The governance, development, management and maintenance of Information Technology can in many organisations be a significant, challenging and costly exercise which whilst crucial to business success may not be considered as the core area of internal expertise.
Many organisations have embraced outsourcing and the benefits of cloud services to great effect to gain control, focus on core business activities, reduce costs and become more flexible and agile. Done well, IT outsourcing can deliver real tangible business benefits. The Guidance on Outsourcing (ISO 37500) https://www.iso.org/standard/56269.html is highly recommended in this regard.
Whilst outsourcing certainly has benefits it is essential that organisations retain in house knowledge and expertise in order to ensure the perceived benefits are being delivered and risks are being managed.
Consider a small organisation that entrusts its entire IT operations to a third party whilst not retaining or having access to any specialist knowledge in this area. Whilst the organisation may “trust” the provider, how can the organisation be sure, or have assurance, that the IT provider really is providing the most appropriate solutions? How can the organisation be sure that such providers are protecting data appropriately, operating in line with legal and regulatory requirements, have suitable continuity arrangements and are managing risk?
The first point to highlight is that whilst outsourcing of IT means workload may be transferred, it does not transfer risk or legal, regulatory or contractual obligations. For example, if an organisation that processes personal information outsources its IT, and the IT outsourcer suffers a data breach, the organisation commissioning the outsourcing is still accountable to its customers and legally liable. A main question to be asked in such cases is whether the organisation commissioning the outsourcing can demonstrate its “due diligence”.
How can an organisation demonstrate due diligence?
If your organisation outsources (or intends to outsource) IT, data processing, software development or any service where another party will have access to or handle your data or technology, there are many steps that can be taken. The following is a list of suggestions; none of them are exclusive, but they serve as a starting point. Deciding which of these (or which combination of these) is the correct approach depends on understanding your business, your requirements, your technology and the risks you face.
1) Confirm if the provider meets basic checks in relation to financial stability, credibility, reputation and legal status.
2) Confirm whether the provider holds any independent certifications relevant to information/cyber security such as Cyber Essentials, ISO/IEC 27001, CSA-STAR, ISO/IEC 27701 etc. Be sure to be familiar with these standards, their context and purpose when seeking answers to such questions.
3) Confirm whether the provider has been through an attestation audit (e.g. SOC 2) and whether they can provide the reports for your review.
4) Develop and implement clear Service Level Agreements (SLAs) which cover the relevant requirements. Ensure that such agreements have clear consequences tied to results.
5) Ensure the contract includes clear schedules on information/cyber security, data protection, privacy and business continuity. Such a schedule should consider:
- The minimum security, privacy and continuity controls required
- The need for the provider to provide necessary evidence of controls in this area (this may include the right to audit or be certified (points 1 and 2))
- The need for regular penetration testing where appropriate with suitable remediation
- The need for the provider to ensure that their staff are appropriately background checked and have the necessary competency
- Agreements on matters such as data retention and archiving
- Agreements on the disposal of data and system de-commissioning
- Agreements on overseas data transfers, ensuring these are legal, especially in the case of Personally Identifiable Information (PII)
6) Consider the continuity risks involved. What would happen if this provider was no longer in a position to serve your organisation? Could you easily move elsewhere? Would your technology still be supported? Would this impact your core business operations?
7) Consider the risks of subcontracting. If your supplier subcontracts the management of your IT or data processing, do the contractual requirements flow down? Do you have assurance that the subcontractors also manage risk?
8) Ensure you regularly review your supplier against the SLA and contracts and adequately manage changes.
9) Keep up to date on developments in technology and fundamental aspects of control in order to ensure your organisation can gain full value from its outsourcing and third party delivery.
Whilst the above suggestions are by no means an exhaustive list of focus areas, they should provide a good start.
For more information on how Parker Solutions Group can support your organisation in getting good value from outsourcing whilst managing the associated risks, contact firstname.lastname@example.org