Information Disposition Discussion by Bob Johnson


Time
3 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:01
Alright, everyone, welcome back to this module. Today I've got a guest presenter, Mr. Bob Johnson, who is the CEO and Executive Director
00:12
for i-SIGMA, and
00:14
Bob, if you could tell us a little bit about you and i-SIGMA, that would be awesome.
00:18
Well sure, uh, and Andrew, I know you know a lot about this, but for your audience's benefit, um, and you've been very much involved in i-SIGMA over the years. So, um, i-SIGMA actually, uh, stands for, first of all, the International Secure Information Governance and Management Association.
00:38
So that is a mouthful. But it does describe what we are and what we do.
00:42
What your viewers should know, though, too, is that i-SIGMA's about 2.5 years old and was formed
00:50
by the merger of two associations.
00:53
The first one, which I was involved in for the last 30 years, was the National Association for Information Destruction, or NAID as it's commonly known in the marketplace. And NAID's mission was, or is, has been to, um,
01:10
help consumers learn what they need to know about, educate consumers if you will, on the need for the proper disposition of information.
01:21
Um, over our 30 years, obviously, data protection has grown as a concern. But if you go back those 30 years to when we were founded, there was a real need to educate customers that when they discarded their records and their confidential materials, and even back then electronic media, less so of course,
01:40
that they had to be careful because
01:42
there were a lot of bad things that could happen. Not
01:45
Not the least of which was bad guys or bad actors could get their hands on it. But there are other ramifications as well now. So NAID was made, then we had PRISM International. PRISM International had been around even longer, I think 40 years.
02:01
And PRISM International, as you know, Andrew, stood for Professional Records and Information Services Management.
02:08
And so these are the companies, there was a trade association of companies that
02:15
provided records storage services and other records and information management services such as scanning and
02:21
um, and uh, text on demand and tape rotation and other things.
02:28
Of course, there's a lot of overlap between information disposition, which is
02:32
what they did and
02:35
what
02:36
most of the members of PRISM International already did as well. And we found out so much overlap, it just made sense after those 30-some-odd years to merge the organizations into one. And so we've got the pooled resources, the pooled acumen. Um, all of those things allow us to reach out better.
02:54
And currently i-SIGMA,
02:57
being the combination of NAID and PRISM International, has about 1400 members. These are service providers in the destruction or records and information management space around the world. I think we're on
03:10
five of the seven continents at this point and certainly represent the bulk of the industry.
03:16
Well, that's great, thanks for the history on that. And, uh, you were from the NAID side
03:23
and NAID
03:24
really started with the destruction of
03:28
paper information and it's evolved
03:30
into other types of
03:32
destruction or disposition. Tell us a little bit about, you know, some of the other
03:37
items that NAID and the people who are part of NAID,
03:40
service providers, cover, but also how do you keep them accountable?
03:46
Well, good question. And, uh, as you point out, it did start with paper records, of course, when the organization was founded in the early nineties. Um, you know, that's what the confidential media being disposed of was. I mean, that's where it was. My particular, um,
04:06
pedigree, if you will, or history
04:09
was as a service provider in the paper shredding world. So I owned a paper shredding company through the 80s. And among the challenges we had at the time,
04:18
well, I mean, I guess if you had to boil it down to two, the challenges we had in the 80s were that
04:25
one, the customers needed more education on why they should be properly destroying their discarded paper records. And
04:32
on the other hand, we had
04:35
a lot of, unfortunately, disreputable or marginal service providers out there that
04:41
told the customer what they wanted to hear, but weren't walking the walk, didn't have the proper security. So
04:47
after I sold that business in the early nineties, and we founded NAID, the mission of NAID was to, one, educate customers on why they needed to,
04:57
um,
04:58
why they needed to destroy discarded media properly.
05:00
and two, to give those customers tools by which they could better select the vendor, so that they could separate the quality vendor from the riff-raff. So, to your question on accountability,
05:13
we developed a certification program. Now we're 25 years on, and NAID AAA Certification, as it's known, has been from the beginning,
05:24
is kind of now the entry point for secure destruction services. I'm going to say in North America, including, well, I should say in the United States and Canada,
05:35
probably 80 to 85, 90 even, percent of the capacity to provide
05:42
paper destruction services, um, are from NAID certified members. If you look across the gamut, all the large companies and whatever.
05:50
Well, of course
05:53
I'd like to take credit for it, but
05:56
probably 15, 16 years ago,
05:58
seeing what we were doing on the paper destruction side,
06:01
we had, uh, vendors that were recycling computers, recycling electronic
06:08
media
06:10
who were talking to their customers about data protection and the importance of controlling that information when it was destroyed, and destroying the information,
06:17
had the same challenges. They needed to educate the customer on why they needed to do it. They also had
06:25
marginally reputable service providers out there that were telling the customer one thing and doing another.
06:30
So we were able to integrate the electronic media folks
06:33
into the NAID camp, if you will, and develop certification standards, and do all of those same things. Now, with our certification standards in general, we have kind of two ways we approach that. One is the adequate security part of it. So when it comes to access control, employee training, all of those things,
06:53
so that's kind of the security around that issue. The other side of it is the regulatory compliance,
07:00
because it's kind of a unique thing, customers are required under the regulations to properly vet
07:08
the security and regulatory compliance of vendors that they hire with whom they're going to share confidential information. You know this, Andrew, so maybe your audience may not, or some of them may not, but in the regulatory world, you have the data controller, which is the bank or the hospital or the entity
07:27
with whom the individual is sharing their personal information.
07:30
The individual,
07:31
the individual is not selecting the downstream vendors. Those are considered the data processors:
07:40
the shredding company, the record storage company, the billing company, all of the services that the hospital or bank might hire. So, um,
07:48
those banks and insurance companies or whatever, according to the regulations, are supposed to be
07:56
properly vetting, putting those vendors they hire through their paces.
08:00
In fact, really, any company is required to do that. The problem with the regulations is, and this isn't a slam on the regulations, it's just reality,
08:11
most consumers, that is, most companies that would hire a destruction service or a storage service or any other vendor with whom they're going to share personal information,
08:22
they don't know exactly how to do it. How can they be expected to know all the subtleties of providing information destruction services, or all the subtleties of record storage? So when I say we integrate these data security and the compliance, the regulatory compliance aspect of it, so the customer knows,
08:41
when they're picking that vendor
08:43
who is NAID certified, and
08:46
just to be clear, it's called NAID AAA Certification.
08:50
If you want to delve into the AAA, we can. But for right now, that's the only thing that NAID has.
08:56
But the
08:58
what it does for the customer is they know that that service provider
09:05
has the requisite physical security to provide the services as well as meeting the regulatory compliance that goes along with it. And therefore
09:13
they know they're safe to hire that vendor from both of those perspectives.
09:18
And it's true, then, that on the accountability side of this, that, you know, there is such a thing as, uh, we talked about
09:26
attestation of regulatory compliance for certain vendors, but with NAID and
09:31
uh, certification, for example, I know that there's others out there, but with the association that you're with,
09:37
there's an independent audit that occurs; a third-party auditor comes in. So it's not a self-audit type of scenario, is that correct there? That's very true, and thanks for bringing that up because
09:48
probably the,
09:50
the, you know, one of the most critical
09:54
uh, aspects of what we do: we have a network of about 20 auditors around the world, um, and most of them are concentrated in North America, but we have auditors in Australia and Hong Kong, throughout Europe. And
10:09
not only do we do scheduled audits to completely review all of the records and everything we have to do, but we have a regime of unannounced audits as well. And those unannounced audits include just knocking on the door and showing up.
10:24
And it's interesting
10:26
often those audits don't start at the front door, they start at the back door, because on an unannounced audit you're trying to,
10:33
you know, it's kind of like, your audience is probably familiar with
10:37
electronic intrusion testing, where you're tapping the,
10:43
you know, electronically, you're trying to see if you can get into the computer as a white hat, right? Trying to figure out if there's a way in. What we're doing is that from a very physical perspective: we're actually showing up and seeing, can we get in or not? And the best result is the auditor is foiled, can't get access in there, and, you know,
11:03
the vast majority of the time, that's what happens. But we'll also do, uh, covert surveillance in the field, and we will literally follow the trucks into the field and see where they go and how they do it.
11:15
So it's kind of a combination of the scheduled audit, where, you know, it's quite a thorough examination, but we really like those unannounced audits as well. And again, they're applied on our paper destruction side as well as our electronic destruction side.
11:33
All right, well, you shared a lot of information with us today and I want to thank you for doing so and sharing your time with us. Where can someone go to learn more about your association?
11:43
Yeah.
11:43
I would send them to i-SIGMA, www.isigmaonline.org.
11:50
Excellent. Well, thank you very much. We appreciate you, uh, educating us today, and all the best to you. Look forward to chatting soon.
11:58
Thanks, Andrew.