
Information Security Policy in Supplier Relationships

1. Information Security Policy

1.1. Introduction

The INFORMA D&B business processes largely depend on its Information Systems and the information they store. The goal of the Information Security Policy is to establish the overall Information Quality and Security directives for the organisation, and to protect the information assets.

These directives include the adoption of a series of organisational measures and rules outlined in this document and elaborated on in the associated documents, aimed at protecting and improving the information resources of INFORMA D&B and the Information Systems used for processing the information, and to combat threats, whether internal or external, deliberate or accidental, with a view to guaranteeing the quality, confidentiality, integrity, availability and legality of the information.

This Policy is based on recognised good practice for the secure management of Information Systems (the international ISO/IEC 27001 standard) and on the applicable legislation in force.

 

1.2. Purpose

The overriding purpose of this policy is to guarantee the quality of the information and its availability to the users who need it to perform their tasks, and to prevent loss of information and unauthorised access to it.

 

1.3. Information security policy

In a new technological environment, where the convergence of information and communications technology has created a new productivity paradigm for companies, INFORMA D&B is committed to maintaining a competitive service: providing its information services and building databases of economic, financial and marketing information on companies and business people of the highest quality. In this context, the use of good practice is essential to achieving the goals of confidentiality, integrity, availability and legality for all the information managed.

Therefore, INFORMA D&B makes the following commitments as the framework for applying its Information Security Management System (ISMS):

  • guarantee the resources required to implement the processes and activities involved in the management of Information Security, which includes raising the awareness of internal and external employees about this issue and their respective responsibilities in contributing to the efficacy of the ISMS;
  • define the strategy with regard to Information Security management, in line with the policies and strategic goals of Informa D&B;
  • make sure the information security management system achieves the intended results;
  • guarantee compliance with all laws applicable and relevant to the ISMS;
  • encourage ongoing improvement of the ISMS.

As such, the following information security goals are established:

  • the information processed by INFORMA D&B shall be accessed only by authorised staff, identified in advance, at all times and through suitable means;
  • the information processed by INFORMA D&B shall be complete, accurate and up to date;
  • the security of information transmitted within the organisation and to any outside entity shall be guaranteed;
  • the information processed by INFORMA D&B shall be accessible to and usable by authorised, identified users at all times, and its preservation shall be guaranteed against any eventuality;
  • training and awareness-raising initiatives shall be provided for the staff involved and for interested parties;
  • all information security incidents and suspected weaknesses shall be reported and dealt with;
  • information security risks shall be identified, continuously assessed, controlled and, where possible, mitigated;
  • business continuity plans shall be established, maintained and tested.

 

1.4. Penalties

Any deliberate or negligent breach of the information security rules established in the ISMS that could cause damage to INFORMA D&B, whether or not that damage actually materialises, will be subject to appropriate penalties.

All actions that compromise the information security of INFORMA D&B and which are not covered by the information security rules in the ISMS shall be reviewed by the General Management and by the Information Security Committee, to define a solution in accordance with the company’s criteria and the applicable legislation.

2. Information Classification

2.1. Information Classification

Information is an important asset of Informa D&B, and as such must be properly protected throughout its life cycle, from its creation to its destruction.

In order to apply a suitable level of security to the processing and use of information, a classification system shall be established for the information held by Informa D&B. This system must allow information to be categorised quickly and simply according to its requirements for confidentiality, integrity and availability, and shall support decision making about the security of that information. The classification system must therefore accurately reflect the criticality of the information, using the following levels:

  • commercial confidential – refers to all the information that Informa D&B acquires, processes, analyses and/or provides to entities outside the organisation within the scope of commercial relationships that are in place or may be established.
  • public – all the information in the public domain or the disclosure of which has no impact on the organisation’s activity; its content cannot contain information of a personal nature or the personal information of clients and partners, and cannot have any associated legal restrictions (local, national or international) in terms of access and utilisation.

 

2.2. Handling and marking of the information according to its protection level

2.2.1. General Rules:

  • the information shall be classified in accordance with the classification rules, regardless of its medium (hard copy, electronic or other);
  • the responsibility for classifying the Informa D&B information is attributed to its owner or the person responsible for its creation;
  • in all situations where the exchange of information includes documents with different classification levels, the rules corresponding to the highest level shall be applied;
  • the Information Classification level may only be changed after consulting and obtaining consent from the person responsible for the information (Reclassification).

2.2.2. Classification levels

Each classification level includes the following attributes for its correct classification and utilisation:

  • access – information access restrictions;
  • creation – precautions to take into account when creating the information;
  • disclosure/distribution – restrictions that may affect the disclosure of the information (e.g. secure transmission channels);
  • reproduction/printing – restrictions applied to the reproduction or printing of the information;
  • transmission/transport – measures that should be adopted to protect the information during its transmission or transport;
  • storage – precautions to take into account for storing the information;
  • destruction – precautions to take into account when destroying the information.

 

Commercial confidential

  • access – access is granted to partners, clients, suppliers and other entities with whom commercial relationships are in place or may be established;
  • creation – the information shall be classified at the moment it is created;
  • reproduction/printing – permitted in accordance with commercial needs;
  • transmission/transport – hard copies sent by post may use the normal postal service; electronic transmission must always use encrypted means while the information is in transit, but it is not necessary to encrypt each file individually: only the channel or medium carrying it needs to be encrypted;
  • labelling – for hard copy (paper), the classification level must be written in the footer of the documents ("this content is confidential and cannot be distributed and/or reproduced, in its entirety or in part, without the prior consent of Informa D&B"); for electronic means, the same footer text applies, apart from previously defined situations; for physical means (equipment), no visible classification is necessary;
  • destruction – information on physical media must be destroyed using the mechanisms the organisation possesses for this purpose; information in electronic format shall be deleted from the devices where it is stored using tools for secure deletion, and where electronic destruction is not possible the medium must be destroyed physically.

Public

  • access – unrestricted;
  • creation – the information shall be classified at the moment it is created;
  • reproduction/printing – permitted without restrictions;
  • transmission/transport – permitted without restrictions;
  • labelling – no visible classification is necessary on the labels of magnetic devices, document footers or covers;
  • destruction – no method that prevents recovery of the information is required.

3. Management of Information Security Incidents

3.1. Management of an Information Security Event

An information security event may be detected through several sources both internal and external to INFORMA D&B, namely:

  • clients;
  • third parties that have a relationship with INFORMA D&B and which become aware of an occurrence.

Upon detection of an occurrence by any external party, it must be reported immediately to INFORMA D&B, using the fastest available means of communication, by notifying the Client Support Service (apoio@informadb.pt).

Version 2.0