We have robust teams and programs to manage our privacy and information security risks. Information security covers all information, both personal information and nonpersonal information such as trade secrets and material nonpublic information, while privacy is focused on the personal information of individuals. Privacy and information security are governed separately within Allstate, although the two teams work closely together.
Allstate’s information security program, including our policies and standards, is developed, monitored, managed and updated by the Allstate Information Security team under the direction of the Allstate Chief Information Security Officer and the Information Security Council (ISC).
The ISC is led by the Chief Information Security Officer, who is also the Senior Vice President of Information Security, and consists of cross-functional senior leaders from across Allstate, including the Chief Privacy Officer. As a decision-making forum within Allstate’s formal governance structure, the ISC monitors information security risk, directs mitigation activities and escalates risks that fall outside established tolerances.
The Operating Committee directed that the ISC hold authority for information security risk oversight, delegated from the Enterprise Risk and Return Council. Allstate’s information security strategy and the National Institute of Standards and Technology (NIST) Cybersecurity Framework guide the decisions and actions of the ISC.
Allstate uses a risk-based approach to establish our information security program, which maps to both the NIST Cybersecurity Framework and ISO/IEC 27001, with support from other standards and best practices. ISO/IEC 27001 is an information security management standard published by the International Organization for Standardization and the International Electrotechnical Commission; the most recent version was released in 2013.
Our information security practices have been and continue to be subject to both internal and external audits, an additional check on the effectiveness of our cybersecurity program. We run automated vulnerability scans across the enterprise every day, and we conduct tests and exercises to identify and remediate exploitable vulnerabilities before they can be used against us.
Privacy is an area of operational risk and falls under the oversight of the Operational Risk Council. The Operational Risk Council is overseen by the Enterprise Risk and Return Council. The Allstate privacy team, along with its policies and programs, is managed by the Chief Privacy Officer, who is also the Chief Ethics and Compliance Officer. The privacy team works with liaisons and experts across the enterprise to communicate with and educate employees on our privacy practices, and act as our front line for privacy protection.
The privacy team also works to ensure that third-party risk assessments are done for entities or applications that store or capture personal information and that privacy impacts of proposed process changes are evaluated. Our expectations for privacy protection are outlined in our Vendor Code of Ethics.
If Allstate suspects that personally identifiable information may have been compromised, the privacy team is responsible for incident response: investigation, notification, response and corrective action. If necessary, the incident and response may be escalated to the Operational Risk Council and the Board of Directors. The privacy team and other leaders help ensure that Allstate remains in compliance with the growing body of regulation that applies to the personal information for which Allstate is responsible.
Employees are trained on Allstate policies, and our external privacy statements are transparent and accessible by stakeholders. Allstate has implemented an annual compliance confirmation process, which requires every employee to complete three annual mandatory training courses and agree to follow appropriate company policies. One such course is the Information Security & Privacy Refresher, which educates employees on security and privacy policies, standards and processes. All employees must agree to comply with the following:
Because Allstate agency owners and their staff are not Allstate employees, they are not covered in the annual compliance confirmation process. We provide specific cybersecurity training for new agency staff as well as key cybersecurity responsibilities for all agency users annually. Agency owners are also required to maintain a written information security policy for each agency.
Investing in a strong Integrated Digital Enterprise system with appropriate security controls is just one way we protect Allstate data. Training employees to get the most value from these controls is a critical and complementary part of our cybersecurity management: our policies can only be effective when we communicate them throughout our team. Our annual compliance confirmation process provides foundational education for all employees on their responsibilities and basic policies; 100% of our global employees complete mandatory compliance confirmation and the associated training annually. The training also covers risks identified over the last 12 months as specifically relevant to the company or to the wider world. We use a personal approach to engage employees.
Our dedicated security marketing communications and security education teams collaborate on a year-round internal campaign that conveys messages about strong security practices, such as password security and traveling safely. Our security education team also runs phishing simulations that give real-time feedback and training to employees who act on a simulated phishing message, and it notifies leadership when an employee fails the test multiple times.
Additionally, we provide on-demand and topic-specific training, allowing us to customize programs around current issues. We offer more advanced and specialized training to employees in higher-risk roles. For example, users who may access HIPAA-protected health information or developers working with payment card information receive additional training on secure practices.
We evaluate our training results using four levels:
If employees need to bring a privacy or security incident to the attention of senior leadership, they can alert members of the Information Security team via the new CyberSOC hotline and email addresses. The Global Code of Business Conduct also lists phone numbers and email addresses that can be used to report an incident.
Our security and privacy requirements extend to suppliers who access, store or use Allstate data. Allstate emphasizes the importance of customer privacy and data security with suppliers through our procurement standards, practices and contracts. We have established a security assessment program for our suppliers, which may include on-site assessments for critical suppliers. We also require all contingent workers with access to our network to complete a training course on Allstate’s security policies.