A Checklist for the Chief Information Officer
You know information is at the heart of your supply chain operation. It's why you invest significant time, effort and money to ensure your information stays safe.
A study by IBM and the Ponemon Institute shows the cost of a data breach averages $4 million, or $158 per stolen record. And while that's surely a direct cost you can't afford, it pales in comparison to the indirect costs of such breaches. These can include customer turnover and a tarnished reputation for your brand.
The professionals at Penske Logistics are serious about protecting customer data and avoiding the high direct and indirect costs of data breaches. It's why our ClearChain® technology meets or exceeds industry standards and best practices to keep information secure, reduce the risk of security breaches and provide data recovery.
Penske's data security solutions monitor its systems, the information moving between them, and the associates who access and view data. Here's a checklist of the security measures Penske has put in place to ensure 24/7 protection of your data:
Platform redundancy for near real-time disaster recovery – Penske operates two data centers that continuously back each other up. This guarantees that systems won't go down and prevents potential data loss. Data is replicated between both locations continuously, all day, every day. This full off-site system and platform redundancy is designed to recover data in near real-time should a weather disaster or fire ever compromise one location.
Multiple types of malware detection – Penske uses a number of proactive approaches to defend its network. It combines behavioral- and signature-based malware detection for defense in depth, and it monitors email, internet communication, end-user workstations, servers and network segments. The system reacts within milliseconds if it suspects a problem.
Filtering and protection from intrusion – Host- and network-based filtering and intrusion detection with centralized logging and alerting also help to protect data. The firewalls allow systems to communicate without unwanted intrusion. All firewall, intrusion detection, proxy server and other critical security logs are centrally located. This allows the network to identify patterns, correlate events and alert staff if a problem occurs.
Proactive vulnerability scanning and patching – Penske takes a proactive approach to patching security vulnerabilities within its North American and global networks. Its vulnerability scanning and patching program covers hosts, the network and application code. In addition to conducting weekly scans, Penske's IT staff monitors industry communication for vulnerability announcements and applies system patches for critical vulnerabilities in 10 days or less.
Automated SSO and routine auditing – An automated single-sign-on account provisioning and de-provisioning program with regular audits for privileged accounts facilitates automated onboarding and account removal. It is tied with Penske's human resources system to ensure access is given only to people who should have it. In addition, quarterly audits on privileged system accounts and annual audits of all critical system users ensure data remain safe.
Detailed data classification policy with strong encryption capabilities – Many years ago, Penske developed a detailed four-level data classification policy. Those specifications guide how the company treats each class of data. They include strong encryption capabilities for data in transit, at rest and on backups, using a number of methods including TLS/SSL, AES and PGP.
Secure remote access – To prevent unauthorized access or a data breach, Penske relies on a strongly encrypted network path for people who reach its internal network from an external network. This includes a client VPN for remote access (with two-factor authentication for end users) and two-factor authentication for access to network equipment and other sensitive environments. The system also logs any changes made to the networking equipment.
24/7 log monitoring and alerting – Penske Logistics works with a large industry-leading partner to perform 24/7 analysis on critical security logs and review intrusion detection and proxy logs. All logs generated by Penske are reviewed in real-time, which allows IT experts to analyze and identify any trends in data security risks.
Annual certified penetration testing – In addition, each year an outside firm and its PCI- and CISSP-certified security experts perform a penetration test of the systems. The test includes ethical hacking as well as physical access testing and social engineering attacks on data centers. This helps the IT staff identify and correct any concerns.
Ongoing security training for Penske associates – The people using the systems are a key link in the data-security chain. Penske Logistics has developed an IT security awareness program for associates. It starts with training that's built into the onboarding process for new hires. A monthly security newsletter and an annual week-long training event help to keep security front and center. Throughout the year, Penske performs monthly in-house phishing attacks against associates and contractors. If someone clicks a potentially dangerous link, they are sent to a coaching page that helps them understand how to recognize and react to email threats.
Keeping data safe is an ongoing process, and while we employ industry-leading security processes and procedures, no preventive measure can ever stop all breaches. Our dynamic approach is designed to ensure the network and its IT personnel continually monitor trends and update systems as threats evolve, mitigating the potential for, and the impact of, breaches, data loss and disasters.
Your data are extremely valuable. So too is your organization. When you partner with Penske, you can be assured we're working 24/7 to surpass industry standards, keep your data safe and reduce the risk of breaches.
Glossary of Terms:
AES (Advanced Encryption Standard): A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001. It is implemented in software and hardware throughout the world to encrypt sensitive data.
CISSP (Certified Information Systems Security Professional): An independent information security certification governed by the International Information System Security Certification Consortium.
PCI (Payment Card Industry): The payment card industry utilizes the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB.
PGP (Pretty Good Privacy): A data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication.
SSL (Secure Sockets Layer): The standard security technology for establishing an encrypted link between a web server and a browser. The SSL link ensures that all data passed between the web server and browsers remain private and unaltered.
TLS (Transport Layer Security): A cryptographic protocol that provides communications security over a computer network.
VPN (Virtual Private Network): A virtual point-to-point connection established through dedicated connections, virtual tunneling protocols or traffic encryption.