Monday, February 9, 2015

Outsourcing IT Security

1. Should an organization outsource IT security?


If an organization is large enough to set up its own IT security system, it should. Smaller organizations, however, may not be able to afford the costs of an in-house IT security system, and for them outsourcing may be the better choice. An organization must weigh the costs and benefits of the two options to find out which suits it best, considering the amount and quality of security it needs, the cost of IT hardware, software, and networks, and manpower and utility costs. It should also consider how long it will take to fully set up the related processes and procedures, and whether the company can afford to work with such a timeline.


2. What are the issues involved when you turn over security to an outside organization?


When outsourcing security, it may be a challenge for owners and managers to relinquish or share control of certain systems. This is why in outsourcing, it is important to shop around, do your research, and find a company that you can trust, and with whom you can communicate your ideas and concerns freely and openly.

Another issue is finding a security company that can deliver services that match specific business needs. Different businesses have different security requirements, so it is advisable to look for a security company that offers customizable services, where organizations can choose the type and amount of security they pay for.

The flow of work may also be a challenge in this arrangement. Processes and procedures for risk management and contingency plans need to be aligned between the organization and the security company, so that there is a clear understanding of what happens when security concerns, alerts, or breaches arise.


3. In case there is a need to outsource, what stipulations would you include in a service level agreement with an IT security outsourcer to ensure that it did not exploit the openness of your systems and steal strategic and sensitive information?


A clause preventing conflict of interest should be included, so that the IT security company cannot do business with direct competitors. The SLA should indicate required reports and the frequency of such reports, and include process flows of what to do during security alerts and breaches. The contract should also cover auditing standards and procedures, and state that the organization may conduct such audits itself, or hire a third party auditor to evaluate the IT security firm’s work.

The IT security company should mirror the organization's data security confidentiality requirements and provisions, and so should any third party company or subcontractor. The IT security company should divulge to the organization all of its locations that will do the work for the organization, so country and state IT and cyber laws can be duly examined. The organization should also be allowed to examine any subcontractor’s processes and be allowed to reject a subcontractor if its practices are not deemed acceptable. When agreeing on a subcontractor, clear parameters should be set as to their involvement.

All personnel whose work is related to the organization’s security are to sign non-disclosure and confidentiality agreements, and the organization should be allowed to conduct background investigation checks on any employee assigned to the account. There should also be stipulations on penalties and fines in case the service level agreement’s targets and related performance metrics are not met, or agreed process flows are not followed by the IT security company.
