Online Trust Alliance Forms Data Security Framework

The Online Trust Alliance (OTA) has released a framework of security guidelines designed to help email and online marketers protect their valuable data assets.

When the recent Epsilon security breach happened, the OTA formed a coalition between the marketing and security communities to identify the major issues and the “low hanging fruit” that needed to be addressed when it came to security.

“No one is immune to the threats posed by cyber criminals,” says Craig Spiezle, executive director and president of the Online Trust Alliance, which is comprised of 90 member organizations, including marketers, vendors and government organizations.

The guidelines are posted at https://otalliance.org/securitybydesign.html.

The framework was designed with input from a dozen email service providers and marketers, with an eye towards providing guidance, says Spiezle.

“As an online marketer, threats to trust are of great concern. It is incumbent on all involved in the online ecosystem, marketers and service providers alike, to take responsibility for the data that is collected and treat it like the precious commodity that it is,” said Sal Tripi, senior director of operations, privacy and compliance for Publishers Clearing House, in a statement. “The recent data breaches underscore the need to make this an important initiative for 2011 and beyond not only for technology teams, but business leaders as well.”

Part of the problem, notes Spiezle, is that unfortunately there are a lot of companies, including some ad networks, where security wasn’t a part of the initial design.

“Some of this may appear to be security 101, but the overwhelming majority of breaches are because people aren’t doing the basics,” he says. “But in defense of the industry, 10 years ago we didn’t have these problems.”

The framework documents include 20 questions to help companies conduct a self-audit and examine what they are currently doing.

“There’s no excuse for not making the investment in security today,” Spiezle says. “It’s imperative for consumer trust. Brands have to ask the hard questions of their vendors.”

The focus of cybercriminals continues to move upstream, he notes, from operating systems to browsers to plug-ins to websites and then servers.

“Before you design any new feature, take a look at how it could be compromised,” he advises.

Steps in the framework include:
• Creating a cross-functional security team headed by a chief security officer (or equivalent) as a single point of authority with security accountability.
• Mapping the data workflows within your organization and vendors to identify points of vulnerability, and examining how you handle data, and who should have access to it.
• Including security review milestones throughout the product development process, from concept development and functional specification through design, testing and launch.
• Auditing your network infrastructure, mapping both internal and external facing sites and all points of connection, and implementing processes to monitor and detect unauthorized access or unusual patterns of activity regarding data.
• Developing an incident response plan and team.