Dun & Bradstreet Information Security Control Environment
This sets forth the administrative, technical and physical safeguards (“Controls”) Dun & Bradstreet takes to protect customer information. Dun & Bradstreet may update these Controls from time to time to reflect changes in Dun & Bradstreet’s security posture, provided such changes do not materially diminish the level of security herein provided. These Controls are made a part of your agreement with Dun & Bradstreet (“Agreement”) and are in addition to any requirements in the Agreement. These Controls have been reasonably designed to protect the confidentiality, integrity and availability of customer information against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Services. Dun & Bradstreet maintains security policies, standards, and procedures designed to safeguard the processing of customer information by Dun & Bradstreet employees and contractors in accordance with these Controls.
The D&B control environment reflects the overall attitude, awareness, and actions of corporate governance, management, and D&B employees concerning the importance of controls and their emphasis within the organization. The control environment at D&B begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company’s core values and tone at the top which establishes its guiding principles.
D&B strongly values our relationships and the trust of our customers and partners. In today's high-technology environment, we understand an adaptable and agile security program is vital to the integrity of our business, and the privacy and security of confidential and proprietary data is one of our highest priorities. We evaluate and evolve our security, availability and confidentiality controls to keep up with the current threat landscape. D&B’s control environment represents the collective effort and effect of various factors on the establishment, enhancement, or effectiveness of specific risk-mitigating controls.
D&B has designated a Chief Information Security Officer who oversees our Global Information Security program. The Global Security and Risk team works with lines of business across the company, providing a corporate-wide information security strategy to support business objectives and minimize the likelihood and impact of attacks and security incidents on our information assets and those of our customers and third parties.
D&B is committed to our customers’ security, availability and confidentiality when using our products and services. D&B annually self-certifies to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield privacy frameworks. D&B also annually certifies to the ISO/IEC 27001:2013 Information Security Management Systems (ISMS) standard for our Dublin, Ireland and Marlow, UK locations. In addition, D&B annually undergoes a SOC 2 audit for D&B Hoovers, D&B Datavision, Data Integration Batch, D&B Match, Customer File Processing, Safe Transport, DNBi, Market Insight, Small Business Risk insight, D&B Compliance Check, D&B Credit, D&B Direct+ and Registration portal.
D&B classifies its data as Public, Internal Use Only, Commercial in Confidence, Restricted Confidential, and Restricted Sensitive. This is the data that D&B acquires, processes, analyzes and offers in products for customers to use as a solution to their business needs. The permissible use of this data must be understood before use. We safeguard this data by using a combination of preventative and detective technologies such as encryption and intrusion detection systems. Alongside these security measures, we have policies and procedures in place to validate and enforce our security controls. Access to this data is restricted to authorized personnel by physical and logical access controls.
The Global Security and Risk team members and activities are structured under a framework consisting of the following domains and controls:
- Access Management
- Network Security
- Data Security
- Detection & Response
- System Security
- Software Security
- Validation & Testing
- Awareness & Training
At Dun & Bradstreet, security is everyone's responsibility and we understand it all starts with our employees. We begin by performing background checks on employees upon hiring. Employees receive custom-designed security training at hire and annually thereafter. Throughout the year, we continue to share and reinforce security best practices to keep our employees up-to-date on the latest trends.
Policies & Procedures
Policies, standards, procedures, and guidelines are a critical component of governance at Dun & Bradstreet. They provide the structure and rules within which the organization and its subsidiary organizations operate. Policies are reviewed with appropriate owners to ensure alignment with business objectives and their continuing suitability, adequacy and effectiveness.
This approach achieves greater alignment with various regulations and improves our capability to address the security threats we face. The policy set references external frameworks for cybersecurity standards and incorporates elements as appropriate, including alignment with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27000 Information Technology Family of Standards.
Revised policies are published on the Company intranet following management’s approval, so employees can easily access the policies from their desktops. Significant changes to policies are communicated as necessary via meetings, emails, presentations, the Company Intranet, and/or companywide communications.
In addition to our policies, we also maintain compliance processes that address the processing of protected data to comply with applicable statutory, regulatory, contractual, and security requirements. Documented data disposal policies are in place to guide personnel on the procedure for disposal of data.
Access Management
Access rights and privileges necessary to perform a user’s job function are granted in accordance with:
- Need to Know
- Need to Use
- Least Privilege
- Segregation of Duties
- Contractual obligations regarding limitation of access to data or services
- Regulatory requirements
Authorized users must identify and authenticate to the network, applications and platforms using their user ID and password. User and device authentication to information systems is protected by passwords that meet D&B's password complexity requirements.
Upon employee termination, access to the products and systems is revoked.
Multi-factor authentication is required for remote sessions and administrative access to environments that host production systems. Furthermore, the highest levels of privileged access to systems, such as D&B Domain Controllers, are controlled by our Privileged Access Management system.
Network Security
Network connections are protected through a combination of security controls for the protection of data and systems. These are based on the type and purpose of the connection and include, but are not limited to, network segmentation, deployment of firewalls and other security appliances, and appropriate authentication mechanisms.
Access to information available through the network is controlled to prevent and detect unauthorized access while providing secure access to authorized users and systems. Activities and network traffic are logged and centrally stored using industry standard or vendor specific collection mechanisms.
The implementation of new networking devices (e.g., routers, switches, firewalls) or components of networking systems follows a formal change management process and is approved by the Technology Operations and Global Security & Risk teams. Devices deployed in the D&B network are configured to meet security requirements for their individual purposes (internal, public facing, demilitarized). Non-essential services on network devices are disabled or removed.
Direct public access between public networks (e.g. internet) and any internal D&B network is restricted. Traffic, inbound and outbound, from untrusted networks (including guest and external wireless connections) and hosts is restricted.
Connection of a new network to existing corporate or business systems networks at any company location or data center is approved by the security team or follows the standard for VPN tunnel connections. Remote connections to the corporate network are accessed via VPNs and MPLS connections through managed gateways.
Wireless and remote access granted to outside individuals is identified, inventoried, and managed.
Data Security
Sensitive information is not transmitted over the Internet or other public communications unless it is encrypted in transit. Web communication sessions, including data file transfers over them, are protected with Transport Layer Security (TLS).
Where required by applicable law and in accordance with our data classification standards, encryption at rest is used.
D&B uses encryption key management processes to help ensure the secure generation, storage, distribution and destruction of encryption keys.
Detection & Response
D&B investigates incidents relating to security, availability, confidentiality and privacy and responds to any real or suspected breach of security of D&B information systems in a timely, coordinated fashion while complying with applicable laws and regulations. D&B performs security table-top exercises on at least an annual basis.
D&B has developed and maintains practices which establish Information Security Incident classification and prioritization based on the severity of the Incident and the sensitivity of affected systems and data. To support these efforts, D&B has implemented and monitors alerts from various tools to provide an effective detection capability. Investigation of alerts and Security Events, including events related to availability and confidentiality, is conducted to detect new attack patterns as quickly as possible, and incidents are declared based on the outcome of the investigation.
Monitoring tools are in place to measure current usage against predefined thresholds and generate alerts to notify application and infrastructure support teams when thresholds are exceeded. Alerts are reviewed to determine if corrective action is required. In the event additional information assets are required to address usage needs, they will be deployed in accordance with formal asset deployment and change management policies.
System Security
Audit logs are configured to record significant information security-relevant activities and events in the D&B systems.
Servers, workstations and mobile devices are monitored using inventory discovery agents.
Data on laptops is protected by encryption. Anti-malware software is implemented and maintained across platforms (workstations and servers) that are susceptible to compromise.
Use of removable electronic media is restricted.
Default passwords shipped with operating systems are changed upon first use.
Configuration Standards are developed and reviewed annually. Security reviews are conducted on configuration baselines periodically to ensure compliance and that vendor recommendations and industry best practices are considered.
Software Security
The security of D&B software and applications is assessed through the application vulnerability management program and governed through the secure development policy and standards.
Based on the application risk classification, the software goes through appropriate reviews and testing, including design reviews, static application security testing (SAST) and dynamic application security testing (DAST). The outcome of the testing is captured and delivered through a report and via the issue management system. The report documents issues, severity ratings, and the required timeframe for remediation (based on the severity of the issue).
Validation & Testing
Changes to information assets and systems undergo our formal change management review and approval process prior to any implementation within the production environment.
D&B has a Vulnerability Management (VM) program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans or Red Team activities.
Vulnerabilities are documented and ranked based on severity levels as determined by the likelihood and impact ratings assigned by VM. D&B assigns appropriate team(s) to conduct remediation and track progress to resolution as needed. Critical vulnerabilities are targeted for remediation within 7 days; High severity vulnerabilities within 30 days; Medium severity vulnerabilities within 120 days.
Awareness & Training
New employees are required to complete security training, Code of Conduct and privacy training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Dun & Bradstreet’s Security Policies, as well as other corporate policies, such as the Code of Conduct and our privacy policies and procedures. D&B employees are required annually to take Code of Conduct, security and privacy training and are tracked to completion. D&B conducts periodic security awareness campaigns and phishing assessments to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
The D&B Third-Party Compliance process follows a defined global procurement and risk management lifecycle framework across selection, onboarding, monitoring and termination of the relationship. Rules are set forth to govern security and due diligence requirements (which include compliance, privacy and technology) for third parties (including our vendors and World-Wide Network Business Partners) doing business with Dun & Bradstreet. Third parties must comply with our Information Security policies, standards and procedures applicable to the service being provided.
Business Continuity & Disaster Recovery
Through continual assessments, we identify potential threats and their impacts to the business, then develop plans for mitigation. Our business continuity and disaster recovery strategies and plans are developed to address events such as natural disasters (earthquakes, hurricanes, pandemics, etc.) and manmade disasters (political unrest, terrorism, etc.). The plans follow industry best practices such as the Disaster Recovery Institute International and Business Continuity Institute guidelines and materially align to the ISO 22301:2012 Business Continuity Management System standard.
Physical & Environmental Security
Our physical security standards are designed to restrict unauthorized physical access to data center resources. Enterprise systems and network infrastructure components are physically located in controlled access areas. The controls may include: limited access points, access readers, access monitored by surveillance cameras, and only authorized personnel allowed access.
With our hosted data center providers, the identification, detection and protection for physical and environmental threats (to infrastructure, data, and software) are managed through third-party compliance requirements and service level agreements.