Compliance

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Managment

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

Global Investment Companies

DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.

PRODUCTS & SERVICES COVERED

• ARC Suite
• ARC Pro
• Print and Composition Services
• Other Solutions

Global Capital Markets

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.

The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

New ActiveDisclosure

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s New ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting

Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

• New AD

eBrevia

DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.

PRODUCTS & SERVICES COVERED

• eBrevia

VENUE SOC 2 + HITRUST

DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1^st through October 31^st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1^st through April 30^th.

PRODUCTS & SERVICES COVERED

• Venue

ISO 27001 Certification

DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.

PRODUCTS & SERVICES COVERED

• Venue

ISO 9001 Certification

DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.

PRODUCTS & SERVICES COVERED

• Print
• Manufacturing

Security Review Questionnaires

DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.

PRODUCTS & SERVICES COVERED

• Venue
• ActiveDisclosure
• ARC Products
• eBrevia
• File16
• Print and Composition

Cloud Security Alliance CAIQ and STAR Registry

As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.

PRODUCTS & SERVICES COVERED

• CAIQ completed for enterprise

Bridge Letter for SOC 2 Attestation

DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:

To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:

• The description of controls within the DFIN SOC 2 audit report dated December 15, 2021, presents fairly, in all material respects, the aspects of our controls that may be relevant to a user organization's internal control.
• The controls contained within the SOC 2 Type II report achieve the specified control objectives.
• All controls within this report were in place from January 1, 2021, to April 30, 2021, and have remains in place from November 1, 2021 to the date of this letter.
• There have been no known illegal acts, fraud, or uncorrected errors that may have affect management or employees relevant to the SOC 2 audit, within the reporting period.
• We have disclosed all instances in which we are aware that controls have not operated with sufficient effectiveness to achieve the specified control objectives.
• No significant changes have been made to the controls from November 1, 2021, through the date of this letter.

• GCM SOC 2 Report
• GIC SOC 2 Report
• New ActiveDisclosure SOC 2 Report
• VENUE SOC 2 Report
• eBrevia SOC 2 Report