Intreis Myth Busters are back! We just wrapped up Compliance Myth #5 – “The ‘right’ policies and procedures will make us compliant”. This time we’ll cover why Outsourcing might not be the solution to all your compliance problems.
This myth seems innocuous enough. You’re in an IT department and there are some things you just don’t do very well from a compliance perspective, so you decide to hand over that activity to a 3rd Party for them to manage on your behalf. There are some things you should keep in mind when outsourcing processes with strong compliance aspects.
Remember:
#1 Don’t assume the 3rd Party is more equipped to be compliant that you are. You need to do your due diligence to confirm they have the right controls in place. (see tools below)
#2 You still need to manage the process of compliance, auditing, reporting, testing, verification, communications, and hand-offs between organizations. How will you accomplish this with your 3rd party? What new processes will you need to put in place to support this new control process?
#3 No matter who you shuck your controls off on….guess what?….You’re still responsible. You don’t just get to abdicate your responsibilities because you “outsourced” something. So if you don’t have number 1 & 2 above figured out, the auditors are still find your company deficient….not the 3rd Party.
So, if you’re getting ready to outsource your compliance problems, remember the following:
A. You need controls for the Management of 3rd Parties. That’s right, when you use a 3rd Party there are controls you need to have in place on managing those relationships. So you may have traded the headaches of one set of controls for another. Make sure you are prepared to manage your 3rd Parties.
B. Do your due diligence. Before you sign that contract make sure you have everything in place you need to demonstrate that your chosen vendor is compliant with your regulatory requirements.
C. Take advantage of the tools and resources at your disposal. Here are a few of our favorites where 3rd Parties are concerned:
- Contract Negotiation Checklist
- Understanding Software-as-a-service and Cloud SLAs
- Software-as-a-Service, Cloud Services Risk Assessment
- Good Cloud Gone Bad: Essentials for governing the Cloud
There you have it. Hopefully we’ve convinced you that Outsourcing isn’t a Compliance cure-all. Don’t forget to check back with us next week, when we’ll debunk the myth – The “‘right’ policies and procedures will make us compliant”. Stay tuned!
As always, share with us the Compliance Myth you can’t stand, and it may be included in our series! Comment below or tweet us .
