This document contains Private or Internal Use Only Information and should not be shared with third
parties.
Information Security Policy Framework
Revision History

Version | Date | Section | Author | Description
v1.1 | June 2016 | All | ER&C | Added list and definitions of Roles and Responsibilities (Sect 4); added reference to the annual review (Sect 3); added reference to Encryption Policy (Sect 8); added sections on Enforcement and Exceptions
v1.2 | August 2017 | All | ER&C | Added sections for new policies in force (Backup, DB Security, Acceptable Use, Data Destruction)
Private Information, Internal Use Only. Do not share with third parties. Page 2
Table of Contents

Revision History (page 2)
Table of Contents (page 3)
1. Background (page 5)
2. Scope (page 5)
3. Information Security Policy and Guidelines (page 5)
4. Roles and Responsibilities (page 5)
5. Information Security Education and Awareness (page 7)
6. Acceptable Use (page 7)
7. Data Classification (page 8)
8. Workforce Information Handling (page 8)
9. Asset Management (page 8)
10. Identity and Access Management (page 8)
11. Database Security (page 9)
12. Encryption (page 9)
13. Physical Security (page 9)
14. Software Use and Virus Protection (page 10)
15. Security Logging and Monitoring (page 10)
16. Configuration Management (page 10)
17. Vulnerability and Patch Management (page 10)
18. Risk Management (page 11)
19. Incident Management (page 11)
20. Network Security (page 11)
21. Firewall Management Policy (page 11)
22. External Connection Authorization (page 12)
23. Cloud Services Security (page 12)
24. Wireless Networking (page 12)
25. Secure Development (page 12)
26. Vendor Risk Management (page 13)
27. Mobile Communications (page 13)
28. Data Storage and Archiving (page 13)
29. Data Destruction and Disposal (page 13)
30. Business Continuity Management (page 14)
31. Backup Management (page 14)
32. Policy for Acceptance of Credit Card Payments (page 14)
33. Bring Your Own Device (BYOD) Policy (page 14)
1. Background
The Verisk Analytics Information Security Policy Framework defines the fundamental principles for the
protection of firm-wide information resources and the controls needed to ensure compliance with
internal and external regulations and to uphold Verisk Analytics’ reputation with our clients. All Verisk
Analytics employees, contractors and third parties are responsible for ensuring compliance with the
Information Security Policy.
2. Scope
This Information Security Policy Framework and all related security documents apply to all employees
(full and part-time) and contractors of Verisk Analytics and its member companies. In addition, this
policy applies to all Verisk Analytics information regardless of the location where it is received,
developed, stored and/or accessed. This includes information that is physical, electronic, and
processed and stored by Verisk managed processing facilities as well as vendor and cloud-based
service providers.
3. Information Security Policy and Guidelines
Verisk’s information security policies are subject to review on an annual basis by the respective
members of Enterprise Risk & Compliance designated as policy owners. These policies are also
subject to review after any major change to the organization or infrastructure environment. The
objective of the assessment is to address the development, implementation, maintenance and
dissemination of this Framework and its associated Policies.
4. Roles and Responsibilities

Role: SVP of Enterprise Risk & Compliance
Responsibilities: Collaborates with all Verisk operating and functional units to implement and deliver effective and appropriate compliance and risk-mitigation services. The SVP of Enterprise Risk & Compliance chairs and provides leadership of the enterprise-wide Compliance and Security Councils.

Role: Enterprise Risk Management Committee (ERMC)
Responsibilities: The ERMC provides guidance and authority related to the enforcement of Verisk’s enterprise-wide risk management framework and Enterprise Risk & Compliance function, including the strategies, policies, procedures, processes, and systems established by management to identify, assess, measure, monitor, and manage the major risks facing Verisk. The ERMC is responsible for the approval of policy exceptions and risk acceptance for all business and functional units.

Role: VP of Information Security & Information Risk Management
Responsibilities: Has responsibility for the oversight of the state of information security and risk management across Verisk and all of its member companies. This includes security engineering, operations, administration, identity and access management and information risk management. The VP of Information Security & Information Risk Management reports to the SVP of Enterprise Risk & Compliance and is also responsible for the rollout and maintenance of information security policies and the periodic reporting on the state of information security at Verisk to the CEO.

Role: Global Security Services (GSS)
Responsibilities: Global Security Services report to the VP of Information Security and Information Risk Management. Key GSS functions include:
• Identity and Access Management
• Deployment of security tools throughout the enterprise and independent monitoring of key information generated
• Systems vulnerability management
• Threat intelligence
• Security Incident Response Management

Role: Information Risk Officers (IRO)
Responsibilities: Information Risk Officers report to the VP of Information Security and Information Risk Management. Each of Verisk’s Business and Functional units is aligned with a designated IRO to maintain a continual assessment of information risk management effectiveness throughout the enterprise. The IROs work with the business unit’s Security Council liaison to assess the effectiveness of their specific risk management activities and manage their respective plans of action and mitigation where gaps are identified. See Information Risk Officer Alignment with Verisk Business Units on the corporate intranet.

Role: Business Owners
Responsibilities: Business Owners of Verisk Analytics and its member companies are the Business Unit Heads accountable for managing the risks of their respective organization in accordance with Verisk Information Security Policies. Business Owners are the custodians of the systems and data covered in the business or functional units that they oversee. Their responsibilities include:
• Ensure that physical and technical safeguards are in place to protect their systems, and that all security control activities are performed in accordance with Verisk policies as well as contractual and regulatory requirements.
• Assume full risk responsibility for any period that they operate out of compliance. In the event that compliance with a specific policy is suspended, the Business Owner or one of their delegates must immediately inform their Information Risk Officer.
• Review and approve any Policy Exception and Risk Acceptance (PERA) form submitted to the Enterprise Risk Management Committee (ERMC). The Business Owner retains the discretionary right to temporarily override compliance with a policy due to extenuating circumstances or a specific business need. However, this must be a temporary measure until a more favorable solution is found which reinstates the Policy.

Role: Data Owners
Responsibilities: Data Owners report to and are empowered by their respective Business Owner with full accountability for the business unit’s segment of products and services. Their responsibilities include:
• Maintain an awareness of the sensitivity and classification of the data they handle, as well as the laws and regulations associated with protecting the information/data.
• Define, describe and classify all data in their area in adherence with Verisk’s Data Classification and Handling Policy.
• Determine and authorize appropriate access rights to the application systems and data resources supporting their products and services.
• Approve access requests and periodically validate access permissions to the application systems and data resources.
• Maintain documentation supporting the actions taken to mitigate or accept identified risks as noted in Risk Assessments conducted by Verisk Analytics’ Information Risk Officers.

Role: Application Owners
Responsibilities: Application Owners are responsible for the overall procurement, development, integration, modification, or operation and maintenance of application systems supporting Verisk businesses and functional units. This includes the following:
• Design, coding, testing, and implementation of software developed in-house as well as the acquisition of software from external sources.
• Provide key deliverables and artifacts, including the program code, specifications, system documentation, test plans and test results.
• Develop and maintain documentation and data flows concerning threat models and test plans, conducting tests, and preparing risk mitigation/acceptance proposals.

Role: System Owners
Responsibilities: System Owners are responsible for providing the technology services for the set of application systems and related infrastructure supporting Verisk businesses. This includes services performed on information that is physical, electronic, and processed and stored by Verisk-managed processing facilities as well as vendor and cloud-based service providers. Verisk-managed processing facilities include the data centers covered by Verisk’s Managed Services as well as services managed directly by the business unit (i.e. non-managed services).

Role: Workforce
Responsibilities: All Verisk employees and contractors are accountable for understanding and complying with all security policies, guidelines and procedures. As such, they must:
• Read and comply with Verisk’s Information Security Policy principles.
• Report breaches of security, actual or suspected, to their business owner management and/or Verisk’s Help Desk in accordance with Verisk’s Incident Response Policy.
• Take reasonable and prudent steps to protect the security of all systems and data to which they have access.

Role: Verisk Security Council
Responsibilities: Composed of individuals from Verisk’s business units, corporate functions and member companies. In addition, the Security Council is represented by Verisk’s Information Technology and Risk & Compliance’s Information Risk Officers. The Security Council members, on behalf of their respective business units, ensure that Verisk’s Information Security Policies are adopted and consistently followed. The Security Council formally meets on a monthly basis.
5. Information Security Education and Awareness
Management shall establish a program to disseminate information security training to employees upon
hiring and on a periodic basis. Appropriate training material should be developed based upon job
function, and additional training mandated for roles with information security responsibilities.
6. Acceptable Use
The purpose of Verisk’s Acceptable Use Policy is to establish the acceptable use of information
systems at Verisk and to ensure that these systems are used only for business purposes in serving the
interests of the company and of our clients and customers during normal operations. Inappropriate use
exposes Verisk Analytics to risks including virus attacks, legal issues, and a compromise of network
systems and services. Please review Verisk’s Employee Covenants for further details.
7. Data Classification
The classification of all data received, processed, produced and stored by Verisk and its member
companies is vital in determining what baseline processes and mechanisms are appropriate for
safeguarding that data.
Data shall be classified as to its sensitivity to the organization and security controls shall be applied
accordingly. Data shall be labelled and handled in line with its classification. Data Owners or their
assigned delegates should evaluate and assign appropriate classification based on the value and
sensitivity of the information in accordance with the Data Classification and Handling Policy.
9. Asset Management
All Verisk Information Assets shall be clearly identified, documented and regularly updated in a centrally
managed Configuration Management Database (CMDB). All such assets shall have designated
business, data, application and system owners. All Verisk Workforce shall use company assets in
accordance with Verisk’s Acceptable Use Policy, and assets shall be classified in accordance with Verisk’s Data
Classification and Handling Policy. Verisk’s Asset Management Policy pertains to all of Verisk’s
Information Assets, including but not limited to hardware and software, products and services,
applications, servers, workstations, mobile devices, networking devices, firewalls, phones, printers,
facsimiles and cabling plants. This includes assets managed on premises as well as those supported
by third-party hosting and cloud-based services.
10. Identity and Access Management
Information access shall be defined by the principle of least privilege, and access rights shall be limited to
the minimum necessary to perform job functions. All employees shall be authorized according to
guidelines defined by Business Owners and Data Owners, in cooperation with Global Security
Services, in the creation of appropriate rules and access controls.
Access to Verisk Analytics information shall be controlled through a managed process that addresses
authorizing, modifying and revoking access, as well as a periodic review of information system
privileges. All individuals must be authenticated prior to gaining access to any Verisk Analytics
information resources.
Details for access control processes and standards, as well as password control, reset and complexity
requirements, are found in the Access Management Policy.
11. Database Security
Data owners, application owners, system owners, product owners, and all others involved in the system
lifecycle must always know and fully document the location of all data, especially Protected Regulated
Information. Documentation must be updated continually. Database accounts used by DBAs for
administrative duties must be unique individual accounts, not shared group accounts. Activities
performed by these accounts must be effectively monitored by independent personnel.
All multi-user, business critical or restricted databases must be inventoried at the appropriate level.
Additionally, some description of database contents is required; detailed descriptions are required
when the database contains Protected Regulated Information (see Data Classification and Handling
Policy).
Servers and host systems on database and application hosts must be configured and administered
according to the Verisk Analytics Configuration Management Policy and System Hardening Standards.
This includes all changes to configuration, and any changes to the location of Protected Regulated
Information. The database software version must be currently supported by the vendor.
12. Encryption
Encryption shall be used, where required, either contractually or by the Data Classification and
Handling Policy, to protect the confidentiality, authenticity and/or integrity of information. Management
shall implement cryptographic measures that are consistent with regulatory requirements for protected
information. Details for the specific principles related to encryption are found in the Encryption Policy.
13. Physical Security
All computing and electronic devices, such as desktop computers, must be accompanied by an
authorization from the data owners when they are removed from a Verisk Analytics location.
To prevent loss, damage, theft or compromise, Verisk Analytics computer assets, physical media,
confidential documents and mobile devices shall be handled in accordance with the Physical
Security Policy.
14. Software Use and Virus Protection
Antivirus software must be installed on all Verisk Analytics workstations. Employees shall be prohibited
from disabling antivirus software, and employees must report malware incidents to the Information
Security Incident Response Team for proper handling of potential or suspected viruses. The
Information Security Team is responsible for triage and remediation of malware incidents, per the
Information Security and Privacy Incident Response Policy.
15. Security Logging and Monitoring
Logging software, tools, facilities and log information shall be protected against tampering and
unauthorized access. The system clocks of information processing systems shall be synchronized to
a single authoritative time source so that log timestamps can be correlated.
A standard procedure and system shall be deployed for the monitoring and controlled deployment of
system patches and updates according to a defined software lifecycle. A change control process
should be documented to accurately account for software configuration control and monitoring.
19. Incident Management
Verisk Analytics and its member companies must adhere to the Verisk Analytics Information Security
and Privacy Incident Response Policy. State notification laws and mandates may
override the notification schedule documented in this policy.
Exchange of information between Verisk Analytics and other organizations shall be protected by
adequate information security controls. This includes, but is not limited to, communications pertaining
to industries with applicable laws, rules and regulatory requirements.
Communication resources shall be used for business purposes only. Any form of instant messaging
which travels outside of Verisk Analytics’ network is strictly prohibited.
24. Wireless Networking
Wireless networks shall be segmented, and shall require appropriate authentication mechanisms and
logging capabilities, as defined in the Identity Management Policy, Access Management Policy, and
Security Logging and Monitoring Policy.
Systems in development and/or testing environments shall be segmented from production networks
and information systems. Access to these segmented networks and development systems shall be
limited to approved personnel only.
All Verisk Analytics information systems and software implementations are subject to the requirements
defined in the Minimum Baseline Hardening Benchmarks.
26. Vendor Risk Management
As stated in the Vendor Risk Management Policy, vendors shall be regularly monitored, reviewed and
audited by Verisk Analytics, including due diligence before vendors are engaged. Vendor connections
to Verisk Analytics and subsidiary networks are prohibited unless approved by the Business Unit Heads
and Verisk Analytics’ VP of GSS, according to a standard method of evaluation and appropriate risk
assessment activities.
Remotely accessible Verisk Analytics information assets, including but not limited to web-accessible
resources and file sharing systems, must be secured with encryption and authentication consistent with
the framework in Verisk’s Access Management Policy document.
Employees should consult regulatory requirements and the Data Classification and Handling Policy
when backing up individual information. All media should be sanitized and handled according to the
Verisk Analytics Data Classification and Handling Policy.
handled in accordance with the related information classification, consistent with Verisk’s Data
Classification and Handling Policy.
an end user workspace and locked away when the items are not in use or a member of Verisk’s
Workforce leaves his/her workstation. This policy establishes the minimum requirements for
maintaining a “clean desk”, where sensitive/confidential information about our employees, our
intellectual property, our customers and our vendors, as defined in Verisk’s Data Classification and
Handling Policy, is secured in locked areas and out of sight. Verisk’s Clean Desk Policy is a standard
practice under frameworks such as NIST 800-53, the SANS Top 20 and ISO 27001/17799,
and it is also part of standard basic privacy controls.
35. Compliance
Verisk Analytics recognizes its burden to exercise due care for the safeguarding of data in its custody
including, but not limited to, Personally Identifiable Information (PII), Protected Health Information (PHI),
and Verisk Analytics Intellectual Property. To this end, and for overall assurance of the confidentiality,
integrity and availability of Verisk Analytics information systems, an independent review of compliance
with this Policy shall be conducted on a regular basis.
Verisk Analytics must adhere to applicable Data Privacy provisions of the following federal laws:
Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA); Fair
Credit Reporting Act (FCRA); and the Payment Card Industry (PCI) standard. This is not intended to
be an exhaustive list of the applicable federal, state or local laws that must similarly be complied with.
Further, all employees shall comply with relevant national and local legal, regulatory and contractual
requirements. Any Verisk Analytics employee who does not comply with this policy may be subject to
disciplinary action, up to and including termination. Access to Verisk Analytics’ information systems
and resources is a privilege, not a right, and may be revoked or suspended at any time.
36. Exceptions
While our intent is to operate in compliance with enterprise policies, on occasion extenuating
circumstances prevent full compliance. In these circumstances, policy exceptions and acceptance of
high-risk conditions require formal review and approval by the business unit head and by the
Enterprise Risk Management Committee (ERMC). For the definition and required actions, see section
5.4 - Policy Exceptions and Risk Acceptance and Appendix B of the Verisk Risk Policy.
37. Enforcement
Global Security Services is responsible for enforcing this policy. Any member of the Verisk Analytics
workforce found to have violated this policy may be subject to disciplinary action up to and including
termination of employment.