I EV SSL Certs l
Messaging Ecosystem Security
SECURITY BY DESIGN
Security by Design
Top 20 Questions
Few events can damage a company's brand and the trust of
its customers more than a data incident, such as an external breach or the
accidental loss and misuse of customer data. As witnessed in recent months,
cybercriminals have expanded their efforts, targeting the email and
interactive messaging ecosystem with increased malice and precision. Every
brand and service provider, as well as others, in this ecosystem needs to
understand the nature of these attacks, recognize their data assets are at
risk and plan accordingly. Left unchecked, data incidents can trigger a
meltdown in consumer trust, jeopardizing their privacy and personal data
along with the viability of online communication and commerce.
As proposed by OTA, 'security by design' is a holistic
framework predicated on the belief that all members of the messaging
community have a stake in the preservation of consumer trust and that data
stewardship is everyone's responsibility. Further we believe that creating
a culture of security is a critical industry priority as we move into an era
of data-driven cross-channel communications and platforms.
OTA believes all businesses must take security and
privacy seriously now, and not wait for government regulation to force our
hand. Effective self-regulation and transparency will enhance the vitality
of our industry and advance the interests of all legitimate stakeholders,
but its absence will have the opposite and significantly detrimental effect.
This document provides a security framework that every
business and technical leader should carefully consider. To aid in the
development of a plan, a series of twenty questions are included to
stimulate an internal review. The data security best practices are
presented as a starting point for security professionals and operations
managers as they seek to assess their data and operational security
To be successful, 'security by design' needs to be part
of the culture of every organization and functional group. Security is no
longer an option and businesses need to accept three fundamental truths:
The data you collect includes some form of
personally identifiable information (PII) or "covered information"
If you collect data you will experience a data loss
incident at some point;
Data stewardship is everyone's responsibility.
Businesses that accept these "laws of data collection"
and structure themselves accordingly will be better positioned to protect
their customers and brands from harm.
OTA has identified best practices to help businesses
address the most common causes of loss. Many of the guidelines may be
regarded as "security 101", but they are often the very ones most often
overlooked or not maintained. While there is no silver bullet, the attached
list provides recommendations that serve as a basis to develop an
appropriate security program for those businesses that maintain consumer'
data or messaging infrastructure. When implemented they help to harden
security defenses, help detect exploits, and develop effective plans to
remediate data loss. The majority can quickly be implemented to help
protect the personal, business and financial data of all affected
The definition of private and personal data is rapidly
evolving as the regulatory landscape has become increasingly complex. Today
we no longer compile files consisting solely of email addresses. Through
appends, data mining and other tools we now have comprehensive data files
that include email addresses, which sometimes also serve as the match key.
Since service providers have little or no visibility in what data elements
are being used or created, OTA recommends that both in-house marketers and
service providers assume their lists include some PII or related covered
Download the report
Security by Design
Revised October 1, 2013