
Security Becomes A Differentiator For ECM VARs: Earning its SAS 70 Type II certification has allowed this document management solutions provider to truly stand apart from its competitors.
by Gennifer Biggs, Business Solutions Magazine - July 2010
Document management solutions providers often find profit in developing repeatable solutions with a vertical slant. DataBank IMX, a national document management solutions provider, says that approach has worked for it as well. But DataBank has taken that process a bit further, adding a security certification — SAS 70 Type II — to the mix and creating a differentiator for which many verticals are willing to pay a premium.
To understand the impact that security has had on DataBank’s growth, first you need to know more about the company. DataBank has nine offices and more than 500 employees. A majority of its customers take advantage of the document management services offered by DataBank, and many of those customers fall along strong vertical lines such as higher education, healthcare, government, and oil and gas. To secure these types of customers — and therefore enjoy the recurring revenue flow that comes from ongoing services relationships — DataBank looks for four elements in the applications used by those potential clients.
Picking The Right Document Management Customers
The first criterion, explains Richard Aschman, CEO of DataBank, is that the information coming into the customer’s environment is not entirely client-controlled, and often arrives in several different formats over an extended period of time. For example, when a student submits admissions information to a university, the information can come in both electronic and hard copy formats, and may be forms, letters of reference, transcripts from several high schools (each in that school’s unique format), and electronic applications. The second criterion is that the documents and the data coming in are part of a mission-critical application. For example, filling the seats of each class of a university with highly qualified applicants by a particular date each year is key to the function of that university. Third, DataBank looks for target-rich environments — those with many potential customers — such as government, universities, and large corporations with high volumes of invoices. That allows the solutions provider to develop a repeatable process with one customer, and then roll it out to others in that vertical. Last, Aschman says DataBank looks for customers that have a recurring need for their document management solution. A university not only depends on its admissions cycle to drive revenue, it does so annually. Corporations looking for an accounts payable solution will use it monthly. That recurrence reinforces the critical aspect of the document management solution.
Security Certification Takes Document Management To Next Level
So, while DataBank has clients that may be shopping for an in-house solution that will be deployed by DataBank, or want to have scanning and storage projects completed by the VAR, the company’s best customers are those with repeatable, recurring needs. Aschman works diligently to identify and develop solutions that cater to the needs of those recurring services customers, and he says anyone can follow that approach. However, the game changer for DataBank was investing in a security certification that allows it to be more competitive in those verticals because decision makers in those businesses see security as a differentiator. “Every day we can read about people stealing vital records, or someone gaining access to personal financial information, or compromising supposedly secure information files. The damage to that company’s brand alone can be tremendous,” explains Aschman. Plus, protecting vital information is a requirement of most outside audits and many states have passed robust information protection laws. “Security and compliance standards are more visible, and the management of confidential information is considerably more regulated.”
For a document management service provider to be successful selling solutions in those verticals impacted by security mandates, SAS 70 Type II is becoming a necessity rather than a luxury. “We found that many of the organizations that fit our sorting criteria to become recurring services customers needed security and were, in reality, under compliance mandates that require security,” explains Aschman. “Those same mandates, which continue to evolve, create opportunity for us, you just have to have the capability to provide that level of comfort.” Namely, comfort in the form of SAS 70 certification. SAS 70 (Statement on Auditing Standards No. 70) Type II certification is issued by the American Institute of Certified Public Accountants (AICPA) to confirm that internal controls and safeguards are in place at organizations that host or process data for customers. What that means in layman’s terms is that independent auditors confirm the security levels of the workflow processes and facilities of companies that handle sensitive personal information, such as that contained in university financial aid paperwork, mortgage applications, financial statements, and more.
DataBank first became aware of this burgeoning need through client interactions. “A few of our clients gave us deadlines for SAS 70 Type II accreditation and some prospective clients directed us to come back when we were accredited,” explains Aschman. That led DataBank to instigate an aggressive program nearly three years ago. “You simply can’t put yourself in that place where your customers are forced to leave you for another provider.” Plus, as one of only a few midsize national document management companies in the market — DataBank overshadows most SMB document management VARs but is usually smaller than manufacturers with direct customer relations — the solutions provider understands it must be as good or better than the large vendors while still treating customers as cherished partners.
Once DataBank made the decision to attack certification, it also set its sights on the higher level of security certification available within SAS 70. Essentially, a SAS 70 Type I means you have documented a process and a SAS 70 Type II means you are following those documented processes and that has been confirmed by an audit. Achieving that entailed examining management policies, people, and physical and data security, a daunting task. “We dedicated a lot of people just to define the processes we would need,” explains Aschman, who cautions that a solutions provider not willing or able to invest time, money, and personnel resources in this process for at least a year should not attempt to earn the certification. DataBank began with self-assessment. Then the company’s methodology was documented as it made changes to its process. Finally, DataBank did a readiness assessment, further honed and documented the necessary policies and procedures, and then began work on its formal audit. (Most major auditing firms can provide that service.) “We had three consecutive successful independent audits by one of the world’s largest audit firms,” says Aschman. “It was a lot of work and a lot of change; but it has improved all the elements of our business dramatically. Our clients know we are serious about security and compliance. They can literally see it when they visit our facilities.”
That said, the process was, at points, painful. “There are a lot of moving parts,” he says. “At each step, we identified the process [such as picking up an admissions office’s mail from a P.O. box for document typing, scanning and data entry], then identified the solution needed to be secure [creating a chain of custody for those documents], and finally bounced it off a consultant before making it a reality,” explains Aschman. One example of steps taken by DataBank revolves around employees. Because DataBank employees handle confidential documents — such as picking up those admissions documents — the solutions provider conducts background checks on all employees. That meant building out a robust hiring and human resource process, plus partnering with a firm that handles the background checks on an as-needed basis. All employees have confidentiality agreements in place, are trained how to maintain security, and must sign an employee handbook that details the security and compliance requirements of DataBank. In addition to background checks for criminal risk, which include a national and county crime check for felonies and misdemeanors, all employees must pass a credit check. “The expense for the background check isn’t much; rather, it is about making the effort to take this step with each hire,” says Aschman.
Physically, all DataBank offices are secured through a sophisticated alarm system provided by ADT. Aschman says the auditors go to such lengths that they even pretend to be delivery people to test access control at facilities. “It is important that our people understand the importance of maintaining a secure facility. We have two levels of security, card access and PIN, but our people are the best auditors,” stresses Aschman, who recently was challenged by an employee who didn’t recognize the CEO, and asked him for his ID.
DataBank also has security policies related to data management, data backup, workstations, servers, and laptops. Plus, all of its vendors or partners with access to the facilities must agree to the solutions provider’s security policies. “If a vendor or partner can’t — or isn’t willing to — meet our requirements, we no longer can use them,” explains Aschman. For example, if you are a Kodak service tech, and may be at a facility to repair a scanner, you must agree to the security policies. That rule extends from technology partners clear through the cleaning company. Speaking of facilities, with nine offices, DataBank also had to address the issue of transmitting data securely. To achieve its security certification at that level, the solutions provider utilizes a high-speed security WAN created by Verizon Business Solutions that includes a Layer 3 virtual private network, firewalls, data center collocation, a hosted Internet Protocol (IP) Centrex (voice service) solution, and management services.
Prepare For Heavy Investment For Security
Aschman says that, at points, the process was frustrating and painstaking. “It has so many elements; for example, you want to make the servers secure, so you lock down that room, but then you have to also think about fire, cooling, redundancies. It snowballs,” explains Aschman. “Our CIO and his team worked for months and months just to define the requirements for the readiness test. Then you have to spend the money.” Don’t kid yourself; you will spend money if you choose to secure SAS 70 Type II certification. Plus, maintaining the certification requires an annual fee that ranges from $25,000 to $50,000. “The costs are significant. It costs hundreds of thousands of dollars and requires ongoing investment to stay accredited,” cautions Aschman, adding that smaller organizations may simply find the process too expensive. “However, a lack of accreditation around key processes may also limit the applications or the clients for whose business they can compete. My opinion is that this has been a worthwhile investment for us, and will result in millions of dollars worth of new business annually.” The potential revolves around DataBank’s ability to position itself with SAS 70 as a differentiator during the long sales cycle that surrounds solutions requiring high levels of security. That opportunity is only going to grow, says Aschman. “More policies and regulations are being created to protect vital information as access to information becomes easier, and the combination of delivering a secure, outsourced solution — an easy-to-implement quality document management solution — will drive most growth in our industry.”






