Introduction
Merkle understands the importance of providing its clients and business partners with assurance regarding its information security profile and internal controls. To that end, Merkle offers several avenues towards obtaining this assurance.
Security Policy and Governance
Merkle’s Global Information Security Program v3.1 (GISP) was adopted in October 2009 by Merkle IT Security, a separate function within Merkle Information Technology. GISP is compliant with the concepts of ISO/IEC 27002:2005, the international standard that establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
All security policy and strategic direction is reviewed and approved by a formal Security Governance Council, an entity made up of executive stakeholders within Merkle.
Technical and Physical Security Infrastructure
Merkle has implemented defense-in-depth, which includes industry-leading stateful inspection firewalls; Tipping Point intrusion prevention systems (IPS); segregated internal networks; McAfee antivirus; and secure file transfer protocols.
Merkle’s state-of-the-art headquarters facility includes a 10,000 sq. ft. data center that meets Tier 2 standards set by the Uptime Institute. It features strong physical security, including zoned proximity card access and two-factor biometric data center access controls; comprehensive video surveillance; and a 7×24 Network Operations Center. Environmental controls include power conditioning, UPS and diesel generator backup, redundant cooling, and FM200 fire suppression.
Electronic Vulnerability Management
Merkle has a program for detecting, reporting, and remediating security vulnerabilities using Symantec’s DeepSight Early Warning Services and an industry-grade electronic vulnerability scanning utility. For client-hosted solutions, vulnerability assessment reports can be provided on request.
Cybertrust Security Certification
Merkle subscribes to the Verizon Business/Cybertrust SiteSecure security management program, a comprehensive ongoing analysis of the organization’s perimeter security, email security, essential practices, and desktop security management. Our latest certification was obtained on September 30, 2009, and is valid for one year.

Targeted Consultant Engagements
Merkle periodically engages third-party security consultants in an effort to gauge its security profile. Most recently, Merkle engaged Fortrex Technologies in December 2007 to perform a security architecture review. This included a review of Merkle’s security policy program and Security Roadmap. A summary of the results is attached. Overall, Merkle has been shown to practice a high level of due diligence with respect to protection of corporate and client assets.
Merkle’s Privacy Policy and Safe Harbor Certification
Merkle has formally self-certified with the Department of Commerce that it meets the security and privacy measures required to comply with Safe Harbor. This allows Merkle to act as a recipient and data processor for trans-border transfers of personally identifiable information from EU member nations. In addition, Merkle subscribes to the Direct Marketing Association’s Safe Harbor Program, which serves as a third-party dispute resolution mechanism.

Merkle’s privacy policy can be found on its website.
Merkle’s ISO 9001:2000 Quality System Certification
As defined by ISO, “A quality system is a group or series of processes that are used to generate and deliver products and/or services that meet specified (and documented) company policies and objectives.” Our ISO 9001:2000 quality management certification is offered as reinforcement that Merkle places an emphasis on process to ensure quality goals are met.
Client Audits
Your organization may verify in several ways (i.e., on-site inspection or surveys) that Merkle has designed and implemented effective controls. In addition, Merkle can host an on-site review with our IT and security staff if required.
Questions?
Documents are available for distribution under NDA. If you have any questions about Merkle’s security program, please contact:
Allan Sakowski, CISSP, CISM, CISA
Director, Security Assurance
Merkle, Inc.
asakowski@merkleinc.com