Solved

who should own a policy?

Posted on 2011-09-23
355 Views
Last Modified: 2012-05-12
If your auditors come in and ask you (company A) for a copy of:

documented backup policy
documented patch management policy

And you say operations and responsibility for this has been outsourced to an FM provider (company B), so we don't need a policy. Is this a risk?

Should company A still have the documented policy, or is it acceptable to bat it off to company B? Is there any risk in company A not owning or having a documented patch management or backup policy if it's the responsibility of company B to perform this on their behalf?
0
Question by:pma111
10 Comments
 
LVL 6

Accepted Solution

by:
Reubenwelsh earned 250 total points
ID: 36587257
Company A should always have it documented how Company B do these routines. If company B go bankrupt or anything, you quickly want to be able to be up and running, to simplify for whoever is to take over.
It all really depends on what you have agreed between party A and B... If you have written in the contract that all responsibility for these things is on company B, then you can point them on to company B. If there are any questions outside that, it is on company A to sort it out.

I would still want all of the stuff as company A though, just in case. Company A doesn't need to write all the documentation, but they should have it onsite.
0
 
LVL 3

Author Comment

by:pma111
ID: 36587351
Thanks for the reply. Good points.

Aside from the documented policy: what is the actual technical name, in terms of backup/patching, for the detailed procedures on how the backup and patch management systems will work on a technical level, as opposed to policy, which is normally top-level management speak?

Should company A have both the policy and document X, or just the policy?
0
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36587423
Hi, I'm not sure if there is any official name for it. I just checked over our contract and we have the following in it:

"Documentation shall be gone through and updated every 6 months for all servers, routines and processes.
Updates in the following routines must be approved by *head of it at company B*

Pre-Approved Changes
Backup
Patching

All documentation shall be stored in *company B's* documentation application " 

I would recommend always having all documentation onsite and backed up (preferably offsite).

The following documentation is the most important in my opinion.

Documentation on how to do a Restore of a server
Documentation of the network infrastructure
Documentation of all servers in the network
Documentation of routines (patching, disaster recovery, backup etc.)

Hope this helps!

//RW
0
 
LVL 3

Author Comment

by:pma111
ID: 36587439
Yes, many thanks, good post.
0
 
LVL 3

Author Comment

by:pma111
ID: 36587451
PS - what is your "documentation application" ?

Thanks
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 36592013
When outsourcing to company B, you always need an explicit plan for proper service. This means you should keep the documentation of backup and patch management, as well as other administrative tasks. For one, this is a document you can always go to company B and tell them this is the service you agreed to accommodate. So, this documentation protects you. Liability is yours unless otherwise documented and specified, (right)?

0
 
LVL 3

Author Comment

by:pma111
ID: 36592953
Thanks - can you describe other administrative tasks and give some examples?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36593294
Active Directory, Mail Servers, Mass storage, Network Tech, programming, Internal wiring, printer servicing, etc...

You see, IT departments are now hiring many people to perform specialized tasks in IT. A typical department would include a network tech, a programmer, a help desk tech, a domain administrator, and an IT security officer, and sometimes a mass storage manager, sometimes a mail server administrator. It all depends upon the business. Many companies are outsourcing some of these duties, but it is up to the company to keep a service agreement of what you want from the contractors. Otherwise, they simply become money collectors and will probably mess up your network. Some even work on phone systems and power/engineering requirements for the server rooms. Any of these tasks can be outsourced, but through my own personal experience, it's best done in house.

These individual specialties give meaning to the words "IT specialist". A great consultant will be an IT generalist. After all, if a consultant only specializes in a few fields, how can they consult on systems integration and configuration management?
0
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36593718
Hi, the application they use is called Qondoc. It has loads of functions, and keeping track of documentation is one of them. Sadly the support / application is rubbish really and very expensive (I think they pay around $50,000 a year for it to keep track of ~10,000 objects).
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36594843
There is nothing wrong with a three ring binder and paper dividers to keep IT policies in.

Let me show you what an IT security auditor is looking for:

They want to make sure that every single layer of the OSI model is secured in one way or another. This includes a backup plan / disaster recovery, as well as making sure physical controls and virtual security procedures are met AS PER YOUR CHIEF INFORMATION OFFICER. These policies are passed down by management of IT staff and often suggested to corporate executive officers to be the bylaws for IT technicians (IT specialists).

Anyway, look at a multi-OSI-layered approach to IT security, and this is exactly what an IT security auditor is looking for (security plans, backup plans, disaster recovery, and multiple layers of security).

http://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html
0