Vendor Management on Janitorial Staff

Can anyone tell me what their Bank does for Vendor Management on their Janitorial Staff?

Treated similar to all other staff - with too much access to information as far as I'm concerned. Caught one unfolding a piece of paper that had been placed in the garbage!!! When confronted, she explained that she was checking to make sure it shouldn't have been in the shredder instead of file 13. She is still here.

Confidentiality / Nondisclosure agreements at the very least. We also complete a vendor risk assessment form (that we created to show due diligence) when we hire a new cleaning company.

We have an employee that works for the bank and has a cleaning business on the side. This employee's cleaning business cleans for the bank. Here are the issues:
There is no contract on file with the business
Each cleaner has after hours access to the bank buildings

A confidentiality agreement has only been signed by the owner of the cleaning business. Is this sufficient or should all cleaning staff sign one? If a contract were in place would that negate the need for individually signed confidentiality agreements?
Any feedback on this would be greatly appreciated.

I would think you'd want to have a contract with the cleaning company. If you have a contract, then the confidentiality agreement would be between you and the cleaning company, not between you and each staff member of the cleaning company.

"We have an employee that works for the bank and has a cleaning business on the side. This employee's cleaning business cleans for the bank."

Sounds like a huge conflict of interest to me.

What about contracting with an "outside" cleaning firm? Have them sign confis, do backgroud checks on their employees? What about insurance and bonding, as well as financial condition of the cleaning firm to assure that they can satisfy indemnity obligations for security breaches?

If your janitorial staff is a contracted service (whether to an employee, a private individual, or a cleaning service company), there should be a contract in place that includes privacy and non-disclosure clauses. It doesn't have to be too fancy, but the privacy/NDA should be there. You should not have NDAs with individual employees of a cleaning service company; that's the responsibility of the company, and your contract is with the company. Bonding and insurance issues are part of your vendor acceptance/review process for the cleaning service company, and should be considered in your risk analysis/due diligence.

Chris Fawcett, CISA
Manager, IT Services
Norman Backues & Associates, Inc.

Thank you everyone!