network policies

Just wondered, in your organisations, especially for those who outsource there network / IT support, who owns your policy documents, i.e. your network infrastructure backup policy, network patch management policy. Do you the organisation own the policy, or do the 3rd party own the policy documents, if the 3rd party own it why did you chose that asy our approach, or likewise if you yourselves own it, why so. Just trying to weigh up the alternatives, for me the organisation should own the policy and the 3rd party outsourcer should take it on and adhere to it, but seems some places do this differently.
LVL 3
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

liddlerCommented:
You should own your polices, your third party should have procedures that confirm to your polices and should be allowed to audit their procedures to ensure they are complying.
0
pma111Author Commented:
Any specific reasons why? Have my own views but always interesting to generate some debate..
0
liddlerCommented:
The reason I would always do this is third parties might understand how a system works but do not fundamentally understand the specific values of my data or my company polices around that data
They may for instance have a specific retention policy of all data for x years or months.
I may actually want some parts of my data kept for longer, but I may also be required by law or compliance (my data must be PCI DSS compliant for instance) to be deleted.  A third party might not know this.

I currently work for an airline (IOSA compliance), but have worked in water treatment (DWI compliance), drugs (FDA), coal fired power station (PF code of Practise), each of these has different requirements, particularly on data retention, but it then becomes very expensive if you just as for all data to be kept forever.

Unless you as a business, give clear instructions to a third party, how they they be expected to understand the subtleties of your requirements?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.