In terms of processes to monitor that vendor doesn't open our boxes, it's
not really practical - there are too many boxes, users and locations,
including local rules for taping boxes. Instead I rely on (1) the contract
with vendor (2) security information I collect during and after vendor site
inspections.

The contract has several privacy sections: two confidentiality sections
(one in the main agreement and one in an SOW) plus a Business Associate
Addendum which is several pages devoted entirely to privacy safeguards,
liability,  breach recourse. The BAA is imposed on all types of
vendors even if the vendor's (template) contract is used. The contract
requires the vendor to provide documents about technical safeguards to
protect data, Disaster Recovery plan, network diagrams, interface
descriptions, gateway descriptions, results of internal and 3rd party
security assessments (i.e. IT data security).

I collect and inspect all the same vendor building
(interior/exterior/perimeter) security processes you do including
fire/police proximity, alram connectivity etc. plus:
- as much of their security/privacy staff training manuals vendor is
willing to divulge,
- staff training schedule
- PRISM, ACRC, IFMA membership
- descriptions of their staff screening processes (drug screens,
state/federal background checks)
- delivery vehicle break-in/theft/accident history


-- 
Maureen Cusack
San Francisco, CA
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]