Up next in our Ask the Expert series, Ben Rothke, Senior Information Security Manager, reviews two certifications that should be part of your information security strategy: Service Organization Control (SOC) 2 Type 2 and International Organization for Standardization (ISO) 27001. Tapad, a part of Experian, is 27001 and SOC 2 Type 2 compliant.
Two information security certifications you can trust
Seals from Good Housekeeping and Underwriters Laboratories give consumers confidence that they can trust the product they’re buying. For IT solutions or service providers, what, or who, can you turn to for that seal of approval? There are many equivalent third-party attestations you can rely on. But which should you trust?
- The International Organization for Standardization (ISO) 27001
- The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC)
International Organization for Standardization (ISO)
ISO 27001 is an international standard for information security published by the ISO. It is globally acknowledged and sets requirements for the controls, maintenance, and certification of an information security management system (ISMS). The standard gives organizations a framework to identify, manage and reduce risks to the security of their information.
System and Organization Controls (SOC)
The SOC, as defined by the AICPA, is a set of audit reports. SOC reports, like 27001 certificates, are used by service organizations to give their customers the confidence they have adequate information security controls in place to protect the data that they handle.
SOC 2 is an assessment of controls at a service organization regarding security, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to provide extensive information and assurance to a broad range of users about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of the information processed by these systems.
Why ISO 27001 and SOC 2 are important
The value of these third-party attestations is two-fold:
- Organizations can show they have passed an independent external audit
- Third-party attestations save customer organizations the time of having to perform their own audits of the provider
In addition to 27001 and SOC 2 Type 2 compliance, we are also certified with ISO 27017 and 27018, which are add-ons to 27001 that are specific to cloud computing. We take the security and privacy of our customers’ data as seriously as they do.
Every cloud service provider (CSP) has a responsibility matrix that details which security and privacy tasks the provider is responsible for and which ones the customer is responsible for. Any cloud customer that does not know which security tasks it is responsible for is putting itself at risk.
So, when you want to engage a CSP, ask them for their attestations. They worked hard for them and will be proud to share their compliance.
We’re powered by decades of setting standards in marketing services
At Experian, we’re a privacy-first business. We’re highly focused on respecting people, their data, and their privacy. We continue to show our dedication to information security by completing these security audits every year.
The constant changes to data compliance regulations can be challenging to navigate, but you don’t have to do it alone. Contact us today. We will be your guide so you can ethically and confidently reach your customers.
About our expert

Ben Rothke, Senior Information Security Manager
Ben Rothke, CISSP, CISA, is a Senior Information Security Manager at Tapad, a part of Experian. He has over 25 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, cryptography, and security policy development. Ben is the author of Computer Security – 20 Things Every Employee Should Know (McGraw-Hill), and writes security and privacy book reviews for the RSA Conference Blog and Security Management magazine.
Latest posts

Globalization affects retailers in a number of ways. Complying with commercial laws wherever they have brick-and-mortar stores is one such impact. Navigating through privacy rules that impact e-commerce efforts is another. There is one blind spot in particular that deserves attention: sending shopping cart abandonment emails. I am often asked, “How are abandonment emails treated under the CAN-SPAM Act? Canada’s stringent Anti-Spam Law (CASL)?” “Can I even send abandonment emails to my Canadian customers?”

What are cart abandonment emails?
But let’s back up… What is an ‘abandonment’ email anyway? In the email space, shopping cart abandonment refers to a particular type of automated mailing used to re-engage an online customer. The most common example is one where a retailer notices that a customer has left an item sitting in their shopping cart and proceeds to send a reminder with a coupon to complete the order. To fully understand privacy compliance pitfalls with this technique, in the U.S. and beyond, we need to unpack what happens before the abandonment email is sent.

Email marketing shopping cart abandonment compliance
Abandonment messages are almost always ‘commercial’, particularly if they incentivize a shopper to complete their purchase. In compliance parlance, we call this encouraging the continuation of a commercial activity. In contrast, an order confirmation typically provides factual information about a commercial activity. Under most anti-spam laws, particularly under CASL, marketers need to ensure abandonment messages are not unsolicited. Triggering should account for:
- Appropriate consent covering email marketing to new or ongoing online relationships.
- Scrubbing the customer’s email address against your unsubscribe/suppression lists before sending a solicitous message. (This is true under any anti-spam law.)
For more information about CASL-compliant consent record keeping and related best practices, you can navigate to the Canadian Radio-television and Telecommunications Commission.

Maintaining compliance with online tracking
Abandonment emails rely on online retailers tracking their customers’ activity on their websites and tying online behavior back to email addresses using the same behavioral targeting technologies as those used to deliver Interest Based Ads. This jump across engagement channels to remarket to customers can raise privacy concerns, so online retailers need to pay attention to their privacy compliance obligations.

Cross-channel marketing privacy protections
Guidance covering privacy policies and practices issued by the Federal Trade Commission is informative, and I encourage you to review it with your law department. If you operate outside the U.S., privacy protection laws like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) may set out additional obligations for your cross-channel marketing efforts.
- PIPEDA’s definition of commercial activity, which includes remarketing
- Privacy Commissioner’s findings under PIPEDA in relation to remarketing
- Privacy Commissioner’s guidance on online behavioral advertising, the technology of which informs triggered emails
Under PIPEDA and similar international privacy regimes, cross-channel marketers will need to (i) clearly and conspicuously inform website visitors that their online activities may result in personalized marketing, (ii) offer a way to opt out of such tracking, and (iii) obtain individuals’ prior express consent for tracking involving sensitive personal information such as health data.

How to manage cross-channel marketing compliance risks
As privacy protection regimes around the world continue to mature and absorb rules covering marketing, online retailers need to start adding new vocabulary to their privacy compliance lexicon. For example, shopping cart abandonment efforts produce ‘cross-channel re-marketing campaigns triggered by an identifiable individual’s online behavior.’ While this is a mouthful to say, viewing your engagement efforts through this lens will help you manage compliance risks.

Experian can help you navigate compliance risks
Our privacy-first approach to data is trusted across industries around the world. As a leader in the industry, we are here to help you leverage the power of data while maintaining the highest standards of consumer privacy compliance and legal guidelines. With almost 30 years in business, we are here to help you confidently create and launch data-driven marketing strategies. Contact us today to get started!

Please note: Cross-Channel Marketing does not give legal advice on electronic marketing regulations or privacy laws. To mitigate risk to your business, please consult with your legal counsel on the law and your corporate policy.

Partnership combines customer connections and cross-device scale to deliver more strategic customer insights

NEW YORK AND CHICAGO — March 16, 2017 — Signal, the global leader in customer identity, today announced a partnership with Tapad, now part of Experian and the leading provider of unified, cross-screen marketing technology solutions. This global integration extends device connectivity for Signal’s clients across North America, APAC and EMEA by leveraging Tapad’s proprietary Device Graph™.

With Signal’s Customer Identity Solution, brands benefit from more visibility of known customers, lower costs to reach those customers and decreased expenses and data loss that often results from using multiple vendors. Integrating with Tapad’s Device Graph, which connects billions of devices, enables Signal clients to build an even broader view of their known customers across multiple devices.

This integration combines Signal’s customer identity scale with Tapad’s device scale to expand the reach of addressable media channels and enhance customer journey insights across touchpoints. Tapad and Signal were able to drive incremental device connections for more than 65 percent of customer profiles, linking an average of 6.8 browsers and devices per customer. With this combined data set, Signal clients can expand their authenticated view of a customer to all associated devices and realize more strategic insights into their high-value users.

The partnership also allows Signal’s clients to integrate in real-time with Tapad’s media platform, Unify. This proprietary technology enables advertisers to make real-time activation and buying decisions with maximum scale, as well as automated reporting and measurement.

“Continuously recognizing customers across devices instantly and in a privacy-safe way is essential for marketers to stay competitive,” said Marc Kiven, founder and CRO of Signal. “We are thrilled to enter this unique, global partnership with Tapad, enabling our clients to access their technology and more effectively reach customers in real-time and at scale.”

“Being able to leverage a persistent view of customer connections across devices is a huge challenge for brands,” said Pierre Martensson, SVP and GM of Tapad’s global data division. “With Tapad, Signal is now able to connect with the billions of existing data points in our device graph to help clients better understand customer behavior and realize even stronger customer engagement.”

Contact us today

Early successes include revenue increases, global partnerships and fundraising

NEW YORK, March 16, 2017 /PRNewswire/ — Tapad's entrepreneurial mentorship initiative, the Propeller Program, has seen extremely positive results since it began in September 2016. The five early-stage startups selected from Norway have gained momentum in establishing a U.S. presence. Tapad, now a part of Experian, is the leader in unified cross-device marketing technology. The company was acquired by the Telenor Group in 2016.

Among the successes within Propeller:

Xeneta, the leading ocean freight price comparison platform and contracted rate database, has raised an additional $12M in funding since beginning the Propeller Program. Before the end of 2016, the company had exceeded its revenue expectations by nearly 30 percent, proving the European-focused business could succeed in the American market. "Aside from directly impacting our revenue, the Propeller Program has provided us with incredible access to a countless number of external resources, including subject matter experts from the fields of fundraising, public speaking, corporate structuring and immigration law," said William Di Ieso, GM of North America for Xeneta. "We remain extremely grateful for the opportunity and exposure the program has provided for Xeneta."

Bubbly, an in-store real-time engagement tool for non-buyers, now has clients on four continents. After only a few months in the U.S. market, Bubbly has signed deals with one major retail brand, one major toy manufacturer and a major global consulting firm. The Propeller Program has also opened doors for greater opportunities in Scandinavia and EMEA. After an introduction to Telenor Group's President and CEO Sigve Brekke, Bubbly is currently piloting its IoT kiosk with the company. "The mentoring sessions have been very valuable and have given us guidance as to how to best enter the U.S. market," said Marianne Haugland Hindsgaul, Bubbly CEO and co-founder. "Learning to do business in the U.S. is not something you can necessarily learn from a book. The most impactful lessons are based on real-world experience, and that is what the Propeller Program has given us."

BylineMe, a marketplace for freelancers, publishers and brands to connect for content creation and distribution services, has built an extensive network of potential clients and investors. The company has tested its product in the U.S. market and gained valuable feedback for further development.

Eventum, a property-sharing group that digitally assists in securing venues for meetings and corporate events, has closed a seed round of funding for nearly $1M. Eventum has also made key hires in the areas of business development and engineering.

Socius, under the influence of Tapad, pivoted into the ad tech space, positioning itself as "a social native ad platform" for digital publishers. The company has attracted top talent to begin building out its U.S. business development and sales divisions. As a result, Socius has signed a host of premium publisher partners to validate its exciting new direction.

"It is so rewarding to be able to support these Norwegian startups in a meaningful way," said Are Traasdahl, CEO and founder at Tapad. "Mentor relationships are critical for strategic growth, and I am proud to be able to pay forward the experiences I have gained as an entrepreneur. To me, the Propeller Program is a shining example of the magic that can happen when Norwegian innovation meets American opportunity."

Contact us today!