Appendix B: User Access Security Policy 3.0 (Screening Solutions)
User Access Security Policy 4.0 (LexisNexis Screening Solutions)
Published: September 16, 2005
Revised: January 1, 2010
By: LexisNexis Screening Solutions Inc. (LN)
Proprietary and Confidential
Version / Revision / Date / Author / Reason/Description
1.0 / Original / September 16, 2005 / WorkPlace Solutions / Tailored to WPS Products
1.1 / Revision / May 3, 2007 / Asim Fareeduddin / Added mention of an end user to Section II
2.0 / Revisions / February 1, 2008 / Barbara Smith / Removed sentence in section I referencing echoed SPII. Changed “should” to “must” in reference to User IDs and/or password sharing in Section V. In section V. changed 15 minutes to 20 minutes in 9th paragraph.
3.0 / Revised / April 15, 2009 / Asim Fareeduddin, Tracy Brady / Revised to reflect company name change.
4.0 / Revised / January 1, 2010 / Creighton Frommer / Revised to reflect company name change.
I. Objective of the Security Policy:
LexisNexis Screening Solutions Inc. (LN) maintains and distributes information about consumers, some of which is considered “sensitive” nonpublic personal information. LN has defined such information to be fully displayed Social Security Numbers (“SSN”), Drivers License Numbers (“DL”), and Dates of Birth (“DOB”). LN developed and implemented this Security Policy in order to protect against the misuse of or unauthorized access to sensitive data by users of LN’s systems (“System”). This Policy documents the security requirements that must be followed by our Subscribers in order to gain and maintain access to sensitive data.
II. Access to this Security Policy:
This Policy has been developed for the sole use of the Subscriber and should not be duplicated or distributed to those that have not been assigned as an end user or the security administrator by the Subscriber.
III. Right to restrict access:
LN may deny Subscriber access to all or part of the System without notice if Subscriber engages in any conduct or activities that LN in its sole discretion believes violates any of the terms and conditions of the subscriber agreement or this Security Policy. If LN denies Subscriber access to the System because of such a violation, the Subscriber shall have no right (1) to access through LN any materials stored on the System or the Internet through LN, (2) to obtain any credit(s) otherwise due to Subscriber, and such credit(s) will be forfeited, (3) to access third party services, merchandise or information on the System or the Internet through LN, and LN shall have no obligation to notify any third-party providers of services, merchandise or information nor any responsibility for any consequences resulting from lack of notification.
IV. Right to modify:
LN reserves the right to update or modify this Security Policy at any time as may be necessary to further secure its System. Subscriber will be given reasonable advance notice of any such updates or modifications.
V. Policy Provisions
Subscribers must assign a security administrator(s) to take full responsibility for the requirements contained herein.
The security administrator is responsible for the ongoing administration of Subscriber’s user identification codes (“User IDs”). This includes issuing a new User ID to a user and deactivating an active User ID for a user that no longer has a permissible purpose to access the System or that is no longer employed by the Subscriber. The Subscriber and security administrator agree to keep such User IDs confidential and assign new User IDs only to those employees of the company who have a legitimate permissible purpose. Each individual user must have their own user ID and user IDs should not be shared.
The security administrator will be issued a special User ID that enables him/her to access the portions of the System used to manage User IDs or provided instructions on how to manage user IDs through LN’s account setup team. LN will provide the administrator with training necessary to administer User IDs through the System. The security administrator, where possible, will need to establish the appropriate IP address ranges that are allowed for the user being added to the System.
Once a User ID (and default password) has been activated for a user, the user must change the default password on the first successful login attempt. Passwords and User IDs must be alphanumeric, 6 to 15 characters in length, must contain both letters and numbers, and passwords cannot be the same as the User ID. All passwords are stored in an encrypted state to prevent unauthorized access or viewing by the administrator. The security administrator agrees to audit said User IDs and passwords on a reasonable schedule to ensure adherence to this Policy.
LN will require all users to reset their password when prompted by the system. Failure to reset passwords when prompted is a violation of this Security Policy and will result in the revocation of the User ID and the user’s privilege to use the System.
LN, on a reasonable schedule determined by LN, will deactivate inactive User IDs. Once deactivated, the security administrator may be able to delete or reactivate the User ID as appropriate. If a deactivated user contacts LN for reactivation, a security representative of LN will contact the security administrator of the account as a follow up. The user may only be reactivated by the security administrator of the account. If the security administrator is not available, the User ID will remain deactivated until such time as it is reactivated by the account security administrator.
LN reserves the right to monitor and/or conduct audits of Subscriber’s User IDs and passwords.
User IDs and passwords and IP addresses may be changed or blocked from time to time by LN to prevent unauthorized or suspicious access to services or misuse of its System. Where applicable, if the IP address submitted for a particular login does not match the IP address established by the security administrator for this User ID, the login will be denied. If routine monitoring reveals significant reason for an in-depth inquiry, LN reserves the right to suspend the account and/or User ID, and/or conduct a full audit immediately without notification to the customer.
Subscriber agrees to take appropriate measures so as to protect against the misuse and/or unauthorized access of LN data through any methods, including unauthorized access through or to Subscriber’s User IDs or passwords. This includes implementing measures such as ensuring the appropriate use of screen savers (20 minute timeout maximum), not writing down passwords anywhere, not sharing User ID or password with anyone else, and promptly notifying the security administrator if the subscriber has any reason to believe their authentication credentials have been compromised. Such misuse or unauthorized access shall include any disclosure, release, viewing or other unauthorized access to social security numbers, driver’s license numbers or dates of birth. Subscriber agrees that LN may temporarily suspend Subscriber’s access for up to ten (10) business days pending an investigation of Subscriber’s use or access. Subscriber agrees to cooperate fully with any and all investigations. If any misuse or unauthorized access is found, LN may immediately terminate the agreement with Subscriber without notice or liability of any kind.
In the event that Subscriber learns or has reason to believe that sensitive LN data has been disclosed or accessed by an unauthorized party, Subscriber will immediately give notice of such event to LN. Furthermore, in the event that Subscriber has access to or acquires personally identifiable information (e.g., social security numbers, driver’s license numbers or dates of birth) from LN, the following shall apply: Subscriber acknowledges that upon unauthorized access to or misuse of such sensitive information (a “Security Event”), Subscriber shall, in compliance with law, notify the individuals whose information was disclosed that a Security Event has occurred. Also, Subscriber shall be responsible for any other legal obligations which may arise under applicable law in connection with such a Security Event.
VI. Redress
In the event that Subscriber’s access has been suspended or Subscriber’s agreement has been terminated under this policy, Subscriber may file a written request for review with LN’s Privacy, Security and Compliance Organization.