Keeping our clients' data secure, private and confidential is one of our top priorities.
Set out on this page are the administrative, technical and physical safeguards ("controls") that Informa D&B applies to protect customer information. Informa D&B updates these controls periodically to reflect changes in its security stance, with the aim of continually improving the effectiveness of these controls. These controls form part of Informa D&B's agreements ("agreement") with its customers and are appropriately designed to protect, in accordance with the laws applicable to the provision of services, the confidentiality, integrity and availability of customer information against foreseen or real threats or dangers; against unauthorised or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage. Informa D&B also maintains security policies, standards and procedures designed to safeguard the processing of customer information by Informa D&B employees and subcontractors in accordance with these controls.
Informa D&B's control environment reflects the general stance, awareness and actions of the Company's governance, management and employees regarding the importance of controls and their emphasis within the organisation. The control environment at Informa D&B starts at the highest level of the Company. Executive and senior leadership play an important role in establishing the Company's core values, as well as defining its guiding principles.
Informa D&B strongly values its relationships and the trust of its customers and partners. In today's high-tech environment, we understand that an easily adaptable and agile security programme is vital to the integrity of our business, and the privacy and security of confidential and proprietary data is one of our highest priorities. We evaluate and develop our security, availability and confidentiality controls to keep up-to-date with the current threat landscape. Informa D&B's control environment represents the collective effort and effect of many factors on the establishment, improvement or effectiveness of specific risk mitigation controls.
Informa D&B has appointed a chief information security officer (CISO), who oversees our global information security programme. The global security and risk team works in line with the business across the company, providing a corporate-level information security strategy in accordance with the company's objectives. The aim is to minimise the likelihood and impact of attacks and security incidents on our information assets and those of our clients and third parties.
Informa D&B is committed to the security and confidentiality of our customers when they use our products and services. Informa D&B is also certified annually to the ISO/IEC 27001 Information Security Management Systems (ISMS) standard.
Informa D&B follows the best information classification practices, using the following labels: "public", "internal use", "commercial confidential" and "confidential". The data thus classified is content that Informa D&B acquires, processes, analyses and offers in products for customers to use as a solution to their business needs. The purpose of using this data must be understood before it is applied. We protect this data using a combination of preventative and detection technologies, such as encryption and intrusion detection systems. Alongside these security measures, we have adopted policies and procedures aimed at validating and enforcing our security controls. Access to this data is restricted to authorised personnel through physical and logical access controls.
The members and activities of the global security and risk team fall under the following domains and controls:
At Informa D&B, security is everyone's responsibility, and we realise that it all starts with our employees. We start by carrying out background checks on employees when they are hired. From the outset, our employees receive tailor-made safety training, and annually thereafter. Throughout each year, we continue to share and reinforce communication about best safety practices to keep our employees up to date on the latest trends.
Policies, standards, procedures and guidelines are a critical component of governance at Informa D&B. They provide the structure and rules around which the organisation operates. Policies are reviewed with those responsible to ensure alignment with the Company's objectives and ongoing suitability and effectiveness.
This practice allows for alignment with the various regulations and improves our ability to deal with the security threats we may face. The set of policies is based on external frameworks on cybersecurity standards and aligns with other elements that should be considered, such as the 27000 family of information technology standards from the International Organisation for Standardisation and International Electrotechnical Commission (ISO/IEC).
Revised policies are published in an internal Company repository, after approval, so that employees can easily access them from their workstations. Significant changes to policies are communicated, as necessary, through meetings, e-mails, presentations, the Company's intranet, and/or through Company-wide communications.
In addition to our policies, we also maintain compliance processes for processing protected data in order to fulfil applicable legal, regulatory, contractual and security requirements.
The access rights and privileges required to fulfil a user's task are granted according to:
Authorised users must authenticate themselves on the network, applications and platforms using their user ID and password. Authentication of users and devices in information systems is done by passwords, which fulfil Informa D&B's password complexity requirements.
Upon termination of employment, access to products and systems is revoked.
Network connections are protected using a combination of security controls to protect data and systems. These controls are based on the type and purpose of the connection and include, but are not limited to, network segmentation, the use of firewalls and other security devices, and appropriate authentication mechanisms.
Access to information available through the network is controlled in order to prevent and detect unauthorised access, while providing secure user access to authorised systems. Network activities and traffic are recorded and logs stored, and industry- or supplier-specific collection mechanisms are used.
The devices deployed on the Informa D&B network are configured to meet security requirements, taking into account their specific objectives (internal, externally oriented, demilitarised). Non-essential network services are disabled or removed.
Direct public access via public networks (e.g. Internet) to any Informa D&B internal network is restricted. Incoming and outgoing traffic from untrusted networks (including external wireless links or guests) and hosts is restricted.
The connection of a new network to Company or commercial system networks, located within the Company, or to a data center, follows best international practices.
Sensitive information is not transmitted over the Internet or other public communication routes unless it is encrypted in transit. Data files are encrypted using encrypted Transport Layer Security (TLS) for web communication sessions.
Informa D&B uses encryption key management procedures to help ensure the secure generation, storage, distribution and destruction of encryption keys.
Informa D&B investigates incidents related to security, availability, confidentiality and privacy in a timely and coordinated manner, and responds to any actual or suspected breach of the security of Informa D&B's information systems, while complying with applicable laws and regulations. Informa D&B carries out security exercises, simulating real scenarios, at least once a year.
Informa D&B has developed and maintains practices that establish the classification and prioritisation of information security incidents, based on the severity of the incident and the sensitivity of the systems and data affected. To support these efforts, Informa D&B has implemented and monitors alerts from various tools, which ensure effective detection.
There are monitoring tools whose purpose is to measure current use against predefined thresholds and generate alerts to notify application and infrastructure support teams when said thresholds are exceeded. Alerts are reviewed to determine whether corrective action is required. If additional means of information are required to respond to utilisation needs, these will be implemented in accordance with formal asset management and change management policies.
The audit log systems are configured to record significant activities and events relevant to information security in Informa D&B's systems.
Servers, workstations and mobile devices are monitored using specific agents, e.g. inventory discovery. Data on laptops is protected by encryption. Anti-malware software is applied and maintained on platforms that are likely to be compromised. The use of removable electronic media is restricted.
Configuration standards are developed and reviewed annually. Security reviews are carried out periodically to ensure compliance, taking into account supplier recommendations and industry best practices.
The security of Informa D&B's software and applications is assessed through a vulnerability management programme and governed by the secure development policy and standards.
Based on the application's risk classification, the software undergoes the applicable reviews and tests, including design reviews and static application security tests (SAST). The results of the tests are captured and analysed using an appropriate application security management system.
Informa D&B has applied a vulnerability management procedure to continuously monitor vulnerabilities that are detected by suppliers, reported by researchers or discovered internally through vulnerability scans or Red Team activities.
Vulnerabilities are documented and categorised by level of severity, considering the foreseeable probability and impact. Informa D&B assigns the appropriate team(s) to carry out the correction and monitor the process until resolution, as necessary. Critical vulnerabilities should be resolved immediately; high severity vulnerabilities should be resolved in the short term; medium severity vulnerabilities in the medium term; and mitigation plans should be accompanied by a residual risk management process.
New employees complete security training, code of conduct and privacy training as part of the onboarding process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Informa D&B's Security Policies, as well as other Company policies such as the Code of Conduct and privacy policies and procedures. Informa D&B periodically carries out security awareness campaigns and specific tests to make its employees aware of their responsibilities and provide guidance on creating and maintaining a safe workplace.
This process follows a global framework defined for supply, and for the risk management lifecycle, at the moments of selection, utilisation, monitoring and termination of the relationship. Rules are established for establishing security and due diligence requirements (which include compliance, privacy and technology) for third parties (including our suppliers and business partners) operating with Informa D&B. These entities must follow the guidelines of our policies, comply with our standards and apply our information security procedures to the service being provided.
Through ongoing assessments, we identify potential threats and their impact on the business and develop appropriate mitigation plans. Our business continuity and disaster recovery strategies and plans are designed to respond to the most typical events, whether natural or not, such as natural disasters or man-made disasters. The plans follow industry best practice and are specifically aligned with the principles of ISO/IEC 22301:2012 (Business Continuity Management System).
Our physical security standards are designed to restrict unauthorised physical access to data centre resources. Company systems and network infrastructure components are physically located in controlled access areas. Control measures can include: limited access points, access readers, access monitored by surveillance cameras, limiting access to authorised personnel.
The use of our hosted data centre providers means that the identification, detection and protection of physical and environmental threats (infrastructure, data and software) are managed through third-party compliance requirements and service level agreements (SLA).