Who should own a policy?

If your auditors come in and ask you (company A) for a copy of:

documented backup policy
documented patch management policy

And you say operations and responsibility for this have been outsourced to an FM provider (company B), so we don't need a policy. Is this a risk?

Should company A still have the documented policy, or is it acceptable to bat it off to company B? Is there any risk in company A not owning or having a documented patch management or backup policy if it's the responsibility of company B to perform this on their behalf?
Reubenwelsh commented:
Company A should always have it documented how company B does these routines. If company B goes bankrupt or anything, you quickly want to be able to be up and running, to simplify things for whoever is to take over.
It all really depends on what you have agreed between party A and B. If you have written in the contract that all responsibility for these things is on company B, then you can point them on to company B. If there are any questions outside that, it is on company A to sort it out.

I would still want all of the stuff as company A though, just in case. Company A doesn't need to write all the documentation, but they should have it on site.
pma111 (author) commented:
Thanks for the reply. Good points.

Aside from the documented policy, what is the actual technical name, in terms of backup/patching, for the detailed procedures on how the backup and patch management systems will work on a technical level, as opposed to the policy, which is normally top-level management speak?

Should company A have both the policy and document X, or just the policy?
Hi, I'm not sure if there is any official name for it. I just checked over our contract and we have the following in it:

"Documentation shall be gone through and updated every 6 months for all servers, routines and processes.
Updates in the following routines must be approved by *head of it at company B*

Pre-Approved Changes

All documentation shall be stored in *company B's* documentation application " 

I would recommend always having all documentation on site and backed up (preferably off site).

The following documentation is the most important in my opinion.

Documentation on how to do a Restore of a server
Documentation of the network infrastructure
Documentation of all servers in the network
Documentation of routines (patching, disaster recovery, backup, etc.)

Hope this helps!

pma111 (author) commented:
Yes, many thanks, good post.
pma111 (author) commented:
PS: what is your "documentation application"?

ChiefIT commented:
When outsourcing to company B, you always need an explicit plan for proper service. This means you should keep the documentation of backup and patch management, as well as other administrative tasks. For one, this is a document you can always go to company B with and tell them this is the service you agreed to accommodate. So, this documentation protects you. Liability is yours unless otherwise documented and specified (right?).

pma111 (author) commented:
Thanks. Can you describe other administrative tasks and give some examples?
Active Directory, Mail Servers, Mass storage, Network Tech, programming, Internal wiring, printer servicing, etc...

You see, IT departments are now hiring many people to perform specialized tasks in IT. A typical department would include a network tech, a programmer, a help desk tech, a domain administrator, and an IT security officer, and sometimes a mass storage manager, sometimes a mail server administrator. It all depends upon the business. Many companies are outsourcing some of these duties, but it is up to the company to keep a service agreement of what you want from the contractors. Otherwise, they simply become money collectors and will probably mess up your network. Some even work on phone systems and power/engineering requirements for the server rooms. Any of these tasks can be outsourced, but through my own personal experience, it's best done in house.

These individual specialties give meaning to the words "IT specialist". A great consultant will be an IT generalist. After all, if a consultant only specializes in a few fields, how can they consult on systems integration and configuration management?
Hi, the application they use is called Qondoc. It has loads of functions, and keeping track of documentation is one of them. Sadly the support/application is rubbish really and very expensive (I think they pay around $50,000 a year for it to keep track of ~10,000 objects).
There is nothing wrong with a three ring binder and paper dividers to keep IT policies in.

Let me show you what an IT Security Auditor is looking for:

They want to make sure that every single layer of the OSI model is secured in one way or another. This includes a backup plan / disaster recovery, as well as checking that physical controls and virtual security procedures are met AS PER YOUR CHIEF INFORMATION OFFICER. These policies are passed down by management to IT staff and often suggested to corporate executive officers to be the bylaws for IT technicians (IT specialists).

Anyway, look at a multi OSI layered approach to IT security and this is exactly what an IT security auditor is looking for. (Security plans, Backup Plans, Disaster Recovery, and multiple layers of security).
