Alright, everyone, welcome back to this module. Today I've got a guest presenter, Mr. Bob Johnson, who is the CEO and executive director for i-SIGMA. Bob, if you could tell us a little bit about you and i-SIGMA, that would be awesome.
Well, sure. Andrew, I know you know a lot about this, but for your audience's benefit, and you've been very much involved in i-SIGMA over the years. So i-SIGMA actually stands for, first of all, the International Secure Information Governance and Management Association. So that is a mouthful, but it does describe what we are and what we do.

What your viewers should know, though, too, is that i-SIGMA is about 2.5 years old and was formed by the merger of two associations. The first one, which I was involved in for the last 30 years, was the National Association for Information Destruction, or NAID as it's commonly known in the marketplace. And NAID's mission was, or is, has been to help consumers learn what they need to know about, to educate consumers if you will on, the need for the proper disposition of information.

Over our 30 years, obviously, data protection has grown as a concern. But if you go back those 30 years to when we were founded, there was a real need to educate customers that when they discarded their records and their confidential materials, and even back then electronic media, less so of course, that they had to be careful, because there were a lot of bad things that could happen, not the least of which was bad guys or bad actors could get their hands on it. But there are other ramifications as well now.

So NAID was one, then we had PRISM International. PRISM International had been around even longer, I think 40 years. And PRISM International, as you know, Andrew, stood for Professional Records and Information Services Management. And so these were the companies, it was a trade association of companies that provided records storage services and other records and information management services such as scanning, text on demand, tape rotation and other things.

Of course, there's a lot of overlap between information disposition, which is what NAID did, and what most of the members of PRISM International already did as well. And we found so much overlap, it just made sense after those 30-some-odd years to merge the organizations into one. And so we've got the pooled resources, the pooled acumen; all of those things allow us to reach out better.

And currently i-SIGMA, being the combination of NAID and PRISM International, has about 1,400 members. These are service providers in the destruction or records and information management space around the world. I think we're on five of the seven continents at this point and certainly represent the bulk of the industry.
Well, that's great, thanks for the history on that. And you were from the NAID side, which really started with the destruction of paper information and has evolved into other types of destruction or disposition. Tell us a little bit about some of the other items that NAID and the service providers who are part of NAID cover, but also how do you keep them accountable?
Well, good question. And as you point out, it did start with paper records, of course, when the organization was founded in the early nineties. You know, that's what the confidential media being disposed of was; I mean, that's where it was. My particular pedigree, if you will, or history, was as a service provider in the paper shredding world. So I owned a paper shredding company through the 80s, and among the challenges we had at the time, well, I guess if you had to boil it down to two, the challenges we had in the 80s were that, one, the customers needed more education on why they should be properly destroying their discarded paper records, and on the other hand, we unfortunately had a lot of disreputable or marginal service providers out there that told the customer what they wanted to hear but weren't walking the walk, didn't have the proper security.

So after I sold that business in the early nineties, we founded NAID, and the mission of NAID was to, one, educate customers on why they needed to destroy discarded media properly, and two, to give those customers tools by which they could better select the vendor, so that they could separate the quality vendor from the riff-raff.

So, to your question on accountability, we developed a certification program. We're 25 years on now, and NAID AAA Certification, as it's known, has been from the beginning, and is kind of now, the entry point for secure destruction services. I'm going to say in North America, well, I should say in the United States and Canada, probably 80 to 85, even 90, percent of the capacity to provide paper destruction services is from NAID certified members, if you look across the gamut, all the large companies and whatever.

Well, of course, I'd like to take credit for it, but probably 15, 16 years ago, seeing what we were doing on the paper destruction side, we had vendors that were recycling computers, recycling electronics, who were talking to their customers about data protection and the importance of controlling that information when it was destroyed, and destroying the information. They had the same challenges. They needed to educate the customer on why they needed to do it. They also had marginally reputable service providers out there that were telling the customer one thing and doing another. So we were able to integrate the electronic media folks into the NAID camp, if you will, and develop certification standards and do all of those same things.

Now, with our certification standards in general, we have kind of two ways we approach that. One is the adequate security part of it. So when it comes to access control, employee training, all of those things, that's kind of the security around that issue. The other side of it is the regulatory compliance, because it's kind of a unique thing: customers are required under the regulations to properly vet the security and regulatory compliance of vendors that they hire with whom they're going to share confidential information. You know this, Andrew, so maybe your audience may not, or some of them may not, but in the regulatory world you have the data controller, which is the bank or the hospital or the entity with whom the individual is sharing their personal information. The individual is not selecting the downstream vendors. Those are considered the data processors: the shredding company, the records storage company, the billing company, all of the services that the hospital or bank might hire. So those banks and insurance companies or whatever, according to the regulations, are supposed to be properly vetting, putting those vendors they hire through their paces. In fact, really any company is required to do that.

The problem with the regulations is, and this isn't a slam on the regulations, it's just reality, most consumers, that is, most companies that would hire a destruction service or a storage service or any other vendor with whom they're going to share personal information, don't know exactly how to do it. How can they be expected to know all the subtleties of providing information destruction services or all the subtleties of records storage? So when I say we integrate the data security and the compliance, the regulatory compliance aspect of it, the customer knows, when they're picking that vendor who is NAID certified, and just to be clear, it's called NAID AAA Certification, if you want to delve into the AAA we can, but for right now that's the only thing that NAID has, what it does for the customer is they know that that service provider has the requisite physical security to provide the services as well as meeting the regulatory compliance that goes along with it. And therefore they know they're safe to hire that vendor from both of those perspectives.
And it's true then that on the accountability side of this, you know, there is such a thing as, we talked about attestation of regulatory compliance for certain vendors, but with NAID certification, for example, I know that there are others out there, but with the association that you're with, there's an independent audit that occurs: a third-party auditor comes in. So it's not a self-audit type of scenario. Is that correct?

That's very true, and thanks for bringing that up, because one of the most critical aspects of what we do, we have a network of about 20 auditors around the world, and most of them are concentrated in North America, but we have auditors in Australia and Hong Kong and throughout Europe. And not only do we do scheduled audits to completely review all of the records and everything we have to do, but we have a regime of unannounced audits as well. And those unannounced audits include just knocking on the door and showing up.

And it's interesting: often those audits don't start at the front door, they start at the back door, because on an unannounced audit you're trying to, you know, it's kind of like, your audience is probably familiar with electronic intrusion testing, where you're tapping electronically, you're trying to see if you can get into the computer as a white hat, right? Trying to figure out if there's a way in. We're doing that from a very physical perspective; we're actually showing up and seeing, can we get in or not? And the best result is the auditor is foiled, can't get access in there, and, you know, the vast majority of the time that's what happens. But we'll also do covert surveillance in the field, and we'll literally follow the trucks into the field and see where they go and how they do it.

So it's kind of a combination of the scheduled audit, where it's quite a thorough examination, but we really like those unannounced audits as well. And again, they're applied on our paper destruction side as well as our electronic destruction side.
All right, well, you've shared a lot of information with us today, and I appreciate you for doing so and for sharing your time with us. Where can someone go to learn more about your association?

I would send them to i-SIGMA, www.isigmaonline.org.

Excellent. Well, thank you very much. We appreciate you educating us today, and all the best to you; we look forward to chatting soon.