NASPO Background
Who or What is NASPO?
NASPO was founded in 2002 by companies and individuals in the security products industry that recognized the need for the control of secure products and technologies. To provide a recognized framework, NASPO developed an authoritative set of standards and auditing practices focused on the principle of control using the concept of risk management.
Why was NASPO formed?
NASPO was formed to combat the ever-increasing amount of fraud within the areas of Brand Protection, Financial, and Identity. Our focus is to produce a credible, structured, certifiable, security products industry in Canada and the United States by the creation of a risk reduction standard and auditing process to certify security product providers. This structure also provides the end user with the ability to create a secure supply chain from technology developers to end users.
When was NASPO founded?
The announcement of the formation of NASPO was made in September 2002 at a PIA/GATF sponsored security conference. The first NASPO Board Meeting was held in Washington, DC in December 2002.
NASPO Benefits
What can NASPO do for me and my company?
NASPO can provide many things for your company. Among them are:
- A level of recognition within the security products industry;
- A set of "Security Best Practices" to protect your company, your employees and your customers;
- Broadened access to restricted security materials; and
- Meeting security requirements in contracts and requests for quotes.
Can I use the NASPO Certification or membership in my marketing material?
All members in good standing are welcome and encouraged to use the NASPO logo on their marketing materials. Certified members are encouraged to use the NASPO Certified logo. This provides a level of distinction of the company's commitment to the security interest of their customers and clients.
Doing Business with NASPO Certified Companies
I continue to see more security requirements in RFP's and contracts. Will NASPO Certification help my company fulfill those requirements?
Yes, the NASPO standard and the auditing/certification process provide companies with a solid framework of security practices and procedures to fulfill contractual security requirements.
As an end user/brand owner why should I use a NASPO Certified company?
End users and brand owners are increasingly faced with numerous threats and frauds that jeopardize and attack their financial structure and brand name integrity. To many brand owners this has become a critical issue. To counter these threats many have turned to security technologies and security practices. NASPO is designed to directly support that activity by providing a recognized structure for a secure supply chain for security materials and technologies. The standards also provide the end user and brand owner a set of standards and auditing criteria that can be tailored to the specific needs of an organization, without the necessity of developing company specific standards and costly audit procedures.
The NASPO standards are cost effective to use, understandable to a large variety of companies, and certifiable through independent auditing.
As an end user/brand owner, can I use the ANSI/NASPO Standards as a security requirement in my contracts and RFP's?
Yes. The use of the NASPO standards in contracts and Request for Purchase (RFP) documents is easy and cost effective. The end user/brand owner, based upon the standard, would independently determine the level of security required for the production of their procured item. The end user/brand owner would then simply state, in the contract/RFP, that the supplier must meet a specific NASPO designated security level to bid on or provide the procurement item. In effect the brand owner and supplier both know what the security requirements are, and NASPO has independently certified that the producing company has met those requirements.
Membership, Member Responsibilities, and Member Costs
Who can join NASPO? How do I join?
Membership is open to any company, organization or individual, legitimately involved in the development, integration, manufacture and use of security products used within our defined areas of fraud reduction. Because of the security nature of our organization, all potential members will be screened to determine their applicability for membership. Membership information and an application form can be downloaded from our website.
How much does it cost?
NASPO membership has several levels of dues based upon your desired membership status. Each level has its benefits and advantages. The dues are outlined in our membership material, downloadable from our website.
Beyond the cost of the audit, how much will it cost my company to become certified?
Each company is going to be different based upon the security classification and the amount of security infrastructure already in place. A company can review the standard criteria for the classification desired and use a gap analysis to determine deficiencies. A working budget can then be approximated based upon the analysis. In addition, the company is billed for the travel expenses of the auditor. An estimate of those expenses can be provided to the company prior to the audit.
Because NASPO is primarily a volunteer organization, how much time will I need to spend on NASPO work?
NASPO is a volunteer organization and is dependent on the work of the members to fulfill the objectives of the organization. We are extremely fortunate that we have individuals that have been strongly supported by their companies. Without the support of the member companies NASPO would not be in existence. The actual amount of time required is an individual decision. We all are employed full time and therefore our volunteer time may be heavily restricted. We take the contributions of time when and where they are available and thank everyone for their participation.
Does one corporation hold a membership or does each plant have to be a member?
A corporation may hold a membership or individual plants may hold memberships, dependent upon the structure of the corporation or desire of the individual plants. NASPO may limit Board membership and voting rights from multiple plants from one corporation, but not actual memberships.
If I am a member do I have to be audited and certified?
Members are encouraged to become certified, but it is not a requirement to do so.
Security Audits and Security Certification
Who will the auditors be?
Both NASPO and third party auditors who are professionals selected and trained by NASPO in both the standards and auditing process are available to perform audits.
Who can help my company understand the standards and the audit process to become certified?
There are a number of independent consultants to assist in understanding the ANSI/NASPO standards and audit processes. Auditors may also be available on a limited basis to answer specific questions related to the standards and audit.
How will my company know which security classification is appropriate for us?
The security classification to which the company will be audited is mutually determined by the auditor and the company. It is primarily determined by the nature of the security products produced and the threats posed against those products. Products and services that are the primary targets of organized crime or terrorist enabling would normally require the highest level of evaluation.
How long will it take my company to become certified?
This will vary from company to company based on the Class of security sought and the level of current preparedness. Only an internal pre-audit exercise by the company can make the determination of infrastructure procedures and preparedness necessary to estimate a timeline to certification.
Do I have to be a member to receive a Security Audit?
No, you do not have to be a member to receive a Security Audit. We have established a price structure for auditing services for those organizations that choose not to become members. It is of course more cost effective for members to receive the Security Audit and Certification. The cost of the Security Audit and Certification for members and non-members is outlined in our membership material, downloadable from our website.
Are the results of my audit going to be made public, or known by the membership?
The results of your audit are held at a highly confidential level and revealed to no one without express written consent of the audited company. Any written or electronic documents produced from an audit are stored in a bank vault. Auditors are all required to sign a highly restrictive confidentiality agreement. NASPO will only publicly announce that a company has been certified and not at what classification level. Classification levels can be revealed solely by the certified company; NASPO will verify the certification to third parties only with the written permission of the certified company.
I am concerned about divulging confidential information. What does NASPO do to protect my confidentiality?
The NASPO Auditor will be working under a restrictive confidentiality agreement. The only confidential information that must be revealed to the Auditor will be of a security nature, and pertinent to the audit process. Any confidential information revealed to the Auditor in the audit process will not be disclosed to anyone under any circumstance.
Security Standards
Can I get the standards without being a member?
Yes, the standard is an American National Standard available to anyone wishing to purchase a copy. Copies can be purchased on-line at either www.naspo.info or at ANSI's eStandards Store at www.ansi.org. NASPO members, however, receive copies of our standards and auditing procedures at no additional cost.
Will the ANSI/NASPO Standards become part of the security requirements for contracts and RFP's?
It is our expectation that when the NASPO standard is accepted as an ANSI standard, it will become the recognized standard for security compliance in many RFP's and contracts.
Are your standards the same as the European CEN Standards?
No, they may have a similar basis and focus but the European CEN Standard is a separate standard developed independently of NASPO.
Are your standards the same as the APACS standards used in the United Kingdom?
No, they may have a similar basis and focus but the APACS is a separate standard developed independently of NASPO, and primarily for the production of checks and financial documents.
NASPO Meetings
How often are meetings being held?
Currently committee and Board Meetings are being held three times per year. Special committee and Board meetings can be called by the committee chairperson or by the Executive Committee.
Where are the meetings being held?
Meetings are generally held in major cities in North America as voted by the membership.
What do you do at NASPO meetings?
We review the progress of the standards development committee and the certification status of member companies. We also conduct NASPO business involving planning, communications, and topics of general interest to the product security industry.
Some of my competitors are members of NASPO. How does NASPO handle anti-trust issues?
NASPO strictly adheres to all anti-trust regulations and prohibits its members from participating in any activity that might be in violation of any anti-trust laws or regulations. Our anti-trust policy is read prior to all meetings and a copy is provided to all members at regular Board meetings.
Some of my competitors are members of NASPO. Are we expected to discuss issues that may be competitive information at the meetings?
No, NASPO discourages any company from discussing information that may be competitive in nature. NASPO strictly prohibits the discussion of any information that may be in violation of anti-trust statutes. The organization is focused on the development of security industry standards and the certification of qualified companies. All discussions should be germane to that focus.
NASPO Outside of North America
Will you create standards that will apply outside of North America?
While the standards were developed primarily for the security markets of the United States and Canada, we recognize that companies located outside those countries may be providing products into the global market. In that case the standards may not only be applicable but also may be a supply requirement.
NASPO is a standards development organization and will consider development of standards as approved by the membership.
My company is based outside of the United States or Canada, but I do business in those countries. Can I join NASPO?
Yes, companies selling security products and services within Canada and the United States can become members. Auditing and certification will be determined on a company by company basis.
My company is based outside of the United States or Canada, and I don't currently do business there. Can I join NASPO?
No, at the present time only companies supplying security products and services into Canada and the United States are eligible for membership.
My plant is outside of the United States and Canada. Can it be audited and certified by NASPO?
Possibly Yes. Any audits and certifications outside of the United States and Canada will be determined on a case by case basis and solely at the discretion of NASPO.
My plant is outside of the United States and Canada, but I am bidding on a contract that has an ANSI/NASPO security requirement. Can I be audited and certified by NASPO?
Possibly Yes. Any audits and certifications outside of the United States and Canada will be determined on a case by case basis and solely at the discretion of NASPO. NASPO will give special consideration and priority to organizations that are attempting to qualify for any contract required criteria under the ANSI/NASPO Standards.
Does NASPO recognize the European CEN Certified companies?
We currently have no formal reciprocity of recognition between the two organizations. We do recognize that companies acquiring the CEN Certification have met a significant level of security assurance.
Does the European CEN Certification recognize the NASPO Standards?
We currently have no formal reciprocity of recognition between the two organizations.