Why Information Security is a critical consideration when selecting your offshore ad operations provider

Media companies, agencies and platform providers need to know whether their ad operations providers have the systems, processes and controls in place to protect their first-party data, campaign results, conversions, strategy, and so much more. This data is strategically vital and can also be a huge liability if handled in a way that violates the data protections laid out in GDPR and CCPA.

Top-quality offshore ad operations firms help clients avoid risk by hiring trusted third parties to audit their own work, specifically its quality, process and technical infrastructure security. Several years ago, Paragon Digital Services chose the International Organization of Standards (ISO) as its third-party agency to help achieve Quality and Security standards that exceeded all other providers.

Today, Paragon is both ISO 9001:2015 Certified for Quality and ISO 27001 Certified for its Technical Security. Core features of the ISO 27001 Certification include:

  • Risk Assessment Framework
  • Physical & Network Security
  • Data Security & Data Privacy
  • Information Security Awareness
  • Information Security Audits
  • Incident Management & Breach Notification
  • Business Continuity Management
  • Statutory & Legal Requirements

The work required to maintain both Certifications assures Paragon clients that data protection processes are (1) in place, (2) strictly adhered to, and (3) fully compliant with current regulations.

Below is a list of the “minimum controls” your offshore ad operations provider must have instituted to ensure your data and your clients' data are fully protected. Companies that outsource and companies considering outsourcing should compare the list below with the controls their provider has in place to assess risk.

To assist, Paragon Digital built an in-house “Risk Assessment Framework” that is in line with ISO 31000 Standards, for each of our clients, based on the following parameters: Network Security, Virtual Private Networks, User Access Restrictions, Multifactor Authentication, Data Classification & Handling of PII Data, Third-Party Application and Mobile Computing Policy.

Minimum Controls

  • Information Security Policies
  • Information Security Roles & Responsibilities
  • Mobile Computing Policy
  • Business Information System Policy
  • Human Resources Security Policy
  • Acceptable Use Policy
  • Data Classification and Protection Policy
  • Information Security Awareness
  • Incident Management & Breach Notification
  • Business Continuity Management
  • Risk Assessment Framework
  • IPR Compliance Policy

Below is a snapshot of some security practices, measures and controls we follow to guarantee the collective security of our environments and systems.

Data Protection Policy

  • Non-Disclosure Agreements. All services are fully protected by confidentiality agreements, which we take very seriously. NDAs oblige us to safeguard sensitive information, so you can rest assured we will never use your data other than for intended purposes.
  • Personal Data Protection. Our comprehensive data protection protocol ensures your client data are used in strict accordance with your specified instructions. You decide which services Paragon will provide, and which client data we will process on your behalf. Your data will never ever be shared with another Paragon client. In the event of a security incident, structured processes will be invoked to isolate, contain, and manage incidents to conclusion.
  • Human Resources Security. Maintaining adequate security is the responsibility of all Paragon staff. Employees are hired, trained, and disciplined per Paragon corporate policies, which include careful personnel screening, confidentiality agreements, and security training, among other measures.
  • Assets. Assets used by our staff when we work on your behalf are governed by acceptable use policies, and are authorized and tracked by Paragon (for instance, employees are not able to access client data via their personal computer).

Information Management

Paragon’s Information Security Policy focuses on protecting the confidentiality, integrity and availability of information, while ensuring data privacy. Components of our policy include:

  • Information Handling. All information, whether in electronic or physical format, is handled according to designated sensitivity and risk classification.
  • Access Control Policy. Several rules, procedures and safeguards are implemented to ensure the complete protection, security, and proper handling of information assets. These rules cover rigorous identification, authorization, authentication, and password policies.
  • Acceptable Use Policy. All employees are required to further protect assets and the information stored on, and accessible from, all devices and communications services under Paragon’s Acceptable Use Policy (AUP).
  • Remote Access Policy. Remote access to internal Paragon systems and information is protected by a layered security model, including the use of firewalls, VPN clients, Paragon-managed certificates, and two-factor authentication (2FA).
  • Communications Security. Established procedures cover the operation and management of all IT assets and networks to ensure the correct and secure operation of data processing facilities. These policies cover network security, network design, wireless access, and secure communications channels.

Operations Security

Paragon monitors all aspects of operations on a 24/7 basis. Measures include appropriate levels of audit logging and event monitoring to mitigate any security-related events. For instance, our Security Information and Event Management (SIEM) solution, which assesses significant system events, is tuned to provide event correlation across multiple system layers and to proactively alert Paragon IT staff when unexpected activity is detected.

Additionally, Paragon engages a Managed Security Service Provider (MSSP) to monitor events and correlate them with industry intelligence. This capability works in conjunction with Paragon’s internal Cyber Security services to enable 24/7 coverage. Our Cyber Security Team reviews the threat landscape and manages security tools that protect our infrastructure. Patching procedures are in place to identify, assess, and deploy vendor-supported software fixes across all applicable Paragon technology and platforms.

Finally, Paragon employs a standard backup policy for all company systems and data, which includes procedures for regularly testing backups for data availability and integrity.

These are just a few of the topics under our Operations Security umbrella. Others include physical security, compliance, business continuity, data encryption, and incident reporting and response.

Need more information?

This post touches on some aspects of Paragon’s robust information security framework, policies and procedures. We are happy to provide you with detailed information upon request.

Contact us here if you would like information on how best to forecast and mitigate risk using Paragon’s internal Risk Assessment Framework.

Author: David Tyler

Date: 25th May 2021