In a previous post I outlined the need for LPO vendors to implement information security standards and have them periodically certified by independent third parties. Certification is designed to obviate the need for every General Counsel (or other LPO clients) to send an information security specialist to evaluate information security controls at each vendor. However, LPO clients cannot rely on third party certifications alone. When outsourcing legal work (and most other types of work) clients should also protect their information by thoroughly reviewing a vendor’s written security policies and practices. Clients should then make site visits (1) to observe and interview vendor personnel in order to gauge their awareness of policies, and (2) to review the overall information security culture. We strongly recommend that vendor site visits be conducted at the time of due diligence and thereafter at least annually. Information security terms are also an integral part of an LPO vendor contract, and I will write generally about LPO contracts in a future post.
As part of an RFI or RFP process, ask potential vendors to outline any information security standard to which they adhere, to provide a copy of their information security policies and procedures and any third-party information security certification, and to outline the information security training program for vendor employees. Using this information, prepare for vendor site visits by making note of items that can reasonably be confirmed during a site visit. During vendor site visits, you will typically be exposed to the vendors’ most polished and astute staff members, so in addition to asking to speak with specific individual staff with whom you would be working, you should also observe and interact with passing individuals during the facility tour. Your inquiries and observations should be structured to enable you to evaluate internal operations and controls, technical controls and physical security, and perhaps most importantly, but least easily discerned, the organizational cultural norms about client security and confidentiality.
Sample inquiries and observations that may help you evaluate vendors’ information security practices include:
- How does the vendor control physical access to its premises?
- Is access separately controlled for work areas, server rooms, and other areas that house critical infrastructure?
- If video cameras are used in some areas, are they on and monitored? By whom?
- As you walk through the building or campus, are all controlled areas adequately monitored with badges and/or sign-in? Does each employee badge in, or do they allow others to share their badge?
- How “serious” is vendor staff about sign in sheets, escorts, and individual identification processes.
- Do the information security practices in place seem designed to protect the vendor’s assets, or have they also been designed to protect client information?
- Do workers have computers with CD-ROM or floppy drives, or USB ports?
- Is printing allowed? Are print-outs from different clients comingled?
- Is desktop scanning or faxing allowed?
- Do workers have access to the data of multiple clients (VLANs) from a single computer?
- Do workers have access to external websites (i.e. the World Wide Web)?
- Do workers have access to external email such as Hotmail, Yahoo.com or Gmail?
- Are instant messaging systems (e.g. AIM, Skype, Windows Messenger, etc.) permitted?
- Are workers able to participate in desktop conferencing (e.g. Net Meeting, WebEx, and the like)?
- Do workers have mobile phones in the workplace? Are mobile phones with cameras permitted?
- Do workers have laptops that can be removed from the premises?
- Is data physically encrypted on laptops to protect it in case of loss?
- Does the vendor conduct employment background checks? How are the background checks conducted, and by whom?
- Does the vendor conduct programs to reinforce the existence of a security and privacy sensitive culture (e.g. on going training with advancement incentives)?
- Is training provided both at the time of hire and an ongoing basis?
- Are all employees able to discuss the security training they’ve received? Can they easily discuss key elements with you?
- Does the vendor have programs to remain competitive in their local market with respect to employee compensation?
Information security protection is more than a set of policies and a certification; it is also a mindset and culture. Your inquiries should be designed to evaluate not just the formal policies, but also how they are implemented on a day-to-day basis, and will be implemented when you are no longer on-site.
Don’t overlook your vendor’s partnering strategy. Understand how your vendor works with its service providers. In most cases you should prohibit the sharing of information and subcontracting. Its one thing to trust your vendor with whom you have a contract in place, but it’s quite another to indirectly trust additional parties. If, for some reason, a third party would have access to your information, require the same certification and due diligence of the partner that you would of the vendor.
Remember that while information security is a critical aspect of an LPO providers operation, it is just one aspect of evaluating an LPO vendor.
What other observations and inquiries have you made during LPO vendor site visits? If you would like to add other considerations, or share interesting stories about your evaluation process, please comment on this post.