Informa D&B S.A.U. (S.M.E.)'s business processes depend to a large extent on information systems and the information they store. The mission of the Information Security Policy is to establish the company's general information quality and security guidelines, in addition to protecting its information assets.
These guidelines include the adoption of administrative, technical, physical, organisational and standard security measures. These measures have been reasonably designed to protect and enhance the company's information systems and its customers' information against internal or external, deliberate or accidental threats, and to ensure the quality, confidentiality, integrity, availability and legality of information.
Informa D&B S.A.U. (S.M.E.) highly values its customers' relationships and trust. In today's technological environment, we understand that an adaptable and agile security programme is vital to our business integrity, and the privacy and security of confidential data is one of our top priorities. We evaluate and evolve our security measures to keep pace with the current threat landscape. Informa D&B S.A.U. (S.M.E.) may periodically update these security measures to reflect such changes, provided that the updates do not materially reduce the level of security and serve to improve the effectiveness of specific risk mitigation measures.
Informa D&B S.A.U. (S.M.E.)'s Security Policy is based both on the good-practice recommendations that guarantee security in the management of information systems and on the applicable legislation in force, and is certified annually under the ISO/IEC 27001:2013 standard for Information Security Management Systems (ISMS) for our locations in Madrid.
Informa D&B S.A.U. (S.M.E.)'s Security Policy reflects the general commitment, awareness and actions of the company's Management, extending all the way down to its employees. At Informa D&B S.A.U. (S.M.E.), we understand that security is everyone's responsibility.
From their first day, our employees are welcomed with a security guide, the Security Manual, which sets out the requirements and conditions that are mandatory for all Informa D&B S.A.U. (S.M.E.) employees; each employee signs a commitment to comply with it. All employees receive monthly tips, news and relevant updates on security matters.
Informa D&B S.A.U. (S.M.E.) has appointed a Group Global CISO who, together with the Information Security Department, supervises information security globally through our Master Security Plan and all security programmes. The Security team works with business lines across the enterprise, providing an enterprise-wide information security strategy that supports business objectives and minimises the likelihood and impact of attacks and security incidents on our information assets and those of our customers.
Policies, procedures and instructions are critical to the management of Informa D&B S.A.U. (S.M.E.). They provide the structure and rules within which the organisation operates. The Security Section reviews policies with the other Departments to ensure alignment with business objectives and their continued suitability, appropriateness and effectiveness.
This approach aligns more closely with the applicable regulations and enhances our ability to address security threats. The set of policies references external cyber security frameworks and incorporates elements from them as appropriate, including alignment with the ISO/IEC 27000 family of information technology security standards published by the International Organisation for Standardisation and the International Electrotechnical Commission.
Revised Informa D&B S.A.U. (S.M.E.) policies are posted on the company's intranet after their approval so that employees can easily access them from their computers. Significant policy changes are communicated as necessary through meetings, emails, presentations, the company intranet and/or company-wide communications.
In response to a new technological environment in which IT and communications converge and enable a new productivity paradigm for businesses, Informa D&B S.A.U. (S.M.E.) is firmly committed to providing a competitive service through its information services and through the creation of databases of economic, financial and marketing information on businesses and entrepreneurs. This is done in a quality environment in which the application of good security practices is a fundamental pillar for achieving the confidentiality, integrity, availability and legality objectives of all the information managed.
Consequently, Informa D&B S.A.U. (S.M.E.) assumes the following commitments as part of the Information Security Management System (ISMS) application structure:
Therefore, the following information security objectives are established:
Members and activities of the Security team are structured within a framework consisting of the following guidelines:
Informa D&B S.A.U. (S.M.E.) performs two types of security risk analysis to evaluate and define the level of risk, identifying the potential threats and vulnerabilities to which its assets are exposed. These analyses are based on the identified assets and on scenarios, following the COBIT methodology and the general principles of ISO 31000.
Based on the good practices recommendations that guarantee Security in information systems' management (international standards ISO 27001),
For the development of both analyses, the following actions are performed:
If a risk exceeds the accepted risk level (the risk threshold), measures to counteract it are established in a Risk Treatment Plan.
The Management of Informa D&B S.A.U. (S.M.E.) is committed to the definition, development, implementation and review of the management system, taking an active part in the system's review and monitoring tasks, among which the following should be highlighted:
The Human Resources Department is fully committed to security, ensuring that employees, contractors and third parties:
Informa D&B S.A.U. (S.M.E.) periodically carries out an asset inventory, identifies the associated risks and defines the appropriate protection responsibilities. This includes ensuring that information receives protection appropriate to its importance and preventing the unauthorised disclosure, modification, deletion or destruction of information stored on media.
The Security Section reviews and standardises third-party software before it is installed on user equipment, to ensure that it complies with security best practices.
At Informa D&B S.A.U. (S.M.E.), the assets handed over to employees are inventoried: the assignment is recorded when an asset is handed over, and the inventory is updated when it is returned, whether due to a change of role or the end of the employee's service.
This includes the Clean Desk Policy, the use of photocopiers and printers and storage media handling.
Confidential information is not transmitted via the Internet or other public communications networks unless it is encrypted in transit. Web communication sessions are protected with Transport Layer Security (TLS) encryption.
Whenever applicable, all distributed information is labelled according to the Traffic Light Protocol (TLP) to guarantee that our information is distributed to third parties only as intended.
In general, Informa D&B S.A.U. (S.M.E.) uses its own SFTP channels for data transmission, and may adapt to the needs of a third party provided that the third party's channel is no less secure than the one we offer.
Where required by applicable law and in accordance with our data classification standards, encryption at rest is used. Encryption at rest may also be applied at the request of a third party, according to the classification of the information and with the tools available.
This section covers all information that Informa D&B S.A.U. (S.M.E.) acquires, processes, analyses and offers in products for customers to use as a solution to their business needs.
Information is an essential asset of Informa D&B S.A.U. (S.M.E.) and, as such, it must be adequately protected throughout its life cycle, from its creation to its destruction.
To implement an adequate level of security for the treatment and use of information at Informa D&B S.A.U. (S.M.E.), an information classification system has been established. It categorises information quickly and easily according to its degree of confidentiality, integrity and availability, and it speeds up security-related decision-making. A classification system that adequately reflects the criticality of information has become necessary; it operates according to the following levels:
General rules for the treatment and labelling of information according to its classification:
For proper classification and use, each classification level comprises the following attributes:
Access to this data is restricted to authorised personnel by physical and logical access controls.
Informa D&B S.A.U. (S.M.E.) always defines access rights according to the following principles:
Authorised users must identify and authenticate themselves to the network, applications and platforms using their user ID and password. The authentication of users and devices on the information systems is protected by passwords that comply with Informa D&B S.A.U. (S.M.E.)'s password complexity requirements:
Permissions are always granted on the basis of profiles or roles, following analysis, study and design in each system, so that users' access rights and the legal or regulatory protection the information requires are defined by design and by default.
Upon employee termination, access to products and systems is revoked.
Multi-factor authentication is required for remote sessions and certain environments hosting production systems. In addition, higher levels of privileged access to systems, such as Informa D&B S.A.U. (S.M.E.) domain controllers, are controlled by our privileged access management system.
Informa D&B S.A.U. (S.M.E.) has the necessary controls in place to ensure that the organisation's day-to-day activities comply with the physical and environmental security objectives for its facilities.
Our data centre provider manages the identification, detection and protection of physical and environmental threats (to infrastructure, data and software) through third-party compliance requirements and service level agreements. The provider also holds one of the most stringent security certifications in the industry.
These physical controls include an unattended equipment rule, which establishes that:
Network connections are protected by a combination of security controls for the protection of data and systems. These are selected according to the type and purpose of the connection and include, among others, network segmentation, firewalls, IPS, anti-virus on workstations and servers and other security devices, and appropriate authentication mechanisms.
Access to information available through the network is controlled to prevent and detect unauthorised access while providing secure access to authorised users and systems. Network traffic and activities are centrally logged and stored using industry standard or vendor-specific collection mechanisms.
Deployment of new network devices (e.g. routers, switches, firewalls) or network system components follows a formal change management process and is approved by the Technology Operations and Security teams. Devices deployed on the Informa D&B S.A.U. (S.M.E.) network are configured to meet the security requirements of their individual purpose (internal, public, demilitarised).
Direct public access between public networks (e.g. Internet) and any Informa D&B S.A.U. (S.M.E.) internal network is restricted. Traffic, incoming and outgoing, from untrusted networks (including external wireless and guest connections) and hosts is restricted.
The Security team approves the connection of any new network to the existing corporate or business system networks at any enterprise location or data centre; VPN tunnel connections follow the corresponding standard. Remote connections to the corporate network are made over VPN through managed gateways.
Wireless and remote access to external parties is identified, inventoried and managed.
In this section Informa D&B S.A.U. (S.M.E.) covers all activities related to the processing and communication facilities to be used, the way in which any maintenance operation on the systems is carried out, and aspects such as change management and capacity management.
Guidelines for the different environments are defined, and test data is isolated from production data.
Informa D&B S.A.U. (S.M.E.) has a Business Continuity Plan which defines the plan's organisation and responsibilities and considers different risks and scenarios.
This plan includes daily backup copies of all information stored at Informa D&B S.A.U. (S.M.E.).
The plan is tested annually to check its viability; the most recent tests produced a satisfactory result.
Informa D&B S.A.U. (S.M.E.)'s Third Party Compliance process covers a risk management lifecycle and global procurement, defined across the whole relationship: selection, onboarding, monitoring and termination. Rules are established to govern the security and due diligence requirements (including compliance, privacy and technology) for third parties (including our suppliers and global network business partners) doing business with Informa D&B S.A.U. (S.M.E.). Third parties must comply with our Information Security policies, standards and procedures applicable to the service provided.
Informa D&B S.A.U. (S.M.E.) investigates incidents related to security, availability, confidentiality and privacy and responds to any actual or suspected breach of security of Informa D&B S.A.U. (S.M.E.)'s information systems in a timely and coordinated manner while complying with applicable laws and regulations. Informa D&B S.A.U. (S.M.E.) conducts security simulation exercises at least once a year.
Informa D&B S.A.U. (S.M.E.) has developed and maintains practices that establish the classification and prioritisation of information security incidents based on the severity of the incident and the sensitivity of the systems and data affected. To support these efforts, Informa D&B S.A.U. (S.M.E.) has implemented and monitors alerts to provide an effective detection capability.
Audit logs are configured to record significant activities and events related to information security in Informa D&B S.A.U. (S.M.E.) systems.
Changes on information assets and systems are subject to our formal change management review and approval processes prior to any implementation within the production environment.
Informa D&B S.A.U. (S.M.E.) has a vulnerability management programme* to continuously monitor vulnerabilities recognised by suppliers, reported by researchers or discovered internally through various vulnerability scans. These are managed on a risk basis.
Vulnerabilities are documented and classified into severity levels determined by their impact and probability ratings. Informa D&B S.A.U. (S.M.E.) assigns the appropriate teams to perform remediation and tracks progress to resolution as necessary. Critical vulnerabilities are targeted for remediation within 7 days, High severity vulnerabilities within 30 days and Medium severity vulnerabilities within 120 days *.
Informa D&B S.A.U. (S.M.E.) has a User Security Manual accessible from the intranet mandatory for all employees or personnel with access to its systems; it defines the different policies for the responsible use of information assets, equipment provided by the company, external equipment and information storage.
This Manual also includes personal data protection, intellectual property and confidentiality clauses.
All Informa D&B S.A.U. (S.M.E.)'s employees receive cybersecurity training (as necessary and appropriate for their role) throughout the year, as well as on our privacy policies and procedures. Informa D&B S.A.U. (S.M.E.) conducts periodic security awareness campaigns on the different Cybersecurity landscape scenarios to educate, raise awareness and empower staff members on their responsibilities and provide guidance to create and maintain a secure workplace. This awareness is assessed annually to evaluate the degree of acquired knowledge and understanding.
The intranet also hosts a notice board with campaigns covering both professional and personal scenarios, to help staff avoid becoming victims of current threats.