Due Diligence for Information Management Vendors
Useful Suggestions on How to Identify Quality Vendors
Utilizing third-party assistance for the non-core activities of your business is a common practice. It increases operational efficiencies and reduces the burden on in-house costs and administration. However, selecting the right vendor for your outsourcing requirements is a process in itself. If you wish to create reliable, safe and lasting partnerships, you need to invest substantial time and effort in evaluating the vendors and conducting proper due diligence. After all, you want to bring on board a partner that has strong risk management practices, process integrity and customer-orientation.
At Crown Information Management, we have been at the other end of third-party audits numerous times. Our clients are always pleased with the various checks and controls that we demonstrate through our policies and processes. It is our strong security protocols and single-minded focus on protecting customer privacy that makes us the preferred information management vendor for several businesses in and around central Florida. Read on to know how you can partner with the right vendors for outsourcing records storage and management or secure destruction of your paper and digital records.
Ask the Right Questions to Eliminate the Best from the Rest
When you are looking for third-party assistance for crucial components of your business, asking the right questions and properly vetting potential vendors will help you prevent costly breaches and mitigate the risks of outsourcing. Use these five parameters to conduct your due diligence and eliminate the best from the rest.
Physical Controls: Check if the potential vendor has a formal physical security policy in place.
- Do they log information on visitors, issue them IDs and personally escort them on premises?
- Are visitors denied access to areas where sensitive information is being managed?
- Do they have controls, such as biometric or electronic device-based access for their information management hubs?
- Do they have electronic surveillance, monitored security storage for physical records.
Organizational Priorities: Evaluate whether the vendor’s organizational priorities are in order.
- Have they put in place a formal risk assessment program, information security policy, incident response teams and business continuity plans?
- Do they monitor quality controls and audit their own processes?
Data Checks and Management: Find out whether the vendor has a formal asset management program and access control policies.
- Do they encrypt confidential data and conduct periodic data backups?
- Is the backed up information stored in an independent location, away from the primary system?
- Do they monitor the return of assets and equipment when their employees resign?
Staff Effectiveness: Evaluate the kind of controls that the vendor has put in place while hiring and terminating their staff.
- Do they have formal policies for hiring and termination of employees, as well as contractual staff?
- Do they perform extensive background checks for potential employees before allowing them to handle confidential records of their customers?
- Are their employees aware of the company’s Code of Ethics and do they receive formal training on information security protocols?
Technology and Infrastructure: Discuss and review the vendor’s technology platforms and physical infrastructure to determine their robustness and reliability.
- Have they invested in advanced equipment and technology to securely manage or destruct the client’s information?
- Are their network and application configurations on par with industry standards?
- Do they own or lease the physical premises where the client records are stored and managed?
For systematic records management and storage, or secure disposal of physical and digital records, choose a NAID AAA Certified company, such as Crown Information Management. Call us at 800-979-9545 or contact us online for a free estimate for your requirements.