Security (original) (raw)
Effective security is built on three pillars: people, processes and technology.
People
Comscore maintains a dedicated team of security professionals who hold Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) certifications. The team's responsibilities include vulnerability management, security incident response, and implementing and managing information protection technologies.
Process
Comscore develops, monitors, and enhances security controls in accordance with ISO 27001 best practices:
- Security Policies, Procedures, and Standards - Develop, recommend, and implement enterprise information security policies, technical standards, guidelines, procedures, and other elements of an infrastructure necessary to support information security.
- Security Awareness - All Comscore personnel are required to complete security training. We also provide targeted training to our software developers.
- Third Party Security Reviews - We perform third-party security reviews of our key suppliers.
- Incident Response - Comscore's security team has developed and manages the security incident response process.
- Disaster Recovery - Maintain and enhance disaster recovery plans and coordinate exercises.
- Risk Assessments - Perform risk assessments and recommend risk mitigation projects.
Technology
Comscore has implemented and manages several information protection technologies, as appropriate:
- Web Application Firewall (WAF)
- Denial of Service Protection
- Encryption of data in transit
- Encryption of personal and sensitive data at rest
- Endpoint protection (AV) including machine based learning
- Network Intrusion Detection System (NIDS)
- Security Incident and Event Management (SIEM) systems with threat intelligence
- Machine Readable Threat Intelligence (MRTI)
- Stateful inspection and next-generation firewalls
- Third Party penetration testing
- Virtual Private Network for customer, partners, and corporate remote access
- Regular application security testing and system vulnerability scanning
- Data Loss Protection (DLP)
Frequently asked questions
Information Security Policies
Yes, Comscore maintains and updates several security-related policies in alignment with ISO 27001 best practices as noted below.
Yes, Comscore makes its policies available to all employees/contractors and we conduct annual security training which includes testing its employees on policy content.
Organization of Information Security
Comscore bases its security program on the ISO 27001:2013 control framework. Our security program is audited as part of our SOX, MRC, SOC3.
Human Resource Security
Yes, where allowed by law. For contractors, we do not conduct background checks on personnel brought on through agencies, which do their own background checks. For direct, non-agency contractors, we conduct the background checks ourselves.
Yes, where allowed by law and typically occurs prior to employment.
Yes, Comscore has developed a Security Awareness Training Program. Security awareness is delivered to Comscore employees using a multi-pronged approach. Primary training is done via computer based training. Employees will complete initial training during “Onboarding”. The training is conducted through the Comscore Learning Management System (LMS). Awareness is enhanced through newsletters, posters, and emails. Policies are posted on an internal SharePoint site.
Asset Management
Yes, per Comscore's IT Asset and Media Disposal Policy, which is reviewed by our external auditors.
Access Control
Yes, Comscore has policies that determine and enforce password strength, history, as well as the prohibition of sharing user passwords and access.
We support a multi-tier firewall architecture supported by a stateful inspection firewall. All external access is mediated by an Internet DMZ. Access to internal networks is restricted based on authorized applications.
Cryptography
Yes, TLS or IPSSEC VPN is used to protect data in transit. Our policy requires encryption of data in transit over a public network.
Yes, full disk encryption is required for client devices. Server side encryption is limited to regulated, personal or sensitive information. 256-bit AES is used to encrypt data at rest.
Our encryption keys are stored in a FIPS compliant key vault and are supported by redundant, fail-safe architecture.
Physical and Environmental Security
Comscore conducts security reviews of its data center providers and also reviews and relies on independent third party audits, such as SOC 1, 2 or 3, or ISO 27001.
Yes, for the data centers that Comscore has access to (i.e. AWS does not allow onsite access to its data centers), Comscore restricts access to key personnel and conducts periodic access reviews. Comscore regularly reviews access to its third party data centers. Physical access controls include but are not limited to: multi-level physical security architecture; card reader access control; mantraps; multi-factor authentication, including PIN and biometric; 24x7 monitoring/CCTV surveillance).
Operations Security
We have implemented and manage several information protection technologies:
- Web Application Firewall (WAF)
- Denial of Service Protection
- Encryption of data in transit
- Encryption of personal and sensitive data at rest
- Endpoint protection (AV) including machine based learning
- Mobile Device Management
- Network Intrusion Detection System (NIDS)
- Security Incident and Event Management (SIEM) systems with threat intelligence
- Machine Readable Threat Intelligence (MRTI)
- Stateful inspection and next-generation firewalls
- Third Party penetration testing
- Virtual Private Network for customer, partners, and corporate remote access
- Frequent application and system vulnerability scanning
- Data Centric Audit and Protection (DCAP)
- Data Loss Protection (DLP).
Yes, Comscore utilizes a Security Incident and Event Management (SIEM) to aggregate logs and detect security threats and anomalies in our environment.
Communications Security
Yes, only company owned and managed devices are permitted on the corporate wireless LAN. All other devices are restricted to an isolated guest network permitting access only to the Internet. We utilize industry standard wireless encryption (WPA2).
Yes, our e-mail gateways leverage SMTP over TLS.
System Acquisition, Development and Maintenance
Comscore utilizes a formal Security Development Life Cycle process to ensure security is addressed throughout the development process. Comscore developers also undergo developer security training.
Supplier Relationships
Comscore performs a full security and privacy screen of all its suppliers. Monitoring and review is risk-based.
Security Incident Management
Yes, Comscore's Incident Response policy and procedures ensure an incident is promptly investigated, contained, remediated, and reported internally and externally, as appropriate, including required regulatory notifications, subject to required approvals. Our process formally defines roles & responsibilities, incident severity criteria, required notifications, the approach taken to use various tools to detect indicators of compromise. An Incident Coordinator oversees the incident response process. A Computer Security Incident and Response Team, composed of technical application and infrastructure experts, is engaged to investigate and remediate incidents.
Business Continuity/Disaster Recovery
Data is replicated to the standby facility and/or backed up to tape, depending on recovery time and recovery point objectives. Disaster recovery plans are documented and regularly tested via table-top exercise and an annual parallel test. Backups include a weekly fulls and daily incrementals. Tapes are stored offsite.
Yes, it is regularly reviewed, updated, and approved by management.
Compliance
Comscore attests its security program to the ISO 27001 (security) and ISO 27701 (privacy) standards. Our ISO certificate is available upon request (MNDA required to release it).
Comscore protects PI data using the following techniques, depending on the needs of the application: sanitization, masking, hashing, anonymization, pseudonymization, and encryption (256 bit AES).
Security Concerns
If you believe you have found a security vulnerability or need to report a security issue, please submit the form below. A member of our security staff will review your issue and get back to you. We request that you do not share or publicize an unresolved vulnerability to or with third parties.