Agenda Item
b. CLEAR Attendance Zone Verification Software (Not to exceed $141,548)
Summary: Presented by: Triscilla Weaver, Ph.D., Chief of Access & Opportunity, Division of Access & Opportunity
Request: It is requested that the DeKalb County School Board of Education (“the Board”) approve access and usage of THOMSON REUTERS CLEAR, a public record information database software not to exceed $141,548.
Why: DeKalb County School District relies on school registrars to review and process thousands of documents families enter into the Infinite Campus (IC) student information system to verify residency in our attendance boundary. This process is particularly difficult for schools with large grade band shifts, such as elementary to middle school and middle to high school. Through registrar interviews, school visits, and IC audits, we have discovered fidelity challenges and inaccurate documents leading to attendance zone imbalances.
Approval of a comprehensive attendance zone verification software will support registration across the district and will ensure we have accurate data in the student information system (Infinite Campus). CLEAR provides access to a comprehensive collection of public records information we will use to cross-reference family attendance zone documentation information. Annually, the registration team will run a batch verification process to determine accuracy and support families with attendance options and programs. The seven registration support staff will uphold the standard operating procedures (SOP) and run individual school requests and residency affidavits.
Please note this is a sole source vendor and documentation is attached.
The approval of this contract aligns with Strategic Goal Area 6: Organizational Excellence and Goal Area 2: School, Family, and Community Engagement.
Details: Approval of a comprehensive attendance zone verification software will support registration across the district and will ensure we have accurate data in the student information system (Infinite Campus). The CLEAR software will alert DCSD registration administrators of inconsistent addresses, and we will further review based on the SOP process (attached).
DCSD has several departments and programs for families that need support in providing documentation to complete annual verification and the new student registration process. We also have a team and process for families experiencing unstable or inadequate housing (McKinney Vento), as we want to be sensitive to these situations. Lastly, we have a process for families living with another family in the DCSD boundaries.
The registration team will allow 10 administrator users on the platform with strict search criteria guidelines. The student assignment leaders will use the CLEAR platform to run internal audits and manage families' safety and security.
Financial impact: The initial contract duration shall be effective through June 30, 2025.
The total budget for these services will be allocated from the supplies and materials (computer software) student assignment budget 100-2210-561200-00011-7010-9990-8010-092-0000 in the amount of $141,548.
Contact: Triscilla Weaver, Ph.D., Chief of Access and Opportunity, Division of Access & Opportunity, 678.676.0485
Ms. Sarita Smith, Executive Director of Student Assignments, Division of Access & Opportunity, 678.676.0207
Effective: Upon Board Approval
Status: Approved by the Office of Legal Affairs
CLEAR
Information Security Summary
Product Documentation
This document explains Thomson Reuters’ approach to information security and data privacy for CLEAR.
Protecting our customers’ information is at the core of our Information Security strategy. Thomson Reuters
maintains its reputation for providing reliable and trustworthy information through a variety of means, including
a comprehensive information security management framework supported by a wide range of security policies,
standards, and practices.
Online Investigation Software
Thomson Reuters CLEAR is designed to meet the unique needs of your investigations and fraud prevention programs. CLEAR streamlines your research by bringing relevant content into a single working environment online, through batch files or through an API. The online customizable dashboard and intuitive interface saves time by allowing you to search data and view results in a way that matches how you work.
CLEAR software makes it easier to locate people, businesses, assets and affiliations, and other critical information. With its vast collection of public and proprietary records, investigators can dive deep into their research and uncover hard-to-find data.
Policy and Standards
• Thomson Reuters manages a set of information security policies and standards designed to provide information security and risk management principles that apply to our people, processes, and technology practices.
• Our policies and standards are closely aligned with the International Organization for Standardization (ISO/IEC 27002:2013) and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
• Information security policies and standards are reviewed and approved by senior management annually.
• Employees are required to acknowledge and review the Thomson Reuters Code of Business Conduct and Ethics annually.
Data Privacy and Compliance
• Thomson Reuters Privacy Statement can be found online at: https://www.thomsonreuters.com/en/privacy-statement.html.
• CLEAR obtains a SOC 2 Type 2 report annually, a third-party assessment conducted on application security controls, which covers operational control systems that follow the predefined trust services principles and criteria.
Our Employees
• All Thomson Reuters directors, officers, employees, and contractors (“employees”) are subject to the Thomson Reuters Code of Business Conduct and Ethics which sets forth the laws, rules, and standards of conduct that apply to our employees in all the countries where we do business.
• Thomson Reuters employees must complete pre-employment background screening checks and comply with confidentiality depending on the country and position at issue, to the extent customary and permitted by law.
Training and Awareness
• Employees with access to Thomson Reuters systems are
required to complete mandatory information security
and privacy training on an annual basis.
• Specialized training is delivered by Thomson Reuters to
particular groups of employees as necessary.
• Thomson Reuters conducts regular enterprise-wide
phishing simulation exercises to all employees.
• Thomson Reuters also partners with third-party vendors
to provide training resources for all skill levels through
customized internal programs.
Resilience
• Thomson Reuters has established a global, structured framework based on industry accepted standards designed to support recovery should a disruptive incident occur.
• Production data center features include key resilience measures, such as separate power supplies, UPS systems, diesel generators, HVAC, batteries, fire suppression, CCTV monitoring, biometric authentication, and more.
• Redundant application servers and disaster recovery tools are implemented.
• Data servers are backed up regularly.
Physical and Environmental Security
• Thomson Reuters’ commitment to a secure operating environment is demonstrated by our ongoing ISO/IEC 27001:2013 certification program of our data centers’ information security management systems (ISMS).
• Thomson Reuters data center facilities are secured by computer-managed access control systems with security guards monitoring entrances.
• In the event an on-site visit is granted by Thomson Reuters, visitor registration requires presentation of government issued identification. Visitors are required to sign in at building entrances and must have escorts within the buildings as well as appropriate badges.
• Access is recorded, documented, and monitored across our data centers. Multi-level security access is required for access to restricted areas, e.g., ID cards, electronic access control incorporating proximity card readers, pin numbers, and/or biometric devices.
• Access to delivery and loading areas is controlled and monitored, and deliveries and access are only allowed in those controlled areas.
Access Control
• Thomson Reuters uses role-based access controls to ensure appropriate access rights, permissions, and segregation of duties.
• CLEAR employs Thomson Reuters’ identity and access controls and regularly reviews administrative access to enterprise resources, product environments, and applications.
• CLEAR query data is stored securely, and mechanisms are in place to prevent unauthorized access.
Secure Authentication
• CLEAR software uses multi-factor authentication and offers two-factor authentication via OnePass for secure user login.
• Single Sign-On (SSO) configuration is also available via Secure Authentication Markup Language (SAML).
Encryption
• All interaction with CLEAR software occurs inside secure HTTPS sessions.
• CLEAR data is encrypted in transit using at least TLS 1.2 supported protocols.
• CLEAR data at rest is encrypted with at least AES 256-bit key encryption.
Application Security
• Thomson Reuters has a formal change management process that is performed by authorized personnel.
• Thomson Reuters has an established process around changes which are considered and tested prior to implementation.
• CLEAR operational and code changes are included in the change control process, for example database changes, network connectivity changes, implementation of new hardware, and changes to existing hardware.
• Thomson Reuters utilizes secure best practices within the agile methodology as part of the Software Development Life Cycle.
• Development staff participates in a security learning program promoting secure design, development, testing and security industry best practices.
• Password complexity is enforced, and a captcha system is used to defend against brute force attacks.
• CLEAR uses highly trained technical support staff who are available 24x7x365.
Vulnerability Management
• Manual penetration tests are conducted annually by a third-party tester.
• Application code is regularly scanned by industry standard third-party security tools.
• Internet facing systems are regularly scanned for vulnerabilities.
Copyright © 2022 Thomson Reuters. All rights reserved.
Thomson Reuters may modify this document at any time
to reflect changes to the law or changes to our services.
Last updated November 2022 | TR2031122/1_CT
End Point Security
Servers
• Led by a team of experienced security professionals, advanced anti-malware, network intrusion detection systems and intrusion prevention systems have been deployed across our fleet of devices designed to monitor and defend the environment.
• Detection and alerting mechanisms record external access attempts and attempts to interrupt or degrade the service.
• Web servers are configured to disable unnecessary services, activate/deactivate guest accounts and require complex passwords.
Employee workstations
• Managed internal services endpoints at Thomson Reuters are required to be protected by an up-to-date version of the standard malware protection solution. Signature deployments are required at least daily to internal technology services assets.
• Thomson Reuters has a data leakage protection program in place worldwide, subject to local law and regulation and where legally permissible.
Security Operations
• Thomson Reuters follows a 24x7x365 Security Operations model, with a global response footprint and a main Cyber Fusion Center located in Richmond, Virginia.
• Analytics, sensors, software agents, vulnerability scanners, and application white-listing tools are deployed across data centers to help detect, disrupt, or deny malicious activities, including spoofing, hijacking, and distributed denial of service (DoS).
• A dedicated team of security analysts provides continuous monitoring and analysis of the latest security threats to help identify and defeat malicious activities.
For More Information
• About Corporate Governance visit our Investor Relations site online at: https://ir.thomsonreuters.com
• Read about our products online at: https://thomsonreuters.com
• Our Procurement Guide describes customer contracting policies and is available online at: https://www.thomsonreuters.com/en/resources/thomson-reuters-procurement-guide.html
• Contact your Thomson Reuters Representative or contact us online at: https://www.thomsonreuters.com/contact-us