Information security has been emerging as a key issue for print and mail organizations during the past few years. The real possibility of identity theft, coupled with the sometimes reckless reporting by the media of every data breech, have raised the level of concern considerably. We are being viewed as "data stewards" and, as such, required to do our best to minimize the risk of a security lapse, with the data we handle and the documents we create.
Because we are all responsible for the information in our businesses, it is critical to be aware of the level of seriousness required and put internal processes into place that ensure fail-safe procedures. Administrative, technical and physical safeguards must be implemented to protect classified information. This proves to your employees and customers that you have done the work needed to keep their information safe.
Starting at the Top
To be truly effective, a security initiative needs to be a top-down effort, with the visible involvement and leadership of senior management. Everyone in the organization must buy in to the importance of having measures in place to help manage and eliminate security violations. It must be a mandate, a clear-cut signal that the company is really serious about protecting the personal information of the customers and prospects of our clients. In other words, document security simply becomes part of the corporate philosophy.
Most companies start out thinking of all the obvious factors involved in information security. If you have been in this industry for some time, you have probably always had some basic safeguards in place to protect your facility and the data you utilize. However, when you look at information security globally, it involves detailed attention to both physical and data security, coupled with proof of compliance and robust staff training. Lately, there has been a dramatic shift in the emphasis placed on information security by our clients. They now require more than good intentions and broad generalities to ensure compliance with good security practices. Most importantly, you now need to provide evidence of all security activities with extensive documentation.
Many financial and retail institutions in particular have increased their diligence in requiring protection for information that is shared with vendors. Our clients are subject to a number of regulations in the security arena, including the Gramm-Leach-Bliley Act, protecting the privacy of financial information. Yet there is a surprising amount of variation in adherence to the issue. In terms of specific guidelines, there are two approaches to meeting information security requirements. In general, it appears that most vendors of transaction documents will be subject to the requirements of SAS 70, while providers of marketing materials and mailings will need to follow ISO 27001/27002 (formerly ISO 17799). Both programs offer a framework for information security and provide some guidance to implement the controls necessary to achieve regulatory compliance. This is one area where you may want to consider an outside consultant. If you want to ensure you're on the mark, you can commission an independent information security audit focusing on one of these standards. A good auditor will ask in-depth questions in an on-site assessment and then give your company a detailed written report. The audits provide a great way to gain insight into how effective your security measures are, as well as offer a way to measure your security processes against industry standards.
It's All in the Plan
Taking the time to develop a written plan should become a key element in your information security initiative. Here are some things to consider:
- Review of Facility Access One of the first things to review is basic access to your building. Physical security for critical data and documents starts at the front door. Few companies still have an open-door policy. Rules for access to your facilities should incorporate distinctions between staff, temporary workers , vendors and visitors. Access to the most sensitive areas of the building should be the most limited, accompanied by rules, process and documentation.
- Classification of Documents Determine the level of seriousness and attention to security that is required for each type of document. Implement a classification system based on four categories: 1) Public: intended for distribution to the general public, such as company brochures, websites and job openings. 2) Internal Use Only: information not intended for use outside the company such as employee directories, training manuals and internal policies. 3) Confidential: information that is intended for use within the company only. 4) Restricted Confidential: the most highly sensitive category of all, this includes customer data of clients, work-in-process and any information that would violate privacy if released to the public.
- Handling of Sensitive Documents Documents classified as Confidential or Restricted Confidential are considered sensitive. Documents in these categories should have a designated owner and receive appropriate security protections. Determine how to handle this type of information and make sure the parameters are clearly spelled out to employees.
- Document Retention and Destruction There are rules for document retention. Whether you are retaining or destroying documents, rules that outline when and how to track, record and destroy documents need to be outlined.
- Internal Computer Usage What an employee can and cannot leave displayed on a computer when they leave their workstation should be clearly defined. It is recommended that passwords be complex and changed often and computer screens locked down after 15 minutes of no activity.
Internal Education Is Key
Once guidelines are in place, they should become part of your company's overall training. Examples of each document and rules/parameters that accompany each should be thoroughly explained. Employees should have a complete understanding of who has the ownership of each category of information or document and how it's supposed to be treated. Putting standard operating procedures in place will help to eliminate the risk of employees being careless in their use and distribution of data.
Care in Production
With top management on board, the building secured, and your plan in place, maintaining information and document security takes center stage. We recommend what might be called "back office" support for marketers. We often handle jobs that call for multiple versions and complex data manipulations. There could be issues down the road if, for example, the wrong offer is inserted into a personalized piece. We have checkpoints in place to review those types of results before the piece is finished. If you are a company that prints and/or mails any type of document with sensitive customer information, formal checks and balances need to be integrated into the document production process.
There are effective solutions on the market to help manage or eliminate security issues. Today's top software and hardware vendors are savvy about this issue and understand that violating customer privacy and trust puts the entire customer relationship at great risk. Make it a policy to be up-to-speed on what is new in this area and be willing to spend some money to replace any software or equipment that does not meet your standards.
Pulling together an information/document security process is not simple, nor inexpensive. But if the risk of making any errors surrounding the security of proprietary information keeps you up at night, the very best you can do is minimize the odds and implement controls that provide accountability. The time and resources put toward a security project can be high. But my advice is to embrace them. Because sleeping at night is important, too.
Dave Henkel is President of Johnson and Quin, a national leader in targeted full-service direct mail printing and production. He can be reached at dhenkel@J-QUIN.com.