Why Certifications Matter in Enterprise Information Management
During the last several decades, there’s been an absolute explosion of information, collected across a variety of different devices, applications and systems while being housed in various forms and formats—both physical and electronic. The rising volume and variety of business information is creating a demand for new information-management practices that keep pace with cybersecurity threats and compliance challenges, which creates a heightened need for document and data security.
Because enterprise information management (EIM) vendors are engaged to ultimately handle these volumes of information—whether physical or electronic, and whether the work involves inbound capture, management, or secure storage—organizations should have a high level of confidence in their partners’ technologies, processes and protocols. That’s why security and industry certifications matter in enterprise information management.
Anyone involved in making EIM vendor decisions (i.e. CTOs, CSOs, CCOs, CEOs, etc.) should be very aware of these certifications. Surprisingly, in today’s heightened security environment, many are not.
Dependable quality, security, and risk management are paramount, as EIMs are ultimately responsible for all of their clients’ information. Having a consistent, reliable and secure process is something that every organization—regardless of size and industry—should expect.
Certifications You Should Expect
Certifications are not easy to obtain. An enormous amount of effort, knowledge and expense is involved in order to achieve and maintain the certifications that matter in enterprise information management. Organizations should expect their EIM solution providers to maintain these certifications, at a minimum:
ISO 9001 is an internationally recognized standard that is all about quality. It specifies requirements for a quality-management system and demonstrates the ability to consistently provide products and services that meet customer and regulatory requirements. Achieving ISO certification means that an EIM’s quality-management system, customer service and documentation procedures met or exceeded all requirements according to the British Standards Institution (BSI), an ISO-accredited notified body responsible for assessing compliance and issuing the certification. The certification process examines areas such as policies, procedures, quality-issue response and continual process improvement.
PCI DSS compliance certification is recognized as the global security standard in the payment-card industry and one of the most stringent and comprehensive payment-security certification standards in the world. This certification demonstrates that an organization has the necessary controls in place to securely manage and store card-holder data. To obtain PCI DSS, a company must undergo a comprehensive and rigorous review from an independent assessment organization authorized by the PCI Security Standards Council.
HIPAA is the standard for protecting personal health information (PHI). It demonstrates to any company within the healthcare industry that there are controls in place to maintain the confidentiality, privacy, integrity and availability of PHI. A HIPAA security assessment involves a comprehensive review of policies and procedures; network and data flow diagrams; physical and environmental security; disaster-recovery backup processes; vulnerability management; penetration testing; system-hardening standards; and other pertinent areas. Conducted through a third-party firm, the certification process also assesses patch management; access control; data storage, logging and auditing; security monitoring; and incident response.
A SOC 2 certification is issued by outside auditors who assess the extent to which an EIM provider complies with one or more of five principles, based on the systems and processes in place at the company. A SOC 2 report is the best way to gain information and assurance about a company’s controls and processes that affect the security, availability and processing integrity of the systems used to process documents and data, as well as the confidentiality and privacy of the information processed by those systems. The five principles include security (protection of system resources against unauthorized access); availability (accessibility of systems, products, or services as stipulated by contract or service-level agreement); and processing integrity (offering complete, valid, accurate, timely, and authorized data processing). Two additional trust principles encompass preservation of data confidentiality (via encryption, network and application firewalls, and rigorous access controls) and privacy (the collection, use, retention, disclosure, and disposal of customers’ personal information in conformity with individual organizations’ privacy notices, as well as with criteria outlined in the AICPA’s generally accepted privacy principles).
Top-Three Questions to Ask
Industry and security certifications provide additional assurance to companies that they can confidently depend on EIM providers to be good stewards of the information and data with which they’re entrusted. When evaluating new EIM partners, vendor-management executives should ask the following questions:
- What certifications do you have?
- When was the last certification date for each? (For example, the certifications mentioned above are all annual, so the last assessment should have been performed within the last year.)
- Can you provide verification for each certification?
Organizations should prioritize making sure EIM providers’ security credentials and industry certifications are in compliance with the strictest data-security standards and meet other top industry standards—as well as demonstrate an ongoing commitment to safeguard both the privacy and integrity of their business data and reputations.
Do you know what your EIM partner’s certifications are?