We all know the weakest links in cybersecurity are found within the walls of our businesses and organizations.
🔐 eXpress badging® Team Security Processes, Roles, and Responsibilities
At eXpress badging®, we recognize that the weakest links in cybersecurity are often within organizations themselves. Our security program is built on strict personnel screening, ongoing training, process-driven access controls, and a culture of accountability aligned with industry standards such as NIST CSF 2.0 and ISO/IEC 27001.
👥 Personnel & Process Security
-
Background Screening:
-
All team members must pass a third-party background check prior to employment.
-
Annual background re-checks are conducted for every employee.
-
-
Cybersecurity Training:
-
All new employees complete an intensive cybersecurity training program and must pass all associated tests.
-
Quarterly “lunch & learn” refresher sessions cover cybersecurity and physical security awareness.
-
💻 Cybersecurity Responsibilities
-
Role-Based Access:
-
Users are assigned to security groups that restrict access strictly to the systems, files, and resources required for their roles.
-
-
Account Lifecycle Management:
-
Terminated users are removed from access groups within minutes of confirmation.
-
-
PII (Personally Identifiable Information) Handling:
-
All PII files must be exchanged through the eXpress badging® Upload Center (powered by Citrix ShareFile) or using the Veonics® Portal.
-
Email stripping of attachments is enforced for customer-facing addresses (idme@, support@, info@).
-
Company policy prohibits storing PII on local computer drives; all files must be stored on secure company servers.
-
After a badge print job, no high-risk PII is retained.
-
Upon written request, all customer PII is destroyed within 10 business days, with a written certification of destruction provided.
-
If customers supply unnecessary PII, eXpress badging® deletes it before import or storage.
-
🎭 Social Engineering Protections
-
Policies & Education:
-
Security expectations are documented in the Employee Handbook and this Security Disclosure.
-
Portable storage devices (USB drives) are banned from onsite use.
-
Mobile phones may not be connected to computers or network devices.
-
-
Phishing & Spoofing Awareness:
-
Phishing and malware awareness is refreshed quarterly.
-
The IT team conducts periodic simulated phishing/social engineering tests.
-
All suspicious or fraudulent emails must be reported immediately to IT.
-
-
Third-Party Storage Restrictions:
-
Access to personal-use cloud storage services (Dropbox, Google Drive, etc.) is prohibited.
-
-
Policy Enforcement:
-
Employees who violate these policies are subject to written documentation in personnel records and/or termination of employment.
-
🌟 Core Values Driving Security
-
Security First, Family Always
We deliver products and services that proactively address our customers’ security concerns—so that everyone can go home safely to their families each day. -
Team Accountability
We honor commitments through a process-driven approach, adapting to change through planning and assessment, and building trust through teamwork. Accountability ensures every individual’s actions support the security standards and goals of eXpress badging®.
🔐 Who's Responsible? (RACI Matrix)
Why We Use a RACI Model for Security
At eXpress badging®, accountability is built into our culture. To ensure clarity, consistency, and compliance with frameworks like NIST CSF 2.0 and ISO/IEC 27001, we use a RACI (Responsible, Accountable, Consulted, Informed) model for all security-related processes. This approach makes it clear who owns each responsibility, who provides input, and who must be kept informed. By mapping tasks to roles, we reduce risk, improve efficiency, and demonstrate our commitment to transparency for both customers and auditors.
Security Roles & Responsibilities Matrix
| Security Process / Task | IT / Security Lead | Operations Manager | Employee / End User | HR / Admin | Executive Leadership |
|---|---|---|---|---|---|
| Background checks (pre-hire & annual) | C | C | I | R/A | I |
| Onboarding cybersecurity training | C | R | R | A | I |
| Quarterly refresher sessions | R | A | R | C | I |
| Access provisioning (user groups) | R/A | C | I | C | I |
| Immediate account removal (terminations) | R/A | C | I | R | I |
| PII upload via Citrix ShareFile | C | C | R | I | I |
| Email PII stripping enforcement | R/A | I | I | I | I |
| Prohibition of local PII storage | C | C | R | I | A |
| Customer-requested PII destruction | R | C | I | C | A |
| Printer data purge after jobs | R | A | I | I | I |
| Social engineering training (phishing awareness) | R/A | C | R | I | I |
| Simulated phishing campaigns | R/A | I | R (test subjects) | I | I |
| Portable device ban (USB, phones to PCs) | R | A | R | I | I |
| Third-party storage ban (Dropbox, etc.) | R | A | R | I | I |
| Policy enforcement & violations | C | R/A | I | C | I |
| Documentation & Security Handbook updates | C | R | I | C | A |
| Quarterly Fortra VM report review | R/A | C | I | I | I |
| Remediation planning (based on VM findings) | R/A | C | I | I | A |
| Security GPA improvement tracking | R/A | C | I | I | A |
Legend
-
R (Responsible): Does the work.
-
A (Accountable): Final decision authority.
-
C (Consulted): Provides input and review.
-
I (Informed): Kept updated on progress.
Living Our Core Values
Our security processes are more than policies—they reflect the way we work together as a team. By aligning responsibilities through the RACI model, we reinforce our Core Values of Security First, Family Always and Team Accountability. Every team member understands their role in protecting customer data and supporting one another, ensuring that security is not just a requirement, but a shared responsibility. This commitment allows us to confidently serve our customers while safeguarding what matters most.