A Vendor’s Incident Response Plan is Only Half the Story!

When outsourcing services to a vendor that will handle sensitive or confidential data or provide a critical service, most of us request some combination of a Business Continuity Plan, a Disaster Recovery (DR) Plan, DR test results and an Incident Response Plan (IRP). That is only half the battle. The IRP is of particular interest and is certainly something you want to review, but all it tells you is that procedures exist on paper; it says nothing about how the vendor actually performed when an incident occurred.

When conducting due diligence on such a vendor, it is extremely important to review their INCIDENT MANAGEMENT HISTORY BEFORE YOU SIGN A CONTRACT. Ask whether they have had any material breaches; when each occurred; the nature and extent of the breach (what data or services were affected, and how many records or customers); the root cause that allowed it to happen; and whether that cause was remediated and the fix tested. You should also ask how much time elapsed between the breach occurring and the vendor identifying it, since that interval (often called dwell time) is a better indicator of the vendor's real detection capability than any written plan. Compare the answers against the IRP: if the documented procedures were not followed during a real incident, the plan is of little value.

Finally, a breach notification obligation, with a defined notification window, should be part of any contract you sign as well.