Year in Review 2022
Comscore maintains a dedicated team of security professionals who hold Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) certifications. The team's responsibilities include vulnerability management, security incident response, and implementing and managing information protection technologies.
Comscore develops, monitors, and enhances security controls in accordance with ISO 27001 best practices:
Comscore has implemented and manages several information protection technologies, as appropriate:
Information Security Policies
Do you have a security policy?
Yes, Comscore maintains and updates several security-related policies in alignment with ISO 27001 best practices as noted below.
Do you communicate your policies to employees?
Yes, Comscore makes its policies available to all employees and contractors and conducts annual security training that includes testing employees on policy content.
Organization of Information Security
What security framework is your organization based on?
Comscore bases its security program on the ISO 27001:2013 control framework. The program is also audited as part of our SOX, MRC, and SOC 3 engagements.
Human Resource Security
Do you conduct background checks on your employees and contractors?
Yes, where allowed by law. For contractors, we do not conduct background checks on personnel brought on through agencies, which do their own background checks. For direct, non-agency contractors, we conduct the background checks ourselves.
Do you require your employees to sign non-disclosure agreements?
Yes, where allowed by law; this typically occurs prior to employment.
Is security awareness training provided to your employees?
Yes, Comscore has developed a Security Awareness Training Program. Security awareness is delivered to Comscore employees using a multi-pronged approach. Primary training is computer-based and is delivered through the Comscore Learning Management System (LMS); employees complete the initial training during onboarding. Awareness is reinforced through newsletters, posters, and emails, and policies are posted on an internal SharePoint site.
Do you support an asset management process?
Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)?
Yes, per Comscore's IT Asset and Media Disposal Policy, which is reviewed by our external auditors.
Are strong passwords in use?
Yes, Comscore has policies that determine and enforce password strength, history, as well as the prohibition of sharing user passwords and access.
What network access controls do you support?
We operate a multi-tier firewall architecture built on stateful inspection firewalls. All external access is mediated through an Internet DMZ, and access to internal networks is restricted to authorized applications.
Is your remote access VPN subject to two-factor authentication?
Do you encrypt data in transit?
Yes, TLS or an IPsec VPN is used to protect data in transit. Our policy requires encryption of data in transit over any public network.
Do you encrypt data at rest?
Yes, full-disk encryption is required on client devices. Server-side encryption is limited to regulated, personal, or sensitive information. 256-bit AES is used to encrypt data at rest.
How do you manage your encryption keys?
Our encryption keys are stored in a FIPS-compliant key vault with a redundant, fail-safe architecture.
Physical and Environmental Security
How do you ensure that your third party data centers are secure?
Comscore conducts security reviews of its data center providers and also reviews and relies on independent third party audits, such as SOC 1, 2 or 3, or ISO 27001.
Is access to Comscore's third party data centers restricted and controlled?
Yes. For the data centers to which Comscore has physical access (AWS, for example, does not allow customers onsite access to its data centers), Comscore restricts access to key personnel and conducts periodic access reviews. Physical access controls include, but are not limited to: multi-level physical security architecture; card reader access control; mantraps; multi-factor authentication, including PIN and biometric; and 24x7 monitoring/CCTV surveillance.
What operational technologies does Comscore deploy to protect data?
We have implemented and manage several information protection technologies:
Do you regularly review logs?
Yes, Comscore uses a Security Information and Event Management (SIEM) platform to aggregate logs and detect security threats and anomalies in our environment.
Are wireless connections encrypted and authenticated?
Yes, only company owned and managed devices are permitted on the corporate wireless LAN. All other devices are restricted to an isolated guest network permitting access only to the Internet. We utilize industry standard wireless encryption (WPA2).
Are email exchanges encrypted?
Yes, our e-mail gateways leverage SMTP over TLS.
System Acquisition, Development and Maintenance
Is security addressed in SDLC and QA processes?
Comscore utilizes a formal Security Development Life Cycle process to ensure security is addressed throughout the development process. Comscore developers also undergo developer security training.
How will you monitor your third parties/subcontractors to ensure they meet security standards?
Comscore performs a full security and privacy screening of all its suppliers; ongoing monitoring and review is risk-based.
Do you require the use of confidentiality or non-disclosure agreements with vendors?
Security Incident Management
Are incident reporting policies and procedures in place?
Yes, Comscore's Incident Response policy and procedures ensure an incident is promptly investigated, contained, remediated, and reported internally and externally, as appropriate, including required regulatory notifications, subject to required approvals. Our process formally defines roles and responsibilities, incident severity criteria, required notifications, and the tooling used to detect indicators of compromise. An Incident Coordinator oversees the incident response process. A Computer Security Incident Response Team (CSIRT), composed of technical application and infrastructure experts, is engaged to investigate and remediate incidents.
Business Continuity/Disaster Recovery
Are Comscore services recoverable in the event of a disaster?
Data is replicated to a standby facility and/or backed up to tape, depending on the recovery time objective (RTO) and recovery point objective (RPO) of the service. Disaster recovery plans are documented and regularly tested via table-top exercises and an annual parallel test. Backups consist of weekly full and daily incremental backups, and tapes are stored offsite.
Do you have a BC/DR Plan?
Yes, it is regularly reviewed, updated, and approved by management.
Is there an independent third party review of Comscore's information security program?
Comscore's security and privacy programs are certified to the ISO 27001 (security) and ISO 27701 (privacy) standards. Our ISO certificate is available upon request (an MNDA is required to release it).
Does Comscore comply with GDPR and other privacy regulations?
Yes, as noted on our Privacy and GDPR pages.
How does Comscore protect Personal Information?
Comscore protects PI data using the following techniques, depending on the needs of the application: sanitization, masking, hashing, anonymization, pseudonymization, and encryption (256 bit AES).
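The techniques listed above differ in what they preserve and what an attacker can undo. As an added example that is not Comscore's code, the Python below contrasts masking, an unkeyed hash, and keyed pseudonymization (HMAC-SHA256) on constructed sample e-mail addresses: an unkeyed hash of a low-entropy field is re-identified by simply hashing guessed values, while a keyed pseudonym can only be linked by someone holding the key. The key in `demo()` is generated locally as a stand-in for one fetched from a key vault, and the function and variable names are this example's own, not anything the page describes. Encryption is omitted because AES is not in the Python standard library.

```python
"""Masking, hashing and keyed pseudonymization of personal information.

Added example, not Comscore's code. The sample records are constructed
and the key is a local stand-in for one held in a key vault.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records standing in for personal information (PI).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def mask_email(addr: str) -> str:
    """Masking: keep the first character of the local part and the domain,
    replace the rest of the local part with '*'. Irreversible, but the
    result still reveals the domain and cannot serve as a join key."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Deterministic, so it works as a join key, but anyone
    can recompute it for guessed inputs (see recover_by_guessing)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonymization with HMAC-SHA256. Deterministic under one key,
    so records can still be linked, but without the key a guessed input
    cannot be checked against the token."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 256 bits")
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_by_guessing(token: str, candidates: Iterable[str],
                        fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: try to re-identify a token by applying fn to each
    candidate value and comparing. Returns the matching candidate or None."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), token):
            return cand
    return None


def demo() -> dict:
    """Run the three techniques against one constructed record."""
    key = secrets.token_bytes(32)        # stand-in for a key fetched from the vault
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key has
    target = "bob@example.org"
    return {
        "masked": mask_email(target),
        # Unkeyed hash: the attacker's candidate list recovers the address.
        "plain_hash_reidentified": recover_by_guessing(
            plain_hash(target), SAMPLE_EMAILS, plain_hash),
        # Keyed pseudonym: the same candidate list fails without the key.
        "hmac_reidentified_without_key": recover_by_guessing(
            pseudonymize(target, key), SAMPLE_EMAILS,
            lambda v: pseudonymize(v, wrong_key)),
        # Same key, same token: records remain linkable by the key holder.
        "hmac_stable_under_same_key":
            pseudonymize(target, key) == pseudonymize(target, key),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for data handling: a bare hash of an e-mail address, phone number or similar guessable field is pseudonymous at best and should be treated as personal data; keyed pseudonymization moves the re-identification risk onto the key, which is why the key belongs in the vault alongside the encryption keys rather than next to the data.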
If you believe you have found a security vulnerability or need to report a security issue, please submit the form below. A member of our security staff will review your issue and get back to you. We request that you do not share or publicize an unresolved vulnerability to or with third parties.