Learn more
Up

Informa D&B S.A.U. (S.M.E.) Information Security Policy

Informa D&B S.A.U. (S.M.E.) Information Security Policy

Introduce aquí tu descripción

Política de seguridad de la información

Introduction

Informa D&B S.A.U. (S.M.E.)'s business processes depend on information systems and the information they store to a large extent. The mission of the Information Security Policy is to establish the company's general information quality and security guidelines aside from protecting information assets.

These guidelines include adopting administrative, technical, physical, organisational and standard security measures. These measures have been reasonably designed to protect and enhance its information systems and its customer's information against internal or external, deliberate or accidental threats and to ensure information quality, confidentiality, integrity, availability and legality.

Informa D&B S.A.U. (S.M.E.) highly values customers' relationships and trust. In today's technological environment, we understand that an adaptable and agile security programme is vital to our business integrity, and confidential data privacy and security is one of our top priorities. We evaluate and make our security measures evolve to keep pace with the current threat landscape. Informa D&B S.A.U. (S.M.E.) may periodically update these security measures to reflect changes, provided that these do not materially reduce the level of security, but rather for the improvement or effectiveness of specific risk mitigation measures.

Informa D&B S.A.U. (S.M.E.)'s Security Policy is based both on the good practices recommendations that guarantee security in information systems management and on the applicable legislation in force, being annually certified under the ISO/IEC 27001:2013 standard for Information Security Management Systems (ISMS) for our locations in Madrid.

Organisation and people

Informa D&B S.A.U. (S.M.E.)'s Security Policy reflects the company's Management general commitment, awareness and actions all the way down to the employees. At Informa D&B S.A.U. (S.M.E.), we understand that security is everyone's responsibility.

From the first day, our employees are welcomed with a security guide, the Security Manual with the requirements and conditions mandatory for all Informa D&B S.A.U. (S.M.E.)'s employees; they sign the conformity commitment. All employees receive monthly tips, news and relevant updated information on security matters.

Informa D&B S.A.U. (S.M.E.) has appointed a Group Global CISO who, together with the Information Security Department, globally supervises information through our Master Security Plan and all security programs. The Security team works with business lines across the enterprise, providing an enterprise-wide information security strategy to support business objectives, minimise the likelihood and impact of attacks and security incidents on our information assets and those of our customers.

Policies and Procedures

Policies, procedures and instructions are critical to Informa D&B S.A.U. (S.M.E.) management. They provide the structure and rules around which the organisation operates. The Security Section reviews policies with the other Departments to ensure alignment with business objectives and their continued suitability, appropriateness and effectiveness.

This approach aligns more with various regulations and enhances our ability to address security threats. The set of policies references external frameworks for cyber security standards and incorporates elements as appropriate, including alignment with the International Organisation for Standardisation and International Electrotechnical Commission (ISO/IEC) of ISO 27000 Family Information Technology Standards.

Revised Informa D&B S.A.U. (S.M.E.) policies are posted, after their approval, on the company's intranet so that employees can easily access the policies from their computers. Significant policies' changes are communicated as necessary through meetings, emails, presentations, the company intranet and/or company global communications.

Objectives and Commitments

In response to a new technological environment where IT and communications converge and facilitate a new productivity paradigm for businesses, Informa D&B S.A.U. (S.M.E.) is firmly committed to providing a competitive service through its information services, as well as the creation of databases of economic, financial and marketing information on businesses and entrepreneurs in a quality environment, where the application of good security practices is a fundamental pillar to achieve the confidentiality, integrity, availability and legality objectives of all the information managed..

Consequently, Informa D&B S.A.U. (S.M.E.) assumes the following commitments as part of the Information Security Management System (ISMS) application structure:

  • To provide resources to implement information security management processes and activities, including internal and external staff awareness on this subject and the corresponding responsibilities so that they contribute to the effectiveness of the ISMS
  • Define the information security management strategy to be followed in line with Informa D&B S.A.U. (S.M.E.)'s policies and strategic objectives.
  • Ensure that the information security management system achieves the expected results.
  • Ensure compliance with all applicable legislation relevant to the ISMS.
  • Promote the continuous ISMS improvement.

Therefore, the following information security objectives are established:

  • The information processed by Informa D&B S.A.U. (S.M.E.) will be disclosed exclusively to authorised persons, after identification, at the authorised time and by the authorised means;
  • The information processed by Informa D&B S.A.U. (S.M.E.) will be complete, accurate and valid;
  • Guarantee the security of the information transmitted within the company and with any external entity;
  • The information processed by Informa D&B S.A.U. (S.M.E.) will be accessible and may be used by authorised and identified users at any time, guaranteeing its permanence in any contingency;
  • Provide training and awareness-raising both to the employees involved and to the interested parties;
  • Ensure that all information security incidents and/or suspected deficiencies are recorded and addressed;
  • Identify information security risks, which will be continuously assessed and monitored and, if possible, reduced;
  • Ensure that business continuity plans are established, maintained and tested.

Informa D&B S.A.U. (S.M.E.) Information Security Policy

Members and activities of the Security team are structured within a framework consisting of the following guidelines:

  • Risk Evaluation
  • Organisation of Information Security
  • Human Resources Security

Assets Management

  • Information Classification
  • Access Management
  • Physical and environmental security
  • Operations and communications security
  • Business Continuity
  • Compliance
  • Detection and response
  • Information security incident management
  • Validation and Testing
  • User Security Manual
  • Employee awareness

Risk Evaluation

Informa D&B S.A.U. (S.M.E.) performs two types of security risk analysis to evaluate and define the risk level, discovering the potential threats and vulnerabilities to which they are exposed. These are based on the identified assets and on scenarios following the COBIT methodology and the general principles of ISO 31000.

Based on the good practices recommendations that guarantee Security in information systems' management (international standards ISO 27001),

For the development of both analyses, the following actions are performed:

  • Identification of the asset/scenario
  • Identification of its criticality
  • Identification of its threats
  • Identification of its impact probability

If a risk's threshold exceeds the accepted risk level, measures will be established to counteract this risk with a Treatment Plan.

Information Security Organisation

Management of Informa D&B S.A.U. (S.M.E.) Management is committed to the definition, development, implementation and review of the management system, taking an active part in the system's reviewing and monitoring tasks, among which the following should be highlighted:

  • Definition and approval of the ISMS objectives and indicators.
  • Definition and approval of the Information Security Policy.
  • Decision on the creation of a Security Committee assigning direct responsibilities to it.
  • Ultimate decision-making, especially if problems or differences of opinion arise that could not be resolved following established security procedures and instructions.

Human Resources Security

The Human Resources Department is fully committed to safety, ensuring that employees, contractors and third parties:

  • Are appropriately selected
  • Ensuring that employees understand their responsibilities, are appropriate to their roles, and can reduce theft, fraud or misuse of resources allocated to employees risks.
  • They know the threats and issues affecting information security and their responsibilities and obligations./li>
  • They leave the organisation or appropriately change jobs.

Assets management

Informa D&B S.A.U. (S.M.E.) periodically carries out an assets inventory, identifies associated risks and defines the appropriate protection responsibilities. This includes ensuring that the information receives adequate protection following its importance and avoiding unauthorised disclosure, modification, elimination or destruction of the information stored in media.

The Security Section standardizes third-party software before it is installed on user equipment to ensure it complies with best security practices.

At Informa D&B S.A.U. (S.M.E.) the assets handed over to employees are inventoried, information on assets is handed over to employees and the return is updated, either due to change or end of services.

This includes the Clean Desk Policy, the use of photocopiers and printers and storage media handling.

Confidential information is not transmitted via the Internet or other public communications unless encrypted in transit. Data files are encrypted for web communication sessions using Transport Layer Security (TLS) encryption.

Whenever applicable, all distributed information follows the Traffic Light Protocol (TLP) to guarantee the correct distribution of our information to third parties.

Generally Informa D&B S.A.U. (S.M.E.). uses its own SFTP channels for data transmission and may adapt to the needs of a third party, provided that its characteristics are not less secure than those offered by us.

Where required by applicable law and in accordance with our data classification standards, encryption at rest is used. This encryption may also be applied at the request of a third party following the classification of information with the tools available

Information Classification

This section covers all information that Informa D&B S.A.U. (S.M.E.) acquires, processes, analyses and offers in products for customers to use as a solution to their business needs.

Information is an essential asset of Informa D&B S.A.U. (S.M.E.) and, as such, it must be adequately protected throughout its life cycle, from its creation to its destruction.

To implement an adequate level of security for the treatment and use of information at Informa D&B S.A.U. (S.M.E.), an information classification system has been established to categorise information according to its degree of confidentiality, integrity and availability in a quick and easy way, and to establish an agility factor in decision-making related to its security. The implementation of an information classification system that adequately reflects its degree of criticality has become necessary; it operates according to the following levels:

  • Reserved information / business secret: The disclosure of this type of information outside the authorised channels could result in serious damage to Informa D&B S.A.U. (S.M.E.) or its interested parties (customers, suppliers, shareholders and employees).
  • Confidential information: All information for which Informa has signed confidentiality agreements with its interested parties. As well as customer information that includes personal data and is processed by Informa D&B S.A.U. (S.M.E.) in its capacity as data processor.
  • Internal use:All information used regularly and exclusively by employees in the routine performance of their activities is not classified as confidential.
  • Public use (unprotected):) Any other information not classified in the previous sections. They do not require special protection.

General rules for the treatment and labelling of information according to its classification:

  • Information shall be classified according to the classification rules, regardless of its medium (physical, electronic or other);;
  • The owner or the person responsible for the creation of the information shall be responsible for the classification of Informa D&B S.A.U. (S.M.E.) information;
  • In all situations where documents with different classification levels are exchanged, the rules corresponding to the highest level shall apply;
  • The change of the classification level of the information can only be made under consultation and with the consent of the person responsible for the information (Reclassification).

For proper classification and use, each classification level comprises the following attributes:

  • Access: access to information limitations
  • Identification: Labelling of information according to its classification
  • Storage: Precautions to take into account when storing information
  • Copies: Control of copies of information in case it is classified as Restricted or Confidential.
  • Disclosure/Distribution: Limitations that may affect information disclosing (e.g. secure transmission channels).
  • Printing: Restrictions applied to the printing of information (including reproduction);
  • Transmission: Measures to be taken to protect information during transmission or transport;
  • Destruction: Precautions to be taken when destroying information.

Access to this data is restricted to authorised personnel by physical and logical access controls.

Access management

Informa D&B S.A.U. (S.M.E.) defines the different accesses always following the following principles:

  • All access is forbidden, unless expressly authorised.
  • Minimum privilege: the privileges of each entity, user or process are reduced to the minimum necessary to fulfil their obligations.
  • Need to know and responsibility to share: privileges are assigned in such a way that entities, users or processes only have access to knowledge of the information required to fulfil their obligations or functions.
  • Capacity to authorise: Only staff with the authority to do so may grant, alter or revoke authorisation for access to resources, in accordance with the criteria established by their manager. Access permissions are regularly reviewed.

Authorised users must identify and authenticate themselves to the network, applications and platforms using their user ID and password. The authentication of users and devices in the information systems is protected by passwords that comply with the password complexity requirements of Informa D&B S.A.U. (S.M.E.):

  • Minimum of 14 characters, and a combination of 3 of the following 4 characteristics: lower case, upper case, numbers or symbols.

  • Expiration of passwords after 90 days

  • Temporary locking after several failed attempts to prevent brute force attacks.

  • The user's name or derivatives thereof shall not be used.

  • No more than one change may be made on the same day.

  • The use of telephone numbers, vehicle registration numbers, birthdays or anniversaries, names of family members, pets, friends, etc. shall be avoided.

Permissions are always based on access by profiles or roles after analysis, study and design in the different systems so that the access rights of users and the necessary legal or regulatory protection of the information are defined from the start and by default.

Upon employee termination, access to products and systems is revoked.

Multi-factor authentication is required for remote sessions and certain environments hosting production systems. In addition, higher levels of privileged access to systems, such as Informa D&B S.A.U. (S.M.E.) domain controllers, are controlled by our privileged access management system.

Physical and environmental security

Informa D&B S.A.U. (S.M.E.) has the necessary controls in place to ensure that the organisation day-to-day activities guarantee compliance with the physical and environmental security objectives in its facilities.

Our data centre provider manages the identification, detection and protection of physical and environmental threats (infrastructure, data and software) through third party compliance requirements and service level agreements. It also has one of the most stringent security certifications in the industry.

Within all these physical controls is the unattended equipment feature which defines that:

  • Work sessions must be closed when the equipment is left unattended.
  • Screen savers on users' computers should be automatically activated upon inactivity, locking the computer.

Operations and communications security

A combination of security controls for the protection of data and systems protects network connections. These are based on the type and purpose of the connection and include, among others, network segmentation, implementation of firewalls, IPS, anti-virus on computers and servers and other security devices, and appropriate authentication mechanisms.

Access to information available through the network is controlled to prevent and detect unauthorised access while providing secure access to authorised users and systems. Network traffic and activities are centrally logged and stored using industry standard or vendor-specific collection mechanisms.

Deployment of new network devices (i.e. routers, switches, firewalls) or network system components follows a formal change management process and is approved by the Technology Operations and Security teams. Devices deployed on the Informa D&B S.A.U. (S.M.E.) network are configured to meet the security requirements for their individual purposes (internal, public, demilitarised).

Direct public access between public networks (e.g. Internet) and any Informa D&B S.A.U. (S.M.E.) internal network is restricted. Traffic, incoming and outgoing, from untrusted networks (including external wireless and guest connections) and hosts is restricted.

The security team approves the connection of a new network to existing corporate or business system networks at any enterprise location or data centre or follows the standard for VPN tunnel connections. Remote connections to the corporate network are accessed via VPN connections through managed gateways.

Wireless and remote access to external parties is identified, inventoried and managed.

In this section Informa D&B S.A.U. (S.M.E.) includes all activities related to the processing and communication means to be followed, the way to carry out any maintenance operation on the systems, and details aspects such as change management and capacity management.

The guidelines for the different environments are set out, isolating test data from production data.

Business continuity and disaster recovery

Informa D&B S.A.U. (S.M.E.) has a Business Continuity Plan which defines the plan's organisation and responsibilities and considers different risks and scenarios.

This plan includes daily backup copies of all stored information at Informa D&B S.A.U. (S.M.E.).

Periodic annual tests are carried out to check its viability, obtaining a satisfactory result in the last tests carried out

Compliance

Informa D&B S.A.U. (S.M.E.)'s Third Party Compliance process covers a risk management lifecycle and global procurement defined throughout the relationship's selection, onboarding, monitoring and termination. The rules are established to govern security and due diligence requirements (including compliance, privacy and technology) for third parties (including our suppliers and global network business partners) doing business with Informa D&B S.A.U. (S.M.E.). Third parties must comply with our Information Security policies, standards and procedures applicable to the service provided.

Detection and response

Informa D&B S.A.U. (S.M.E.) investigates incidents related to security, availability, confidentiality and privacy and responds to any actual or suspected breach of security of Informa D&B S.A.U. (S.M.E.)'s information systems in a timely and coordinated manner while complying with applicable laws and regulations. Informa D&B S.A.U. (S.M.E.) conducts security simulation exercises at least once a year.

Informa D&B S.A.U. (S.M.E.) has developed and maintains practices that establish the classification and prioritisation of information security incidents based on the severity of the incident and the sensitivity of the systems and data affected. To support these efforts, Informa D&B S.A.U. (S.M.E.) has implemented and monitors alerts to provide an effective detection capability.

Audit logs are configured to record significant activities and events related to information security in Informa D&B S.A.U. (S.M.E.) systems.

Validation and Testing

Changes on information assets and systems are subject to our formal change management review and approval processes prior to any implementation within the production environment.

Informa D&B S.A.U. (S.M.E.) has a vulnerability management programme* to continuously monitor vulnerabilities recognised by suppliers, reported by researchers or discovered internally through various vulnerability scans. These are managed on a risk basis.

Vulnerabilities are documented and classified according to severity levels determined by impact and probability classifications. Informa D&B S.A.U. (S.M.E.) assigns the appropriate teams to perform remediation and track progress to resolution as necessary. Critical vulnerabilities are targeted for remediation within 7 days; High severity vulnerabilities within 30 days; Medium severity vulnerabilities within 120 days *.

User Security Manual

Informa D&B S.A.U. (S.M.E.) has a User Security Manual accessible from the intranet mandatory for all employees or personnel with access to its systems; it defines the different policies for the responsible use of information assets, equipment provided by the company, external equipment and information storage.

This Manual also includes Personal Data Protection clauses, intellectual property and confidentiality clauses..

Employee awareness

All Informa D&B S.A.U. (S.M.E.)'s employees receive cybersecurity training (as necessary and appropriate for their role) throughout the year, as well as on our privacy policies and procedures. Informa D&B S.A.U. (S.M.E.) conducts periodic security awareness campaigns on the different Cybersecurity landscape scenarios to educate, raise awareness and empower staff members on their responsibilities and provide guidance to create and maintain a secure workplace. This awareness is assessed annually to evaluate the degree of acquired knowledge and understanding.

On the intranet you have a notice board on different professional and personal campaigns to avoid becoming a victim of current threats.