Q: What physical security protocols should my third-party vendors have in place?
A: As part of a comprehensive vendor management oversight program, you should thoroughly evaluate whether your third-party vendors have sufficient physical security controls in place. Evaluate and identify the inherent risk of each of your vendors and develop a plan for managing the physical security risks associated with these third-party relationships. Vendors with access to nonpublic personal consumer information and/or proprietary information generally require higher physical security standards.
One item you should request and review is your vendor's Physical Security Policy. An effective Physical Security Policy ensures the safety and security of the vendor's locations, including off-site data centers, operations rooms, filing rooms, cash rooms, and any other areas that may contain confidential and/or proprietary information. In order to prevent intrusion and unauthorized access, a vendor's Physical Security Policy should, at a minimum, cover the following:
- Employee and visitor access levels and tracking, such as sign-in/sign-out sheets;
- Use of alarm systems and/or surveillance cameras with retention records;
- Security perimeters (card controlled entry gates, security guards, and/or manned reception desks);
- Locks, access cards and/or security codes; and
- Enhanced data center and/or server room security features.
From a regulatory standpoint, an effective vendor management program that assesses these items can help eliminate compliance, reputational, strategic, and operational risks.