In the world of information technology, many small and medium-sized businesses don't have the resources or capital to perform necessary tasks in-house. For this reason, outsourcing certain processes or activities can be beneficial.
Outsourcing is when a business contracts with a vendor to perform a specific function, typically information related in nature. For example, a bank may outsource their core systems, or a small business may outsource their website, so they don’t need to maintain a hosting server in-house.
When referring to processing, in-house means that the business maintains the hardware (servers) or software on its own premises and is responsible for maintenance, applying security updates, and the overall day-to-day operation of the process.
There are many benefits to outsourcing:
• No need for additional staffing
• Continued operation during disasters
• Allow managers to focus on core tasks
• Scalability
However, there are also some downsides to outsourcing:
• Not having control over who has access to your data
• The vendor may not have the same security standards that the business has
• Sometimes more expensive overall than in-house processing
• Limited to the schedule and capabilities of the vendor
One of the big things to focus on is security. Businesses should give serious consideration to where their information will be stored, in terms of geographic location. For example, some cloud computing vendors may store information in the USA but also maintain backups in China, Russia, or other countries.
Also, depending on the type of processing the vendor performs, it may have an audit performed and present the results in a report called a SOC report (System and Organization Controls). There are different types of SOC reports:
• SOC 1: Service organizations that do or may impact the client business' financial reporting
• SOC 2: Service organizations that hold, store, or process information for their clients, but where that processing is not significant to financial reporting (it would not affect the income statement or balance sheet)
• Type 1: Report on the procedures / controls in place
• Type 2: Report covering an audit period that provides evidence of how the organization operated its controls over that period of time
A SOC report is either SOC 1 or SOC 2, and either Type 1 or Type 2. Vendors typically won't provide copies of the report until a non-disclosure agreement (NDA) is signed. An NDA basically says that neither party will disclose any information discovered to anyone else. Even if an NDA is signed, vendors may still not provide a copy of a SOC report until the business is an actual customer of the vendor.
It's vital that businesses are fully aware of the operations of their outsourcing vendor. The more critical the outsourced process, and the more sensitive the information, the more the vendor should be scrutinized. Too often we see in the news that a company was infected with ransomware and private customer information was leaked online. Although it's impossible to guarantee 100% security, businesses must perform due diligence to ensure all proper security measures are in place, because when an outsourced vendor gets compromised, it isn't the vendor that looks bad; it's the business that trusted them. Always be cautious, and don't do business with an organization that you can't trust.