2019 Sustainability Report

arrow blueCommitted to using financial, natural and human resources wisely without compromising the ability of future generations to meet their needs

ADDRESSING RISK
Security

Protecting our people and products, and the data we are trusted with.

Why Security Matters

102-11
Precautionary Principle or approach

103-1
Explanation of the material topic and its Boundary

103-2
Explain management approach components

103-3
Evaluate management approach

418-1
Substantiated complaints concerning breaches of customer privacy and losses of customer data

GRI 102-11; 418: 103-1, 103-2, 103-3; 418-1

Greif prioritizes the security of our assets—people, product and data. This includes the physical security of our facilities, ensuring the safety of our colleagues and maintaining a safe environment for our manufacturing assets. Data security protects our internal and customer data from cyber-attacks. Product security safeguards our customers' products throughout the supply chain, including shipping and transport.

Governance

Our data security practices comply with Sarbanes-Oxley, EU General Data Protection Regulation (GDPR) and Greif’s Records Management and Retention Policy. Greif’s Information Technology Team, led by our manager of Global IT Security, manages data security, which includes annual audits for IT control processes, quarterly reviews of data permissions and quarterly phishing simulations. At the center of our security operations is training. All colleagues with access to computers are required to complete quarterly cybersecurity training, receive quarterly newsletters promoting cybersecurity awareness and weekly security tips on topics ranging from password security to avoiding phishing scams, and participate in our annual Cybersecurity Month each October. Greif Executives receive updates through a cybersecurity dashboard that is shared with Greif’s Enterprise Risk Management Team and Board quarterly. The dashboard currently tracks our performance using the National Institute of Standards and Technology NSF maturity index score. Should Greif fall victim to a cybersecurity breach, we maintain an IT Services Cyber Incident and Response Plan and an IT Services Global Business Continuity Plan, which outlines our steps to quickly respond to and mitigate the impact of an incident. Greif received zero substantiated complaints concerning breaches of customer privacy and identified zero leaks, thefts or losses of customer data in 2019.

To manage the physical security of our buildings, Greif installs tag readers and PIN codes locks at our facilities. We require a bill of lading for each shipment picked up from our facilities. Greif supports product security throughout our supply chain by offering tamper-resistant closures.

Since 2018 we have been working to implement findings from a cybersecurity maturity assessment we conducted in collaboration with a third-party partner. In 2019 we continued to implement programs based on findings from the assessment. We introduced annual online Cybersecurity and Awareness training to help improve our colleagues’ ability to identify and respond to potential threats and minimize risk in both digital and physical spaces. After completing the training, each of our colleagues must complete a quarterly checkup, ensuring knowledge is retained and put into practice. The training is mandatory for all colleagues with access to computers, including our Executive Leadership Team. To further comply with GDPR, we have conducted GDPR training for our colleagues in EMEA and began establishing a formal data classification framework. The framework will help us better understand, and ultimately manage, the personal information we store.

In 2019 we established a three year cybersecurity strategy that we will begin implementing in 2020. The strategy will focus on implementation of multi-factor authentication, privilege access management, NxGenAV with EDR, and data classification framework, positioning ourselves to implement internet of things technology and continuing to train and educate our colleagues on current cybersecurity best practices.

Highlight Stories
Highlight Stories

FPS In Turkey Receives ISO 27001 Certification

Since 2018, Greif’s Flexibles Products and Services (FPS) Turkey operations have been ISO 27001 certified, reflecting of our commitment to keeping Greif’s, and Greif’s customers, information assets secure. The certification demonstrates that the information security management system (ISMS) meets international best practices and shows the significant efforts made by FPS Turkey towards compliance with the General Data Protection Regulation (GDPR) in Europe. The certification builds on FPS Turkey’s impressive quality credentials, which include ISO 9001 certified Quality Management Systems, Grade AA BRC IoP Global Standard for Packaging and Packaging Materials Issues compliant Product Safety Management Systems and ISO 14001 compliant Environmental Management Systems.

DEFINITION