CCH Software User Documentation

IT Security Policy

Note: This version was created May 2020 (Chris Daldy)

OUR COMMITMENT

Security has never been more important. As a global leader in tax and accounting services, Wolters Kluwer places the utmost importance on the protection of our customers’ data and intellectual property. We recognize that data is the lifeblood of the modern digital economy, particularly in the sectors in which we operate. To deliver an enhanced level of security, Wolters Kluwer invests significantly in systems and in expertise, and we operate under globally recognized information security codes of practice. Our approach to your security is pragmatic, risk-based and business-aware: it is designed to earn customer confidence and to protect Wolters Kluwer’s reputation in the market.

IT Security from the top down
  • Everyone within the business (from the top to the bottom) is responsible for the security of Wolters Kluwer, employee and client data and for maintaining a strong security culture.
  • Security is part of the global IT risk function at Wolters Kluwer which is vested in a council structure using a three-tiered approach. The three tiers correspond to the functions of management, architecture, and operations.
  • The top tier of the security organizational model is the Information Technology Security Leadership Council. This council oversees the management of risk across the organization to include security strategy as a focal point.
  • The middle tier of the security organizational model is security architecture. This council designs and executes the strategy of the global IT security program. Its purpose is to ensure that standardized, efficient security practices are applied across the enterprise and that compliance with this policy and with external regulations is maintained.
  • The third tier is operational: working groups assembled at the direction of the Information Technology Security Council to drive a specific topic (e.g. a policy update review) and to carry out the council’s direction.
Who is responsible?
  • Successful security management depends upon clear accountabilities. Wolters Kluwer Executives have collective responsibility for setting strategy and business objectives; owning security risk appetite and accepting security risk consistent with business drivers.
  • Our UK IT Security Manager, Chris Daldy, leads UK IT security on behalf of the global and regional Wolters Kluwer Information Security teams, in a role that encompasses both information security and cybersecurity. All employees, contractors, and temporary and part-time workers share responsibility for security.
  • Shared responsibility for security is built into the Wolters Kluwer DNA. We make sure company information assets are used only in proper pursuit of our business; that information is not improperly disclosed, modified or endangered; and access is not made available to any unauthorized person.
Delivering excellence
  • Wolters Kluwer security policies, standards and operational practices are aligned with ISO/IEC 27001, the internationally recognized standard for information security management. This is also ingrained in the way in which we develop, maintain and deliver our TAA UK applications and services to all our customers.
  Global Policies and Standards
  • An information security policy framework, consisting of policies, standards and procedures, is in place to assure the secure provision of applications and services to the customer. This includes the overarching global information security policy and the global acceptable use policy.
  • All policies and standards are reviewed, version-controlled and authorized on a regular basis in relation to the applications and services that Wolters Kluwer provides, and as relevant to the risk and compliance requirements that may arise in the external and internal environments.
  Risk Management
  • There is a formal risk assessment process in Wolters Kluwer and regular and periodic risk assessments of all identified Assets are conducted.
  • The frequency of risk assessments is based on changes in the business or environment that may lead to a compromise to the confidentiality, integrity, availability, and/or privacy of the information and data processed, stored or transmitted by the organization and the impact this may have on the organization or individuals, along with any material changes to the business structure.
  Human Resources
  • All Wolters Kluwer employees undergo background checks to ensure their eligibility and competence to access Wolters Kluwer information.
  • Background checks are conducted according to local legislation and as appropriate to the role being recruited for, to include:
    • Identity verification
    • Employment references
    • Eligibility to work in the relevant geography
    • Validation of education and certifications
  Information Classification
  • Wolters Kluwer operates four levels of data classification to ensure that information assets are appropriately handled, processed and stored.
  • Information assets are assigned a classification level based on the appropriate audience for that information. If the information has been previously classified by regulatory, legal, contractual, or company directive, then that classification will take precedence. The classification level then guides the selection of protective measures to secure the information.
  Security Awareness and Training
  • All employees are required to adhere to our Information Security, Privacy and other policies, which set out our commitment to comply with our legal obligations, including keeping customer data secure.
  • Team members involved in the development and support of the TAA UK applications undergo additional security training that is targeted to their job roles. For example, architects may receive training in secure design principles while developers focus on secure coding practices and principles. Developing skills and careers is an important focus for us and critical to employee engagement. To support formal learning, all employees have access to over 3,000 on-demand learning opportunities through our global Learning Management System (LMS).
  • We also assign mandatory training to reinforce our training requirements and our values. Our employees demonstrate their commitment to learning through high completion rates on important topics such as our values, business principles and other rules of conduct in our daily work, covered by the annual compliance training, GDPR training and performance management training.

  Access Control
  • Wolters Kluwer access controls are pragmatic, thorough and reviewed regularly. Our guiding principles for access are:
    • Business Need: Access to Wolters Kluwer information is only granted where there is real necessity
    • Least Privilege: Wolters Kluwer employees are limited to the minimum access permissions they need in order to carry out their work, without compromising productivity or efficiency
    • Separation of Duties: To manage conflicts of interest, prevent fraud and reduce error, duties are divided so that no single person controls a sensitive process end to end, and access is subject to independent oversight.
    • A formal registration and de-registration procedure to grant and remove access.
  Cryptography
  • Cryptography protects data against unauthorized disclosure and alteration and underpins the authentication of users and systems.
  • Wolters Kluwer uses industry-standard HTTPS (HTTP over TLS) to protect the confidentiality and integrity of data passing between users’ browsers, our Cloud platforms and any relevant third-party services such as HMRC.
  • For our cloud platforms, encryption is enabled to protect data at rest and all data in transit to and from those platforms.
  Physical Security
  • Information held in our offices is physically protected against disclosure, modification or theft by unauthorized persons, and controls are in place to reduce the risk of loss or damage. Offices are protected by appropriate access entry controls and a 24x7 security presence.
  Patch Management
  • Wolters Kluwer operates a robust patch management process supported by regular, scheduled vulnerability assessments across the infrastructure hosting our applications.
  • Infrastructure is patched weekly and application patching is aligned with our published maintenance schedule. Any significant security issues that we identify are dealt with under our emergency fix process and follow our standard out-of-schedule notification process.
  Host Protection
  • By implementing malware protection solutions, we can detect, remove and protect against known types of malicious software. Our solutions use behavioral detection and can recognize anomalies, so that previously unseen attacks can also be detected. We deploy our malware protection at appropriate points across the Wolters Kluwer technology infrastructure. Because new malware is in constant development, we regularly test and update our protection to reduce the risk of systems being exposed.
  24/7 Monitoring and Incident Management
  • Wolters Kluwer Security does not stop when the business day ends. Wolters Kluwer has a 24x7x365 security monitoring service via our Global Security Operations Centre (SOC).
  • This service is the front line for Wolters Kluwer in responding to security incidents at any time of the day or night. Through detection and monitoring of threats and vulnerabilities, managing security incidents, and evolving our preventive infrastructure, an experienced team aims to keep ahead of the threat.

  Vulnerability Management
  • Wolters Kluwer information security teams adhere to a vulnerability management process which is focused on the collection, analysis, summarization, reporting, and tracking of identifiable vulnerabilities in applications, infrastructure, and endpoint systems and networks.
  • This process is vital for providing accurate visibility of risk across the organization. It is performed by the Global Information Security team and takes a defense-in-depth approach, with multiple levels of scanning performed by enterprise-level on-premises and cloud-based tools and at the application security level. These levels of scanning are designed to provide assurance that any security-related risks that arise can be identified and treated on a timely basis.
  Independent Security Testing
  • Independent third-party technical security assessments (‘pen-testing’) are performed on all internet-facing applications on an annual basis, to ensure that security risks continue to be reviewed in line with industry practice.
  • Any risks that are identified are managed and tracked according to the global vulnerability and remediation security standard.
  Service Resiliency
  • For our cloud platforms*, data protection processes and procedures are followed for internal service recovery purposes only. This includes a back-up facility that meets the following requirements: (i) full backups are taken weekly, differential backups daily and log backups every 30 minutes; (ii) backups are retained for 35 days; and (iii) backups are encrypted.
(* Please note that the CCH OneClick subscription terms specifically exclude back-ups from the services we provide)
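The schedule above determines how a restore is assembled and how much data can be lost. The following Python is an added illustration, not CCH or Wolters Kluwer code, and it assumes run times the page does not state (fulls on Sunday at 00:00, differentials at 00:00 daily, log backups on the half hour, all anchored at an assumed first full on 3 May 2020). For a target time it computes the restore chain (last full, last differential, log backups to replay), the achievable recovery point and the data-loss window, which is at most 30 minutes under this schedule, and the caveat a practitioner should check: whether every member of the chain is still inside the 35-day retention window, because a target less than 35 days old can depend on a full that is older than that.

```python
from datetime import datetime, timedelta

# Schedule as stated on the page: full backups weekly, differential backups
# daily, log backups every 30 minutes, 35-day retention. The anchor below
# (first full on Sunday 3 May 2020 at 00:00, with differentials and logs
# aligned to it) is an ASSUMPTION for illustration; the page gives no run times.
FULL_INTERVAL = timedelta(days=7)
DIFF_INTERVAL = timedelta(days=1)
LOG_INTERVAL = timedelta(minutes=30)
RETENTION = timedelta(days=35)
FIRST_FULL = datetime(2020, 5, 3, 0, 0)  # assumed anchor, a Sunday


def last_at_or_before(interval, target):
    """Most recent scheduled run of a backup with this interval, at or before target."""
    if target < FIRST_FULL:
        raise ValueError("target precedes the first full backup")
    runs = (target - FIRST_FULL) // interval
    return FIRST_FULL + runs * interval


def restore_chain(target_iso, now_iso):
    """Backup set needed to restore to the latest point at or before target.

    Returns the full, the differential (None if the full itself is the newest
    base), the number of log backups to replay, the achievable recovery point,
    the data-loss window in minutes, and whether every backup in the chain is
    still inside the retention window as of `now`.
    """
    target = datetime.fromisoformat(target_iso)
    now = datetime.fromisoformat(now_iso)

    full = last_at_or_before(FULL_INTERVAL, target)
    diff = last_at_or_before(DIFF_INTERVAL, target)
    if diff <= full:
        diff = None  # a differential taken with the full adds nothing
    base = diff or full

    # Log backups are replayed in order from the base up to the target.
    logs = []
    t = base + LOG_INTERVAL
    while t <= target:
        logs.append(t)
        t += LOG_INTERVAL
    recovery_point = logs[-1] if logs else base

    # Retention is checked against the OLDEST member of the chain (the full),
    # not against the target: a target inside the 35 days can still depend
    # on a full that has already aged out.
    chain_retained = full >= now - RETENTION

    return {
        "full": full.isoformat(),
        "differential": diff.isoformat() if diff else None,
        "log_count": len(logs),
        "recovery_point": recovery_point.isoformat(),
        "data_loss_minutes": int((target - recovery_point).total_seconds() // 60),
        "chain_retained": chain_retained,
    }


def earliest_restorable(now_iso):
    """Earliest point whose whole chain is still retained: the oldest retained full."""
    cutoff = datetime.fromisoformat(now_iso) - RETENTION
    if cutoff <= FIRST_FULL:
        return FIRST_FULL.isoformat()
    full = last_at_or_before(FULL_INTERVAL, cutoff)
    if full < cutoff:
        full += FULL_INTERVAL
    return full.isoformat()


if __name__ == "__main__":
    # Wednesday afternoon target: full from Sunday, Wednesday's differential,
    # 29 log backups, 17 minutes of data loss.
    print(restore_chain("2020-05-06T14:47", "2020-05-07T09:00"))
    # Target 34 days old but its full is 40 days old: chain not retained.
    print(restore_chain("2020-05-09T12:00", "2020-06-12T09:00"))
    print(earliest_restorable("2020-06-12T09:00"))
```

With retention counted from each backup's own date, as this example assumes, the window in which a complete chain is guaranteed is between 28 and 35 days, not a flat 35, because the weekly full at the head of the chain ages out first; earliest_restorable reports the boundary for a given date.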
  Business Continuity
  • The wider Wolters Kluwer organizational Business Continuity Plan comprises the following: an Emergency Response Procedure (detection, notification and evacuation procedure), a Crisis Management Plan (team, incident management, notification and escalations, review and assessment of operations, emergency recovery and maintain phase) and an Operational Recovery Plan, among others.
  Application Security Testing
  • Applications are put through a rigorous testing process which includes static and dynamic application security testing (SAST, DAST) using industry-leading toolsets.
  • The execution of these testing programs is subject to an internal governance process, managed by the global software security assurance team, which is designed to ensure that all code repositories are scanned according to a predefined schedule and that the results of all such scans are reviewed, validated and closed out in accordance with the Global Application Security and Vulnerability standards.
Secure Development

Software development in Wolters Kluwer follows an Information System Life Cycle Management process. It is designed to ensure that, prior to the acquisition or development of new information assets, or the enhancement of existing information assets in a way that affects implemented security controls, the requirements for security controls are documented, verified to ensure that they comply with the appropriate policies and standards, and reviewed and approved by the Division, Business Unit Management and/or the Global IT Security Team.

Our development pipeline contains many integrity controls. Code cannot be merged into the development branch until it has been peer-reviewed and has passed several code quality checks. At various stages automated functional tests are performed to ensure that code performs correctly in isolation and as part of the broader service. Code cannot be deployed without successful completion of regression tests (automated and manual).

Regression tests are an integral part of the code development process. Should there be any changes specific to the service functionality provided to our Customers, then, as part of the impact assessment performed for the change and in accordance with any service level agreements in place, appropriate communication takes place with the Customer to ensure the impacts of the change are understood and agreed.

 

 

 
