
Information Security Policy Framework

VERSION 1.2 August 2017

This document contains Private or Internal Use Only Information and should not be shared with third
parties.

Revision History

Version | Date           | Section | Author | Description
Initial | September 2014 | All     | ER&C   | Reviewed by Verisk’s Security Council
v1.0    | October 2014   | All     | ER&C   | Reviewed by Verisk’s CIO Council
v1.0    | October 2014   | All     | ER&C   | Reviewed by Verisk’s Policy Committee
v1.1    | June 2016      | All     | ER&C   | Added list and definitions of Roles and Responsibilities (Sect 4); added reference to the annual review (Sect 3); added reference to Encryption Policy (Sect 8); added sections on Enforcement, Exceptions
v1.2    | August 2017    | All     | ER&C   | Added sections for new policies in force (Backup, DB Security, Acceptable Use, Data Destruction)

Private Information, Internal Use Only. Do not share with third parties. Page 2

Table of Contents
Revision History ..................................................................................................................................... 2
Table of Contents .................................................................................................................................. 3
1. Background .................................................................................................................................... 5
2. Scope ............................................................................................................................................. 5
3. Information Security Policy and Guidelines ..................................................................................... 5
4. Roles and Responsibilities .............................................................................................................. 5
5. Information Security Education and Awareness .............................................................................. 7
6. Acceptable Use .............................................................................................................................. 7
7. Data Classification .......................................................................................................................... 8
8. Workforce Information Handling ...................................................................................................... 8
9. Asset Management ......................................................................................................................... 8
10. Identity and Access Management ............................................................................................... 8
11. Database Security ....................................................................................................................... 9
12. Encryption ................................................................................................................................... 9
13. Physical Security ......................................................................................................................... 9
14. Software Use and Virus Protection ............................................................................................ 10
15. Security Logging and Monitoring ............................................................................................... 10
16. Configuration Management ....................................................................................................... 10
17. Vulnerability and Patch Management ........................................................................................ 10
18. Risk Management ..................................................................................................................... 11
19. Incident Management ................................................................................................................ 11
20. Network Security ....................................................................................................................... 11
21. Firewall Management Policy...................................................................................................... 11
22. External Connection Authorization ............................................................................................ 12
23. Cloud Services Security ............................................................................................................ 12
24. Wireless Networking.................................................................................................................. 12
25. Secure Development ................................................................................................................. 12
26. Vendor Risk Management ......................................................................................................... 13
27. Mobile Communications ............................................................................................................ 13
28. Data Storage and Archiving....................................................................................................... 13
29. Data Destruction and Disposal .................................................................................................. 13
30. Business Continuity Management ............................................................................................. 14
31. Backup Management ................................................................................................................ 14
32. Policy for Acceptance of Credit Card Payments ........................................................................ 14
33. Bring Your Own Device (BYOD) Policy ..................................................................................... 14
34. Clean Desk Policy ..................................................................................................................... 14
35. Compliance ............................................................................................................................... 15
36. Exceptions ................................................................................................................................ 15
37. Enforcement.............................................................................................................................. 15
Appendix A: General Disclosure Statement ......................................................................................... 16

1. Background
Verisk Analytics’ Information Security Policy Framework defines the fundamental principles for protecting
firm-wide information resources and the controls needed to ensure compliance with internal and external
regulations and to uphold Verisk Analytics’ reputation with our clients. All Verisk Analytics’ employees,
contractors and third parties are responsible for ensuring compliance with the Information Security Policy.

2. Scope
This Information Security Policy Framework and all related security documents apply to all employees
(full and part-time) and contractors of Verisk Analytics and its member companies. In addition, this
policy applies to all Verisk Analytics information regardless of the location where it is received,
developed, stored and/or accessed. This includes information that is physical, electronic, and
processed and stored by Verisk managed processing facilities as well as vendor and cloud-based
service providers.

3. Information Security Policy and Guidelines


Verisk Analytics has established this Information Security Policy Framework to provide management
direction and support for information security. This framework shall be supported by individual security
policies that implement the objectives of each key area of information security set forth herein. Further,
to support the implementation of these policies, guidelines shall be developed for critical processes and
technology that define how those processes shall be implemented to support the information security
goals of the organization.

Verisk’s information security policies are subject to review on an annual basis by the respective
members of Enterprise Risk & Compliance designated as policy owners. These policies are also
subject to review after any major change to the organization or infrastructure environment. The
objective of the assessment is to address the development, implementation, maintenance and
dissemination of this Framework and its associated Policies.

4. Roles and Responsibilities


Verisk Analytics shall define a security organization that includes roles and objectives to delineate the
responsibilities of the organization with respect to information security and supports the identification
and assignment of information security roles within the organization.

SVP of Enterprise Risk & Compliance
Collaborates with all Verisk operating and functional units to implement and deliver effective and
appropriate compliance and risk-mitigation services. The SVP of Enterprise Risk & Compliance chairs
and provides leadership of the enterprise-wide Compliance and Security Councils.

Enterprise Risk Management Committee (ERMC)
The ERMC provides guidance and authority related to the enforcement of Verisk’s enterprise-wide risk
management framework and Enterprise Risk & Compliance function, including the strategies, policies,
procedures, processes, and systems established by management to identify, assess, measure, monitor,
and manage the major risks facing Verisk. The ERMC is responsible for the approval of policy exceptions
and risk acceptance for all business and functional units.

VP of Information Security & Information Risk Management
Has responsibility for the oversight of the state of information security and risk management across
Verisk and all of its member companies. This includes security engineering, operations, administration,
identity and access management and information risk management. The VP of Information Security &
Information Risk Management reports to the SVP of Enterprise Risk & Compliance and is also
responsible for the rollout and maintenance of Information Security policies and the periodic reporting
on the state of Information Security at Verisk to the CEO.

Global Security Services
Global Security Services (GSS) report to the VP of Information Security and Information Risk
Management. Key GSS functions include:
• Identity and Access Management
• Deployment of security tools throughout the enterprise and independent monitoring of key
information generated
• Systems vulnerability management
• Threat intelligence
• Security Incident Response Management

Information Risk Officers
Information Risk Officers (IRO) report to the VP of Information Security and Information Risk
Management. Each of Verisk’s Business and Functional units is aligned with a designated IRO to
maintain a continual assessment of the information risk management effectiveness throughout the
enterprise. The IROs work with the business unit’s Security Council liaison to assess the effectiveness
of their specific risk management activities and manage their respective plans of action and mitigation
where gaps are identified. See Information Risk Officer Alignment with Verisk Business Units on the
corporate intranet.

Business Owners
Business Owners of Verisk Analytics and their member companies are the Business Unit Heads
accountable for managing the risks of their respective organization in accordance with Verisk
Information Security Policies. Business Owners are the custodians of the systems and data covered in
the business or functional units that they oversee. Their responsibilities include:
• Ensure that physical and technical safeguards are in place to safeguard their systems, and that all
security control activities are performed in accordance with Verisk policies as well as contractual and
regulatory requirements.
• Assume full risk responsibility for any period that they operate out of compliance. In the event that
compliance with a specific policy is suspended, the Business Owner or one of their delegates must
immediately inform their Information Risk Officer.
• Review and approve any policy exception and risk acceptance (PERA) form submitted to the
Enterprise Risk Management Committee (ERMC). The Business Owner maintains the discretionary
right to temporarily override compliance with a policy due to extenuating circumstances or a specific
business need. However, this must be a temporary measure until a more favorable solution is found
which reinstates the Policy.

Data Owners
Data Owners report to and are empowered by their respective Business Owner with full accountability
for the business unit’s segment of products and services. Their responsibilities include:
• Maintain an awareness of the sensitivity and classification of the data they handle, as well as the
laws and regulations associated with protecting the information/data.
• Define, describe and classify all data in their area in adherence with Verisk’s Data Classification and
Handling Policy.
• Determine and authorize appropriate access rights to the application systems and data resources
supporting their products and services.
• Approve access requests and periodically validate access permissions to the application systems
and data resources.
• Maintain documentation supporting the actions taken to mitigate or accept identified risks as noted
in Risk Assessments conducted by Verisk Analytics’ Information Risk Officers.

Application Owners
Application Owners are responsible for the overall procurement, development, integration, modification,
or operation and maintenance of application systems supporting Verisk businesses and functional units.
This includes the following:
• Design, coding, testing, and implementation of software developed in-house as well as the
acquisition of software from external sources.
• Provide key deliverables and artifacts, including the program code, specifications, system
documentation, test plans and test results.
• Develop and maintain documentation and data flows concerning threat models and test plans,
conducting tests, and preparing risk mitigation/acceptance proposals.

System Owners
System Owners are responsible for providing the technology services for the set of application systems
and related infrastructure supporting Verisk businesses. This includes services performed on
information that is physical, electronic, and processed and stored by Verisk managed processing
facilities as well as vendor and cloud-based service providers. Verisk managed processing facilities
include the data centers covered by Verisk’s Managed Services as well as services managed directly by
the business unit (i.e. non-managed services).

Workforce
All Verisk employees and contractors are accountable for understanding and complying with all security
policies, guidelines and procedures. As such, they must:
• Read and comply with Verisk’s Information Security Policy principles.
• Report breaches of security, actual or suspected, to their business owner management and/or
Verisk’s Help Desk in accordance with Verisk’s Incident Response Policy.
• Take reasonable and prudent steps to protect the security of all systems and data to which they
have access.

Verisk Security Council
Composed of individuals from Verisk’s business units, corporate functions and member companies. In
addition, the Security Council is represented by Verisk’s Information Technology and Risk &
Compliance’s Information Risk Officers. The Security Council members, on behalf of their respective
business units, ensure that Verisk’s Information Security Policies are adopted and consistently
followed. The Security Council formally meets on a monthly basis.

5. Information Security Education and Awareness


Employees must acknowledge and adhere to the Verisk Analytics Information Security Policy
Framework and any revisions to this framework and related policies as instructed by Management.

Management shall establish a program to disseminate information security training to employees upon
hiring and on a periodic basis. Appropriate training material should be developed based upon job
function, and additional training mandated for roles with information security responsibilities.

6. Acceptable Use
The purpose of Verisk’s Acceptable Use Policy is to establish the acceptable use of information
systems at Verisk and to ensure that these systems are used only for business purposes, serving the
interests of the company and of our clients and customers during normal operations. Inappropriate use
exposes Verisk Analytics to risks including virus attacks, legal issues, and a compromise of network
systems and services. Please review Verisk’s Employee Covenants for further details.

7. Data Classification
The classification of all data received, processed, produced and stored by Verisk and its member
companies is vital in determining what baseline processes and mechanisms are appropriate for
safeguarding that data.

Data shall be classified as to its sensitivity to the organization and security controls shall be applied
accordingly. Data shall be labelled and handled in line with its classification. Data Owners or their
assigned delegates should evaluate and assign appropriate classification based on the value and
sensitivity of the information in accordance with the Data Classification and Handling Policy.

8. Workforce Information Handling


Verisk’s Workforce Information Handling Policy defines the fundamental principles for the protection of
Workforce Personal Data that is collected, obtained, used, maintained, accessed, transferred,
transmitted, stored, disclosed, destroyed or otherwise processed during the course and after the
conclusion of the Workforce members’ employment with Verisk. Verisk is committed to ensuring the
privacy of Workforce member data by using it only for legitimate business purposes, treating such data
confidentially, and safeguarding it in accordance with Verisk’s Data Classification and Handling Policy.

9. Asset Management
All Verisk Information Assets shall be clearly identified, documented and regularly updated in a centrally
managed Configuration Management Database (CMDB). All such assets shall have designated
business, data, application and system owners. All Verisk Workforce shall use company assets in
accordance with Verisk’s Acceptable Use Policy, and assets shall be classified in accordance with
Verisk’s Data Classification and Handling Policy. Verisk’s Asset Management Policy pertains to all of Verisk’s
Information Assets, including but not limited to hardware and software, products and services,
applications, servers, workstations, mobile devices, networking devices, firewalls, phones, printers,
facsimiles and cabling plants. This includes assets managed on premises as well as those supported
by third-party hosting and cloud based services.

10. Identity and Access Management


All actions initiated by a member of Verisk’s workforce must be associated with a corresponding
“common identifier” (i.e., userID). Verisk’s Identity Management Policy defines the principles of
recognizing a Verisk workforce member’s unambiguous and auditable identity, through which the user
will be held accountable for all related activities throughout Verisk systems.

Information access shall be defined by a principle of least privilege and access rights shall be limited to
the minimum necessary to perform job functions. All employees shall be authorized according to
guidelines defined by Business Owners and Data Owners, in cooperation with the Global Security
Services in creation of appropriate rules and access controls.

Access to Verisk Analytics information shall be controlled through a managed process that addresses
authorizing, modifying and revoking access, as well as a periodic review of information system
privileges. All individuals must be authenticated prior to gaining access to any Verisk Analytics
information resources.

Details for access control processes and standards, as well as password control, reset and complexity
requirements are found in the Access Management Policy.

11. Database Security


Procedures shall be defined and implemented to ensure the integrity and consistency of all information
stored in electronic form such as databases, data warehouses and data archives. Sensitive data must be
protected in accordance with the Verisk Analytics Data Classification & Handling Policy. Data subject to
encryption must adhere to the Verisk Analytics Encryption Policy.

Data owners, application owners, system owners, product owners, and all others involved in the system
lifecycle must always know and fully document the location of all data - especially Protected Regulated
Information. Documentation must be updated continually. Database accounts used by DBAs for
administrative duties must be unique individual accounts, and not shared group accounts. Activities
performed by these accounts must be effectively monitored by independent personnel.

All multi-user, business critical or restricted databases must be inventoried at the appropriate level.
Additionally, some description of database contents is required; detailed descriptions will be required
when the database contains Protected Regulated Information (see Data Classification and Handling
Policy).

Servers and host systems on database and application hosts must be configured and administered
according to the Verisk Analytics Configuration Management Policy and System Hardening Standards.
This includes all changes to configuration, and any changes to the location of Protected Regulated
Information. The database software version must be currently supported by the vendor.

12. Encryption
Encryption shall be used, where required either contractually or by the Data Classification and
Handling Policy, to protect the confidentiality, authenticity and/or integrity of information. Management
shall implement cryptographic measures that are consistent with regulatory requirements for protected
information. Details of the specific principles related to encryption are found in the Encryption Policy.

13. Physical Security


All Verisk Analytics facilities and information resources, including data centers and storage facilities,
shall have appropriate physical access controls in place to protect them from unauthorized access.
Other protective measures, such as video surveillance of physical information resources and systems,
as well as safeguards against environmental hazards and electronic penetration, shall be maintained.

All computing and electronic devices, such as desktop computers, must be accompanied by an
authorization from the data owner when they are removed from a Verisk Analytics location.

To prevent loss, damage, theft or compromise, Verisk Analytics computer assets, physical media,
confidential documents, and mobile devices shall be handled in accordance with the Physical
Security Policy.

14. Software Use and Virus Protection


Software installed on any machine connecting to a Verisk Analytics or member company network must
only be used for business purposes. Employees are prohibited from using any unlicensed software as
well as freeware, streaming (i.e., stock ticker, news services, etc.), or peer-to-peer software without the
consent of Verisk Analytics’ VP of Information Security and Information Risk Management and
respective Business Owner.

Antivirus software must be installed on all Verisk Analytics workstations. Employees shall be prohibited
from disabling antivirus software and employees must report malware incidents to the Information
Security Incident Response Team for proper handling of potential or suspected viruses. The
Information Security Team is responsible for triage and remediation of malware incidents, per the
Information Security and Privacy Incident Response Policy.

15. Security Logging and Monitoring


Verisk Analytics will monitor and maintain logs recording user activities, exceptions, faults and security
events to allow for the detection and prevention of information security events. Logs shall be kept for
sufficient time to support investigation of suspicious events and logs shall be regularly reviewed, in
accordance with the Security Logging and Monitoring Policy and regulatory requirements.

Logging software, tools, facilities and log information shall be protected against tampering and
unauthorized access. The system clocks of information processing systems shall be synchronized to
a single authoritative time source so that log timestamps can be correlated.

16. Configuration Management


Systems components, including operating systems, database management systems, network devices
and applications, shall be implemented in accordance with established guidelines to ensure security
parameters, services, protocols and ports are configured in line with established industry security
baselines. A summary of requirements can be found in the Configuration Management Policy and
Minimum Baseline Hardening Benchmarks.

17. Vulnerability and Patch Management


Technical vulnerabilities for all information systems being used shall be monitored to ensure that the
organization’s exposure to such vulnerabilities is evaluated and appropriate measures taken to address
the associated risk in a timely manner in accordance with the Vulnerability and Patch Management
Policy.

A standard procedure and system shall be deployed for the monitoring and controlled deployment of
system patches and updates according to a defined software lifecycle. A change control process
should be documented to accurately account for software configuration control and monitoring.

18. Risk Management


Risk assessments shall be completed annually, in accordance with the development lifecycle method.
Risk assessments shall also be completed upon major changes to the Verisk Analytics organization or
infrastructure environment. The results of the assessment must be communicated to the business, and
a summary of all risk acceptances or mitigations achieved must be documented.

19. Incident Management


The Information Security Organization shall implement processes and controls that monitor, identify,
respond to, and remediate incidents that threaten Verisk Analytics information systems, services and
supporting processes. An information security incident is defined as any event or activity that threatens
the confidentiality, integrity and availability of Verisk Analytics information systems. An information
security event is defined as any measurable occurrence out of the norm. It is the responsibility of all
individuals to formally report information security events and incidents.

Verisk Analytics and its member companies must adhere to the Verisk Analytics Information Security
and Privacy Incident Response Policy. State notification laws and mandates may override the
notification schedule documented in this policy.

20. Network Security


Verisk Analytics shall employ measures to ensure the protection of information in networks and its
supporting information processing facilities. Security measures shall be deployed to provide network
connection control, authentication and encryption as defined in the Network Policy as well as the
network device Minimum Baseline Hardening Benchmarks configuration documents. Grouped or
segregated networks shall be established for information services, systems and information users
based on security requirements.

Exchange of information between Verisk Analytics and other organizations shall be protected by
adequate information security controls. This includes, but is not limited to, communications pertaining
to industries with applicable laws, rules and regulatory requirements.

Communication resources shall be used for business purposes only. Any form of instant messaging
which travels outside of Verisk Analytics’ network is strictly prohibited.

21. Firewall Management Policy


The purpose of Verisk’s Firewall Management Policy is to describe security-related controls necessary
to ensure the effective implementation and monitoring of firewalls deployed throughout Verisk’s
networks. This policy describes the technical and administrative standards required to effectively
manage firewalls. This includes the specific roles and responsibilities for implementing, maintaining,
and monitoring firewall controls.

22. External Connection Authorization


Direct connections to entities external to Verisk are required for business operations. These
connections are typically to provide access to vendors or customers for service delivery. Since Verisk’s
Information Security Policies do not extend to the users of the third parties' networks, these
connections can present a significant risk to Verisk’s network. The purpose of Verisk’s External
Connection Authorization Policy is to provide principles and guidelines for deploying and securing direct
connections to third parties.

23. Cloud Services Security


The Scope statement of this Framework indicates that information that is physical, electronic, and
processed and stored either by Verisk managed processing facilities or vendor and cloud-based service
providers must adhere to Verisk’s Information Security Policies. Verisk’s Cloud Services Security Policy
mandates that for cloud services to be deployed, specific approval of Verisk business, finance and
technology must be obtained. It is imperative that Verisk employees do not open cloud services
accounts or enter into cloud service contracts for the storage, manipulation or exchange of company-
related communications or company-owned data without the approval of the Enterprise Security
Architecture Review Board. This policy pertains to all external cloud services, e.g. cloud-based email,
document storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-
Service (PaaS), etc.

24. Wireless Networking


Verisk Analytics and its member companies must adhere to the Verisk Analytics Wireless Policy.
Throughout Verisk Analytics’ locations, only approved wireless equipment may be implemented.
Accordingly, wireless connectivity may only be implemented and supported by approved personnel.
Unapproved wireless access devices, such as rogue access points connected to the production
network, are strictly prohibited. For resiliency, mitigating controls shall be put in place to prevent
rogue access points from operating and to limit their negative impacts.

Wireless networks shall be segmented, and shall require appropriate authentication mechanisms and
logging capabilities, defined in the Identity Management Policy, Access Management Policy, and
Security Logging and Monitoring Policy.

25. Secure Development


Information security requirements shall form an integral part of the systems development lifecycle,
including requirements for information systems that provide services over public networks, i.e. the
Internet. System development shall follow processes that ensure secure coding practices, application
vulnerability scanning, and formal change control procedures addressing the documentation, approval,
testing and implementation of changes. As stated in the Secure Development Policy, the objective of
secure development is to mirror the production environment, including its security requirements, using
only approved processes and procedures.

Systems in development and/or testing environments shall be segmented from production networks
and information systems. Access to these segmented networks and development systems shall be
limited to approved personnel only.

All Verisk Analytics information systems and software implementations are subject to the requirements
defined in the Minimum Baseline Hardening Benchmarks.

26. Vendor Risk Management


Information security requirements shall be established and agreed with any Vendor that can access,
process, store or communicate Verisk Analytics’ information, or that provides IT infrastructure
components for it. Assets accessible by Vendors shall be protected according to the requirements
outlined in the Data Classification and Handling and Access Management Policies.

As stated in the Vendor Risk Management Policy, Vendors shall be regularly monitored, reviewed and
audited by Verisk Analytics, including due diligence before Vendors are engaged. Vendor connections
to Verisk Analytics and subsidiary networks are prohibited unless approved by the Business Unit Heads
and Verisk Analytics’ VP of GSS, according to a standard method of evaluation and appropriate risk
assessment activities.

27. Mobile Communications


All mobile devices connecting to Verisk Analytics resources are subject to the Mobile Device and BYOD
Policies. WiFi hotspot functionality, as found on various Android, Apple iOS and other mobile devices,
as well as 4G mobile WiFi devices, is prohibited in Verisk Analytics office spaces unless express
approval is obtained from Verisk Enterprise Risk and Compliance. Theft or loss of a company mobile
asset is considered an information security incident.

Remotely accessible Verisk Analytics information assets, including but not limited to web-accessible
resources and file sharing systems, must be secured with encryption and authentication consistent with
the framework in Verisk’s Access Management Policy document.

28. Data Storage and Archiving


All Verisk information stored on internal or third party-managed storage devices must be periodically
backed up with an approved backup system. Data Owners are responsible for defining the specific
information they need to back up and coordinating with their associated information technology
operations to verify that the backup process conforms to their requirements.

Employees should consult regulatory requirements and the Data Classification and Handling Policy
when backing up individual information. All media should be sanitized and handled according to the
Verisk Analytics Data Classification and Handling Policy.

29. Data Destruction and Disposal


The sanitization of all media containing Verisk Information provides assurance that Verisk information
cannot be retrieved or reconstructed while these devices are either being redistributed or retired from
use. Verisk’s Data Destruction and Disposal Policy is based on the NIST 800-88 Guidelines for Media
Sanitization to ensure compliance with internal and external regulations, and to uphold Verisk Analytics’
reputation with our clients. All media subject to destruction and disposal should be sanitized and
handled in accordance with the related information classification, consistent with Verisk’s Data
Classification and Handling Policy.

30. Business Continuity Management


Verisk Analytics’ critical business processes and information resources shall have formally developed
contingency plans that provide for the prompt and effective continuation of critical services in the event
of a service disruption. Details for determining each business unit’s contingency plans, backup and
recovery requirements can be found in Verisk’s Business Continuity Management Policy.

31. Backup Management


Verisk Analytics Business Units and Functional Areas are required to:
• Create and manage a data backup plan in accordance with the Verisk Business Continuity
Management Policy and applicable laws and regulations, including, but not limited to, coordinating
disaster recovery plans.
• In cooperation with Verisk Legal, determine retention periods for all data under their ownership and
management.
• Develop and maintain sufficient documentation and logging procedures for all data under their
ownership and management.
• Maintain an accurate and up-to-date Information Asset inventory in accordance with the Verisk Asset
Management Policy.

32. Policy for Acceptance of Credit Card Payments


Verisk Analytics maintains a strict policy regarding the collection, management and use of credit and
debit card information and other personal financial data. This information is classified as Protected
Regulated Information as per Verisk’s Data Classification and Handling Policy and may only be handled
by a limited number of authorized team members in specific positions as designated by either the
Business Unit Head (for their respective business unit) or Verisk’s Chief Financial Officer. Verisk’s
Policy for Acceptance of Credit Card Payments provides guidance on accepting credit card payments
for authorized transactions and invoices, and for consistently and diligently protecting this information
against unauthorized usage or disclosure.

33. Bring Your Own Device (BYOD) Policy


Verisk’s BYOD policy was established to permit employees and other members of the workforce to
bring personally owned mobile devices (smart phones and tablets) to their workplace, and use those
devices to access company e-mail systems, including calendars, tasks, and notes. The BYOD program
requires compliance with Verisk Information Security and other company policies to effectively protect
company information sent to, accessed, and stored on those devices. All eligible members of Verisk’s
workforce must understand their agreements and consents when they choose to use their own devices
for their convenience. Program participation is at the discretion of each operating and functional unit,
based on consideration of the risks and benefits to their respective organization. Specific objectives and
requirements can be found in Verisk’s Bring Your Own Device (BYOD) Policy, Workforce Member
Agreement and Policy Guidance.

34. Clean Desk Policy


The purpose for this policy is to ensure that all sensitive/confidential materials are removed from
an end user workspace and locked away when the items are not in use or a member of Verisk’s
Workforce leaves his/her workstation. This policy establishes the minimum requirements for
maintaining a “clean desk”, where sensitive/confidential information about our employees, our
intellectual property, our customers and our vendors, as defined in Verisk’s Data Classification and
Handling Policy, is secured in locked areas and kept out of sight. Verisk’s Clean Desk Policy is a
standard practice under frameworks such as NIST 800-53, the SANS Top 20 and ISO 27001/17799,
and it is also part of standard basic privacy controls.

35. Compliance
Verisk Analytics recognizes its burden to exercise due care for the safeguarding of data in its custody
including, but not limited to, Personally Identifiable Information (PII), Protected Health Information (PHI),
and Verisk Analytics Intellectual Property. To this end, and for overall assurance of the confidentiality,
integrity and availability of Verisk Analytics information systems, an independent review of compliance
with this Policy shall be conducted on a regular basis.

Verisk Analytics must adhere to applicable Data Privacy provisions of the following federal laws:
Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA); Fair
Credit Reporting Act (FCRA); and the Payment Card Industry (PCI) standard. This is not intended to
be an exhaustive list; other applicable federal, state or local laws must similarly be complied with.

Further, all employees shall comply with relevant national and local legal, regulatory and contractual
requirements. Any Verisk Analytics employee who does not comply with this policy may be subject to
disciplinary action, up to and including termination. Access to Verisk Analytics’ information systems
and resources is a privilege, not a right, and may be revoked or suspended at any time.

36. Exceptions
While our intent is to operate in compliance with enterprise policies, on occasion extenuating
circumstances prevent full compliance. In these circumstances, policy exceptions and acceptance of
high-risk conditions require formal review and approval by the business unit head and by the
Enterprise Risk Management Committee (ERMC). For the definition and required actions, see section
5.4 - Policy Exceptions and Risk Acceptance and Appendix B of the Verisk Risk Policy.

37. Enforcement
Global Security Services is responsible for enforcing this policy. Any member of the Verisk Analytics
workforce found to have violated this policy may be subject to disciplinary action up to and including
termination of employment.

Appendix A: General Disclosure Statement


• Unless specifically stated otherwise, all programs, data and documentation received,
developed, stored and/or transmitted by employees are the property of Verisk Analytics. Verisk
Analytics reserves the right to examine all information received, stored and/or transmitted by
Verisk Analytics or its member companies’ systems including but not limited to email and
Internet activity.
• Employees should have no expectation of privacy with regard to the access or use of these
systems, data or resources. Willful or intentional misuse of Verisk Analytics or its member
companies’ systems and data can result in termination of access privileges as well as
disciplinary action. In addition, this Information Security Policy reinforces the Verisk Analytics
Employee Covenants.
• All information belonging to Verisk Analytics and/or third parties that is deemed private, confidential,
sensitive, or proprietary (refer to the Data Classification and Handling Policy), which includes but is
not limited to Personally Identifiable Information (PII) or Protected Health Information (PHI),
must be treated as such unless disclosure is expressly authorized by Verisk Analytics Management,
the Data Custodian, a disclosing party or by Law.
• Employees must use reasonable and prudent measures to protect all data from accidental or
intentional damage, modification, destruction or unauthorized disclosure. Moreover, Employees
must ensure data integrity, reliability, and availability in accordance with this Information
Security Policy, the Verisk Analytics Information Security Best Practice document, signed
contractual agreements, and local, state and national laws.
• Prior to or immediately upon separation of employment, all data in the possession of the
Employee must be returned intact and without compromise according to any policies contained
herein, expressed or implied. Upon receipt, this information will be handled or stored in
accordance with the policies contained in this document.
• Changes, questions or concerns regarding this Information Security Policy should be directed
to Verisk Analytics’ VP of Information Security and Information Risk Management by email
to infosec@iso.com.
