Experian Client Access Management

Guidelines and responsibilities

As a leading provider of information, Experian takes its Data Protection and Information Security responsibilities very seriously. As such, it is imperative that our clients fully understand and adhere to both the internet security requirements and best practice guidelines below.

Experian fully supports and implements practices that protect the confidential nature of the information in our databases and respects consumers' right to privacy. Therefore, only companies that are approved members of our services ("Clients") and have permissible purpose for obtaining credit information and other reports are permitted access to the Experian applications, which provide access to this restricted data.

Client roles and responsibilities

Roles

There are 4 key client roles within Experian’s client access management framework:

  1. End Users – individuals who use Experian’s products and services.
  2. Authorised Signatories – nominated contacts who are responsible for submitting or approving end user access requests. Authorised Signatories are captured at the product level. An Authorised Signatory can be responsible for one or more products.
  3. Security Designates – individuals who have elevated access rights and are able to create, amend and remove End Users within Experian products.
  4. Security Reviewers – nominated contacts who are responsible for regularly reviewing End Users, Authorised Signatories and Security Designates to ensure the roles they hold are still relevant and appropriate. Security Reviewers can be captured either at the individual product level or at the organisation level.

Notes:

  1. Where the Authorised Signatory and/or Security Reviewer is a generic/shared mailbox, the client is responsible for controlling who within their organisation has access to that mailbox.
  2. The same contact can be nominated as both the Authorised Signatory and the Security Reviewer. However, a Security Designate cannot also be an Authorised Signatory or a Security Reviewer.

Responsibilities

Role, responsibility and frequency:

End Users
  • Comply with Experian’s standard terms and acceptable usage policy when accessing Experian products and services. (Frequency: N/A)

Note: End users must access Experian systems using their own named user IDs. The sharing of user IDs is not permitted.

Authorised Signatories
  • Submit or approve End User access requests. (Frequency: Ad-hoc)
  • Review and approve (or reject) any End User access requests when requested by Experian. (Frequency: Ad-hoc)
  • Notify Experian immediately when an End User leaves the business or changes roles and no longer requires access to Experian products or services. (Frequency: Ad-hoc)

Security Designates
  • Create, amend and delete End User access. (Frequency: Ad-hoc)

Security Reviewers
  • Review Authorised Signatories, Security Designates and Security Reviewers to ensure they are still the correct contacts. (Frequency: Quarterly)
  • Review End Users to ensure their access to Experian products and services is still valid. (Frequency: Annually)
  • Review and approve (or reject) any End User access requests when requested by Experian (in the absence of the Authorised Signatory). (Frequency: Ad-hoc)

General guidelines

The following recommendations should be communicated and adhered to by all users:

Passwords/passphrases dos & don’ts:

Do:

  • Use a password/passphrase with mixed case alphabetic (upper/lower case), numeric and special characters.
  • Use a password/passphrase that is easy to remember, so you don't have to write it down.
  • Change your password/passphrase often enough to prevent an unauthorised person from guessing your password/passphrase (every 90 days is recommended).
  • Change your password/passphrase immediately if you believe it has been compromised and notify the relevant Authorised Signatory, Security Reviewer or Security Designate.
  • Change your password/passphrase the first time you log on to a new system.

Do not:

  • Use your login name in any form within your password (e.g. as is, in caps or doubled).
  • Use your first, middle or last name.
  • Use other personal information which could be easily obtained (e.g. employee number, child's or spouse's name, address).
  • Use common names within the password/passphrase.
  • Use consecutive numbers or characters within the password/passphrase (e.g. abcde…, 12345…).
  • Write down on paper or store electronically the password/passphrase in clear text.
  • Share your username, password or passphrase with anyone.

Other acceptable usage requirements

  1. Do not share your password/passphrase with anyone (Experian personnel will never ask you for your password/passphrase).
  2. Do not share your user account or allow anyone to use your account. Log out of your workstation if unattended (or lock the screen).
  3. Do not reuse a password/passphrase for at least 13 iterations (i.e. password history).
  4. Do notify the Authorised Signatory or Security Designate when the account is no longer needed.

Access request SLAs

The SLA for access requests is currently 5 working days. The most efficient way to submit an access request is to send it via e-mail to client.supportolcs@uk.experian.com and include the words “User” or “Access” in the e-mail subject line.