1.10.2 An enterprise should consider the following provisions in its outsourcing contracts:
• Incorporate service quality expectations, including usage of ISO/IEC 15504 (Software Process Improvement and Capability dEtermination [SPICE]), CMMI, ITIL or ISO methodologies.
• Ensure adequate contractual consideration of access control/security administration, whether vendor- or owner-controlled.
• Ensure that violation reporting and follow-up are required by the contract.
• Ensure any requirements for owner notification and cooperation with any investigations.
• Ensure that change/version control and testing requirements are contractually required for the implementation and production phases.
• Ensure that the parties responsible and the requirements for network controls are adequately defined and any necessary delineation of these responsibilities established.
• State specific, defined performance parameters that must be met, such as minimum processing times for transactions or minimum hold times for contractors.
• Incorporate capacity management criteria.
• Provide contractual provisions for making changes to the contract.
• Provide a clearly defined dispute escalation and resolution process.
• Ensure that the contract indemnifies the company from damages caused by the organization responsible for the outsourced services.
• Require confidentiality agreements protecting both parties.
• Incorporate clear, unambiguous “right to audit” provisions, providing the right to audit vendor operations (e.g., access to facilities, access to records, right to make copies, access to personnel, provision of computerized files) as they relate to the contracted services.
• Ensure that the contract adequately addresses business continuity and disaster recovery provisions and appropriate testing.
• Establish that the confidentiality, integrity and availability (sometimes referred to as the CIA triad) of organization-owned data must be maintained, and clearly establish the ownership of the data.
• Require that the vendor comply with all relevant legal and regulatory requirements, including those enacted after contract initiation.
• Establish ownership of intellectual property developed by the vendor on behalf of the customer.
• Establish clear warranty and maintenance periods.
• Provide software escrow provisions.
• Protect intellectual property rights.
• Comply with legislation.
• Establish clear roles and responsibilities between the parties.
• Require that the vendor follow the organization’s policies, including its information security policy, unless the vendor’s policies have been agreed to in advance by the organization.
• Require the vendor to identify all subcontract relationships and require the organization’s approval to change subcontractors.
IT SERVICE PROVIDER ACQUISITION AND MANAGEMENT
Delivery of IT functions can be characterized as:
• Insourced—Fully performed by the organization’s staff
• Outsourced—Fully performed by the vendor’s staff
• Hybrid—Performed by a mix of the organization’s and the vendor’s staffs; can include joint ventures/supplemental staff
The organization should evaluate its IT functions and determine the most appropriate method of delivering the IT functions, considering the following questions:
• Is this a core function for the organization?
• Does this function have specific knowledge, processes and staff critical to meeting its goals and objectives, which cannot be replicated externally or in another location?
• Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, AND... WITHOUT INCREASING RISK?
• Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions?
• Are there any contractual or regulatory restrictions preventing offshore locations or use of foreign nationals?
At this point, if the organization has chosen to use outsourcing, a rigorous process should be followed, including the following steps:
• Define the IT FUNCTION to be outsourced.
• Describe the SERVICE LEVELS required and MINIMUM METRICS to be met.
• Know the DESIRED LEVEL OF SKILL, KNOWLEDGE AND QUALITY of the expected service provider.
• Know the CURRENT IN-HOUSE COST INFORMATION to compare with third-party bids.
• Conduct DUE DILIGENCE REVIEWS of potential service providers.
• Confirm any ARCHITECTURAL REQUIREMENTS for MEETING CONTRACTUAL AND REGULATORY REQUIREMENTS.
The IS auditor:
• must understand the variety of vendor-provided services (e.g., commercial off-the-shelf HW/SW products, outsourced services to include cloud offerings, managed services);
• needs to understand the vendor’s SLAs that are in place to address system/software operational and technical support requirements, as well as the suppliers’ financial viability, licensing scalability and provisions for software escrow;
• must understand the NEED FOR REQUIRED SECURITY AND CONTROLS to be specified.
OUTSOURCING PRACTICES AND STRATEGIES
Outsourcing practices relate to CONTRACTUAL AGREEMENTS under which an organization hands over control of part or all of the functions of the IT department to an external party.
Most IT departments use information resources from a wide array of vendors and, therefore, need a defined outsourcing process for effectively managing contractual agreements with these vendors.
Specific objectives for IT outsourcing: achieve lasting, MEANINGFUL IMPROVEMENT IN BUSINESS PROCESSES and services through corporate restructuring to TAKE ADVANTAGE OF THE VENDOR'S CORE COMPETENCIES.
Reasons for embarking on outsourcing:
• A desire to focus on core activities
• Increasing competition that demands cost savings and faster time-to-market
• Flexibility with respect to organization, structure and market size
• Pressure on profit margins
Outsourcing Advantages, Disadvantages and Business Risk, and Risk Reduction Options
Advantages
• Commercial outsourcing companies can achieve ECONOMIES OF SCALE through the deployment of reusable component software.
• Outsourcing vendors are likely to be able to DEVOTE MORE TIME AND TO FOCUS EFFECTIVELY AND EFFICIENTLY on a given project than in-house staff.
• Outsourcing vendors are likely to have MORE EXPERIENCE with a wider array of problems, issues and techniques than in-house staff.
• The act of developing specifications and contractual agreements using outsourcing services is likely to result in better specifications than if developed only by in-house staff.
• Because vendors are highly sensitive to time-consuming diversions and changes, FEATURE CREEP OR SCOPE CREEP IS SUBSTANTIALLY LESS LIKELY with outsourcing vendors.
Disadvantages/Business risks
• Costs exceeding customer expectations
• Loss of internal IT experience
• Loss of control over IT
• Vendor failure (ongoing concern)
• Limited product access
• Difficulty in reversing or changing outsourced arrangements
• Deficient compliance with legal and regulatory requirements
• Contract terms not being met
• Lack of loyalty of contractor personnel toward the customer
• Disgruntled customers/employees as a result of the outsource arrangement
• Service costs not being competitive over the period of the entire contract
• Obsolescence of vendor IT systems
• Failure of either company to receive the anticipated benefits of the outsourcing arrangement
• Reputational damage to either or both companies due to project failure
• Lengthy, expensive litigation
• Loss or leakage of information or processes
Risk reduction options
• Establishing measurable, PARTNERSHIP ENACTED SHARED GOALS AND REWARDS
• SOFTWARE ESCROW to ensure maintenance of the software
• Using MULTIPLE SUPPLIERS or WITHHOLDING A PIECE OF BUSINESS as an incentive
• Performing PERIODIC COMPETITIVE REVIEWS and benchmarking/benchtrending
• Implementing SHORT TERM CONTRACTS
• Forming a CROSS FUNCTIONAL CONTRACT MANAGEMENT TEAM
• Including contractual provisions to CONSIDER AS MANY CONTINGENCIES AS CAN BE FORESEEN