Maintaining the security and privacy of our customers’ confidential data is one of our highest priorities.
This sets forth the administrative, technical and physical safeguards (“Controls”) Dun & Bradstreet takes to protect customer information. Dun & Bradstreet may update these Controls from time to time to reflect changes in Dun & Bradstreet’s security posture, provided such changes do not materially diminish the level of security herein provided. These Controls have been reasonably designed to protect the confidentiality, integrity and availability of customer information against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Services. Dun & Bradstreet maintains security policies, standards, and procedures designed to safeguard the processing of sensitive information by Dun & Bradstreet's employees and contractors in accordance with these Controls.
The D&B control environment reflects the overall attitude, awareness, and actions of corporate governance, management, and D&B employees concerning the importance of controls and their emphasis within the organization. The control environment at D&B begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company’s core values and ethical principles and tone at the top which establishes its guiding principles.
D&B strongly values our relationships and the trust of our customers and partners. In today's high-technology environment, we understand an adaptable and agile security program is vital to the integrity of our business, and the privacy and security of confidential and proprietary data is one of our highest priorities. We evaluate and evolve our security, integrity, availability, and confidentiality controls to keep up with the Existing Line threat landscape. D&B’s control environment represents the collective effort and effect of various factors on the establishment, enhancement, or effectiveness of specific risk-mitigating controls.
D&B has designated a Chief Cybersecurity and Technology Risk Officer who oversees our Global Information Security program. The Global Security and Risk team works with lines of business across the company, providing a corporate-wide information security strategy to support business objectives and minimize the likelihood and impact of security incidents to our information assets and that of our customers and third parties.
D&B safeguards networks, systems, applications and data using security in-depth people, process and technologies aligned with globally recognized standards. D&B has policies, standards and procedures in place to validate and enforce security controls. Additionally, we have an independent auditor certify a SOC2 Type 2 attestation annually, demonstrating operational effectiveness of controls (available under mutual NDA).
D&B is committed to our customers’ security, availability and confidentiality when using our products and services. D&B also annually certifies to the ISO/IEC 27001:2022 Information Security Management Systems (ISMS) standard at multiple locations. In addition, D&B annually undergoes PCI, SIG and CAIQ attestations.
D&B classifies its data as Public, Commercial in Confidence, Internal Use Only, Restricted Confidential, and Restricted Sensitive. This data is data that D&B acquires, processes, and offers in products for customers to use as a solution to their business needs. The permissible use of this data must be understood before using it. We safeguard this data by using a combination of preventative and detective technologies such as encryption and intrusion detection systems. Alongside these security measures, we have policies and procedures in place to validate and enforce our security controls. Access to this data is restricted to authorized personnel by physical and logical access controls.
The Global Security and Risk team members and activities are structured under a framework consisting of the following domains and controls:
People
At Dun & Bradstreet, security is everyone's responsibility, and we understand it all starts with our employees. We perform background checks on employees upon hiring. From the start, our employees are provided a custom designed security training and annually thereafter. Throughout the year, we undertake to share and reinforce security best practices, including annual security awareness training, to keep our employees up to date on the latest trends.
Policies & Procedures
Policies, standards, procedures, and guidelines are a critical component of governance at Dun & Bradstreet. They provide the structure and rules around which the organization, and subsidiary organizations operate. Policies are reviewed with appropriate owners for alignment with business objectives and their continuing suitability, adequacy and effectiveness.
This approach achieves greater alignment with various regulations and improves our capability to address the security threats we face. The policy set references external frameworks for cybersecurity standards and incorporates elements as appropriate, including alignment with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 270001 Information Technology Family of Standards.
D&B conducts an annual policy review and re-certification program to ensure our policies, standards and procedures align to industry best practices and support D&B's business objectives and obligations. Revised policies are published on the Company intranet following management’s approval, so employees can easily access the policies from their desktops. Significant changes to policies are communicated as necessary via meetings, emails, presentations, the Company Intranet, and/or companywide communications.
In addition to our policies, we also maintain compliance processes that address the processing of protected data to comply with applicable statutory, regulatory, contractual, and security requirements. Documented data disposal policies are in place to guide personnel on the procedure for secure disposal of data.
Access rights and privileges necessary to perform a user’s job function is granted in accordance with:
Authorized users are required to identify and authenticate to the network, applications and platforms using their user ID and password. User and device authentication to information systems is protected by passwords.
Upon employee termination, access to the products and systems is revoked.
Multi-factor authentication is required for remote sessions and administrative access to environments that host production systems. Furthermore, the highest levels of privileged access to systems, such as D&B Domain Controllers, is controlled by our Privileged Access Management system.
Network connections are protected through a combination of security controls for the protection of data and systems. These are based on the type and purpose of the connection and include, but are not limited to, network segmentation, deployment of firewalls and other security appliances, and appropriate authentication mechanisms.
D&B seeks to control information access available through the network to avoid unauthorized access while allowing secure access to authorized users and systems. D&B maintains measures to log activity and network traffic and centrally store it using industry standard or vendor specific collection mechanisms.
The implementation of new networking devices (i.e., routers, switches, firewalls) or components of networking systems follows a formal change management process and is approved by Technology Operations and Global Security & Risk teams. Devices deployed in the D&B network are configured to meet security requirements for their individual purposes (internal, public facing, demilitarized). Non-essential services on network devices are disabled or removed.
Direct public access between public networks (e.g. internet) and any internal D&B network is restricted. Traffic, inbound and outbound, from untrusted networks (including guest and external wireless connections) and hosts is restricted.
Wireless and remote access to outside individuals are identified, inventoried, and managed.
At Dun & Bradstreet, data security controls are considered crucial to ensure customer data is securely transmitted, stored, replicated, backed up, and recovered. We aim to adopt best practices to secure data in transit and at rest by implementing industry standard encryption and key management techniques, in accordance with the applicable data privacy regulations.
D&B seeks to monitor access to data and encryption keys for deviations or anomalies through machine learning approach coupled with periodic re-certification to ensure compliance with audit requirements.
Servers, workstations and mobile devices are included under the scope of monitored devices. Protection for data on laptops is using full disk encryption. Anti-malware software is targeted across platforms (workstations and servers) that are susceptible to compromise. Logging and monitoring of our assets helps manage compliance with company security and privacy policies.
Use of removable electronic media is restricted.
Configuration Standards are developed and reviewed annually. Security reviews are conducted on configuration baselines periodically for compliance. Vendor recommendations and industry best practices are considered.
D&B Application security follows a holistic approach to protect user data and system integrity. This can include robust authentication and authorization mechanisms, adherence to secure coding practices, data encryption at rest and in transit, strong input validation. We also focus on regular security testing and monitoring for anomalies.
D&B pursues to continuously patch application vulnerabilities and are further supported by a strong incident response team. We take arduous effort in educating the team, adhering to privacy regulations, and strive to maintain a proactive stance to address emerging threats effectively.
API strategy at D&B is guided by clear security guidelines that integrate with our business objectives. To this end, D&B seeks to implement established API security standards that safeguard the integrity and confidentiality of APIs and our customer data. D&B uses strong authentication and authorization mechanisms, secure communication protocols like HTTPS, proper input validation, protection against common vulnerabilities (e.g., SQL injection, XSS), rate limiting and throttling to prevent abuse.
Additionally uncompromising software supply chain security at D&B aids the integrity and trustworthiness of software components throughout their lifecycle. We vet third-party libraries in use internally and our approach prioritizes mitigation of risks to push for secure software promotion from development to deployment.
D&B investigates incidents relating to integrity, availability, confidentiality and privacy and manages real or suspected breach of security of D&B information systems in a timely, coordinated fashion in line with our Incident and Breach Response Policy while complying with applicable laws and regulations.
D&B has developed and maintains practices which establish Incident classification and prioritization based on the severity of the Incident and the sensitivity of affected systems and data. To support these efforts, D&B has implemented and monitors alerts as part of its detection capability. Investigation of alerts and Security Events, including events related to availability and confidentiality, are conducted as quickly as possible. Confirmed incidents are declared based on the outcome of the investigation.
Monitoring tools are in place to measure usage. Alerts are reviewed to determine if corrective action is required. In the event additional information assets are required to address usage needs, they will be deployed in accordance with formal asset deployment and change management policies. Audit logs seek to record significant information security-relevant activities and events in the D&B systems.
D&B Cyber Threat Intelligence and Hunt employs a vigilant strategy to safeguard D&B Information Technology assets against ever-present threat of malicious cyber actors. Using a proactive approach to security, Cyber Threat Intelligence collaborates with Security Operations and Incident Response, Vulnerability Management Team, Global Compliance and Ethics, and Governance Risk and Compliance to diligently assess and anticipate both current and emerging risks. Cyber Threat Intelligence monitors and understands the adversarial cyber landscape and tracks emerging and known malicious cyber actors. This holistic approach helps D&B resilience in the face of cyber threats, fortifying our defenses and preserving the integrity of the digital landscape.
Threat hunt adopts a proactive stance in fortifying our cybersecurity defenses against malicious threats. It works in coordination with Security Operations and Incident Response, Vulnerability Management Teams, and Cyber Threat Intelligence to identify and mitigate both present and future cyber risks. Threat Hunt operations assumes breach and uses in-depth knowledge of adversary tactics, and security telemetry to identify emerging risks without the aid of automated alerts. Hunt operations and investigations are designed to find adversaries that have evaded the current security tools and posture.
Our cloud security strategy is built on a foundation of "secure by default" principles, with a relentless focus on continuous improvement and a commitment to securing our digital transformation in the cloud. Through this approach, we provide a secure, resilient, and trustworthy cloud environment that enables our clients to achieve their business objectives with confidence.
Our approach to cloud security is central to our cybersecurity strategy, underpinning the trust and reliability our clients have come to expect. Embracing a "secure by default" strategy, we strive to ensure that every aspect of our cloud environment, from infrastructure to applications, is built with security as the foundational principle. This strategy means that every service and deployment is configured to the highest security settings from the outset, reducing the risk of vulnerabilities and ensuring the protection of data across all cloud operations.
Recognizing that the threat landscape is dynamic and constantly evolving, our cloud security framework is designed for continuous improvement. We actively monitor emerging threats and apply cutting-edge security technologies and practices to adapt and respond swiftly. This proactive stance allows us to stay ahead of potential risks, ensuring that our defenses remain robust, and our clients' data is protected against the latest security threats.
The Threat and Vulnerability Management (TVM) team regularly identifies and monitors vulnerabilities through vulnerability scans, penetration tests, intelligence reports, vulnerability feeds, and third-party reporting. We seek to assign severity ratings to to all identified threats and vulnerabilities determined by the likelihood and impact ratings aligned with standards and D&B policy. The company attempts to prioritize remediation basis these severity ratings. This is achieved by documenting vulnerabilities as per the severity levels and assigning remediation tasks to appropriate teams.
D&B maintains a robust Security Awareness Program that focuses on ensuring our employees and contractors adhere to industry best practices. The program includes training on phishing awareness and other topics that cover the emerging threat landscape. All employees are required to complete Security Awareness Training, Code of Conduct and Ethics and Privacy Data, AI Ethics and Compliance training on an annual cadence. D&B also conducts periodic Phishing simulations and subsequent targeted training to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
The D&B Third-Party Compliance process follows a defined global procurement and risk management lifecycle framework across selection, onboarding, monitoring and termination of the relationship. D&B adheres to documented third -party cyber security policies and standards. Our commitment to protecting all of D&B and customer data are set forth to govern security and due diligence requirements (which include compliance, privacy and technology) for third parties (including our vendors and World-Wide Network Business Partners) doing business with Dun & Bradstreet. Our program takes a holistic approach to third party security. The program includes a risk-based approach and monitoring program with proactive engagement throughout the lifecycle of a third party's relationship with D&B. Third parties are required to comply with our Information Security policies, standards and procedures applicable to the service being provided.
Through continual assessments, we identify potential threats and their impacts to the business, then develop plans for mitigation. Dun & Bradstreet has an established business continuity policy and program that creates actionable solutions with a focus on continuous improvement and business resiliency. Our business continuity and disaster recovery strategies and plans are developed to address events such as natural disasters (earthquakes, hurricanes, pandemics, etc.) and manmade disasters (political unrest, terrorism, etc.). Our plans follow industry best practices such as the Disaster Recovery Institute International and Business Continuity Institute guidelines and materially align to industry standards.
Our physical security standards are designed to restrict unauthorized physical access to data center resources and D&B's locations where sensitive data is stored or processed. Enterprise systems and network infrastructure components are physically located in controlled access areas. The controls may include limited access points, access readers, access monitored by surveillance cameras, and only authorized personnel allowed access.
With our hosted data center providers, the identification, detection and protection for physical and environmental threats (infrastructure, data, and software), are managed through third party compliance requirements and service level agreements.
‘Data Security & Resiliency’ is one of the core principles our responsible Artificial Intelligence program. Please refer D&B’s AI Systems for our approach to Trustworthy AI.
There are multiple Contact Forms popups in the page. Only one Contact Form popup could be present on single page. Please reconfigure Contact Forms and refresh the page.