Mailing in a Secure World

Transcription

1 Mailing in a Secure World Glen Swyers! Manager - Mailing & Fulfillment! Classic Graphics, an Imagine! Print Solutions Company! The Positive! Data Breaches generate a lot of direct mail notifications. 1!

2 What happened?! Security in its infancy was protecting your IT Infrastructure from the latest virus or malware.! Now? One of the biggest threats is your employees themselves either through a malicious action or, much more likely, inadvertent error.! New reality! Your Clients or Organization now conduct vulnerability assessments, penetration tests, application security assessments! Your vocabulary now includes! PCI DSS, SANS, SOC, or ISO 27001! Compliance trumps ROI on new investments.! 2!

3 Pointing the finger! Who should be held liable when there s a massive data breach at a big company? This was one of the hot topics discussed in the 2015 State of the Union Address.! Dilemma! Organizations that do not implement reasonable security protections should be liable for resulting harm, economic or otherwise. But if we try to hold them responsible at the same time that we are trying to figure out what those reasonable protections are, it becomes that much more difficult to learn from incidents.! 3!

4 So am I liable?! I am not a lawyer - and I don't play one on TV.! BUT if you don't have a plan - history is telling us that the less you do to prevent an incident the more potentially liable you may be.! Printer-related security breaches affect 63% of enterprises! Clearly businesses are not doing enough to protect their printing environment, exposing themselves to the potential financial and legal ramifications of print-related breaches,! Pull Printing - use code to get your documents.! printer-related-security-breaches-affect-63-of/! 4!

5 So do we have your attention?! Data security is a good idea! We touched a little on the why! Let's discuss what companies that are in the data/mailing business should be doing to reduce risk.! 5!

6 Step 1! Admit that you have a problem.! If there is no clear consensus on the team that data security is a priority:!! You will fail! Step 2! Develop a Plan! As we discussed, having a plan is almost more important than the plan itself.! 6!

7 Step 3! Execute the Plan! Remember - A good plan violently executed now is better than a perfect plan executed next week.! General George S. Patton! Step 4! Go back to Step 1 and repeat.! The process never stops.! Rules are always evolving.! Threats don't take a break - neither do we! 7!

8 the classic story! We have come a long way! Started in 600 square feet by two friends in college.! Now in the top 1% of all printers in the USA.! 8!

9 Keys to Classic Success! I will not bore you with all the details! Key focus today is our approach to data security and how we have addressed our clients needs and concerns.! Classic : Step 1! Our recognition that there was need in the market place for data security was a direct result of our clients requests.! They needed a partner to quickly respond to direct mail changes - but the information needed to drive the campaigns in raw form was sensitive data.! 9!

10 Classic : Step 2! We invested in smart people and excellent technology! One without the other - just leads to frustration.! Plan components! Badge access to the plant, adding turnstiles to reduce tailgating! Data room: second tier restricted badge access including alarm system with restricted hours.! Data center: 2 person minimum access with man trap, 3 factor authentication including biometrics! Data server: hosts secure data with restricted access! Redundancy in RTP! Input Folder for Sales! File Server: hosts working image files (only composed PDF - no raw data)! Secure proofs stored on data server! 10!

11 Plan components! Moved VDP in to the Data secure room! Employees: background checks, Ethics policy and Social Media Policy.! File Transfer: Secure FTP, Secure ! Gone? Dropbox, Skype, and Thumb Drives (Thanks, Snowden)! Audits - First and Last record, Longest and Shortest, 1 each version, and post on Secure FTP.! Process never stops! In the last year have added! cameras on each rack cabinet! badge access to rack cabinets! cages in shipping areas for delivery drivers! 2 factor authentication for any remote access! and so much more...! 11!

12 Process never stops! Currently adding! DLP system (Data loss prevention)! NAC (Network access control)! Prevention of any use of external storage devices (USB Flash drives, etc.)! Turnstiles at each entrance! Important topics! Encryption - all data is encrypted at rest, data is processed directly on data server NOT on desktop, desktops are encrypted as a failsafe.! Archives:! - How Long?! - More important than ever! - Can you destroy every copy including backups?! - Secure destruction tools to auto execute at X number of days.! Lock box for Secure Waste (crosscut shredded and logged)! 12!

13 ISO 27001! With multiple frameworks and certifications in the market, there is a lot of confusion about what can attest to the security of a system.! ISO certification is proof of an organization s ability to maintain an effective Information Security Management System. It s comparable to getting a house inspected.! Need to raise the bar even higher? Add SSAE16, Type 2.! Why did Classic choose ISO 27001?! Classic has been ISO 9001 certified since 1998! ISO is part of our culture! was a natural progression building on our 9001 foundation.! 13!

14 What has meant to our clients?! Before ISO27001! Annual inspection took days! After ISO27001! Clear understanding of our standards! Inspection has been reduced to hours onsite or not required.! How ISO has helped! It provides a framework for the management of information security risks, which ensures you take into account your legal, contractual and regulatory requirements.! 14!

15 Benefits of ISO 27001! Supports compliance with relevant laws and regulations! Reduces likelihood of facing prosecution and fines! Can help you gain status as a preferred supplier! Other stories! Small Mailer in Orlando - PCI Only! $10,000! Mid-Size Mailer in South East - SOC! $30,000 for consultant! 15!

16 Summary! Data Security is no longer an optional item! It takes more than just IT to execute! The important thing is to start! 16!

17 Questions?! Mailing in a Secure World Glen Swyers! Manager - Mailing & Fulfillment! Classic Graphics, an Imagine! Print Solutions Company! 17!