Solved

who should own a policy?

Posted on 2011-09-23
10
360 Views
Last Modified: 2012-05-12
If your auditors come in and ask you (company A) for a copy of:

documented backup policy
documented patch management policy

And you say operations and responsibility for this has been outsourced to an FM provider (company B), so we don't need a policy. Is this a risk?

Should company A still have the documented policy, or is it acceptable to bat it off to company B? Is there any risk in company A not owning or having a documented patch management or backup policy if it's the responsibility of company B to perform this on their behalf?
Question by:pma111
10 Comments
 
LVL 6

Accepted Solution

by:
Reubenwelsh earned 250 total points
ID: 36587257
Company A should always have it documented how Company B does these routines. If company B goes bankrupt or anything, you quickly want to be able to be up and running, to simplify for whoever is to take over.
It all really depends on what you have agreed between party A and B... If you have written in the contract that all responsibility for these things is on company B, then you can point them on to company B. If there are any questions outside that, it is on company A to sort it out.

I would still want all of the stuff as company A though, just in case. Company A doesn't need to write all the documentation, but they should have it onsite.
 
LVL 3

Author Comment

by:pma111
ID: 36587351
Thanks for the reply. Good points.

Aside from the documented policy, what is the actual technical name, in terms of backup/patching, for the detailed procedures on how the backup and patch management systems will work on a technical level, as opposed to policy, which is normally top-level management speak?

Should company A have both the policy and document X, or just the policy?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36587423
Hi, I'm not sure if there is any official name for it. I just checked over our contract and we have the following in it:

"Documentation shall be gone through and updated every 6 months for all servers, routines and processes.
Updates in the following routines must be approved by *head of it at company B*

Pre-Approved Changes
Backup
Patching

All documentation shall be stored in *company B's* documentation application " 

I would recommend always having all documentation onsite and backed up (preferably offsite).

The following documentation is the most important in my opinion.

Documentation on how to do a Restore of a server
Documentation of the network infrastructure
Documentation of all servers in the network
Documentation of routines (patching, disaster recovery, backup etc.)

Hope this helps!

//RW
 
LVL 3

Author Comment

by:pma111
ID: 36587439
Yes, many thanks, good post.
 
LVL 3

Author Comment

by:pma111
ID: 36587451
PS - what is your "documentation application" ?

Thanks
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 36592013
When outsourcing to company B, you always need an explicit plan for proper service. This means you should keep the documentation of backup and patch management, as well as other administrative tasks. For one, this is a document you can always go to company B and tell them this is the service you agreed to accommodate. So, this documentation protects you. Liability is yours unless otherwise documented and specified, (right)?

 
LVL 3

Author Comment

by:pma111
ID: 36592953
Thanks - can you describe other administrative tasks and some examples?
 
LVL 39

Expert Comment

by:ChiefIT
ID: 36593294
Active Directory, Mail Servers, Mass storage, Network Tech, programming, Internal wiring, printer servicing, etc...

You see, IT departments are now hiring many people to perform specialized tasks in IT. A typical department would include a network tech, a programmer, a help desk tech, a domain administrator, and an IT security officer, and sometimes a mass storage manager, sometimes a mail server administrator. It all depends upon the business. Many companies are outsourcing some of these duties, but it is up to the company to keep a service agreement of what you want from the contractors. Otherwise, they simply become money collectors and will probably mess up your network. Some even work on phone systems and power/engineering requirements for the server rooms. Any of these tasks can be outsourced, but through my own personal experience, it's best done in house.

These individual specialties give meaning to the words "IT specialist". A great consultant will be an IT generalist. After all, if a consultant only specializes in a few fields, how can they consult on systems integration and configuration management?
 
LVL 6

Expert Comment

by:Reubenwelsh
ID: 36593718
Hi, the application they use is called Qondoc. It has loads of functions, and keeping track of documentation is one of them. Sadly the support / application is rubbish really and very expensive (I think they pay around $50,000 a year for it to keep track of ~10,000 objects).
 
LVL 39

Expert Comment

by:ChiefIT
ID: 36594843
There is nothing wrong with a three ring binder and paper dividers to keep IT policies in.

Let me show you what an IT Security Auditor is looking for:

They want to make sure that every single layer of the OSI model is secured in one way or another. This includes a backup plan / disaster recovery, as well as making sure physical controls and virtual security procedures are met AS PER YOUR CHIEF INFORMATION OFFICER. These policies are passed down by management of IT staff and often suggested to Corporate Executive Officers to be the bylaws for IT technicians (IT specialists).

Anyway, look at a multi OSI layered approach to IT security and this is exactly what an IT security auditor is looking for. (Security plans, Backup Plans, Disaster Recovery, and multiple layers of security).

http://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html