Policy Outsourcing and Cloud-Based File Sharing

Similar documents
Sarbanes-Oxley Compliance Kit


Infrastructure, Strategy, and Charter Template

IBM Business Process Manager on Cloud

IBM Business Process Manager on Cloud

IBM Business Process Manager on Cloud

Oracle Functional Help Desk for Retail and Hospitality - SaaS Service Description

Table of Contents 1. What s New... 1

2 INFORMATION ACCESS, SHARING, STORAGE & RETENTION

IBM Sterling Web Forms

IBM Terms of Use SaaS Specific Offering Terms for US Federal. IBM Business Process Manager on Cloud for US Federal

Position Description. Senior Systems Administrator. Purpose and Scope

THE CLOUD, RISKS AND INTERNAL CONTROLS. Presented By William Blend, CPA, CFE

SOX 404 & IT Controls

IBM Emptoris Services Procurement on Cloud

IBM Operational Decision Manager on Cloud

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

Ensuring Organizational & Enterprise Resiliency with Third Parties

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

Comparing Alternatives for Business-Grade File Sharing. intermedia.net CALL US US ON THE WEB

Government-wide: Controls Over Disposal of IT Assets

REQUEST FOR PROPOSALS

Security Monitoring Service Description

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

SPECIFICATION NO. TxDOT * REVISED: AUGUST 2017 CRIMINAL BACKGROUND CHECKS

Securing Your Business in the Digital Age

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

IT Plan Instructions for FY18-FY19

CENTRE (Common Enterprise Resource)

Top. Reasons Enterprises Select kiteworks by Accellion

Security overview. 2. Physical security

Outsourcing and the Need for Supplier Audits

IBM Sales Performance Management Sales Planning

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

SSL ClearView Reporter Data Sheet

Asset Tracking Solutions. Partial Controls and Features

IBM Commerce Insights

REQUEST FOR PROPOSAL (RFP) FOR CONTRACT MANAGEMENT SYSTEM ISSUED BY THE RFP INFORMATION

SECTION 18. INFORMATION TECHNOLOGY AND COMMUNICATION SYSTEMS RECORDS

Privacy Statement. Information We Collect

Michigan Department of Transportation Market Scan for a Digital Signature Solution

IBM Emptoris Strategic Supply Management on Cloud

IBM Cognos Analytics on Cloud

IBM Sterling Supply Chain Visibility Vendor Compliance

Delivering high-integrity accounting with Xero

IBM WATSON CAMPAIGN AUTOMATION SUPPORT AGREEMENT

Srinivasan Sundara Rajan MASTER Architect / Cloud Evangelist / Cloud Computing Journal Author

Teleopti WFM Cloud Service Specification

IBM Case Manager on Cloud

Supplier Security Directives

Outline of the Discussion

OpenText RightFax. OpenText RightFax OnDemand. Product Brochure. Benefits

Disaster Recovery. Service Level Agreement. Tel: Fax:

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

IBM Emptoris Contract Management on Cloud

IBM Performance Management on Cloud

IBM Enterprise Asset Management on Cloud (Maximo)

IBM Content Manager OnDemand on Cloud

IBM Customer Insight for Insurance on Cloud

Mobile Device Management (MDM)

LogLogic. Open Log Management. LogLogic LX and LogLogic ST for Enterprise. LogLogic LX Enterprise- Class Log Data Capture and Processing

Secure File Sharing and Collaboration

IBM Commerce Insights

Microsoft Dynamics 365 for Finance and Operations. Microsoft Dynamics AX. Service description. Version 4 July 2017

PRIVACY POLICY OUR COMMITMENT TO PRIVACY

IBM Terms of Use SaaS Specific Offering Terms. IBM Kenexa Learn. 1. IBM SaaS. 2. Charge Metrics

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

Reining in Maverick Spend. 3 Ways to Save Costs and Improve Compliance with e-procurement

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Ready for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

Whitepaper: The Benefits of Cloud Computing. by Erin Dempsey February 16, 2012 Doc#

Simple, Scalable, Real-time Protection

ACUMATICA CLOUD KEY BENEFITS ACCESS YOUR ERP ANYTIME FROM ANY DEVICE, EASILY SCALE RESOURCES, AND CHOOSE YOUR DEPLOYMENT OPTION WORK THE WAY YOU WANT

CEBOS CLOUD PROGRAM DOCUMENT

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

IBM Business Automation Content Services on Cloud

Emerging Technology and Security Update

IBM Facilities and Real Estate Management on Cloud (TRIRIGA)

Request for Proposals (RFP) Shared Information Technology (IT) Services for Rural Communities of Scott County, Iowa

IBM Emptoris Contract Management on Cloud

Table of Contents Copyright Janco Associates, Inc. 2

White Paper Integrating Duck Creek Technologies with ECM. Reducing complexity for the commercial insurance carrier

Putnam Valley Central School District. Information Technology Internal Audit Report August 2017

IBM Cognos Analytics on Cloud

AWS MSP Partner Program Validation Checklist v3.2 Mapping

INFORMATION WITH REGARD TO THE PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH REGULATION (EU) 2016/679 AND THE RELEVANT GREEK LEGISLATION

Embracing the Digital Workplace with Unified Endpoint Management (UEM)

Solution Pack. Managed Services for Virtual Private Cloud Continuity Service Selections and Prerequisites

SAP and SAP Ariba Solution Support for GDPR Compliance

Nexonia Timesheets: Mobile Application

Big Data, Security and Privacy: The EHR Vendor View

Dovico Planning & Timesheet v4 BEST PRACTICES

Simplify Governance, Risk, and Compliance with Enterprise Content Management

Call Recording & Quality Management Solutions

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems.

Policy Name: McKesson s Imaging and Workflow Solutions and Enterprise Information Solutions U.S. - EU Safe Harbor Privacy Policy ( Policy )

Internal Audit s Role in Third Party Risk Management (TPRM)

Transcription:

Policy Outsourcing and Cloud-Based File Sharing Version 3.3

Table of Contents Outsourcing and Cloud-Based File Sharing Policy... 2 Outsourcing Cloud-Based File Sharing Management Standard... 2 Overview... 2 Standard... 2 Service Level Agreements (SLA)... 2 Responsibility... 2 Security, Disaster Recovery, Business Continuity, Records Retention and Compliance... 3 Outsourcing Policy... 3 Policy Statement... 3 Goal... 3 Approval Standard... 4 Overview... 4 Standard... 4 Base Case... 4 Cloud-Based File Sharing... 5 Risk Assessment... 5 Categorization... 6 Planning... 6 Retained Costs... 6 Unit Cost... 7 Selecting an Outsourcer... 7 Contract and Confidentiality Agreements... 7 Contract Negotiation... 8 Responsibilities... 9 Appendix... 11 Outsourcing and Cloud Security Compliance Agreement... 12 Outsourcing Security Compliance Agreement... 13 Audit Program Guide... 14 Background... 14 ISO 27001 requirements... 14 Planning the Audit... 15 Audit Scope... 16 Audit Objectives... 16 Audit Wrap Up... 17 Top 10 Cloud and Outsourcing SLA Best Practices... 18 Job Description - Manager Outsourcing... 20 Job Description - Manager Vendor Management... 23 What s New... 26 1 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Outsourcing and Cloud-Based File Sharing Policy Outsourcing Cloud-Based File Sharing Management Standard Overview Outsourcing and Cloud-Based File Sharing do not remove the enterprise s requirement to manage the process or the data. Even a comprehensive outsourcing and cloud-based file sharing arrangement require Service Level Agreement (SLA) monitoring and redefinition, as well as strategic management and other retained functions. Standard Service Level Agreements (SLA) The SLA is the central instrument for managing an outsourced function. The Information Technology Contract Management Group (ITCMG) will track SLA fulfillment and enforce the contract terms if an SLA is not met. ITCMG must also take an active role in defining and redefining SLAs in order to take into account changes in the operating environment. 1 Responsibility The efficient assignment of End-User complaints to the appropriate entity is critical to maintaining high service levels. IT will ensure that the Help Desk staff is trained to identify whether a problem lies with IT or a particular vendor. In a multi-vendor environment, this task becomes even more critical if one is to avoid a constant reassignment of the problem. In the case of file sharing, the Help Desk Staff should be able to manage and diagnose issues associated with this technology. At the same time, they should be versed in reviewing logs and diagnostics of the vendors who provide the service. 1 The web site https://www.e-janco.com has a tool kit and sample metrics that can be used for this 2 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Security, Disaster Recovery, Business Continuity, Records Retention and Compliance ENTERPRISE maintains the primary responsibility for all the data and processes that are outsourced and placed in the cloud via a file sharing process. It is for this reason that this policy needs to be followed. All the other supporting infrastructure policies need to be followed. This includes but is not limited to the following: Outsourcing Policy Disaster recovery and business continuity Security compliance and management Compliance management Backup and backup retention Internet, email, social networking, mobile device, electronic communication and records retention Mobile device access and use Physical and virtual server security Records management, retention, and destruction Sensitive information Social networking Telecommuting Text messaging Travel and off-site meetings Policy Statement The enterprise will consider the outsourcing and Cloud-Based File Sharing of parts of its Information Technology (IT) function if such an arrangement could provide savings and true added value. These decisions will not be made without a formal base case analysis that demonstrates the cost-effectiveness of the outsourcing and cloud-based file sharing solution. Outsourcing and cloud-based file sharing contracts will be finite and will hold the Vendor to a Service Level Agreement (SLA). SLAs will contain clear penalties associated with failure to meet minimum service levels. Goal The goal of outsourcing and cloud-based file sharing is to seek areas in which and vendor s convenience and economies of scale are able to streamline IT s operations, add value, and allow the enterprise to concentrate its efforts on core competencies. 3 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Cloud-Based File Sharing With the increased use of mobile devices, cloud-based file sharing becomes a form of outsourcing. With that, some specific rules need to be followed. Here are four key security considerations as you explore the cloud-based file sharing Encryption - All cloud-based services selected need to encrypt data while it travels through the Internet and sits in its data centers. They also must have vital security systems to keep hackers out and are audited by third parties to confirm they are adequate. Because tablets and smartphones are easily lost, stolen or accessed by an unauthorized person, check the steps a service has taken to protect data temporarily stored, or "cached," in employees' devices. For example, some services encrypt cached files on mobile devices, and others let you remotely wipe its apps from missing devices, along with all login information and cached files. User authentication The enterprise needs control over user accounts so that ex-employees no longer have access to company information. Look for a service that lets an administrator manage accounts and define which users can read, edit and delete which files and folders. Also, look for such security features as the ability to set passwords for individual files and to wipe cached data in mobile devices if someone repeatedly fails to enter the right password. Audit trails the selected service needs to keep detailed logs of which employees downloaded, uploaded and shared which files with whom and when. The information provides better visibility into the company s operations. In addition, if there is a security breach, it can help in the discovery process. Subpoena protection - Documents stored with a cloud provider can be subpoenaed by the government and other parties and may be turned over without your consent. Risk Assessment Management shall nominate a suitable owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using ENTERPRISE s standard risk assessment processes. In relation to outsourcing, specifically, the risk assessment shall take due account of the: Nature of logical and physical access to ENTERPRISE information assets and facilities required by the outsourcer to fulfill the contract; Sensitivity, volume and value of any information assets involved; Commercial risks such as the possibility of the outsourcer s business failing completely, or of them failing to meet agreed service levels or providing services to ENTERPRISE s competitors where this might create conflicts of interest; and Security and commercial controls are known to be currently employed by ENTERPRISE and/or by the outsourcer. The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide if ENTERPRISE will benefit overall by outsourcing the function to the outsourcer, considering both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced. 5 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Outsourcing and Cloud Security Compliance Agreement Employee Name ID Number Job Title Location I hereby certify that I have reviewed ENTERPRISE s Outsourcing and Cloud Security Policy and understand the policy, its standards, and procedures contained therein. I hereby certify that I have reviewed ENTERPRISE s Secure Information policy (ISO 27001) and understand the policy, its standards, and procedures contained therein. I understated that if our firm violates this policy, its standards or procedures, our firm and its employees are subject to all liabilities which may arise from this violation. By signing this form, I affirm that I have the authority to bind our firm and to confirm our firm s willingness to abide by ENTERPRISE s security policies, procedures, and guidelines. By signing this form, I affirm my willingness to abide by ENTERPRISE s outsourcing policies, procedures, and guidelines. Signature Date Click here to enter a date. Printed Name Position Title Company Name Email Address Phone Number 12 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Top 10 Cloud and Outsourcing SLA Best Practices 1. Define SLA roles and responsibilities for the enterprise and cloud providers. These definitions should include, the persons responsible for oversight of the contract, audit, performance management, maintenance, and security. 2. Define key terms. Include definitions for dates and performance. Define the performance measures of the cloud service, including who is responsible for measuring performance. These measures would include the availability of the cloud service; the number of users that can access the cloud at any given time; and the response time for processing a customer transaction. 3. Define specific identifiable metrics for performance by the cloud provider. Include who is responsible for measuring performance. Examples of such measures would include: SLA Best Practices Level of service (e.g., service availability duration the service is to be available to the enterprise). Capacity and capability of cloud service (e.g., the maximum number of users that can access the cloud at one time and the ability of the provider to expand services to more users). Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages). 4. Specify how and when the enterprise has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the enterprise in case of exit/termination of service. 5. Specify specific SLA infrastructure and requirements methodology: How the cloud service provider will monitor performance and report results to the enterprise. When and how the enterprise, via an audit, is to confirm the performance of the cloud service provider. 6. Provide for disaster recovery and continuity of operations planning and testing. Include how and when the cloud service provider is to report such failures and outages to the enterprise. In addition, how the provider will re-mediate such situations and mitigate the risks of such problems from recurring. 7. Describe any applicable exception criteria when the cloud provider s performance measures do not apply (e.g., during scheduled maintenance or updates). 8. Specify metrics the cloud provider must meet in order to show it is meeting the enterprise s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the enterprise s data). Specify the security performance requirements that the service provider is to meet. This would include describing security performance metrics for protecting data, such as data reliability, data preservation, and data privacy. Clearly define the access rights of the cloud service provider and the enterprise as well as their respective responsibilities for securing the data, applications, and processes to meet all mandated requirements. Describe what would constitute a breach of security and how and when the service provider is to notify the enterprise when the requirements are not being met. 18 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

Job Description - Manager Outsourcing Position Purpose The Manager Outsourcing is responsible for managing relationships with outsourcing vendors, tracking Service Level Agreement performance of the vendors, reviewing and approving outsourcing invoices, and setting prices for all services that are charged-back to users. The manager develops and implements long and short range plans in support of IT business requirements and objectives, provides the focal point for division business arrangements and contractual issues, directs Information Technology's contract functions, and provides advice on contract risk. Problems and Challenges The Manager Outsourcing faces the challenge of having to track the performance of the outsourcing vendors, application software, and company owned/leased equipment in an outsourced operating environment. The Manager must be cognizant of the requirements placed on the enterprise by Sarbanes-Oxley. Essential Position Functions Principal Accountabilities Defines the operating policies and procedures that IT staff follow in dealing with all outsourcing vendors. Tracks Service Level Performance of all outsourcing vendors. Determines and effectuates accountability and identification of all IT contracts for outsourced goods and services. Maintains a control system to track the performance of individual outsourced processes contracts. This includes charges by the vendors and approvals for new services. Directs, motivates, delegates and empowers staff in the successful performance of their tasks and responsibilities while encouraging innovation. Directs and performs audits and status analysis to ensure the accuracy of records and adequacy of controls, implements corrective action as required. Screens for possible present or future utilization and directs and coordinates the termination of nonessential outsource contracts. Coordinates with management all bids and request for prices from vendors. Directs and authorizes the activation and termination of outsourcing contracts. Develops outsource IT short and long-range facility plans and coordinates IT personnel and equipment moves, office layouts, equipment and space requirements necessary to support contracts. Coordinates licensing and maintenance requirements within associated with all outsource agreements. Develops, prepares, reviews, and submits all direct outsource proposals in support of the enterprise. 20 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

What s New Version 3.3 Add job descriptions for Manager Outsourcing and Manager Vendor Management Updated to meet the latest security and compliance Version 3.2 Updated electronic forms Added Outsourcing Security Compliance Agreement Updated to meet latest compliance requirements Added Top 10 Cloud and Outsourcing SLA Best Practices Version 3.1 Added cloud-based file sharing to the outsourcing policy Updated to meet latest compliance requirements Added references to Cloud-based file-sharing services Version 3.0 Added electronic form for Outsourcing Security Policy Compliance Updated to meet all mandated compliance requirements Version 2.2 Updated policy to comply with ISO 27001 Security Requirements Security Audit Program updated Version 2.1 Updated to Office 2007 CSS Style Sheet Version 2.0 Converted to Janco standard policy format Added Outsourcing Secure Information Policy Agreement Form Audit Program Added Office 2007 version Added 26 2018 Janco Associates, Inc. -- All Rights Reserved https://www.e-janco.com

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback