Experian Web Access Control System - Internet Security Guidelines

As a leading provider of information, Experian takes its Data Protection and Information Security responsibilities very seriously. As such, it is imperative that all Security Designates and End Users fully understand and adhere to both the internet security requirements and best practice guidelines below.

Experian fully supports and implements practices that protect the confidential nature of the information in our databases and respects consumers' right to privacy. Therefore, only companies that are approved members of our services ("Clients") and have permissible purpose for obtaining credit information and other reports are permitted access to the Experian applications, which provide access to this restricted data.

These guidelines describe the general expectations and security requirements with respect to access to, and usage of, Experian information systems by our Clients and their Authorised Users. Security Designate and End User responsibilities when accessing Experian services are also detailed below. It is the responsibility of each authorised system user to ensure that all possible measures are taken to protect the confidential nature of the information that is provided and to protect the integrity of the systems providing this information.

Requirements

  1. Each client should nominate a user who will act as the primary interface with Experian on systems access related matters. This nomination and any subsequent changes shall be ratified by the client’s duly authorised representative (e.g. contracting officer, account manager, security manager etc.).
  2. All requests for access must be signed by a duly authorised representative of the client. Note: Partially completed forms and verbal requests will not be accepted.
  3. All requests for access to Experian systems should be assessed to determine that access to each Experian product is appropriate and based upon the legitimate business needs of each employee, prior to being sent to Experian.
  4. Authorised Users must be individually assigned unique access identification accounts ("User ID") and passwords/passphrases. Note: This also applies to the unique Server-to-Server access IDs and passwords/passphrases.
  5. Credentials must be linked to a corporate email address (i.e. webmail addresses should not be used).
  6. Clients are responsible for notifying Experian when their users change role, leave the Company and/or no longer require access.

Roles and Responsibilities

Head Security Designate / Security Designate administration model

Where the Client uses the delegated administration model, the Client will appoint a Security Designate to act as the primary interface with Experian on systems access related matters. The Security Designate will be responsible for establishing, administering and monitoring all of the Client’s employees’ access to Experian provided services which are delivered over the internet.

The Security Designate can identify one or more further Security Designates to undertake the day-to-day administration of the Authorised Users. Security Designate(s) must be a duly appointed representative of the client’s company and shall be available to interact with Experian on information and product access, in accordance with these Guidelines.

The Head Security Designate (or their appointed Security Designate(s)) shall:

  1. Be the primary interface with Experian on systems access related matters and be available to interact with Experian when needed on matters of user access and authorisation.
  2. Be responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorised User's job responsibilities.
  3. Review user accounts on an annual basis (minimum) and activity/usage regularly to ensure the user activities are consistent with the individual job responsibilities, business need and in line with contractual obligations. Any suspicious activity shall be reported to Experian.
  4. Be responsible for the initial and on-going authentication and validation of Authorised Users and must maintain current information about each (phone number, valid email address, etc.).
  5. Provide first level support for inquiries about passwords/passphrases or IDs requested by Authorised Users within the Client’s company.
  6. Submit all requests to create, change or lock Security Designate or Authorised User access accounts and permissions to Experian's systems and information.
  7. Notify Experian to add, change, and lock users within the client’s company, if a Designate is not in place and no automated facilities have been provided.
  8. Disable an Authorised User ID if it becomes compromised or if employment is terminated by the client.
  9. Be responsible for notifying their corresponding Experian representative in a timely fashion of any Authorised User accounts that are required to be terminated due to suspected (or actual) threat of system compromise, unauthorised access to data and/or applications, or account inactivity.
  10. Immediately report any suspicious or questionable activity to Experian regarding access to Experian's products and services.
  11. Report any potential compromise of the client’s systems that may expose Experian provided products or data to security threats.
  12. Communicate these security practices to Authorised Users.

The following recommendations should be communicated and adhered to by all users:

Passwords/Passphrases:

Do not:

  • use your login name in any form within your password (i.e. as is, in caps, doubled etc.),
  • use your first, middle or last name,
  • use other information easily obtained about you (i.e. employee number, child or spouse's name, address etc.),
  • use common names within the password/passphrase,
  • use consecutive numbers or characters within the password/passphrase (e.g. abcde…, 12345…),
  • write down on paper or store electronically the password/passphrase in clear text.

Do:

  • use a password/passphrase with mixed case alphabetic (upper/lower case), numeric and special characters,
  • use a password/passphrase that is easy to remember, so you don't have to write it down,
  • change your password/passphrase often enough to prevent an unauthorised person from guessing your password/passphrase (every 90 days is recommended),
  • change your password/passphrase immediately if you believe it has been compromised and notify the Head Security Designate, Security Designate or Experian's Security Administration group,
  • change your password/passphrase, the first time you log onto a new system.

Other best practice:

  1. Do not share your password/passphrase with anyone (Experian personnel should not be asking you for your password/passphrase).
  2. Do not share your user account or allow anyone to use your account. Log out when your workstation is unattended (or lock the screen).
  3. Do not write your password/passphrase down and/or try to hide it in an obvious location (i.e. don't post it on your monitor, hide it in your desk etc.).
  4. Do not repeat your password/passphrase for at least 13 iterations (e.g. password history).
  5. Do not use Experian systems to promote and exercise unauthorised attempts to access Experian systems for which access has not been granted, or other non-Experian systems.
  6. Do not use an email address that can be accessed by anyone other than you and your immediate designate.
  7. Do notify the Head Security Designate or Security Designate when the account is no longer needed.
Experian 2017. All rights reserved.