Information Security
By: David Henkel, President, Johnson & Quin, Inc.
It's an inside job
Information security has emerged as a key management issue for print and mail organizations over the past few years. The real possibility of identity theft, coupled with the sometimes reckless reporting by the news media of every data breach, has raised the level of concern considerably. Increasingly, we are viewed as "data stewards" and, as such, are required to do our best to minimize the risk of a security lapse, both with the data we handle and with the documents we create.
Because we are all responsible for the information in our businesses, it is critical to be aware of the level of seriousness required and to put internal processes in place that ensure fail-safe procedures. Administrative, technical, and physical safeguards must be implemented to protect information that has been classified as sensitive. This proves to your employees and your customers that you have done the work needed to keep their information safe.
Starting at the top
To be truly effective, a security initiative needs to be a top-down effort, with the visible involvement and leadership of senior management. Everyone in the organization must buy in to the importance of having measures in place to prevent security violations and to catch those that do occur. It must be a mandate, a clear-cut signal that the company is serious about protecting the personal information of our clients' customers and prospects. In other words, document security simply becomes part of the corporate philosophy.
Most companies start out, as ours did, thinking of the obvious factors involved in information security. If you have been in this industry for some time, you have probably always had some basic safeguards in place to protect your facility and the data you use. However, when you look at information security as a whole, it involves detailed attention to both physical and data security, coupled with proof of compliance and robust staff training. Lately we have noticed a dramatic shift in the emphasis our clients place on information security. They now require more than good intentions and broad generalities to assure compliance with good security practices. Most importantly, you now need to provide evidence of all security activities, with extensive documentation.
Many financial and retail institutions in particular have increased their diligence in requiring protection for information that is shared with vendors. Our clients are subject to a number of regulations in the security arena, including the Gramm-Leach-Bliley Act, which protects the privacy of consumer financial information. Yet there is a surprising amount of variation in how closely the requirements are followed. In terms of specific guidelines, or road maps for performance, there are two common approaches to demonstrating information security to clients. In general, most vendors of transaction documents will be asked for a SAS 70 audit (an auditing standard under which an independent auditor reports on the controls a service organization has defined for itself; it has since been superseded by the SSAE 16 and SSAE 18 SOC 1 reports), while providers of marketing materials and mailings will be asked to follow ISO 27001/27002 (formerly ISO 17799), which specifies an information security management system and a catalogue of controls. Both give you a framework for organizing your security program and some guidance on implementing the controls needed to achieve regulatory compliance. While you can always attempt to meet these standards through a self-taught in-house approach, the task can be daunting. This is one area where you may want to consider an outside consultant. If you want to be sure you are on the mark, and want to assure your customers, you can commission an independent information security audit focused on one of these standards. A good auditor will ask in-depth questions in an onsite assessment and then give your company a detailed written report. These audits are a great way to gain insight into how effective your security measures actually are, and to measure your security processes against industry standards.
It's all in the plan
Taking the time to develop a written plan should become a key element in your information security initiative. Here are some things to consider:
- Review of facility access-One of the first things to review is basic access to your building. Physical security for critical data and documents starts at the front door. Few companies still have an open-door policy; some simply keep the doors locked, while others use security badges and a thorough access regimen. Rules for access to your facilities should distinguish between staff, temporary workers (if any), vendors, and visitors. Access to the most sensitive areas of the building should be the most limited, with written rules, a defined process, and a record of who entered and when.
- Classification of documents-Determine the level of seriousness and attention to security required for each type of document your organization creates or uses. Implement a classification system based on four categories: 1) Public - intended for distribution to the general public, such as company brochures, websites, and job openings. 2) Internal Use Only - information not intended for use outside the company but available to any employee, such as employee directories, training manuals, and internal policies. 3) Confidential - information restricted to those within the company who need it for their jobs. Examples include pricing information, financial records, and contracts. 4) Restricted Confidential - the most sensitive category of all; this includes our clients' customer data, work in process, and any information that would violate someone's privacy if released to the public.
- Handling of sensitive documents-Documents classified as Confidential or Restricted Confidential are considered sensitive. Every document in these categories should have a designated owner and receive protections appropriate to its category. Determine how each category is to be handled (storage, transmission, copying, and disposal) and make sure those rules are clearly spelled out to the employees who handle the information.
- Document retention and destruction-Whether documents are being retained or destroyed, the rules should state how long each category is kept, how its location is tracked and recorded while it is held, and how and when it is destroyed, with a record of the destruction.
- Internal computer usage-What an employee can and cannot leave displayed on a computer when they step away from their workstation should be clearly defined. It is recommended that passwords be complex and changed regularly, and that screens lock automatically after no more than 15 minutes of inactivity and require the password to unlock.
Internal education is key
While it may seem like a lot to absorb, once your guidelines are in place they should become part of your company's overall employee training. Examples of each document category, and the rules and parameters that go with each, should be thoroughly explained. Employees should understand exactly who owns each category of information or document and how it is to be treated. Putting standard operating procedures in place helps eliminate the risk of employees being careless in their use and distribution of data.
Care in production
With top management on board, the building secured, and your plan in place, maintaining information and document security in the production environment takes center stage. At Johnson & Quin, we provide what might be called "back office" support for marketers. We often handle jobs that call for multiple versions and complex data manipulations. There could be issues down the road if, for example, the wrong offer is inserted into a personalized piece, or a piece is mailed to the wrong recipient. We have multiple checkpoints in place to catch those kinds of errors before the piece is finished. If your company prints and/or mails any type of document containing sensitive customer information, formal checks and balances need to be integrated into the document production process rather than left to individual operators.
There are effective solutions on the market to help manage or eliminate these errors. When choosing a solution, it is important to consider the right combination of software and "best-of-breed" hardware. Today's top software and hardware vendors are savvy about this issue and understand that violating customer privacy and trust, whether by inserting the wrong data or sending information to the wrong recipient, puts the entire customer relationship at risk. Make it a policy to stay up to speed on what is new in this area and be willing to spend some money to replace any software or equipment that does not meet your standards.
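One concrete form such a checkpoint can take is a reconciliation of the finished run against the input data: every piece read back from the production line (for instance, a recipient ID and offer code scanned from a barcode at the inserter) is compared with what the data file said that recipient should receive. The following is an added example written for this article, not Johnson & Quin's own checking software; the CSV layout, the field names, and the sample records are all constructed for illustration.

```python
"""Reconcile a personalized mail run against its input file.

Each input record names a recipient and the offer that recipient should
receive.  Each produced piece is read back from the line (the example
assumes a recipient ID and offer code can be recovered per piece, e.g.
from a scanned barcode) and compared with the input.  The check flags:
  - pieces whose printed offer differs from the input (wrong offer),
  - input records with no produced piece (missing),
  - recipients produced more than once (duplicated),
  - pieces whose recipient is absent from the input (unexpected).
Any finding means the run should be held before it goes out the door.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    recipient_id: str
    offer_code: str


@dataclass
class ReconciliationReport:
    wrong_offer: list   # (recipient_id, expected_offer, actual_offer)
    missing: list       # recipient IDs in the input with no produced piece
    duplicated: list    # recipient IDs produced more than once
    unexpected: list    # recipient IDs produced but not in the input

    def ok(self) -> bool:
        """True only when every category of finding is empty."""
        return not (self.wrong_offer or self.missing
                    or self.duplicated or self.unexpected)


def parse_records(text: str) -> list:
    """Parse 'recipient_id,offer_code' CSV text (header row required).

    The column names are an assumption for this example.
    """
    reader = csv.DictReader(io.StringIO(text))
    return [Record(row["recipient_id"].strip(), row["offer_code"].strip())
            for row in reader]


def reconcile(expected: list, produced: list) -> ReconciliationReport:
    """Compare produced pieces with the expected input records."""
    expected_offer = {r.recipient_id: r.offer_code for r in expected}
    counts = Counter(p.recipient_id for p in produced)

    wrong_offer, unexpected = [], set()
    for p in produced:
        if p.recipient_id not in expected_offer:
            unexpected.add(p.recipient_id)
        elif p.offer_code != expected_offer[p.recipient_id]:
            wrong_offer.append((p.recipient_id,
                                expected_offer[p.recipient_id],
                                p.offer_code))

    # Counter returns 0 for IDs never seen, so missing pieces fall out here.
    missing = sorted(rid for rid in expected_offer if counts[rid] == 0)
    duplicated = sorted(rid for rid, n in counts.items() if n > 1)
    return ReconciliationReport(wrong_offer, missing, duplicated,
                                sorted(unexpected))


# Constructed sample data: four input records and a read-back of the line
# that contains one wrong offer, one duplicate, one stray piece, and one
# record that was never produced.
INPUT_CSV = """recipient_id,offer_code
C1001,OFFER-A
C1002,OFFER-B
C1003,OFFER-A
C1004,OFFER-C
"""

READBACK_CSV = """recipient_id,offer_code
C1001,OFFER-A
C1002,OFFER-A
C1003,OFFER-A
C1003,OFFER-A
C1099,OFFER-B
"""


def run_check() -> ReconciliationReport:
    """Reconcile the constructed sample run and return the report."""
    return reconcile(parse_records(INPUT_CSV), parse_records(READBACK_CSV))


if __name__ == "__main__":
    report = run_check()
    print("run ok" if report.ok() else "HOLD RUN")
    print(report)
```

The report is deliberately split into four lists rather than a single pass/fail flag, because each finding points to a different failure in the line: a wrong offer usually means a versioning or merge error, a duplicate or missing piece points at the inserter or a restart, and an unexpected recipient means the data file on the line is not the one that was approved. Keep the reports with the job documentation; they are exactly the kind of evidence an auditor will ask for.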
Rest easy
Pulling together an information and document security process is neither simple nor inexpensive. But if the risk of an error involving proprietary information keeps you up at night, the very best you can do is minimize the odds and implement controls that provide accountability. The time and resources a security project demands can be considerable. My advice is to embrace them, because sleeping at night is important too.