General Questions
Question: Where are the servers located that store and process client data?
Answer: The servers are located in the USA.
Question: Is your product considered software?
Answer: No, it is not SaaS; it is a simple website that allows users to access and download economic information in PDF, Word, or Excel format.
Question: Are external email accounts allowed?
Answer: Yes, they are allowed, but no peer-to-peer programs can be installed, as staff are blocked from installing any unsanctioned third-party software.
Question: Do you have a network traffic scanning solution?
Answer: No.
Question: How do you manage user printing activity?
Answer: We have password-controlled printing service access for staff members.
Question: Do you require key recovery functions for encryption processes?
Answer: No, we do not require all encryption processes supporting service offerings (e.g., any application using encryption services) to include centralized key-recovery functions that may only be accessed by authorized personnel.
Question: What digital certificate authority do you use?
Answer: We use SSL certificates from DigiCert for all our HTTPS sites. SSL certificates from DigiCert are also used on firewalls to permit Cisco AnyConnect VPN connectivity.
Question: Are there any restrictions on PKI certificates?
Answer: Yes, we use different types of SSL Certificates from DigiCert for our internal and client-facing sites that use HTTPS. We use SAN certificates for our HTTPS sites where an FQDN is used for the common name.
Question: What risk level does my.ibisworld.com fall under?
Answer: MyIBISWorld is a low-risk application: we hold little to no client branding (we can upload client logos in admin) and hold no confidential or proprietary data (although we do hold personal data - see Privacy Policy here).
API questions
Question: Where can various client questions be answered?
Answer: Various client questions can be answered by reviewing our Developer website. (See note)
Question: Where can I find FAQs related to the API?
Answer: For FAQs, visit here.
Question: How can I get started with the API?
Answer: To get started with the API, refer to the Getting Started guide.
Data privacy questions
Question: Do you have a privacy policy?
Answer: Yes, we have a privacy policy. You can find it here. The policy covers data collection, use, processing, safeguarding, transfer, storage, and disposal.
Data Protection Officer
We take data privacy very seriously and have appointed a dedicated Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with data protection regulations. Our DPO is responsible for monitoring our data protection policies, providing advice on data protection impact assessments, and serving as the primary contact for any data protection-related inquiries.
For any questions or concerns regarding data protection, please contact our Data Protection Officer:
Name: Gavin Smith
Email: [Email Address]
Phone: [Phone Number]
Our DPO is here to help you with any issues or questions you may have regarding how we handle your personal data.
Question: Do clients have access to highly confidential data or abilities?
Answer: No, clients do not have access to sensitive or confidential information.
Question: How is staff access to client information managed?
Answer: Access to client information is limited by role-based access control. Only staff members who require access as part of their job function have permission to view client information.
Encryption/Cryptography Questions
Question: Do you have an Encryption Policy?
Answer: Yes, you can find our Encryption Policy in the Securing Data Policy.
Question: Do you utilize full disk encryption on laptops and/or servers?
Answer: We are currently investigating configuring laptops with BitLocker hard drive encryption for high-risk staff. However, server hard disks are not encrypted, except where we encrypt specific information (e.g., passwords).
Question: Do you encrypt data on portable/removable media?
Answer: We do not require laptops, mobile devices, and removable media to be encrypted with a strong industry-standard algorithm for media encryption. However, we are in the process of testing encryption for high-risk staff.
Question: Do you encrypt data at rest?
Answer: For MyIBISWorld clients, we encrypt passwords and user profile information (i.e., the values entered by users) at rest. We use the MS SQL encryption feature, specifically encrypting data with a passphrase using the TRIPLE DES algorithm with a 128-bit key length. For ProcurementIQ clients, we encrypt passwords at rest using AES256 key size encryption. Otherwise, we do not generally encrypt data at rest, as we do not store sensitive personal data. A description of the data we collect is detailed in our privacy policy.
Question: Is data backup encryption implemented?
Answer: We do not currently encrypt the devices used for backup. However, we are in the process of implementing encryption for all data backed up to AWS S3 or Glacier.
Question: Do you encrypt data in transit between the client and IBISWorld?
Answer: Yes, both MyIBISWorld and ProcurementIQ only allow HTTPS (using TLS 1.2 or higher), ensuring encryption during transit.
Question: Is data in transit within IBISWorld encrypted?
Answer: Our site-to-site VPN tunnels handle encryption of data between sites. Additionally, our internal sites used by staff are mostly HTTPS and require an authenticated Cisco AnyConnect-based VPN connection to access them. Firewall configuration details cannot be shared.
Question: Are all unsupported versions of SSL/TLS disabled?
Answer: Yes.
Question: Do you hash passwords?
Answer: No, we encrypt passwords using a symmetric key and store them. We do not hash passwords (hashing means storing the hash of the password, rather than the password itself).
Question: Is clear text client data ever visible by anyone, including system administrators?
Answer: Passwords are not visible, but user data will be visible to IBISWorld Client Relationship Managers to provide usage information to clients.
Question: Do you encrypt emails?
Answer: We do not automatically encrypt emails before they leave the organization.
Question: Is there a key recovery function?
Answer: We do not require all encryption processes supporting service offerings to include centralized key-recovery functions that may only be accessed by authorized personnel.
Question: What digital certificate authority do you use?
Answer: We use SSL certificates from DigiCert for all our HTTPS sites. DigiCert certificates are also used on firewalls to permit Cisco AnyConnect VPN connectivity.
Question: Are there any PKI certificate restrictions?
Answer: Yes, we use different types of SSL Certificates from DigiCert for our internal and client-facing sites that use HTTPS.
Question: Who controls encryption key management, i.e., creation, distribution, rotation, revocation?
Answer: IBISWorld does not require encryption key management. We use a combination of symmetric encryption keys in libraries (DLLs) and SQL stored procedures, as well as certificates (logins) for some of our applications.
Question: What is your key management platform? Is it open, proprietary, or manual?
Answer: Our key management platform is manual.
Business Continuity and Disaster Recovery Questions
Question: Does the service provider have the capability to execute a recovery from a security incident, a complete system failure, or destruction?
Answer: Yes.
Question: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: Yes, testing is typically conducted annually.
Question: What were the results of your last business continuity and disaster recovery test?
Answer: Please contact IT via this link for the latest results.
Question: Do you conduct BIA in relation to the processes that support service provision to your clients?
Answer: Yes, we conduct a BIA at least annually, in line with the testing of our Business Continuity and Disaster Recovery Policy.
Question: Do you have the capability to recover data for customers in the case of a failure or data loss?
Answer: Yes, please refer to our Data Backup and Recovery Policy. Note that IBISWorld stores very limited customer data (data is restricted to user information required for login).
Question: Are critical data and vital documents backed up and readily available offsite or online?
Answer: Yes.
Question: Does your cloud solution include software/provider-independent restore and recovery capabilities?
Answer: Yes, we can restore VMs or data from images or backups; only IBISWorld can restore data.
Question: Does your cloud solution include image backup and restore capability?
Answer: Yes.
Question: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: Yes, hardware is handled by AWS.
Question: If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: No, system restores to particular points in time are managed by IBISWorld as part of our Data Backup and Recovery policy.
Question: Provide details for the business continuity and disaster recovery responses for the People, Business Operations, Premises, and Equipment identified as essential in maintaining business delivery operations.
Answer: Our critical locations are the web hosting facilities at AWS US West (Oregon) and AWS US East (Ohio).
Question: Are policies and procedures established and made available for all personnel to adequately support services operations’ roles?
Answer: Yes.
Question: Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual, or business requirements?
Answer: Yes, see IBISWorld’s Data Backup and Recovery Policy.
Question: In the event of failure, what has been the service provider’s average recovery time?
Answer: Our most likely disaster scenario is failure of an AWS availability zone (AZ); RTO for my.ibisworld.com is 0-1 hr. In our most recent AZ failure test, users were pushed to redundant AZs within seconds (max. 15 seconds).
Cloud Questions
Question: Cloud Access Management
Answer: IT staff have varying levels of administrative access depending on their job function and/or the project they are working on. Some access provided to IT staff is temporary, for the duration of the project.
Question: Cloud Service Authentication
Answer: We use cloud-based authentication for the API and a proprietary cloud-based application security model for website authentication and access.
Question: Cloud Account Credential Management
Answer: Only authorized IT staff have access to our cloud provider, at different levels; credentials are based on job function/task. We do not permit IT staff to use credentials in plain text in code or configuration files.
Question: Cloud Identity and Access Management Solution
Answer: We use AWS IAM.
Question: Cloud Data Availability
Answer: Availability as per compliance with laws and regulations.
Question: Cloud VM Images and Snapshot Integrity
Answer: We do daily backups of critical databases. We also take images of certain servers in addition to the daily backups.
Question: Cloud Jump or Bastion Host Management
Answer: We do not use jump/bastion hosts.
Question: Cloud Jump or Bastion Host Security
Answer: We do not implement security controls (e.g., DLP, keystroke logging) on jump/bastion hosts.
Question: Cloud Certifications Compliance
Answer: We do not maintain annual compliance with any cloud-specific industry certifications.
Question: What type of cloud service? E.g. public, private, hybrid?
Answer: We use Amazon Web Services (AWS), which is public cloud. However, within AWS we have set up a Virtual Private Cloud. Our websites (client, retail, and internal websites like IBISAdmin) run on the infrastructure set up in the Virtual Private Cloud. help.ibisworld.com uses community cloud.
Question: Cloud Architectural Diagrams
Answer: Not applicable.
Question: Cloud Encryption Key Controls
Answer: Not applicable.
Question: Cloud Storage of Encryption Keys
Answer: We do not prevent storage of any cloud service customer-managed encryption keys on any persistent storage device.
Question: Cloud Host-Based Firewalls
Answer: We use AWS-provided firewall services along with firewalls on individual virtual machines.
Question: Cloud Usage Oversight and Governance
Answer: Not applicable.
Question: Cloud Hardware Security Module (HSM) Usage
Answer: We do not have a physical Hardware Security Module (HSM) to protect encryption keys.
Question: Cloud Hypervisor Procedure
Answer: Not applicable.
Question: Cloud Incident Management Capabilities
Answer: As all servers and database systems hosted with AWS are already segmented into separate subnets with firewall isolation based on the role performed, we can isolate them in response to any specific incident.
Question: Cloud Operating System and Application Integrity
Answer: We do quarterly updates of the operating systems of servers and of applications, but critical security updates are rolled out much more quickly, based on severity.
Question: Cloud Inventory
Answer: We use multiple cloud vendors for various functions, and these are documented.
Question: Cloud Key Management System (KMS)
Answer: We have no encryption Key Management System (KMS) solution to support cloud service customer-managed encryption keys.
Question: Cloud Key Management Procedure
Answer: We do not have a cloud key management procedure that gives our cloud service clients the ability to generate, rotate, and solely manage a unique encryption key.
Question: Cloud Customer Data Log Storage
Answer: We do not prevent the storage of cloud service customer data in cloud service provider logs.
Question: Cloud Password Management
Answer: Not applicable.
Question: Cloud Computing Policy
Answer: There is no formal cloud computing policy in place.
Question: Cloud Resource Pooling
Answer: We do not use cloud resource pooling.
Question: Cloud Concentration Risk Management
Answer: We utilize multiple availability zones and regions for business continuity, which mitigates the need for employing multiple cloud providers.
Question: Cloud Perimeter Security Solution
Answer: We use a combination of load balancers and AWS security group-based firewalls.
Question: Cloud Out-of-Band Network Segmentation
Answer: Not applicable. We use AWS.
Question: Cloud Virtualization Operations Network Segmentation
Answer: We use isolated VPCs and private/public subnets in AWS.
Question: Are cloud services used to store client data?
Answer: Amazon Web Services is used for web and database server hosting. We use Salesforce.com as our CRM system and Sisense as our BI platform.
Question: Cloud Application Code Testing
Answer: No. We have no testing and acceptance procedure for outsourced and packaged application code within the cloud.
Question: Cloud Open Source and Third Party Software Testing
Answer: No. We have no testing procedures to evaluate open source and third-party software used to provide cloud services for known vulnerabilities.
Question: Cloud External Time Service Usage
Answer: Not applicable.
Question: Cloud Trusted Supply Chain
Answer: Not applicable.
Question: Cloud Technology or Provider Usage
Answer: Amazon Web Services is used for web and database server hosting. We use Salesforce.com as our CRM system and Sisense as our BI platform.
Question: Cloud Master Image Vulnerability Management
Answer: Not applicable.
Question: Is the cloud service you use SaaS, IaaS or PaaS?
Answer: IaaS (Infrastructure as a Service) [See note]
Access/Log in questions
Question: Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
Answer: IT infrastructure is restricted by role-based access to IT staff. Access levels are reviewed as per the IT Security Overview Policy and User Access Review Policy.
Question: Do you manage and store the user identity of all personnel who have network access, including their level of access?
Answer: IT infrastructure is restricted by role-based access to IT staff. Access levels are reviewed as per the IT Security Overview Policy and User Access Review Policy.
Question: Do access controls on applications, operating systems, databases, and network devices deny access unless explicitly granted based on a legitimate business need and least privilege?
Answer: Yes.
Question: Are any Administrative interfaces published directly through the Internet, and is access to them strongly authenticated?
Answer: Yes.
Question: Are privileged accounts, including administrative and root accounts, strictly controlled, segregated from general usage, logged, and monitored?
Answer: Yes.
Question: Are non-production personnel permitted to have routine access to production environments?
Answer: No. Non-IT staff do not have access to Production environments. Only qualified IT staff are permitted access to the Production environment. There is no distinction between Production or Testing teams within the qualified IT staff group.
Question: Are controls in place to ensure non-production staff cannot implement changes to production environments that bypass formal change management processes?
Answer: Yes. Non-IT staff do not have access to Production environments. Only qualified IT staff are permitted access to the Production environment. There is no distinction between Production or Testing teams within the qualified IT staff group.
Question: Can IBISWorld restrict client site access from specific IPs?
Answer: Yes. Clients can be set up so that access to IBISWorld’s client site is only allowed if the user is accessing from a whitelisted IP. IPs are provided by the client and managed by IBISWorld staff in our internal-only administration system.
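The IP restriction described above, as an added example that is not IBISWorld's code: a per-client allowlist check that fails closed, plus the step a defender usually gets wrong when a load balancer (which the Cloud Perimeter Security answer mentions) sits in front of the web servers, namely deciding which address to check. The client names, allowlist entries and proxy ranges are constructed for the example.

```python
"""Per-client source-IP allowlist check behind a load balancer.

Added example for this FAQ, not IBISWorld code. It models the control described
above: a client's users are admitted only when they connect from an address the
client supplied. Client names, allowlist entries and proxy ranges below are
constructed for the example. The check fails closed: an unknown client, an
unparsable address or a forged forwarding header all lead to refusal.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: client id -> allowlist entries as an administrator would enter them.
# An empty list means the restriction is not enabled for that client.
CLIENT_ALLOWLISTS: Dict[str, List[str]] = {
    "acme-corp": ["203.0.113.0/24", "198.51.100.7", "2001:db8:10::/48"],
    "globex": [],
}


def parse_networks(entries: Iterable[str]):
    """Turn allowlist strings into network objects. A bad entry raises ValueError,
    so it is caught when the administrator saves it, not at login time."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _in_any(ip_text: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # not an IP address at all: treat as not matching
    return any(addr in net for net in networks)  # a v4/v6 mismatch is simply False


def is_allowed(client_id: str, source_ip: str,
               allowlists: Dict[str, List[str]] = CLIENT_ALLOWLISTS) -> bool:
    """Admit the request only if the client has no restriction configured or the
    source address lies inside one of the client's allowlisted ranges."""
    entries = allowlists.get(client_id)
    if entries is None:
        return False  # unknown client: refuse
    if not entries:
        return True   # restriction not configured for this client
    return _in_any(source_ip, parse_networks(entries))


def effective_client_ip(remote_addr: str, xff_header: str, trusted_proxies: List[str]) -> str:
    """Work out which address to check when a load balancer sits in front.
    Only hops appended by trusted proxies are believed: walking X-Forwarded-For
    from the right, the first address that is not a trusted proxy is the client.
    Anything further left was supplied by the client itself and is ignored."""
    trusted = parse_networks(trusted_proxies)
    if not _in_any(remote_addr, trusted):
        return remote_addr  # no trusted proxy in front: the socket peer is the client
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, trusted):
            return hop
    return ""  # every hop is a proxy: no client address can be named; is_allowed refuses ""


if __name__ == "__main__":
    ip = effective_client_ip("10.0.0.5", "203.0.113.42, 10.0.0.5", ["10.0.0.0/8"])
    print(ip, is_allowed("acme-corp", ip))
```

The order of checks matters: the socket peer is trusted only if it is one of the known load-balancer ranges, and the forwarded header is read right-to-left so that addresses the client itself placed at the front of the header never decide the outcome.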
Question: Privileged Access Management
Answer: IT staff have differing levels of privileged access depending on their job function and any temporary requirement for a project. Any access change can be requested but must be approved by the network and systems manager, the software development manager, or the CIO. All privileged access to the network, servers, and other systems is logged. MFA is not yet implemented but is planned for the future.
Question: Multiple Physical Location Log-In Restriction
Answer: We do not restrict multiple physical location logins for system administrators.
Question: Does the application make use of security challenge questions? (e.g., for password resets or in support of authentication.)
Answer: No. We do not have security challenge questions.
Question: Have security challenge questions been screened to ensure the information required is “out-of-wallet” (i.e., cannot be obtained from a single source and not easily obtainable from publicly available data)?
Answer: No. We do not have security challenge questions.
Question: Are client passwords masked to prevent display on the screen, emails, etc.?
Answer: Yes. Passwords are prevented from displaying in clear text during the password reset process or when used to log on to any client or internal systems. Passwords are not accessible (via reports, displayed on internal websites, etc.) to any users (external or internal).
Question: Are any passwords stored in clear text?
Answer: No. Passwords are encrypted in transit and encrypted at rest.
Question: Are client users locked out after a certain number of failed login attempts?
Answer: Yes. After 6 attempts.
Question: When a client user is locked out for failed login attempts, how long is the duration of the lockout?
Answer: 15 minutes.
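The lockout rule in the two answers above (6 failed attempts, 15-minute lockout), as an added example that is not IBISWorld's code. The counters are in-memory and the clock is injectable so the expiry can be exercised without waiting; the `attempt_login` flow and the choice not to count attempts made while locked are this example's design decisions, not something the FAQ states.

```python
"""Account lockout after repeated failed logins.

Added example for this FAQ, not IBISWorld code. It implements the policy stated
in the two answers above for client users: lock the account after 6 failed
attempts and keep it locked for 15 minutes. Counters live in memory here and the
clock is injectable so the expiry can be tested; a real deployment would keep the
counters in a store shared by all web nodes so every node sees the same state.
"""
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 6     # from the FAQ answer above
LOCKOUT_SECONDS = 15 * 60   # from the FAQ answer above


@dataclass
class _Counter:
    failures: int = 0
    locked_until: float = 0.0  # 0.0 means not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = MAX_FAILED_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    clock: Callable[[], float] = time.time
    _counters: Dict[str, _Counter] = field(default_factory=dict)

    def is_locked(self, username: str) -> bool:
        c = self._counters.get(username)
        if c is None or not c.locked_until:
            return False
        if self.clock() >= c.locked_until:
            # The lockout has expired: forget it together with the failures that caused it.
            del self._counters[username]
            return False
        return True

    def seconds_until_unlock(self, username: str) -> int:
        if not self.is_locked(username):
            return 0
        return math.ceil(self._counters[username].locked_until - self.clock())

    def record_failure(self, username: str) -> bool:
        """Count a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(username):
            return True
        c = self._counters.setdefault(username, _Counter())
        c.failures += 1
        if c.failures >= self.max_attempts:
            c.locked_until = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful login clears the failure count."""
        self._counters.pop(username, None)


def attempt_login(policy: LockoutPolicy, username: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account is refused even if the
    password is right, and attempts made while locked are not counted, so a
    stream of failures cannot keep extending the lockout."""
    if policy.is_locked(username):
        return "locked"
    if check_password(username, password):
        policy.record_success(username)
        return "ok"
    return "locked" if policy.record_failure(username) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(policy, "demo", "wrong", lambda u, p: False))
    print("seconds until unlock:", policy.seconds_until_unlock("demo"))
```

Checking `is_locked` before the password is verified is deliberate: verifying first would let a locked account still leak whether a guess was correct through timing or error differences.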
Question: Do you offer multi-factor authentication? If so, what type(s)?
Answer: For my.ibisworld.com, a verification code is sent to the user’s email if the user is accessing from an unrecognized browser.
Question: Do your staff use multi-factor authentication to access your internal systems?
Answer: IBISWorld staff must use a VPN and Cisco Duo MFA to log in when outside the office.
Question: Do you have password policies for mobile devices you issue to your staff and/or BYOD mobile devices?
Answer: See IT Security Overview Policy - Mobile devices, page 4.
Question: Do you have an internal Password Management Policy?
Answer: Staff are forced to change their passwords every 90 days, with specific requirements for length, complexity, etc., and are not able to repeat any of their last 20 passwords. There are stricter guidelines for IT staff.
Question: How often are IBISWorld staff required to change their password?
Answer: IBISWorld staff are required to change their Windows credentials every 90 days.
Question: How does a user reset their password?
Answer: Users can reset their password via the forgotten password functionality or by asking their administrator.
Question: Do you force users to change their initial passwords?
Answer: We send initial passwords for new staff directly to their manager. For new client users, we send a password reset email once the account is created. This email includes the username and a link to our secure site to reset the password. Users then create their password on our secure website.
Question: Are clients’ passwords required to be 8 or more characters long?
Answer: Yes.
Question: Are clients’ passwords required to use at least 1 uppercase, 1 numeric, and 1 special character?
Answer: True for MyIBISWorld, but the PROCUREMENTIQ CLIENT SITE IS DIFFERENT - it requires only 1 letter and 1 number. IT DOES NOT REQUIRE SPECIAL CHARACTERS.
Question: Do your clients’ passwords expire automatically?
Answer: We don’t enforce client password expiry by default; on MyIW, expiry can be configured to any number of days required by a client. For PIQ, passwords can be set to expire with IT assistance (as a one-off); however, an automated interval cannot be set.
Question: Can clients dictate password criteria as needed to ensure compliance with clients’ security standards?
Answer: No.
Question: Are clients prevented from reusing previously used passwords? If yes, how many?
Answer: When a client user resets a password, it cannot be the same as the current password. That is, only the most recently used password is prevented from being reused.
Question Are client passwords hashed or encrypted in storage?
Answer Yes.
Question Is the password ever sent via email?
Answer Passwords are not sent over email - users must reset passwords through the application.
Question Is the username ever included with the password in the same email?
Answer We do not send passwords via email.
Question Do you ask a user that has forgotten their username or password to confirm their identity by providing account details like email and/or phone number?
Answer No.
Question When does the password reset email expire?
Answer MyIW + PIQ: 24 hrs from the time of sending (time + date on email).
Question Is remote user access approved by management, monitored, and controlled?
Answer Yes.
Question Remote Access Policy
Answer See Employee Handbook. Staff eligible for Work-From-Home are provided with Cisco AnyConnect VPN solution for remote access. There isn’t a separate policy, but this is covered in the Employee Handbook.
Question Remote Network Access MFA
Answer Multifactor authentication for remote network access is required. We use Cisco Duo for MFA.
Question Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
Answer IBISWorld uses a Role-Based Access Control (RBAC) model meaning that access to management information systems where IBISWorld and client data are stored is based on the user’s job title. See IT Security Overview policy pages 5-6.
Question Centralized Authentication Mechanism for staff?
Answer We use Microsoft Active Directory for all staff authentication (based on job function) to their computers, intranet sites, network shares, etc.
Question Are users required to re-authenticate after being inactive for a period of time?
Answer MyIW: By default, a session will time out after 120 minutes of inactivity, no longer configurable at the client level since IndustryNow launch. PIQ: sessions timeout after 120 minutes.
Question Do you have processes in place for user access rights, including privileged users, to be reviewed?
Answer While we do review access rights at least annually, we have role-based access, so a user’s access changes when their role is changed.
Question Are documented processes in place to remove access as soon as possible after an employee or contractor’s departure from your organization, as well as emergency processes for immediate access removal?
Answer See Staff Off-Boarding Access Policy. Also, IBISWorld uses a Role-Based Access Control (RBAC) model meaning that access to management information systems where IBISWorld and client data are stored is based on the user’s job title. See IT Security Overview policy pages 5-6.
Question Are accounts accessed by external parties (including your organization’s third parties), that are used for system support and maintenance, enabled only during the time period necessary to conduct support activities, and monitored when in use and removed when no longer necessary?
Answer Yes.
Question Do any third parties have access to your organization’s systems which host or process client data? If yes, how is this secured?
Answer Our systems are designated for the internal use of the staff of IBISWorld and its entities/companies (i.e., PIQ). Third-party vendors can access our systems when required to provide support where third-party systems are used to deliver IBISWorld services. IBISWorld employs a range of security controls which differ between vendors and include, but are not limited to, SSO, MFA, VPC, and maintenance access windows.
Question Emergency Change and Break Glass Procedure
Answer No. We do not have an emergency change/break glass procedure to grant temporary access to systems or the network for break-fix activities.
Question Functional/Non-Human ID Management
Answer No. We do not have a process to manage functional/non-human IDs.
Question Group Account Procedures
Answer No. We do not enforce a change of password for group accounts upon termination or transfer of a user.
Question How does a new user request, or create, a new account?
Answer User accounts can be created by emailing or phoning the client relationship manager; client administrators can also create new accounts on the my.ibisworld.com application; users can also create their own account (if that setup is enabled).
Question Does the information provided by a user to verify identity when creating an account contain values other than PII? An example would be the employee ID or email address or a subscriber ID.
Answer Yes. Email address is required when creating an account. Other categories of information are optional and can be added/removed at client request.
Question Is it possible for the user to have more than one set of credentials to access a single account? If yes, then please provide further details on how this is accomplished.
Answer Yes. If a client requires Federated SSO (user will use their organization’s credentials) and the client also requires the user to have an individual username and password (supplied by IBISWorld).
Question Are any client’s company identifiers/codes required for registration?
Answer No. Client users do not need to provide their company code/identifier for registration unless the client specifically requires IBISWorld to collect the code/identifier for usage reporting purposes.
Question Do you notify individuals by email after account creation, password change, or account updates?
Answer Yes.
Question If the account change is to the email address, do you also send an alert to the original email address, not just the new one?
Answer No. We do not have this feature.
Question Unique User Identification
Answer We create all staff users’ accounts from Microsoft Active-Directory, where a unique ID is set up for each account. Client users of my.ibisworld.com and procurementiq.com all have user accounts with unique IDs and usernames.
Question System User Identification
Answer Basic user information is required, such as name, job title, phone number, email. Sensitive information is not required.
Removable Media (e.g. CDs, USBs)
Question Removable Media Management/policy
Answer No. We do not have a system/procedure/policy for the use, storage, and management of removable media. However, as per our IT Security Policy Overview, employees are made aware that client information and IBISWorld proprietary information can be stored on removable media only when required in the performance of assigned duties and must be deleted following the completion of those duties.
Question Media Destruction & Disposal
Answer Yes. See IT Asset Disposal Policy and see Asset Management Policy.
Question Backup Media Transportation
Answer Not applicable. We do not store data on remote devices or store these in a storage facility.
Question Media Removal for Clients
Answer No. IBISWorld does not store client-related assets (e.g., credit cards, media, hardware), so no removal procedure is required.
Question Media Decommissioning Process
Answer Yes. When disposing of IT assets such as computers, monitors, laptops, printers, etc., the disposal must be coordinated with IBISWorld’s Network Administrator to ensure that all data is removed using approved data removal tools and procedures. It is also a requirement that all software be removed prior to disposal to prevent potential breaches of software license agreements.
Question Media Encryption Policy
Answer No. We do not have a Media Encryption Policy.
Question Removable Media Tracking
Answer No. We do not have a system/procedure for tracking the secure storage of removable media.
Question Third Party Media Handling
Answer No. We do not have a system/procedure for monitoring third-party(ies) handling and storing media.
Question Is documented management approval required to be obtained prior to the distribution of any removable media containing client data?
Answer No. We do not distribute client data via portable media.
Question Is client data stored on removable media?
Answer No.
Question Is all removable media containing client data encrypted using a strong commercial product?
Answer No. Portable media containing client data are not used.
Question Do you have a Data Retention Policy
Answer Yes. See Data Retention Policy.
Data Management Questions
Question Data Segregation Policy
Answer No. We do not have a Data Segregation Policy.
Question Data Loss Prevention Policy
Answer Yes. See Data Loss Prevention Policy.
Question Data Classification Policy
Answer No. Although we do have a Data Classification section in the Data Loss Prevention Policy, we do not have a data classification policy that defines and documents an information/data classification scheme, no data labeling and handling procedures, and no Data Governance Policy that includes escalation of critical data quality issues.
Question Data Labeling and Handling Procedures
Answer No. We do not have data labeling and handling procedures.
Question Data Back Up Procedures
Answer Yes.
Question Are all data backups disconnected from and inaccessible through the organization’s network?
Answer No, we have different layers of backups - such as NAS and cloud.
Question Are all data backups secured with different access credentials from other administrator credentials?
Answer Yes.
Question Do access credentials for data backups utilize an authentication mechanism outside of Active Directory?
Answer Yes.
Question Desktop Data Storage Restrictions
Answer No.
Question Password and Application System Data File Storage Separation
Answer No. We do not have password files or application system data stored in different file systems.
Question Data Governance Policy
Answer No. We do not have a policy that includes escalation of critical data quality issues.
Question: Information Owner Designation
Answer: No. We do not designate “Information Owners” and define their roles and responsibilities, in writing, for all information under our control, nor review that list at least annually.
Question: Persistent Storage of Confidential Information in a DMZ
Answer: No. We do not have a policy/procedure in place to ensure that persistent storage of confidential information in DMZs is prevented.
Question: Encrypted Emails
Answer: No. We do not automatically encrypt emails before they leave the organization.
Question: Auto Forwarding Emails
Answer: Yes. Auto forwarding is allowed.
Question: Outbound Email Scanning
Answer: Yes. We do outbound spam filtering for O365, but we do not have controls to detect and prevent confidential data being sent out in an email or attachment.
Question: External Email Accounts
Answer: Yes. They are allowed, but no peer-to-peer programs can be installed, as staff are blocked from installing any unsanctioned third-party software.
Question: Is information classified based on its value, criticality, sensitivity, and nature of its function, and is it protected in accordance with its classification, client security requirements, and applicable legal, regulatory, and contractual obligations?
Answer: Yes. Please see the Data Classification section in the Data Loss Prevention Policy.
Question: What are the individual classification categories regarding data and systems and their corresponding security controls?
Answer: Tier 1 - Confidential Data (e.g., restricted to and authorized only by the data owner, approved at VP level or higher); Tier 2 - Internal/Private Data (e.g., role-based access control); Tier 3 - Public Data. Please see the Data Classification section in the Data Loss Prevention Policy.
Question: Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
Answer: No.
Question: Is a documented process in place to return or securely destroy all instances and copies of client data at contract termination (including backups)?
Answer: Yes. Client data is deleted in accordance with our Data Retention Policy.
Question: Is all physical and electronic media containing client data disposed of in a manner that ensures the information cannot be recovered or reconstructed into a usable format?
Answer: Yes.
Question: Is data backed up (copied or archived) on a regular basis and available for restoration after a data loss event?
Answer: Yes.
Question: Is client-specific data backed up to portable media?
Answer: No. Client usage information (i.e., what reports a client user downloaded) is backed up to AWS for restoration in case of a data loss event.
Information Security Policies
Question: Information Security Policy Communication Plan
Answer: Yes. IBISWorld staff are required to sign our Employee Handbook and Standard Conditions of Employment during onboarding. These documents oblige staff to use IBISWorld Information Resources appropriately. Updates to these documents are sent to staff, typically annually. The IT Security Policy is updated annually and sent to staff following each update. Incidents reported to the incident response group are escalated and communicated to the appropriate stakeholders as per the Incident Response Policy.
Question: Endpoint Information Exfiltration Security
Answer: Yes. The DataDog and Cisco AMP network monitoring tools are cloud-based, so no logs are stored on our servers.
Question: Information Security Policy Exception Process
Answer: No. There is no process to approve exceptions to the established information security policies.
Question: Information Security Risk Monitoring Procedure
Answer: Yes.
Question: Information Security Policy Owner
Answer: Yes. IBISWorld’s information security policies are owned by the Chief Information Officer (CIO). The CIO receives assistance from the IT Operations and Compliance Analyst to update these policies. The CIO, Global Head of IT, Global Network and Systems Manager, and IT Operations and Compliance Analyst conduct quarterly meetings to review and update information security policies, ensuring that all policies are updated at least annually.
Question: Information Security Risk Management Policy
Answer: Yes. See Risk Management and Assessment Policy; see Threat and Vulnerability Monitoring Policy; see Information Security Policy.
Question: Information Security Policy
Answer: Yes.
Question: Regulatory Compliance Policy
Answer: No. IBISWorld is in the process of creating a formal Compliance Policy with designated ownership of tasks, an inventory of policies and procedures, reviews, and broader education of staff. At present, compliance is the domain of process owners, primarily the CIO, SVP HR, SVP Finance, and legal counsel.
Question: Information Security Roles and Responsibilities
Answer: Yes. See Information Security Group Policy. Security is within the scope of the roles defined in the policy.
Question: Information Security Policy Sponsor
Answer: Gavin Smith: IBISWorld information security policies are owned by the Chief Information Officer (CIO). The CIO delegates policy updates to the IT Operations & Compliance Manager.
Question: IT Security Policy Governance
Answer: See note: The CIO, IT Operations & Compliance Analyst, Global IT Manager, Global Network & Systems Manager, and Solutions Architect meet quarterly to review and update information security policies, discuss security issues, and organize security testing.
Question: Access Request Process
Answer: Yes. See IT Security Policy.
Question: Separation of Duties
Answer: Yes. See IT Security Policy. Different internal IT departments provide role-based access to different systems and websites.
Question: Designated Owner of User Accounts
Answer: Yes. The requester of the account is the owner (provided the account is created after an internal approval process). All client accounts have a designated user admin and a designated Client Relationship Manager. IT user access for specific servers and databases is controlled by the Database Administrator and the Network and Systems Manager. These two staff members ensure user access is only granted to appropriately skilled individuals and that access is periodically reviewed.
Question: Staff Access Change Management
Answer: Yes. Access change requests are initiated by the respective staff member’s manager. All former-employee access is revoked as per the former-employee clean-up process.
Question: Return of Corporate Assets and Media
Answer: Yes. All assets issued to staff, as recorded in the asset-tracking system, are to be returned upon termination/resignation as per the termination checklist. The termination checklist is completed by the terminating manager and returned to Finance once complete.
Question: Access Credential Storing and Sharing Policy
Answer: No. We do not have an Access Credential Storing and Sharing Policy.
Question: Server Baseline Security
Answer: Yes.
Question: Data Loss Prevention
Answer: Yes.
Question: Data Retention Policy
Answer: Yes.