Up next in our Ask the Expert series, Ben Rothke, Senior Information Security Manager, reviews two certifications that should be part of your information security strategy: Service Organization Control (SOC) 2 Type 2 and International Organization for Standardization (ISO) 27001. Tapad, a part of Experian, is 27001 and SOC 2 Type 2 compliant.
Two information security certifications you can trust
Seals from Good Housekeeping and Underwriters Laboratories give consumers confidence that they can trust the product that they’re buying. For IT solutions or service providers, what, or who, can you turn to for that seal of approval? There are many equivalent third-party attestations you can use. But which should you trust?
- The International Organization for Standardization (ISO) 27001
- The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC)
International Organization for Standardization (ISO)
ISO 27001 is an international standard for information security from the ISO. It is globally acknowledged and sets requirements for controls, maintenance, and certification of an information security management system (ISMS). This international standard provides organizations with a framework to identify, manage and reduce risks related to the security of information.
System and Organization Controls (SOC)
The SOC, as defined by the AICPA, is a set of audit reports. SOC reports, like 27001 certificates, are used by service organizations to give their customers confidence that they have adequate information security controls in place to protect the data that they handle.
SOC 2 is an assessment of controls at a service organization regarding security, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to provide extensive information and assurance to a broad range of users about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of the information processed by these systems.
Why ISO 27001 and SOC 2 are important
The value of these third-party attestations is two-fold:
- Organizations can show they have passed an independent external audit
- Third-party attestations save organizations the time of having to do their own audits
In addition to 27001 and SOC 2 Type 2 compliance, we are also certified with ISO 27017 and 27018, which are add-ons to 27001 that are specific to cloud computing. We take the security and privacy of our customers’ data as seriously as they do.
Every cloud service provider (CSP) has a responsibility matrix that details which security and privacy tasks they are responsible for and which ones the customer is responsible for. Any cloud customer that is not aware of what their security tasks are is putting themselves at risk.
So, when you want to engage a CSP, ask them for their attestations. They worked hard for them and will be proud to share their compliance.
We’re powered by decades of setting standards in marketing services
At Experian, we’re a privacy-first business. We’re highly focused on respecting people, their data, and their privacy. We continue to show our dedication to information security by completing these security audits every year.
The constant changes to data compliance regulations can be challenging to navigate, but you don’t have to do it alone. Contact us today. We will be your guide so you can ethically and confidently reach your customers.
About our expert

Ben Rothke, Senior Information Security Manager
Ben Rothke, CISSP, CISA, is a Senior Information Security Manager at Tapad, a part of Experian. He has over 25 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, cryptography, and security policy development. Ben is the author of Computer Security – 20 Things Every Employee Should Know (McGraw-Hill), and writes security and privacy book reviews for the RSA Conference Blog and Security Management magazine.