Info Security 101 – Who Touches My Stuff?!

Now, more than ever before, large and small companies alike are outsourcing more of their non-core business.  For that matter, companies are even outsourcing their core business these days.  So, every company, large or small, needs to consider the inherent risks when entering into a business relationship with a third party.

Outsourcing business services to companies that will have access to your company’s and/or your clients’ confidential information should be taken very seriously.  Let’s face it, besides your people, expertise and assets, your information is what makes your company unique.  Now, another company will have access to that information.  Have you thought about your company and how its information is handled?

Who specifically will have access?

When will they have access?

Where will the information be at all times?

How will the information be stored, transmitted, destroyed?

Now, think about your subcontractor and ask the same questions.

Does this make you nervous?

Well, if you’ve appropriately planned your subcontractor selection criteria in advance and run your subcontractor through a vetting process, then you shouldn’t be nervous.

But, the reality is that we tend to trust people too much.  Don’t be afraid to ask the tough questions and get answers in writing.

Here are some very basic questions to ask any service provider that handles your confidential information:

1) Can you provide me with some references with contact information?
2) Are your employees background checked and drug screened during pre-employment screening, and does this routinely happen after employment?
3) Is your facility secured by an alarm monitoring service, CCTV cameras recording all activity, video storage for at least 90 days, a key card or other access monitoring system, etc.?
4) Do you have documented written policies and procedures for the handling of our confidential information?
5) Do you routinely review, test and update these policies and procedures?
6) Do you have any trade certifications?  If so, what are the audit/testing guidelines, and can I receive a copy?
7) Can you provide me with the written agreements that our industry requires for the outsourcing of the handling of our confidential information?
8) What is your general and industry-specific insurance coverage?
9) What is your disaster recovery plan, has it been tested, and can I obtain a copy?
10) What is your business continuity plan, has it been tested, and can I obtain a copy?

It’s virtually impossible to get to know your subcontractor as well as you know your business.  However, it’s good business practice, and the law in some cases, to perform a vendor review to establish that due diligence was taken when selecting a vendor to handle your confidential information.