There are clear benefits and potential pitfalls to outsourcing a company’s technology function to a third-party managed service provider (MSP, or vendor). Outsourcing can be cost-effective and allow for greater flexibility as well as access to pools of specialized technology resources. Along with these advantages, however, come certain risks. As a business evolves and its organizational reach progresses from national to international, technology risk management, mitigation and approaches need to follow suit.
Effectively managing the risks related to using an outsourced MSP requires due diligence, including regular reviews of general procedures as well as of practices specific to the contracted technology services.
A vendor survey, often in the form of a checklist, is a standard first step in the due diligence review process.
Risks that can be identified through vendor surveys include:
Insufficient Risk Management
Insurance needs: A vendor does not have adequate cyber liability insurance. In the event of a breach, the organization will not be able to adequately recoup losses from the theft of its data.
Evolving regulations: The MSP does not have a strategy in place to address new regulations that will impact the MSP in jurisdictions in which it operates.
Ongoing compliance: The MSP does not periodically demonstrate ongoing compliance with regulations and industry security standards through regular audits.
Incomplete risk strategy: The MSP’s risk management plan does not contain strategies to remediate risks to the organization’s data.
Transitive obligations: The MSP does not hold its subcontractors to the same compliance requirements the organization requires of the vendor, resulting in inadequate security safeguards and a lack of training around processes that have been outsourced to the subcontractor.
Technology evolution: The contract with the MSP does not allow for modifications if new technology is introduced.
Insufficient Support and Reporting
Breach response and notification: Notification of a data breach from the MSP to the organization is delayed because the service level agreement or contract does not specify notification requirements, which in turn delays the organization’s response to and assessment of the breach.
KPI value: The MSP’s key performance indicators do not provide enough detail to allow the MSP to continue to improve on its current service offerings.
Incomplete coverage: The support hours provided by the MSP are not adequate to support the organization and its hours of operation.
Control Environment Weakness
Strength of controls: The MSP’s security controls are not adequate or appropriately enforced to protect the organization’s data from internal and external threats.
Physical vulnerability: The vendor’s physical locations are not adequately secured, resulting in unauthorized access or hardware damage that renders the services the organization is paying for unusable.
Improper change management processes: Modifications to the MSP’s resources used by the organization are not properly tested, causing software integrity, incompatibility and unavailability issues.
Insufficient data backup: The MSP does not perform the backup and data restoration procedures the organization requires, so organization data is not recoverable.
If survey responses align with the organization’s needs, risks identified through the survey can be addressed throughout the contracting process, ensuring that appropriate controls, KPIs and SLAs are established and enforceable.
Use this checklist to gauge the processes your prospective service provider has in place and gain a better understanding of whether your service provider’s processes align with your organization’s needs and expectations.