CCC Information Security Program
Overview: This document summarizes the CCC Intelligent Solutions Inc (CCC)’s comprehensive written information security program (the “Program”). It describes the Program elements which CCC intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. The Program incorporates CCC’s policies and procedures enumerated below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations.
Designation of Representatives: CCC’s Chief Information Security Officer is responsible for coordinating and overseeing the Program. The CISO may designate other representatives of CCC to oversee and coordinate elements of the Program. Any questions regarding the implementation of the Program or the interpretation of this document should be directed to the CISO or his or her designees. The CISO meets with the CCC Board of Directors at least bi-annually to review the security program, relevant security incidents and required improvements to the information security program.
Scope of Program: The Program applies to any record containing nonpublic information received from a CCC client, whether in paper, electronic or other form, that is handled or maintained by or on behalf of CCC or its affiliates. For these purposes, the term nonpublic information shall mean any information provided by a CCC client in connection with a CCC provided service.
Elements of the Program:
- Risk Identification and Assessment. CCC will, as part of the Program, undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. The CISO will establish procedures for identifying and assessing such risks in each relevant area of CCC’s operations, including:
- Employee training and management. The CISO will coordinate with CCC’s Human Resources department to evaluate the effectiveness of CCC’s procedures and practices relating to access to and use of client nonpublic information. This evaluation will include assessing the effectiveness of CCC’s policies and procedures in this area, including CCC’s Information Security Policy and Acceptable Use Policies.
- Information Systems and Information Processing and Disposal. The CISO will coordinate with CCC’s Information Technology department to assess the risks to nonpublic information associated with CCC’s information systems, including network and software design, information processing, and the storage, transmission, and disposal of nonpublic information. The assessment will include the methods and controls used to limit access to nonpublic information. This evaluation will include assessing CCC’s current policies and procedures relating to Acceptable Use of CCC’s network and network security, document retention and destruction. The CISO will also coordinate with CCC’s Information Technology department to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
- Detecting, Preventing and Responding to Attacks. The CISO will coordinate with CCC’s Information Technology department and other relevant business units to evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. The CISO may elect to delegate to a representative of the Information Technology department the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by CCC.
- Designing and Implementing Safeguards. The risk assessment and analysis described above will apply to all methods of handling or disposing of nonpublic information, whether in electronic, paper, or other form. Such safeguards include ensuring that data is encrypted in transit and at rest, periodic security testing of our products and services, the implementation of multifactor authentication from open public networks, and logging data access and detection of potential unauthorized access. The CISO will, on a regular basis, ensure the implementation of appropriate safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
- Overseeing Service Providers. The CISO will coordinate with those responsible for the third-party service procurement activities among the Information Technology department and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic information of clients and other third parties to which they will have access. The CISO will work with the CCC Legal Department to incorporate standard, contractual protections applicable to third party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of the CCC Legal Department. These standards will apply to all existing and future contracts entered with such third-party service providers.
- Incident Response Plan: CCC maintains a comprehensive incident response plan designed to identify, contain, respond, and recover to security incidents. The plan is tested on a periodic basis the plan includes the following elements:
- The internal processes CCC will activate in response to a security event.
- Clear roles, responsibilities, and levels of decision-making authority.
- Communications and information sharing both inside and outside CCC.
- A process to fix any identified weaknesses in systems and controls.
- Procedures for documenting and reporting security events and CCC’s response; and
- A postmortem of what happened and as needed, a revision of CCC’s incident response plan and information security program based on what was learned.
- Adjustments to Program. The CISO is responsible for evaluating and adjusting the Program based on the risk identification and assessment activities undertaken pursuant to the Program, as well as any material changes to CCC’s operations or other circumstances that may have a material impact on the Program. The program will be evaluated on a regular basis (at least annually) to ensure that the program is appropriately designed to address the security and privacy threats and risks faced by CCC.