Kantar Media Security Measures

Information Security Programme

  1. Maintain an information security programme with administrative, technical and physical safeguards appropriate to the size and complexity of operations, the nature and scope of activities, and the sensitivity of data processed.
  2. Designate staff with responsibility for information security and risk management.
  3. Regularly monitor, review and update the security programme to ensure safeguards remain appropriate.

Policies and Governance

  1. Maintain comprehensive written information security policies and procedures covering:
    1. commitment to information security;
    2. classification, labelling, and handling of information;
    3. acceptable use of systems, networks, and messaging;
    4. incident management and breach response;
    5. authentication and password rules;
    6. access controls and periodic rights reviews; and
    7. disciplinary measures for non-compliance.
  2. Review and update policies periodically and when fundamental changes occur.
  3. Maintain a code of ethics, acknowledged annually by staff.

Asset and Information Management

  1. Maintain inventories of information assets, systems and data.
  2. Apply classification and handling rules, including encryption of sensitive information, including personal data, in storage and in transit.
  3. Apply secure data destruction standards (e.g. NIST SP 800-88 or equivalent).

Physical and Environmental Security

  1. Provide physical entry controls for areas where sensitive information, including personal data, is stored, processed or accessed.
  2. Restrict entry to authorised personnel only.
  3. Maintain environmental controls (fire suppression, HVAC, power, emergency systems) and monitoring of sensitive areas.

Personnel Security

  1. Conduct background checks prior to providing personnel access to sensitive information, including personal data, subject to local law.
  2. Provide mandatory security, data protection, and privacy training on hire and refresh annually.
  3. Maintain formal user registration and de-registration processes, with access revoked promptly on termination.

Communications and Operations

  1. Perform regular data backups, test restorations quarterly, and encrypt all backup media.
  2. Maintain up-to-date malware protection, firewalls, intrusion detection, and patch management.
  3. Encrypt mobile devices used to access or store sensitive information, including personal data.
  4. Prevent unauthorised storage, replication or transfer of sensitive information, including personal data.

Access Control

  1. Enforce best practices for authentication (e.g. unique IDs, MFA for critical systems).
  2. Apply password rules consistent with NIST SP 800-63B (minimum length, complexity, lifecycle).
| Area | Requirement |
| --- | --- |
| Minimum password length | 8 characters |
| Password complexity | Two of the four character types (upper, lower, digits, special); not easily associated with an individual or process; not found in a dictionary; and not a pattern. It is strongly recommended that passwords contain three of the four character types. |
| Maximum password lifetime | At most 90 days |
| Minimum password history | One day |
| Protection in transit | Mandatory. Passwords must be encrypted in transit. |
| Protection in storage | Mandatory. Passwords must be hashed using an approved hash algorithm. |
  3. Review access rights at least annually.
  4. Prevent unattended exposure of sensitive information, including personal data, in physical or digital form.

Secure Development and Testing

  1. Apply secure development lifecycle methods and coding standards.
  2. Conduct secure code reviews before deployment.
  3. Perform quarterly vulnerability scans of external-facing systems.
  4. Perform annual penetration tests by an independent provider.
  5. Remediate vulnerabilities within agreed timeframes (e.g. 30 days for critical/high).

Contractor and Third-Party Management

  1. Select contractors capable of maintaining equivalent security standards.
  2. Put in place written contracts requiring appropriate safeguards no less protective than these Security Measures.
  3. Conduct periodic reviews of contractor security practices.
  4. Maintain a register of all third parties involved in processing sensitive data, including personal data.

Audit and Assurance

  1. Facilitate periodic security audits, including penetration testing and vulnerability assessments, by authorised parties in line with contractual obligations.
  2. Cooperate with supervisory authorities and regulators during audits or investigations related to data protection and security.
  3. Address and remediate any findings and weaknesses identified during audits within reasonable timeframes.

Incident Response

  1. Maintain and test an incident response process, including evidence preservation, engagement with law enforcement, and forensic analysis.
  2. Provide timely notification of incidents within 48 hours, with investigation, mitigation and corrective action.
  3. Produce final reports within 10 days following an incident, including root cause, corrective actions, and prevention measures.

Business Continuity

  1. Maintain and test a business continuity plan covering technology and operations.
  2. Ensure capability to restore services within defined recovery times.

Encryption Standards

  1. Apply strong encryption algorithms (e.g. AES-256, RSA-2048, SHA-256) for protecting data.
  2. Apply encryption in transit and at rest for sensitive information, including personal data.
  3. Maintain robust key management practices.
Preferred Encryption Algorithms

| Purpose | Algorithms | Minimum Key Length (Bits) |
| --- | --- | --- |
| Key Exchange | RSA | 2048 preferred, otherwise 1024 |
| Data Protection | AES in CBC mode | 256 preferred, otherwise 128 |
| Hash | SHA-256 | N/A |
| HMAC | HMAC SHA-256 | 256 |
| Digital Signature | RSA with SHA-256; DSA with SHA-256 | 2048 preferred, otherwise 1024 |

Additional Acceptable Encryption Algorithms

| Purpose | Algorithms | Minimum Key Length (Bits) |
| --- | --- | --- |
| Data Protection | AES in GCM mode | 1024 preferred, otherwise 248 |
| Hash | SHA-256 preferred, otherwise SHA-2 | N/A |
| HMAC | HMAC SHA-256 preferred, otherwise SHA-2. SHA-1 & MD5 should never be used unless an exception for technology is needed | 256 preferred, else 128 |
| Digital Signature | ECC with SHA-256, otherwise SHA-2 | 160 min |
| Digital Signature | RSA with SHA-256 preferred, otherwise SHA-2; DSA with SHA-256 preferred, otherwise SHA-2 | 2048 preferred, otherwise 1024 |