The following are general questions that can be a starting point for an assessment of a potential vendor.
- How adequate are the vendor’s physical and electronic controls over data? Proof of controls would include self-certification such as a SAS 70 review or other independent checking.
- Does the vendor have appropriate administrative controls in place?
- Does the vendor subcontract projects that use your data to other U.S. and non-U.S. vendors? If yes, are there control procedures in place and are the procedures monitored?
- Does the vendor have a history of litigation or regulatory enforcement actions that pertain to privacy, data protection or a general lack of compliance controls?
- Does the vendor permit you to independently verify the privacy and security procedures that are used to protect your company’s data?
- Have you reviewed the S&P reports of the vendor? If it is a public company, have you reviewed its annual report and other financial filings?
- Does your vendor train employees to protect the data entrusted to them by your company?
- Is the vendor insured or does it have fidelity bonds to cover the possibility of a privacy or data security breach?
- Does the vendor have a live feed or online access to your company’s data as part of the contractual requirement? If yes, is there some proof that access controls, identity management and authentication are in place?
Practice Safe Outsourcing
by Dr. Larry Ponemon
Darwin Magazine, March 2004
Subject: Outsourcing / Offshoring Questions