ThreatMetrix® – Systems Development Process

1.  Development Policy and Procedures or Standards

Due to the large scope of LexisNexis, the technology used varies from region to region and is segregated for different acquisitions. ThreatMetrix is an independent brand (subsidiary) that operates in integration with LexisNexis. When ThreatMetrix was acquired, it possessed its own data, and LexisNexis consolidated the data needed for the acquisition; the acquisition therefore does not mean that LexisNexis will migrate ThreatMetrix’s data onto its internal platform, as funding is provided by LexisNexis.

A collection of outsourcing policies is listed on the official website of LexisNexis under Outsourcing Agreements. These policies are applicable in the United Kingdom, although they are subject to change depending on the government regulations where LexisNexis is operating. Some of these policies are masked and require official credentials for viewing. What can be derived, however, are the four phases of an outsourcing transaction: Preliminary Issues, Outsourcing Agreements, Contract Management in Outsourcing, and Outsourcing by Type and Sector.

Preliminary Issues: Initial phases include analyzing requirements, scoping the project, commencing the procurement process, and finalizing with bidder selection and contract negotiation. Public sector transactions must comply with the Public Contracts Regulations 2015 and with strict bidding criteria, which adds time and cost to the process. Subsequently, the supplier must assess the customer’s proposed outsourcing project and the customer assesses the supplier’s ability to provide the services. An invitation to tender (ITT) is then issued, followed by a project initiation document, a letter of intent, and the drafting of the agreement.

Outsourcing Agreements:

  1. In transition, the services are handed over to the supplier, and the transformation of the services commences. Transformation enhances and modernizes services to cut costs and introduce new efficiencies in how the service is provided.
  2. Compliance with good industry practice and international standards on information security constitutes the service description when outsourcing. The supplier must meet specified service levels that include availability, reliability, and fix time.
  3. ThreatMetrix utilizes cloud solutions that have been under scrutiny for ambiguous service levels that create an impediment in the event of a security breach. Consequently, the European Commission developed standardization guidelines for cloud computing (Cloud Service Level Agreement Standardization Guidelines, 2014).
  4. The charges are then comprised of different pricing models. Pricing models such as fixed price, fixed price with volume variation, time and materials, cost plus, and gain share are implemented via legal advisers in order to ensure charging structures and payment terms (LexisNexis Payment Terms and Interest, n.d.).
  5. IPR (Intellectual Property Rights) tend to be the source of disputes during outsourcing contracts. In place are pre-existing, co-agreed IPRs and post-implementation IPRs developed as part of the services. The clause can be accessed only with validated credentials (Intellectual Property In Outsourcing, n.d.).
  6. Under TUPE, an employment protection regulation established in 2006, employees receive protection once services are outsourced by transferring the employee contracts to the new supplier.
  7. Business Continuity and Disaster Recovery policies ensure the continuity of operations during major events, supply chain issues, malware attacks, and key person illness or resignation.
  8. Under the Protections of Employment Regulations Act of 2006 (TUPE), suppliers must employ transfer employees under the same benefits. The supplier, however, is granted the free will to issue their own form of pensions and is not required to adhere to the former conditions or pension plans.
  9. Since outsourcing requires the transfer of services or assets to the supplier, some tax implications (direct or indirect) may be imposed. Third party suppliers may be subject to value-added taxes. Tax inefficiency may also arise if they are outsourced to a low-cost region.
  10. The General Data Protection Regulation (GDPR) represents the administrative access of personal data within the organization. Correspondingly, restrictions and responsibilities are placed upon the customer in favor of the supplier so that the supplier is able to perform its obligations (GDPR, n.d.).
  11. The percentage of charges paid within a given period formulates the financial cap on liabilities for a supplier. Loss from profit is often negotiated to prevent financial harm to the supplier.
  12. PCI DSS Compliance: Payment Card Industry Digital Security Standard for all entities involved in card payment processing. Provisions will also be drafted to construct the terms of termination and exit regarding any integration.

Contract Management in Outsourcing: To earn supplier potential, incentivization through reward programs is introduced. Bonuses, gain sharing, and results-based contracting provide a foundation for suppliers to engage with LexisNexis. In the case of disputes, exit strategies are established in advance to clarify the costs and penalties of exiting. A contingency is to have an exit plan drawn up within the contract and to update its terms regularly. As a result, mechanisms to aid in disputes are in place to avoid pursuing matters externally.

Outsourcing by Law and Sector: Contracts are frequently awarded by central government, law enforcement, and local authorities. Equal treatment and non-discrimination are mandated under the Public Contracts Directive (Outsourcing by Law and Sector, n.d.). No tax exemptions are applied in this case. The Local Government Act of 1999 and The Government and Public Involvement Health Act determine whether a service is delivered in-house or is outsourced. Procurement, in terms of balancing, costs, and social requirements, is structured under these acts. When entering into an outsourcing venture, some financial companies are subject to regulatory rules to ensure effective risk management. As a result, a Financial Conduct Authority (FCA) document administers these rules. Unfortunately, the FCA is only accessible by those directly involved. Colocation, fully managed, and build to operate are three main types of data outsourcing models. Colocation allows customers to rent space in data centers while the supplier provides the facility and the customer operates their own servers. Under the fully managed service, the data center and all the servers are owned and managed by the supplier. Finally, in a build and operate scenario, the data center is built and designed by the supplier and the customer data is then migrated (Outsourcing by Law and Sector, n.d.).

Since LexisNexis possesses immense amounts of data, LexisNexis regulates what is provided to a customer. For instance, if the product provided was for the purpose of detecting fraud, only information counteracting fraud will be provided. Data is tremendously valued; therefore, an exclusive sales team is dedicated to negotiating fiscal terms. Any constraints or failures in functionality are reported by the sales team. Communication was conducted by a development team that has determined severity based on the defect capacity. Changes are prioritized in accordance with severity. Biweekly releases are issued on products, in which defects are addressed sequentially with reference to severity tickets. An ETA is provided on release (Silva, 2020).

The development team follows the agile methodology after transitioning from a waterfall model in 2017 (Silva, 2020). The transition occurred due to feedback being received on a provided minimum viable product (MVP). To readjust focus, when a new product is introduced to the market, minimum functionality is provided. For example, if the product were to mitigate fraud (such as the product integrated by ThreatMetrix called LexID® (LexID, n.d.)), detecting person X as a fraud would begin with rolling out the MVP. The MVP would be incapable of detecting fraud but would be able to trace digital identity. The functionality is subsequently compounded with minor biweekly iterations. The waterfall methodology was abandoned due to time consumption and delays.

IT governance, risk, and compliance requirements are in place, naturally attributable to the nature of the private data stored. The procurement of data is contingent upon clearance levels and is regionally allocated. Tickets to request approval for data are approved by administrators and mandate a waiting period. Correspondingly, an information system security team is deployed and responsible for the detection of malicious threats. The governance structure followed to facilitate this encompasses an annual review, the identity of contract managers, details of each board and steering committee, reporting requirements, and an escalation and dispute resolution procedure (Outsourcing Agreements – Overview, n.d.).

2.  Establishing the requirements / project leadership

The need formed under the desire to consolidate information obtained by both LexisNexis and ThreatMetrix. The latter possessed valuable data pertaining to digital identity for well over 1.4 billion unique users (Lunden, 2018). Considering the pre-obtained data for tracing digital footprints and sensitive information held by LexisNexis, the collaboration offered mutual benefits. ThreatMetrix began independently and currently operates as a subsidiary following the acquisition. Expansion is constant based on the provided technology and infrastructure from LexisNexis. The needs analysis for expansion of data retention and convergence of a complete digital identity showed that the acquisition was targeted. Fresh competitors in data acquisition are always monitored and targeted for buyouts to prevent the rewriting of their innovative technology. The initial digital identity procurement prior to the acquisition contained a massive customer base. The initial request to acquire was made by LexisNexis to merge the data both companies possess and expand the digital identity spectrum. ThreatMetrix was a massive identity repository and has extensive capabilities in providing digital identity solutions in devices, email, and social intelligence. Mark Kelsey, Risk and Business Analytics CEO, has dedicated sales teams that analyze and weigh the advantages and create a future trajectory through cost analyses. A feasibility plan is always in place, and ThreatMetrix must outline how they will be conducting their business under LexisNexis compliance (Silva, 2020).

Under the agile methodology, LexisNexis gathers requirements for ThreatMetrix and subsequently maintains them through biweekly iterative releases. To successfully meet the customer’s demand, communication with the customer is established to understand what they are attempting to improve. A project manager was allocated to that specific ThreatMetrix acquisition, working alongside a product manager. The product manager possesses a wealth of knowledge about ThreatMetrix and its limitations. A project manager is allocated to perform the actual tasks of ThreatMetrix. The project manager from then on delegates responsibilities to his or her subordinates. GIRA is the tool that the HR development team used to complete the acquisition. GIRA reads through requirements documents and creates a “GIRA” ticket in the form of an EPIC, a communication method, outlining what needs to be accomplished. An EPIC is further divided into “stories”, each of which is a module of what can be accomplished (Ambler, 2018). Since fraud detection was the area of LexisNexis that needed to be expanded, that would define the EPIC ticket. Fraud prevention can be divided into discerning which addresses are considered discrepant, paralleled with how many phone numbers are associated with a person. Stories are further broken down into tasks, and that is where LexID was integrated with ThreatMetrix (ThreatMetrix, n.d.). A breakdown of the process appears as follows: EPIC > Stories > Tasks (Silva, 2020). Tasks are what developers calibrate, and the reason for the deployment of this process was to regulate how many hours are spent on production. Formal documentation of requirements follows a standardized series of questions: What does it entail? What would the outcome be? What products will be impacted? Who are the customers? Stakeholders would be provided representation in the document through listing any ideas to improve the product.

Several project managers led the requirements for integration, which were mutually agreed by them. The requirements revolved around how each entity, LexisNexis and ThreatMetrix, will continue to access their data from original data centers, giving LexisNexis complete ownership. Collective directors must approve of any change in the market allocation, comprised of several teams including the legal team governing how the data will be used. The ThreatMetrix team, meriting the acquisition, were the real champions of the project. ThreatMetrix went from being established as a cybersecurity start-up in 2005 (Lunden, 2018) to being purchased for $817 million. Reed Taussig was the president and CEO of ThreatMetrix at the time and still remains in charge of the subsidiary. Evaluations are executed by all members of the board through revision and gap visualization. Stakeholders and directors must sign off on the requirements documents. The management structure did not change, and the only new aspect would be the legal team watching over ThreatMetrix to ensure compliance.

3.  Systems development options and decisions

A viable IT application development staff is present for every product. LexisNexis maintains its own development staff; yet the core products possess a shared development resource, signifying that the product is owned by the project managers and the products are operated by the teams (product and sales teams). For LexisNexis acquisitions, independent development teams exist.

Purchasing ThreatMetrix was fueled by procuring the market segment of a larger comprehensive digital footprint. Incentives to acquire included a sizeable customer base and user population. The application was acquired and then the data storage became outsourced as ThreatMetrix. ThreatMetrix cooperates as the supplier of information such as digital ID, names, IP addresses, and websites visited, all of which form the digital footprint. The information from the LexisNexis integration augmented the footprint by contributing a physical ID, such as a social security number, phone number, and physical address of individuals. To portray a clearer image, take Amazon as an example: as a customer of ThreatMetrix, they require a physical and digital ID. By merging the two methods of ID, it was possible to narrow the digital ID and LexID down to one person. Accordingly, the digital footprint can be traced and authenticated.

The decision to acquire was publicly revealed early in 2018 and finalized later that year. The announcement was made by the RELX Group, the parent company of LexisNexis. Paradoxically, ThreatMetrix had previously made acquisitions of its own in 2012 through the procurement of TrustDefender, a platform that specializes in detecting malware-based attacks (Constine, 2012). According to the president and CEO of ThreatMetrix, Reed Taussig, they had already been collaborating with LexisNexis for 2 years (Lunden, 2018). LexisNexis announced the acquisition on their website, and the Risk and Business Analytics CEO, Mark Kelsey, acknowledged the digital identity leadership that ThreatMetrix established and emphasized how a more comprehensive approach to fraud and identity risk management will be attained through the acquisition. The decision encompasses an ambition to transition to the cloud and a shift towards more purchased applications. Lately, two new acquisitions had been completed by LexisNexis, as acquisitions have become second nature for information giants. Emailage and ID Analytics are both recent companies that were purchased by RELX to further establish a footprint in the fraud prevention market (Analytics Co RELX Buys anti-fraud Start Up Emailage, 2020). Cloud-based technology offers one distinct advantage over conventional data storage with its invulnerability to natural disasters. Through the shift to cloud-based technology, focus can be re-established on outsourcing to data center providers. Owning, operating, and maintaining data centers is expensive; with cloud technology, storage tends to be more efficient and reduces costs.

A rigorous process was pursued to identify a worthy cloud provider. Negotiations lasted a year, axing Google out in the process. In February 2020, Microsoft Azure became the cloud-based technology provider. An external vendor, Verne Global, was engaged and selected. To further reduce liabilities, third-party call centers were outsourced offshore. Call centers must follow rigorous protocols and security compliance training. Following the acquisition, ThreatMetrix needed to be customized to also fall under LexisNexis global compliance, governance, and procedures. The ThreatMetrix CEO was directly responsible for any integration and migration with LexisNexis.

4. Application implementation

The development did not have a fixed completion, since bug fixes and enhancements are continuous. The determination of when and if the ThreatMetrix server integration was complete culminated when the quality assurance team of LexisNexis ensured the functional remedy. Regression testing is a test LexisNexis uses to ensure that the recent coding has not adversely impacted existing features. Regression testing detects any defects in existing functionality after new functionality is added. Cumulative testing is subsequently performed on the new alteration. The development team was implemented by ThreatMetrix. As ThreatMetrix is a standalone organization, its own development team was responsible for acceptance testing. Acceptance testing was performed internally as a collaboration between project managers, the sales team, and product managers of both organizations.

Additional testing performed during the implementation included test scripts that are collectively produced by developer and quality assurance teams. The scripts are conveyed to the project managers and the sales team of LexisNexis to ensure their awareness of how ThreatMetrix is operating and conducting its business with clients and customers. Beta testing was deemed irrelevant, as ThreatMetrix has been well established and operational since 2005. Unit testing takes place during the iterative releases of newer functionality and is performed by developers. Uniquely, a smoke test was conducted during the integration to assess whether the main software is functioning correctly. The acceptance criteria of LexisNexis consisted mainly of how to associate individuals with Digital ID in order to execute immaculate customer trust decisions in real time. Ultimately, the unification of the analytics across the entire digital trace of an individual would decrease fraud and reduce abandoned transactions. Since the companies have been collaborating under the radar years prior to the acquisition, it is safe to assume all concerns regarding ThreatMetrix were adequately addressed by LexisNexis.

Scalability and projected growth were among the numerous traits ThreatMetrix could offer, and part of the reason for the acquisition, along with the knowledge that the ability to access more data would further expand the horizons LexisNexis covered. The transition of ThreatMetrix to LexisNexis platforms was initiated in 2015; however, as mentioned earlier, finalization came in late 2018. ThreatMetrix is notable for being one of the earlier cybersecurity companies to offer both identity authentication services and malware detection, but the identity repository may be the key to the price paid by RELX. RELX says ThreatMetrix’s so-called Digital Identity Network analyses over 100 million transactions a day, leading to the trail of 1.4 billion distinctive online identities in above 180 nations.

The now LexisNexis sales team provides necessary training to any customer who uses ThreatMetrix, and iterative releases include detailed directions on the additions or subtractions. In terms of the acquisition coming into place, ThreatMetrix imposes rigorous training on how their product works. LexisNexis would provide training on how to comply with LexisNexis regulations. Knowledge of the whole application functionality is exchanged in the form of training. Skills training is also a requirement and is conducted online.

The customers won’t be impacted by the acquisition unless and until new functionality is introduced. As for the sales team and operational facility, a rigorous, knowledge-based training process assists the operators. When data privacy policies are updated, such as in California last year, where all California residents were given the right to remove acquired data from technology data centers (Hautala, 2019), and similarly with the UK and the GDPR (GDPR, n.d.), employees are notified and trained to adhere to regulations. A document is produced and distributed by the sales team to the customers as well. Customers have their own sales team and both teams coordinate; additionally, online training is provided.

BIBLIOGRAPHY

Ambler, S. W. (2018). User Stories: An Agile Introduction. Retrieved from Agile Modeling: http://www.agilemodeling.com/artifacts/userStory.htm

Analytics Co RELX Buys Anti Fraud Start Up Emailage. (2020). Retrieved from PYMNTS: https://www.pymnts.com/news/partnerships-acquisitions/2020/analytics-co-relx-buys-anti-fraud-startup-emailage-for-480m/

Cloud Service Level Agreement Standardisation Guidelines. (2014, June 26). Retrieved from European Commission: https://ec.europa.eu/digital-single-market/en/news/cloud-service-level-agreement-standardisation-guidelines

Constine, J. (2012). ThreatMetrix Acquires Trustdefender. Retrieved from Tech Crunch: https://techcrunch.com/2012/01/09/threatmetrix-acquires-trustdefender/

GDPR. (n.d.). Retrieved from Intersoft Consulting: https://gdpr-info.eu/

Hautala, L. (2019). CCPA Is Here. Retrieved from Cnet: https://www.cnet.com/news/ccpa-is-here-californias-privacy-law-gives-you-new-rights/

Intellectual Property In Outsourcing. (n.d.). Retrieved from LexisNexis: https://www.lexisnexis.com/uk/lexispsl/commercial/document/392064/8WBR-HMN2-8T41-D0PY-00000-00/Third-party-intellectual-property-rights-indemnity-clause%E2%80%94pro-supplier

LexID. (n.d.). Retrieved from LexisNexis: https://risk.lexisnexis.com/our-technology/lexid

LexisNexis Payment Terms and Interest. (n.d.). Retrieved from LexisNexis: https://www.lexisnexis.com/uk/lexispsl/commercial/document/391299/55MR-DYP1-F185-N0BS-00000-00/Price%2C-payment-terms-and-interest

Lunden, I. (2018, January 29). Relx acquires ThreatMetrix. Retrieved from Tech Crunch: https://techcrunch.com/2018/01/29/relx-threatmetrix-risk-authentication-lexisnexis/

Outsourcing Agreements – Overview. (n.d.). Retrieved from LexisNexis: https://www.lexisnexis.com/uk/lexispsl/commercial/document/393989/5MY4-DB51-F18C-X2JY-00000-00/Outsourcing_agreements_overview

Outsourcing by Law and Sector. (n.d.). Retrieved from LexisNexis: https://www.lexisnexis.com/uk/lexispsl/commercial/document/393989/5MY4-DB51-F18C-X384-00000-00/Outsourcing-by-type-and-sector%E2%80%94overview

Silva, A. D. (2020). Software Engineer II. (K. Farwana, Interviewer)

ThreatMetrix. (n.d.). Retrieved from LexisNexis: https://risk.lexisnexis.com/products/threatmetrix

Contributors:

Khalid Farwana: kfarwana@yahoo.com  

Mia Tollefson: miatollefson@gmail.com  

Mitchell Otterstrom: vc4169cf@go.minnstate.edu  

Mohamed AwMohamed: Mohamed.awmohamed@gmail.com  

Sarah Kue: qc9745eb@go.minnstate.edu  

Metropolitan State University MIS 310-50
