Physical security
Hall has taken steps to ensure the security of the physical office environment and continuity of business operations in the event of a disaster. Hall's web application infrastructure and customer data are not located or stored within any physical Hall office environment.
Environment
Access to Hall’s office is restricted using physical locks which only Hall employees can access. Hall’s office remains locked throughout the entire day.
Hall’s office environment also has security safeguards including:
- Security alarms: the office building has motion alarms that alert building management, who respond to alarms 24 hours a day, 7 days a week, 365 days a year.
- Security video surveillance: the internal office entry / exit points and network room have continuous video surveillance. The office building has external video surveillance and an agreement is in place with building management to access surveillance footage in the event that it is needed.
- Fire alarms and sprinkler system: fire alarms are installed throughout the office. Sprinkler fire suppression systems and extinguishers are in place.
Visitor access
All visitors must sign in and be escorted and supervised by a Hall employee at all times.
Endpoint security
Hall has an asset management policy in place to protect data that is stored and accessible via endpoints, such as company workstations and laptops.
Fleet management
All corporate endpoints are protected against internal threats and local vulnerabilities via Kandji and Vanta. All devices are continuously monitored for the following checks:
- Full-disk encryption
- Screen lock enabled
- Latest security updates
- Malware detection and anti-virus
- Personal firewall enabled
- Encrypted SSH keys
- Password management software
All corporate devices are also enrolled in mobile device management (MDM). This enables Hall to remotely manage assets to ensure compliance with configuration standards, and to remotely lock and erase a device in the event that it is lost or stolen.
Network security
All wireless networks, both corporate and guest, encrypt data in transit using WPA2-AES encryption. Guest network traffic and access are separated from corporate network traffic and access.
Corporate networks are protected with Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to block malicious traffic and actors attempting to access Hall's corporate network.
Removable media and offline backups
Hall prohibits use of removable media and offline backups to mitigate both the risk of data loss as well as the risk of malware being introduced.
Security training
All new employees receive onboarding and systems training. This training is completed annually by employees and training compliance is monitored.
The main topics covered in security training are:
- Social engineering: primarily phishing and how to detect and report attacks.
- Passwords: background in how passwords are cracked, why strong passwords are important, and storage recommendations for passwords.
- Physical security: guidelines for maintaining the physical security of offices and equipment.
- Data handling: understanding data classification and how to properly handle such data.
- Compliance: its importance and how it affects operations.
Risk management
Hall has a comprehensive set of risk management principles, policies and procedures in place to identify new business and technical risks, and put plans in place to mitigate those risks.
Risk principles
Hall believes that effective risk management involves:
- A commitment to the security, availability, and confidentiality of Hall infrastructure and services from senior management.
- The involvement, cooperation and insight of all Hall staff.
- A commitment to initiating risk assessments, starting with discovery and identification of risks.
- A commitment to the thorough analysis of identified risks.
- A commitment to a strategy for treatment of identified risks.
- A commitment to communicate all identified risks to the company.
- A commitment to encourage the reporting of risks and threat vectors from all Hall staff.
Security policies
Hall maintains a comprehensive set of organizational security policies that must be agreed to by all employees annually.
All policies are reviewed and approved by management annually. Employees who violate any policies may face disciplinary consequences in proportion to their violation.
Vendor management
Hall relies on vendors to perform a variety of services, some of which are critical for operations. Hall aims to manage its relationship with vendors and manage the risk associated with engaging third parties to perform services.
Risk assessments
Hall conducts due diligence on an individual vendor’s security, business practices, and legal commitments. This assessment includes a review of supply chains for modern slavery. Hall’s vendor management policy provides a framework for managing the lifecycle of vendor relationships.
Data subprocessors
Hall utilizes some vendors as data subprocessors to provide the Hall services. Hall takes a risk-based approach to selecting data subprocessors based on the security and business practices of these vendors. To minimize our risk and the risk to our customers, we aim to utilize as few data subprocessors as possible to provide the Hall services.
Hall’s data subprocessors are listed at data subprocessors.
Confidentiality agreements
All employee and contractor agreements include a confidentiality agreement. All employees agree during and after employment that they will:
- refrain from disclosing confidential information
- not use confidential information for purposes other than their employment
- keep confidential information secure and not disclose or publish information except when authorized or as required by law
On termination of employment, all employees must return all confidential information and must permanently erase all confidential information stored on any device.
Background checks
Hall conducts background checks for all new hires, including a Nationally Coordinated Criminal History Check that verifies the following information:
- Identity certification
- Disclosable court outcomes
- Pending charges
In addition to background checks, Hall also verifies the prior employment history before an offer of employment is made to new hires.