
Page 1: IMPACT 2015 Quarter 2 - DQS Inc. | We cover a world of ...dqsus.com/wp-content/uploads/2013/01/DQS-Q2-2015-Impact...IMPACT 2015 Quarter 2 A World of Certification, Assessments and

IMPACT 2015 Quarter 2

A World of Certification, Assessments and Training

Presented by UL DQS Inc.

In the last few years, it seems like each time we turn on the news, we hear about another security breach that is affecting consumers’ personal information. From the Target data breach to the hacking of Sony Pictures, many Americans are wondering if their data is safe. In this 2015 Quarter 2 edition of IMPACT, you can read about how the ISO 27001 standard can help to minimize the risk of a security breach for not only your company, but your partners as well.

Also in this edition of the newsletter we feature two companies that have benefited from 20 years of ISO 9001 certification. PLITEK, a leading provider of precision die cut components, and Marvel Group, Inc., a fully-integrated metal fabricator, both celebrated 20 years of partnership with UL DQS for their ISO 9001 certification recently. We would like to congratulate both of these companies on this achievement and look forward to their future growth and success.

Ganesh Rao, President & CEO

PLITEK, page 2

Marvel Group, page 3

ISO 27001, page 5

Page 2

PLITEK

Keith Hoffman, PLITEK Operations Manager, shows Ganesh Rao, UL DQS President and CEO, and Hoss Parandeh, UL DQS Vice President of Sales and Marketing, around the location in Des Plaines, IL. PLITEK was founded in 1968 and partnered with UL DQS for ISO certification in 1994.

PLITEK is a leading provider of precision die cut components offering extensive, vertically integrated converting capabilities including precision die cutting, multi-layer laminating, custom film extrusion, specialty adhesive coating, slitting & rewinding, printing, RFID, and surface treatment. While its narrow web converting capabilities are impressive, it is their combination with the company’s value-added customer services, material selection assistance, design support, rapid prototyping, clean room manufacturing, and contract assembly & packaging that differentiates PLITEK in the industry. The company focuses on providing solutions to its customers and strongly values quality, innovation, hard work, and good business ethics. The key to the company’s success has been providing engineering solutions to customers from concept to the end product.

Recently, PLITEK celebrated 20 years of continuous ISO 9001 certification. UL DQS presented the company with a plaque of appreciation for 20 years of partnership. Since 1994, PLITEK has been striving to enhance customer satisfaction by meeting and exceeding customers’ and regulatory requirements as well as continually improving its processes and performance.

ISO standard certification sets the framework for a well-managed, customer-focused quality management system. When products and services conform to ISO standards, consumers can be confident that they are safe, reliable and of good quality. ISO certification has contributed to PLITEK’s success and growth over the years and helped grow their large customer base worldwide. PLITEK is a company that can serve as a great example of how ISO standard certification can help guide a company into continuous improvement and lead to overall sales growth.

“The partnership between PLITEK and UL DQS has been a great example of how commitment to quality and management processes positively impacts success and growth of the business,” said CEO Karl Hoffman.

Mary Rose Hennessy, Executive Director at University of Illinois BIS, Hoss Parandeh, Karl Hoffman, PLITEK CEO, Ganesh Rao, and Keith Hoffman show off the plaque commemorating 20 years of continuous certification.

QUICK 3

• PLITEK was founded in 1968.

• The headquarters are located in Des Plaines, IL.

• They have partnered with UL DQS Inc. for 20 years for ISO 9001 certification.

Page 3

Marvel Group

UL DQS President & CEO Ganesh Rao presents John J. Dellamore and the management team at Marvel Group, Inc. with a plaque representing 20 years of ISO 9001 certification. Pictured from left to right: UL DQS President & CEO Ganesh Rao; VP of Finance & CFO Pamela Wright; VP of Operations Edward Lencioni; President & CEO John J. Dellamore; Director of Quality Eric delaPena; UL DQS Lead Auditor Blake Sommer; and UL DQS Customer Service Manager Alexander Madison, joining in celebrating Marvel Group’s milestone.

QUICK 3

• Founded in 1946

• Located in Chicago, IL

• Founded by a WWII fighter pilot and his high school buddy in a corner garage

“Our collaboration with UL DQS has been a great success story. We have worked together for the last 20 years to advance our processes and quality objectives and look forward to continuing this partnership for many years to come,” said Eric delaPena, Director of Quality at Marvel Group.

On Thursday, February 26th, Marvel Group, Inc., a Chicago based metal fabricator of nearly 70 years, was pleased to accept a plaque commemorating 20 years of ISO 9001 certification from UL DQS. This achievement is a significant milestone for Marvel Group.

Marvel Group, Inc. is a fully-integrated, world-class metal fabricator headquartered in Chicago, Illinois. Originally called Marvel Metal Products, the company was founded in a corner garage by a WWII fighter pilot and his high school buddy in 1946. Their first product was a metal breadbox decorated with a floral stencil designed by the fighter pilot’s wife. By 1960, Marvel had become the steel manufacturer of choice for quality retail items including bread boxes and storage bins for Montgomery Ward, Sears Roebuck, as well as many other national catalogers and retailers. Marvel’s brand recognition went international in 1974 with its OEM division garnering quality awards from well recognized printer manufacturers. As of 1980, Marvel had entered the office furniture industry by promising to ship all orders in five days. This has become a hallmark of the Marvel name, as they maintain a 5-day ship promise on Pronto® and MW®, two of their most popular brands today. In 1985, Marvel became so confident in the quality of their product that they offered a Lifetime Warranty on all of their furniture products. The turn of the century bolstered their continuing effort to bring only the most innovative and highest quality products to the office furniture industry. Marvel commissioned Otto Zapf, a world renowned designer and furniture visionary, to develop a line of panel and free-standing commercial office furniture that could bring style, class, versatility, and Marvel Quality to this growing market place.

In addition to focusing on customers, Marvel focused on the environment by installing an environmentally safe powder coating system in 1992, which won a special award from the Governor of Illinois. Soon after, certain Marvel product lines became GreenGuard® and eventually GreenGuard Gold® Certified. In 1994, Marvel partnered with UL DQS to become ISO 9000 certified. This certification for Marvel Group, Inc. reflects adherence to rigid performance standards not only in product design, development and production, but also in marketing, purchasing, customer service and even personnel.

Page 4

Marvel’s ISO 9001 certification is an impressive measure of their commitment to overall quality. Their quality goals are simple:

• Exceed customer expectations

• Continually improve products and services

• Deliver on-time, complete and defect-free

Though these goals are “simple,” Marvel continually strives to improve their metal fabrication through efficiency, innovation and cost-effective processes that have been structured and well defined by 20 years of ISO 9001 certification. This drive for improvement is what made Marvel Group, Inc. a successful metal manufacturer now serving five major industries:

OFFICE FURNITURE (www.marvelgroup.com)

Office furniture, storage systems, seating and more with a reputation for uncompromising quality at an affordable price.

CUSTOM CONTRACT MANUFACTURING (www.marveloem.com)

Contract metal fabrication and final mechanical / electrical assembly of products for the printing, medical, transit, and electronics industries. Since the 1990s, OEM customers have trusted Marvel quality domestically and internationally, naming Marvel as their supplier for multiple product lines. Marvel specializes in highly complex and time critical products for major corporations worldwide.

RETAIL

Design and fabrication of complex point-of-purchase display units for super-stores and other contemporary retailers.

UNIVERSAL WEAPONS RACK (www.universalweaponracks.com)

Durable storage systems with exceptional effectiveness, functionality, maximum flexibility and premium quality.

AUDIO VISUAL (www.marvelvizion.com)

Audio Visual Furniture to support today’s technologies and continue their tradition of manufacturing a high quality, innovatively designed product that is Made in America.

Nearly 70 years of metal fabricating experience brings unbeatable value to each of their manufacturing partnerships. The world’s most recognized brands rely on the Marvel Group to design, manufacture, and deliver their products and components using the highest standards at every level of the relationship. Their award winning engineering staff partners with marketers, big and small, in designing cost effective, premium quality components embracing “Best Value” principles. Under the guidance of UL DQS and the guidelines of ISO 9001, Marvel Group will continue to grow and provide world-class, high quality products.

Page 5

New ISO 27001 Standard Can Reduce Security Breaches

We have witnessed some high profile security breaches in the past few years. It started with the massive data breach at Target reported in December 2013, followed by Home Depot, JP Morgan Chase, Sony Pictures, and the list goes on. The CareFirst BlueCross Blue Shield group reported a massive data breach in May 2015; 1.1 million insurance subscribers’ personal data have been stolen. Other BlueCross entities hacked were Anthem Inc. (78 million individual records) and Premera Blue Cross (11 million records compromised). Most recently, hackers accessed data for 4 million current and former federal employees. The hard question we have to ask is: are we learning from these incidents?

Let us go back a couple of years to 2011. Lockheed Martin reported that hackers were able to get into their network. This is the time when Lockheed and the Pentagon were working on their top secret project to develop the F22 and F35 fighter jets. Both the Pentagon and Lockheed denied losing any classified information in that hacking. Everything seemed fine until China released their latest fighter jet, the J31, in December 2014. Defense analysts were stunned by the striking similarities between the Chinese J31 and the U.S. F35. The Pentagon and Lockheed spent upward of 800 billion dollars to develop the F35. A simple Google search will give you even more information on this subject, but it is just one example of loss of intellectual property through cybercrime. How much is the U.S. economy losing every year? Dr. Ron Ross, head of the Federal Information Security Act (FISMA) implementation project, estimated it to be around a trillion dollars per year.

Let us try to understand the root causes of these high profile breaches.

Lockheed Martin is known for its robust security protocols due to their involvement in a number of top secret defense projects. Why were the hackers able to succeed? Investigation revealed that the hackers first penetrated the RSA token database of EMC (a third-party vendor) to steal the secure user credentials of one of Lockheed’s vendors. Then they logged into the Lockheed system as one of their trusted vendors. It was an eye opener for security professionals. It showed that securing your own network is not enough; supply chain security is as important as your own security. This case also showed a classic syndrome of “denial.” It is very difficult for a premier institution to accept the fact that they have been outsmarted by some “bad guys.”

Let us move on to 2013. Target had outsourced its network security monitoring to a third-party organization. That vendor started reporting suspicious activities in the Target network several months before the whole incident went out of control. Target had just gone through PCI audits, and their systems were certified, so there was reason to believe “we are safe.” Later investigation revealed that hackers penetrated one of Target’s HVAC vendors and got access to the Target network. Once again the hackers exploited the weakness of a supply chain partner, and Target senior management’s initial reaction was “denial.”

Not long after the Target incident, Home Depot declared a massive data breach. Once again, hackers stole the credentials of one of Home Depot’s vendors to get access to the Home Depot network.

The Sony Pictures hacking topped the list of 2014 security breaches. One of the many things leaked by the hackers on public file sharing sites was a confidential email from the General Counsel of Sony Pictures to senior management urging them to act on the security gaps reported by an audit firm. That audit was conducted in August of 2014. Senior management of Sony Pictures was aware of the security gaps and chose not to act.

Let us review the new ISO/IEC 27001 standard in these contexts.

One of the major changes in the standard is to shift the focus of incident management to event management. Security events are symptoms or early indications of a potential problem. Early detection minimizes the impact of an incident. Sometimes organizations are aware of some known weaknesses but don’t take timely action, as in the case of Sony Pictures. Target management was alerted about these events, but those were ignored. The CareFirst group reported the security incident in April 2015. Their report says hackers had been stealing information from June of 2014. This shows their event management process was not effective.

Page 6

Another major change is in the area of supplier security. The new standard has provided additional controls to ensure supply chain security.

The figure below illustrates how an Information Security Management System (ISMS) works. Section 4 requires the organization to understand its business context, threats and opportunities, stakeholders and their expectations, and to determine the scope and boundaries of the security management system. Section 5 requires the leadership team of the organization to establish the security management system, which includes establishing policies, defining roles and responsibilities, providing resources, etc. Section 6 requires the organization to develop objectives and a plan for the ISMS. Section 8 addresses implementation of the ISMS plan, where the main activities are risk assessment and developing a risk mitigation plan.

Annex A provides a list of security controls. Organizations implement the controls as a means of mitigating risks. Section 9 requires organizations to establish a performance measurement system to monitor the effectiveness of the ISMS. One of the monitoring process steps is management review, where senior management is required to review the performance of the ISMS. Section 10 addresses the corrective action system for any deviations found in Section 9. Section 10 also provides requirements for improvements. Sections 6, 8, 9 and 10 drive a continuous improvement cycle. Section 7 provides requirements for the support functions like resource management, training, and document management.

Please remember that no security certification guarantees protection from hacking. All the cases discussed clearly show that security controls are not effective without management support. ISO 27001 is the only standard on information security that provides a management system framework in addition to the security controls.

Figure: structure of the ISO/IEC 27001 ISMS. Clauses shown: 4 Context of the Organization; 5 Leadership; 6 Planning; 8 Operation; 9 Performance Evaluation; 10 Improvement; 7 Support; Annex A Controls.

Subrata Guha, Director, IT Services

OUR SERVICES

• Certification Assessment Services

• Management System Training Classes

• Internal and Supplier Audits

OUR COMPETENCIES

• ISO 9001

• AS 9100/9120

• ISO 22000

• ISO 20000

• ISO/TS 16949

• ISO 27001

• BS25999/SS540

• eSCM

• TL9000

• IRIS

• ISO 13485

• ISO 14001

• OHSAS 18001

• ESD S20.20/ IEC

• ISO 50001

• CMMI

• BRC

• BRC IOP

• HACCP

• FSSC 22000

...and many more

www.ul-dqsusa.com

For assistance, please contact us at 1-800-285-4476 or [email protected]