Solved

who should own a policy?

Posted on 2011-09-23
Last Modified: 2012-05-12
If your auditors come in and ask you (company A) for a copy of:

documented backup policy
documented patch management policy

And you say operations and responsibility for this have been outsourced to an FM provider (company B), so we don't need a policy. Is this a risk?

Should company A still have the documented policy, or is it acceptable to bat it off to company B? Is there any risk in company A not owning or having a documented patch management or backup policy if it is the responsibility of company B to perform this on their behalf?
Question by:pma111
LVL 6

Accepted Solution

by:
Reubenwelsh earned 250 total points
ID: 36587257
Company A should always have it documented how Company B does these routines. If company B goes bankrupt or anything, you quickly want to be able to be up and running, to simplify for whoever is to take over.
It all really depends on what you have agreed between party A and B... If you have written in the contract that all responsibility for these things is on company B, then you can point them on to company B. If there are any questions outside that, it is on company A to sort it out.

I would still want all of the stuff as company A though, just in case. Company A doesn't need to write all the documentation, but they should have it onsite.
 
LVL 3

Author Comment

by:pma111
ID: 36587351
Thanks for the reply. Good points.

Aside from the documented policy, what is the actual technical name, in terms of backup/patching, for the detailed procedures on how the backup and patch management systems will work on a technical level, as opposed to policy, which is normally top-level management speak?

Should company A have both the policy and document X, or just the policy?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36587423
Hi, I'm not sure if there is any official name for it. I just checked over our contract and we have the following in it:

"Documentation shall be gone through and updated every 6 months for all servers, routines and processes.
Updates in the following routines must be approved by *head of it at company B*

Pre-Approved Changes
Backup
Patching

All documentation shall be stored in *company B's* documentation application " 

I would recommend you always have all documentation onsite and backed up (preferably offsite).

The following documentation is the most important in my opinion.

Documentation on how to do a Restore of a server
Documentation of the network infrastructure
Documentation of all servers in the network
Documentation of routines (patching, disaster recovery, backup etc.)

Hope this helps!

//RW
 
LVL 3

Author Comment

by:pma111
ID: 36587439
Yes, many thanks, good post.
 
LVL 3

Author Comment

by:pma111
ID: 36587451
PS - what is your "documentation application" ?

Thanks
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 36592013
When outsourcing to company B, you always need an explicit plan for proper service. This means you should keep the documentation of backup and patch management, as well as other administrative tasks. For one, this is a document you can always go to company B and tell them this is the service you agreed to accommodate. So, this documentation protects you. Liability is yours unless otherwise documented and specified, (right)?
 
LVL 3

Author Comment

by:pma111
ID: 36592953
Thanks - can you describe other administrative tasks and give some examples?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36593294
Active Directory, mail servers, mass storage, network tech, programming, internal wiring, printer servicing, etc...

You see, IT departments are now hiring many people to perform specialized tasks in IT. A typical department would include a network tech, a programmer, a help desk tech, a domain administrator, and an IT security officer, and sometimes a mass storage manager, sometimes a mail server administrator. It all depends upon the business. Many companies are outsourcing some of these duties, but it is up to the company to keep a service agreement of what you want from the contractors. Otherwise, they simply become money collectors and will probably mess up your network. Some even work on phone systems and power/engineering requirements for the server rooms. Any of these tasks can be outsourced, but through my own personal experience, it's best done in house.

These individual specialties give meaning to the words "IT specialist". A great consultant will be an IT generalist. After all, if a consultant only specializes in a few fields, how can they consult on systems integration and configuration management?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36593718
Hi, the application they use is called Qondoc. It has loads of functions, and keeping track of documentation is one of them. Sadly the support / application is rubbish really and very expensive (I think they pay around $50,000 a year for it to keep track of ~10,000 objects).
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36594843
There is nothing wrong with a three-ring binder and paper dividers to keep IT policies in.

Let me show you what an IT security auditor is looking for:

They want to make sure that every single layer of the OSI model is secured in one way or another. This includes a backup plan / disaster recovery, as well as making sure physical controls and virtual security procedures are met AS PER YOUR CHIEF INFORMATION OFFICER. These policies are passed down by management of IT staff and often suggested to corporate executive officers to be the bylaws for IT technicians (IT specialists).

Anyway, look at a multi-OSI-layered approach to IT security, and this is exactly what an IT security auditor is looking for (security plans, backup plans, disaster recovery, and multiple layers of security).

http://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html