Solved

who should own a policy?

Posted on 2011-09-23
354 Views
Last Modified: 2012-05-12
If your auditors come in and ask you (company A) for a copy of:

documented backup policy
documented patch management policy

And you say operations and responsibility for this has been outsourced to an FM provider (company B), so we don't need a policy. Is this a risk?

Should company A still have the documented policy, or is it acceptable to bat it off to company B? Is there any risk in company A not owning or having a documented patch management or backup policy if it's the responsibility of company B to perform this on their behalf?
Question by: pma111
10 Comments
 
LVL 6

Accepted Solution

by: Reubenwelsh earned 250 total points
ID: 36587257
Company A should always have it documented how Company B does these routines. If company B goes bankrupt or anything, you quickly want to be able to be up and running, to simplify for whoever is to take over.
It all really depends on what you have agreed between party A and B... If you have written in the contract that all responsibility for these things is on company B, then you can point them on to company B. If there are any questions outside that, it is on company A to sort it out.

I would still want all of the stuff as company A though, just in case. Company A doesn't need to write all the documentation, but they should have it onsite.
 
LVL 3

Author Comment

by:pma111
ID: 36587351
Thanks for the reply. Good points.

Aside from the documented policy. What is the actual technical name, in terms of backup/patching, for the detailed procedures on how the backup and patch management systems will work on a technical level, as opposed to policy, which is normally top level management speak?

Should company A have both the policy and document X, or just the policy?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36587423
Hi, I'm not sure if there is any official name for it. I just checked over our contract and we have the following in it:

"Documentation shall be gone through and updated every 6 months for all servers, routines and processes.
Updates in the following routines must be approved by *head of it at company B*

Pre-Approved Changes
Backup
Patching

All documentation shall be stored in *company B's* documentation application "

I would recommend always having all documentation onsite and backed up (preferably offsite).

The following documentation is the most important in my opinion.

Documentation on how to do a Restore of a server
Documentation of the network infrastructure
Documentation of all servers in the network
Documentation of routines (patching, disaster recovery, backup, etc.)

Hope this helps!

//RW
 
LVL 3

Author Comment

by:pma111
ID: 36587439
Yes, many thanks, good post.
 
LVL 3

Author Comment

by:pma111
ID: 36587451
PS - what is your "documentation application" ?

Thanks
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 36592013
When outsourcing to company B, you always need an explicit plan for proper service. This means you should keep the documentation of backup and patch management, as well as other administrative tasks. For one, this is a document you can always go to company B and tell them this is the service you agreed to accommodate. So, this documentation protects you. Liability is yours unless otherwise documented and specified, (right)?

 
LVL 3

Author Comment

by:pma111
ID: 36592953
Thanks - can you describe other administrative tasks and some examples?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36593294
Active Directory, Mail Servers, Mass storage, Network Tech, programming, Internal wiring, printer servicing, etc...

You see, IT departments are now hiring many people to perform specialized tasks in IT. A typical department would include a Network Tech, a programmer, a help desk Tech, a domain administrator, and an IT security officer, and sometimes a mass storage manager, sometimes a mail server administrator. It all depends upon the business. Many companies are outsourcing some of these duties, but it is up to the company to keep a service agreement of what you want from the contractors. Otherwise, they simply become money collectors and will probably mess up your network. Some even work on phone systems and power/engineering requirements for the server rooms. Any of these tasks can be outsourced, but through my own personal experience, it's best done in house.

These individual specialties give meaning to the words "IT specialist". A great consultant will be an IT generalist. After all, if a consultant only specializes in a few fields, how can they consult on systems integration and configuration management?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36593718
Hi, the application they use is called Qondoc. It has loads of functions, and keeping track of documentation is one of them. Sadly the support / application is rubbish really and very expensive (I think they pay around $50,000 a year for it to keep track of ~10,000 objects).
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36594843
There is nothing wrong with a three ring binder and paper dividers to keep IT policies in.

Let me show you what an IT Security Auditor is looking for:

They want to make sure that every single layer of the OSI model is secured in one way or another. This includes a backup plan / disaster recovery, as well as making sure physical controls and virtual security procedures are met AS PER YOUR CHIEF INFORMATION OFFICER. These policies are passed down by management of IT staff and often suggested to Corporate Executive Officers to be the bylaws for IT technicians (IT specialists).

Anyway, look at a multi-layered OSI approach to IT security, and this is exactly what an IT security auditor is looking for (security plans, backup plans, disaster recovery, and multiple layers of security).

http://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html