It seems that every day, there’s a news story about hackers stealing customer information from a computer system. Most publicized cases involve large companies being hacked for credit card information and passwords for millions of people. Small companies are hacked too, but those stories don’t seem to grab as much attention.
Physical mail is fairly secure and is protected by federal laws enforced by the US Postal Service Inspection Service (USPIS). With a heritage that traces back to Benjamin Franklin, the USPIS aggressively pursues criminals who use the mail to attack or defraud victims. Companies and individuals put great trust in a sealed envelope marked “First-Class Mail”.
In the past, creating transactional mail documents was performed by companies using internal systems. Printers were directly attached to the mainframe computer system. The mail services department was in the same building, if not in the same room. There were tight controls from data to print to insert to delivery to the post office.
Today, most companies use a mix of internal and external resources to create mail. Whether the work is outsourced to a print service provider (PSP) or processed by an in-plant operation, data is still shared with external companies. Address standardization and move-update solutions are hosted externally, or the vendor sends updates via the internet. Document composition is now offered as software-as-a-service.
Companies need to validate that their data is secured at every point: the files they send to PSPs, the data files they exchange with software providers, and the systems that print and insert the physical documents. That means conducting regular audits that include documentation review, systems inspection, and testing by the customer and vendors.
Before reviewing the components of the audit, ensure you have the right members of the audit team. A good team will include compliance, information technology, purchasing, postal experts and the auditors (internal or external). The information technology members should be specialists on the software and systems being inspected.
Documentation is the hallmark of a quality operation. For data security, this extends beyond standard policies and procedures that detail how the systems and programs work. Organizations must demonstrate that their systems are configured to prevent unauthorized access – from internal and external sources. This includes physical access (e.g., dual controls on server rooms) and digital access (e.g., firewalls).
Necessary documentation also includes a roster of employees and contractors who are authorized to access the system, event logs (planned and unplanned), and software version control. Backup, business continuity and disaster recovery plans are additional requirements. Lastly, there should be stated procedures for how data is secured when not in use, and how it is deleted at the required compliance date.
The documentation should be supplied in advance of the onsite audit. The team should review for completeness and updates. During the audit, the documents should be compared to what actually occurs – or has occurred in the past. Rosters should be cross-checked with current employee listings, and access controls verified. File properties, including creation date, should be inspected for consistency with storage protocols.
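One way to script the roster cross-check and file-date inspection described above (an added example, not part of the original article; the account names, file names, 30-day retention period and audit date are constructed assumptions):

```python
from datetime import date

def audit_roster(roster, current_staff, system_accounts):
    """Compare the documented access roster with the current employee and
    contractor listing and with the accounts that exist on the system."""
    roster, staff, accounts = set(roster), set(current_staff), set(system_accounts)
    return {
        # Authorized on paper but no longer on the current listing
        "on_roster_not_current": sorted(roster - staff),
        # Can log in but never documented as authorized
        "account_not_on_roster": sorted(accounts - roster),
        # Highest priority: departed person whose account still exists
        "departed_with_live_account": sorted((roster - staff) & accounts),
    }

def overdue_files(inventory, retention_days, audit_date):
    """Return (file name, days past retention) for every file older than
    the documented retention period allows."""
    findings = []
    for name, created in inventory:
        age_days = (audit_date - created).days
        if age_days > retention_days:
            findings.append((name, age_days - retention_days))
    return findings

# Constructed sample data. In a live audit these come from the vendor's
# roster document, the HR/contractor listing, the system's account export
# and the file metadata on the storage location.
ROSTER = ["adiaz", "bchen", "cpatel", "vendor_kim"]
CURRENT_STAFF = ["adiaz", "bchen", "dnguyen", "vendor_kim"]
SYSTEM_ACCOUNTS = ["adiaz", "bchen", "cpatel", "svc_print", "vendor_kim"]

RETENTION_DAYS = 30             # assumed contractual deletion deadline
AUDIT_DATE = date(2024, 6, 30)  # assumed date of the onsite audit
FILE_INVENTORY = [
    ("stmt_run_0412.afp", date(2024, 4, 12)),
    ("presort_0520.dat", date(2024, 5, 20)),
    ("addr_update_0531.csv", date(2024, 5, 31)),
    ("stmt_run_0610.afp", date(2024, 6, 10)),
]

if __name__ == "__main__":
    for finding, names in audit_roster(ROSTER, CURRENT_STAFF, SYSTEM_ACCOUNTS).items():
        print(f"{finding}: {names}")
    for name, days in overdue_files(FILE_INVENTORY, RETENTION_DAYS, AUDIT_DATE):
        print(f"{name}: {days} days past retention")
```

Each finding is a question for the vendor rather than a verdict: an account missing from the roster may be a legitimate service account that the documentation simply omits.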
While much of the information on systems is included in the documentation, the audit team should validate key components onsite. This may include sitting with a member of the organization’s information technology department in front of their computer. The administrator will walk through the required steps to access the system, the firewalls and authentication protocols for preventing malicious access, and any alerts generated due to errors or attacks.
A good method for reviewing the system controls is to assume different personas. Review what a standard user encounters when logging on, or if they try to access restricted areas. Show the additional controls assigned to a manager or administrator. Lastly, demonstrate what happens when an unauthorized user attempts to bypass the controls.
In the age of piece-level tracking, web-to-print systems, and the Internet of Things (IoT), customer data is also vulnerable on the production floor. Print files and control files contain personal information about the recipient. Equipment is monitored by third parties for performance and service calls. Details on the mailpiece, including the recipient’s name and address, are shared and modified by multiple systems for upload to the U.S. Postal Service or a presort provider.
The organization must validate that the data remains secure at all steps and on each piece of equipment. System architecture maps, data encryption methodology and activity logs will demonstrate the levels of security in place.
The testing should be completed using the customer’s files. The entire process should be monitored, including:
- Transfer of files to the vendor
- Vendor receipt and acknowledgement
- File processing – internal and external
- Transfer (if any) of files to the customer
- Customer receipt and acknowledgement
- File storage (temporary / permanent)
- File deletion
In most cases, the entire process is automated, with the next step starting without operator action. Set up dual screens to monitor what is happening on both the customer’s and vendor’s systems. Note actual transfer, receipt and processing times. If possible, take screenshots to create documentation of the audit.
Many PSPs merge files from several customers before printing to maximize efficiencies and postal discounts. The vendor needs to demonstrate how they manage the data to protect against a customer accidentally receiving someone else’s information.
For vendors who sell cloud-based products or software-as-a-service, an onsite audit isn’t feasible. The equipment and data are often physically located on a server farm hundreds or thousands of miles away. Work with those providers to develop a remote testing protocol that validates the controls in real time.
Due to the sensitivity of security, especially data and internet security, vendors will be wary about sharing detailed information on their systems. However, the owner of the data bears the greatest risk if the system is compromised. Fines and legal liability can be mitigated if a company can demonstrate adherence to best practices. Well-written contracts define the required controls and scope of audits – for process and data security.
Unfortunately, there are people with malevolent intent who will attempt to steal customer data. Organizations and their vendors need to build systems that defend against these attacks. Planned, organized and documented audits will certify that those systems are working.