Data Security

Introduction

Purpose

The security of data is important to us. This data security information is intended to answer as many questions as possible about the security, reliability, and availability of DDI’s applications and data processing systems. This document outlines the flow of data for DDI technology-based solutions and addresses the security measures that we have taken to protect each part of the process.

To receive alerts when changes are made to this page subscribe to our Trust Center.


DDI: Who We Are, What We Do

Founded in 1970, Development Dimensions International (DDI), a global human resource consulting firm, helps organizations close the gap between today’s talent capability and future talent needs. DDI’s expertise includes designing and implementing selection systems and identifying and developing front-line to executive leadership talent. For more information about DDI visit http://www.ddiworld.com.

DDI’s Approach to Data Security

Today’s talent management environment requires the processing of electronic records. Application functionality depends on information storage and transfer across DDI networks and the Internet. Appropriate security is essential and is fully integrated with application functionality and processes. DDI maintains a consistent security framework with appropriate privacy standards within which system applications and user populations leverage information within various business contexts. DDI employs a multi-layered approach to Information Security as it relates to the protection of user data (including candidate, participant, learner, administrator, and customer information) and prevention from unauthorized access, alteration, or destruction. Our policies and processes are designed to:

DDI is committed to operating our businesses in a manner that fosters confidence and trust, which includes the proper use and management of personal data provided to us by our colleagues, customers, and suppliers.

Security Governance

To ensure data integrity, DDI has resources, policies, and processes dedicated to data protection, including a Data Security and Compliance Office and Data Protection Officer, who routinely monitor global standards. 

DDI’s Data Protection Officer (DPO) sets and enforces the vision and strategy for the company’s security and compliance program, with the goal of global consistency, ascertaining that risks are managed appropriately, and objectives are achieved.

Security in Partnership

The security and confidentiality of our customers’ data is a shared responsibility between DDI and our customers. DDI provides a secure platform on which customers can access and leverage their data. In addition, DDI provides tools, services, support, and resources that enable our customers to ensure the security of their data throughout the lifecycle of the engagement. See DDI’s Privacy Statement.

Customers are jointly responsible for the security of their data during and after their engagement with DDI. Customers must understand what data is being collected and held within DDI systems and define the appropriate data sharing policy to ensure that data is shared with only those who are authorized to access it. The data sharing policy should align with risk and compliance requirements that correlate to the importance and classification of that data.

DDI’s Role as a Data Processor

DDI clients operate as the “Data Controller” and DDI functions as the “Data Processor” pursuant to the General Data Protection Regulation (GDPR) and the EU Standard Contractual Clauses (Model Clauses). See DDI’s Privacy Statement.

Data Protection Regulations

DDI is headquartered in the United States and serves customers globally. It has adopted mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU data protection regulations, including self-certification under the EU-US Data Privacy Framework (DPF), EU Standard Contractual Clauses (Model Clauses), and end-user consent. DDI’s certification under the DPF may be viewed at https://www.dataprivacyframework.gov/. DDI maintains compliance with all applicable data security and data privacy regulations. For more information, please see DDI’s Privacy Statement on DDIWorld.com. If you have questions about regulatory applicability, contact DataProtectionOfficer@ddiworld.com.

Third Party Providers

DDI utilizes third party providers for the provisioning of our Services to you as described in our agreements. All third-party providers are required to comply with DDI’s data processing, protection, and security standards.

For a list of our current sub-processors please see https://www.ddiworld.com/thirdpartyproviders

Data Classification

DDI classifies personal data we collect and process into four categories, each requiring specific actions to ensure security. Data collected is reviewed on a periodic basis and classified according to its use, sensitivity, and importance. 

Technical and Organizational Measures

Many of our key Technical and Organizational Measures (TOMs) for data security and integrity are listed below. Additional details for these and other controls are described later in this document.

Control | DDI Uses
Cloud
  • DDI utilizes a variety of cloud-based, GDPR compliant platforms
Data Privacy and Security Awareness Training
  • DDI conducts regular training for DDI associates to learn about data privacy, confidentiality, and security best practices
  • DDI sends regular mock scam emails to teach end users to recognize and avoid phishing attacks, social engineering traps, malicious links, and downloads
Internal Business Applications
  • DDI uses sub-processors for general business operations including Microsoft Office 365, Microsoft Dynamics for customer relationship management, Oracle for accounting and invoicing, and Paylocity for online recruitment services.  These sub-processors only process business contact information. 
Network Security
  • Managed anti-virus on all components
  • Application-layer firewall
  • Dual redundant multi-segmented network-layer firewalls
  • Physical and logical network separation of each tier
Infrastructure Redundancies
  • Microsoft Azure datacenters provide fully redundant platforms 
  • Hosted in primary and secondary Azure Datacenters 
  • Load balancing for application redundancy
  • “Hot-spares” for all essential network production equipment.
Monitoring and Intrusion Detection
  • Intrusion detection on all network segments
  • 7x24 monitoring, detection, and alert of malicious activity
  • 7x24 monitoring, detection, and alert of system anomalies
  • Regular log review.
Infrastructure Access Controls
  • Least-Rights-Necessary access model
  • Configurable session inactivity timeouts
  • Encrypted passwords
  • Strong password policy for privileged accounts and servers
Independent Audit
  • Annual data processing and financial systems audit
  • Third party certification of controls and processes including ISO27001:2013
QA & Testing
  • Separate QA & testing platforms
  • Gated code promotion strategy
  • Automated and “white box” QA testing processes
Authentication & Authorization
  • Role-based
  • All application traffic is served over HTTPS (TLS)
  • Supports SAML Single Sign-On (SSO)
Platform Availability, Stability & Performance (ASP)
  • Highly scalable virtualized platforms
  • End-user experience monitors for application performance
Vulnerability Assessment
  • Annual infrastructure vulnerability scans
  • Quarterly Application Penetration Assessment (APA)


Infrastructure Controls

Hosting Environment

DDI Services are hosted on Microsoft Azure (https://azure.microsoft.com). Microsoft data centres securely house the physical resources and infrastructure used to provide cloud solutions. Microsoft owns, operates and maintains all its physical data centres. All services are hosted in redundant US-based Azure datacenters.

Microsoft Azure cloud services operate with a cloud control framework, which aligns controls with multiple regulatory standards. Microsoft designs and builds cloud services using a common set of controls, which streamlines compliance across a range of regulations not only for today, but for tomorrow as well. Microsoft engages independent auditors to perform in-depth audits of the implementation and effectiveness of these controls.

Microsoft Azure is ISO/IEC 27001 and ISO/IEC 27017 certified. Audit reports, including SOC 1 and SOC 2, are available at https://servicetrust.microsoft.com

DDI’s cloud supervision processes, tools, and technologies provide organized oversight, control, administration, and maintenance of cloud computing infrastructure, services, and resources. These processes, tools, and technologies are owned by the Director of Global Technology Services and Information Security in partnership with the Director of DevOps. Supervisory tools cover both infrastructure and product-based setups. Supervision allows DDI administrators to maintain control, visibility, and scalability while adapting rapidly to changes in the cloud landscape. Examples of the critical operations covered are:
  • installation, changes, and deletion of virtualized devices such as servers, networks and storage;
  • termination procedures for cloud service usage;
  • backup and restoration.

DDI maintains a detailed Disaster Recovery plan for restoring business service in the event of a large-scale system failure. This plan is updated as any changes are made to the system infrastructure or production web farm configuration and is tested on an annual basis.

Applicable Certifications/Standards

SSAE-18

DDI only stores data in data centers that receive independent, favorable annual SOC 1 Type II attestation reports under the Statement on Standards for Attestation Engagements (SSAE) No. 18, the standard that replaced the older SAS 70 Type II audit.

ISO 27001 / ISO 27701 

DDI only uses data centers that have demonstrated their adherence by periodic assessments and annual certification.   

DDI maintains its own ISO27001 certification and is audited annually. DDI also maintains its own ISO27701 certification audited annually. 

SOC 1/ SOC 2

DDI has completed a SOC 2® Type 1 audit as of September 30, 2023 covering the Pinpoint platform.

DDI hosts all services in datacenters that have been audited for SOC1 and SOC2.

Server Hardening

DDI’s servers provide a wide variety of services to both internal and external users, and some servers store or process information that may be considered sensitive or confidential in nature. Given the fact that servers can be targeted for attack, it is critical that DDI servers are secured appropriately. DDI’s process of enhancing server security includes the following measures:

For security reasons, we cannot provide all details of our server security controls.

Patch Management

High impact patches are defined as patches that protect against a security risk with the potential to significantly impact our network at, or before, the time the patch is released. DDI’s IT team distributes these patches to all devices immediately after testing the patch on our test platforms. Distribution will occur no later than 24 hours after identification.

Medium or Low impact patches are defined as patches that will protect against a future security risk. DDI distributes these patches to all devices after testing of the patch on our test platforms and testing with a control group of users. Distribution will occur no later than 2 weeks after testing is complete.

Backup, Retention and Archiving Procedures

Data is backed up incrementally every night so that all application and client data is preserved and can be restored after any loss of data or catastrophic event. Hot backups are written directly to fast-access (hot) tier cloud storage and then transferred to archive tier cloud storage. Daily backups are stored in the hot tier for two weeks; weekly full backups are stored in the archive tier for one month; monthly full backups for one year; and yearly full backups for five years. Backups in both the hot and archive tiers are encrypted with AES-256.

All backup data is stored in a zero-trust cloud provided by Commvault Cloud. Rotation of backups into archive tier storage is handled automatically by the Commvault software.

If a recovery is necessary, DDI system engineers begin restoring the file, data, or system state from the online backup system immediately. Depending on the size of the data set, a system or database recovery can be completed in minutes or may take several hours.

Backup Schedules and Data Retention

· DB Server Backups: transaction log backups taken every 15 minutes and retained for 1 day (hot tier cloud storage); incremental backups retained for 3 days (hot tier cloud storage)

· File Servers and Production VMs: Retained for 14 days in hot tier cloud storage

· Office 365/SharePoint Online: Deleted items retained for 5 years in cloud storage

· Weekly Copy: Retained for 1 month in archive cloud storage

· Monthly Copy: Retained for 1 year in archive cloud storage

· Yearly Copy: Retained for 5 years in archive cloud storage
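As an added example (not DDI’s or Commvault’s code), the following Python script checks a backup catalog against the schedule above: it flags copies older than their retention period (which should already have been expired), copies still sitting in the hot tier that should have rotated to archive, and calendar days in the 14-day daily window with no nightly copy (a failed job). The catalog is constructed sample data, and treating “one month” and “one year” as calendar months is an assumption the page does not state.

```python
from datetime import date, timedelta

# Retention from the schedule above. "One month" and "one year" are taken as
# calendar months here; the page does not define the arithmetic (assumption).
RETENTION_DAYS = {"db-log": 1, "db-incremental": 3, "daily": 14}
RETENTION_MONTHS = {"weekly": 1, "monthly": 12, "yearly": 60}
EXPECTED_TIER = {
    "db-log": "hot", "db-incremental": "hot", "daily": "hot",
    "weekly": "archive", "monthly": "archive", "yearly": "archive",
}


def months_ago(d, n):
    """Same calendar day n months before d, clamped to that month's last day."""
    total = d.year * 12 + (d.month - 1) - n
    year, month0 = divmod(total, 12)
    month = month0 + 1
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def retention_cutoff(kind, today):
    """Oldest 'taken' date a copy of this kind may still have on 'today'."""
    if kind in RETENTION_DAYS:
        return today - timedelta(days=RETENTION_DAYS[kind])
    return months_ago(today, RETENTION_MONTHS[kind])


def audit_catalog(catalog, today_iso):
    """Check a backup catalog against the schedule.

    catalog: list of {"id", "kind", "taken" (ISO date), "tier"} entries.
    Returns copies older than their retention (should have been expired),
    copies in the wrong storage tier (never rotated to archive), and days in
    the 14-day daily window with no daily copy (a failed nightly job)."""
    today = date.fromisoformat(today_iso)
    findings = {"expired": [], "wrong_tier": [], "missing_daily": []}
    have_daily = set()
    for entry in catalog:
        taken = date.fromisoformat(entry["taken"])
        if taken < retention_cutoff(entry["kind"], today):
            findings["expired"].append(entry["id"])
        if entry["tier"] != EXPECTED_TIER[entry["kind"]]:
            findings["wrong_tier"].append(entry["id"])
        if entry["kind"] == "daily":
            have_daily.add(taken)
    for back in range(1, RETENTION_DAYS["daily"] + 1):
        day = today - timedelta(days=back)
        if day not in have_daily:
            findings["missing_daily"].append(day.isoformat())
    return findings


def sample_catalog():
    """Constructed sample catalog (not real DDI data) as seen on 2024-03-15."""
    today = date(2024, 3, 15)
    catalog = []
    for back in range(1, 15):
        d = today - timedelta(days=back)
        if d != date(2024, 3, 10):                      # one nightly job failed
            catalog.append({"id": "daily-" + d.isoformat(), "kind": "daily",
                            "taken": d.isoformat(), "tier": "hot"})
    catalog += [
        {"id": "daily-2024-02-20", "kind": "daily", "taken": "2024-02-20", "tier": "hot"},          # past 14 days
        {"id": "weekly-2024-02-20", "kind": "weekly", "taken": "2024-02-20", "tier": "hot"},        # never archived
        {"id": "monthly-2023-03-01", "kind": "monthly", "taken": "2023-03-01", "tier": "archive"},  # past one year
        {"id": "yearly-2019-06-01", "kind": "yearly", "taken": "2019-06-01", "tier": "archive"},    # within five years
    ]
    return catalog


if __name__ == "__main__":
    for key, ids in audit_catalog(sample_catalog(), "2024-03-15").items():
        print(key, ids)
```

Run against a real catalog export, the “expired” list is the evidence that automatic rotation is actually deleting what the policy says it deletes, and “missing_daily” is the check that the nightly job has not silently failed inside the restore window.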

Asset Recovery, Recycling and Disposal

Hardware Recycling/Disposal Procedure

  1. When Hardware has reached its end of life cycle, the hardware is stored in a locked asset room and retained for disposal.
  2. Retired equipment is recycled through an R2 Certified Recycling vendor
  3. DDI receives a Detailed Destruction report of the assets that were recycled for record keeping.

Hard Drive Disposal Procedure

  1. All hard drives, tape media, optical drives, etc. are removed from the hardware and retained for secure bulk destruction at a later date.
  2. For secure data destruction, DDI has contracted recycling vendors who perform a low-level, Department of Defense-approved, 7-pass wipe (DoD 5220.22-M (ECE)).
  3. This process is compliant with HIPAA, FACTA, GLBA, and the requirements for unclassified government material.
  4. Non-functional hard drives will be degaussed.
  5. All data is purged as set forth in NIST Special Publication 800-88
  6. DDI receives and retains a Certificate of Destruction for record keeping.

Network Security

Threat Intelligence 

DDI has established a Security Team of cross-functional associates who specialize in infrastructure and application security to continually enhance its security posture. In collaboration with DDI’s Privacy, Security, and Compliance Office (PSCO) the Security Team gathers, analyzes, disseminates, and responds to information about emerging and potential threats to the security of the organization and its data.  

DDI’s Security Team proactively scans for and considers threat information from various internal and external sources and across the following layers:

The Security Team meets weekly to review and triage alerts from third-party monitoring systems regarding potential and emerging threats and communicate this information to appropriate levels of the organization, depending on scope, urgency, and impact. Outcomes of the triage process are used to determine action items to be addressed, captured within the DevOps system. The Security Team leader informs DDI’s Executive Leadership Team (ELT) of any imminent or active threats that have direct or potential impact on the business and an overview of any thematic or material threats, immediately when appropriate, or regularly on a quarterly basis.

Network Infrastructure

DDI’s services are hosted in a cloud environment using services that provide dependable and scalable acceleration for our application. All incoming requests are load balanced and inspected by a security module, with optional caching. All infrastructure is placed within isolated containers protected by inbound and outbound firewall rules. All traffic is inspected and logged. Strong authentication methods are applied to protect all assets.

Firewalls

Application-layer firewalls are deployed in front of all assets and infrastructure. All firewalls inspect inbound and outbound traffic and log all sessions, and all provide TLS (SSL) decryption, IDPS, and threat intelligence feeds.

Intrusion Detection and Monitoring

DDI uses a comprehensive set of tools that provide continuous, real-time monitoring of every component. DDI employs a managed security services company for security monitoring, firewall management, intrusion detection systems (designed to detect potential threats in real time), and response processes.

DDI employs both host-based and network-based detection systems that are monitored and responded to on a 24x7 basis. DDI IT is notified immediately upon the detection of any anomalies via mobile phone. Weekly reports are provided to DDI for review. Penetration tests are conducted quarterly.

Malware and Anti-Virus Protection

DDI utilizes several monitoring products to monitor network, servers, databases, and web sites. All application and system event logs are monitored as well. The monitoring environment is configured to automatically send alerts to appropriate staff that are on call 24x7. Specific escalation paths to appropriate DDI System Engineers and DBAs exist to help resolve the issue as quickly as possible.

In addition, DDI network monitoring systems periodically conduct complete scans of every active node on the network to ensure that these nodes are properly configured and are running the most current version(s) of the anti-virus and other security-impacting (ex: Hotfixes; service packs; etc.) code.

All appropriate systems (PCs, servers, gateway systems, etc.) are protected by Microsoft Defender anti-virus and “zero-day protection” software that is centrally managed and updated.

All gateways are protected by anti-virus software that is centrally managed and updated, and the email and browsing infrastructure employs content scanning and heuristic scanning techniques to block malware before it reaches users.

Secure Data Transmission and Encryption

DDI uses TLS 1.2 (often still referred to as SSL) for HTTPS application data access. TLS encryption is provided as standard for all DDI applications. All passwords and API keys are stored in encrypted key vaults.

All files (regardless of confidentiality) remain encrypted when copied from a DDI laptop to an external storage device. If the external device is not encrypted, DDI’s Enterprise Encryption Software will automatically encrypt and password-protect the external device.

Email is not considered a secure form of communication; however, DDI does offer the ability to encrypt individual messages when explicitly requested.

Application Security

Data Flow

When using DDI applications, data typically flows between three important parties—end users, client associates/candidates, and DDI.

When an end-user accesses a DDI application, the information they provide is submitted via secure encrypted (TLS) methods. Web data is delivered to the end-user in the form of test/assessment questions, surveys, graphics, and other content included in the DDI application. The data is processed by the application servers and submitted to database servers for storage. Web/application and database servers are located on separate logical and physical networks protected by firewalls.

DDI uses TLS 1.2 for HTTPS application data access, and TLS encryption is provided as standard for all DDI applications. All backup data is stored in a zero-trust cloud using AES-256 encryption at all tiers. Passwords stored in application databases are protected by encryption. All data (regardless of confidentiality) remains encrypted in transit and at rest.

Role-Based Security

Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through the change management process (detailed in later sections) addressing quality assurance, testing, documentation, change scheduling, and other such IT operational “best practices”.

Account Administration and Access

All infrastructure component administration and account management are strictly controlled by DDI. User accounts are automatically locked/disabled after excessive failed login attempts. Server and service accounts are required to have strong passwords containing alphabetic, numeric, and special characters. DDI uses a global remote VPN solution that includes authentication and encryption at an industry standard level.

Access to all data (irrespective of classification) is provided using a “Least Rights Necessary” security model, i.e., granted to those with a legitimate business need such as DDI and authorized client end-users, including participants, administrators as well as various DDI and client support teams. End-users are granted ‘least privileged access’ permissions to effectively and efficiently do their jobs. All administration and account management are strictly controlled by DDI. User accounts are required to have strong passwords and password-protected screen savers. Account access will be automatically disabled after excessive logon failures or termination of employment.

Direct Database Access

Only very select members of DDI’s engineering team have access at a database level. This access is used for creating off-site backups and performing data restorations. This is all done without viewing data.  See Appendix II for additional information.

As part of DDI's Privileged Identity Management (PIM) process, DDI uses the Azure AD Entitlement Management and Azure Identity Governance tools for the administration and monitoring of privileged accounts and their access to sensitive information.  In support of this process, all database access requests must be formally justified and approved.  If approved, access is only granted for a limited duration.

Access to Applications

Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria. System changes are controlled through a best practice change management process.

Access to Application Data

End user Participants are either client or DDI associates who input personal information to a DDI application system in the context of completing an online diagnostic or learning activity (such as an assessment, test, survey, or learning journey).  End user Administrators are system end-users who manage accounts and workflow processes within a DDI application system. Administrators may be either client associates or DDI associates who input personal information on behalf of clients or applicants and may progress them through different process phases. Examples include hiring managers, staff development professionals, and other Human Resources roles.

When a user requests technical support from DDI’s Product Support team, they may grant a support representative temporary access to the account. The support team may need to view an individual user’s data as part of the support incident resolution. Access to the account is limited to the scope of the request and troubleshooting/problem-resolution processes required to provide the end user with appropriate assistance.

Application Penetration Testing

DDI employs a managed services security company to test for “dynamic vulnerabilities” such as logic flaw problems, unpublished exploits, and other risks specific to the application environment, which also tests for known and published or “static vulnerabilities”.

Performed quarterly, the Application Penetration Assessments (APAs) include application scanning followed by intensive manual testing to identify application vulnerabilities. Reporting is fully customized and includes both positive and negative findings.

Findings Review

· Detailed report received from third party security vendor.

· Findings reviewed by the Data Protection Officer, Director of Infrastructure and Cybersecurity and Director of Product Development.

Findings Risk Analysis

· For critical and high ratings, a problem ticket is created in the service management system and assigned for immediate action.

· For medium and low ratings, entries are added to the application backlog and prioritized against other development work.

· All findings and prioritization details are shared and vetted at the DDI Data Security Office’s Risk Analysis meeting. If the severity of any finding is deemed to be changed, this decision is documented and shared with application development partners.

Vulnerability Classification

Vulnerabilities are classified using the CVSS scale per the CVSS v3.0 specification (https://www.first.org/cvss/specification-document) and can be calculated on a per-vulnerability basis using the CVSS Calculator (https://www.first.org/cvss/calculator/3.0).

Vulnerability remediation is to be completed as soon as possible once identified using the following table:

Severity | Description | Service Level
Critical | CVSS score of 9.0 or higher. Can be readily compromised with publicly available malware or exploits. | 2 days
High | CVSS score of 7.0 to 8.9. No known public malware or exploit is available. | 30 days
Medium | CVSS score of 4.0 to 6.9. Can be mitigated within an extended time frame. | 90 days
Low | CVSS score of 0.1 to 3.9. Not all low vulnerabilities can be mitigated easily due to application and normal operating system behaviour; these should be documented and formally excluded if they cannot be remediated. | 180 days
None | Informational findings with a CVSS score of 0.0. Considered potential risks but generally reference information about the state and configuration of an asset. | Not required


DDI Associate Policies

DDI employs rigorous processes and controls over access and permissions for all infrastructure components, networks, firewalls, servers, databases, etc. These are strictly controlled within the Global Technology Group, which has final authority on all administrative user access, system monitoring/notifications, and OS, security, and application updates. Regular mock scams are also conducted to help DDI associates be more aware of such attacks and respond to them appropriately.

Screen Locking

All computers are configured to have a password-enabled screen saver. DDI’s policy for screen lockout is 15 minutes. After 15 minutes of inactivity the screen saver will be invoked. The user must then reenter their password to gain access to the computer.

Passwords

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. To view DDI’s full Password Policy, please reference Appendix I.

Revoking Access

As soon as administrative access to DDI systems and application platforms is no longer required for job responsibilities, it is revoked. This includes termination of employment as well as changes to roles or responsibilities in the company.

This process is completed within 24 hours of a role change, or immediately in the event of involuntary employment termination. In addition, we regularly review which associates have these permissions and make changes as needed.

Data Privacy and Security Awareness Training

All DDI associates receive regular training and best practice guidance on data privacy, security, and confidentiality. Completion of training is monitored to promote the highest level of compliance.  Regular mock scams are also conducted to help DDI associates to be more aware and to respond to such attacks appropriately. 

Web Filtering  

DDI manages access to external websites to reduce exposure to malicious content, including restricting access to known or suspected harmful sites and prohibiting use of unauthorized web resources. Associates complete mandatory training to help them identify and avoid such sites. Exceptions to these restrictions are reviewed on an ad-hoc basis and must be approved by DDI’s Security Team. Associates can pose security questions or concerns to DDI’s Privacy, Security, and Compliance Office (PSCO) or report potential security incidents through our formal incident reporting and response process, should the need arise.

Cookies

Cookies are data files that are sent to a user’s computer upon visiting a website and are stored in a file in the user’s web browser. DDI uses cookies and similar technology (collectively, “cookies”) to assist with navigation and users’ ability to provide feedback, analyze users’ interest in our Products and solutions, assist with content personalization and our promotional and marketing efforts, and provide content from third parties. 

Any authorization cookies are session cookies that expire after the user closes their browser or their session ends. Some analytics and system functionality cookies may last up to 24 hours from creation. Most of our cookies are encrypted, with some minor exceptions such as “language.” We do not store any personal data in cookies.  Users may not opt out of any cookies that are strictly necessary to the function of the system.

See Appendix II for full details of DDI’s cookie policy

Product Development Process and Code Management

Development Release Cycle

DDI employs an agile development model. Agile is an iterative approach to software development and provides a very nimble capability that allows DDI to rapidly respond to the needs of our clients. We have a planned new code release cycle – typically a weekly cycle.

This means that approximately every week DDI releases new features and upgrades. It also gives us frequent windows for releasing fixes to features that do not work as desired. Outside of this cycle we can make “emergency” releases as urgency dictates.

Development Environments

DDI uses separate application instances for testing updated code, with further separate instances for early candidate code and release candidate software. This protects production data from ever being controlled or accessed by code still in development. All development code runs against “dummy databases”.

Code Review

Programmers work individually or in teams developing new code. As the end of each cycle approaches, code is peer-reviewed and tested in a QA environment separate from the production environment. This testing period allows us to eliminate most bugs before they are ever introduced to production. Code is also programmatically inspected for known vulnerabilities.

Code Management

Git is used to manage the software development process and serves as the source-code repository. The tool and related processes ensure that no changes are overwritten due to multiple developers making changes to the same module. Change control processes exist at many different levels within application development, QA and implementation including:

Global People Services (Human Resource Policies)

Confidential Information

Upon hire, all DDI associates are required to sign a confidentiality agreement that specifically addresses the concerns and risks of dealing with confidential information. Any associate found to have violated this policy is subject to immediate termination or any applicable legal action. In addition, annually employees sign a Code of Business Conduct and Ethics.

Background Check Policy and Procedure

DDI believes that hiring qualified individuals to fill positions contributes to the overall strategic success of the company. Background checks serve as an important part of the selection process at DDI. This type of information is collected as a means of promoting successful candidate matches for the position, as well as a safe and secure work environment for current and future employees. Background checks help DDI obtain additional applicant related information that helps determine the applicant's overall employability, ensuring the protection of the current people, property, and information of the organization.

DDI’s full Background Check Policy can be made available for viewing if requested. To request the policy, please visit https://trust.ddiworld.com/.

Credential Verification

DDI’s pre-employment checks are designed to ensure that all associates are confirmed to have the degrees and certifications that they purport and/or are required to have. All prospective associates have their stated employment histories and integrity references verified.

SSN Verification

All US-based associates are verified legal US workers, and Social Security Numbers or work authorizations are verified.

Security Incident Response

DDI enforces a comprehensive security incident detection and response plan including intrusion detection, scans, and other methods deemed effective and appropriate. While computer-related incidents are most common, non-computer-related incidents can also be reported through the Incident Hotline or by contacting DDI’s DPO or Corporate Counsel.

The purpose of the Security Incident Response and Notification Policy is to provide general guidance to DDI’s Technical and Managerial staff to enable quick and efficient recovery from physical or logical security incidents, including the reporting of, responding to, and managing of unauthorized access to and/or loss of Confidential Information. DDI shall report any security incidents to affected or potentially affected clients within 48 hours of discovering a security breach.

In the event of a security breach or suspected security breach, the following actions must occur:

  1. Immediate notification of the following DDI personnel:
    • Data Protection Officer
    • DDI General Counsel
    • Data Privacy and Security Office
  2. Proper incident identification and documentation (must include):
    • Description of the relevant incident
    • Time and date on which it occurred and was detected
    • The person who reported it, and to whom it was reported
    • Description of Personal Data that may have been compromised
  3. Incident containment activities.
  4. Incident eradication activities or processes.
  5. Incident recovery and review.

Appendix I - DDI Password Policy

Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of DDI's resources. All users, including contractors and vendors with access to DDI systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, the frequency of password changes, and lockout policy for invalid attempts.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any DDI facility, has access to the DDI network, or stores any non-public DDI information.

Policy

Guidelines / Standards

System/server-level and user-level passwords have the following requirements:

The following password types should be avoided:

Password Protection Standards

If an account or password compromise is suspected, report the incident to DataProtectionOfficer@ddiworld.com.

Password History, Age, and Lockout Standards

Appendix II - DDI’s Cookie Policy

DDI uses the following types of cookies on its website:

To opt-out of having this information used for serving you interest-based ads, click here (or if located in the European Union click here).

DDI Cookie Policy – Products

DDI’s Cookie Policy applies to all DDI Products (“Products”). Cookies are data files that are sent to a user’s computer upon visiting the Product website and are stored in a file in the user’s web browser. DDI uses cookies and similar technology (collectively, “cookies”) to assist with navigation and users’ ability to provide feedback, analyze users’ interest in our Products and solutions, assist with content personalization and our promotional and marketing efforts, and provide content from third parties.

Any authorization cookies are session cookies that expire after the user closes their browser or their session ends. Some analytics and system functionality cookies may last up to 24 hours from creation. Most of our cookies are encrypted, with some minor exceptions such as “language”. We do not store any personal data in cookies.

Products only collect essential cookies. Users may not opt out of cookies when using Products.

Further resources:

Learn about DDI's Data Regulation Compliance
Read our Privacy Policy
GDPR regulation
Submit a data request
Visit this page to select the type of marketing emails you'd like to receive from us or to unsubscribe.