Assessment Platform

We are committed to providing a secure environment, maintaining the confidentiality, integrity, and availability of customers’ information, and protecting their valuable business assets and applications.

Formal Information Security Program

eSkill delivers its clients a high level of security and confidence that is unmatched in the industry. A public version of our formal information security program is available on request.

Compliance

We conduct scheduled internal and third-party audits to ensure the confidentiality, integrity, and availability of customer data.

eSKILL PRIVACY

One of our biggest priorities is to provide clients with a secure and rewarding online experience. For more information, please read our privacy policy.

Data Protection

The eSkill Assessment Platform encrypts data transmitted over public networks, and data is accessible only by vetted, authorized parties.

Data Center

Our cloud platform is built on a highly-available architecture with no single point of failure and is hosted by two Rackspace data centers in different locations.

Application Security

eSkill’s product teams are required to deliver security by design in all applications, which includes threat modeling, inline and continuous security scanning, monitoring, and mandatory security reviews.

Network Security

We ensure that sensitive data is protected by implementing security best practices such as hardened router configurations, network segmentation, and active vulnerability assessments.

Host Based Security

eSkill uses a standardized build for every type of server in its architecture to disable unnecessary default user IDs, close potentially dangerous services and ports, and remove unnecessary processes.

Vulnerability Management

We regularly test application code, conduct regular third-party assessments, and scan networks and systems to check for security vulnerabilities.

eSKILL PERSONNEL

All candidates undergo background checks before they are hired and are provided regular training on security policies and procedures based on Open Web Application Security Project (OWASP) standards.

Disaster Recovery

The eSkill Assessment Platform maintains a SOC 2 Type II attestation, which requires the implementation of a formal disaster recovery plan (DRP) that includes annual testing.

Validation

We conduct a statistical validation study and job analysis on every pre-employment test to ensure it is relevant to the job requirements and free of bias. Please read our Validation Report to learn more.

EEOC

Our employment assessments meet and uphold EEOC regulations and comply with the anti-discrimination requirements of the ADA and ADEA. Please review our EEOC compliance guidelines to learn more.

Assessment Platform

eSkill’s Assessment Platform recognizes the importance of maintaining the confidentiality, integrity, and availability of our customers’ information and the protection of its valuable business assets and applications. This Security and Trust Assurance Packet reflects our commitment to providing a secure environment and adopting effective security standards that align with industry best practices in the areas of security and service management.

With the use of a variety of reliable security technologies as well as a unique combination of trained personnel, mature business processes, and regular third-party audits measured against several international and U.S. standards, eSkill’s Assessment Platform delivers a high level of security and confidence that is unmatched in the industry.

This document describes each layer of this assurance approach to provide an overview of the compliance, data protection, and cybersecurity that eSkill’s Assessment Platform provides.

While open to sharing information with its customers, eSkill asks companies and entities who are not yet eSkill Assessment Platform customers to sign an eSkill nondisclosure agreement before making detailed inquiries into the eSkill Assessment Platform services.


Formal Information Security Program, Policies and Procedures

eSkill offers a public version of our formal information security program.


Compliance

To assure that our customers’ data confidentiality, integrity, and availability are maintained, eSkill’s Assessment Platform conducts multiple internal audits and third-party audits on a scheduled basis. The written results of many of these audits are available on request.

eSkill Assessment Platform also undergoes periodic external scans, which are available on request. The following table shows the types of audits and scans, plus the frequency in which they are conducted:

Audit Type                              Performed By            Frequency
Secure SDLC                             Internal                Continuous
Risk Assessment                         Internal                Annual
NIST and ISO 27001 Control Review       Internal                Continuous
ISO 27001 Statement of Applicability    External                Annual
Vulnerability Scanning                  Internal                Quarterly
Vulnerability Assessment                External                Quarterly
Penetration Testing                     External and Internal   Annual
SOC 2 Type II                           External                Annual


Privacy

eSkill’s Assessment Platform privacy policies and practices may be found at:

Privacy Policy

Cookie Policy

Privacy Product Features
By configuring Data Retention, clients can simplify their compliance with data privacy regulations by removing data once it is no longer needed. Removal involves anonymizing, deleting, or obfuscating the data. To meet GDPR requirements, eSkill’s Assessment Platform logs internal read and change access to personal-data fields.

Third-Party Providers
Before third-party providers are approved to offer parts of eSkill Assessment Platform’s services, they must go through a formal vendor risk management program review to confirm and monitor that they provide an adequate level of security and comply with relevant data protection requirements. eSkill’s Assessment Platform collects only the minimum necessary personal data and uses it only for agreed-on purposes.


Data Protection

eSkill Assessment Platform has established the following safeguards for personal information protection:

  • Data is encrypted when transmitted over public networks.
  • Personal Information may be anonymized at the request of the customer.
  • Data is accessible only by vetted, authorized personnel.
  • Client data is prohibited from being stored on eSkill workstations and mobile devices.

Data in motion

  • Web browser user sessions – TLS 1.1 and 1.2 (and above where the browser supports it). TLS 1.1 was formally deprecated by RFC 8996 in 2021 and current browsers no longer negotiate it, so in practice browser sessions should negotiate TLS 1.2 or 1.3; a practitioner should verify that TLS 1.1 is actually retired on the service endpoints.
  • Web service APIs – TLS 1.2 or later.

Data Center

eSkill Assessment Platform’s cloud platform is based on a high-availability architecture with no single point of failure and is hosted by Rackspace in two geographically dispersed data centers.

For compliance details on specific data center platforms, see below:

Rackspace: https://www.rackspace.com/compliance


Application Security

Secure Software Development Lifecycle

eSkill Assessment Platform has implemented a secure software development lifecycle (secure SDL), requiring our product teams to include security training, tools, and processes that are in alignment with the Open Web Application Security Project (OWASP) and NIST. These guidelines include secure coding implementation in application architecture, authentication, session management, access controls and authorization, event logging, and data validation.

Required processes for eSkill Assessment Platform’s product teams include threat modeling, inline and continuous security scanning and monitoring, and mandatory security reviews that enable product teams to deliver security by design. eSkill Assessment Platform integrates static, interactive, and dynamic security testing into the secure SDL.

eSkill applications and services are designed to ensure that only authorized users can perform allowed actions within their privilege level, to control access to protected resources using decisions based on role or privilege level, and to prevent privilege escalation attacks.

Role-based Access

  • User roles can be defined both at the group level and at the user level.
  • User roles can be used to adhere to Segregation of Duties (SoD).
  • User and group access can be defined down to the assessment level.
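The role model described above (roles at the group and user level, scoped down to a single assessment, with segregation-of-duties constraints and protection against privilege escalation) can be expressed as a small authorization engine. The following is an added example, not eSkill’s own code: the role names, the permission sets, the "author may not also approve" SoD rule and the directory layout are assumptions chosen to illustrate the model.

```python
"""Role-based access with group-level and user-level roles, scoped per
assessment, plus segregation-of-duties and anti-escalation checks.
Added example; role names, permissions and policy rules are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    VIEWER = 1
    AUTHOR = 2
    APPROVER = 3
    ADMIN = 4


# Permissions each role grants. A role never implies a higher role.
PERMISSIONS = {
    Role.VIEWER: {"assessment:view"},
    Role.AUTHOR: {"assessment:view", "assessment:edit"},
    Role.APPROVER: {"assessment:view", "assessment:approve"},
    Role.ADMIN: {"assessment:view", "assessment:edit", "assessment:approve", "role:assign"},
}

# Role pairs that may not be held together on the same assessment (SoD).
CONFLICTING = [frozenset({Role.AUTHOR, Role.APPROVER})]

ALL = "*"  # scope meaning "every assessment"


@dataclass
class Directory:
    group_roles: dict = field(default_factory=dict)  # group -> {scope: {Role}}
    user_roles: dict = field(default_factory=dict)   # user  -> {scope: {Role}}
    membership: dict = field(default_factory=dict)   # user  -> {group}

    def effective_roles(self, user, assessment):
        """Union of roles granted directly and via groups, for ALL or this assessment."""
        roles = set()
        sources = [self.user_roles.get(user, {})]
        sources += [self.group_roles.get(g, {}) for g in self.membership.get(user, ())]
        for scoped in sources:
            roles |= scoped.get(ALL, set())
            roles |= scoped.get(assessment, set())
        return roles

    def is_allowed(self, user, action, assessment):
        return any(action in PERMISSIONS[r] for r in self.effective_roles(user, assessment))

    def assign(self, actor, user, role, assessment):
        """Grant `role` to `user` on `assessment`, enforcing who may assign,
        no escalation above the actor's own level, and SoD."""
        if not self.is_allowed(actor, "role:assign", assessment):
            raise PermissionError(f"{actor} may not assign roles on {assessment}")
        actor_max = max(r.value for r in self.effective_roles(actor, assessment))
        if role.value > actor_max:
            raise PermissionError(f"{actor} cannot grant {role.name} above their own level")
        resulting = self.effective_roles(user, assessment) | {role}
        for pair in CONFLICTING:
            if pair <= resulting:
                raise PermissionError("SoD conflict: " + " + ".join(sorted(r.name for r in pair)))
        self.user_roles.setdefault(user, {}).setdefault(assessment, set()).add(role)


def demo():
    """Constructed directory: exercises scoping, SoD and escalation refusal."""
    d = Directory(
        membership={"alice": {"hr-authors"}, "bob": {"hr-reviewers"}, "carol": {"it-admins"}},
        group_roles={
            "hr-authors": {ALL: {Role.AUTHOR}},               # authors everywhere
            "hr-reviewers": {"assess-42": {Role.APPROVER}},   # approver on one assessment
            "it-admins": {ALL: {Role.ADMIN}},
        },
    )

    def attempt(*args):
        try:
            d.assign(*args)
            return "granted"
        except PermissionError as exc:
            return f"refused: {exc}"

    out = {
        "alice_edits_42": d.is_allowed("alice", "assessment:edit", "assess-42"),
        "bob_edits_42": d.is_allowed("bob", "assessment:edit", "assess-42"),
        "bob_approves_7": d.is_allowed("bob", "assessment:approve", "assess-7"),
        # SoD: alice already authors assess-42, so she may not also approve it.
        "sod": attempt("carol", "alice", Role.APPROVER, "assess-42"),
        # Escalation: alice holds no role:assign, so she cannot make bob an admin.
        "escalation": attempt("alice", "bob", Role.ADMIN, "assess-42"),
        "scoped_grant": attempt("carol", "bob", Role.VIEWER, "assess-7"),
    }
    out["bob_views_7"] = d.is_allowed("bob", "assessment:view", "assess-7")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decision function only ever unions roles and then checks the action against a static permission table, so a caller cannot reach a permission by combining scopes; the escalation check compares the requested role against the actor's highest role on that same assessment, which is the property the passage calls "preventing privilege escalation".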

Network Security

eSkill Assessment Platform’s network architecture ensures that sensitive data is protected through best business practice security policies and procedures.

Hardened router configurations. Router configurations correctly route packets to their proper destinations and restrict traffic. Access Control Lists (ACLs) on the front-end routers stop common attacks.

Network segmentation. eSkill Assessment Platform’s segmented network architecture prevents direct public contact or connection to eSkill Assessment Platform’s private network segment.

Front-end load balancers. Access to eSkill Assessment Platform services is managed with redundant load balancers. These provide a variety of functions, including TLS session termination, load balancing, network address translation (NAT), and port address translation (PAT).

Distributed denial-of-service (DDoS) protection. A service protects the availability of eSkill Assessment Platform services, even when they are under a distributed denial-of-service (DDoS) attack.

Activity log aggregation. Logs from network devices and systems are aggregated through an activity log collection system and fed to a SIEM, where alarms are generated for the events that warrant immediate attention.

Proactive monitoring. Security and Risk Management continuously monitor industry communities for news of security alerts, as well as vendor and partner security changes that may affect Information Services and eSkill Assessment Platform’s product line. Information Services has 24/7 automated monitoring with backup personnel.

Active vulnerability assessment. Security scans of eSkill Assessment Platform applications and infrastructure are performed on a routine basis by approved third-party assessment vendors, eSkill Assessment Platform Security Engineers, and internal scanning appliances (see table of audits and scans above). These scans check for vulnerabilities in both our external (public facing) web applications and our internal (private) networks. Discovered vulnerabilities are managed through eSkill’s vulnerability and patch management program, and the associated risk is treated per eSkill’s risk management program.

VPN. eSkill personnel use a best-in-class VPN when connecting and processing from outside the trusted network. The VPN secure tunnel offers Internal Operations personnel highly secure remote connectivity to perform after-hours maintenance or trouble-shooting. Multifactor authentication is required for all eSkill Assessment Platform personnel with direct access to production systems.

Digital certificates and TLS. eSkill Assessment Platform’s services present web server digital certificates so that browsers and API clients can verify the authenticity of every eSkill site they connect to. TLS, using these certificates, encrypts all internet web traffic between clients and servers.


Host Based Security

Information Services employs a hardened, approved, and standardized build for every type of server used within the infrastructure. This procedure disables unnecessary default user IDs, closes unnecessary or potentially dangerous services and ports, and removes processes that are not required.

Servers are built, scanned for vulnerabilities, and remediated before being deployed to production. This process is repeated every 30 days, with servers being rebuilt from scratch.

All patches are tested using a standard process to ensure proper functioning within the operating environment before they are applied to the servers.

The same process is used for the eSkill Assessment Platform data centers – we control the server builds.

eSkill Assessment Platform uses dedicated engineers to continually update, optimize, and secure the standard build procedures, while adhering to industry best practices and regulatory requirements.
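A standardized build is only as good as the check that confirms a running host still matches it. The following is an added example, not eSkill’s build tooling: it audits a host against two of the baseline properties named above (no unexpected listening ports, no default or service accounts with an interactive shell). The allowlist, the system-UID range and the sample `ss -H -tulnp` and `/etc/passwd` lines are constructed for the example.

```python
"""Host baseline audit: flag listeners outside an allowlist and system accounts
that still have a login shell.  Added example; baseline values and sample
input are constructed, not eSkill's real configuration."""
import re

ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443)}          # assumed baseline: SSH and HTTPS only
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999                                      # assumed Debian-style system UID range
LOOPBACK = {"127.0.0.1", "[::1]"}

# Columns of `ss -H -tulnp`: Netid State Recv-Q Send-Q Local-Address:Port Peer ... Process
SS_LINE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def unexpected_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return sockets bound to a non-loopback address that the baseline does not allow."""
    findings = []
    for raw in ss_output.splitlines():
        m = SS_LINE.match(raw.strip())
        if not m:
            continue
        proto, addr, port = m["proto"], m["addr"], int(m["port"])
        if addr in LOOPBACK:
            continue  # reachable only from the host itself; not exposed
        if (proto, port) not in allowed:
            findings.append(f"{proto}/{port} bound to {addr}")
    return findings


def interactive_system_accounts(passwd_text):
    """Return system accounts (uid <= SYSTEM_UID_MAX, other than root) with a real shell."""
    findings = []
    for raw in passwd_text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue  # comment, blank line or malformed entry
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name == "root" or uid > SYSTEM_UID_MAX:
            continue
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"{name} (uid {uid}) has login shell {shell}")
    return findings


# Constructed sample output; the postgres and snmpd listeners and the two
# shells are the deliberate deviations from the baseline.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=920,fd=6))
tcp   LISTEN 0      244          0.0.0.0:5432      0.0.0.0:*    users:(("postgres",pid=1011,fd=5))
tcp   LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=1100,fd=6))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=1203,fd=8))
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:115::/var/lib/postgresql:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
"""


def audit(ss_output=SAMPLE_SS, passwd_text=SAMPLE_PASSWD):
    """Run both checks; an empty result means the host matches the baseline."""
    return {
        "listeners": unexpected_listeners(ss_output),
        "accounts": interactive_system_accounts(passwd_text),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section, "OK" if not items else items)
```

On a real host, feed the functions the output of `ss -H -tulnp` and the contents of `/etc/passwd`; a non-empty result is a drift from the standard build and, under the 30-day rebuild policy described above, a signal that the image itself needs correcting rather than the host being patched in place.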

Database storage-area-network (SAN) cluster. eSkill databases are stored on a fully redundant SAN. Drives are configured with RAID for all tiers of storage, and each segment of data has, at a minimum, two standby drives that are used automatically in the event of a drive failure. Database servers use N+1 clustering to prevent downtime in the event of a server failure.

Centralized logging. Events from all systems are collected and aggregated, and alerts are sent, via a centralized log collection engine (SIEM) that is monitored by eSkill’s Security Operations Center.

Standard change control process. All changes to any part of eSkill Assessment Platform’s infrastructure must pass a strict Change Control Process to ensure best practices and minimal service interruption for our clients.

Security information and event management. eSkill receives real-time alerts for a variety of activities that may indicate malicious activity.
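The log aggregation paragraph in Network Security and the two SIEM items above describe alarms raised for "events that warrant immediate attention" and "activities that may indicate malicious activity". Below is an added example of one such correlation rule, written here to illustrate the idea and not taken from eSkill’s SIEM: it walks sshd-style authentication lines and raises an alarm when a single source accumulates a threshold of failed logins inside a time window, and a higher-severity alarm if that same source then logs in successfully. The log format, the threshold, the window and every log line are constructed.

```python
"""SIEM-style correlation over constructed sshd auth lines.
Added example; format, thresholds and sample data are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
THRESHOLD = 5      # failures from one source ...
WINDOW = 300       # ... within this many seconds


def parse(line):
    """Return a dict for a password auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines):
    """Sliding-window rule: THRESHOLD failures per source within WINDOW seconds
    raises 'brute-force'; a success after that raises 'brute-force-success'."""
    failures = defaultdict(deque)   # src -> timestamps of failures still in the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > WINDOW:
            recent.popleft()         # expire failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == THRESHOLD:   # fire once when the threshold is crossed
                alerts.append(alert("brute-force", ev, len(recent)))
        else:
            if len(recent) >= THRESHOLD:   # success preceded by a burst of failures
                alerts.append(alert("brute-force-success", ev, len(recent)))
            recent.clear()
    return alerts


def alert(rule, ev, failures):
    return {"rule": rule, "src": ev["src"], "host": ev["host"], "user": ev["user"],
            "at": ev["ts"].isoformat(), "failures": failures}


# Constructed sample: a burst from 203.0.113.7 that ends in a successful login,
# a benign typo-then-success from 198.51.100.4, and an unrelated session line.
SAMPLE_LINES = """\
2024-03-01T02:14:05 web-01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T02:14:09 web-01 sshd[813]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T02:14:14 web-01 sshd[814]: Failed password for deploy from 203.0.113.7 port 51024 ssh2
2024-03-01T02:14:20 web-01 sshd[815]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
2024-03-01T02:14:27 web-01 sshd[816]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
2024-03-01T02:14:33 web-01 sshd[817]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
2024-03-01T02:14:41 web-01 sshd[818]: Accepted password for deploy from 203.0.113.7 port 51028 ssh2
2024-03-01T02:20:02 web-01 sshd[901]: Failed password for carol from 198.51.100.4 port 40111 ssh2
2024-03-01T02:20:15 web-01 sshd[902]: Accepted password for carol from 198.51.100.4 port 40112 ssh2
2024-03-01T03:00:00 web-01 sshd[950]: pam_unix(sshd:session): session opened for user carol
""".splitlines()


def run_sample():
    return correlate(SAMPLE_LINES)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The 'brute-force' alarm fires once, at the fifth failure, rather than on every later failure, and the success-after-burst alarm is the one that warrants immediate attention, since it indicates the guessing may have worked.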


Vulnerability Management

eSkill Assessment Platform regularly tests application code and scans the network and systems for security vulnerabilities. Third-party assessments are also conducted regularly (see table of audits and scans above), including:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Continuous integrated application security testing of each release
  • 24×7 advanced scanning of all services
  • Security control framework review and testing

eSkill Personnel

Background checks are performed on all candidates before hiring, including screening of education, past employment, criminal record, and other checks (depending on requirements and local laws).

eSkill Assessment Platform personnel are provided training regularly on security policies and procedures, including company policies and procedures, corporate ethics and business standards, and secure development training based on OWASP. Completion of security training is tied to system access.

To ensure that personnel’s knowledge of company security policies and procedures is current, regular updates are released and periodic performance appraisals are performed.


Disaster Recovery

Disaster Recovery, Business Continuity and Incident Response

eSkill maintains a comprehensive continuity of operations strategy complete with tactical playbooks for Disaster Recovery, Business Continuity and Incident Response.

eSkill Assessment Platform uses a high-availability architecture to ensure that, in the event of a failure, service performance continues to meet client expectations.

eSkill Assessment Platform’s services are located at Tier 3+/Tier 4 co-location facilities. These were built using a “fortress” approach so that core services, telecom, and power are diversely supplied to the building and physical access is managed through state-of-the-art technology. These facilities are audited annually by a third-party.

eSkill Assessment Platform also maintains a SOC 2 Type II attestation, which requires the production, maintenance, and testing of a Disaster Recovery Plan (DRP). The current DRP is a formal procedure for recovering the entire application in the alternate data center. The DRP is tabletop-tested annually, and eSkill has also performed disaster simulations that fail the platform over to the secondary data center.

In addition, real-time data replication is performed between the production data center and the disaster recovery center.

Recovery Point Objective (RPO)    10 minutes (24 hours in the event of a total disaster)

Recovery Time Objective (RTO)     2 hours


FUTURE

eSkill Assessment Platform Single-Sign On

eSkill Assessment Platform SAML-based Single Sign-On (SSO) enables client organizations to have a higher degree of control over user ID management and authentication policy.

eSkill Assessment Platform Web Services (APIs)

eSkill Assessment Platform customers can build real-time connectors to eSkill Assessment Platform to more tightly integrate eSkill systems into their own. Connections are established using TLS and OAuth authentication. For more information, please see https://www.eskill.com/solutions-and-integrations/hr-system-integrations/