According to a 2014 Grant Thornton report, 40% of global businesses currently outsource or plan to outsource business processes, including tax, IT, HR and payroll.
One of the big trends in IT is that IT organizations will continue to move IT services such as managed services, managed hosting, software-as-a-service (SaaS), and cloud solutions to third-party vendors. There are many drivers that support the outsourcing trend. Reducing cost and improving efficiencies are obviously placed at the top of the list. Many believe that outsourcing can provide better access to expertise while ensuring business continuity.
However, there are many areas that need to be examined and taken into consideration to ensure that the outsourced solution is suitable for the organization from a data protection perspective.
Who
There are different outsourcing service offerings with a combination of hardware, software, network, and storage device solutions. Understanding the ownership of physical and logical assets is important. This Off-Premises Third-party Food Chain table illustrates ownership of some of the services.
More importantly, another question needs to be answered. Who owns the responsibility for the data and data processing? The answer is that the responsibility remains with the business that purchases the outside services. For example, a public company uses a managed hosting solution for its financial accounting application. If the hosting firm experiences a catastrophic event in the data center and is not able to recover all the customer’s financial data to produce financial reports, the CEO and CFO of the customer company are ultimately responsible. A business can delegate tasks; a business cannot abrogate responsibility.
What
What data is managed by a third-party vendor? What requirements are needed for use and protection of the data? Many characteristics of data can be analyzed and assessed, such as class, type, scope, sensitivity, criticality, timeliness, and legal requirements. Businesses can group data into sets that have similar characteristics to determine the need for preservation, discovery, and retention purposes. Businesses need to evaluate the third-party vendors to determine if they have the ability to satisfy these requirements.
How
How does a third-party service vendor deliver its managed services? It is through the vendor’s infrastructure and people. A large portion of the infrastructure is in the data center. There are 4 tiers of data centers, and the higher the tier, the more costly the vendor.
People are a key element for the design, implementation, management, and support of the infrastructure and services the third-party vendor provides. The buying business needs to evaluate the vendor’s infrastructure and people using a capability maturity model (CMM). The general rule is that the higher the level of maturity, the more sophisticated the service supplier's process management and measurement capabilities are. The same capability maturity model evaluation should be done on the business itself. Normally, a business will not consider a third-party vendor with lower capability maturity than its own internal IT organization. If the maturity levels are close to equal, then the business needs to analyze the financial trade-offs.
Where
Where is the data center located? The vendor and the customer need to agree on the data’s location and keep it transparent. The location of data and where it is made available is subject to government regulation. Disaster recovery plans also require an understanding of the data location and assurance that the primary data center and recovery sites have the required physical separation.
When
When refers to availability and responsiveness. Businesses need to know when their data will be available and meet the requirements. Formal service-level agreements (SLAs) are necessary. Third-party vendors who have more established and sophisticated processes to manage SLAs are normally ranked higher on their capability maturity.
Losing control is one of the big issues with regard to the use of third-party services. The use of managed services, including cloud computing, depends on a careful analysis of the risks and rewards of third-party service provision to ensure that the managed services can support the business requirements.