At Universal, we are committed to information security and operate a comprehensive program that proactively works to safeguard our customers’ sensitive information.
We are ISO 27001 certified by Schellman, LLC covering the mission support, digital engagement, and information technology environments. This certification represents a program of annual risk assessments, internal and external audits, continual improvement, penetration testing, vulnerability management, employee training, physical and personnel security, and business continuity processes.
We have a full-time IT Security team, tasked with managing the risks to Universal’s data and technology environment. All Universal employees work together to safeguard company data and information systems against unauthorized access, disclosure, destruction, or alteration.
Furthermore, we routinely undergo audits by our Fortune 500 clients.
The following sections provide a summary of our approach to information security.
Governance & Compliance
All Universal employees are subject to the Code of Conduct. This document describes their obligation to protect the privacy of client data, incident reporting requirements, appropriate use of IT resources, and ethical expectations.
All Universal employees are subject to pre-employment background checks and must complete annual online training covering IT security, data privacy laws and the importance of maintaining the confidentiality of our clients’ information. Employees whose job functions require them to handle sensitive client data must complete additional in-person training.
All Universal employees and contractors are bound by confidentiality and non-disclosure agreements.
All reported or suspected incidents of fraud or malfeasance are investigated by the office of the Chief Compliance Officer at the direction of the General Counsel.
Headquarters Physical Security
Physical access to Universal’s headquarters location is managed by a proximity card and photo-ID system, and perimeter doors are locked at all times. Deliveries are received in a section of the building isolated from technology and trip support operations. Visitors are required to sign in, are identified by a prominent visitor badge, and must be accompanied at all times by a Universal employee while in our facility. Employee and contractor access restrictions are based on job function and authorized by the supervisor, security manager, or facility manager. Access is promptly revoked whenever an employee or contractor separates from Universal, regardless of cause.
In order to serve our global customer needs, our headquarters operates around the clock and observes these security practices at all times.
Data Center Security
Our CyrusOne data center is SSAE 18 Type II and ISO/IEC 27001:2013 certified as well as PCI-DSS compliant. It undergoes annual, independent, third-party audits to ensure it continues to meet strict compliance requirements for processes, controls, and safeguards. The data center is secured by onsite guards 24 hours a day, 365 days a year, video surveillance, key card security for strict access control, and man-trap type security doors to prevent tailgating. The data center is equipped with fire monitoring and suppression systems. Further, CyrusOne segregates customer infrastructure to restrict access in the event multiple customers are on-site at the same time.
Universal contracts space in CyrusOne facilities in both Houston and Austin, Texas, to safeguard data and operations against environmental threats. Throughout recent events, including Hurricane Harvey, COVID, and the Houston 2021 freeze, both data centers offered uninterrupted operation.
User and Access Management
Access to customer information follows the principle of least privilege and is determined by employee job duties. All user access requires management authorization and assigned privileges are periodically reviewed by the IT Security Office. Additionally, we utilize contemporary technologies to alert the IT Security Office of file access activities that deviate from normal work behavior. Upon employee separation, access to the physical campus and all systems is disabled immediately after notification by Human Resources.
Administrative access is more tightly controlled, abides by the principle of least privilege, and is restricted by job function.
Network and System Security
Universal combines extensive network perimeter intrusion prevention against malware with system-level safeguards, including data-at-rest encryption, regular software updates, periodic off-site backups, and advanced endpoint security tools. Additionally, these security technologies are monitored 24×7. The company network is subdivided into zones based on differing trust levels, both to improve our ability to detect suspicious events and to limit the potential exposure of sensitive information. Further, the network perimeter prevents access to certain types of Internet sites and content that Universal’s leadership team has determined are not essential for the business or create undue risk.
Remote access to the company’s information resources requires encryption in transit and multifactor authentication of individual employees. Universal-owned and managed workstations are provided for remote work, both to limit the flow of company data and to ensure a high standard of system management.
Company email is filtered against contemporary threats such as spam, malicious software, phishing, impersonation of key personnel, and other fraudulent messages. Further tools are used to detect and warn when outgoing messages contain certain types of data.
Sensitive data storage is monitored for anomalous user access patterns, early warning signs of ransomware activity, and alterations to assigned access permissions.
All web applications are scanned for common vulnerabilities as part of our overall vulnerability management program and utilize contemporary HTTPS encryption methods to protect data.
Annually, our digital mission management platform, uvGO, and the company network undergo a third-party penetration test. Observed issues are promptly remediated under the umbrella of our vulnerability management program.
A comprehensive incident response plan governs detection, containment, investigation, reporting, and ongoing improvements to our security posture.
Our Business Continuity Program provides structured plans for the recovery of critical business functions and the resumption of those functions in the event of disaster. We review our business continuity plans periodically and conduct disaster recovery exercises, including scenarios based on weather, loss of access to our facilities, pandemic, or various cybersecurity incidents to ensure that these plans are ready, should a need arise.