Service Provider shall be required to secure the D&B Data that Service Provider processes, transmits, stores, or otherwise comes in contact with in accordance with the D&B Data security requirements described below (referred to as the “Requirement” below). For purposes of this Requirement, any information, including entity information and personal information, that is provided by D&B to Service Provider and/or accessed by Service Provider during its performance of service to D&B is collectively referred to as “D&B Data”.
Last Updated: March 4, 2021
1. Security Program
1.1 Maintain and adhere to a written and comprehensive security policy, and supporting management framework, and enact standards and guidelines based upon that policy for the protection of the confidentiality, integrity and availability (CIA) of data, including D&B Data.
1.1.1 Service Provider understands and acknowledges that the risk environment related to the CIA of D&B Data can change from time to time and that effective security practices may need to be modified to address and mitigate such risks, including executing stricter security practices than those then practiced and/or described herein. Service Provider agrees to take reasonable steps to modify such security measures as those determined and requested in good faith by D&B.
1.2 Service Provider shall clearly define the roles and responsibilities associated with protecting the CIA of data and maintain a current Information Security, or equivalent, organizational chart.
1.3 Ensure that Service Provider staff are provided security awareness training upon hire and annually thereafter. The security awareness training curriculum should include, but not be limited to, information and best practices related to acceptable use, data classification and social engineering (including phishing).
1.4 Periodically assess the risk to Service Provider organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of D&B Data.
1.5 Promptly notify D&B in the event of an actual or suspected Security Event.
1.6 Prevent the disclosure of D&B Data, or information related to D&B Data or its structure (e.g. record and field information), to third parties without the written consent of D&B.
1.7 Service Provider shall create and maintain an operational incident-handling capability for organizational information systems, outlining procedures and protocols for the preparation, detection, analysis, containment, recovery, and reporting of security incidents.
1.8 Monitor, control, and protect organizational communications (i.e., information transmitted or received by Service Provider information systems) at the external boundaries and key internal boundaries of the information systems.
1.9 Service Provider will implement technical measures to prevent screen scraping or robotic harvesting of information (e.g. captcha devices).
1.10 If Service Provider is to leverage the use of a Subcontractor(s) to support the service(s) provided to D&B, D&B must be notified in advance. Included with the notification will be the most recent due diligence assessment, performed by Service Provider, of those Subcontractor(s).
1.11 As part of an audit, D&B shall have the right, upon reasonable notice, to examine and inspect Service Provider’s security policies, processes, and other related evidence to determine compliance with this Requirement. Service Provider agrees to cure all noted deficiencies within a mutually agreed upon timeframe.
2. Access Management
2.1 Allow access (including remote access) to D&B Data only to personnel requiring such access (“need to know”) to carry out the actions in fulfillment of the terms and conditions of the applicable agreement entered by and between D&B and Service Provider (“the Agreement”).
2.2 Access shall be provisioned only on the basis of least privilege.
2.3 Access to systems must be based on a valid, unique user identity to ensure traceability and accountability. Shared accounts shall not be used for any purpose other than system maintenance or related activities.
2.4 No less frequently than once per 180 days, review the listing of all individuals with access to D&B Data, including administrator / privileged access and systems and database administrators, to ensure that everyone’s access, and the level and function of such access, remains a requirement to execute the actions in fulfillment of the terms and conditions of the Agreement.
2.4.1 Ensure that IT Assets storing, processing or otherwise containing D&B Data are protected during and after personnel actions such as terminations or transfers.
2.5 Enact the principle of separation of duties to reduce the risk of malicious activity.
2.6 Configure automatic session time-out following periods of inactivity exceeding 15 minutes.
2.7 Disable the access to D&B Data of any Service Provider user account inactive for a period not to exceed 30 days.
2.8 Ensure that no individual’s identification or authentication information is used to originate simultaneous connections or sessions from multiple locations, physical or logical.
2.9 Transmit only encrypted account authentication and authorization information across any network and employ technology to ensure that remote access is authenticated by two factors, e.g. using one-time password generator tokens or biometric devices.
2.10 Collect and retain access logs of all events involving access to D&B Data for no less than 1 year.
2.11 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
2.12 Detect and alert relevant Service Provider personnel of unauthorized attempts to access D&B Data in real time, and promptly investigate, document and resolve the matter.
2.13 Retain documentation of all investigations and inquiries of possible unauthorized access attempts and promptly provide same to D&B upon request. For the avoidance of doubt, reports on Service Provider’s shared systems cannot be shared with clients, since it would (i) violate Service Provider’s confidentiality obligations to other clients, and (ii) pose a security risk to other clients.
2.14 Enforce the password policy elements and agree to the conditions described below with respect to any system containing D&B Data:
2.14.1 Users are periodically (no less than annually) made aware of the risks of sharing passwords and must not disclose their passwords to others or share passwords.
2.14.2 Users are periodically (no less than annually) made aware of the risks of documenting passwords in any readily perceivable manner, e.g. writing a password on a sticky note and attaching it to a monitor.
2.14.3 Newly-issued and system default passwords must expire on the first use.
2.14.4 Password files must be stored in a one-way encrypted (i.e., non-reversible) state.
2.14.5 Passwords must be masked when typed and entered into the system.
2.14.6 Passwords must have a minimum length of 8 characters.
2.14.7 Passwords must be complex, at a minimum containing alphabetic, numeric and symbolic characters.
2.14.8 Passwords must automatically expire, and users required to create new passwords, after a maximum lifetime of 90 days.
2.14.9 Prevent re-use of passwords used within the previous 12 months.
2.14.10 Unlock locked-out user accounts only after the user meets predefined authentication criteria.
2.14.11 The password change procedures must force re-authentication.
2.14.12 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
2.15 Employ industry standard strong encryption methods for stored and transmitted passwords.
2.16 Limit unsuccessful logon attempts and lock out any individual who has failed to provide the correct login credentials in no more than five attempts, for a period not less than one-half hour.
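The password and lockout parameters of 2.14 and 2.16 above, as an added illustration that is not part of the Requirement and not D&B’s or any Service Provider’s code: a Python account model that stores only salted one-way PBKDF2 hashes, enforces length and complexity, first-use and 90-day expiry, 12-month reuse prevention (measured over each password’s period of use, not only the date it was set) and the five-failure, 30-minute lockout. The Account class, its status strings and the PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Policy parameters taken from sections 2.14 and 2.16 of the Requirement.
MIN_LENGTH = 8                      # 2.14.6
MAX_AGE = timedelta(days=90)        # 2.14.8
REUSE_WINDOW = timedelta(days=365)  # 2.14.9
MAX_FAILURES = 5                    # 2.16
LOCKOUT = timedelta(minutes=30)     # 2.16

def hash_password(password: str, salt: bytes) -> bytes:
    # 2.14.4: only a salted, one-way (non-reversible) hash is ever stored (round count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_ok(password: str) -> bool:
    # 2.14.6 / 2.14.7: minimum length plus alphabetic, numeric and symbolic characters.
    classes = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and all(re.search(p, password) for p in classes)

class Account:
    def __init__(self, issued_password: str, now: datetime):
        self.history = []        # (set_at, salt, digest), oldest first
        self.must_change = True  # 2.14.3: an issued/default password expires on first use
        self.failures = 0
        self.locked_until = None
        self._store(issued_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((now, salt, hash_password(password, salt)))

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        set_at, salt, digest = self.history[-1]
        if hash_password(password, salt) != digest:
            self.failures += 1
            if self.failures >= MAX_FAILURES:  # 2.16: lock out for no less than 30 minutes
                self.locked_until, self.failures = now + LOCKOUT, 0
                return "locked"
            return "bad_password"
        self.failures = 0
        if self.must_change or now - set_at > MAX_AGE:  # 2.14.3 / 2.14.8
            return "password_expired"
        return "ok"

    def change_password(self, current: str, new: str, now: datetime) -> str:
        # 2.14.11: the change re-authenticates, so wrong attempts here count toward lockout.
        outcome = self.login(current, now)
        if outcome not in ("ok", "password_expired"):
            return outcome
        if not complexity_ok(new):
            return "too_weak"
        # 2.14.9: reject any password in use at any point during the last 12 months. A
        # password's usage period runs from when it was set until the next one replaced it.
        for i, (set_at, salt, digest) in enumerate(self.history):
            in_use_until = self.history[i + 1][0] if i + 1 < len(self.history) else now
            if in_use_until >= now - REUSE_WINDOW and hash_password(new, salt) == digest:
                return "reused"
        self._store(new, now)
        self.must_change = False
        return "ok"
```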
3. Data Protection
3.1 For systems upon which D&B Data resides, establish and maintain procedures for system hardening which align with industry standards such as CIS, NIST, DISA STIG, COBIT, or PCI.
3.1.1 Establish and maintain baseline configurations and inventories of Service Provider IT Assets throughout the respective system development life cycles.
3.1.2 Service Provider shall maintain and operate tools to scan, no less frequently than monthly, servers, network devices, etc. to confirm that Service Provider’s computing assets are in compliance with system hardening requirements.
3.2 Label any storage media under Service Provider’s control that contains D&B Data with a generic name that does not suggest to a reader that D&B Data is contained on that media.
3.3 Use an industry leading encryption method to safeguard data at rest (i.e. AES 256) and data in transit (i.e. TLS 1.2).
3.4 For systems upon which D&B Data reside, scan such systems, using reputable solutions (i.e. Qualys, Nessus, etc.), to identify and correct security vulnerabilities that may impact the CIA of D&B Data. Such scans are to occur no less frequently than monthly. Vulnerabilities discovered on Service Provider systems that are rated as critical are to be corrected no later than 7 days after discovery. High risk findings are to be corrected within 30 days after discovery. Medium risk findings are to be corrected within 120 days after discovery.
3.5 To the extent Service Provider is responsible for hosting a technology environment for D&B, Service Provider shall maintain an up-to-date network diagram showing all equipment, tools, data flows, and media where D&B Data is Processed or stored, and Service Provider shall comply with applicable PCI requirements.
3.6 D&B Data will reside solely on a segment of Service Provider’s internal network on a subnet protected by up-to-date firewalls configured to deny-all, except authorized traffic, to best provide Confidentiality, Integrity and Availability (CIA) of D&B Data.
3.7 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.8 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
3.9 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.9.1 Protect audit information and audit tools from unauthorized access, modification, and deletion and limit management of audit functionality to a subset of privileged users.
3.10 Data shall not be stored on mobile computing devices. If it is necessary that mobile computing devices are utilized, a mobile device management (MDM) policy must be in place and provide Service Provider with the ability to remote-wipe devices.
3.11 Prohibit, through the use of administrative and technical controls, the use of removable media (i.e. USB devices). If removable media are required, such devices shall be Service Provider-provided and managed (i.e. encrypted).
3.12 Apply a deny-by-exception (blacklist) policy to prevent the use of unauthorized software, or a deny-all, permit-by-exception policy to allow the execution of only authorized software or network communications traffic.
3.13 Return Data to D&B or certify the destruction of Data, pursuant to procedures set forth by NIST or the DoD, following use or upon D&B’s reasonable request or as otherwise required by the Agreement.
3.14 Perform comprehensive background checks on all individuals, including Employees, with physical or logical access to the systems or physical environment in which D&B Data are stored and ensure that those individuals whose background checks are not in agreement with stated records and employment do not have access to D&B Data.
3.15 Return to D&B all assets owned or issued to Service Provider personnel by D&B at the end of the engagement or termination of the relationship.
3.16 Employ controls and procedures that maintain file integrity through periodic scans of the information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
4. Systems Development
Software (i.e. source code) developed by Service Provider shall be built with security in the design, architecture and implementation, including but not limited to the following:
4.1 Provide evidence, when requested by D&B, that testing/evaluation and validation of the product is continually part of the Service Provider System Development Lifecycle (SDLC).
4.2 Service Provider will provide and maintain life cycle procedures specific to secure architecture and Software development based on CIS, NIST, DISA STIG, and/or similar standards as well as vendor best practices. Service Provider shall provide D&B with a letter signed by an appropriate senior manager, or equivalent, confirming Service Provider’s procedures as stated in this Section.
4.3 Service Provider will provide the list of open source libraries or components that are incorporated in the Software along with their version numbers.
4.3.1 Perform software component scanning on all the open source libraries using a commercial product. All identified issues must be addressed prior to the software being promoted to production.
4.4 All Application source code must be maintained in an approved and industry recognized source code repository. The repository should be managed by the Service Provider with proper access controls and monitoring. This includes any open source and third-party packages that are being customized in-house.
4.5 Perform static and dynamic code analysis using a reputable commercial product that scans for all Common Weakness Enumerations (CWEs), and provide results indicating that all Software has been scanned and has no weaknesses.
4.6 Engage an independent third party to perform application penetration testing (at Service Provider’s expense) of any developed web or mobile Software, analyzing for all possible vulnerabilities.
4.7 In the event that the Service Provider is providing a complete turnkey solution including hardware and Software, the Service Provider will also provide a report for configuration and platform vulnerability scanning that indicates there are no configuration or platform issues.
4.8 In the case of applications/products/solutions that are rated as high risk (which rating shall be performed on a case-by-case or Project-by-Project basis by D&B, in consultation with Service Provider, utilizing D&B information security standards), prior to any major releases, D&B expects the Service Provider to perform an end-to-end penetration test and provide a report showing that no security issues are present in the application/product/solution.
4.9 D&B reserves the right to review the results of or request a rescan of Service Provider’s software to confirm the security quality of the Software. Any vulnerability found will be treated as a Software bug, and, if the problem is in the code provided by Service Provider, corrected by Service Provider prior to Service Provider receiving final payment for delivery if applicable.
5. Physical Security
5.1 Implement and enforce policies and procedures for the purpose of safeguarding D&B Data at all facilities where such data is accessed, processed, stored or otherwise handled (including telework sites).
5.2 Systems storing, processing or otherwise handling D&B Data must be secured within locked rooms and facilities with access restricted to only those individuals with a need for such physical access to perform their job functions.
5.3 Create an appropriate number of layers of physical security between unauthorized Persons and systems on which D&B Data is stored, processed or otherwise handled. For most purposes, the appropriate number of physical security layers will be three (e.g. a security guard or turnstile, a locked server room, and locked server cabinets).
5.3.1 Physical access logs shall be maintained, capturing the date, time and individual accessing a particular area.
5.4 Maintain at least one layer of the above in which monitoring can be employed, tracked and reviewed (e.g. 24x7x365 monitoring of real-time CCTV surveillance footage).
5.5 Retain surveillance footage and security monitoring logs for a period of, at a minimum, one year.
5.6 Establish procedures for managing Service Provider visitors for the duration of the visit (i.e. providing an employee escort around Service Provider premises).
5.7 Service Provider shall implement and monitor appropriate environmental security controls (i.e. fire detection and suppression systems). Media or equipment containing D&B Data shall not be moved off of Service Provider premises without prior notification to D&B. Such media and/or equipment shall be properly safeguarded and a chain of custody shall be maintained to ensure accountability.
6. Staff Augmentation / Third Party Developers
To ensure the security, accountability and integrity of D&B Software and Data during Service Provider-provided staff augmentation and/or in cases where Service Provider-provided developers are used for developing and/or maintaining D&B applications and systems, the Service Provider will:
6.1 Service Provider personnel working in D&B facilities shall comply with (i) all D&B physical security requirements as provided to Service Provider, and (ii) D&B logical security requirements as set forth in the applicable SOW.
6.2 Perform and document the results of background checks on individuals that Service Provider contracts for the development, management, maintenance of systems which have access to D&B Data.
6.3 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
6.4 Ensure that developers, managers, systems administrators, and users of Service Provider information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
6.5 Ensure that the code developed by Service Provider and provided by the Service Provider to D&B will be free from known defects. This means that the code developed by the Service Provider Developers and provided by the Service Provider to D&B should not introduce any known vulnerabilities directly or indirectly, and the code should not contribute negatively to the overall security of the application/project.
6.6 If Service Provider is providing applications or Software development, Software enhancement or customization, database administration, system administration or coding Services for D&B, Service Provider’s Employees shall be required (i) to comply with D&B-required secure coding practices and (ii) to have appropriate topic-specific, vendor-specific, or Services-specific industry certifications. The specific secure coding practices and industry certifications that are required shall be listed in the applicable SOW.
7. Software Development Services
If Service Provider provides software development services, Service Provider shall comply with the following obligations:
7.1 Service Provider shall perform static and dynamic code analysis using a reputable commercial product that scans for all Common Weakness Enumerations (CWEs), and provide results indicating that all Software has been scanned and has no weaknesses.
7.2 Service Provider shall engage an independent third party at its own cost to perform application penetration testing of any developed web or mobile software, analyzing for all possible vulnerabilities.
7.3 In the event that Service Provider provides a complete turnkey solution including hardware and software, Service Provider will also provide a report for configuration and platform vulnerability scanning that indicates there are no security issues regarding configuration or platform.
7.4 In the case of applications/products/solutions that are rated by D&B according to D&B information security standards as high risk, Service Provider shall, prior to any major releases, perform an end-to-end penetration test and provide a report showing that no security issues are present in the application/product/solution.
8. Indemnification
In addition to any other Indemnification provisions in the Agreement, Service Provider shall at its expense indemnify, defend and hold harmless D&B and its Affiliates, and their respective officers, directors, employees, agents, representatives, successors and assigns, from and against any and all Losses and threatened Losses arising from, in connection with, or based on third party allegations in connection with a Security Event that arises out of (i) a breach of Service Provider’s obligations under the Agreement or the applicable SOW, (ii) a breach of Law applicable to Service Provider or to the Services being provided, or (iii) the willful misconduct of Service Provider or any employee or subcontractor of Service Provider.