Mailing Systems Technology - May/June 2008 - (Page 13)

programs oﬀer a framework for information security and provide some guidance to implement the controls necessary to achieve regulatory compliance. This is one area where you may want to consider an outside consultant. If you want to ensure you’re on the mark, you can commission an independent information security audit focusing on one of these standards. A good auditor will ask in-depth questions in an on-site assessment and then give your company a detailed written report. The audits provide a great way to gain insight into how eﬀective your security measures are, as well as oﬀer a way to measure your security processes against industry standards. It’s All in the Plan Taking the time to develop a written plan should become a key element in your information security initiative. Here are some things to consider: • Review of Facility Access — One of the ﬁrst things to review is basic access to your building. Physical security for critical data and documents starts at the front door. Few companies still have an open-door policy. Rules for access to your facilities should incorporate distinctions between staﬀ, temporary workers , vendors and visitors. Access to the most sensitive areas of the building should be the most limited, accompanied by rules, process and documentation. • Classiﬁcation of Documents — Determine the level of seriousness and attention to security that is required for each type of document. Implement a classiﬁcation system based on four categories: 1) Public: intended for distribution to the general public, such as company brochures, websites and job openings. 2) Internal Use Only: information not intended for use outside the company such as employee directories, training manuals and internal policies. 3) Conﬁdential: information that is intended for use within the company only. 4) Restricted Conﬁdential: the most highly sensitive category of all, this includes customer data of clients, workin-process and any information that would violate privacy if released to the public. • Handling of Sensitive Documents — Documents classiﬁed as Conﬁdential or Restricted Conﬁdential are considered sensitive. Documents in these categories should have a designated owner and receive appropriate security protections. Determine how to handle this type of information and make sure the parameters are clearly spelled out to employees. • Document Retention and Destruction — There are rules for document retention. Whether you are retaining or destroying documents, rules that outline when and how to track, record and destroy documents need to be outlined. • Internal Computer Usage — What an employee can and cannot leave displayed on a computer when they leave their workstation should be clearly deﬁned. It is recommended that passwords be complex and changed often and computer screens locked down after 15 minutes of no activity. that violating customer privacy and trust puts the entire customer relationship at great risk. Make it a policy to be up-to-speed on what is new in this area and be willing to spend some money to replace any software or equipment that does not meet your standards. Pulling together an information/document security process is not simple, nor inexpensive. But if the risk of making any errors surrounding the security of proprietary information keeps you up at night, the very best you can do is minimize the odds and implement controls that provide accountability. The time and resources put toward a security project can be high. But my advice is to embrace them. Because sleeping at night is important, too. Internal Education Is Key Once guidelines are in place, they should become part of your company’s overall training. Examples of each document and rules/parameters that accompany each should be thoroughly explained. Employees should have a complete understanding of who has the ownership of each category of information or document and WHAT YOU NEED TO KNOW how it’s supposed to be treated. ABOUT THE SAS 70 AUDIT Putting standard operating procedures in place will help to Customers who outsource document production as part eliminate the risk of employees of their business require assurance service providers being careless in their use and have all of the measures in place to provide a stable, distribution of data. secure environment for customer data. The Statement on Auditing Standard (SAS 70) Type II Report is one Care in Production vehicle used by service organizations as a guarantee to With top management on clients that reliable controls and safeguards are used board, the building secured, when hosting or processing of clients’ data. Below are a and your plan in place, mainfew quick facts about the SAS 70 certification: taining information and document security takes center stage. We recommend what · Achieving SAS 70 certification requires an might be called “back oﬃce” extensive auditing process in accordance with the support for marketers. We American Institute of Certified Public Accountants often handle jobs that call for (AICPA) Statement on Auditing Standards No. 70. multiple versions and complex data manipulations. There · The SAS 70 certification meets the requirements could be issues down the road of the Sarbanes-Oxley Act of 2002—an important if, for example, the wrong oﬀer factor for service organizations that need this type of is inserted into a personalized accountability for billing and operations activities. piece. We have checkpoints in place to review those types · Final results can be shared with the service of results before the piece is organization’s customers, the outsourcer’s customers, ﬁnished. If you are a company and their respective auditors. that prints and/or mails any type of document with sensiFor more information about SAS 70 certification, visit: tive customer information, http://www.sas70audit.com/index2.html. formal checks and balances need to be integrated into the document production process. There are eﬀective solutions on the market to help manage or eliminate security issues. Today’s top software and hardware vendors are savvy about this issue and understand Dave Henkel is President of Johnson and Quin, a national leader in targeted full-service direct mail printing and production. He can be reached at dhenkel@J-QUIN.com. | MAY-JUNE 2008 WWW.MAILINGSYSTEMSTECHNOLOGY.COM 13 http://www.sas70audit.com/index2.html http://www.mailingsystemstechnology.com

Table of Contents Feed for the Digital Edition of Mailing Systems Technology - May/June 2008

Mailing Systems Technology - May/June 2008 Contents Editor’s Note Peer to Peer It’s an Inside Job Greening Your Mail Center Adopting an Automated Document Factory Intelligent Mail and Address Quality 7 Steps to Combat “Do Not Mail” A Successful Resolution Q&A with Dan G. Blair, Chairman, Postal Regulatory Commission The Intelligent Mail Barcode Developing High-Performance Teams Simple Strategies to Save You Money A Powerful Social Network With Change, Comes Opportunity Increasing the Deliverability of Mail Kate’s Slate Products & Services People of Distinction Advertiser Index Sho Time

Mailing Systems Technology - May/June 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.