Friday, May 10, 2013

3 IT Governance Considerations When Transitioning From Internal Operations to a Service Provider


http://www.isaca.org/About-ISACA/-ISACA-Newsletter/Pages/at-ISACA-Volume-10-8-May-2013.aspx?utm_source=informz-8-May-2013-At-ISACA&utm_medium=email&utm_campaign=At-ISACA#5

IT operations are quickly shifting from an internal function performed hands-on by an organization’s technical staff to an external function governed and overseen by an organization’s technology managers and operators. This is evident in the rapid adoption of cloud computing solutions in which many organizations are quickly transitioning their traditional internal IT capabilities to those provided by service providers. It is often the expectation of the organizations and business leaders who are making this transition that these solutions will have the same, and in many cases better, availability, capacity and security characteristics as when these services are maintained by the organizations’ own personnel. This level of assurance can be achieved only if certain governance considerations and arrangements are in place with the service provider. While there are many governance considerations that should be evaluated based on the type of capability that is being sourced, there are 3 that should be consistently reviewed:

  1. Is there an agreed-upon process for consistent and detailed information sharing about the health, performance and safety of both the organization’s services and the service provider’s overall environment? The change of control and lack of visibility that often result as part of transitioning operational responsibilities for IT environments from an organization’s internal capabilities to an external service provider can be very challenging. To implement effective governance capabilities, you will need to understand what operational information will be provided by the service provider, including the scope of the information and the delivery method. The scope should include information from the provider about capabilities associated with your organization’s specific environment and the supporting information infrastructure of the provider. Often, service providers are willing to provide detailed reporting about the capabilities specific to the solutions they provide in the form of reporting portals, but are hesitant to provide insight into their supporting information infrastructure. The information must be comprehensive and timely enough to enable you to enact effective IT governance. This will allow you to work collaboratively with the service provider to ensure that your expectations are being met and provide an opportunity for you to enable a trust-but-verify approach to governing the provider.
  2. Are key performance indicators (KPIs) established and agreed upon? KPIs can provide a mutual understanding between your organization and the service provider of key metrics and measures associated with the solutions and services that you will monitor as part of your IT governance activities. KPIs should be objective in nature whenever possible to ensure that there is little opportunity for disagreement about the information they provide. The most effective KPIs are those that can be directly bound to the productivity of services and have a direct connection to material and key business capabilities.
  3. Does the service provider have adequate information risk management and security capabilities? In many cases, a service provider’s competency, or lack thereof, in information risk management and security is not well understood by its customers until an incident occurs. Security is often identified as one of the key concerns when transferring operational control to service providers, especially when it comes to cloud providers. It is important to conduct comprehensive and regular reviews of the service provider’s capabilities to ensure that they are in line with your organization’s expectations and requirements. Providers often attempt to prove their capabilities through independent industry certifications and vendor compliance reviews; these can be helpful for point-in-time insights, but are often not sufficient for ongoing operational IT governance activities. You must understand the maturity and comprehensiveness of the provider’s approach to information risk management and security, both for its customer environments and for its internal operations. Key areas to review and monitor include its level of visibility into its own information infrastructure, its proactive threat and vulnerability management processes and capabilities, and its incident management and response processes and capabilities.
