of our customers’ information and of protecting their valuable business assets and applications. This Security and Trust Assurance Packet reflects our commitment to providing a secure environment and adopting effective security standards that align with industry best practices in the areas of security and service management.
With the use of a variety of reliable security technologies as well as a unique combination of trained personnel, mature business processes, and regular third-party audits measured against several international and U.S. standards, the eSkill Talent Assessment Platform™ delivers a high level of security and confidence that is unmatched in the industry.
This document describes each layer of this assurance approach to provide an overview of the compliance, data protection, and cybersecurity that the eSkill Talent Assessment Platform™ provides.
While open to sharing information with clients, eSkill asks companies and entities who are not yet clients to sign a non-disclosure agreement before making detailed inquiries about eSkill Talent Assessment Platform™ services.
Formal Information Security Program, Policies and Procedures
eSkill offers a public version of our formal information security program.
Compliance
To assure that clients’ data confidentiality, integrity, and availability are maintained, we conduct multiple internal audits and third-party audits. The written results are available upon request.
The eSkill Talent Assessment Platform™ also undergoes periodic external scans, and the results are available on request.
The following table shows the types of audits and scans, plus the frequency at which they are conducted.
Audit | Type | Frequency |
---|---|---|
Secure SDLC | Internal | Continuous |
Risk Assessment | Internal | Annual |
NIST and ISO 27001 Control Review | Internal | Continuous |
ISO 27001 Statement of Applicability | External | Annual |
Vulnerability Scanning | Internal | Quarterly |
Vulnerability Assessment | External | Quarterly |
Penetration Testing | External | Annual |
SOC 2 Type II | External | Annual |
Privacy
Our privacy policies and practices can be found at:
Privacy Product Features
By configuring Data Retention, clients can simplify their compliance with data privacy regulations by removing data. Removal involves anonymizing, deleting, or obfuscating the data. eSkill’s Assessment Platform logs read and change access to personal data fields for internal use, to meet GDPR requirements.
Third-Party Providers
Before third-party providers are approved to offer parts of eSkill Talent Assessment Platform™ services, they must go through a formal vendor risk management program review to confirm and monitor that they provide an adequate level of security and comply with relevant data protection requirements. The eSkill Talent Assessment Platform™ collects only the minimum necessary personal data and uses it only for agreed-on purposes.
Data Protection
Privacy is important to eSkill. We have a comprehensive privacy program that is overseen by our Data Protection Office (DPO). Our DPO actively monitors our compliance with GDPR and other privacy regulations. If you have any questions about our privacy practices, please reach out to your eSkill CSM or representative.
We have established the following safeguards for personal information protection:
- Data is encrypted when transmitted over public networks.
- Personal Information may be anonymized at the request of the customer.
- Data is accessible only by vetted, authorized personnel.
- Client data is prohibited from being stored on eSkill workstations and mobile devices.
Data in motion
- Web Browser User Sessions – TLS 1.1 & 1.2 (and above if available).
- Webservice APIs – TLS 1.2+.
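The two floors above (TLS 1.1 and up for browser sessions, TLS 1.2 and up for webservice APIs) are a policy; the added example below, which is not eSkill's code, shows the policy applied in two places a practitioner would want it: building an `ssl.SSLContext` that refuses handshakes under the floor, and auditing load-balancer handshake logs for anything that slipped under it. The surface names, the log line format and the sample log lines are constructed assumptions.

```python
"""Minimum-TLS-version policy enforced in a server context and audited in logs.

Assumptions (not from the eSkill page): the surface names 'browser' and
'api', the key=value log line format, and the sample log lines below.
"""
import re
import ssl

# Policy floor per surface.  The values follow the page: browser sessions
# accept TLS 1.1 and above, webservice APIs require TLS 1.2 and above.
POLICY = {
    "browser": ssl.TLSVersion.TLSv1_1,
    "api": ssl.TLSVersion.TLSv1_2,
}

# How the version appears in the (constructed) log format -> ssl enum value.
# ssl.TLSVersion is an IntEnum, so newer versions compare greater.
LOG_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

LOG_RE = re.compile(
    r"surface=(?P<surface>\w+) client=(?P<client>\S+) tls=(?P<tls>TLSv1(?:\.\d)?)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z surface=api client=203.0.113.10 tls=TLSv1.2",
    "2024-05-01T10:00:01Z surface=api client=203.0.113.11 tls=TLSv1.1",      # below API floor
    "2024-05-01T10:00:02Z surface=browser client=198.51.100.7 tls=TLSv1.1",  # allowed for browsers
    "2024-05-01T10:00:03Z surface=browser client=198.51.100.8 tls=TLSv1",    # below browser floor
    "2024-05-01T10:00:04Z surface=api client=203.0.113.12 tls=TLSv1.3",
]


def make_server_context(surface):
    """Server-side context whose minimum_version is the policy floor for the surface.

    OpenSSL then rejects any ClientHello that cannot negotiate at least that
    version, so the floor is enforced at the handshake, not in application code.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = POLICY[surface]
    return ctx


def below_floor_handshakes(lines):
    """Return (surface, client, version) for every handshake under its surface's floor.

    Lines that cannot be parsed, name an unknown surface, or carry an unknown
    version are reported as findings too: an audit that silently drops what it
    does not understand is the usual way a weak handshake goes unnoticed.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            findings.append(("unparsed", line.strip(), None))
            continue
        surface, client, tls = m.group("surface", "client", "tls")
        floor = POLICY.get(surface)
        version = LOG_VERSION.get(tls)
        if floor is None or version is None or version < floor:
            findings.append((surface, client, tls))
    return findings


if __name__ == "__main__":
    for surface in POLICY:
        print(surface, "floor:", make_server_context(surface).minimum_version.name)
    for finding in below_floor_handshakes(SAMPLE_LOG):
        print("below floor:", finding)
```

The audit deliberately treats an unrecognised surface or version string as a finding rather than skipping it, so a change in the log format surfaces as noise in the SIEM instead of as silence.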
Data Center
The eSkill Talent Assessment Platform™’s cloud platform is based on a high-availability architecture with no single point of failure. It is hosted at AWS data centers in two different geographical locations.
For compliance details on specific data center platforms, please visit
AWS: https://aws.amazon.com/compliance/
Application Security
We have implemented a secure software development lifecycle (secure SDL) and require our product teams to use security training, tools, and processes that are in alignment with the Open Web Application Security Project (OWASP) and NIST.
These guidelines include secure coding implementation in application architecture, authentication, session management, access controls and authorization, event logging, and data validation.
Required processes for product teams include threat modeling, inline and continuous security scanning and monitoring, and mandatory security reviews that enable product teams to deliver security by design.
The eSkill Talent Assessment Platform™ integrates static, interactive, and dynamic security testing into its secure SDL.
Applications and services are designed so that only authorized users can perform the actions allowed at their privilege level. Access to protected resources is decided on role or privilege level, which also prevents privilege escalation attacks.
Role-based Access
- User roles can be defined both at the group level and at the user level.
- User roles can be used to adhere to Segregation of Duties (SoD).
- User and group access can be defined down to the assessment level.
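The three bullets above describe a role model with two grant levels (group and user) and two scopes (all assessments or one assessment), plus a Segregation of Duties requirement. The added example below, written for this page and not eSkill's code, implements such a model with a deny-by-default permission check and an SoD audit; the role names, permission map, conflict pair and sample users are constructed assumptions, not eSkill's actual role definitions.

```python
"""Role-based access scoped to the assessment level, with an SoD check.

Assumptions (not from the eSkill page): the role names, the permissions each
role carries, the SoD conflict pair, and the sample users and groups.
"""
from collections import defaultdict

ALL = "*"  # wildcard scope: a grant that applies to every assessment

# Hypothetical permission map: role -> actions it allows.
ROLE_PERMISSIONS = {
    "viewer": {"view_results"},
    "test_author": {"view_results", "edit_test"},
    "score_approver": {"view_results", "approve_scores"},
    "admin": {"view_results", "edit_test", "approve_scores", "manage_users"},
}

# Hypothetical SoD rule: nobody may both author a test and approve its scores
# on the same assessment.
SOD_CONFLICTS = [("test_author", "score_approver")]


class AccessPolicy:
    def __init__(self):
        self._groups = defaultdict(set)        # user -> {group}
        self._group_grants = defaultdict(set)  # (group, scope) -> {role}
        self._user_grants = defaultdict(set)   # (user, scope) -> {role}

    def add_member(self, user, group):
        self._groups[user].add(group)

    def grant_group(self, group, role, scope=ALL):
        """Group-level grant, for all assessments or for one assessment id."""
        self._group_grants[(group, scope)].add(role)

    def grant_user(self, user, role, scope=ALL):
        """User-level grant, for all assessments or for one assessment id."""
        self._user_grants[(user, scope)].add(role)

    def effective_roles(self, user, assessment):
        """Union of group-level and user-level roles that apply to this assessment."""
        roles = set()
        for scope in (ALL, assessment):
            roles |= self._user_grants.get((user, scope), set())
            for group in self._groups.get(user, ()):
                roles |= self._group_grants.get((group, scope), set())
        return roles

    def is_allowed(self, user, action, assessment):
        """Deny by default: allow only if some effective role permits the action."""
        return any(
            action in ROLE_PERMISSIONS.get(role, ())
            for role in self.effective_roles(user, assessment)
        )

    def sod_violations(self, user, assessments):
        """(assessment, role1, role2) wherever the user holds a forbidden role pair."""
        violations = []
        for assessment in assessments:
            roles = self.effective_roles(user, assessment)
            for r1, r2 in SOD_CONFLICTS:
                if r1 in roles and r2 in roles:
                    violations.append((assessment, r1, r2))
        return violations


def build_sample_policy():
    """Constructed sample: a hiring team with per-assessment individual grants."""
    p = AccessPolicy()
    p.add_member("alice", "hiring-team")
    p.add_member("bob", "hiring-team")
    p.grant_group("hiring-team", "viewer")                   # every assessment
    p.grant_user("alice", "test_author", scope="asmt-101")   # one assessment only
    p.grant_user("bob", "score_approver", scope="asmt-101")
    p.grant_user("bob", "test_author", scope="asmt-202")
    p.grant_user("bob", "score_approver", scope="asmt-202")  # SoD conflict on asmt-202
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print("alice edit asmt-101:", policy.is_allowed("alice", "edit_test", "asmt-101"))
    print("alice edit asmt-202:", policy.is_allowed("alice", "edit_test", "asmt-202"))
    print("bob SoD violations:", policy.sod_violations("bob", ["asmt-101", "asmt-202"]))
```

Scoping a grant to one assessment id means the same user can be an author on one assessment and only a viewer on another, which is what "down to the assessment level" requires; the SoD audit runs over effective roles, so a conflict introduced through a group grant is caught as well as one granted directly.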
Network Security
The eSkill Talent Assessment Platform™’s network architecture ensures that sensitive data is protected through best business practice security policies and procedures.
Hardened router configurations. Router configurations correctly route packets to their proper destinations and restrict traffic. Access Control Lists (ACLs) on the front-end routers stop common attacks.
Network segmentation. Our segmented network architecture prevents direct public contact or connection to the eSkill Talent Assessment Platform™’s private network segment.
Front-end load balancers. Access to eSkill Talent Assessment Platform™ services is managed with redundant load balancers. These provide a variety of functions, including TLS session termination, load balancing, network address translation (NAT), and port address translation (PAT).
Distributed denial-of-service (DDoS) protection. A service protects the availability of eSkill Talent Assessment Platform™ services, even when they are under a distributed denial-of-service (DDoS) attack.
Activity log aggregation. Log activities from network devices and systems are aggregated through an activity log collection system. Logs are fed to a SIEM, where alarms are generated for those events that warrant immediate attention.
Proactive monitoring. Security and Risk Management continuously monitor industry communities for news of security alerts, as well as vendor and partner security changes that may affect Information Services and the eSkill Talent Assessment Platform™’s product line. Information Services has 24/7 automated monitoring with backup personnel.
Active vulnerability assessment. Security scans of applications and infrastructure are routinely performed by approved third-party assessment vendors, security engineers, and through the use of internal scanning appliances (see table of audits and scans above). These scans check for vulnerabilities in both our external (public facing) web applications and our internal (private) networks. Discovered vulnerabilities are managed through eSkill’s vulnerability and patch management program, and the risk is treated per eSkill’s risk management program.
VPN. eSkill personnel use a best-in-class VPN when connecting and processing from outside the trusted network. The VPN secure tunnel offers Internal Operations personnel highly secure remote connectivity to perform after-hours maintenance or troubleshooting. Multifactor authentication is required for all employees who have direct access to the eSkill Talent Assessment Platform™’s production systems.
Digital certificates and TLS. We use web server digital certificates to verify the authenticity of all client sites and to encrypt all web traffic between clients and servers.
Host Based Security
Information Services employs a hardened, approved, and standardized build for every type of server used within the infrastructure. This procedure disables unnecessary default user IDs, closes unnecessary or potentially dangerous services and ports, and removes processes that are not required.
Servers are built, scanned for vulnerabilities, and remediated before being deployed to production. This process is repeated every 30 days, with servers being rebuilt from scratch.
All patches are tested using a standard process to ensure proper functioning within the operating environment before they are applied to the servers.
The same process is used for the eSkill Talent Assessment Platform™ data centers. We control the server builds, and dedicated engineers continually update, optimize, and secure the standard build procedures while adhering to industry best practices and regulatory requirements.
Database storage-area-network (SAN) cluster. eSkill databases are stored on a fully redundant SAN. Drives are configured with RAID for all tiers of storage, and each segment of data has, at a minimum, two standby drives that are used automatically in the event of a drive failure. Database servers use N+1 clustering to prevent downtime in the event of a server failure.
Centralized logging. Events from all systems are collected and aggregated, and alerts are sent, via a centralized log collection engine (SIEM) that is monitored by eSkill’s Security Operations Center.
Standard change control process. Any changes to the eSkill Talent Assessment Platform™’s infrastructure must pass a strict Change Control Process to ensure best practices and minimal service interruption for our clients.
Security information and event management. eSkill receives real-time alerts for a variety of activities that may indicate malicious activity.
Vulnerability Management
We regularly test application code and scan the network and systems for security vulnerabilities. Third-party assessments are also conducted regularly (see table of audits and scans above), including:
- Application vulnerability threat assessments
- Network vulnerability threat assessments
- Selected penetration testing and code review
- Continuous integrated application security testing of each release
- 24×7 advanced scanning of all services
- Security control framework review and testing
Be assured that eSkill is not impacted by the Log4j vulnerability. We will continue to provide important updates as our evaluation of the vulnerability’s impact on our products and services develops. If you have any additional questions or concerns, please contact us.
eSkill Employees
Background checks are performed on all employees before hiring, including education, past employment, criminal record, and other checks according to local laws and requirements.
Employees are provided with regular training on security policies and procedures, including company policies and procedures, corporate ethics and business standards, and secure development training based on OWASP. Completion of security training is tied to system access.
Regular updates are released and periodic performance appraisals are performed to ensure employees’ knowledge of company security policies and procedures is current.
Disaster Recovery
Disaster Recovery, Business Continuity and Incident Response
eSkill maintains a comprehensive continuity of operations strategy complete with tactical playbooks for Disaster Recovery, Business Continuity and Incident Response.
The eSkill Talent Assessment Platform™ uses a high-availability architecture to ensure that service performance continues to meet client expectations in the event of a failure.
Services are hosted at Tier 3+/Tier 4 co-location facilities that were built using a “fortress” approach: core services, telecom, and power are diversely supplied to the building, and physical access is managed through state-of-the-art technology. These facilities are audited annually by a third party.
The eSkill Talent Assessment Platform™ also maintains SOC 2 Type II, which requires the production, maintenance, and testing of a Disaster Recovery Plan (DRP). The current DRP is a formal procedure for recovering the entire application in the alternate data center. The DRP is tabletop tested annually, and eSkill also performs disaster simulations to test failover to the secondary data center.
In addition, real-time data replication is performed between the production data center and the disaster recovery center.
Objective | Value |
---|---|
Recovery Point Objective (RPO) | 24 hours in the event of a total disaster; otherwise 10 minutes |
Recovery Time Objective (RTO) | 2 hours |