Checklists for evaluating electronic records storage protection.

BUSINESS MATTERS

An organization that has decided to outsource its electronic records storage must do its due diligence in selecting a service provider (xSP) to ensure that its information will be managed appropriately throughout its life cycle. A critical aspect of this is investigating how each potential xSP will protect the information it would be hosting.

The three following checklists from the technical report Understanding Electronic Storage Technologies (ARMA International TR 26-2014) will be invaluable tools for evaluating xSPs--and most of the checklist items would also be relevant for organizations wanting to evaluate how well they are protecting the records they store in house.

Readers should note that not all items in these checklists may be applicable to their organizations; careful consideration of their unique needs, requirements, and resources (i.e., timelines, personnel, and budgets) is essential.

Checklist for Evaluating the xSP

Financial Stability

What is the ownership structure of the xSP (e.g., family-owned, sole proprietorship, partnership, or corporation)?

How many years has the xSP been in business?

How many years has the xSP been providing electronic records storage services?

If the xSP encounters financial difficulties, what legal agreements control the operation of the facility?

* Does bankruptcy trigger evacuation of all stored electronic records?

* Would a third party be enlisted to operate the facility?

xSPs' Providers

What electronic records storage services does the xSP subcontract?

Who are the subcontractors and where are they located?

Does the xSP own or lease the business's facilities such as the physical structure or real estate?

Could the real estate owner's bankruptcy or lienholders create a disruption in the conduct of business?

Are protection agreements in place should a utility company (e.g., communications services provider) fail to deliver on a contractual agreement?

If an energy crisis occurs that disrupts power or fuel availability, is a contingency plan in place that provides an alternative energy supply?

Checklist for Evaluating Electronic Records Security

Access Controls

How does the xSP prevent commingling of electronic records from various contracting organizations?

* What procedures are used to ensure xSP employees cannot release electronic records to the wrong contracting organization?

Are processes in place to secure electronic records from corruption, theft/intrusion, unauthorized access, and/or viruses?

What encryption methods are available and how are encryption keys stored?

What access controls are available?

What procedures exist for detecting security breaches?

What notification processes are in place (to alert the xSP and contracting organization) of potential security breaches (e.g., unusual usage patterns or unapproved configuration changes)?

What services are provided from entities located outside the United States?

What subcontractors or third parties have access to the contracting organization's electronic records?

* Is access encrypted and is it granted over the public network, a virtual private network (VPN), or via physical tape transfer?

Are all electronic records transmissions between the xSP and contracting organization performed in a secure (e.g., encrypted) manner?

* If a VPN is used, what entity is responsible for its maintenance?

Does the xSP have a robust firewall to prevent unauthorized external access?

How are audit trails tracking security-related activities managed?

System Issues

What are the critical points of system failure and how is redundancy ensured?

How is equipment that is slated for decommissioning and was previously used to transmit/store electronic records dispositioned?

Breach Response

If a security breach occurs (or is thwarted) while a backup is in process, what procedures are in place to avoid compromising backup operations?

In sophisticated attacks, secure lines can be diverted and backup mimicked. How would this situation be handled?

In the event of sabotage, can a remote command purge electronic records stored at the facility?

Checklist for Evaluating Facility and Personnel--Safety and Security

Environmental Issues

Has an "Unacceptable Threat Matrix Identification" been performed?

Has the site been evaluated as outside of the 100-year flood plain?

* Are there issues that could change the flood risk at the site?

Is there proximity to nuclear power plants, chemical plants, pipelines, refineries, or other facilities that could create the need for a facility evacuation?

* Are underground storage tanks adjacent to the site?

* Could tanks create a contamination that would necessitate evacuation?

* Has a Phase III Environmental Hazard Risk Assessment been done?

Is the site in an area prone to civil unrest or high crime? (Lack of a secure neighborhood can affect the xSP's ability to retain a highly skilled staff and maintain effective operations; criminal activity in the area can diminish employee morale and increase the xSP's insurance costs.)

Who are the adjacent tenants and landowners?

* Are there adjacent tenants that limit control and integrity of the site's ingress/egress?

* Is the site in an airport glide path where a crash or radar...
