Media campanies, agencies and platform providers need to know whether their ad operations providers have the systems, processes and controls in place to protect their first-party data, campaign results, conversions, strategy, and so much more. This data is strategically vital and can also be a huge liability if handled in a way that violates data protections laid out in GDPR, CCPA.

Outsourced ad operations firms have the ability to help clients avoid risk by hiring trusted third-parties to audit their own work specific to: quality, process and technical infrastructure security. Several years ago, Paragon Digital Services chose the International Organization of Standards (ISO) as its third-party agency to help achieve Quality and Security standards that exceeded all other providers.

Core features of the ISO 27001 Certification include:

• Risk Assessment Framework
• Physical & Network Security
• Data Security & Data Privacy
• Information Security Awareness
• Information Security Audits
• Incident Management & Breach Notification
• Business Continuity Management
• Statutory & Legal Requirements.

Minimum Controls

Below is a list of the “minimum security controls” your outsourced ad operations provider must have instituted to ensure your data and your clients data are fully protected. Companies that outsource and companies considering outsourcing should compare the list below with the controls their provider has in place to access internal risk.

• Information Security Policies
• Information Security Roles & Responsibilities
• Mobile Computing Policy
• Business Information System Policy
• Human Resources Security Policy
• Acceptable Use Policy
• Data Classification and Protection Policy
• Information Security Awareness
• Incident Management & Breach Notification
• Business Continuity Management
• Risk Assessment Framework
• IPR Compliance Policy

Data Protection Policy

Below is a snapshot of some of the security practices, measures and controls we follow to guarantee the collective security of our environments and systems.

• Non-Disclosure Agreements. All services are fully protected by confidentiality agreements, which we take very seriously. NDA’s oblige us to safeguard sensitive information, so you can rest assured we will never use your data other than for intended purposes.
• Personal Data Protection. Comprehensive data protection protocol ensures your client data are used in strict accordance with your specified instructions. You decide which services Paragon will provide, and which client data we will process on your behalf. Your data will never ever be shared with another Paragon client. In the event of a security incident, structured processes will be invoked to isolate, contain, and manage incidents to conclusion.
• Human Resources Security. Maintaining adequate security is the responsibility of all Paragon staff. Employees are hired, trained, and disciplined per Paragon corporate policies, which include careful personnel screening, confidentiality agreements, security training, among other measures.
• Assets. Assets used by our staff, when we work on your behalf are governed, by acceptable use policies and authorized and tracked by Paragon (for instance, employees are not able to access client data via their personal computer).

Information Management

Paragon’s Information Security Policy focuses on protecting the confidentiality, integrity and availability of information, while ensuring data privacy. Components of this policy include:

• Information Handling. All information, whether in electronic or physical format, is handled according to designated sensitivity and risk classification.
• Access Control Policy. Several rules, procedures and safeguards are implemented to ensure the complete protection, security, and proper handling of information assets. These rules cover rigorous identification, authorization, authentication, and password policies.
• Acceptable Use Policy. All employees are required to further protect assets and the information stored on, and accessible from, all devices and communications services under Paragon’s Acceptable Use Policy (AUP).
• Remote Access Policy. Remote access to internal Paragon systems and information is protected by a layered security model, including the use of firewalls, VPN clients, Paragon managed certificates, and two factor authentication (2FA).
• Communications Security. Established procedures that cover the operation and management of all IT assets and networks to ensure the correct and secure operation of data processing facilities. These policies cover network security, network design, wireless access, and secure communications channels.

Operations Security

Your ad operations provider must monitor all aspects of operations on a 24/7 basis. Measures include appropriate levels of audit logging and event monitoring to mitigate any security related events.  For instance, our Security Information and Event Management (SIEM) solution to assess significant system events is tuned to provide event correlation across multiple system layers and to proactively alert Paragon IT staff in the event that an unexpected activity is detected.

Additionally, your ad operations provider needs to engage a Managed Security Service Provider (MSSP) to monitor events and correlate them with industry intelligence. At Paragon this capability works in conjunction with our internal Cyber Security services to enable 24/7 coverage.  Our Cyber Security Team reviews the threat landscape and manages security tools that protect our infrastructure. Patching procedures are in place to identify, assess, and deploy vendor supported software fixes and across all applicable Paragon technology and platforms.

Finally, your ad operations provider must employs a standard backup policy for all company systems and data, and includes procedures for regularly testing backups for data availability and integrity.

These are just a few of the topics under an Operations Security umbrella. Others include physical security, compliance, business continuity, data encryption, incident reporting and response.

Risk Assessment

Paragon Digital built an inhouse “Risk Assessment Framework” that is in line with ISO 31000 Standards, for each of our clients, based on the following parameters: Network Security, Virtual Private Networks, User Access Restrictions, Multifactor Authentication, Data Classification & Handling of PII Data, Third party Application and Mobile Computing Policy.

If your firm’s decision process would be enhanced with a data driven measurement of risks associated with the change to outsourcing, Paragon Digital would be happy to provide access to our internal Assessment Framework (at no costs) that you can use to forecast and mitigate Risk.

Need more information?

This post touches on some aspects of Paragon’s robust information security framework, policies and procedures. We are happy to provide you with detailed information upon request.

Contact us here if you would like information on how best to forecast and mitigate risk using Paragon’s internal Risk Assessment Framework.