With IT organizations looking everywhere to cut costs, one area that gets a lot of attention is outsourcing. But just as there are security concerns with internal IT, so too are there security issues with external IT service providers. Here are 10 tough questions that IT organizations should be asking about their IT service providers.
Additionally, what compliance and security protections are enforced for those locations? Does the data go to any other entity outside of the vendor? Does it ever leave the country?
It is the customer's responsibility to dig deeper and demand the same level of intelligence about the security of their new virtual data as if they were doing it themselves.
If shared, how does the vendor maintain compliance between its customers? How does the vendor maintain isolation and privacy of my data?
The customer should demand an understanding of the security controls in place protecting their “home away from home” data center and include tightly prescriptive controls around isolation and protection.
IDS/IPS has been a compliance requirement of PCI-DSS for some time now. Most vendors should be able to check the box for perimeter IDS/IPS technology.
While the vendor will be primarily concerned with demonstrating cost reduction, the client needs to incorporate and enforce security controls on those endpoints. Technologies like full-disk encryption, media encryption, device firewalls and anti-malware should no longer be optional.
Most providers will have SLAs defined, but one must check references and make the vendor prove that it delivers on its SLAs. It also should not price gouge if your change requests exceed your monthly quota.
One must have frequent updates to security policies and protections in order to stay ahead of threats, which is why security is a manageability challenge.
What is its incident response plan/process?
No security vendor assumes the risk of a full security breach. They do, however, provide SLAs and other services to mitigate risk. Any outsourcing negotiation should include protocol and definition of who assumes risk in these situations.
Security response and business process are as important as the ability to effectively manage security policies.
An outsourcing vendor should demonstrate that it is plugged into the broader community and has multiple data feeds for new threats, viruses and other malicious code.
Vendors naturally try to lock clients into long-term, five-year-plus engagements. Until that vendor has demonstrated that it treats your data security and protecting your business as mission critical, long-term contracts are higher risk.