INTRODUCTION
In today’s digital age, a reliable and secure IT infrastructure is absolutely vital for any organization’s success. This is why many businesses rely on IT services companies to manage their technology needs. However, choosing the right IT services company is only the first step. It’s equally important to demand the right policies, procedures, and standards from your partner to ensure the performance, security, and long-term health of your IT environment and your business as a whole.
After all, if your IT services provider isn’t holding themselves to best practices and standards, there’s no reason to believe they’ll employ them in the service of your organization.
This report outlines the minimum policies, procedures, and standards that you should demand from your IT services company. By understanding these key requirements, you can ensure that your IT infrastructure and your company are in safe and capable hands.
POLICY FRAMEWORK
- Security Policies:
  - Data Security: Clearly defined policies for data encryption, access control, data backup and recovery, incident response, and data breach management and notification.
  - Network Security: Policies for patching, vulnerability scanning, firewalls, network segregation, intrusion detection/prevention systems (IDS/IPS), and secure remote access.
  - User Security: Policies for the acceptable use of business resources, password complexity, access controls, user training and awareness programs, and incident reporting.
- Service Delivery Policies:
  - Service Level Agreements (SLAs): Clearly defined expectations for service availability, response times, and resolution times.
  - Change Management: A documented process for implementing changes to your IT infrastructure, including testing and rollback procedures.
  - Incident Management: A clear and defined process for identifying, responding to, and resolving IT incidents.
  - Problem Management: A structured approach to identifying and resolving the root cause of recurring IT issues.
- Compliance Policies:
  - Industry-Specific Regulations: Compliance with relevant industry regulations and data privacy laws, such as FINRA, HIPAA, PCI-DSS, FTC Safeguards, GDPR, etc. If you are not obligated to meet these standards, neither are they. Therefore, at a minimum they should demonstrate compliance with the NIST Cybersecurity Framework (NIST CSF) and require you to do the same.
  - Internal Policies and Procedures: Alignment with your organization’s internal policies and procedures for IT security, risk management, and compliance. If you don’t have these policies, your provider should absolutely be having these conversations with you. A quality IT company will require you to work toward developing these policies and procedures to create a standardized baseline of protection for your business, even if you have no other compliance requirements for your specific industry.
PROCEDURAL GUIDELINES
- Documentation and Reporting:
  - Comprehensive documentation of all of your business assets. This includes, but is not limited to, servers, computers, mobile devices, network equipment, printers, software subscriptions, cloud resources, data types and locations, vendors, and users.
  - Documented procedures for all key IT service activities, including change management, incident management, problem management, and security protocols.
  - Regular reporting on key metrics such as service availability, response times, security incidents, and resolved issues.
- Communication and Escalation:
  - Clearly defined communication channels and protocols for reporting issues, requesting support, and receiving updates.
  - Established escalation procedures for unresolved issues or critical incidents.
- Training and Development:
  - Regular security awareness training for all personnel on the latest security threats, vulnerabilities, and industry best practices.
  - Ongoing development and continuing education programs to ensure that your IT services company maintains its expertise and adapts to evolving technologies.
STANDARDIZED OPERATIONS
- Technology Standards:
  - Standardized configurations for hardware, software, and operating systems to ensure compatibility and security.
  - Defined processes for software updates, patch management, and vulnerability scanning and patching.
- Monitoring and Alerting:
  - Proactive monitoring of your IT infrastructure to identify and address potential issues before they impact your business.
  - Timely and effective alerting mechanisms to notify you of any critical events or security incidents.
- Backup, Disaster Recovery, and Business Continuity:
  - Regularly scheduled backups of your critical data and systems to ensure rapid recovery in the event of an outage or disaster.
  - Regular and consistent testing of your backups to ensure their recoverability.
  - Tested and documented disaster recovery plans to minimize downtime and data loss.
  - Tested and documented business continuity plans to ensure primary business operations remain functional in the midst of a system outage, data breach, or other incident that has negatively impacted the business.
Benefits of Ensuring Your Provider Has “Standards”:
- Enhanced Security:
  - Well-defined policies, procedures, and standards in their own business are a strong indication that they’ll establish a foundation of security compliance in your IT environment, mitigating risks and increasing productivity.
- Improved Performance:
  - Established Service Level Agreements ensure consistent service levels and timely resolution of issues.
- Reduced Costs:
  - Proactive maintenance and optimized processes can minimize downtime and unforeseen expenses.
- Clear Communication:
  - Defined roles, responsibilities, and communication protocols foster a collaborative and efficient relationship.
- Regulatory Compliance:
  - Adherence to relevant standards and, where applicable, regulations can help avoid legal repercussions and fines. Moreover, it demonstrates a commitment to best practices that translates into higher levels of service and security for you and your organization.
CONCLUSION
By demanding the right policies, procedures, and standards from your IT services company, you can create a robust, productive, and secure IT environment that supports your business goals.
Remember, the partnership between your organization and your IT services company is critical to your long-term success. Ensuring they hold themselves to a set of standards is a positive reflection of how they would service your organization.
It is important that your involvement doesn’t stop there. You need to ensure that the way they hold themselves accountable translates into how they service you.
Demand they have SLAs that support your business needs, and that they provide regular reporting as to their alignment with those same service level benchmarks. By taking an active role in defining your expectations and holding your partner accountable, you can ensure that your technology infrastructure is in good hands.
ADDITIONAL RESOURCES:
- National Institute of Standards and Technology (NIST): https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0
- Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/
- International Organization for Standardization (ISO): https://www.iso.org/home.html