Cision Information Security Policy
We take security seriously at Cision. Cision has been handling our customers’ non-public information for over 60 years, and maintaining its confidentiality is an integral element of our culture.
We have undertaken a variety of measures to protect our customers’ information, to assure the confidentiality, integrity and availability of Cision information resources, and to secure our facilities, networks and systems. These measures are defined in Cision’s Information Security Policy. Led by our Chief Information Security Officer, Cision’s Information Security Office is charged with developing, maintaining and monitoring compliance with the Information Security Policy. The Information Security Management program is based on an ISO 27002 framework.
The Information Security Policy applies to all individuals and entities that are provided access to Cision’s information resources, including third-party consultants, contractors and vendors.
We apply the principle of role-based access control at Cision. Access to customer information is restricted to only those whose roles require such access. The editorial processes and procedures that are in place have been designed to protect our customers’ information. Our standard operating procedures include requiring that employees who will have access to sensitive information undergo background checks, sign confidentiality agreements and receive training in information security, as well as in ethics and compliance.
Over recent years, as cyber security has become increasingly important, we have made significant investments in Information Technology architecture, policies, systems and practices in keeping with our Information Security Policy. Our Information Security Policy provides for a multi-dimensional approach to information security:
- Applications undergo regular vulnerability assessments of the running application (dynamic), of the application code (static) and of the hosts in the environment, using industry standard tools. Vulnerabilities are categorized, and high severity findings are prioritized and remediated as swiftly as possible during regular development cycles. Critical applications are penetration tested on an annual basis.
- Multi-factor authentication is required for remote access into our network.
- Applications follow a multi-tiered model, which provides the opportunity to apply controls at each layer, practicing “defense in depth.” Our Internet-facing portals are hosted in a network environment that is separated from our internal environment by firewalls. The Internet-facing tier employs secure communication through cryptographic protocols such as SSL and TLS. The data centers that house our applications follow industry standard practices and provide an attestation of their annual audits such as SOC Type II.
- We utilize encryption to protect press release information in transit to distribution points.
- Employee end-user machines have industry standard anti-virus software installed, which is updated and monitored regularly. Email spam filters are employed at the perimeter to help prevent internal virus outbreaks and phishing campaigns. Internet browsing is controlled, and known malicious external websites are blocked and logged to assist with the prevention of internal virus outbreaks and data theft.
- Multi-step authentication is mandatory for all Online Member Center users in the US and Canada.
Notwithstanding these protections, Cision recognizes that all IT systems remain vulnerable to attack; therefore, monitoring is essential. Our data centers employ intrusion detection systems that are regularly monitored. A Security Operations Command Center (SOCC) monitors the perimeter 24/7, and anomalous behavior is escalated to the Computer Security Incident Response Team (CSIRT). A formalized Incident Response Plan is followed by the SOCC and CSIRT.