Bishop says potential vendors are required to provide documentation to Amica showing they have a capable and mature information security program. These include security policies, network infrastructure diagrams, physical and logical access controls and, most importantly, findings reports from any independent information security audits or assessments.