Cybersecurity and Data Privacy
One of the most important responsibilities we have in a world that is technology-powered and data-driven is the protection of our technology assets and the information they contain. We have robust policies and practices in cybersecurity and data privacy to protect our assets and those of our clients.
Cybersecurity
The cyber threat landscape is always expanding as connectivity grows between physical and digital systems. Cyber threats can compromise critical information, disrupt operations, undermine national security, and even put lives in jeopardy.
Our clients entrust information to us that is essential to national security and global stability. Because of the importance of this information and its relationship to the overall success of our business, all information owned by or entrusted to Booz Allen must be handled with necessary care.
Our Enterprise Cybersecurity team's work is guided by three strategic priorities: Protect Data & Infrastructure, Manage Cyber Risks to the Business, and Build Operational Excellence and Resiliency. With these in mind, the team fulfills its mission of protecting our firm's data and infrastructure while enabling the firm to adapt for continued business growth and evolving client requirements. In support of the firm's VoLT growth strategy and the anticipated increase in mergers and acquisitions (M&A) activity, we formalized our Enterprise Technology Services and Solutions (ETSS) approach to M&A to align with our refined portfolios for enterprise cybersecurity, business systems, user productivity, and infrastructure and engineering. Through this restructure, we proactively streamlined and refined the focus of our diligence process, placing cybersecurity at the forefront of consideration.
We take steps to ensure suppliers will protect Booz Allen Information and Entrusted Information in compliance with applicable legal, regulatory, and contractual requirements. We include provisions in our supplier agreements incorporating applicable information security requirements, and require our suppliers to confirm their compliance with these requirements. Depending on the nature of the supplier's work and the sensitivity of the Booz Allen Information and Entrusted Information provided to the supplier, we evaluate our suppliers compliance with information security requirements using internal and third party resources.
Our cybersecurity program is designed to protect assets such as our networks and data centers and the information they store. We monitor industry best practices, conduct third-party audits, and regularly update our people with trainings, awareness building, and state-of-the-art tools.
All employees are required to participate in annual information security training on a variety of topics including data privacy, phishing, and other emerging issues. We offer additional training, depending on an employee's job function, to make sure they are equipped to respond in a rapidly evolving cyberthreat landscape. We also work closely across functions to share information proactively including close coordination with our supply chain, insider threats team, and others.
Given the highly sensitive nature of much of our client work, we prioritize these efforts to make sure our people, suppliers, and clients are using tools and best practices that protect our networks, systems, and data assets.
Why Space Matters for National Security
Preserving national security is the mission that matters to Vice President Ginny Cevasco—and the one that has fueled her STEM career.
She and her teams accelerate the deployment of new capabilities in space—building more flexible, open systems for intelligence community clients where new technologies can be dropped in as quickly and easily as apps on a smartphone.
Learn more about Ginny- Our operations are aligned with NIST 800-171
- Approximately 67% of our people hold security clearances
- Nearly 6,400 of our people hold one or more cybersecurity certifications
Data Privacy
Globally, regulations have advanced the need to consider privacy rights and practices in all aspects of our work. Beyond applicable regulatory requirements, we carefully assess the impact our work has on individuals and strive to use information in proportional and appropriate ways. To do this, we perform privacy impact analysis, privacy risk management, privacy reviews, and utilize data transfer agreements to protect the information we collect. We review sector-specific Health Insurance Portability and Accountability Act (HIPAA) requirements, regional regulations, and industry best practices so that we are sufficiently prepared to handle any type of personal information required by our clients' missions.
We actively participate in the legal, ethics, and compliance organizations to stay ahead of the most recent and relevant privacy requirements and trends. We engage third parties to assess our data privacy program periodically, and we make program improvements based on their feedback.
All our people receive training on handling of personal data and for certain jobs where it is needed, we provide training on regulated data types and best practices.
We believe in using personal data for a legally permissible and specified purpose and only for as long as necessary. Our philosophy is open data use consistent with clear notice and limited to the expectations of the individuals and clients whose data we protect.
Annual Information Security Training
All employees must complete annual information security training. This training covers Information Security Policy content including: labeling and handling different types of data, protecting IT Assets, and security best practices.
Phishing Training
Booz Allen regularly conducts phishing simulations to test employees' ability to identify and report suspicious emails. Booz Allen remains below the industry standard average of 11% of susceptibility to phishing in firmwide campaigns.