Yes, Comscore maintains and updates several security-related policies in alignment with ISO 27001 best practices as noted below.

Yes, Comscore makes its policies available to all employees/contractors and we conduct annual security training which includes testing its employees on policy content.

Comscore bases its security program on the ISO 27001:2013 control framework. Our security program is audited as part of our SOX, MRC, SOC3.

Yes, where allowed by law. For contractors, we do not conduct background checks on personnel brought on through agencies, which do their own background checks. For direct, non-agency contractors, we conduct the background checks ourselves.

Yes, where allowed by law and typically occurs prior to employment.

Yes, Comscore has developed a Security Awareness Training Program. Security awareness is delivered to Comscore employees using a multi-pronged approach. Primary training is done via computer based training. Employees will complete initial training during “Onboarding”. The training is conducted through the Comscore Learning Management System (LMS). Awareness is enhanced through newsletters, posters, and emails. Policies are posted on an internal SharePoint site.

Yes.

Yes, per Comscore's IT Asset and Media Disposal Policy, which is reviewed by our external auditors.

Yes, Comscore has policies that determine and enforce password strength, history, as well as the prohibition of sharing user passwords and access.

We support a multi-tier firewall architecture supported by a stateful inspection firewall. All external access is mediated by an Internet DMZ. Access to internal networks is restricted based on authorized applications.

Yes.

Yes, TLS or IPSSEC VPN is used to protect data in transit. Our policy requires encryption of data in transit over a public network.

Yes, full disk encryption is required for client devices. Server side encryption is limited to regulated, personal or sensitive information. 256-bit AES is used to encrypt data at rest.

Our encryption keys are stored in a FIPS compliant key vault and are supported by redundant, fail-safe architecture.

Comscore conducts security reviews of its data center providers and also reviews and relies on independent third party audits, such as SOC 1, 2 or 3, or ISO 27001.

Yes, for the data centers that Comscore has access to (i.e. AWS does not allow onsite access to its data centers), Comscore restricts access to key personnel and conducts periodic access reviews. Comscore regularly reviews access to its third party data centers. Physical access controls include but are not limited to: multi-level physical security architecture; card reader access control; mantraps; multi-factor authentication, including PIN and biometric; 24x7 monitoring/CCTV surveillance).

We have implemented and manage several information protection technologies:

• Web Application Firewall (WAF)
• Denial of Service Protection
• Encryption of data in transit
• Encryption of personal and sensitive data at rest
• Endpoint protection (AV) including machine based learning
• Mobile Device Management
• Network Intrusion Detection System (NIDS)
• Security Incident and Event Management (SIEM) systems with threat intelligence
• Machine Readable Threat Intelligence (MRTI)
• Stateful inspection and next-generation firewalls
• Third Party penetration testing
• Virtual Private Network for customer, partners, and corporate remote access
• Frequent application and system vulnerability scanning
• Data Centric Audit and Protection (DCAP)
• Data Loss Protection (DLP).

Yes, Comscore utilizes a Security Incident and Event Management (SIEM) to aggregate logs and detect security threats and anomalies in our environment.

Yes, only company owned and managed devices are permitted on the corporate wireless LAN. All other devices are restricted to an isolated guest network permitting access only to the Internet. We utilize industry standard wireless encryption (WPA2).

Yes, our e-mail gateways leverage SMTP over TLS.

Comscore utilizes a formal Security Development Life Cycle process to ensure security is addressed throughout the development process. Comscore developers also undergo developer security training.

Comscore performs a full security and privacy screen of all its suppliers. Monitoring and review is risk-based.

Yes.

Yes, Comscore's Incident Response policy and procedures ensure an incident is promptly investigated, contained, remediated, and reported internally and externally, as appropriate, including required regulatory notifications, subject to required approvals. Our process formally defines roles & responsibilities, incident severity criteria, required notifications, the approach taken to use various tools to detect indicators of compromise. An Incident Coordinator oversees the incident response process. A Computer Security Incident and Response Team, composed of technical application and infrastructure experts, is engaged to investigate and remediate incidents.

Data is replicated to the standby facility and/or backed up to tape, depending on recovery time and recovery point objectives. Disaster recovery plans are documented and regularly tested via table-top exercise and an annual parallel test. Backups include a weekly fulls and daily incrementals. Tapes are stored offsite.

Yes, it is regularly reviewed, updated, and approved by management.

Comscore attests its security program to the ISO 27001 (security) and ISO 27701 (privacy) standards. Our ISO certificate is available upon request (MNDA required to release it).

Yes, as noted on our Privacy and GDPR pages.

Comscore protects PI data using the following techniques, depending on the needs of the application: sanitization, masking, hashing, anonymization, pseudonymization, and encryption (256 bit AES).