2020-02-18

Even after major security breaches at third-party providers of data storage, systems management or IaaS, those providers can often keep the unfavourable details quiet.

In outsourced model contracts, the vendor will often talk about a 'relationship' and 'partnership', and will word contractual documents to reflect these sentiments. These types of contracts will often be full of aspirational statements yet lack defined service level agreements (SLAs).

In these arrangements, when it comes to meeting the client's expected assurance outcomes, it becomes easy for the vendor to fudge reporting so that it reflects good outcomes. The client or Government department receiving the service will rarely have the expertise to 'separate the wheat from the chaff' in vendor assurance reporting, particularly when that reporting is not required to map back to defined SLAs.

Likewise, if the defined SLAs are weak, or the security services themselves are ineffective, it is again easy for the vendor to report on them in a positive light without actually providing reliable security.

The key to good security outcomes is to define what 'good' looks like. To be sure of a good security outcome, CANDA recommends you:

Embed 'good' into SLAs that can be measured (the measurements are the security metrics you capture).

Ensure that assurance reporting is regular and reflects the SLA data.

Ensure that the contract awards financial penalties (or service credits) for any non-performance by the vendor.

Manage the contract through a commercial team (unrelated to 'day to day' service delivery).

As much as a good working relationship is important, the only way to ensure good service delivery is to make sure the vendor is adequately incentivised to do so.

Here are 7 factors you should consider:

1. Define the security framework that governs the vendor outsourcing relationship.

2. Define the scope of security services to be covered by the vendor, including platforms, servers, desktops, databases, networks, gateway devices etc.

3. Define the security services which will apply across that scope.

4. Define the standards to be applied in the design, configuration, implementation and operation of the environment.

5. Link these services and standards to measurable security SLAs, and ensure the SLAs also cover the delivery of effective assurance reporting from the vendor.

6. Tie non-performance against the SLAs to service credits and/or financial penalties.

7. Ensure assurance reporting is sent to a commercial team to validate the SLAs and apply penalties. Be objective and punish non-performance.

For expert advice and knowledge on all things ICT security, get in contact with CANDA. Their friendly team can talk you through outsourced model best practices, and a range of other issues for improved security.