RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Larry Medina <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Wed, 7 May 2014 08:38:18 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (82 lines)

On Wed, May 7, 2014 at 7:39 AM, Steward, David <[log in to unmask]> wrote:

> And don't forget that Cintas is now part of the new Cintas-Shred-it
> company.  They merged in March.
>
>
> http://www.cintas.com/company/news_media/press_releases/Cintas-Corporation-Announces-Agreement-with-Shred-it-International-Inc.aspx
>
> How much blame do we assess to Cintas and how much to evil people with bad
> intent?  Let's be honest, this is a nightmare scenario for all of us.  Not
> giving Cintas a pass, but we are in the same position in most of our
> organizations.
>
> I work at a law firm.  There is a lot of confidential and proprietary
> information.  We have locks, alarms, cameras, monitoring, and many levels
> of security and control.  But people are, and will be, the weak link.
>
> I'll bet that not only Cintas but every secure shredding professional will
> look at this event and analyze how they can do better.  At least I hope
> that will be an outcome.  But the bad guys will find another exposure and
> exploit that.
>
> How secure do you feel about your processes and risk exposure?  Could a
> similar situation happen in your environment?
>
> David B. Steward
> Director of Records



I don't actually disagree with David's comments, however....

When you contract with a service provider to provide a set of services and
there are clear terms and conditions that both parties have agreed to, you
have a reasonable expectation that they will ensure they live up to those
expectations.

If they have caveats in the agreement that you are only protected to a
certain level, or that there are things they cannot protect against, then
those are risks you have to weigh and either decide to accept or not.

It's the same (in my mind) with a storage provider or a destruction
company.... they are responsible for performing in accordance with the SLA
both parties have agreed to from start of service to end.  If something
happens to assets you have entrusted to them while they are in their care,
then they are responsible for the consequences.

Not everyone, but some, will go as far as to request a formal "Business
Associates Agreement" to ensure the service provider understands they are
fully liable for certain things... and if HIPAA is a piece of your
business, you REALLY SHOULD exercise one of these agreements.  In
California, if PHI, PII or PFI is being stored or destroyed by a third
party, you DEFINITELY should have an agreement on file, to limit your costs
in the event of a data breach or exposure.

If your service provider is a member of PRISM or NAID, you might want to
contact them in the event of a failure to live up to contract terms; there
are expectations these associations place on their members as well.

As to the question of how secure do I feel about our processes and risk
exposure?  Well, in my scenario, I feel relatively secure.  ALL employees
go through initial thorough background checks and periodic
re-investigations, we manage ALL of our services on-site, and we are
notified in advance of any staff changes to roles in our processes. Could
it happen? I won't say that it couldn't.... accidents DO happen, but on a
secure 1-mile campus with buffer zones on all sides, I'm relatively sure
we're okay.

Larry
[log in to unmask]




*Lawrence J. Medina, Danville, CA; RIM Professional since 1972*

List archives at http://lists.ufl.edu/archives/recmgmt-l.html