Trust Center
At NACD, information security is a top priority, which includes safeguarding against external threats and malicious insiders. The company's cybersecurity strategy emphasizes the detection, analysis, and response to cyber threats, effective management of cyber risks, and resilience against cyber incidents.
NACD strives to meet the industry's best practices for information security and applies controls to protect its members, partners, and the organization. Our dedicated security program is structured around well-established frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), control frameworks (e.g., NIST 800-53, Center for Internet Security benchmarks), and regulatory requirements (e.g., General Data Protection Regulation, Payment Card Industry Data Security Standard, etc.).
This document states our commitment to information security and privacy. It is also intended to provide our members and partners with the information they need to complete standard supply chain assessment questionnaires.
If any additional information is required, please feel free to contact us.
The information below provides an overview of NACD’s approach to information security and practices to secure data and systems aligned with the five functions of the NIST CSF: Identify, Protect, Detect, Respond, and Recover.
Identify
Risk Governance and Oversight
The organization’s risk governance and risk management are shaped by its management culture, embedded practices, and formal oversight. The organization’s governance model is based on the daily operations of managers and their teams and bolstered by governance and risk committees such as the Enterprise Risk Committee, the Information Security Steering Committee, and the Audit Committee.
Information Security and Cybersecurity Policies and Standards
The organization has established policies (e.g., Information Security Policy, Acceptable Use Policy) and standards (e.g., Vulnerability Management, Identity & Access Management) for information security to ensure adherence to management directives, regulations, laws, and best practices. Policies and standards are available to all employees.
Asset Management
The company has implemented an asset management initiative to appropriately inventory, categorize, and safeguard its applications, data, and hardware to maintain security.
Protect
Training and Awareness
All employees and contractors undergo an annual cybersecurity awareness training. The organization also provides targeted training at regular intervals to keep personnel informed about the latest cyber threats and countermeasures.
Identity and Access Management
The organization has implemented access control policies that facilitate the identification, authorization, authentication, and management of individuals' access to the organization's information assets and systems.
Application and Software Security
The organization utilizes its software management process to oversee the security of its applications and software. The organization also conducts penetration testing to ensure the security of applications and infrastructure.
Infrastructure Security
The organization safeguards its infrastructure by implementing a comprehensive control framework encompassing architecture reviews, vulnerability assessments, system hardening, and malware protection.
End User Device Security
Employees conduct business on managed devices with standard security controls to protect the organization’s systems and member data.
Data Protection and Privacy
The organization has put in place measures to ensure the safety and security of its own and its members' information. These measures include, but are not limited to, secure storage, proper handling, secure transmission, and record retention. Please refer to our privacy policy for details on the information we collect.
Physical Security
The organization has implemented uniform security protocols within its data center and office, including card access, video surveillance, on-site security staff, environmental controls, and visitor management.
Vendor Security
The organization’s vendor management process incorporates information security risk management.
Detect
Logging and Continuous Monitoring
The organization employs detective measures across network, endpoint, and application layers to identify any abnormal activity that may indicate a potential threat.
Anomaly Detection
The organization ensures prompt detection of any security anomalies or events and an in-depth analysis of their potential impact.
Enforcing Protective Measures
The organization conducts testing and validation of all security measures in place to ensure their efficacy and comprehensiveness.
Respond
Security Incident Management
The security incident management program implemented by the organization is capable of efficiently detecting and managing security threats and incidents that could affect the confidentiality, integrity, or availability of the organization's information and technology environment.
Response Planning
The organization implements synchronized measures for responding to security incidents, including communication management and evaluation of the efficacy of response activities.
Cyber Insurance
The organization holds a cybersecurity insurance policy that covers its expenses resulting from a security incident, including any necessary customer notifications and credit monitoring services.
Recover
Business Continuity and Technology Resilience
The organization has implemented a Business Continuity Program for Disaster Recovery, which addresses business and technology resilience.