Iron Mountain (UK) PLC

Policy Center Solution

Policy Center is a subscription-based software created to help you stay up to date on ever-changing legal retention requirements. It helps organise and manage records for compliance from creation through secure disposition. Policy Center shows your compliance obligations based on your industry and location, and provides a legally-defensible retention schedule.

Features

• Global Research Service for alignment to legal and regulatory updates
• Single Sign On (SSO) to provide easy and seamless access
• M365 Purview Retention Engine to manage information retention and disposition
• Open APIs to connect with other content management systems

Benefits

• Accurately manage your compliance obligations based on your industry/location
• Create a legally-defensible retention schedule aligned to your risk appetite
• Improve efficiency, improve ESG and mitigate your information risks
• Access to experienced IG professionals for advice and support
• Tools and services to support integrated information and data management

£19,000 an instance

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BidManagementWE@ironmountain.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

349105624058074

Contact

Dee-Ann Guy
08445 60 70 80
BidManagementWE@ironmountain.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Iron Mountain InSight
• Cloud deployment model: Private cloud
• Service constraints: No
• System requirements: N/a

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 48 hours, excluding weekends
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Options include:; ; - Fully managed service to support clients with ongoing retention management, attended monitoring of schedules, and IG advice; ; - Attended monitoring only, to monitor and maintain retention schedules; ; - Provide a one-off retention schedule without ongoing maintenance or access to PCS; ; - Service level required is discussed on a case-by-case basis and will impact costs.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Development and validation of classification scheme, retention rules, and retention schedules throughout the engagement, tailored training sessions to meet user needs, and knowledge center articles to support PCS users.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Retention schedule reports can be run at any time.
• End-of-contract process: Access to the PCS system is removed, no client data is stored in the system.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Use of Infotechtion to connect to M365 Purview Retention Engine and open APIs to connect a variety of other content management systems to manage retention and disposition of your information.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: PCS instances are tailored to client needs providing full customisation of retention rules within the retention schedule, adjustable service levels, and Information Governance team support as required.

Scaling

• Independence of resources: Policy Center is web-based product, designed to fully support the number of global users. The nature of the product means that there are limited users and we have the capacity built in to ensure that all registered users and more could access Policy Center concurrently.

Analytics

• Service usage metrics: Yes
• Metrics types: Audit trail reporting
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: Never
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Retention schedule reports can be run at any time.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: N/a - the system does not hold client data

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Policy Center is software that contains legal and regulatory requirements only. There is no client data stored within the system and therefore there is no requirement to protect client data, however there is single sign on and secure log in.
• Data protection within supplier network: Other
• Other protection within supplier network: Policy Center is software that contains legal and regulatory requirements only. There is no client data stored within the system and therefore there is no requirement to protect client data, however there is single sign on and secure log in.

Availability and resilience

• Guaranteed availability: Response within 48 hours
• Approach to resilience: Policy Center is software that contains legal and regulatory requirements only. There is no client data stored within the system and therefore there is no requirement to protect client data, however there is single sign on and secure log in.
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: SAML 2.0 with integration to customer's identity provider
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Coalfire Inc
• ISO/IEC 27001 accreditation date: 22/11/2023
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • US FedRAMP - NIST 800-53
  • SOC2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: SOC2 Type 2; US Gov FedRAMP

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes are tracked in a central change management system with an approval process run by our change review board. Changes are reviewed for completeness and evaluated for risk as well as rollback, testing and user impact / communication.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Patching and Vulnerability management, anti-malware, endpoint disk encryption and intrusion prevention are managed via our IT asset and endpoint management solutions. ; ; Workstations and servers are mitigated in a scheduled maintenance window following change management procedures with proper customer and end-user notification. ; ; For cloud-based systems, automated agents continuously scan the environment finding any security vulnerabilities such as out-dated OS versions, app servers or misconfigured security policies. ; ; Alerts are sent to our 24x7 Virtual Security Operations (vSOC) team. ; ; Systems are patched following remediation times of: Critical (same week or sooner), High (within 2 weeks), Medium (within 90 days), Low (within 120 days).
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Policy Center is software that contains legal and regulatory requirements only. There is no client data stored within the system and therefore there is no requirement to protect client data, however there is single sign on and secure log in.
• Incident management type: Supplier-defined controls
• Incident management approach: Policy Center is software that contains legal and regulatory requirements only. There is no client data stored within the system and therefore there is no requirement to protect client data, however there is single sign on and secure log in.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Iron Mountain actively seeks opportunities to improve our environmental performance, and reduce our carbon footprint and support our customers with their environmental objectives. We are currently on track to achieve Net Zero emissions by 2040, 10 years ahead of the Paris Climate Accord. We will go beyond our current Science-Based Target (25% reduction of absolute GHG emissions from 2016 baseline) and by 2025 will achieve a reduction of 25% of GHG emissions from Scope 1 & 2 energy sources from the 2019 baseline. ; Some of the steps and results we have achieved against Carbon Net Zero targets to date include:- UK operations were among our first to be certified to ISO 14001 for environmental management over 12 years ago. (Environmental Management Standard) and recertified all Data Centre facilities under ISO 50001 (Energy Management). ; As part of our EV100 commitment, we will transition 10% of our total fleet (100% of our cars and 50% of our vans) to electric by 2025 and expect to exceed 2,000 vehicles by 2030. Currently, in the UK, 98% of our energy use at all sites is green power purchased. We are working to reduce the final 2%. We have upgraded over 56,000 lights to LED across 32 sites in just the past five years in the UK. We have completed 9 on-site solar systems in the UK for a total 1.65 MW of generation capacity. In 2021, we implemented an irrigation control program at 41 of our facilities that will save an estimated 17.7 million gallons of water per year. We will work with G-Cloud customers to develop specific and measurable additional social value commitments aligned to their priorities.

  Covid-19 recovery

  Iron Mountain recognises that Covid-19 has had a significant impact on many communities and businesses within the UK. We introduced a variety of measures to support our customers with flexible ways of working implemented at pace to support the changes in business activity that the pandemic has caused. We built a strong foundation to respond to the pandemic in 2020 when we established our Crisis Management Core Team and implemented COVID-19 protocols in line with the Centers for Disease Control (CDC) and the World Health Organization (WHO). Our initial efforts combined monitoring key metrics, adjusting workplace practices, providing personal protective equipment to ensure optimal working conditions for on-site employees, and supporting our employee’s physical and mental health. ; To support our customers in their critical work, we have developed new ways of delivering services, many of which have become standard practices. One example includes replacing physical file retrievals with our digital platform (InsightⓇ Content Services Platform) and service enabling remote working across critical records. This was delivered in a fast tracked implementation of 14 days. For some customers this has now become the default method for all retrieval activity post pandemic, supporting service levels, delivering on commercial and environmental objectives.; We will work with G-Cloud customers to develop specific and measurable additional social value commitments aligned to their priorities.

  Tackling economic inequality

  Iron Mountain cultivates a culture of inclusion that values diverse perspectives across our global workforce. Our Inclusion & Diversity strategy includes four areas of focus that each have several activities and approach including, build a more inclusive culture; increase workforce diversity at all levels; establish a global mindset and; Embed accountability. We have demonstrable experience of tackling workforce inequality. As part of our annual CSR measurements we actively measure a variety of diversity goals, including gender within leadership positions. We received a 90 percent score on the Disability Equality Index® (DEI) and are a DEI Best Place to Work for Disability Inclusion. In addition, in 2022 for the fifth year in a row, we scored 100% on Human Rights Campaign’s Corporate Equality Index for LGBTQ Workplace Equality. We also focus our efforts on supporting staff training to increase staff progression. In 2021, we expanded our Global Management Development Program (MDP), a comprehensive learning framework developed in 2020 in partnership with LinkedIn Learning, an online educational platform. After an initial pilot group, in 2021 the MDP included 131 managers from around the world. We have seen MDP alumni grow in their roles as managers with more than 20% receiving a promotion or role expansion in 2021. We will work with G-Cloud customers to develop specific and measurable additional social value commitments aligned to their priorities.

  Equal opportunity

  Iron Mountain has a long and demonstrable experience of supporting employment and development opportunities in the communities in which we operate. This is one of our key principles and objectives and one that we also flow down contractually, develop and manage via our subcontractors. One of our key factors in selecting subcontractors is their track record and proven ability in creating and developing employment and skills training. Iron Mountain is committed to building an inclusive working environment and monitoring diversity within our workforce. One example includes measurements around gender pay parity. 2023 will see the launch of a new multi-faceted Women in Leadership initiative for our female Director+ population. Our goals are: ● We will relentlessly strive to be a world-class employer in every region in which we operate ● By 2025 we will tighten our threshold for gender pay parity from +/-10% to achieve +/- 5% across all organisational levels in all countries where we are reporting (US, Canada, UK) ● By 2025, women will represent 40% of global leadership.We will work with G-Cloud customers to develop specific and measurable additional social value commitments aligned to their priorities.; ; As part of our annual CSR measurements we actively measure a variety of diversity goals, including gender within leadership positions. We received a 90 percent score on the Disability Equality Index® (DEI) and are a DEI Best Place to Work for Disability Inclusion. In addition, we are a member of the Disability Confident Scheme.

  Wellbeing

  Iron Mountain strives to create a workplace where employees’ authentic selves are welcomed and valued. In 2021, we established a dedicated company-wide Culture and Engagement (C&E) team to foster a culture of recognition, continuous learning, wellbeing, innovation and belonging. ; All staff working with with G-Cloud customers will be able to access the following initiatives: ; Employee Assistance Program (EAP) offers staff support with any work or personal issues. These include short-term professional counselling and connection to local resources to help with emotional, practical, and physical needs. The EAP service is free, confidential, and available in a variety of languages - 24 hours a day, 7 days a week. ; - Mental Health and Wellbeing Coaching sessions with external experts ; - Employee health monitoring through the partner/employee health service provider; - The Virgin Pulse app, launched in pandemic (health and wellbeing tips in a mobile app where all mountaineers have access to) ; - The best medical subscription packs ; - Partial gym membership paid by Iron Mountain; - Recreational activities designed to form bonds within our community ; - Wellbeing trainings - Training on the occasion of Mental Health day; ; - Team building activities; - 2 volunteer days offered by the company for community involvement;; - Ethic Line: Ask questions or make reports regarding our Code of Ethics and Business Conduct ; - Richard Reese Employee Relief Fund - Financial support for staff when they need it most. The fund was created after many employees were affected by Hurricane Katrina.It provides temporary financial assistance to our colleagues and their families impacted by a catastrophic event. ; - PsychHub - All our staff have access to PsychHub, the world’s largest mental health education platform which aims to create awareness of and increase literacy around mental health issues through videos, podcasts, shareable content and more.

Pricing

• Price: £19,000 an instance
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BidManagementWE@ironmountain.com. Tell them what format you need. It will help if you say what assistive technology you use.