Security is one of our Core Values
Companies entrust Iron Mountain to properly manage and secure their business records. It is vital, not only to our organization, but to those businesses that hand over their private records to us, that we maintain the highest level of ethical and security standards, derived from industry best practices. All Mountaineers are dedicated to this mission and Iron Mountain has a solid, 60-year track record for protecting information.
We operate approximately 1,000 facilities/offices in 35 countries, in which we protect approximately 500 million cartons/containers and more than 4 petabytes of data. With Security as a core value, we are committed to protecting our customers’ information through:
Chain of Custody
Iron Mountain maintains best-in-class policies and standards on chain of custody and materials handling protocols. To achieve and maintain these standards, we invest in proprietary training programs for all employees regarding data protection and privacy. Iron Mountain maintains internal measurement systems to capture incidents involving customer information, and every incident is reported to the Incident Command Team, which ensures the situation is handled appropriately and that similar issues do not reoccur.
At Iron Mountain, every employee is responsible for security and for doing his or her part to preserve and protect fellow employees, customer assets, and our business in general. All employees complete Security Awareness Training annually. Iron Mountain's hiring procedures include drug screening, identity verification, criminal conviction searches, law enforcement watch list reviews, employment verifications, and (where applicable) education verifications and motor vehicle record reviews.
Our Service Providers
Iron Mountain maintains a third-party service provider qualification process that is designed to meet or exceed applicable privacy and data protection compliance requirements. In general, vendors and/or subcontractors that handle or have access to Iron Mountain employee or customer data must take the following steps before qualifying to form a business relationship with Iron Mountain:
- Complete a Vendor Privacy Assessment that is reviewed and approved by Iron Mountain’s Global Security team
- Execute a Vendor Privacy Agreement which states that data will be protected in accordance with Iron Mountain’s privacy and security standards
- Undergo a full privacy and information security review by Iron Mountain, if indicated by the nature of the specific services being offered
Once the above steps have taken place, Iron Mountain will determine if remediation measures are indicated. Only after remediation is complete can a service provider qualify to work with Iron Mountain.
Iron Mountain maintains the highest standards for facility construction and maintenance in the records management industry. Iron Mountain's facilities (records centers, data vaults, and shred plants) are designed and constructed in accordance with all applicable laws, rules, and regulations. Acquired facilities that don't meet or exceed applicable code requirements are promptly upgraded or vacated as necessary. Additionally, Iron Mountain is actively involved in establishing standards for facility protection and life safety with PRISM International (Professional Records & Information Services Management) and the National Fire Protection Association.
Iron Mountain is sensitive to the security risks associated with transporting customer information. Standard operating procedures (including error reduction procedures, process integrity, and transit and dock security) are created by our delivery teams in order to support the need for consistent and secure information transport. The transportation of customer materials is performed by trained staff in assigned vehicles (unless alternate methods such as air cargo are agreed to by the customer). Iron Mountain’s InControl® ensures the protection of information while it is in transit. This program features:
- Real-time wireless scanning technology to validate pickup and delivery transactions
- Patented security
- Real-time tracking
- Auditable chain of custody
Iron Mountain adheres to all legal compliance requirements and industry-standard best practices in the management of information technology – whether the systems are internal or customer facing. These systems are regularly tested and updated to assure peak performance for daily operations, disaster recovery preparedness, business continuity, and information security. Iron Mountain has Certified Disaster Recovery Professionals (CDRP) on staff who are experts in business continuity, risk evaluation, business impact analysis, and building awareness programs.
Iron Mountain maintains rigorous vulnerability management practices in both our internal corporate environment and our Application Service Provider (ASP) environment. This practice involves continuous internal testing and annual external testing.