
Tapad earns SOC 2 Type 2 certification for third year in a row

Published: January 24, 2023 by Experian Marketing Services

Up next in our Ask the Expert series, Ben Rothke, Senior Information Security Manager, reviews two certifications that should be part of your information security strategy: Service Organization Control (SOC) 2 Type 2 and International Organization for Standardization (ISO) 27001. Tapad, a part of Experian, is ISO 27001 and SOC 2 Type 2 compliant.

Two information security certifications you can trust

Seals from Good Housekeeping and Underwriters Laboratories give consumers confidence that they can trust the product that they’re buying. For IT solutions or service providers, what, or who, can you turn to for that seal of approval? There are many equivalent third-party attestations you can use. But which should you trust?

  1. The International Organization for Standardization (ISO) 27001
  2. The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC)

International Organization for Standardization (ISO)

ISO 27001 is an international standard for information security from the ISO. It is globally acknowledged and sets requirements for controls, maintenance, and certification of an information security management system (ISMS). This international standard provides organizations with a framework to identify, manage, and reduce risks related to the security of information.

System and Organization Controls (SOC)

The SOC, as defined by the AICPA, is a set of audit reports. SOC reports, like ISO 27001 certificates, are used by service organizations to give their customers confidence that they have adequate information security controls in place to protect the data that they handle.

SOC 2 is an assessment of controls at a service organization regarding security, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to provide extensive information and assurance to a broad range of users about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of the information processed by these systems.

Why ISO 27001 and SOC 2 are important

The value of these third-party attestations is two-fold:

  1. Organizations can show they have passed an independent external audit
  2. Third-party attestations save organizations the time of having to do their own audits

In addition to 27001 and SOC 2 Type 2 compliance, we are also certified with ISO 27017 and 27018, which are add-ons to 27001 that are specific to cloud computing. We take the security and privacy of our customers’ data as seriously as they do.

Every cloud service provider (CSP) has a responsibility matrix that details which security and privacy tasks the provider is responsible for and which ones the customer is responsible for. Any cloud customer that is not aware of what its security tasks are is putting itself at risk.

So, when you want to engage a CSP, ask them for their attestations. They worked hard for them and will be proud to share their compliance.

We’re powered by decades of setting standards in marketing services

At Experian, we’re a privacy-first business. We’re highly focused on respecting people, their data, and their privacy. We continue to show our dedication to information security by completing these security audits every year.

The constant changes to data compliance regulations can be challenging to navigate, but you don’t have to do it alone. Contact us today. We will be your guide so you can ethically and confidently reach your customers.


About our expert


Ben Rothke, Senior Information Security Manager

Ben Rothke, CISSP, CISA, is a Senior Information Security Manager at Tapad, a part of Experian. He has over 25 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, cryptography, and security policy development. Ben is the author of Computer Security – 20 Things Every Employee Should Know (McGraw-Hill), and writes security and privacy book reviews for the RSA Conference Blog and Security Management magazine.

