In an increasingly competitive global market with rapid adoption of cloud services for information management and increasing security risks, good security practices are essential for all companies to protect its own, customer and employee data against continuously evolving cyber security threats and to demonstrate compliance against statutory and /or regulatory requirements.
At Clarivate, we understand the importance of adopting industry-leading security practices and technology needed to protect customers’ data. Our security practices are embedded across all our technology, programs and processes. Clarivate has adopted the International Standards Organization (ISO) 27000 family of standards – ISO/IEC 27001:2013 as the basis for its Information Security Management System and established, documented, implemented all policies, standards and controls which conform to the requirements of ISO 27001 Security Standard.
Our security framework is built on leading information security standards and delivered by an in-house team of experts in cloud, application and information security. Discover the measures defined in our Information Security Program that we take to identify and protect from emerging threats.
Personnel Security
All our staff are subject to our code of conduct encompassing our company’s values and mission. They are made aware of their responsibilities, our policies and standards and receive regular guidance and support from our Information Security team on best practices relating to data security.
In accordance with relevant laws and regulations, adequate background verification checks are performed while recruiting an individual as permanent staff to ensure the authenticity of the individual and to reduce the possibility of threat to critical information assets.
We conduct mandatory information security training on an ongoing basis and provide supplemental training to specific target groups and individuals as required. Our staff are bound by obligations of confidentiality and understand the consequences for failing to adhere to our policies and their responsibilities.
An Employee exit process is followed at Clarivate which involves revocation of system permissions/access rights and return of company assets in a timely manner.
User Access management
Clarivate has a well-defined process for granting access to all information assets. Privileges and access rights are granted to employees based on “Need-to-know” and “Least-privilege” principles to protect information assets against unauthorized access and disclosure. Clarivate password policy is enforced across the board on all information assets, which ensures a minimum length, complexity, password expiry, history and account lockout requirements in case of failed attempts.
Infrastructure security
Our services are offered through public and private networks. Communications are protected against eavesdropping by secure channels, and strong encryption. Clarivate has secured its perimeter with state of art Network Intrusion Prevention Systems (NIPS), Application Firewalls and Network based Firewalls.
There are tiered controls, including the use of network segmentation, to ensure the appropriate level of protection to systems and data. Data Loss Prevention controls are also deployed for email security.
Endpoint and virus protection
In line with our policies, all Clarivate owned and supported operating systems which are hosted in our data centers or deployed in the cloud are required to be configured with our antivirus solution.
Patch management
We gather and review security threat intelligence from our internal vulnerability management tools, vendors and other third-party security organizations. Our patch management standard provides appropriate patching practices to our technology teams. At times, additional security controls may be implemented to provide mitigation against known threats.
Security monitoring
Automated and systemic centralized security logging and monitoring of the operating environment is ongoing through our SOC (Security Operation Center) for real-time awareness, event correlation and incident response.
Incident response
An incident response process is in place to address incidents as they are identified. Incidents are managed by a dedicated incident response team which follows a documented procedure for mitigation and communications. The plan is implemented according to various recognized standards and industry best practices such as: 1) NIST Computer Security Incident Handling Guide, 2) VERIS Community Database (VCDB) and 3) Verizon Data Breach Investigations Report (DBIR).
Clarivate’s Incident Response process requires incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.
Device lockdown
Standard security builds are deployed across our infrastructure with our security agents installed. Our server builds are based on industry practices for secure configuration Management.
Operations Security
Clarivate ensures all changes to operating information systems environment which includes changes to servers, network equipment and software are subject to formal change management process.
Clarivate ensures backup copies of information and software are maintained for data recovery in case of events such as system crash or accidental deletion of information.
Capacity management and monitoring
Monitoring of systems, services and operations are implemented to ensure the health of our operating environments. Management tools are implemented to monitor and maintain an appropriately scaled and highly available environment.
Vulnerability scanning
Our Information Security Team supports a vulnerability scanning and policy compliance service that product and technology teams utilize for internal and external vulnerability scanning and configuration compliance. Internet-facing sites on our global network are periodically scanned as a practice in our program focused on vulnerability management.
Risk assessment
Our product and technology teams engage information security subject matter experts regularly to provide risk assessments services. Architecture reviews, external vulnerability scans, application security testing and technical compliance reviews are several of the services performed during risk assessment activities.
Following risk assessment activities our Information Security Risk Management team consults with product and technology teams to develop remediation plans and roadmaps to address gaps in compliance, or areas of identified risk.
Additionally, our IT Governance, Risk and Compliance team performs audits against policies, standards and regulatory requirements, and registers findings for review and remediation initiatives within the business.
Physical security and third-party vendor management
All strategic data centers including cloud service providers where most of applications and products are deployed and managed to the standards, and industry best practice that Clarivate has adopted. Our guidelines include requirements for physical security, building maintenance, fire suppression, air conditioning, UPS with generator back-up, and access to diverse power and communications. Clarivate reviews third party data centers assurance reports as part of our Vendor Risk Management program.
A variety of secure methods are used to control access to our facilities to ensure that access is only gained in a controlled way on an operational needs basis. Depending on the sensitivity of the facility, these methods may include some or all of the following: the use of security staff, ID cards, electronic access control incorporating proximity card readers, physical locks and pin numbers.