Finance, health care, insurance. These are highly regulated industries that demand rigorous information security practices from their business partners—and rightfully so. The protection of confidential data is a matter of brand integrity and, by extension, customer loyalty both to businesses in these industries and to their service providers. But it’s not just these clients who expect proper data protection; anyone who shares their data has an expectation of privacy. Of course, as anyone in the direct marketing industry knows, this means everyone.
Each of these big industries has its own relevant security standards. For example, there’s the Payment Card Industry Data Security Standard (PCI DSS) for the financial/credit card industry and the Health Insurance Portability and Accountability Act (HIPAA) for the health field, along with many others.
Why We’re Skeptical of SAS 70 (SSAE 16)
Every so often, we’re asked about SAS 70 (now SSAE 16). For those a bit rusty on their auditing standards, SAS 70 was, for many years, the authoritative guidance for reporting on service organizations’ control activities and processes to their customers. So why aren’t we all over it?
Jonathan Gossels, President and CEO of System Experts, wrote an article that sums up our feelings perfectly, entitled “SAS 70: The Emperor Has No Clothes.” In it, Gossels makes several good arguments against SAS 70: it doesn’t provide the objective set of standards needed to effectively gauge the strength of an organization’s security efforts, it’s not audited by experts within the field of technology, and it’s designed to drive billable hours rather than provide an actionable account of an organization’s security gaps.
Why We Chose ISO 27001, PCI DSS and HIPAA
This is why IWCO Direct has focused its compliance and certification efforts on industry-recognized best practices such as ISO 27001 and PCI DSS. These disciplines are focused in-depth on the areas of information security that are of greatest concern to our company and our customers. Those in the health care industry need not worry either, as we’ve also made HIPAA compliance a top priority.
Basing our security practice on these standards demonstrates our commitment to taking a proactive approach to security rather than a reactive one. While we have yet to find one standard that covers every customer requirement 100% of the time—striving to close those special customer-specific gaps is a top priority of ours—it’s a great help to know that we’ve got most of it covered before the questions are even asked.