Our Security Framework
Security sits at the core of Experian’s operations. The vast majority of modern organisations face a significant number of risks relating to loss of information, and due to the nature of our business, Experian is no different. In order to defend our data from such risks, Experian has developed a best-of-breed security framework based around ISO 27001, the cornerstone of which is our information security policy.
As well as our commitment to ensuring that our staff continue to meet our high standards, we have also made a significant investment in establishing a Global Security function to ensure that security is embedded within our day-to-day activities across the world. The following sections explain this security framework in more detail and, we hope, will demonstrate the Experian commitment to maintaining the security of the data that we hold.

The Global Security Policy is owned by the Experian Global Risk Management Committee, which is an executive-level body that assumes ultimate responsibility for the Experian risk position. The Global Security Policy is available to all Experian employees on the Corporate Intranet. The Global Security Policy is reviewed regularly to ensure it is consistent with, and properly addresses, the following concerns:
- Business needs and business environment;
- External technology environment;
- Internal technology environment;
- Legal, statutory, regulatory and contractual requirements; and
- Other requirements specific to new or unique circumstances.
If required, security standards will be updated to include these controls.

Experian has achieved and subsequently retained certification to ISO/IEC 27001, having successfully made the transition from BS 7799.
The Experian Global Risk Management Committee assumes ultimate responsibility and sponsorship for the Experian risk posture at an executive level. The Global Security Steering Committee assumes operational ownership of the Experian information security policies and standards. The Global Chief Information Security Officer oversees and provides guidance to Experian on the overall development, implementation and coordination of systems security and physical security. This role is supported by the Global Security Office staff and business unit information security officers. All information assets, such as data, applications, software and hardware, have an appointed steward who is responsible for ensuring the asset’s security.

Experian places a strong emphasis on training to ensure that employees are aware of the importance of security within the business environment in an ever-changing and evolving risk landscape. All staff are required to comply with a comprehensive suite of security requirements and procedures to ensure they operate all systems in a secure manner.

Experian has a classification scheme for all information held by it. A security risk assessment determines the classification of each information asset. All information and information assets, including hardware, software, applications and licences are identified and this configuration information is held and maintained in a configuration management database. The assets in this inventory are classified into one of four categories through a risk assessment based on the sensitivity, value, criticality and impact or inherent risk of the asset.
Controls to protect the confidentiality, integrity and availability throughout the lifecycle of the information or information assets will then be applied in accordance with the classification.

Physical and environmental security requirements are defined by regularly updated risk assessments carried out on all Experian buildings. Minimum requirements are determined and established within these risk assessments. All Experian employees have the responsibility to maintain the levels of security controls required for each Experian building.

Experian has detailed processes and procedures to ensure the confidentiality, integrity and availability of its systems. These include:
- System monitoring and logging
- Change management
- Intrusion detection, prevention and incident management
- Virus and malicious software defence
- Segregation of duties and environments
- Capacity planning
- Cryptographic controls
- Data and voice network security
Experian recognises the value of information and controls required to adequately manage and secure it throughout its lifecycle.

There is a formal user registration and deregistration procedure in place, managed by the Global Security Administration function, which is certified to ISO 27001:2013. Each process involves gaining sign-off from the person responsible for the system and then actioning the request in a manner that is fully auditable. Regular reviews of user access rights are performed to identify and remove any invalid or inactive accounts. All Experian employees have to comply with stated security practices in the selection and use of passwords. They are also responsible for ensuring that unattended equipment is adequately protected.
Privileged and administrative accounts are reserved solely for performing system maintenance and related administrative duties. These are reviewed more frequently and are subject to tighter controls. Experian uses authentication and authorisation mechanisms which are proportionate to the sensitivity of the data in the resource which they are protecting. For highly sensitive data, Experian requires more than a single factor of authentication and may use location- or time-based controls to provide additional risk reduction. Experian has a two-factor authentication solution in place to ensure all remote access is secure.

Experian has a framework in place to support management of risk at project level, advocating that the process commences at project initiation; risks are initially identified via a formal workshop that includes the project stakeholders. The output from this is transferred onto a standard Risk Register template, and each risk is assessed in order to determine its impact, probability of occurrence and therefore its priority for attention.
Risk mitigation activity is then considered, appropriate responses selected, and ownership agreed. Subsequent review of the project risks and progress of mitigation actions is the responsibility of the project manager, and is an iterative process undertaken at predetermined intervals for the duration of the project (agreed with project sponsors), with ongoing input from the stakeholders. A mechanism for escalation of significant risks is agreed with the Project Sponsors at project initiation, and implemented by the Project Manager. Above project level, the risk review process is conducted via formal risk forums across the enterprise; these take place at quarterly intervals to coincide with the Group Audit Committee schedule.

Experian periodically measures compliance with the Experian Global Security Policy via the Global Security Office. The Global Security Office works with business units to assess their compliance with Experian security policies and standards. The results of these assessments are aggregated and reported to the Global Risk Management Committee.

All Experian staff are subject to screening prior to employment; all new employees are also subject to criminal and financial checking. Screening processes are conducted to provide verification of identity and credentials, as well as to evaluate applicant integrity. Security considerations that support Experian security requirements are addressed through the hiring or contract initiation process and in descriptions of staff job accountabilities and responsibilities or in statements of work to be performed.
All roles are shadowed by backup personnel. In addition, documented process and procedure are used to underpin and ensure that knowledge is shared, removing single points of failure/excellence. All Experian staff are subject to confidentiality/non-disclosure agreements as part of standard contracts. The agreement extends beyond the period of employment with Experian.

The purpose of Business Continuity Planning is to safeguard the interests of Experian’s key stakeholders (both internal and external), to ensure our ability to comply with legislation, contracts, and other formal and informal commitments, and to protect our reputation, brand and value-creating activities. To enable this, Experian has a framework for the development and maintenance of Business Continuity Plans based on regulatory, contractual, client and financial requirements. The plans are based on risk assessments and business impact analysis which are underpinned by established Business Continuity policies and procedures.

The Experian Global Information Security Policy identifies numerous controls required for outsourcing any services or activities that could potentially impact the security of client data.
The following groups of information security controls and activities are deemed as key when outsourcing to an offshore partner:
- Third party risk identification and control
- Outsourcing contracts
- Governance
When third parties require access to Experian information systems and resources, the request is risk assessed based on the classification and sensitivity of the information that is being accessed, transferred or processed. Any risks arising from granting this access are identified and controlled. The third party must demonstrate that their security practices and procedures are consistent with the equivalent Experian standards. Access must be approved by a sponsoring manager and limited to that which is specifically covered by a written contractual agreement. The contract will document information security requirements as contractual terms. Third party access has a review date at which the access is reviewed for termination.

Experian has a formally documented risk-based incident management process to respond to security violations, unusual or suspicious events and incidents. This process is coordinated by the Experian Global Security Office and is owned by the Executive. The purpose of this process is to limit further damage to information assets, identify root cause, and execute corrective actions. Incident communication is tightly controlled to ensure a ‘need to know’ principle while allowing the correct investigation and escalation to occur. Post incident reviews are held to analyse the effectiveness of the incident response and operational processes in order to continually improve them. The Experian incident response processes are periodically audited and tested to ensure their currency and effectiveness.

As a global provider of information solutions, we continuously assess information threats and industry trends based upon the Experian Global Security Policy, and we have identified a need to clearly define the controls and standards required for information exchanges between Experian, our clients, and other third party organisations.