Posted by: SAS70ExPERT
Access control, Auditing, CIO, Compliance, CSO, Data center operations, Management, Monitoring, Risk management, SAS 70, Security, Security management, Security Program Management, Third-party services
“Do you understand what impact the outsourced vendor has on your financial stability?” says a SAS 70 auditor. If they fail to make payroll or Friday or if you’re DataCenter fails, what effect will that have on your operations? So as not to be “asleep at the switch,” make sure you understand the vendor’s operations and risks involved. Here are 10 essential specifications that you should have in your service level agreement with you’re outsourced vendor:
1) Data encryption and protection – determine what your vendor is doing from an information technology perspective to protect your information. Are they using applications that have security built-in? Do they have firewalls?
2) Physical Security – review and management of access to buildings and data is critical to protect information technology assets. Tight control must be maintained in order to prevent identify theft and loss of valuable equipment, like exchange servers, racks, and hard drives. Each employee should have ID, preferably biometric, and you should log entry and egress into facilities.
3) Environmental Security – Make sure your data is not only locked in the safe room, but that the environment in the room provides essential protections. Do they have fire extinguishers? Temperature control? Air conditioners? …etc.
4) Confidentiality agreements – Require your business partner/vendor to sign confidentiality agreements/non-disclosure agreements to prevent loss of trade secrets, data, and patents.
5)Employee training – Policies are useless, unless your employees and vendors are trained and aware. Provide all vendors with awareness training of your requirements when processing your information or providing you with services.
6) Require employee background investigations. You want to make sure that the person responsible for managing your money is not a convicted felon. They must have a review of the work history and a validation of the skills.
7)Lastly, Management of vendors- After you have given your requirements to your vendor, how do you know they stay in compliance? A SAS 70 audit is required. firstname.lastname@example.org