Professional Resources

Looking for More Security? Why Are Your Customers?
Mark Eich, CPA, CISA, is Principal in Charge of Information Security Services and Brenda Bijnagte is a Principal at LarsonAllen LLP.

(Part 1 of a 3 part series)

Each year, there are many stories where security is breached and confidential or personal information is stolen. In June 2011, Citigroup alone reported that more than 200,000 user records were subject to unauthorized access. This continual attack on personal information requires handlers of that information to continually increase the level of security and policies to protect that data.

Throughout the year, companies provide your business (also known as a “service provider” or “service organization”) with databases of names, addresses, and other confidential information, such as social security numbers or account numbers. Your customers expect that you have the internal controls in place to protect that information throughout the entire print and conversion process. This would include everything from keeping the initial database protected to a policy for how to handle scrap materials with printed private information on it. These are only a few examples of the policies that a printer should have in place to address security and internal controls.

Over the course of the next few months, we want to provide some additional background and guidance regarding where the common internal control weaknesses are, what you can do to bolster your controls, and how you can provide evidence to your customers that the information they give you is secure while in your possession. This evidence could range from providing internal documentation to allowing the customer to complete an inspection or having an SAS 70 or SSAE 16 audit completed.

Below is the first in a series addressing some background on theft of personal information and some common areas of exposure.

While theft and fraud using personal financial information stems back many years, with the increased use of online banking and purchasing power, the black market for this information has increased exponentially. Based on a recent release by PandaLabs, a security malware analysis and detection lab, credit card numbers, full names, job history, driver’s license numbers, and more, are all for sale for as little as $2, but the dollars can grow based on what is being sold. This is a highly profitable environment.

On the regulation side, Section 404 of the Sarbanes-Oxley Act (SOX) requires public companies to assess and report on their internal controls over financial reporting. Internal controls are the safeguards that businesses put in place to ensure that financial reporting is reasonably accurate and free of significant misstatements, errors, or fraud. This includes both business process controls and IT security controls. For many of these public companies, third-party service organizations (e.g., a printer who helps in their process) are a key element of the financial reporting process and therefore must be included in the SOX 404 assessment.

Second, banking regulators, alarmed about growing data and identity theft, have put more focus on vendor management, requiring banks to know more about the security and privacy practices of third-party service organizations (e.g., those that provide outsourced statement printing) with which they share confidential customer information.

Additionally, for service organizations that work with healthcare clients, privacy and security standards included with the Health Insurance Portability and Accountability Act (HIPAA) have come into play.

This is by no means a complete list of the regulations that exist—there are many more rules related to credit card security policies among others. This is a starting point to emphasize that the amount of required security surrounding this information is continuing to increase.

If you couple the increased online use with increased regulations and requirements, the need for secure systems and strong internal controls is quite evident and explains why customers are asking for an SAS 70 (or SSAE 16) audit.

So what are some of the common areas of internal control exposure that are over-looked?

1. Entity Level controls

• Organizational and management controls—do you have the right tone at the top?
• Vendor management controls—do your vendor contracts cover internal controls and security, and are they monitored?

2. Physical controls

• Who has access to the facility?
• How is makeready and scrap handled?
• Employee policies, including hiring, firing, job rotation, and access to information
• Are you handling finished goods prior to sealing and shipping or mailing properly?

3. Technology controls

• Do you have weak password or passwords that aren’t changed regularly?
• Who has access to information via weak VPN, Web security, or other e-commerce traffic?
• What are your database storage policies (i.e., how long is the database information held)? Who has access to that information?

4. Other controls

• Do you have a disaster recovery plan?

In the next issue, we will look at how you mitigate these areas of exposure, and then, in the third part of the series, we talk about how you can prove to your customer that you have a strong control structure in place to handle their confidential information.