NASPO Background
Who or What is NASPO?
NASPO was founded in 2002 by companies and individuals in the security products industry that recognized the need for the control of secure products and technologies. To provide a recognized framework, NASPO developed an authoritative set of standards and auditing practices focused on the principle of control using the concept of risk management.
Why was NASPO formed?
NASPO was formed to combat the ever-increasing amount of fraud within the areas of Brand Protection, Financial, and Identity. Our focus is to produce a credible, structured, certifiable security products industry in Canada and the United States by the creation of a risk reduction standard and auditing process to certify security product providers. This structure also provides the end user with the ability to create a secure supply chain from technology developers to end users.
When was NASPO founded and by whom?
The announcement of the formation of NASPO was made in September 2002 at a PIA/GATF sponsored security conference. The first NASPO Board Meeting was held in Washington, DC in December 2002. The founding individuals were Michael O'Neil, Northstar; Richard Warner, GATF; Graham Whitehead, Hologram Industries; and David Lightfoot, Chesapeake Resource Group.
NASPO Benefits
What can NASPO do for me and my company?
NASPO can provide many things for your company. Among them are:
- A level of recognition within the security products industry;
- A set of "Security Best Practices" to protect your company, your employees and your customers;
- Broadened access to restricted security materials; and
- Meeting security requirements in contracts and requests for quotes.
Can I use the NASPO Certification or membership in my marketing material?
All members are welcome and encouraged to use the NASPO logo and the NASPO Certified logo on their marketing material. This provides a level of distinction and recognition of the company's commitment to the security interest of their customers and clients.
NASPO Services
I am currently having a security problem. Can you recommend companies to help me?
NASPO will only make recommendations of member companies, and can direct you to the member companies most suitable to your requirements.
Can you evaluate security features for my company?
No, the organization does not make any attempt to evaluate individual security features. Security professionals and consultants can help organizations with an evaluation of features.
Does NASPO provide security consultants?
We do not provide consulting services but can recommend independent consultants that have been trained by NASPO. NASPO Certified Consultants are selected and trained to assist companies in the preparation and implementation of the standards with the purpose of obtaining certification. These are independent consultants and are not representatives of NASPO or affiliated in any way with the auditing process.
Doing Business with NASPO Certified Companies
I continue to see more security requirements in RFPs and contracts. Will NASPO Certification help my company fulfill those requirements?
Yes, the NASPO standard and the auditing/certification process provide companies with a solid framework of security practices and procedures to fulfill contractual security requirements.
As an end user/brand owner why should I use a NASPO Certified company?
End users and brand owners are increasingly faced with numerous threats and frauds that jeopardize and attack their financial structure and brand name integrity. To many brand owners this has become a critical issue. To counter these threats many have turned to security technologies and security practices. NASPO is designed to directly support that activity by providing a recognized structure for a secure supply chain for security materials and technologies. The standards also provide the end user and brand owner a set of standards and auditing criteria that can be tailored to the specific needs of an organization, without the necessity of developing company specific standards and costly audit procedures.
The NASPO standards are cost effective to use, understandable to a large variety of companies, and certifiable through independent auditing.
As an end user/brand owner, can I use the NASPO/ANSI Standards as a security requirement in my contracts and RFPs?
Yes. The use of the NASPO standards in contracts and Request for Purchase (RFP) documents is easy and cost effective. The end user/brand owner, based upon the standard, would independently determine the level of security required for the production of their procured item. The end user/brand owner would then simply state, in the contract/RFP, that the supplier must meet a specific NASPO designated security level to bid on or provide the procurement item. In effect the brand owner and supplier both know what the security requirements are, and NASPO has independently certified that the producing company has met those requirements.
Will using a NASPO certified company help my company with my Sarbanes-Oxley compliance?
Possibly Yes. The NASPO Standards were not directly developed to comply with any of the requirements of the Sarbanes-Oxley legislation. We do recognize that under SOX Section 404 there is a requirement for companies to evaluate and mitigate the financial risk to their organization. Since the NASPO standards focus upon the reduction of risk within a supply chain, they do support the concepts of Section 404. They may also provide a structured, auditable level of security assurance for the SOX audit process.
Will using a NASPO certified company help my company with my Bio-Terrorism Act compliance?
Possibly Yes. The NASPO Standards were not directly developed to comply with any of the requirements of the Bio-Terrorism Act. We do recognize that the basic premise of the Act is to provide a secure supply chain for consumer products, primarily food and pharmaceuticals. As recognized, the NASPO Standard is a supply chain security standard; therefore, while not directly developed for the Act, it does support it in principles and practices.
Membership, Member Responsibilities, and Member Costs
Who can join NASPO? How do I join?
Membership is open to any company, organization or individual, legitimately involved in the development, integration, manufacture and use of security products used within our defined areas of fraud reduction. Because of the security nature of our organization, all potential members will be screened to determine their applicability for membership. Membership information and an application form can be downloaded from our website.
How much does it cost?
NASPO membership has several levels of dues based upon your desired membership status. Each level has its benefits and advantages. The dues are outlined in our membership material, downloadable from our website.
Beyond the cost of the audit, how much will it cost my company to become certified?
Each company is going to be different based upon the security classification and the amount of security infrastructure already in place. A company can review the standard criteria for the classification desired and use a gap analysis to determine deficiencies. A working budget can then be approximated based upon the analysis. In addition, the company is billed for the travel expenses of the auditor. An estimate of those expenses can be provided to the company prior to the audit.
Because NASPO is primarily a volunteer organization, how much time will I need to spend on NASPO work?
NASPO is a volunteer organization and is dependent on the work of the members to fulfill the objectives of the organization. We are extremely fortunate that we have individuals that have been strongly supported by their companies. Without the support of the member companies NASPO would not be in existence. The actual amount of time required is an individual decision. We all are employed full time and therefore our volunteer time may be heavily restricted. We take the contributions of time when and where they are available and thank everyone for their participation.
Does one corporation hold a membership or does each plant have to be a member?
A corporation may hold a membership or individual plants may hold memberships, dependent upon the structure of the corporation or desire of the individual plants. NASPO may limit Board membership and voting rights from multiple plants from one corporation, but not actual memberships.
If I am a member do I have to be audited and certified?
Those members that are security technology developers, integrators or producers are expected to be audited and certified within a reasonable amount of time. Individuals, consultants, end users and brand owners may be audited if they so choose, but are not required to do so.
How much time do I have before I have to be audited?
NASPO has not established a time limitation on being audited. Based upon experience the time required can vary considerably. We do expect that member organizations will make a good faith effort to achieve an audit within an 18-24 month period.
Security Audits and Security Certification
Who will the auditors be?
The auditors are professional independent consultants, selected and trained by NASPO in both the standards and the audit process.
Who can help my company understand the standards and the audit process to become certified?
NASPO can recommend independent consultants that have been trained in the NASPO/ANSI Standards to assist members in understanding the standards and audit processes. Auditors may also be available on a limited basis to answer specific questions related to the standards or audit.
How will my company know which security classification is appropriate for us?
The security classification to which the company will be audited is mutually determined by the auditor and the company. It is primarily determined by the nature of the security products produced and the threats posed against those products. Products and services that are the primary targets of organized crime or terrorist enabling would normally require the highest level of evaluation.
How long will it take my company to become certified?
This will vary from company to company based upon the amount of time necessary to complete the requirements of the pre-audit. The initial on-site audit process typically takes the auditor 1-2 days for class 3; 2-3 days for class 2; and 3-5 days for class 1. After completion of the audit, and the fulfillment of any discrepancies, a recommendation to certify is made by the auditors to the Executive Board. The Executive Board, in accepting the recommendation of the auditors, votes to approve the company as certified. This entire process is typically less than 30 days.
Do I have to be a member to receive a Security Audit?
No, you do not have to be a member to receive a Security Audit. We have established a price structure for auditing services for those organizations that choose not to become members. It is of course more cost effective for members to receive the Security Audit and Certification. The cost of the Security Audit and Certification for members and non-members is outlined in our membership material, downloadable from our website.
Are the results of my audit going to be made public, or known by the membership?
The results of your audit are held at a highly confidential level and revealed to no one without express written consent of the audited company. Any written or electronic documents produced from an audit are stored in a bank vault. Auditors are all required to sign a highly restrictive confidentiality agreement. NASPO will only publicly announce that a company has been certified and not at what classification level. Classification levels can be revealed solely by the certified company; NASPO will verify the certification to third parties only with the written permission of the certified company.
I am concerned about divulging confidential information. What does NASPO do to protect my confidentiality?
The NASPO Auditor will be working under a restrictive confidentiality agreement. The only confidential information that must be revealed to the Auditor will be of a security nature, and pertinent to the audit process. Any confidential information revealed to the Auditor in the audit process will not be disclosed to anyone under any circumstance.
Security Standards
Can I get the standards without being a member?
Yes, the standard is an American National Standard available to anyone wishing to purchase a copy. Copies can be purchased on-line at either www.naspo.info or at ANSI's eStandards Store at www.ansi.org. NASPO members, however, receive copies of our standards and auditing procedures at no additional cost.
Will the NASPO/ANSI Standards become part of the security requirements for contracts and RFPs?
It is our expectation that when the NASPO standard is accepted as an ANSI standard, it will become the recognized standard for security compliance in many RFPs and contracts.
Are your standards the same as the European CEN Standards?
No, they may have a similar basis and focus but the European CEN Standard is a separate standard developed independently of NASPO.
Are your standards the same as the APACS standards used in the United Kingdom?
No, they may have a similar basis and focus but the APACS is a separate standard developed independently of NASPO, and primarily for the production of checks and financial documents.
NASPO Meetings
How often are meetings being held?
Currently committee and Board Meetings are being held on a quarterly basis. Special committee and Board meetings can be called by the committee chairperson or by the Executive Committee.
Where are the meetings being held?
Meetings are typically hosted by member companies and are held throughout Canada and the United States.
What do you do at NASPO meetings?
We review the progress of the standards development committee and the certification status of member companies. We also conduct NASPO business involving planning, communications, and topics of general interest to the product security industry.
Some of my competitors are members of NASPO. How does NASPO handle anti-trust issues?
NASPO strictly adheres to all anti-trust regulations and prohibits its members from participating in any activity that might be in violation of any anti-trust laws or regulations. Our anti-trust policy is read prior to all meetings and a copy is provided to all members at regular Board meetings.
Some of my competitors are members of NASPO. Are we expected to discuss issues that may be competitive information at the meetings?
No, NASPO discourages any company from discussing information that may be competitive in nature. NASPO strictly prohibits the discussion of any information that may be in violation of anti-trust statutes. The organization is focused on the development of security industry standards and the certification of qualified companies. All discussions should be germane to that focus.
NASPO Outside of North America
Will you create standards that will apply outside of North America?
While the standards were developed primarily for the security markets of the United States and Canada, we recognize that companies located outside those countries may be providing products into the global market. In that case the standards may not only be applicable but also may be a supply requirement.
We are not at this time looking at developing standards for individual countries or regions outside of Canada and the United States. It may be appropriate for NASPO to assist or work with similar organizations to develop reciprocal standards and letters of agreement.
My company is based outside of the United States or Canada, but I do business in those countries. Can I join NASPO?
Yes, companies selling security products and services within Canada and the United States can become members. Auditing and certification will be determined on a company by company basis.
My company is based outside of the United States or Canada, and I don't currently do business there. Can I join NASPO?
No, at the present time only companies supplying security products and services into Canada and the United States are eligible for membership.
My plant is outside of the United States and Canada. Can it be audited and certified by NASPO?
Possibly Yes. Any audits and certifications outside of the United States and Canada will be determined on a case by case basis and solely at the discretion of NASPO.
My plant is outside of the United States and Canada, but I am bidding on a contract that has an NASPO/ANSI security requirement. Can I be audited and certified by NASPO?
Possibly Yes. Any audits and certifications outside of the United States and Canada will be determined on a case by case basis and solely at the discretion of NASPO. NASPO will give special consideration and priority to organizations that are attempting to qualify for any contract required criteria under the ANSI/NASPO Standards.
Does NASPO recognize the European CEN Certified companies?
We currently have no formal reciprocity of recognition between the two organizations. We do recognize that companies acquiring the CEN Certification have met a significant level of security assurance.
Does the European CEN Certification recognize the NASPO Standards?
We currently have no formal reciprocity of recognition between the two organizations.