Information security

Building on a solid foundation

RSM’s information security program establishes a secure foundation for sustainable digital growth through strategic, technical and organizational measures that protect RSM’s digital assets.

Our information security mission calls for protecting the confidentiality, integrity and availability of RSM and client data. To support this mission, our leadership team has driven continuous improvement through appropriate levels of oversight, leadership participation and a risk-based approach to control protected information. Our people undergo information security and privacy awareness training upon hire and annually thereafter. This training includes ongoing phishing detection training.

We also have a dedicated information security team. Led by our chief information security officer (CISO), this team includes but is not limited to the office of the CISO, security operations, cyber incident response, security architecture and engineering, and information security governance.

Our information security standards are aligned with an internationally recognized industry standard for security, the ISO/IEC 27001:2022 framework, and are guided by security requirements specific to our operating environment, as well as by laws and regulations relevant to our firm. Information security best practices are also taken into consideration.

Information security incident management

We actively monitor vulnerabilities, as well as potential security threats and events. We use industry-standard prevention and detection tools, including intrusion prevention and detection systems, data loss prevention, and security information and event management to protect our network. We have an incident response plan and an engaged incident response task force.

Information security in vendor relationships

At RSM, digital products and services are sourced with security considerations at the forefront. We perform a security review on any vendor solution that stores or accesses confidential information. Vendor contracts include confidentiality clauses and security, privacy, data integrity and data breach provisions, as needed. Work agreements with contractors and other non-employees include a requirement to comply with our acceptable use and information security policy.

Collection, use and retention of personal information

We collect, use and retain personal information subject to our publicly available privacy policy. As described in that policy, we process this data for several purposes, including to provide services to our clients. This data may be retained for as long as necessary for the purposes described in our privacy policy, to achieve the goals for which the information was collected or as permitted under applicable law. We have a dedicated enterprise privacy office led by our enterprise privacy leader.
