ISO is an independent, non-governmental international organization with a membership of 165 national standards bodies. ISO/IEC 27001 provides requirements for an information security management system. Standards are set out for establishing, implementing, maintaining, and continually improving an information security management system, as well as how to assess and treat information security risks.
To certify Snaile's information security management system to ISO 27001, Snaile engaged ControlCase, a global leader in helping companies achieve compliance with international security standards and regulations. ControlCase has years of audit, compliance, and risk management experience and has worked with large national and international organizations.
Snaile is the first Canadian smart parcel locker company to receive this accreditation. In doing so, we are demonstrating our commitment to two areas that are largely overlooked despite being major aspects of any parcel locker network: user data privacy and software security, and the physical security of deliveries and customer orders.
In real terms, a smart locker is only a receptacle, no matter how robustly it is made. This receptacle is entirely controlled by software, both within the locker and in the Cloud (in Canada, data must also be hosted in the Cloud in-country to comply with Canadian data privacy law, PIPEDA, which US and other foreign parcel locker companies do not do), which means there is always a risk of hackers gaining access to Personally Identifiable Information (PII). If the software is breached, hackers can dump PII on the internet, hold it for ransom, or use it for other nefarious activities. With smart lockers, PII typically includes names, addresses, emails, and, in some instances, payment methods.
It’s crucial that parcels or orders left in lockers are kept secure until the intended recipient collects them. When a parcel is taken by a thief who has breached the system and accessed PII, it’s not only bad news for the intended recipient. It also reflects poorly on the company that chose the smart locker provider. Questions are raised over liability, and reputations suffer.
With this in mind, Snaile has a four-pronged approach to data security and privacy:
Organizations installing smart lockers for parcel collection should choose an ISO 27001 audited and certified company like Snaile, Canada’s Parcel Locker Company. In doing so, end users, such as building residents, students, or retail customers, are protected by industry-leading and commercially sound information technology and security practices. You, in turn, receive internationally recognized assurance that you are partnering with a company that does information technology right.
In the interest of real-world testing, Snaile contracts Canadian-based PacketLabs to conduct ongoing penetration testing using the latest tools and technologies.
Penetration testing, also known as ethical hacking, follows a methodology aligned with industry standards and compliant with various regulatory requirements, including PCI DSS 11.3. The primary objective is to uncover hard-to-find vulnerabilities and weaknesses in IT systems, applications, or network components and attempt to exploit them to gain access to sensitive information. The consultants at PacketLabs think outside the box, attempting to bypass the security of our corporate networks.
As a final measure, and for incident mitigation, our Cyber Insurance policy provides Snaile customers with further protection. Insurance companies will only pay out coverage if the data was compliant in the first place: in our case, data must be hosted in the Cloud in Canada on a commercially acceptable data infrastructure (ISO 27001). This Cyber Insurance covers network security, privacy liability, regulatory actions, cyber extortion threats, incident management, and data restoration costs.
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 certification is issued by outside auditors, who assess the extent to which Snaile complies with one or more of the five trust principles based on the systems and processes in place.
Want to know more? Get in touch and we’ll arrange for you to speak to our Chief Information Security Officer (CISO). We’d be happy to provide you with a security whitepaper and answer any specific questions you may have.