How We Manage Data

Environics Analytics (EA) has established a Data Governance Policy and Practice, which creates the information management systems that ensure that all enterprise and client information is and will continue to be accurate, accessible, and protected throughout its lifecycle.

The policy establishes organizational responsibility for information and data under all Environics Analytics businesses, functions, services, and systems and the procedures used to manage them.

Data Security

Environics Analytics Information Technology (EAIT) and the EA Data Governance Office (DGO) are responsible for delivering and supporting the systems, services, and information technology infrastructure required to manage and use all data and information. EAIT performs generally accepted system administration tasks, including physical site security, monitoring equipment, administration of security and authorization systems, backup and recovery procedures, capacity planning, and system performance monitoring. We regularly assess and enhance our security measures to stay ahead of evolving threats.

Security audit frameworks that EA is aligned with include ISO/IEC 27001 (our approach to managing and protecting sensitive information). This standard outlines requirements for establishing, implementing, maintaining, and continuously improving our information security management systems (ISMS); NIST SP 800-53 (security controls); SOC1 (client services, financial controls); SOC2 (security, availability, processing integrity, confidentiality, and privacy controls); Health Insurance Portability and Accountability Act Security Rule (HIPAA) (protecting electronic personal information). These standards help identify vulnerabilities, evaluate risks, and implement effective security measures.

Data Stewardship

EA has established a Data Stewardship Team to engage all stewards and their departments in taking care of data assets. Data stewards assigned within each functional group are to provide data governance support to their co-workers and to provide subject matter expertise and feedback to the data governance office. The request is for all data-related work to be performed according to policies and practices as established through governance.

Data Transfer

Environics Analytics works with clients to ensure that information and data is transmitted with the utmost security. Transmission processes can be found in the Information and Classification Policy within the Security Policies. The DGO manages the Secure File Transfer Protocol (SFTP) controls. All customer communications transmitted over the internet are encrypted (256 Bit). Environics Analytics utilizes encryption on its own email servers to ensure point-to-point encryption via opportunistic TLS. Supported TLS versions are 1.2 and 1.3

Data Inventory

All client data files collected (inbound) by EA will be logged by the Data Governance Office (DGO). The DGO will record where the data resides on the EA network. As well, the DGO will update associated workflow and data flow documentation. Access to these data is limited to only those staff who require it – permission controls are established and enforced for each data set received.

Retention and Destruction

Retention and destruction of enterprise information are determined by enterprise use requirements and data retention policies. Data are typically retained between three and seven years, dependent on classification. Retention and destruction of client information are determined by client requirements as outlined in the contract or statement of work. If a client or supplier does not require their data retained, we request to be informed of these exceptions before Environics Analytics receives any data.

Upon request from the client to destroy client data, Environics Analytics Data Governance Office will a) clarify the specific files to destroy, b) execute destruction, and c) send client a “certification letter of data destruction” confirming the files, and date executed. Destruction is in accordance with NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization. This process is overseen by the Data Governance Office (DGO).

Data De-identification and Data Anonymization

De-identified Information is Information for which the risk of re-identifying the individual is significantly reduced or eliminated in the context in which it is to be used.

Anonymization is any method that ensures that information about an individual "no longer allows the person to be identified directly or indirectly" in accordance with "generally accepted best practices". Anonymized data requires that the individual be irreversibly no longer identifiable, both directly and indirectly, thus requiring the removal of both direct identifiers and indirect identifiers. Anonymized Information is Information which cannot be re-identified in any context.

The EA Data Governance Office (DGO) will document and guide EA Staff on the execution of processes associated with de-identification, data anonymization, and pseudonymization or any other similar mechanisms. We use rigorous 3rd party re-identification risk assessments to prevent re-identification.

For a data set to be considered de-identified, any directly identifiable information must be removed. The values of a dataset may be transformed in various ways to remove any information that identifies an individual or for which there is a reasonable expectation that the Information could be used, either alone or with other Information, to identify an individual. Depending on the type and nature of the identifiers, different techniques may be applied.

For more information, click here.