2018 Sustainability Report

arrow blueCommitted to using financial, natural and human resources wisely without compromising the ability of future generations to meet their needs

ADDRESSING RISK
Security

Protecting our people and products, and the data we are trusted with.

Why Security Matters

102-11
Precautionary Principle or approach

103-1
Explanation of the material topic and its Boundary

103-2
Explain management approach components

103-3
Evaluate management approach

418-1
Substantiated complaints concerning breaches of customer privacy and losses of customer data

GRI 102-11; 418: 103-1, 103-2, 103-3; 418-1

Greif prioritizes the security of our assets—people, product and data. This includes the physical security of our facilities, ensuring the safety of our colleagues and maintaining a safe environment for our manufacturing assets. Data security protects our internal and customer data from cyber-attacks. Product security safeguards our customers' products throughout the supply chain, including shipping and transport.

Governance

Our data security practices comply with Sarbanes-Oxley, EU General Data Protection Regulation (GDPR) and Greif’s Records Management and Retention Policy. Greif’s Information Technology Team manages data security, which includes annual audits for IT control processes, quarterly reviews of data permissions and quarterly phishing simulations. All colleagues with access to computers are required to complete quarterly cyber security training, receive quarterly newsletters promoting cyber security awareness and weekly security tips. Tips range from password security to avoiding phishing scams. Greif Executives receive updates through a cybersecurity dashboard that is also shared with Greif’s Enterprise Risk Management Team and Board quarterly. The dashboard currently tracks our performance using the National Institute of Standards and Technology NSF maturity index score.

To manage the physical security of our buildings, Greif installs tag readers and PIN codes locks at our facilities. We require a bill of lading for each shipment picked up from our facilities. Greif supports product security throughout our supply chain by offering tamper-resistant closures.

Greif received zero substantiated complaints concerning breaches of customer privacy and identified zero leaks, thefts or losses of customer data in 2018. To ensure we are able to continue protecting against potential breaches, we partnered with a third-party cybersecurity expert in 2018 to conduct a maturity assessment on Greif’s current cybersecurity protocols. The findings of the assessment helped us identify new focal points and laid the groundwork for our plan to further strengthen our cybersecurity program. To better manage our new focal points and implement our plans, we hired a manager of Global IT Security who is dedicated to cybersecurity. We took the necessary steps to ensure our compliance with the EU GDPR, which entered into force on May 25, 2018, including engaging with a third-party to assess our GDPR readiness. This engagement identified gaps that we are currently addressing by disseminating training to our workforce. The training is available to all colleagues via our existing KnowBe4 security and awareness platform. We also launched an internal IT Services Cyber Incident and Response Plan and an IT Services Global Business Continuity Plan to establish a clear response process should an event occur.

In 2019, we will focus on establishing annual Cybersecurity and Awareness training to mitigate risks by improving our colleagues’ ability to identify and respond to potential threats. We will engage our colleagues with monthly security tips on data access, storage, transmission, classification and handling. Our enhanced focus on employee training is part of our effort to implement a more robust incident response process, which we are continuously refining. We will continue to develop our IT Security Dashboard by adding additional KPI’s that will allow us to proactively identify potential risks and track performance improvements.

Highlight Stories
Highlight Stories

FPS In Turkey Receives ISO 27001 Certification

Greif’s FPS Turkey operations strengthened our commitment to keeping Greif’s, and Greif’s customers, information assets secure by earning ISO 27001 certification in 2018. The certification demonstrates that the information security management system (ISMS) meets international best practices and shows the significant efforts made by FPS Turkey towards compliance with the General Data Protection Regulation (GDPR) in Europe. The certification builds on FPS Turkey’s impressive quality credentials, which include ISO 9001 certified Quality Management Systems, Grade AA BRC IoP Global Standard for Packaging and Packaging Materials Issues compliant Product Safety Management Systems and ISO 14001 compliant Environmental Management Systems.

DEFINITION