Information Security

Yes. VSP has a dedicated Office of Information Security which is responsible for the administration of our Security and Information Protection Plan (SIPP), and related corporate policies.

VSP's Chief Information Security Officer (CISO) provides the senior leadership for the Office of Information Security.

The Office of Information Security is responsible for cyber operations which includes incident response, identity and access management, vulnerability management, and endpoint protection. It also oversees security governance, risk and compliance (including information security risk management), security audit and compliance, and security policy governance. Finally, the Office of Information Security provides security architecture expertise including guidance regarding security standards, requirements, and program direction.

VSP is committed to safeguarding the confidentiality, integrity, and availability of client and member data. To do this, VSP has information security policies that are documented in three collections: the SIPP, relevant sections of the Employee Handbook, and VSP’s ISO/IEC 27001:2013 Policies. Together, these resources provide the needed information, standards, and guidance for interested parties at all levels, from end users to third-party auditors.

No. To reduce the risk profile of your data, you can provide unique identification numbers in lieu of employee Social Security numbers.

VSP leverages third-party service providers for the delivery of ancillary services when it improves operations efficiency (e.g., we leverage a domestic partner to scan paper claims, store physical records, host our disaster recovery solution, host cloud-based applications, etc.). Such providers are carefully vetted by our Office of Information Security team to ensure that the confidentiality, integrity, and availability of any client and member data they process, store, or transmit is appropriately protected.

VSP recognizes that members want the freedom and flexibility to use their vision care benefits when it’s convenient for them. That’s why the member portal on VSP.com was developed – to provide access to the information members and their VSP Network Providers need to manage the patient’s vision care. VSP protects the availability of this information by maintaining an industry-leading business continuity plan committed to: protecting against service interruptions, providing appropriate redundancy to support disaster recovery, and ensuring VSP Network Providers are supported in providing members with care when they need it. VSP also has member service centers in Ohio and California that provide personalized call-center support for members needing an explanation of their benefits, help locating a VSP Network Provider, or who have any other questions.

VSP has implemented many security features on vsp.com to protect member and client information. Members connect through an encrypted connection using appropriate encryption standards, and no member or client data resides on the webserver. The code used to develop the website is dynamically tested for security flaws, and the systems used to provide the website are periodically subject to vulnerability testing and patched regularly to address any vulnerabilities that are identified.