  

    Information Security Summary

    Product Documentation

    This document explains Thomson Reuters’ approach to information security and data privacy for Legal One hosted in Microsoft® Azure®.
    Thomson Reuters maintains its reputation for providing reliable and trustworthy information through a variety of means, including a comprehensive information security management framework supported by a wide range of security policies, standards, and practices.

    Protecting our customers’ information is at the core of our Information Security strategy. We have established policies and a governance structure designed to mitigate and respond to potential security risks.

     

    Legal One

    Thomson Reuters Legal One is a fully integrated web-based platform that combines legal information, intelligence, and legal management to meet the legal market's needs for business growth, legal practice, and performance management.
    Legal One is hosted in Microsoft® Azure® Cloud within the United States (US) and the United Kingdom (UK) regions. This paper provides a high-level overview of the security measures that support Legal One in the Microsoft® Azure® environment.

     

    Policy and Standards

    • Information Security Policies and Standards are reviewed and approved by senior management annually. 
    • Employees and contractors are required to review and acknowledge the Information Security Handbook.
    • Employees and contractors are required to acknowledge and review the Code of Business Conduct and Ethics.

     

    Training and Awareness

    • Employees and contractors with access to Thomson Reuters systems are required to complete security awareness training annually.

     

    Physical and Environmental Security

    Legal One systems are hosted in Microsoft Azure’s secure data centers that maintain a diverse set of physical and environmental security controls, including but not limited to:

    – nondescript facilities
    – restricted and controlled physical access
    – professional security staff
    – video surveillance
    – intrusion detection systems

    • See Microsoft® Azure® Security White Paper for more details: https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf

     

    Networking Security

    • Multi-tiered architecture with strategic firewall placement.
    • Cluster of web servers behind load balancers supporting resilience and uninterrupted service during patch cycles.
    • Traffic filters control access to database servers.
    • Client data does not reside in the DMZ.

     

    Data Privacy and Compliance 

    • Thomson Reuters Privacy Statement can be found online at https://www.thomsonreuters.com/en/privacystatement.html.
    • Legal One data for the United States (US) instance is stored and backed up to data centers geographically dispersed within the United States.
    • Legal One data for the United Kingdom (UK) instance is stored and backed up to data centers geographically dispersed within the United Kingdom.
    • See Microsoft® Azure® compliance offerings for more details: Microsoft Azure Compliance Offerings.
    • Legal One obtains a SOC 1 Type II report annually.

     

    Secure Authentication

    • Application access requires a secure HTTPS browser session.
    • Data is transferred from customer site over an encrypted connection after authenticating with an API key and HTTPS browser session.
    • Two-factor authentication (OnePass) is available for secure user login.
    • Microsoft® Azure® Active Directory is also available for secure user login.

     

    Access Control

    • Thomson Reuters restricts employee access to production systems and stored customer data by limiting access to those with a specific business need.
    • Stored customer data is only accessible with valid login credentials.
    • Role-based access controls ensure appropriate access rights, permissions, and segregation of duties.
    • Multi-Factor Authentication is enforced on Thomson Reuters accounts that are used to manage Azure resources.

     

    Application Security

    • Thomson Reuters has a formal change management process that is performed by authorized personnel.
    • Thomson Reuters utilizes secure practices within the agile methodology as part of the Software Development Life Cycle.
    • Development staff participate in a security learning program promoting secure design, development, testing, and best practices, including the OWASP Top 10.
    • Password complexity is enforced, and a captcha system is used to defend against brute force attacks.

     

    Vulnerability Assessments

    • Manual penetration tests are performed on the Legal One application on an annual basis.
    • Application code is regularly scanned by industry-standard third-party security tools.
    • Application audit history log files are not user modifiable.

     

    Disaster Recovery

    • Disk-to-disk backup is utilized.
    • Legal One data and backups are replicated to the disaster recovery site.

     

    Resilience

    • Thomson Reuters has established a global, structured framework based on industry accepted standards which are designed to support recovery should a disruptive incident occur.
    • Data servers are backed up multiple times each day and redundant copies are stored within permitted geographic regions.

     

    End Point Security

    Servers

    • Under the leadership of a team of experienced security professionals, advanced anti-malware, network intrusion detection system, and intrusion prevention system solutions have been deployed across our fleet of devices to monitor and defend the environment.
    • Detection and alerting mechanisms record external access attempts and attempts to interrupt or degrade the service.
    • Web servers are configured to disable unnecessary services, deactivate guest accounts, and require complex passwords.

    Employee Workstations 

    • Managed internal services endpoints at Thomson Reuters are required to be protected by an up-to-date version of the standard malware protection solution. Signature deployments are required at least daily to internal technology services assets.
    • Thomson Reuters has a data leakage protection program in place worldwide, subject to local law and regulation and where legally permissible.
       

    For more information, contact your Thomson Reuters representative.

     

    Last updated October 2021

    Copyright © 2021 Thomson Reuters | Thomson Reuters may update this
    document, for example, to reflect changes to the law or changes to our services.