Exponent systems and data are protected by a comprehensive Information Security and Data Privacy program detailed in the Exponent Information Security Management System (ISMS) and Privacy Information Management System (PIMS). These programs are operated by dedicated security, privacy, information governance, and compliance professionals. Oversight is provided by the Board of Directors in conjunction with senior leadership. Exponent's Information Security team conducts risk assessments, performs regular risk reviews, and tracks risks using a documented risk-management process.
Exponent's Information Security and Data Privacy programs are certified to the ISO 27001 and ISO 27701 standards. These programs are also aligned with frameworks including the NIST Cybersecurity Framework, NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
Exponent's ISO certificates can be accessed here.
Exponent has established policies that cover:
Acceptable Use Policies
- Remote Access
- Passwords
- Digital Systems Use
- Mobile Device
- Wireless Communication
- Privacy Policy
Security Policies
- Information Security
- Security Incident Reporting
- Data Backup
- Information Sensitivity
- Physical Security and Data Center Operations
- Cloud Services
- Systems Acquisition and Deployment
- Change Management
- Supplier and Third-Party Relations
Access Controls
Access and processing capabilities are limited to authorized users and authorized devices. Each authorized user is assigned a unique user ID with a complex password, which is required to log in. Passwords must be changed frequently. Two-factor authentication is required for remote access and for access to cloud systems. Administrative functions are performed through separate privileged accounts.
Architecture
Exponent follows best practice for the deployment and maintenance of its systems and for data maintained within Exponent datacenters and cloud services. Critical data and systems are replicated and backed up to secondary datacenters. Systems are securely designed and are reviewed by the security team before being put into production.
Audit
Exponent's Information Security program is audited both internally and externally on an annual basis. Exponent monitors and audits its security, privacy, and information governance (people, processes, and controls) to ensure compliance with policies and applicable security and privacy standards. Exponent conducts an independent external penetration test annually and regularly scans its external and internal networks for vulnerabilities.
Awareness and Education
Exponent employees, including contractors with Exponent system credentials, complete regularly assigned security awareness training and receive phishing training exercises. Security bulletins and announcements are shared throughout the year to give timely reinforcement reminders for awareness and education.
Business Continuity & Disaster Recovery
Exponent maintains a business continuity & disaster recovery plan that is regularly reviewed and tested. Exponent continuity and recovery considerations include the use of high availability systems, backup services, data replication, and redundant datacenters.
Data Controls
Data is encrypted at rest and in transit, logically separated, and access is granted to authorized users only. File monitoring systems log and monitor access to data while data loss prevention systems monitor the movement of data inside and outside of Exponent.
Data Privacy
Exponent is committed to the protection and privacy of data. The protection and management of data entrusted to us is one of our highest priorities. Exponent follows a least-privilege access model and regularly audits individuals' access to data. Exponent respects individuals' right to privacy, and we are consistently working to remain compliant with privacy regulations. Our Privacy Policy can be viewed here.
Endpoint Security
Workstations and mobile devices are encrypted with whole-disk encryption and require a password, PIN, or biometrics to access. Workstation inventories, software deployment, and security policies are controlled through enterprise configuration management. Workstations, mobile devices, and servers must be registered with Exponent's device management system. Workstations and servers are protected with advanced endpoint protection, which uses AI to assist in combating threats. IT equipment in Exponent offices is physically secured.
Incident Response
Exponent's security incident response plan dictates that security events be evaluated and escalated when appropriate. A security information and event management (SIEM) system maintains and analyzes security logs. This system is monitored 24x7. Logs are regularly analyzed for suspicious activity and unusual behavior by dedicated security personnel. Memberships with legal, cyber and peer organizations are in place to facilitate timely intelligence sharing and response activities. Exponent maintains a close working relationship with its vendors, law enforcement and managed security services providers for additional threat intelligence, analysis and response.
Perimeter Security
Exponent protects data, servers, and endpoints on Exponent and public networks using best-of-breed security controls. These controls include next-generation firewalls, next-generation anti-virus/anti-malware, web security, email security, and intrusion detection systems. Together they allow Exponent to block malicious network attacks, block access to suspicious or malicious sites, stop malicious emails or attachments, and mitigate zero-day attacks.
Vendor Management
Exponent assesses potential vendors against a series of criteria to ensure appropriate security standards before granting a vendor system access or placing systems into operation. Contracts and data processing agreements are reviewed by the Information Security, Privacy and Legal teams before execution. The security posture of key vendors is reviewed on a regular basis.