Information Security Exhibit
Version 2.1
Updated July 2023
These terms supplement the Data Processing Agreement (“DPA”) between Pearson and Client. Capitalized terms not otherwise defined in this document have the meanings assigned to them in the DPA.
Pearson has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Client Data (“Information Security Program”) and against accidental loss or destruction of, or damage to, Client Data. Pearson’s Information Security Program shall include specific security requirements for its personnel and all subcontractors, Pearson, or agents who have access to Client Data (“Data Personnel”). Pearson’s security requirements shall cover the areas below.
1. Information Security Policies and Standards. Pearson will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Client Data. These policies, standards, and procedures shall be designed and implemented to:
a) Prevent unauthorized persons from gaining physical access to Client Data (e.g. physical access controls);
b) Prevent Client Data from being used without authorization (e.g. logical access control);
c) Ensure that Data Personnel gain access only to such Client Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, Client Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
d) Ensure that Client Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Client Data by means of data transmission facilities can be established and verified (e.g. data transfer controls);
e) Ensure the establishment of an audit trail to document whether and by whom Client Data has been entered into, modified in, or removed from Client Data Processing (e.g. entry controls);
f) Ensure that Client Data is Processed solely in accordance with Client’s Instructions (e.g. control of instructions);
g) Ensure that Client Data is protected against accidental destruction or loss (e.g. availability controls);
h) Ensure that Client Data collected for different purposes can be Processed separately (e.g. separation controls);
i) Ensure that Client Data maintained or processed for different customers is Processed in logically separate locations (e.g. data segregation);
j) Ensure that all systems that Process Client Data are subject to a secure software developmental lifecycle; and
k) Ensure that all systems that Process Client Data are the subject of a vulnerability management program that includes, without limitation, internal and external vulnerability scanning with risk-rated findings and formal remediation plans to address any identified vulnerabilities.
2. Physical Security
a) Physical Access Controls. The Pearson Services are hosted in a datacenter located at nondescript facilities owned and operated by a third-party hosting provider (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
b) Limited Employee and Contractor Access. Pearson’s hosting provider provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to them, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Pearson’s hosting provider or its Affiliates.
c) Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Pearson’s hosting provider also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
3. Organizational Security. Pearson will maintain information security policies and procedures addressing:
a) Data Disposal. Procedures for when media are to be disposed of or reused have been implemented to prevent any subsequent retrieval of any Client Data stored on media before they are withdrawn from Pearson’s inventory or control.
b) Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Client Data stored on media.
c) Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
d) Incident Response. All Client Data security incidents are managed in accordance with appropriate incident response procedures.
e) Encryption. All Client Data is stored and transmitted using industry standard encryption mechanisms and strong cipher suites, such as AES-256.
4. Network Security. Pearson Services are hosted in a datacenter located at nondescript facilities owned and operated by a third-party hosting provider. Pearson does not maintain an internal network. The Pearson engineering team makes use of industry standard virtual private networks (“VPN”) to manage infrastructure resources and access the Pearson Services.
5. Access Control (Governance)
a) Pearson governs access to information systems that Process Client Data.
b) Only authorized Pearson staff can grant, modify or revoke access to an information system that Processes Client Data.
c) User administration procedures are used by Pearson to: (i) define user roles and their privileges; (ii) govern how access is granted, changed, and terminated; (iii) address appropriate segregation of duties; and (iv) define the requirements and mechanisms for logging/monitoring.
d) All Data Personnel are assigned unique User IDs.
e) Access rights are implemented adhering to the “least privilege” approach.
f) Pearson implements commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls. Pearson protects Client Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Client Data.
7. Personnel
a) Pearson has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
b) Pearson has clearly defined roles and responsibilities for employees.
c) Prospective employees are screened, including background checks for Data Personnel or individuals supporting Client’s technical environment or infrastructure, before employment and the terms and conditions of employment are applied appropriately.
d) Data Personnel strictly follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
e) Pearson shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Client Data.
8. Business Continuity. Pearson implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.