AAP 2022 Corporate Sustainability & Social Report

CYBER SECURITY & DATA PRIVACY

DATA SECURITY

We believe that the integrity of our technological infrastructure and our ability to mitigate threats to systems that power our operations and from vulnerabilities of third parties with whom we do business is a source of significant value to our business. As part of our strategic transformation, we continue to enhance enterprise-wide cyber security and data management practices. We evaluate the maturity and ongoing enhancements of our work using the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Our security operations function provides 24/7 monitoring across all information assets, which include our privately hosted data centers, cloud-hosted services, all internet-facing resources, distribution centers and all corporate-hosted desktops and laptops. We take a cross-banner approach, leveraging both technological tools and operational procedures, to identify vulnerabilities in information systems that pose a data security risk. We also comprehensively train our team members at least annually using a variety of methods to increase security awareness enterprise-wide.

In addition, we highly value the data and privacy of our team members, customers, our business and those with whom we do business. We adhere to fair information principles and address data privacy risks through the leadership of a cross-functional data privacy team, comprising leaders in information security, information technology and legal/compliance. We conducted a cross-functional and multi-pronged risk assessment to understand where we have improvement opportunities so we can embed privacy into the design of our systems and business processes. We developed strategic and tactical playbooks to outline our response in the event of a cyber security incident that involved the compromise of personal information. We also have implemented processes to comply with emerging state privacy laws such as the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) and others that become effective in 2023. The Audit Committee of our Board oversees, and regularly receives updates regarding, cybersecurity and data privacy matters.

THIRD PARTIES

We expect those with whom we do business to adhere to our standards for responsible and ethical business practices. Our Supplier Code of Conduct, which was released in May 2022, sets out the expectations we have for our suppliers in many areas, including human rights, bribery and corruption, conflicts of interest, information security, trade compliance and reporting concerns. This Code was highlighted at our 2022 Partner Summit. We created a third-party risk framework that we piloted with third parties that pose privacy or cyber risks. We maintain programs designed to identify, evaluate and address potential human rights and environmental issues with our direct import suppliers. We maintain policies that govern our selection of third parties with whom we do business to help us assess the alignment of those parties to our standards for ethical and compliant behavior and help us mitigate the risks of working with third parties. In addition to screening processes for new international and private label suppliers, we conduct regular audits of existing suppliers to identify and evaluate environmental practices, labor practices, working conditions and records on human rights matters.


2022 ADVANCE AUTO PARTS CORPORATE SUSTAINABILITY AND SOCIAL REPORT | 57
