Security aspects are embedded from early stages of design, development and implementation of technology systems within Clarivate to ensure highly secure, reliable and robust products for clients. The Security standards adopted by Clarivate provide a consistent framework for all our technology professionals to identify threat vectors, vulnerabilities and control weaknesses throughout the product development lifecycle. Instead of treating security as an afterthought, security by design offers a proactive and prescriptive response that is entrenched in the very DNA of Clarivate.
Security by Design
Early considerations of cyber security and compliance aspects during the design and development phase of our information systems or products not only helps to avoid present and future vulnerabilities but also reduces redesign and problem-solving costs. Instead of treating security and compliance as an afterthought or a tail-end task to projects, security and compliance by design offers a proactive and prescriptive response that is entrenched into the very fabric of how Clarivate designs its technology solutions.
The Information Security team at Clarivate produces design references, in the form of architecture frameworks and checklists, that define the key requirements for embedding security-and-compliance-by-design principles in technology acceptance, system design and development processes. These include, but are not limited to, application security controls, data encryption standards and cloud design reference architecture.
Secure Software Development
Clarivate has a defined Secure Software Development Lifecycle for software development based on industry standards for information security. Product releases undergo several levels of security assessment prior to product deployment. Through controls such as Establish Design Requirements, Analyse Attack Surface and Threat Modelling, the Security Development Lifecycle helps Clarivate identify the potential threats to a running service and the exposed aspects of the service that are open to attack.
Products are assessed for exposure to a variety of both common and complex attack types and vulnerabilities. Clarivate incorporates security-specific test plans within its quality assurance processes. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are utilized where applicable during the product development cycle.
Clarivate utilizes third-party services to conduct network and application security assessments to identify security threats and vulnerabilities. Formal procedures are in place to assess, validate, prioritize and remediate identified issues.
All design references require our information systems and products to generate exception logs, enable auditing and log activities so that suspicious behaviour, which may be an early indication of a full-blown attack, can be detected. The logs also help address the repudiation threat, where users deny their actions.
Clarivate has a 24×7 Cyber Security Operations Centre (SOC) which monitors all threats, events and exceptions from logs captured through a Security Incident and Event Management (SIEM) tool. The logs collected through the SIEM are encrypted end to end and are correlated with threat intelligence databases to detect anomalies and possible threats to the product or hosted environment. The team also subscribes to vulnerability notification systems to stay apprised of security incidents, advisories and other related information. On notification of a threat or risk, the team, in collaboration with the cloud operations team, initiates action once it has confirmed that a valid risk exists, that the recommended changes are applicable to the service environments, and that the changes will not otherwise adversely affect the services. Access to logs is restricted and defined by policy, and logs are reviewed on a regular basis. The SOC team also audits cloud-hosted assets using automated vulnerability assessment tools.
Security Incident Response
Clarivate has a well-established Incident Response Framework which establishes the procedures to manage security incidents leading to suspected or confirmed data breach or compromise. The framework outlines the process for incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.
Incident handling and management roles and responsibilities have been defined for the management of incidents. The Incident Response Procedure summarizes the steps to be taken to minimize the impact of a security incident, to investigate why, how and when it happened, to identify any weaknesses, and to apply appropriate measures to reduce security risks to an acceptable level.
The Information Security and Incident Management teams are responsible for overseeing the investigation and resolution of security incidents, with support from other functions. An escalation and communication plan to notify Privacy, Legal or Executive Management in the event of a security incident has been established.
Clients are notified based on regulatory requirements in the event of a confirmed breach.