April 18, 2011
How Safe Is Your Data? Certification Answers That Question
Last month, Nancy Freeman posted a blog that talked about EU’s recent HIPAA certification and what that means to marketing (HIPAA and Direct Mail). Data has become such a critical part of marketing that the security of that data and of the information it carries go hand in hand with it. Let’s take a closer look...
Almost any new vendor-client relationship has a data security evaluation component. Whether it is part of the initial vendor review or part of the start-up, it’s critical to ensure that your data will be handled properly. You can benefit by discovering whether a prospective printing and mailing partner has the proper systems and controls in place to match your needs. One of the best indicators is whether the vendor holds some type of security-related certification.
Certifications come in different forms depending on the industry and the specialization: SAS 70 (U.S. general business), PCI (credit card processing), ISO 27001 (international general business), and HIPAA (U.S. health), to name a few. Their purpose is to protect confidential information and ensure the continual improvement of the systems. The certification process involves third-party auditors who do periodic reviews and provide feedback for remediation. Once the auditors deem that the systems fall within acceptable standards, a certification or letter of findings is provided. This process normally takes place on an annual basis.
Let’s look at a simplified example of what is evaluated as a part of data security. The actual audit process can take days or weeks depending on the scope. Often companies will do their own security evaluation of vendors that consists of a set of questions that are answered in advance and an on-site visit.
The core of information security is the CIA triad: Confidentiality, Integrity, and Availability. This provides a handy framework to look at the areas for review and how they relate to your printing and mailing partner.
Confidentiality: To ensure the data can only be accessed by those who are authorized. The key is to have controls in place as to who has access to the data. This includes:
- Physical security
  - Is the plant secure?
  - Are there processes and controls on physical printed pieces once they contain data?
- Access control procedures
  - Who can access the data?
  - Who grants and denies access to data?
- Network security
  - Are there controls that limit access to data?
  - Is the network secure from both internal and external threats?
- Transmission security
  - Is the channel used to transmit data secure?
  - Will the files be encrypted?
Integrity: To ensure the data is correct and not changed (unpredictably). This includes:
- File management
  - How are different customers’ files kept separate?
  - How are they linked to projects?
- System change management
  - Who can make a change?
  - How is it logged and documented?
Availability: To ensure the data is available when needed. The key is to have a system that makes certain the data can be accessed and utilized. This includes:
- Data backup
  - Is the data backed up?
  - Can it be restored?
- Redundant systems
  - What happens when a system fails?
  - How long before the system can be restored?
- Backup power supplies
  - What happens when the power fails?
- Disaster recovery
  - Is there a documented plan?
These are just a few of the questions that are often asked as part of an evaluation. There are many more that comprise a standard vendor evaluation, and even more in an audit.
If you’re concerned about how your sensitive data is handled, ask your vendor(s) about their data security policies and whether they hold any certifications. At the very least, this information will give you a rough baseline on how prepared they are to manage sensitive information.
For more information, you can email Chris Konkel, VP of Data Processing, at ckonkel@euservices.com or call him at 301-795-6307.
