Information Security Policy Vendor Attestation

Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0

Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

1.0 Purpose
Safeguard the integrity of Pearson’s sensitive information.

Vendor’s who have access to classified data are required to provide yearly attestation of
compliance with Pearson’s policy and contractual requirement. This ensures that Pearson’s
sensitive classified data is protected from harmful disclosure or from unwanted intrusion.

Data is to be protected in accordance with Pearson’s Global Information Security Policy.

2.0 Scope
“Sensitive Data” which is defined as any information, which through loss, unauthorized
access, or modification could adversely affect Pearson’s business interest, or that is
protected under legal, regulatory, or other applicable requirements, must carry a Strictly
Confidential application flag.

There a two types of sensitive data:

1. Confidential business information which if disclosed may harm Pearson’s business
acumen.
• Sales and Marketing Plans
• Product Pricing
• New Product Plans
• Manuscripts
• Notes associated with new patentable inventions or new copyrights.

This information is highly confidential and is in accordance with legal agreement, all
information subject to non-disclosure.

This type of information includes potential or actual legal disputes, information classified
based on acquisition or divestiture, Client / Attorney Privileges.

2. Private Information which if disclosed could lead to crimes such as identity theft or
fraud. Disclosing private information can make Pearson liable for civil remedies and may
in some cases be subject to criminal penalties. The information is private if it is
associated with an individual and its disclosure might not be in the individual's best
interests. Personal information belonging to an employee or customer is included
although theses individuals may choose to share these data points with others for
personal or business reasons. This would include a broad range of information that could
be exploited and cause damage such as:
• Any unique identification label used by a government regulating body to identify or
attest to an individual’s personal identity, (e.g. National Health / Social Security
Number, Driver’s license, Tax Identification number).
• Payment Card Numbers (PCI- Credit or debit)
• Personal Financial Information (banking)
• Medical Record (HIPAA)
• Student Education Records
• Employment Information
• Addresses
• Telephone numbers
• Non-Pearson E-mail address

"Note- private telephone numbers, home addresses, and non-Pearson email

addresses: in certain jurisdictions, especially outside of the U.S., is considered

Company Confidential Policy_36_ vendor attestation (2).doc Page 1 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

“sensitive” information and is subject to privacy laws. For most purposes in the
U.S., however, this information is not subject to privacy laws, although the private
telephone numbers, home addresses, and non-Pearson email addresses of minors may
be subject to certain privacy laws in the U.S. Each location should consult their local
and prevailing laws regarding private telephone numbers, home addresses, and non-
Pearson email addresses."

Data protected under a regulatory requirement will be protected during transmission,

processing, and data storage. Data storage is also referred to as “data at rest.”

3.0 Attestation process overview:

3.1. Pearson vendors that handle (process, view, touch or store) sensitive information
are required to provide a yearly attestation document which is part of this stated
policy.

3.2. Pearson as part of their compliancy program will deliver a copy of this policy to
vendors that they believe handle sensitive information on the behalf of Pearson.

3.3. Each vendor will complete the document answering the questions and return the
document to the Pearson address stated on the document. For items that are not
within compliancy, the vendor can state their compensating controls, or state the
timeframe that they expect to be able to meet the requirement.

3.4. The information returned will be retained by Pearson as part of our compliance
program and will be used by Pearson to ensure Pearson’s data is being
processed, handled and stored is in compliance with stated security policy.

4.0 Responsibility
4.1. Pearson
Pearson has employed reasonable best practices to protect the integrity and
availability of company information assets with the intent to reduce the risk of
inappropriate information access or exposure. It is the responsibility of the
vendor to ensure all safeguards are being exercised, in accordance with Pearson’s
Global Information Security Policy.

4.2. Operating Company

The Operating Companies must perform reasonable due diligence to verify that
vendors who handle, process or store privacy information are in compliance with
Pearson’s Security Standards (Section 11 and 12 of the Global Information
Security and Technology Policy) and any local prevailing laws.

The Operating Company must have contractual assurance that the vendor will do
so as stated by policy 2.3.1. This includes the right for Pearson to perform an
audit after providing reasonable notice.

The Operating Company is to retain a written stand-alone certification document

stating the vendor’s attestation of compliance. This document is to be kept on-file
and is to be revalidated annually.

Company Confidential Policy_36_ vendor attestation (2).doc Page 2 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

4.3. Data Security Officer

The Data Security Officer has direct responsibility for Pearson Information
Security Policy compliance, and for the yearly process of distributing this policy to
their vendor for the vendor’s attestation.
4.4. Management
All managers are directly responsible for implementing the Pearson policies within
their business areas, and for adherence by their staff. They are responsible for
retaining their vendor’s attestation, ensuring that the documents are available for
auditors, and for informing Corporate Legal and Information Security should a
vendor not be within compliance.

5.0 Document Retention

All returned attestation documents will be retained for a 7-year period.

6.0 Exception Guidance

The policy is as stated with no exceptions.

Approval _________________________ Date ___________

Information Security

Approval _________________________ Date ___________

PSO/CFO

Company Confidential Policy_36_ vendor attestation (2).doc Page 3 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

Pearson requires that all 3rd-party entities that handle, process, or store sensitive
information on behalf of Pearson, attest to compliance with Pearson security standards
relating to those data elements, and to compliance with all legal and regulatory
requirements. Please answer the questions below, sign and return to your Pearson contact
for review.

Policy: Vendors that handle, process or store sensitive information associated with
sensitive and privacy information on behalf of Pearson are to be held to the same level of
security as we impose upon ourselves and are to meet all regulatory compliance in
accordance with any local prevailing legislation.

Company Name:
Address:
City\State\Zip:
Contact Name:
Contact Phone #:
Pearson Operating Company:

Answers Approved By (please print):

Signature:
Title:
For Period: (ie: January 2010 - December 2010)
Date:
Approver's Phone #:

Do you share any of Pearson’s sensitive data with another vendor or business partner?

If yes, please list the vendors or business partners.

Do you handle any credit-card transactions or an individual’s credit-card information?

If so, are you PCI compliant?

Is any of Pearson’s sensitive external data external exposed on the Internet?

Company Confidential Policy_36_ vendor attestation (2).doc Page 4 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

Personal information that is subject to data protection legislation must be stored and processed in
accordance with the requirements of the relevant legislation.

Does your
organization have
comparable
Is your
policy statements Estimated
organization Justification if no
Policy Control addressing the Compensating Remediation
compliant with Gap(s) remediation can\will
Statements same control Controls Completion
your policy? occur
area? If yes, Date
Yes\No
please reference
your policy
section:
For Pearson
authorized vendor
and their
employees
sensitive data is to
be viewed only by
individuals who
have a legitimate
job requirement,
having a “need-to-
know” in order to
fulfill their stated
job function.

Personal data is not

to be disclosed,
made available or
otherwise used for
purposes other than
the purpose as
intended by the
application storing
the information,
except with the
explicit consent of
the individual, or as
required by all
relevant and
prevailing laws.

People viewing
data are only to see
the data elements
needed to perform
their specific job
function, and are
not entitled to have
full access to all
records and data
elements.

Company Confidential Policy_36_ vendor attestation (2).doc Page 5 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

A record is to be
kept of all users
who have sensitive
data access, and a
report is to be
available for
validation.

Sensitive data
should be relevant
to the purpose for
which the data is
used. The data to
the extent
necessary should
be accurate,
complete, relevant,
and kept up-to-
date.

Data retention of
sensitive
information is to be
limited to the time
such information is
necessary to
accomplish the
intended business
purpose.

All sensitive
paperwork copies
are to be stored in
containers that are
properly secured
from personnel that
have not been
authorized.

Frequent
assessments are
conducted to
ensure continued
sensitive privacy is
compliant.
Assessment
documents are
retained for
auditing.

An inventory is
maintained of
applications that
access, pass or use
sensitive data.
Company Confidential Policy_36_ vendor attestation (2).doc Page 6 of 9
 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

All systems that

use privacy
information use
encryption
technologies when
transmitting private
/ personal data
elements. This
includes both
internal and
external
transmissions.

Data fields
containing sensitive
Personal
Information are to
be encrypted in
accordance with
regulatory
requirements.

Live production
data containing
Personal
Information is not
to be used within
the development or
testing landscape.
The use of “dummy
data” prevents
against tainting,
destruction or
unauthorized
disclosure.

Portable computing
devices (includes
desktop, laptop and
MAC and LINUX-
base systems) that
are used in a work-
at-home or remote
scenario will use
encryption to
protect data stored
on the PC’s hard-
drive. The
encryption process
is used to protect
sensitive
information should
the device be lost
or stolen and to
ensure that at end-

Company Confidential Policy_36_ vendor attestation (2).doc Page 7 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

of-life the
information is
rendered
unrecoverable.

Disposal of paper
material must
include the process
of shredding before
the document
leaves a secured
area. This includes
desk scratch copies.

Disposal of
equipment assets
and media that
contains Personal
Information must
be destroyed as not
to allow for any
type of information
recovery. This
includes devices
such as PCs, PDAs,
Cell Phones,
Servers, and media
(tape, CD, DVD,
hard drive, USB
device). When
appropriate, any
vendor who uses a
landfill is to
provide an EPA
certificate as proof
of properly
disposing of the
equipment.

Credit information
is classified as
sensitive. Data
sensitivity is
associated with the
storing, processing,
or transmitting of
Primary Account
Number (PAN, full
magnetic stripe,
CVC2/CVV2/CID
and or PIN block).
At no time will the
full magnetic
stripe data be
stored or available
for viewing.

Company Confidential Policy_36_ vendor attestation (2).doc Page 8 of 9

 Information Security Policy Vendor Attestation
Sponsor: Corporate Information Security Office Number: 500-36 Version: 1.0
Approval: Pearson Shared Operations Issue Date: 08/01/09 Rev Date: 00/00/00

Masking of the
PAN; the first six
and the last four
digits are the
maximum numbers
of digits that can be
displayed.
Any person who
has access to
Payment Card
information stored
on behalf of
Pearson, must sign-
on to the network
and / or application
using their own
authorized ID and
password.

Archiving of data
containing Payment
Card Data is not
permitted, except
as required by
regulatory records
retention. All
Payment Card Data
not subject to
retention beyond its
use in an active
business process
must be removed
from all data files,
even if encrypted.

Company Confidential Policy_36_ vendor attestation (2).doc Page 9 of 9