This Security Statement applies to the products, services, websites, and applications offered by Pearl Interactive Network, Inc. (Pearl). This Security Statement also forms part of the user agreement for Pearl clients.
Pearl values the trust that our clients place in us by letting us act as custodians of their data. We take our responsibility to protect and secure client information seriously and strive for complete transparency around our security practices detailed below.
Pearl’s information systems and technical infrastructure are hosted within a SOC 2 accredited data center in Central Ohio. Physical security controls at this data center include 24/7 monitoring, cameras, visitor logs, entry limitations, and all that one would expect at a high-security data processing facility.
Pearl’s approach is to operate its governance, risk, compliance and privacy program based on the NIST Cybersecurity Framework.
Pearl governs its risk management compliance program through an executive-sponsored and attended information risk management committee, which oversees the overall governance, risk and compliance program as well as the expectations specific to individual clients.
Pearl works with a variety of clients who have a wide range of risk management, security, and privacy expectations including HIPAA, PCI-DSS, NIST, CIS Controls, and CMMC framework requirements. Pearl works with clients to ensure our program aligns with their risk, security, and privacy obligations and expectations.
Pearl conducts background screening of all potential employees at the time a contingent offer is made. Pearl then completes a full background check before making an official offer to hire the potential employee. In addition, all employees are required to take security awareness training, which covers physical, personnel, and technical security safeguards and appropriate countermeasures. This security awareness training is completed by all employees on an annual basis.
Vulnerability Management and Penetration Tests
Pearl conducts continuous vulnerability management scans on all workstations. Additionally, Pearl employs an independent third party to conduct external and internal penetration tests on an annual basis.
Pearl maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are imaged and secured prior to deployment and are equipped with full disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.
Pearl maintains a security incident response process that covers the initial response, investigation, client notification (no less than as required by applicable law), public communication, and remediation. This process is reviewed regularly and tested annually.
Despite best efforts, no method of transmission over the internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Pearl learns of a security incident or breach, we will notify affected users so that they can take the appropriate protective actions. Our breach notification procedures are consistent with our obligations under federal laws and regulations as well as any industry rules or standards applicable to us. We are committed to keeping our clients fully informed of any matters relevant to the security of their account and to providing clients all information necessary for them to meet their own regulatory reporting obligations.
Business Continuity Management
Backups are encrypted and stored by Pearl’s Managed Services Provider (MSP). The MSP performs monthly recovery tests to ensure that backup procedures are fast, efficient, and secure. The Business Continuity Plan (BCP) is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.
Logging and Monitoring
Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Pearl personnel and their MSP. Logs are preserved in accordance with regulatory requirements.
Pearl is committed to protecting the privacy and accuracy of confidential and personal information collected by its employees, to the extent possible, subject to provisions of state and federal law. Other than as required by laws that guarantee public access to certain types of information, or in response to subpoenas or other legal instruments that authorize access, personally-identifiable information is not actively shared, re-distributed, or sold.