Compliance

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Managment

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

Global Investment Companies

DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1^st to October 31^st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1^st through April 30^th. 

PRODUCTS & SERVICES COVERED

• Arc Suite
• ArcPro
• Print and Composition Services
• Other Solutions

The GIC SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

Global Capital Markets

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1^st to October 31^st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1^st through April 30^th. 

The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

ActiveDisclosure

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting 

Our SOC 2 Type II audit runs for 6 months with the observation period of May 1^st to October 31^st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1^st through April 30^th. 

PRODUCTS & SERVICES COVERED

• ActiveDisclosure

The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement.

VENUE SOC 2 + HITRUST

DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1^st to November 30^th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1^st through May 31^st. 

PRODUCTS & SERVICES COVERED

• Venue

The VENUE SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 27001 Certification

DFIN has obtained ISO 27001 in 2022 for the Enterprise. 

The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 9001 Certification

DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically. 

PRODUCTS & SERVICES COVERED

• Print
• Manufacturing

The ISO 9001 certification is available to current clients and prospective clients under a signed non-disclosure agreement.

Security Review Questionnaires

DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes. 

PRODUCTS & SERVICES COVERED

• Venue
• ActiveDisclosure
• Arc Suite
• Section 16, Form 144, Schedule 13D & 13G
• Print and Composition

SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment.

Cloud Security Alliance CAIQ and STAR Registry

As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered. 

PRODUCTS & SERVICES COVERED

• CAIQ completed for enterprise

The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment.

Bridge Letter for SOC 2 Attestation

DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. 

PRODUCTS & SERVICES COVERED 
 

• GCM SOC 2 Report
• GIC SOC 2 Report
• ActiveDisclosure SOC 2 Report
• Venue SOC 2 Report

Bridge letters are available to current and prospective clients under a signed non-disclosure agreement.