Assessing Information Security in the Course of an LPO Vendor Site Visit
General Counsels need LPO vendors to select an applicable standard, implement it meticulously and subject their operations to periodic testing by an independent third party. Some uses of LPO will be less critical with regard to information security, but for organizations planning to use LPO vendors for complex work, or to outsource work that requires heightened security such as M&A document review or litigation, a single standard will be easiest to assess and monitor over time.
Certification is intended to remove the need for every General Counsel or other LPO client to send an information security specialist to assess the information security controls at each vendor. However, LPO clients cannot rely on third-party certifications alone.
When outsourcing legal work (and most other types of work) clients should also guard their information by meticulously reviewing a vendor’s written security policies and practices.
Clients should then make site visits to observe and interview vendor personnel, to verify their awareness of the policies, and to assess the overall information security culture. In this write-up we discuss the LPO vendor site visit, which should be conducted during due diligence and at least annually thereafter. Information security terms are also an essential part of an LPO vendor contract.
Assessing Information Security in the Course of an LPO Vendor Site Visit:
As part of an RFI or RFP process, ask potential vendors to identify any information security standard they follow, to provide a copy of their information security policies and procedures and any third-party information security certification, and to outline the information security training program for their employees. Using this information, plan the site visit by noting the items that can reasonably be confirmed on site.
During the site visit you will typically be shown the vendor's most polished and knowledgeable staff, so in addition to asking to speak with the particular individuals you would be working with, you should also observe and interact with other staff you pass during the facility tour. Your questions and observations should be structured so that you can assess internal operations and controls, technical controls, physical security and, perhaps most important but least easily discerned, the organization's cultural norms about client security and confidentiality.
To illustrate a few questions and observations that can help you assess a vendor's information security practices, we concentrate on the following criteria:
It is important to understand how a vendor controls physical entry to its premises. Another point of scrutiny is whether entry to areas designated for critical activities, such as server rooms, is separately controlled. In addition, when clients visit vendor premises for an audit, they should check whether the camera recordings on the premises are properly monitored, and inspect the security practices that the vendor's in-house staff actually follow.
There are many instances where, through operational negligence, client data is misplaced and leaks. To avoid this, it is important to audit the technical operations and security measures in place at the vendor's operations center to prevent misplaced information and the resulting leaks. For example, clients can ask the vendor about its email system, the channels used for internal official communication, and the protection of data on devices such as laptops, which can easily be taken off the premises.
Integrity is the most important quality to look for in employees. Law firms and legal counsel should ensure that the vendor they engage hires people only after conducting a thorough background check. Clients should also ensure that all employees at the vendor are briefed on the required security measures and that a privacy-sensitive culture is encouraged.
Information security is more than a set of policies and a certification; it is also an attitude and a culture. Your questions should be designed to assess not just the formal policies, but how they are executed day to day and whether they will be followed when you are no longer on site.
Do not overlook your vendor's partnering strategy. Understand how your vendor works with its own service providers. In most cases you should forbid the sharing of your information and subcontracting. It is one thing to trust the LPO vendor with whom you have a contract in place, but quite another to indirectly place your trust in additional parties. If for some reason a third party would have access to your information, you should require of that third party the same certification and due diligence you require of the vendor. Remember that while information security is a crucial part of an LPO provider's operation, it is only one aspect of assessing an LPO vendor.
The most prevalent information security standard among LPO vendors is ISO 27001 (www.iso.org). It was first published in October 2005. It is a specification for an Information Security Management System that revised and harmonized the British standard BS7799-2 with other standards. ISO 27002 is a code of practice for information security that describes potential controls and control mechanisms which can be implemented under the guidance provided in ISO 27001. The standard sets out a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system, and covers the protection not only of information stored electronically but also of information that may be transmitted or printed.
The ISO is a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. Members include the Bureau of Indian Standards (India) and the American National Standards Institute (U.S.). ISO itself does not carry out conformity assessments. LPO vendors may be certified compliant with ISO/IEC 27001 by certification bodies accredited by members such as the Bureau of Indian Standards and the American National Standards Institute.
Implementation and Testing:
Maintaining a process-based information security standard is an organization-wide effort. All LPO employees should have some understanding of information security standards and should have received training both at the time of hire and regularly thereafter. In addition, LPO vendors should have their implementation of the standard verified. Statements such as "We follow ISO 27001 guidelines" or "We are seeking ISO 27001 certification" offer little comfort when handing operations to a vendor halfway across the globe. For multi-site vendors, it is important that the entire company be certified.
If only one part of an organization is certified, but data passes through, or is handled by, a part of the vendor company that is not certified, the information may be at risk. Many aspects of vendor relations require trust, but whenever possible follow the motto "trust but verify" and confirm vendor claims with a third party. Certifications can help build trust more quickly because they demonstrate consistency in the processes that matter to clients. Any LPO vendor selection or RFP process should include criteria and questions about the vendor's security certifications and practices.
Snehi Kumari is Legal Process Manager at HiTechLPO.com, with comprehensive insight into and exposure to streamlining internal procedures, quality control methodologies and broad areas of project management, and the ability to handle administrative functions and sensitive projects effectively.
The author can be reached at: firstname.lastname@example.org