Nahan Printing, Inc. Announces Completed SOC 2 + HITRUST CSF Audit and Report

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – December 15, 2020 – Nahan Printing, Inc., the Minnesota-based provider of award-winning commercial print, direct mail, and digital marketing solutions, has completed their newest SOC 2 + HITRUST CSF compliance, audit, and report.

AICPA SOC 2 Logo

The accomplishment marks the seventh successful American Institute of Certified Public Accountants (AICPA) SOC 2 report for Nahan, and the first with the HITRUST CSF (Common Security Framework) mapping.

“Along with our PCI DSS certification and third-party risk assessments, our SOC 2 engagement and report is one of our most important security initiatives of the year,” said Curt Tillotson, Nahan’s Chief Operating Officer.

“And now that we’ve successfully mapped and met the rigorous HITRUST CSF requirements to our SOC 2 report, our customers and prospects can be confident in yet another way we show our dedication to information security and their data protection.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

As in earlier years, Copeland Buhl & Company PLLP of Wayzata, Minnesota, conducted Nahan’s SOC 2 engagement. The audit confirmed Nahan designed and effectively operated their policies, procedures, and controls during the audit period to meet the AICPA’s Trust Services Criteria related to security, availability, confidentiality, and others.

The HITRUST CSF aligns the requirements from other security frameworks such as HIPAA, PCI DSS, and ISO, and provides details on how to carry out the required controls.

Nahan’s combined SOC 2 + HITRUST CSF report provides a “best-of-both-worlds” approach. The report maps the Trust Services Criteria to the HITRUST CSF and allows Nahan to illustrate their compliant controls in a single report for their stakeholders, clients, and prospects.

About Nahan

Nahan Printing, Inc. is a Minnesota-based, independent, world-class printer committed to providing end-to-end solutions that add value to clients. Since its start in 1962, Nahan has specialized in catalog, direct mail, and digital print solutions for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that is the highest level of quality and innovation in the industry. For more information about Nahan, please visit nahan.com.

Image by mohamed Hassan from Pixabay

Nahan Printing, Inc. Achieves 2020 PCI DSS Compliance and Certification

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – MAY 14, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, announced its achievement of Payment Card Industry Data Security Standard (PCI DSS) Compliance and Certification for 2020.

PCI DSS is an information security framework designed by the Payment Card Industry Security Standards Council (PCI SSC). PCI Compliance is for entities that transmit, process, or store credit card data. The standard guides organizations in protecting cardholder data by preventing fraud and securing Cardholder Data Environments (CDEs).

PCI Logo

2020 marks the fifth year in a row that Nahan has earned the demanding certification. To meet compliance requirements, Nahan performed ongoing management and auditing of physical, technical, and administrative controls of their CDE throughout the year.


The successful audit resulted in Nahan’s Attestation of Compliance (AOC) for Service Providers. The AOC reviews Nahan’s compliance in detail by assessing the 12 main requirements of PCI DSS. Requirements include maintaining a vulnerability management program, implementing strong access control measures, maintaining information security policies, and more.

FRSecure LLC of Minnetonka, Minnesota, conducted Nahan’s PCI audit. As a PCI DSS Qualified Security Assessor (QSA), FRSecure provided the necessary expertise to evaluate and consult Nahan on their PCI DSS compliance.

“Achieving our PCI certification is one of the yearly milestones of Nahan’s ongoing Information Security Program,” stated Curt Tillotson, Nahan’s Chief Operating Officer.

“Our commitment to information security doesn’t stop with our PCI environment, either. It extends throughout our organization. Our customers not only appreciate this, they require it.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

About Nahan

Nahan Printing is a Minnesota-based, independent, family-owned, world class printer committed to providing end-to-end solutions that add value to clients. Since its inception in 1962, Nahan has specialized in catalog and direct mail printing for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that represents the highest level of quality and innovation in the industry. For more information about Nahan, please visit https://www.nahan.com/.

Image by Steve Buissinne from Pixabay

Nahan Printing, Inc. Successfully Achieves SOC 2 Compliance for Sixth Time

Author: Joseph Jachimiec, Security Administrator

SAINT CLOUD, MN – APRIL 21, 2020 – Nahan Printing, Inc., award-winning provider of commercial print, direct mail, and digital solutions, has again completed a System and Organization Controls (SOC 2) Type 2 examination.

The achievement marks the sixth time that Nahan has met the SOC 2 compliance requirements as specified by the American Institute of Certified Public Accountants (AICPA).

AICPA SOC 2 Logo

The successful audit resulted in a SOC 2 independent service auditor’s report describing Nahan’s commercial printing and direct mail system and the suitability of the design and operating effectiveness of Nahan’s controls.


Copeland Buhl & Company PLLP of Wayzata, Minnesota, conducted Nahan’s SOC 2 engagement. The audit included a review of Nahan’s policies, procedures, and controls to ensure the protection and security of customer data while in Nahan’s care.

“The SOC 2 audit process is an important engagement for us,” said Curt Tillotson, Chief Operating Officer. He continues:

“One of our core values is to amaze our customers. We do that not only through product quality and superior customer service but also by demonstrating our commitment to data protection and security. Our consistent SOC 2 compliance is a big part of that commitment.”

– Curt Tillotson, Chief Operating Officer, Nahan Printing

About Nahan

Nahan Printing is a Minnesota-based, independent, family-owned, world class printer committed to providing end-to-end solutions that add value to clients. Since its inception in 1962, Nahan has specialized in catalog and direct mail printing for industries such as retail, financial services, non-profit, and hospitality. With a client roster of legendary brands, Nahan prints iconic work that represents the highest level of quality and innovation in the industry. For more information about Nahan, please visit nahan.com.

Image by mohamed Hassan from Pixabay

Three Things to Look for in a Secure Print Partner

Author: Joseph Jachimiec, Security Administrator

Yogi Berra once said, “Okay you guys, pair up in threes… and talk about information security!”

Okay, I added the part about information security. But he still said “pair up in threes,” which is a brilliant Yogi-ism…

Taking his advice to heart, I paired up my knowledge about InfoSec and came up with three things to look for in a secure print partner. Play ball!

1. A Maturing Information Security Program

Your print partner must have an information security program, period.

Bonus points if they have a “maturing” InfoSec program. This means the program (by design) develops and improves over time, guided by business and customer needs. Sprinkle in leadership commitment, reliable frameworks, and awareness training, and you’re off to a good start.

Sounds simple, but it’s not. Consider the following…

Leadership Commitment

A robust information security program starts from the top down. It must have the full support of the CEO and company leadership with a clear security commitment shown to employees, stakeholders, vendors, and customers.

Controls

As discussed in my previous article, a well-designed InfoSec program encompasses administrative, physical, and technical controls.

For administrative controls, think policies and documentation. For physical controls, think door locks, cameras, and key cards. And for technical controls, think firewalls and encryption. Make sure there are policies, standards, procedures, and guidelines in each of these areas. 

Frameworks & Training

Ask if they built the program on a well-known cybersecurity framework like the NIST Cybersecurity Framework, CIS Controls, or ISO/IEC 27001:2013.

Also, make sure the print vendor has a diverse security awareness training program for its employees. More about this later.

2. Independent Third-Party Security Audits

Okay, your potential print partner has an information security program. They’ve told you they segment their networks, scan for vulnerabilities (and patch them), and have full documentation and policies.

Do you take their word for it? Or do you, as the Russian proverb goes, trust but verify?

I think you know the answer. But how do you verify? It’s time-consuming and expensive to fly your security auditors out. However, due diligence is a must.

That’s where independent third-party security audits come in. Trained, unbiased auditors perform these evaluations. And in most cases, compliance obligations require third-party validation.

So ask about the third party reports and certifications that confirm your potential print partner is meeting their InfoSec duties. Make sure they’re following industry standards, using best practices, and protecting your data with proven methods.

For instance, what’s their S2SCORE? Do they have an AICPA SSAE 18 SOC 2 report? If they process credit cardholder data, are they PCI DSS compliant? If you’re in the healthcare field, is the print vendor HIPAA compliant

Besides independent audits, does your potential partner have a track record of fixing security gaps? Do they have a history of remediating and improving any security findings the inspections uncover? Or do they strike out?

3. Security Awareness Training Program

I mentioned awareness training above, but it’s so important that I’m calling it out in this separate section.

Someone once said that humans are the weakest link in the security chain (no offense if you’re human). All this means is we’re emotional, and thus easy prey for social engineering trickery. 

A robust training program covers a few different bases here. First, it shines a spotlight on the threat of social engineering and teaches ways to identify it when something doesn’t seem right.

It’s not about paranoia; it’s about awareness. It’s about thinking before divulging information, clicking on a strange email link, or plugging in that USB thumb drive.

The security awareness program should use different media like email training, newsletters, video, and even live training. Is the training spread out over different time frames like weekly, monthly, and yearly?

Phishing Tests

To further combat social engineering and ransomware, make sure the vendor’s awareness training program includes email phishing tests and remediation training for anyone who takes the bait.

Policy Acknowledgments

And don’t forget about the print vendor’s security policies. All employees must be aware the information security policies exist, what those policies cover, and where to access those policies for further reference. Annual acknowledgment of security policy training is ideal.

Bonus: look to see if the print vendor cares about its employee’s digital safety outside of work. Security training for their family and home life is a welcome addition.

Conclusion

When evaluating a potential secure print partner, look for telltale signs the print provider cares about your data security. Ask them to prove it.

At the very least, look for:

  • A reliable information security program
  • Third-party assessments
  • A security training program that’s proactive about educating its employees.

Is there more to consider? Sure, but don’t get overwhelmed. Start with these basics, and you’ll go a long way toward protecting your data with your trusted print vendor.

If you’re looking for a secure print partner, contact us today. We’ll show you how Nahan meets all these criteria and more.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by Paul Brennan from Pixabay

A Quick Intro to PCI DSS (Payment Card Industry Data Security Standard)

Author: Joseph Jachimiec, Security Administrator

With over 9,300 security breaches recorded since 2005, and a whopping 10.4 billion records estimated stolen (source: privacyrights.org), it’s essential for businesses to follow a reliable security framework to guide their information security programs.

One such framework is the Payment Card Industry Data Security Standard (PCI DSS).

In this post, we’ll take a quick look at how PCI DSS started. We’ll also define “cardholder data” and touch on the 12 requirements of the standard.

PCI DSS Overview and History

PCI DSS was introduced in 2004 by the five major credit card companies: American Express, Discover Financial Services, JCB, MasterCard, and Visa.

Before joining forces, each company had internal security programs to combat rampant credit card fraud and breaches. They formed the Payment Card Industry Security Standards Council (PCI SSC) to establish a common standard. Additionally, they needed to solve the interoperability problems of individual programs.

From this group, the PCI Data Security Standard was born. It’s aim? To reduce credit card fraud and to give guidance for controls around cardholder data. To this day, the PCI Council acts as the governing body for the PCI Standard.

PCI DSS has been through many iterations since version 1.0 in 2004. Major updates to the standard were released in October 2010 (version 2.0) and November 2013 (version 3.0). At the time of this writing, version 3.2.1 is the most current, released in May 2018.

The PCI DSS applies to any entity that accepts, processes, stores, or transmits cardholder data, including merchants and service providers.

What is Cardholder Data?

In short, cardholder data (and sensitive authentication data) is the good stuff that thieves are after. Here’s a breakdown from the version 3.2.1 documentation:

Table image of PCI DSS cardholder data and sensitive authentication data
Source: Payment Card Industry (PCI) Data Security Standard – Requirements and Security Assessment Procedures, Version 3.2.1, May 2018, page 7

Interesting fact: although PCI DSS permits cardholder data storage, sensitive authentication data storage is not allowed, even if encrypted.

To show where this data lives on a typical credit card, take a look at this image from the PCI DSS Quick Reference Guide:

Image of credit card front and back showing types of data for PCI DSS
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 11

The PCI DSS Requirements

The PCI Data Security Standard breaks down into 12 compliance requirements within six goals:

Table image of PCI DSS goals and requirements
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 9

As you can see, each requirement is a significant security undertaking for any company. When met though, these requirements mirror security best practices, protect cardholder/sensitive authentication data, and lead toward PCI DSS compliance and certification.

The PCI DSS documentation lays out guidance steps for each requirement. It also unveils the testing procedures that the PCI Qualified Security Assessor (PCI QSA) performs to confirm the requirements are in place. Consider it your PCI cheat sheet!

Conclusion

At Nahan, PCI DSS is just one of the security frameworks that guide our information security program. We’re proud to be PCI Compliant and Certified since 2016. Our annual PCI QSA audit verifies that we’re meeting all PCI DSS requirements to protect cardholder data.

To learn more about our PCI DSS compliance and to see our Attestation of Compliance, contact us today.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by TheDigitalWay from Pixabay