Version: 1.2
Date adopted: August 09, 2022
Introduction
Each party recognises the importance of maintaining the highest levels of Information Security Management. Confidential Information can exist in many physical and electronic forms, and is subject to many types of human, physical and/or electronic threats when being transmitted, processed and stored.
By each party providing the other party with Confidential Information, it is necessary to define a set of minimum security standard requirements which ensure the continued safe-custodianship of those assets.
This document summarises the minimum technical and organisational controls each party should implement to maintain the security and integrity of Confidential Information in accordance with security industry best practices.
Information Security Standard Requirements
Each party shall employ operational and technological processes and procedures in line with good industry practices to protect against unauthorised use, access, loss, destruction, theft or disclosure of any information provided under the Agreement.
ISO27001
Each party shall be either registered to ISO27001, or have suitable controls in place which are aligned to the standard and demonstrable. If the Client is in the process of working towards the certification and is able to demonstrate progression, the timescale for completion must be agreed with TransUnion.
PCI DSS
If a party is provided with access to Primary Account Numbers or is a Service Provider (in each case as defined by the Payment Card Industry Security Standards Council), it shall ensure that its environment and any subsequent services are provided in a manner which is compliant with the latest version of the Payment Card Industry Data Security Standard (“PCI DSS”). In addition, where applicable, each party must provide the other party with evidence of PCI DSS compliance certification. This must be an Attestation of Compliance (AoC) by a Payment Card Industry Qualified Security Assessor (PCI QSA) or appropriate Self-Assessment documentation that attests to the results of a PCI compliance audit or assessment.
SOC2
Where applicable, SOC 2 compliance reports must be provided to each party as and when requested. This standard is a minimum requirement for those providing SaaS, or considering the use of a SaaS provider.
Information Security Management
Information security management defines and manages controls that an organisation needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities.
Each party shall ensure that the following requirements are met:
- All Confidential Information provided by one party to the other party shall be maintained in a secure manner at all times.
- An organisational security policy exists, which has been endorsed at Board level, setting out commitment to comprehensive and ongoing security, including the physical, technological, logical, organisational and contractual measures set out in subsequent sections of this document. This policy must be reviewed on a regular basis.
- Responsibility for maintaining and reviewing the organisational security policy on an annual basis is clearly allocated.
- Each party shall notify the other of the person, and alternate person, with overall responsibility for Information Security, and the person/alternate (if different) to be used as the point of contact in the event of a security incident.
- Sufficient resources, skills and facilities are allocated in order to meet all security responsibilities.
- Confidential Information must be classified according to its sensitivity.
- Appropriate safeguards must be implemented in order to maintain the security and integrity of personal data as required under Data Protection Legislation.
Human Resources Security
Each party will ensure that the following requirements are met:
- Background and integrity checks (in accordance with good industry practice) shall be carried out on each party’s employees, agents and subcontractors (“staff”) before their initial employment or subsequent move into a job function that would give them the ability to access, use, alter, damage, destroy, copy or disclose any Confidential Information provided by the other party.
- All staff must receive robust initial and ongoing training about their security responsibilities, Data Protection Legislation and other relevant legal obligations.
- All staff must be subject to enforceable obligations of confidentiality (for example, under their contracts of employment, under a contract for services or a separate confidentiality agreement as appropriate).
- Rules and procedures must be in place to withdraw security access privileges for staff not complying with these Minimum Security Standard Requirements.
- Paper disposal procedures must be in place to ensure shredding of any printed materials showing sensitive data.
- Guidelines must be issued to all staff to lock away any confidential items such as portable media or documents when not in use.
- Take appropriate steps to ensure the reliability of staff who have access to personal data. Such steps shall include (but are not necessarily limited to): (i) staff undergoing training in Data Protection Legislation and the care and handling of personal data; (ii) pre-employment screening; and (iii) monitoring staff to ensure that they are adhering to policies on Confidential Information.
- The access rights of all staff with access to information processing system(s) or media containing Confidential Information will be removed immediately upon termination of their employment, contract, or agreement, or adjusted upon change of job function.
Physical and Environmental Security
Each party shall ensure that appropriate secure measures will be implemented, at all premises, including remote working locations, at which that party (or its staff), access, store or otherwise process Confidential Information. Such appropriate measures shall include (to the extent possible and/or practical, depending on the applicable location), the following:
- Current and tested premises intrusion detection and notification systems with assigned and documented alarm procedures.
- Ensure adequate and preventative controls are in place for physical protection against natural disasters, malicious attacks and/or accidents.
- Appropriate egress and ingress controls to ensure only authorised access is permitted for those areas with sensitive or classified information being stored or processed.
- Appropriate entry controls that admit authorised personnel only.
- Issue of keys and codes is restricted only to those who need them for legitimate purposes connected with their duties, with supporting documentation.
- Adequate risk based implementation of security controls for offices, rooms, and facilities.
- Proper visitor management controls in place such as visitor ID tags, escort procedures in order to manage the visitor’s movement within the company; appropriate restrictions on visitor movement, especially to those areas with direct access to printed, screen, physical or logical versions of sensitive information.
- Distinct physical room or rooms for server and communications equipment; issue of keys and codes restricted only to those who need them, with documentation of their issue.
- Asset disposal procedure is defined and followed to ensure all hard drives and media (e.g. tapes, CDs) are cleansed, degaussed or shredded after use so that no remnants of data still exist and/or are recoverable.
- Actively document, implement and communicate a clear desk procedure in line with industry best practice to prevent unauthorised access to sensitive personal and/or confidential information. Clear desk procedures should include regular clear desk audits of all areas that process or store TransUnion data.
Mobile Media
Each party will encrypt all personal data contained in Mobile Media. “Mobile Media” means portable and mobile devices used to store and transport information (including, but not limited to, paper records and magnetic and other electronic media, laptops, computers, mobile phones, memory sticks, PDAs, discs, external hard drives, and magnetic tapes).
Access Control
Each party shall implement the following access control measures in respect of its technical environment:
- Access and type of access to all data/databases/networks/devices enforced based on defined, individual staff/user permissions requiring username and password logon.
- All access permissions set on a least-privilege and need-to-know basis.
- Password/logon controls including complexity, expiry, uniqueness, and lockout to meet best practice standards.
- Procedures to grant/rescind user permissions in line with changes in responsibilities, including termination.
- Servers must follow a secure build standard in line with ISO 27001 requirements and be regularly updated with the latest security patching in accordance with industry best practice.
- Screensaver inactivity lockouts in place on all servers and workstations, as per best practice.
- Display of appropriate security notices as part of the individual user logon process.
- Appropriate levels of activity logging, storage, and review to provide abuse deterrence and to enable forensics in the event of a security breach.
- Distinct logon accounts for individual users of TransUnion Services.
- Obligation to prohibit sharing of logons/passwords.
- Specific responsibility assigned to person or persons to administer user logon accounts, including change of privilege and withdrawal of privilege in the event of user security breach or termination.
Communications and Operations Management
Each party shall ensure that the following requirements are met:
- Protection of all external computer network gateways with appropriate firewalls and current security patches.
- Appropriate vulnerability scanning shall be conducted on external computer network gateways and significant findings remediated accordingly on a regular basis.
- Protection of other external communications access routes (e.g. out of band internet or remote access) with appropriate measures in line with best practice.
- Change control procedures governing amendments to firewall rule bases and other network changes relating to the other party’s Confidential Information.
- Restrictions to remote user access including appropriate user authentication and session encryption.
- Restrictions and procedures to ensure transfer and storage of Confidential Information outside of the logical security perimeter of its network is protected with either a minimum of AES 256-bit digital encryption/authentication or a complex password.
- Appropriate and current antivirus protection measures are in place.
Information Security Incident Management
Each party shall ensure that the following requirements are met:
- Implement the technology and processes necessary to log all appropriate security event information, and monitor its own environment, applications, and processes for actual or potential security intrusions or violations. The log information should be kept for a reasonable amount of time should the logs be required for an investigation.
- Adequate segregation of duties must be in place to maintain the security event information.
- Each party shall notify the other by secure medium of any occurrence of a breach of information security without undue delay upon becoming aware of any such incident. Such notification shall comprise sufficient detail as to allow the other party to ascertain in reasonable detail the magnitude and likely consequence(s) (if any), of any such breach.
- Each party shall notify the other by secure medium of any occurrence of a breach of information security without undue delay upon becoming aware of any such incident, or without undue delay upon becoming aware of circumstances which are reasonably likely to lead to such an incident, with sufficient detail as to allow the other party to ascertain in reasonable detail the magnitude and likely consequences of the security breach.
- The parties shall co-operate with each other and any appropriate third party in respect of a security breach and will provide the available evidence should it be requested from the other party.
Business Continuity Management
Each party shall have an appropriate Business Continuity Management System (including Disaster Recovery) in place that will include a documented Business Continuity Plan and Policy. A Business Continuity Plan (BCP) must be tested and updated on a regular basis to ensure its effectiveness in the event of a disaster and its continuing relevance to the business. There must also be a named individual in place who is responsible for the day-to-day management of Business Continuity.
API Encryption Requirement
If the Client is provided with access to a TransUnion API service, each party shall ensure that its communication with the API is encrypted to a suitable standard in line with industry best practice.