Vendor Due Diligence Outsourcing
The need to lower cost, increase efficiency and conserve cash has increased companies' motivation to outsource and the appeal of alternative delivery models. Disruptive shifts in demand and supply patterns drive changes in how IT services are bought and from whom.
Business continuity due diligence comes only through a thorough vetting of a service provider in several areas.
Legal and regulatory
- Will the service provider meet all of your data breach notification requirements (remember that even though the provider is hosting the data, you remain responsible for the data under your protection, e.g. under PCI DSS)?
- Do they have formally defined security policies and procedures?
- Will the provider meet data retention requirements of the business?
- Will the provider meet the standards for data encryption and protection you require?
- Are Safe Harbor needs met?
- Are data destruction or data return at the end of the contract well defined to meet your business requirements?
- What is their incident management program?
- Are they prepared to react in a timely fashion in case of any eDiscovery needs of data they store for you?
- Are the facilities housing the service provider adequately secured (video surveillance, access control, etc.)?
- Are the RPOs and RTOs consistent with the business' requirements?
- How often are backups taken, are they maintained off-site, and have backups and restores been tested to your satisfaction?
- Are standard backup methods and media used, in case the business needs to bring data back in house?
- Are maintenance and maintenance windows satisfactory according to your operational needs?
- What types of technical security do they employ (e.g. firewalls, virus protection, intrusion detection devices, etc.)?
- Are their hours of operation coincident with yours? If not, how will they provide coverage?
- If you are a global company do they provide multilingual support?
- Are there clear escalation procedures in case of an incident?
- Does the vendor provide global diversity so if one site goes down another can be used in its place?
- Do they have a current SAS 70 Type II audit findings report?
- Have they corrected any areas of concern to your business?
- What capacity planning do they have in place to meet the growing needs of your business?
- What standards of practice do they adhere to (e.g. ISO 27001, BS 25999, etc.)?
- Do they have a patch management program in place and what is it? Does it meet your requirements?
- Do their SLAs meet your business and operational requirements?
The Practical Guide for IT Outsourcing Template includes a Sample Outsourcing Contract along with a Service Level Agreement, due diligence questions, and other tools to facilitate the outsourcing process. The template includes Janco's exclusive Business and IT Impact Questionnaire.