Taking a page from how we assess third party IT vendors... I think you should put together a list of "control standards" that you feel are critical for a reputable vendor to have. You can probably pull some baselines from ARMA publications and some stuff from PRISM and possibly NAID. I'd need to think about it for a while, but when I think back to some of the horror shows that I have seen, the obvious things deal with perimeter security, fire suppression, transportation, and employees. You can probably have as many as 40 questions. Send out the questionnaire, build a scoring matrix, and add in some questions around professionalism (Are they PRISM, ARMA or NAID  members? If applicable, have they heard of PCI standards? Have they ever had a SSAE 16 -- replacement for SAS70 -- performed? If they offer online access to your inventory, do they have penetration tests performed?). I'm sure if I sat here for a couple hours, I could come up with something.

Expect that some vendors will tell you to pound sand. Some will have no idea of what you're asking. 

The areas that I would make sure that I cover (and I suspect that others will chime in) are:

Perimeter security alarms
Fire, smoke, and heat rise alarms
Fire sprinklers and water flow alarms
Vehicle alarms, GPS tracking, vehicle door unsecured alarms
Use of third party delivery services
Nature of box tracking system (computerized or manual)
If computerized, bar codes or RFID?
Nature of metadata fields
How is box destruction handled? (process description)
Employee background checks? (what is checked)
Employee drug testing? (what is checked)
Employee bonding? (Not required, but usually an indicator if the company is serious)
How is access gained to the facility? (keycards, keys, etc.)
Is the facility occupied 24x7? If not, what hours?
Is the facility shared with other businesses? If so, which ones?
Are items other than records stored in the facility? If so, what? (This should be where you catch the moving and storage facilities)
What types of facilities share adjacent properties, including, but not limited to, common walls?
Do you support online / internet access to request retrieval of records?
Describe the architecture of this access?
Has the online / internet access been penetration tested? If so, by whom and when? Provide a copy of the summary of the report.
Do you have a SSAE16 report? Provide a copy.

Seismic certification (as applicable)
Date of last building or fire inspection
FEMA Flood Zone Designation

Patrick Cunningham, CRM, CIP, FAI
[log in to unmask]

"Perpetual optimism is a force multiplier." 
-- Colin Powell

 From: Nolene Sherman <[log in to unmask]>
To: [log in to unmask] 
Sent: Saturday, February 4, 2012 9:52 PM
Subject: [RM] Offsite Records Storage
Our newly minted records management policy requires that inactive records are stored with dedicated records management vendors. The intent behind this was to prohibit the use of public storage units, basements, Joe-who-has-extra-office-space-down-the-street, and other non-secure storage locations.

In the past, the decision of where to store inactive records was left up to the local business units. As a result, the company has no comprehensive list of where all of our records are stored. One of the first things I'm doing as I implement our program is having my Liaisons identify all locations where inactive records are stored. Although not all of our 800 offices use offsite storage, you can still imagine how large this list is becoming. The local office often chose the cheapest option available so we have loads of non-secure locations, but we also have a good number of vendors that appear to be legitimate records storage companies. Obviously, we will require business units to move non-secure locations to our preferred vendor. It is not an exclusive or required vendor at this time, though that may change if we can get good enough rates and service guarantees. Until that decision is made, I am fine with the local offices leaving their records with a
 vendor that provides a!
n acceptable level of protection.

I thought I would be able to tell if the vendor was good enough by looking at their website. So far all the one's I've looked at (admittedly not that many yet) appear to be "real" records management vendors. However, it could be that they just know what to say on their website. There is no way I can go visit each of the potential vendors and my local records coordinators would need an education in the subtleties of records warehouses.

My question is this: What would you suggest is the easiest way to vet these vendors? Should I create a simple audit/checklist that either the vendor can answer or our coordinator can use during a site visit, or use Prism's "Demand the Best"  or 10-question pocket guides, or just say, for example, that the vendor must be compliant with SAS 70 or a Prism member (or whatever)?

Nolene Sherman
[log in to unmask]

Records Manager since 1996. Gone wonky since 1998.

List archives at
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

List archives at
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]