One of the most frequently asked questions is “what types of industry standards have been created.” PRISM International is not a standards-making body. As a result, no defacto standards can be attributed directly to PRISM International, and the term “industry standard” does not really apply in the legal sense of the word. However, a great many standards, rules, regulations, and client initiatives do impact the industry. Some of these are briefly outlined here.
Most countries have adopted fire and building codes of one kind or another. There are numerous fire and building codes promulgating organizations throughout the world (there are competing codes organizations within some countries like the United States) so the whole process of discovering which fire and building codes apply can be confusing. Operators are required to comply with all fire and building codes in force at the location where their facility is constructed. Other codes do not apply; however, for market differentiation reasons or in order to comply with the requirements of some vertical markets, some operators may choose to construct or protect a facility to a higher level than the local codes require. Members of PRISM International can reference a number of guidelines publications to review the general requirements of fire codes for commercial records centers and data protection facilities.
In addition, the National Fire Protection Association (NFPA) of the United States has created NFPA 232, the Standard for the Protection of Records. This standard may not be adopted as a part of the code but it does provide helpful references for both commercial records centers and data protection vault facilities. The standard can be purchased from NFPA atwww.nfpa.org.
Countries vary widely when it comes to the requirements for storing government records information. Some, such as Canada and Denmark, are very progressive with outsourcing to the private sector in order to save money, improve efficiency, etc. Other countries may not permit any outsourcing at all. Most countries fall somewhere in between. In the United States, outsourcing of federal records to private sector storage facilities is permitted, provided the facility meets the requirements established by the National Archives and Records Administration. These standards can be found at 36 CFR 1228(k) and related appendices.
The passage of Sarbanes Oxley in the United States (revising corporate governance principles in public companies) impacted the type of recordkeeping requirements for public companies and impacted private sector storage companies as well. In order to provide data protection services for public companies, information system verification may be required–a SAS 70 Audit is the recommended verification method.
Health information must be carefully handled. Changes in HIPAA made in 2009 extend criminal and civil penalties to business associates and require more extensive policies and procedures than was previously the case. PRISM International members may make use of a standard business associate agreement, which incorporates the language recommended by the United States Health and Human Services.
Financial service companies also require contractual safeguards that information will be securely maintained, kept confidential, and in the case of any accidental breach that the client will be notified immediately. PRISM International offers its members a special addendum for this as well.
Credit card processors are now required to comply with the Payment Card Industry Data Security Standard (PCI DSS). As a part of their overall information system, data protection facilities may hold truncated or encrypted data from a merchant processor.