Up next in our Ask the Expert series, Ben Rothke, Senior Information Security Manager, reviews two certifications that should be part of your information security strategy: Service Organization Control (SOC) 2 Type 2 and International Organization for Standardization (ISO) 27001. Tapad, a part of Experian, is 27001 and SOC 2 Type 2 compliant.
Two information security certifications you can trust
Seals from Good Housekeeping and Underwriters Laboratories give consumers confidence that they can trust the product that they’re buying. For IT solutions or service providers, what, or whom, can you turn to for that seal of approval? There are many equivalent third-party attestations you can use. But which should you trust?
- The International Organization for Standardization (ISO) 27001
- The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC)
International Organization for Standardization (ISO)
ISO 27001 is an international standard for information security from the ISO. It is globally acknowledged and sets requirements for the controls, maintenance, and certification of an information security management system (ISMS). The standard provides organizations with a framework to identify, manage and reduce risks related to the security of information.
System and Organization Controls (SOC)
The SOC, as defined by the AICPA, is a set of audit reports. SOC reports, like 27001 certificates, are used by service organizations to give their customers the confidence they have adequate information security controls in place to protect the data that they handle.
SOC 2 is an assessment of controls at a service organization regarding security, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to provide extensive information and assurance to a broad range of users about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of the information processed by these systems.
Why ISO 27001 and SOC 2 are important
The value of these third-party attestations is two-fold:
- Organizations can show they have passed an independent external audit
- Third-party attestations save organizations the time of having to do their own audits
In addition to 27001 and SOC 2 Type 2 compliance, we are also certified with ISO 27017 and 27018, which are add-ons to 27001 that are specific to cloud computing. We take the security and privacy of our customers’ data as seriously as they do.
Every cloud service provider (CSP) has a responsibility matrix that details which security and privacy tasks the provider is responsible for and which ones fall to the customer. Any cloud customer that does not know which security tasks are theirs is putting themselves at risk.
So, when you want to engage a CSP, ask them for their attestations. They worked hard for them and will be proud to share their compliance.
We’re powered by decades of setting standards in marketing services
At Experian, we’re a privacy-first business. We’re highly focused on respecting people, their data, and their privacy. We continue to show our dedication to information security by completing these security audits every year.
The constant changes to data compliance regulations can be challenging to navigate, but you don’t have to do it alone. Contact us today. We will be your guide so you can ethically and confidently reach your customers.
About our expert

Ben Rothke, Senior Information Security Manager
Ben Rothke, CISSP, CISA, is a Senior Information Security Manager at Tapad, a part of Experian. He has over 25 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, cryptography, and security policy development. Ben is the author of Computer Security – 20 Things Every Employee Should Know (McGraw-Hill), and writes security and privacy book reviews for the RSA Conference Blog and Security Management magazine.
Latest posts

Strong Revenue Performance and Thriving Culture Contribute to Industry Recognition

NEW YORK, Sept. 15, 2016 /PRNewswire/ — Tapad, the leader in cross-device marketing technology and now a part of Experian, was named a top company on Inc. Magazine’s list of the 5000 fastest-growing private companies in the U.S. In addition, Tapad won the TMCnet 2016 Tech Culture Award.

The exclusive Inc. 5000 ranking highlights the fastest-growing privately-held* companies in America. These distinguished companies have achieved success in strategy, service and innovation. TMCnet recognizes talented tech professionals who are committed to building a culture that prioritizes employee growth, collaboration and engagement.

Tapad continues to broaden their presence into new markets, having launched in APAC earlier this year, as well as continuing their European expansion. Tapad’s proprietary technology, The Device Graph™, is leveraged by more marketers and brands to understand digital engagement across devices. The company’s rapidly expanding client base includes numerous Fortune 500 company brands as well as all four major advertising holding companies in the U.S.

“We have an exceptional team of innovative people who are all working very hard to achieve the kind of results these publications are recognizing,” said Tapad CEO and Founder, Are Traasdahl. “Given that, we have an even greater responsibility to our talent to create an environment that fosters innovation and nurtures open communication. Ultimately, this is how we will continue to reach our very ambitious goals of becoming the world’s leading unified marketing technology provider.”

Tapad’s award-winning work culture is defined by its gold-standard benefits which include a six-month parental leave policy, unlimited vacation time, company-sponsored meals and office space designed to facilitate collaboration and open communication. Tapad’s highly talented team has also received multiple customer service awards in 2016. These awards include the iMedia ASPY awards for Best Customer Service and Best Mobile Partner as well as recognition from The Communicator Awards of Excellence in Interactive Media.

*Prior to Tapad’s acquisition by Telenor in February 2016.

Contact us today!

The Tapad Device Graph™ Had Twice the Precision and Three Times the Scale as Next Competitor

New York, September 14, 2016 – Just-released findings of a Hotels.com® study revealed that Tapad’s (part of Experian) cross-screen marketing technology achieved the highest levels of precision and scale among competitors. According to the leading online accommodation booking website, after a rigorous, three-and-a-half month vendor analysis, Tapad achieved twice the precision of the next highest-scoring cross-screen offering and three times greater scale. The two other companies evaluated were not named.

Said Helene Cameron-Heslop, Senior Manager of Analytics of the Hotels.com brand, “Our team implemented an extremely rigorous vetting of open, cross-screen technology vendors. At the outset, we assumed we would have to compromise on either scale or accuracy – particularly given the importance to our brand of operating in a privacy-safe setting. We were surprised to find a complete package, but Tapad’s Device Graph won out on scale, accuracy and privacy; making our choice of partners very clear.”

In another metric critical to the Hotels.com brand, The Tapad Device Graph™ was eight times more “unique” than the next closest offering, meaning Tapad’s graph was found to have a much greater number of connections not seen in any of the other graphs. In addition to precision, uniqueness and scale, the Tapad Device Graph™ was found to have:

- 100% higher recall
- 47% more incremental matches
- 53% higher North American market coverage
- 101% higher F-Score*

“A valuable cross-device solution should enable partners to get everything they’re looking for from a single vendor,” said Tapad Founder and CEO, Are Traasdahl. “We are deeply impressed with how thorough Hotels.com was in their vetting, and we confidently tackle the complex challenges of the martech industry thanks to our superior technology. Everyone loves a bake-off, and Tapad is no exception – delivering best-in-class results in areas that really count.”

*F-score is a statistical measurement that takes precision and recall together. The calculation is 2*(precision*recall)/(precision + recall). It gives you one number instead of two numbers to look at and judge performance.

Contact us today

As many folks within the email ecosystem probably know by now, Spamhaus, an organization known for compiling several widely used anti-spam lists, has been extremely active this week. Over the past week, Spamhaus has listed a number of potentially hazardous IP addresses used by some of the world’s largest email service providers due to the way their newsletter signups are set up. According to most of the listings, Spamhaus has stated:

Unfortunately, the said newsletter service is not verifying the email address of new subscribers. Due to this, the service can be easily abused to "listbomb" internet users.

Problem resolution

The newsletter service needs to clean up their email address list and ensure that bulk emails are only being sent to recipients who have verifiably subscribed to their bulk email service. In addition, the newsletter service should take appropriate actions to prevent further abuse of their service:

a) Implementing CAPTCHA to prevent automated subscriptions
b) Implementing Confirmed Opt In (COI) to prevent abusers from adding random email addresses to the newsletter service that are not owned by the subscriber

For the most part these listings should not directly impact marketers’ current ability to send their campaigns and reach their customers, as they are listed as “warnings” within the Spamhaus system. What is important to understand is that these types of listings will likely continue to happen, as Spamhaus has seen a dramatic increase in malicious use of newsletter sign-ups to "email bomb" various addresses, especially government (.gov) domains.

While we understand that implementing CAPTCHA or COI in any marketing system is not something that can be done quickly, Experian Marketing Services has recommended that our clients begin to investigate how they can implement this process in their newsletter sign-ups. Asking customers to simply perform the CAPTCHA check will not only protect marketers from adding addresses submitted by automated signup systems, but will also reduce the possibility of being listed with Spamhaus for these types of issues in the future.

Some additional resources:

- Massive Email Bombs Target .Gov Addresses
- Subscription bombing, ESPs and Spamhaus, August 15, 2016 by laura in Best Practices

Comment on the latter blog post on WordtotheWise.com from the CEO of Spamhaus:

Excellent well summarized article Laura. No, we’ve not changed SBL policy to require COI. It’s something we very strongly advise but we cannot make a requirement. We’ll have to consider it if list-bombing of this magnitude cannot be kept in check by list managers. This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. The attack undoubtedly also hit lists which used Captcha in addition to COI and thus did not even proceed to COI (those list admins deserve some sort of community ‘hi 5’ award, since one can imagine how hard it is to convince one’s management to implement COI let alone put Captcha in front of it). The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses. These we are trying to address with SBL listings to prompt resolution by the Senders. As you noticed, most of these particular incident listings are for IPs ending “.0/32” which does not cause any mail issue to the Sender and is deliberately used where we have a good relationship with the Sender and know they will act quickly on the alert.

Steve Linford
Chief Executive
The Spamhaus Project
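The Confirmed Opt-In mitigation the Spamhaus listings ask for, as an added example that is neither Experian's nor Spamhaus's code: a signup request only issues a confirmation mail carrying a signed, time-limited token, and an address joins the list only when that token comes back. The NewsletterSignup class, the HMAC token format, the 24-hour token lifetime and the one-confirmation-per-hour throttle are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time

# Added example: minimal Confirmed Opt-In (COI) for a newsletter signup.
# A signup never touches the subscriber list; it only sends a confirmation
# mail. A scripted "list bomb" against a victim address therefore produces
# at most one confirmation mail per CONFIRM_WINDOW, never a subscription.
TOKEN_TTL = 24 * 3600       # assumed: confirmation link valid for 24 hours
CONFIRM_WINDOW = 3600       # assumed: one confirmation mail per address per hour


class NewsletterSignup:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now              # injectable clock, so tests can advance time
        self.subscribers = set()
        self.outbox = []             # constructed stand-in for real mail delivery
        self._last_sent = {}         # email -> time of last confirmation mail

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str) -> bool:
        """Return True if a confirmation mail was issued; the list is unchanged."""
        email = email.strip().lower()
        if email in self.subscribers:
            return False
        if self._now() - self._last_sent.get(email, 0) < CONFIRM_WINDOW:
            return False             # throttle repeated signups for one address
        payload = f"{email}|{int(self._now())}"
        token = base64.urlsafe_b64encode(payload.encode()).decode() + "." + self._sign(payload)
        self._last_sent[email] = self._now()
        self.outbox.append((email, token))
        return True

    def confirm(self, token: str) -> bool:
        """Subscribe only when the token is authentic and has not expired."""
        try:
            b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode()).decode()
            email, issued = payload.rsplit("|", 1)
            issued_at = int(issued)
        except (ValueError, UnicodeDecodeError):
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False             # forged or tampered token
        if self._now() - issued_at > TOKEN_TTL:
            return False             # stale confirmation link
        self.subscribers.add(email)
        return True
```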